Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

The cybersecurity landscape continues to face significant challenges as malicious actors exploit vulnerabilities across various platforms. Recent developments include attackers leveraging a remote code execution flaw in Ghostscript, the disclosure of critical unpatched vulnerabilities in the popular Gogs open-source Git service, and a source code disclosure flaw in the Apache HTTP server that has now been patched. Meanwhile, a new variant of the Mallox ransomware is targeting Linux systems, and troubling reports have emerged that OpenAI failed to disclose a 2023 data breach, raising concerns about transparency and security practices in the tech industry. Additionally, Mercku, a Canadian tech company, has been compromised, leading to an increase in MetaMask phishing emails.

• Attackers Exploiting Remote Code Execution Vulnerability in Ghostscript

Security researchers are sounding the alarm over a critical Ghostscript vulnerability, CVE-2024-29510, which has already been exploited in the wild. This flaw, described as a format string injection in the uniprint device, allows attackers to bypass the -dSAFER sandbox and execute remote code.

Codean Labs, the security researchers who identified the issue, warns that this vulnerability significantly impacts web applications and other services that offer document conversion and preview functionalities. These services often use Ghostscript, a widely-used document conversion toolkit, under the hood. Ghostscript is utilized in various applications across Windows, Linux, macOS, and embedded systems for processing user-supplied files.

To prevent abuse, Ghostscript developers have implemented several sandboxing features and enabled the -dSAFER sandbox by default for hardening purposes. Despite these precautions, Codean Labs discovered and reported six vulnerabilities in Ghostscript, which were addressed in versions 10.03.0 and 10.03.1. These include CVE-2024-29510, three buffer overflows (CVE-2024-29509, CVE-2024-29506, and CVE-2024-29507), a pointer leak (CVE-2024-29508), and an arbitrary file read/write (CVE-2024-29511).

The vulnerability CVE-2024-29510 was found in the uniprint device, which supports generating command data for various printer models by changing configuration parameters. This device’s versatility allows users to control the format string and access the device output by setting it to a temporary file, which can lead to data leaks and memory corruption. Codean has published proof-of-concept (PoC) code demonstrating how an attacker can exploit this flaw to bypass Ghostscript’s -dSAFER sandbox and execute shell commands on the system. The bug can be triggered through both image and document processors. Codean recommends that organizations verify if their solutions use Ghostscript and update to the latest version if necessary. The vulnerability was addressed in early May with the release of Ghostscript version 10.03.1, but detailed information was only made public last week. Following Codean’s blog post and PoC release, security researchers highlighted the potentially devastating impact of this bug.

CVE-2024-29510 is described as a significant threat, with Ghostscript being widely used and attackers already exploiting the flaw. The best mitigation against this vulnerability is to update Ghostscript to version 10.03.1. If the latest version is not available from your distribution, check for a patch that addresses this vulnerability.

• Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git-Service

Four unpatched security vulnerabilities, including three critical ones, have been identified in Gogs, an open-source, self-hosted Git service. These flaws, disclosed by SonarSource researchers Thomas Chauchefoin and Paul Gerste, could allow an authenticated attacker to compromise vulnerable instances, steal or delete source code, and even insert backdoors. The vulnerabilities are CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, and CVE-2024-39933. Successful exploitation of the first three could enable arbitrary command execution on the Gogs server, while the fourth could allow attackers to read arbitrary files, including source code and configuration secrets.

These vulnerabilities could be exploited by a threat actor to read, modify, or delete source code, target internal hosts accessible from the Gogs server, and impersonate other users to escalate privileges. Exploitation requires the attacker to be authenticated and, in the case of CVE-2024-39930, the built-in SSH server must be enabled, a specific version of the env binary used, and the attacker must possess a valid SSH private key. If registration is enabled on the Gogs instance, an attacker can create an account and register their SSH key. Otherwise, they must compromise another account or steal a user’s SSH private key.

