North Korean Hackers Distribute Malware via Python Packages
Palo Alto Networks Unit 42 researchers have discovered a new malicious campaign using infected Python packages that targets software developers. As part of this campaign, attackers associated with the North Korean group Gleaming Pisces (aka Citrine Sleet) distributed malicious packages through the popular PyPI repository. Installing them infects Linux and macOS systems with Trojans such as PondRAT and POOLRAT.
The main goal of the attack was to compromise supply chains by infecting developers' work devices, which in turn gave the attackers access to those developers' clients' systems. The attackers uploaded several infected packages to PyPI, such as real-ids and beautifultext, which, once installed, downloaded and executed malware on the target system.
This campaign poses a significant threat to organizations, as the use of legitimate-looking Python packages makes attacks difficult to detect and can lead to compromise of the entire network.
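As an added defender-side example (not Unit 42's code, and not part of the original digest), the script below scans a requirements file for the two package names the report cites, real-ids and beautifultext, and additionally flags names that sit within a small edit distance of a handful of popular packages, which is one cheap way to catch legitimate-looking look-alikes. The popular-package list and the sample requirements text are constructed for illustration.

```python
"""Scan a pip requirements list for known-bad and look-alike package names.

Added example: the known-bad names come from the Unit 42 report summarised
above; the POPULAR list and the sample requirements are constructed here.
"""
import re

# Package names named in the Unit 42 report (normalized per PEP 503).
KNOWN_MALICIOUS = {"real-ids", "beautifultext"}

# Assumed short list of widely used packages to compare against; in practice
# this would be a much longer list maintained by the organisation.
POPULAR = {"requests", "beautifulsoup4", "numpy", "pandas", "cryptography", "urllib3"}

# Constructed sample requirements.txt; the version pins are illustrative.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.32.3
real-ids>=1.0              # package named in the Unit 42 report
numpy
beautifultext              # package named in the Unit 42 report
reqeusts                   # constructed look-alike of 'requests'
pandas>=2.0; python_version >= "3.9"
cryptography[ssh]==43.0.1
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation: runs of -, _ and . become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return the normalized project names from a requirements file.

    Comments, blank lines and option lines (-r, -e, --index-url ...) are
    skipped; extras, version specifiers and environment markers are dropped.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name: str, max_distance: int = 2) -> list[str]:
    """Popular names within max_distance edits of `name`, excluding exact matches."""
    return [p for p in sorted(POPULAR) if 0 < levenshtein(name, p) <= max_distance]


def scan(text: str) -> dict:
    """Flag known-malicious names and look-alikes in a requirements file."""
    malicious, suspicious = [], {}
    for name in parse_requirements(text):
        if name in KNOWN_MALICIOUS:
            malicious.append(name)
            continue
        hits = lookalikes(name)
        if hits:
            suspicious[name] = hits
    return {"malicious": malicious, "lookalike": suspicious}


if __name__ == "__main__":
    result = scan(SAMPLE_REQUIREMENTS)
    for name in result["malicious"]:
        print(f"KNOWN MALICIOUS: {name}")
    for name, hits in result["lookalike"].items():
        print(f"LOOK-ALIKE: {name} resembles {', '.join(hits)}")
```

A hit on the known-malicious list is a block; a look-alike hit is a prompt for a human to confirm the intended package, since the edit-distance heuristic will also match a few legitimate names.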
Full Unit42 Study: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
Preview of Windows Updates Causes Problems Loading the OS
Microsoft's KB5043145 preview update for Windows 11, released in September 2024, is causing serious issues, including reboot loops and blue screens. Affected systems may enter automatic restart cycles or become unresponsive, with some users also encountering BitLocker recovery prompts. The Automatic Repair tool may activate in response to these problems.
Microsoft is currently investigating the issue and recommends affected users file reports via the Feedback Hub. Similar problems with Windows booting and freezes have been addressed in past updates, with fixes for dual-boot systems and earlier security update bugs also being worked on.
More details at: https://support.microsoft.com/en-us/topic/september-26-2024-kb5043145-os-builds-22621-4249-and-22631-4249-preview-71ee16f6-9a39-4569-937c-fe0fd8577285
Evolution of Ransomware Kryptina and Mallox
SentinelLabs researchers have discovered that the Mallox group (also known as TargetCompany) is using a modified version of the Kryptina ransomware to attack Linux systems. Kryptina, initially proposed as a low-cost ransomware-as-a-service (RaaS) platform in late 2023, was bound to attract the attention of cyber criminals. In February 2024, its source code was posted for free on hacker forums.
In May 2024, a data leak from the server of one of Mallox's affiliates revealed that Kryptina had been integrated into their tooling: the new version, renamed "Mallox Linux 1.0", uses the same encryption engine and core Kryptina functionality. SentinelLabs emphasized that Mallox is actively attacking vulnerable Linux and VMware ESXi servers, which puts enterprises with large IT infrastructures at risk.
Full SentinelLabs study: https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/
It's Time to Update!
Microsoft
Microsoft has addressed 79 vulnerabilities this Patch Tuesday, including seven critical ones and four zero-days. The most notable updates include:
● CVE-2024-43491 – A critical remote code execution (RCE) vulnerability in Windows 10's servicing stack, arising from rollback issues in updates. Exploitation has been observed. Attackers can exploit this over the network without user interaction.
● CVE-2024-38014 – A zero-day Windows Installer vulnerability enabling elevation of privileges to SYSTEM level. It poses significant risks to enterprise environments.
● SharePoint Vulnerabilities (CVE-2024-38018 & CVE-2024-43464) – Both allow RCE due to unsafe deserialization, with varying privilege requirements, potentially leading to system compromise and data exfiltration.
● SQL Server Vulnerabilities – Multiple issues leading to arbitrary code execution via memory corruption techniques like heap-based buffer overflows and out-of-bounds reads.
Google Chrome
The new version of Chrome (128) fixes CVE-2024-7965 (CVSS 8.8), a vulnerability in the JavaScript V8 engine. It allows attackers to remotely cause heap memory corruption using specially crafted HTML pages, which could lead to code execution or access to sensitive data. The vulnerability also affects Chromium-based browsers such as Edge and Opera. Attacks using this vulnerability have been recorded.
Mozilla Firefox
Firefox version 130 fixes 13 vulnerabilities, 7 of which are high-risk. The main problems are related to browser memory corruption, which can lead to arbitrary code execution.
Adobe
Adobe has released an update that fixes 72 vulnerabilities, including critical RCEs in Acrobat Reader and Adobe Commerce. The most severe vulnerability, CVE-2024-39397, has a CVSS score of 9.0.
Fortra FileCatalyst
A critical vulnerability, CVE-2024-6633 (CVSS 9.8), has been discovered in FileCatalyst Workflow: a password is present in the application code, which allows attackers to gain access to the database and full administrator rights. An immediate update to version 5.1.7 is recommended.