Critical Tinyproxy flaw puts over 50,000 hosts at risk

Last week witnessed a surge in cybersecurity threats, ranging from North Korean hackers exploiting weak DMARC email policies for spearphishing to supply chain attacks targeting Docker Hub with malicious ‘imageless’ containers. Additionally, a new sophisticated information stealer targeting Apple macOS systems was discovered, posing espionage risks. Critical vulnerabilities in F5 Central Manager and the Tinyproxy service also emerged, underscoring the importance of immediate patching and proactive security measures.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. NSA warns about North Korean hackers leveraging weak DMARC email policies

The NSA and FBI have issued a warning about APT43, a North Korean cyber group also known as Kimsuky, exploiting weak DMARC policies for spearphishing. APT43 targets experts in East Asian affairs to gather geopolitical intelligence, using spoofed emails from trusted sources to gain access to private documents and communications. Since 2018, they have targeted organizations worldwide, impersonating journalists and academics.

By infiltrating policy analysts and other professionals, Kimsuky supplies the North Korean government with stolen data and significant geopolitical information. They exploit DMARC policies with “p=none” configurations to bypass checks and reach targets, with recent reports indicating their use of this method since December 2023. Recommendations include updating DMARC policies to “quarantine” or “reject,” setting SPF and DKIM records properly, and being vigilant for red flag indicators such as innocuous initial communications followed by malicious links/documents.

2. Critical Tinyproxy vulnerability exposes 50,000+ hosts to remote code execution

A critical security flaw, CVE-2023-49606, affecting the Tinyproxy service has been identified, exposing more than half of the 90,310 hosts to potential remote code execution. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP header, leading to memory corruption. Unauthenticated attackers can exploit this flaw by sending a specially crafted HTTP Connection header, potentially resulting in remote code execution.

Approximately 57% of exposed hosts are running vulnerable versions, with a significant number located in the U.S., South Korea, China, France, and Germany. A proof-of-concept demonstrates the exploit’s feasibility, prompting users to update to the latest Tinyproxy version once available and to ensure that the service is not exposed to the public internet to reduce exploitation risk.

3. Numerous malicious ‘imageless’ containers planted on Docker Hub in 5 years

Cybersecurity researchers have unearthed supply chain attacks targeting Docker Hub, where over four million imageless repositories have been exploited to redirect users to phishing or malware-hosting sites. Among these repositories, 2.81 million were involved in campaigns redirecting users to fraudulent sites through tactics like downloader campaigns, e-book phishing schemes, and benign website clusters. The downloader campaign leads users to pirated content links, eventually redirecting to malicious sources, while the e-book phishing scheme prompts users to input financial information for e-book downloads.

The attacks were facilitated by 208,739 fake accounts created by threat actors to host malicious repositories, with the downloader campaign delivering payloads that connect to a command-and-control server for transmitting system metadata and receiving cracked software links. Recommendations include regularly reviewing Docker Hub repositories, implementing strong authentication measures, and educating users on identifying phishing attempts and malicious redirects.

4. A new breed of threat: ‘Cuckoo’ spyware targets Macs with persistence

Security experts have recently uncovered Cuckoo by Kandji, a sophisticated information stealer targeting Apple macOS systems. Distributed through various websites posing as offering music conversion applications, Cuckoo establishes persistence on compromised devices and conducts espionage activities. Upon download, it invokes a bash shell to gather host information and executes a locale check before running the malicious binary.

Employing techniques like LaunchAgent for persistence and osascript for password prompts, Cuckoo targets specific applications to extract hardware details, capture running processes, and harvest data from iCloud Keychain, among other sources. Notably, most application bundles are signed, posing a challenge to detection. This discovery follows the revelation of another macOS stealer malware, CloudChat, highlighting the importance of software updates, antivirus protection, cautious downloading practices, and firewall implementation for macOS users.

5. Critical flaws in F5 Central Manager enable complete device takeover

F5 has addressed two critical vulnerabilities in the BIG-IP Next Central Manager, allowing unauthorized administrative access and covert unauthorized account creation across managed assets. These vulnerabilities, an SQL injection flaw (CVE-2024-26026) and an OData injection flaw (CVE-2024-21793), enable remote exploitation, granting attackers complete administrative control over the device.

Exploiting these flaws, attackers can execute malicious SQL statements, potentially leading to unauthorized access and system compromise. Additionally, weaknesses allowing brute-force attacks and password resets were also uncovered. Immediate patching, regular security audits, access control measures, and monitoring are recommended to mitigate these risks.