Cyber Security Weekly Briefing, 17 – 23 December

Telefónica Tech    23 December, 2022

SentinelOne: malicious Python package in PyPI

Researchers at ReversingLabs have published an investigation in which they report having identified a Python package in PyPI that masquerades as the legitimate SDK client of cybersecurity firm SentinelOne.

According to the researchers, malicious actors have created a Trojan with the same name as the SentinelOne company in order to trick victims. The malware also offers a legitimate functionality, which is to access the SentinelOne API from another project.

However, this package is obfuscated with malware dedicated to exfiltration of sensitive data from compromised systems.

ReversingLabs has reported detecting five similarly named packages uploaded by the same authors between 8 and 11 December 2022, and estimates that they have been downloaded up to 1,000 times in total.

More info

* * *

OWASSRF: new Microsoft Exchange exploit method

The CrowdStrike team has discovered a new method of exploiting Microsoft Exchange that bypasses ProxyNotShell mitigations. This new way of exploiting the flaw, which they have named OWASSRF, was detected while researchers were analysing the entry vectors of the Play ransomware, as they suspected that the operators behind the malware were exploiting ProxyNotShell (CVE-2022-41040 and CVE-2022-41082).

However, no evidence of exploitation of the first vulnerability (CVE-2022-41040) was detected, while evidence of exploitation of the second vulnerability (CVE-2022-41082) was detected. According to CrowdStrike, the security flaw, which would serve as initial access to later exploit CVE-2022-41082, has been catalogued as CVE-2022-41080, with a CVSSv3 of 9.8, being a privilege escalation flaw via the Outlook Web Application (OWA) endpoint.

It is also worth noting that during the investigation, Huntress Labs threat researcher Dray Agha discovered an attacker’s tools exposed in an open repository. These included a PoC for Play’s Exchange exploit, which allowed CrowdStrike to replicate the attacks.

More info

* * *

Achilles: vulnerability in Apple Gatekeeper

Within Microsoft has disclosed details on a vulnerability in macOS that would allow bypassing the application execution restrictions of Apple’s Gatekeeper security mechanism. The vulnerability, which has been listed as CVE-2022-42821, with a CVSS of 5.5, was discovered by the Microsoft team in July and was fixed with last week’s updates to macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 1.7.2 (Big Sur).

The Gatekeeper security mechanism consists of checking applications downloaded from the Internet to see if they are approved by Apple, sending a message to the user to confirm before launching them, or issuing an alert that the application cannot be run because it is untrusted.

This verification is done by checking the attribute that web browsers assign to downloaded files. The detected vulnerability, also referred to as Achilles, exploits the Access Control List (ACL) permissions model by adding very restrictive permissions to a downloaded file, which prevents Safari from setting the attribute and could allow an attacker to create a malicious application that could be used as an initial access vector for malware or other threats.

More info

* * *

Glupteba botnet active again

Researchers at Nozomi Networks have detected that the Glupteba botnet is active again, after Google stopped its operation a year ago. According to the researchers, the latest campaign reportedly started in June this year and is still active.

Glupteba is a backdoor distributed via pay-per-install (PPI) networks in infected installers or software bugs. It is blockchain-enabled, infecting Windows devices to mine cryptocurrencies, steal user credentials, cookies, and deploy proxies on IoT devices and Windows systems.

However, the highlight of Glupteba is that it uses the Bitcoin Blockchain to distribute its Command and Control (C2) domains, which makes it highly resistant to deletion, as a validated Bitcoin transaction cannot be deleted or censored.

In this regard, Nozomi has observed how the use of Bitcoin addresses has been increasing, as in its first campaign, dating back to 2019, it only used one address, while in the latest one, up to seventeen different addresses have been detected.

More info