November 19, 2023

27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

Description

A sophisticated and persistent threat actor has been identified engaging in a malicious campaign on the Python Package Index (PyPI) repository for approximately six months. This campaign involves the creation and distribution of 27 typosquat packages that disguise themselves as popular and legitimate Python libraries. These packages have successfully attracted thousands of downloads, primarily from users in the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. The attackers employed a notable technique by utilizing steganography to conceal a malicious payload within seemingly innocent image files, enhancing the stealthiness of their operation. Noteworthy packages involved in this campaign include pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the latter being introduced on May 13, 2023. The attackers exploited the setup.py script to reference other malicious packages, such as pystob and pywool, which utilize Visual Basic Script (VBScript) to download and execute a file named “Runtime.exe,” ensuring persistence on the infected host.The malicious payload within the binary is designed to gather sensitive information from web browsers, cryptocurrency wallets, and other applications, posing a significant risk to the affected users.

Infected Technology

•Python Package Index (PyPI) repository, a central hub for Python packages and libraries.

Source

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

Recommendation

• Developers and users are urged to exercise heightened vigilance when reviewing and downloading packages from PyPI. Scrutinizing package names, maintaining an awareness of legitimate authors, and verifying package integrity can help identify potential threats.

Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Description

Intel has addressed a significant vulnerability, codenamed Reptar, affecting its desktop, mobile, and server CPUs with the release of fixes as part of the November 2023 updates. Tracked as CVE-2023-23583, the high-severity flaw, with a CVSS score of 8.8, could allow escalation of privilege, information disclosure, or denial of service through local access. Google Cloud highlighted that successful exploitation might lead to bypassing the CPU’s security boundaries, particularly impactful in a multi-tenant virtualized environment, causing a host machine crash and resulting in a Denial of Service to other guest machines. Security researcher Tavis Normandy pointed out the potential for corruption of the system state and machine-check exceptions. Intel has issued updated microcode for all affected processors and emphasized that non-malicious real-world software is not expected to encounter the issue. Meanwhile, AMD has also released patches for a separate security flaw, CacheWarp (CVE-2023-20592), impacting its processors, allowing unauthorized access to AMD SEV-protected VMs for privilege escalation and remote code execution. No active attacks exploiting the Intel vulnerability have been reported.

Infected Technology

•Intel Desktops, Mobile and server CPUs

Source

https://thehackernews.com/2023/11/reptar-new-intel-cpu-vulnerability.html

Recommendation

•Update microcode for all affected processors

CVE ID

CVE-2023-23583

CVE-2023-5528: Kubernetes Windows Nodes Leading To Admin Privilege Escalation

Description

A high-severity vulnerability (CVE-2023-5528) has been identified inKubernetes Windows Nodes, posing a risk of administrative privilege escalation. The primary contributors to this vulnerability include the lag in Windows Node development, the Kubernetes Container Storage Interface(CSI), and the PersistentVolume component. Windows Nodes, introduced in 2019, lag behind Linux counterparts, using SIDs, ACLs, and usernames. The CSI, an alternative to storage plugins, and PersistentVolume, a Kubernetes Cluster resource, contribute to the vulnerability. When in-tree storage plugins lack input sanitization, an attacker with pod and PersistentVolume creation access could gain administrative privileges on cluster nodes.

Infected Technology

• Kubernetes Windows Nodes and Kubernetes Container Storage Interface (CSI)

Source

https://cybersecuritynews.com/kubernetes-windows-nodes-vulnerability/

Recommendation

•Ensure in-tree storage plugins are absent. •Upgrade to Kubernetes CSI v1.27

CVE ID

CVE-2023-5528

FortiSIEM Injection Flaw Let Attackers Execute Malicious Commands

Description

Security experts from Fortinet Product Security Incident Response Team (PSIRT) have discovered a vulnerability in FortiSIEM that could be exploited to execute unauthorized and malicious commands. A vulnerability labeled as an improper neutralization of special elements used in an OS Command (CWE-78) has been found within the FortiSIEM report server. This flaw could potentially enable a remote and unauthenticated attacker to execute unauthorized commands by sending specially crafted API requests. dditionally, this severe vulnerability in FortiSIEM, classified as an injection flaw, has been recognized as a variation of CVE-2023-34992, which was another critical vulnerability that had already been addressed and resolved in October of this year.

Infected Technology

• FortiSIEM (4.7, 4.9, 4.10, 5.0, 5.1, 5.2,5.3, 5.4) all versions.

Source

https://cybersecuritynews.com/fortisiem-injection-flaw/

Recommendation

• Upgrade to FortiSIEM version (6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, 7.1.0) or above.

CVE ID

CVE-2023-36553

WP Fastest Cache Plugin Exposes Over 600K+ WordPress Sites to SQL Injection Attacks

Description

The WPScan team has discovered a notable security vulnerability in the widely utilized WP Fastest Cache plugin. This particular vulnerability, classified as an unauthenticated SQL injection, has the potential to provide unauthorized entry to sensitive data stored in the WordPress database.The vulnerability becomes more severe due to the execution of the function during plugin load, occurring before the application’s data undergoes sanitization by wp_magic_quotes(). To exploit this issue, a hacker without authentication could tamper with the $username variable, sourced from a particular cookie, enabling the injection of a time-based blind SQL payload.

Infected Technology

• WordPress

Source

https://cybersecuritynews.com/wp-fastest-cache-plugin-exposes/?

Recommendation

• Updating to version 1.2.2.

CVE ID

CVE-2023-6063