Security News – Week 26


LockBit Threat Actors Release LockBit 3.0 with New “Bug Bounty” Program

LockBit ransomware threat actors have announced the release of version 3.0 of the LockBit ransomware. Alongside the new version, a LockBit Bug Bounty program, a first for the dark web, has been launched. They have also published a statute containing the rules for affiliates participating in the affiliate program of the new version, which follows the RaaS (Ransomware as a Service) model.

With the launch of the Bug Bounty program, LockBit invites security researchers and hackers to join it, stating that it will offer rewards for threat actors, high-profile targets, security vulnerabilities, and more (including PII). Although high rewards are claimed to be paid to participants in the program, it should be kept in mind that LockBit is a ransomware threat group.

To avoid becoming a target of attacks carried out with the newly released LockBit 3.0 version;


Critical RCE Vulnerability Found in Mitel MiVoice VoIP Devices Actively Exploited

A 0-day vulnerability detected in Linux-based Mitel MiVoice VoIP devices has been found to be used by threat actors to execute code on vulnerable systems. Critical organizations across various industries rely on Mitel VoIP devices for their telephony needs.

The 0-day RCE vulnerability, tracked as CVE-2022-29499, is used by threat actors to gain initial access to the network, and this initial access has been observed as the starting point of larger ransomware attacks.

The vulnerability, which affects the Service Appliance component of Mitel MiVoice Connect, is caused by improper data validation. The MiVoice Connect devices that use the Service Appliance component and are affected by the vulnerability are as follows:

  • SA 100
  • SA 400
  • Virtual SA

There is no official update that fixes the vulnerability yet. However, on April 19, 2022, Mitel released a hotfix script for the following affected versions:

  • MiVoice Connect versions 19.2 SP3 and earlier.
  • R14.x versions

The vulnerability has been exploited in at least one ransomware campaign. Organizations are therefore advised to monitor for the update that fixes the vulnerability and to apply the available mitigation measures (the hotfix script) immediately. It is also important to rely on comprehensive security solutions against potential ransomware attacks.


Multiple PyPI Packages Detected Aiming to Hijack AWS Credentials and Metadata

Sonatype security researchers have detected multiple Python packages (PyPI) containing malicious code developed to hijack and publicly leak AWS (Amazon Web Services) credentials and environment variables.

Python development relies heavily on third-party packages and modules, which makes its package ecosystem a possible entry point for supply-chain security breaches.

The PyPI packages found to contain malicious code developed to hijack AWS credentials are as follows:
  • Loglib-Modules
  • Pyg-Modules
  • Pygrata
  • Pygrata-Utils
  • Hkg-Sol-Utils

While the ‘loglib-modules’ and ‘pygrata-utils’ packages contain the malicious code developed to capture sensitive data from the system, packages such as ‘pygrata’ simply use one of these packages as a dependency. Part of the malicious code in ‘loglib-modules’ and ‘pygrata-utils’ is shown below.


Examining the code shows that it collects the AWS credentials, network interface information, and environment variables on the system and sends the collected sensitive data and metadata to one or more endpoints hosted on the PyGrata domain (hxxp://graph.pygrata[.]com:8000/upload).


After the data collected from the system is uploaded to the PyGrata server, it is exposed on the internet as hundreds of .txt files that anyone can access.


There are no details yet about who the threat actors behind these packages are or what their ultimate goals were. The detected malicious Python packages have since been deprecated after being reported to the PyPI security team.

To avoid becoming a target of similar attacks, it is recommended to audit the PyPI dependencies (including transitive ones) of the packages in use and to deploy comprehensive anti-malware solutions. It is also important to track the IOCs related to this campaign and to block them in the security solutions in use if they are found.