Gogs instances running on Windows and the Docker image are not vulnerable. However, those on Debian and Ubuntu are at risk due to the env binary’s support for the “–split-string” option. Approximately 7,300 Gogs instances are publicly accessible online, with nearly 60% located in China, followed by the U.S., Germany, Russia, and Hong Kong. The exact number of vulnerable servers is unknown, and there is no visibility into whether these flaws are being exploited in the wild.

SonarSource reported that project maintainers have not implemented fixes and ceased communication after accepting the initial report on April 28, 2023. In response, users are advised to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has released a patch for users to apply, but it has not been extensively tested.

This disclosure coincides with findings from cloud security firm Aqua, which discovered that sensitive information such as access tokens and passwords, once hard-coded, could remain permanently exposed even after removal from Git-based source code management (SCM) systems. These “phantom secrets” remain undiscovered by conventional scanning methods and are accessible through “git clone –mirror” or cached views of SCM platforms. This highlights the limitations of current scanning tools and the persistent risk of exposed secrets. Commits remain accessible through “cache views” on the SCM, meaning that even if a secret-containing commit is removed from both the cloned and mirrored versions of a repository, it can still be accessed if someone knows the commit hash. This persistent exposure underscores the need for robust security measures and thorough audits of code repositories to prevent data breaches and maintain the integrity of sensitive information.

• Apache Fixed a Source Code Disclosure Flaw in Apache HTTP Server

The Apache Software Foundation has addressed several significant vulnerabilities in its widely-used Apache HTTP Server, including issues related to denial-of-service (DoS), remote code execution, and unauthorized access. Among these, a critical source code disclosure vulnerability, identified as CVE-2024-39884, stands out.

The advisory explains that CVE-2024-39884 arises from a regression in the core of Apache HTTP Server version 2.4.60, which disregards some uses of the legacy content-type based configuration of handlers. Specifically, when directives like “AddType” and similar configurations are applied under certain conditions, they can lead to the inadvertent disclosure of source code for local content. This means that files intended to be executed, such as PHP scripts, may be served in their raw form instead of being processed by the server, thereby exposing sensitive information to potential attackers.

The Apache Foundation strongly advises users to upgrade to version 2.4.61 to mitigate this vulnerability and ensure their servers are protected against potential exploits.

• New Mallox Ransomware Variant Targets Linux Systems

Cybersecurity researchers at Uptycs have identified a new variant of Mallox ransomware that targets Linux systems using custom encryption and a builder web panel. This variant encrypts victims’ data, rendering it inaccessible until a ransom is paid. However, Uptycs has also discovered a decryptor, offering some hope to victims. Despite this, maintaining robust security practices and regular backups remains essential for defense against such threats.

The Uptycs threat research team uncovered this new Mallox variant, which utilizes a custom Python script named web_server.py to deliver the ransomware payload. This script, based on the Flask framework, serves as a web panel for Mallox ransomware, connecting to a backend database using the system’s environment variables for credentials. This connection provides researchers with insight into the attacker’s infrastructure. What makes Mallox ransomware, also known as Fargo, TargetCompany, and Mawahelper, particularly alarming is its web panel. This panel allows cybercriminals to create custom variants of Mallox, manage their deployment, and download the ransomware. The new variant encrypts user data and appends a .locked extension to encrypted files. Previous versions utilized .NET-based, .EXE, or .DLL files and were distributed via MS-SQL servers and phishing or spam emails. The web panel includes various functions such as user authentication, build management, new user registration, login and password reset, and ransomware build creation. It also features user profile management, a chat interface, and a custom 404 error page.

According to Uptycs’ report, the encryption process used by Mallox employs the AES-256 CBC algorithm, a robust encryption standard that makes it extremely difficult for victims to decrypt their files without the decryption key held by the attackers. Mallox ransomware operations have been active since mid-2021 and transitioned into a Ransomware-as-a-Service (RaaS) distribution model by mid-2022. The Mallox group uses multi-extortion tactics, encrypting victims’ data and threatening to post it on public TOR-based sites.

Fortunately, Uptycs researchers have found a decryptor for Mallox ransomware, providing a potential remedy for victims. However, this solution may be short-lived as the creators of Mallox could update their ransomware to evade decryption. To protect against Mallox ransomware, it is crucial to maintain regular backups of your data, exercise caution with suspicious attachments and links, keep software up-to-date with security patches, and use reliable security solutions. These measures can help restore your files in the event of a ransomware attack without paying the ransom.

• OpenAI Allegedly Never Bothered to Report 2023 Data Breach

OpenAI is facing significant cybersecurity scrutiny following revelations of a 2023 data breach and privacy concerns related to its ChatGPT app for macOS. According to a report from the New York Times, two anonymous insiders revealed that early last year, a private forum used by OpenAI employees was breached. Despite this intrusion, OpenAI chose not to disclose the breach publicly or inform law enforcement, as the company believed the actual AI builds were not compromised and the breach was likely the work of an unaffiliated individual rather than a foreign entity. The decision to keep the breach under wraps has raised concerns, especially in light of recent departures of key personnel from OpenAI, including chief scientist Ilya Sutskever. These departures have been attributed to concerns over a perceived lack of safety culture within the company. In response, OpenAI has committed to establishing an AI safety committee to address long-term AI threats, following the exits of Sutskever and Jan Leike, the head of the previous safety team.

The handling of the breach and the departure of key figures have cast a shadow on OpenAI’s commitment to security and transparency. This latest disclosure does little to bolster its reputation, particularly as it comes alongside another troubling revelation about the ChatGPT app for macOS. Software developer Pedro José Pereira Vieito discovered that the macOS version of ChatGPT was designed to bypass the Mac’s built-in sandboxing protections, which are intended to prevent apps from accessing private data. Instead, the app stored all user conversations in plain text within an unsecured directory. OpenAI has since addressed and fixed this issue but did not provide a response to inquiries about the oversight.

• Mercku, the Canadian Company, Compromised: Beware of MetaMask Phishing Emails

In a concerning development, it has been verified that Mercku’s helpdesk portal is currently compromised and sending out MetaMask phishing emails in response to newly filed support tickets. This breach has serious implications for customers of the Canadian router manufacturer. Mercku is a Canadian company known for its mesh WiFi routers and networking equipment, which it supplies to several Internet Service Providers (ISPs) and networking companies in Canada and Europe. Some of their prominent partners include Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom. With offices in Canada, China, Germany, and Pakistan, Mercku plays a significant role in the networking industry.

Recently, support requests submitted through Mercku’s Zendesk portal have been met with phishing emails disguised as mandatory MetaMask account updates. The email, titled “Metamask: Mandatory Metamask Account Update Required,” falsely urges users to update their MetaMask accounts within 24 hours to avoid losing access.

The phishing link in the email is designed to deceive users. Although it appears to lead to MetaMask’s official site (metamask.io), it actually redirects to a malicious site (zpr[.]io). This tactic leverages the URL “userinfo” component, as outlined in RFC 3986, to mislead users. The deceptive URL structure is:

hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd`

Contrary to appearances, the actual destination is zpr[.]io, not metamask.io. The “userinfo” part (metamask.io:login) is ignored by the server but is used to trick users into thinking they are connecting to a legitimate site.

This phishing scam is particularly dangerous because of MetaMask’s popularity as a cryptocurrency wallet. Users who fall for this scam risk losing access to their MetaMask accounts and any cryptocurrency stored within them. The final destination URL (matjercasa.youcan[.]store) was found to be suspended, temporarily halting further attacks. However, the risk remains for users who might encounter similar tactics.

Until the issue is resolved, Mercku customers are advised to:

1. Avoid submitting support tickets through Mercku’s helpdesk portal.
2. Ignore and delete any suspicious emails received from Mercku’s support portal.
3. Refrain from clicking on links or opening attachments in emails claiming to be from MetaMask or Mercku support.

References:

Share post: