GitHub supply chain attack hits Top.gg and developers

Last week witnessed a surge in cyber threats targeting various sectors globally. These included a critical SQL injection vulnerability in Fortinet’s FortiClient EMS software, phishing attacks delivering StrelaStealer malware, a sophisticated supply chain attack on GitHub accounts, the emergence of a Linux variant of DinodasRAT, and a new phishing campaign distributing the Agent Tesla keylogger disguised as bank payment notices. Posing significant risks to organizations, these diverse threats emphasize the importance of proactive security measures and regular audits.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. CVE-2023-48788: Exploit released for Fortinet RCE bug used in attacks

A critical SQL injection vulnerability, identified as CVE-2023-48788, has been discovered in Fortinet’s FortiClient Enterprise Management Server (EMS) software, affecting versions 7.0 and 7.2. This flaw, located in the DB2 Administration Server (DAS) component, permits unauthenticated threat actors to execute remote code with SYSTEM privileges on vulnerable servers.

Security researchers have released a proof-of-concept exploit that confirms the vulnerability, although the PoC requires modification before it is fully exploitable. Over 440 FortiClient EMS servers are currently exposed online, with a significant number in the United States. To address this issue, users are advised to update their FortiClient EMS installations to version 7.2.3 or above for 7.2.x versions and 7.0.11 or above for 7.0.x versions, or to apply the virtual patch available in FMWP db update 27.750.
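The advisory gives two fixed thresholds, one per affected branch, so a naive "is the version newer than X" check is not enough. The following is an added example (not code from SISA or Fortinet) that applies the per-branch thresholds stated above to an inventory of EMS servers; the function names and the inventory lines are constructed for this example.

```python
"""Assess FortiClient EMS versions against the fixed releases named in the
advisory for CVE-2023-48788: 7.0.11 for the 7.0 branch, 7.2.3 for the 7.2
branch. Added example; thresholds come from the advisory, everything else is
constructed."""
from __future__ import annotations

# Minimum fixed version per affected branch, as stated in the advisory.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 3),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.2.1' into (7, 2, 1); raise ValueError on non-numeric input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-affected-branch' for one EMS version."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        # e.g. 6.x: outside the branches the advisory names; verify separately
        return "not-affected-branch"
    # Tuple comparison handles missing patch digits ('7.2' < (7, 2, 3)).
    return "fixed" if v >= FIXED_VERSIONS[branch] else "vulnerable"


# Constructed inventory in 'hostname,version' form.
SAMPLE_INVENTORY = """\
ems-us-east-01,7.2.1
ems-us-east-02,7.2.3
ems-eu-01,7.0.10
ems-eu-02,7.0.11
ems-lab-01,6.4.9
"""


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group hosts by assessment result so the vulnerable set can be patched first."""
    out: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not-affected-branch": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        out[assess(version)].append(host.strip())
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `not-affected-branch` are outside the 7.0/7.2 branches the advisory names; they are not declared safe by this check and should be confirmed against the vendor advisory separately.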

2. Organizations in EU and US targeted by StrelaStealer phishing attacks

A recent surge in phishing attacks targeting over 100 organizations in the EU and US has been detected, delivering the StrelaStealer malware. These attacks utilize evolving spam emails with attachments containing the StrelaStealer’s DLL payload, aiming to steal email login data. Since its disclosure in November 2022, StrelaStealer has been involved in large-scale campaigns across various sectors, prompting cybersecurity researchers to observe its constant evolution.

The latest variant employs improved obfuscation and anti-analysis techniques, with phishing emails now adopting invoice-themed content and ZIP attachments containing JavaScript files. To mitigate these threats, organizations are advised to educate employees on phishing awareness, implement robust email filtering, and maintain up-to-date security patches.

3. Hackers target GitHub accounts in supply chain attack impacting Top.gg and others

A sophisticated attack campaign targeted individual developers and the GitHub organization account associated with Top.gg, a Discord bot discovery site. The attackers employed various tactics, including account takeover via stolen browser cookies, contributing malicious code with verified commits, and hosting trojanized packages on a typosquatted domain. This resulted in the theft of sensitive information and the propagation of rogue packages via GitHub repositories.

Cloudflare has taken down the domain used for hosting trojanized packages. To mitigate such threats, developers are advised to enable two-factor authentication (2FA) for GitHub accounts, adhere to secure coding practices, and thoroughly vet dependencies before installing packages and repositories, even from trusted sources.
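One of the vetting steps above, checking where a dependency is actually fetched from, can be automated. The following is an added example, not code from SISA or from the Top.gg project: it extracts the host from each dependency source URL, accepts hosts on an allowlist, and flags hosts within a small edit distance of an allowlisted one as probable lookalikes (the pattern behind a typosquatted hosting domain). The allowlist, the sample source lines and the `gitnub.com` lookalike are all constructed for this example.

```python
"""Flag dependency sources that are not on a trusted-host allowlist, and
separately flag hosts that are one or two edits away from a trusted host.
Added example; allowlist and sample URLs are constructed."""
from __future__ import annotations

from urllib.parse import urlparse

# Hosts this (hypothetical) project deliberately pulls code and packages from.
TRUSTED_HOSTS = {"github.com", "pypi.org", "files.pythonhosted.org"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values indicate a lookalike host name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """'trusted', 'lookalike:<trusted host>' or 'untrusted' for one host name."""
    host = host.lower()
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    nearest = min(trusted, key=lambda t: levenshtein(host, t))
    if levenshtein(host, nearest) <= max_distance:
        return f"lookalike:{nearest}"
    return "untrusted"


# Constructed list of dependency sources, e.g. collected from requirement
# files, lock files and git submodule URLs.
SAMPLE_SOURCES = """\
https://github.com/example-org/example-bot.git
https://files.pythonhosted.org/packages/example/example-1.0.tar.gz
https://gitnub.com/example-org/example-bot.git
https://cdn.example-mirror.net/example-1.0.tar.gz
"""


def audit_sources(text: str) -> dict[str, str]:
    """Map every non-empty source URL to its host classification."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = urlparse(line).hostname or ""
        result[line] = classify_host(host)
    return result


if __name__ == "__main__":
    for url, verdict in audit_sources(SAMPLE_SOURCES).items():
        print(f"{verdict:28} {url}")
```

A `lookalike:` verdict deserves a human look before the build proceeds; an `untrusted` verdict is simply a host missing from the allowlist, which is the decision point at which a team either adds it deliberately or rejects the dependency.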

4. DinodasRAT Linux attack spreads worldwide

Recent findings reveal the emergence of a Linux variant of DinodasRAT, also known as XDealer, a versatile cross-platform backdoor targeting China, Taiwan, Turkey, and Uzbekistan. Crafted in C++, this malware predominantly targets Red Hat-based distributions and Ubuntu Linux systems, establishing stealthy persistence through startup scripts and communicating with remote servers for command execution.

With capabilities including file manipulation, process enumeration, and shell command execution, DinodasRAT gives the operator complete control over infected systems for data exfiltration and espionage. Security researchers emphasize the importance of regular system updates, network traffic monitoring, and enhanced access controls to mitigate the threat posed by DinodasRAT.
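Because the Linux variant persists through startup scripts, a cheap host-side check is to audit the usual startup locations for files that changed recently or that anyone can write to. The following is an added example and not code from SISA or from the researchers cited above; the directory list is a constructed starting point and should be adjusted for the distribution in use.

```python
"""Audit Linux startup locations for recently modified or world-writable
files, the two cheapest signals that something was planted for persistence.
Added example; the directory list is constructed and not exhaustive."""
from __future__ import annotations

import os
import stat
import time

# Common places a Linux backdoor uses to survive a reboot (constructed list).
DEFAULT_STARTUP_DIRS = [
    "/etc/init.d",
    "/etc/rc.d",
    "/etc/systemd/system",
    "/etc/cron.d",
    "/etc/profile.d",
    "/etc/xdg/autostart",
]


def audit_startup_dirs(dirs, since_epoch: float) -> list[dict]:
    """Return one record per file under `dirs` that was modified after
    `since_epoch` or is writable by others. Missing directories are skipped,
    so the same list can be used across distributions."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow planted symlinks
                except OSError:
                    continue
                reasons = []
                if st.st_mtime > since_epoch:
                    reasons.append("modified-recently")
                if st.st_mode & stat.S_IWOTH:
                    reasons.append("world-writable")
                if reasons:
                    findings.append({"path": path, "mtime": st.st_mtime, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Report anything touched in the last 7 days.
    cutoff = time.time() - 7 * 24 * 3600
    for f in audit_startup_dirs(DEFAULT_STARTUP_DIRS, cutoff):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(f["mtime"])),
              ",".join(f["reasons"]), f["path"])
```

Run it as root so every directory is readable, and compare the output against your change records: a startup file that nobody deployed, or that is writable by every local user, is what to pull for inspection. Modification time can be forged by an attacker, so treat an empty report as one signal, not as a clean bill of health.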

5. New phishing attack delivers Keylogger disguised as bank payment notice

A recent phishing campaign has been identified, featuring a unique malware loader distributing the Agent Tesla information-stealing and keylogging program. The campaign involves deceptive emails posing as bank payment notifications, prompting recipients to open an attached archive file named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz.” This loader, coded in .NET, employs obfuscation techniques, polymorphic behavior, and intricate decryption methods to avoid detection.

It retrieves the XOR-encoded Agent Tesla payload from a remote server, evading Windows Antimalware Scan Interface (AMSI) detection by altering the AmsiScanBuffer function. The final stage involves executing Agent Tesla in memory, enabling covert data extraction via SMTP through a compromised email account, providing anonymity to threat actors. This sophisticated attack underscores the importance of implementing email filtering, robust endpoint security, and patch management strategies to mitigate such threats.
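Both phishing campaigns in this issue ride on attachment shape: StrelaStealer arrives as a ZIP containing JavaScript, and the Agent Tesla lure is an archive whose name mimics a PDF ("…_pdf.tar.gz"). The following is an added example, not code from SISA or from the researchers who analysed either campaign: a mail-gateway style triage function that opens ZIP attachments in memory to look for script members and flags archive names carrying a document-type token before the real extension. It generalizes slightly beyond the page by checking a few other script extensions and document tokens; the sample attachments are constructed, and the ".tar.gz" sample is only name-checked (its bytes are placeholder data).

```python
"""Triage mail attachments for two lure patterns: script files inside a ZIP
and archives whose name pretends to be a document. Added example; extension
lists and sample attachments are constructed."""
from __future__ import annotations

import io
import zipfile

# Script types that have no business arriving inside a mailed ZIP.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")
# Document tokens a lure places right before the real archive extension.
DECOY_DOCUMENT_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx")
ARCHIVE_EXTENSIONS = (".tar.gz", ".tgz", ".zip", ".rar", ".7z")


def misleading_name(filename: str) -> bool:
    """True when an archive's name ends in a document token before its real
    extension, e.g. 'dowód wpłaty_pdf.tar.gz' or 'invoice.pdf.zip'."""
    lower = filename.lower()
    for ext in ARCHIVE_EXTENSIONS:
        if lower.endswith(ext):
            stem = lower[: -len(ext)]
            return any(stem.endswith(tok) for tok in DECOY_DOCUMENT_TOKENS)
    return False


def scripts_in_zip(data: bytes) -> list[str]:
    """Names of script members inside a ZIP; [] if the data is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; [] means nothing flagged."""
    findings = []
    if misleading_name(filename):
        findings.append("archive name mimics a document type")
    if filename.lower().endswith(".zip"):
        members = scripts_in_zip(data)
        if members:
            findings.append("zip contains script: " + ", ".join(members))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a StrelaStealer-style ZIP with a .js inside, an archive
# named like the Agent Tesla lure (placeholder bytes, name-only check), and a
# benign ZIP for contrast.
SAMPLES = {
    "invoice_2024.zip": build_sample_zip({"invoice_2024.js": b"// constructed stub"}),
    "Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz": b"\x1f\x8b" + b"\x00" * 16,
    "quarterly_report.zip": build_sample_zip({"report.txt": b"plain text"}),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage_attachment(name, data) or "clean")
```

The two checks are deliberately independent so that a renamed ZIP still gets its contents inspected and a non-ZIP archive still gets its name checked; extend `scripts_in_zip` with a tar reader if your gateway also unpacks `.tar.gz`.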

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
