Reported 5 malicious #Python packages to #PyPI: numberpy, tqmmd, pandans, openpyexl, reqwestss all by the same user leemay1782.
All with the same "functionality", getting commands via a socket from dzgi0h7on1jhzdg0vknw9pp9309rxjl8.oastify[.]com and executing it.
I don't think I saw the setup.py entry_points being used as a trigger mechanism before?
Have a look, see what you think. How could I make it more useful to you?
It's generated using a custom-made graph-network abstraction layer I wrote in Python and then pulling some publicly available JSON-files for the Intrusion Sets and Techniques.
A couple of days ago, LockBit had published an entry on their leaksite titled "telekom.com". I asked the Telekom press corps and they denied any incident.
Yesterday, LB also published the data allegedy from Telekom. I had a look at the files. So far, it seems that nothing in the 1.2GByte directory on their file share has anything to do with Deutsche Telekom. It seems that in fact, they breached a client PC owned by a non-profit in Hamburg.
There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Note that it says "results in the ability," not "may result in the ability" to execute remote code.
Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
The following ArubaOS and SD-WAN software versions that are End
of Maintenance are affected by these vulnerabilities and are not
patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
Our research reveals that nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts.
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.