CISA issues critical warning on Juniper device vulnerabilities

SISA Weekly Threat Watch 20 Nov 2023

This week’s cybersecurity landscape witnessed diverse threats, from nation-state malware targeting macOS to hidden malicious Python packages on trusted platforms. Also observed were sophisticated espionage activities by Chinese hacking groups, VMware’s alert on a critical Cloud Director vulnerability, and CISA’s urgent warning regarding active exploits targeting Juniper devices. These incidents highlight escalating cyber risks across various platforms and sectors, necessitating heightened vigilance and immediate proactive measures to combat these evolving threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. BlueNoroff blamed for hacking macOS machines with ObjCShellz malware

The BlueNoroff APT group, linked to North Korea, has emerged with ObjCShellz, a newly identified macOS-targeting malware akin to the RustBucket campaign. Discovered while investigating a Mach-O binary connecting to a suspicious domain previously linked to BlueNoroff, ObjCShellz is coded in Objective-C, acting as a remote shell for executing commands from the attackers’ command-and-control (C2) server.

Though the malware’s initial access method remains unclear, suspicions suggest it could be disseminated through social engineering tactics. The focus on a domain related to cryptocurrency hints at potential targets within the cryptocurrency exchange sector. To prevent such attacks, it is recommended to implement robust network monitoring tools with anomaly detection capabilities, enhance endpoint security, and conduct thorough training sessions for users to recognize and resist social engineering attempts.

2. CISA urges immediate action to secure Juniper devices against active exploits

CISA (Cybersecurity and Infrastructure Security Agency) has issued a warning urging federal agencies to secure Juniper devices due to four vulnerabilities (CVE-2023-36844 to CVE-2023-36847) currently exploited in remote code execution attacks. These vulnerabilities in Juniper’s J-Web interface pose significant risks, allowing preAuth remote code execution by combining specific requests that upload arbitrary files without authentication.

Exploitation attempts were detected shortly after Juniper’s security updates were released, coinciding with the publication of a proof-of-concept (PoC) exploit. ShadowServer data shows over 10,000 vulnerable Juniper devices exposed online, with a notable concentration in South Korea. Administrators are advised to immediately secure their devices by upgrading JunOS to the most recent release. As a minimum precaution, it is also recommended to disable J-Web or restrict Internet access to the J-Web interface to eliminate the attack vector.

3. BlazeStealer malware discovered in Python Packages on PyPI

Security experts recently uncovered a series of malicious Python packages within the Python Package Index (PyPI) repository. Despite presenting themselves as innocuous obfuscation tools these packages actually harbor a malware known as BlazeStealer. The initiative commenced in January 2023 and encompasses eight packages: Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.

The BlazeStealer malware, embedded in these packages, can execute various harmful actions on the compromised host, such as collecting sensitive information like passwords and screenshots, carrying out arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus. Additionally, the malware employs a Discord bot to streamline communication between the threat actor and the infected system. The need for cautious open-source engagement in software development and a balanced approach of innovation and rigorous package scrutiny is vital for a resilient and secure development ecosystem.

4. Chinese hackers launch covert espionage attacks on 24 Cambodian organizations

Security experts have detected sophisticated cyber operations conducted by two Chinese nation-state hacking groups targeting 24 critical Cambodian government organizations. These entities encompass vital sectors such as national defense, election oversight, human rights, finance, politics, and telecommunications, housing sensitive data. The observed cyber campaign is believed to be part of a larger espionage effort seeking persistent access to valuable government networks.

Notably, the hackers aligned their activity with Cambodian business hours and adjusted behaviors to match China’s Golden Week and “Special Working Days” holidays, indicating a base in China. The attackers utilized malicious SSL certificates on servers hosting subdomains posing as cloud storage services, potentially to legitimize data exfiltration, and deployed selective IP filtering and deceptive port strategies to evade detection. It is recommended to regularly monitor and validate SSL certificates, employ advanced anomaly detection tools, and regularly review and update IP filtering rules to strengthen security defenses against such advanced threats.

5. VMware issues alert regarding unpatched critical vulnerability in Cloud Director

VMware has alerted users to a critical and unpatched vulnerability in Cloud Director that remains unaddressed. This flaw poses a risk of exploitation by malicious entities seeking to bypass authentication safeguards. In an updated version of VMware Cloud Director Appliance 10.5, there is a security vulnerability that allows a malicious actor with network access to the appliance to circumvent login restrictions when authenticating on port 22 (SSH) or port 5480 (appliance management console).

It is important to note that this bypass does not occur on port 443 (VCD provider and tenant login). Additionally, this vulnerability is not present in a fresh installation of VMware Cloud Director Appliance 10.5. The flaw impacts instances that have been upgraded to version 10.5 from an older version. While VMware has yet to release a patch for the flaw it has provided a workaround in the form of a shell script (“WA_CVE-2023-34060.sh”).

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider