Programmer’s Digest #113
12/11/2024-12/18/2024 Two Vulnerabilities in The Hunk Companion, 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository, Critical OpenWrt Vulnerability.
1. Two Vulnerabilities in The Hunk Companion and WP Query Console WordPress Plugins
Threat actors are exploiting two vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins to gain backdoor access to websites. Hunk Companion, a plugin for ThemeHunk themes, has a missing capability check that allows unauthorized plugin installations. Tracked as CVE-2024-9707 (CVSS 9.8), this flaw can enable remote code execution if another vulnerable plugin is active. While patches were released in October and December, 90% of its 10,000 installations remain unpatched. Over the past day, Defiant blocked 56,000 attacks targeting this vulnerability. Attackers use it to install WP Query Console, an outdated plugin with a remote code execution flaw (CVE-2024-50498, CVSS 9.8). This vulnerability, disclosed in October, allows full control of websites. Admins should update Hunk Companion to version 1.9.0 immediately and check for unauthorized plugins or other signs of intrusion.
2. New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP
Cybersecurity researchers have uncovered a new PHP-based backdoor, Glutton, used in attacks targeting China, the U.S., Cambodia, Pakistan, and South Africa. Discovered by QiAnXin XLab in April 2024, the malware is linked with moderate confidence to the Chinese nation-state group Winnti (APT41). Glutton targets PHP frameworks like Baota, ThinkPHP, Yii, and Laravel to steal system information, inject code, and plant ELF backdoors. Despite ties to Winnti, Glutton lacks typical stealth features, such as encrypted C2 communications, and relies on HTTP for payload delivery. Notably, Glutton also targets cybercriminals by poisoning their operations. The backdoor exploits zero-day flaws and brute-force attacks, using a “task_loader” module to download additional components, including ELF malware masquerading as FastCGI Process Manager. It supports 22 commands for operations like file management and remote code execution. Glutton’s modular design ensures stealth by operating within PHP processes, leaving no traceable payloads. Researchers highlighted its dual focus on traditional victims and cybercrime operators, turning attackers’ tools against them.
3. 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits
A now-removed GitHub repository advertising a WordPress tool is believed to have enabled the exfiltration of over 390,000 credentials. The campaign, linked to the threat actor MUT-1244, targeted pentesters, security researchers, and malicious actors, stealing sensitive data like SSH keys and AWS credentials. MUT-1244 used phishing and trojanized GitHub repositories claiming to host proof-of-concept (PoC) exploit code but containing malware. One repository, “yawpp,” claimed to be a WordPress poster but deployed malware via a rogue npm dependency, compromising credentials and exfiltrating them to a Dropbox account. MUT-1244 also employed phishing emails, tricking victims into executing malicious shell commands. Payload delivery methods included backdoored compilation files, malicious PDFs, Python droppers, and npm packages like “0xengine/meow.” The campaign highlights attackers exploiting GitHub PoCs and targeting cybersecurity professionals to steal data for further attacks. Researchers warn of the growing trend of fake PoCs used to compromise systems and spread malware.
4. Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection
A critical security flaw (CVE-2024-54143, CVSS 9.3) in OpenWrt’s Attended Sysupgrade (ASU) feature could allow attackers to distribute malicious firmware packages. Discovered by Flatt Security researcher RyotaK and patched in ASU version 920c8a1, the flaw combines a command injection with a SHA-256 hash that is truncated to 12 characters, short enough that collisions become practical. Exploitation allows attackers to inject arbitrary commands into the build process, creating malicious firmware images signed with a legitimate build key. Worse, a collision on the 12-character truncated hash could cause a prebuilt malicious image to be served in place of a legitimate one, posing a severe supply chain risk.
The vulnerability does not require authentication, allowing crafted package lists to compromise build requests. OpenWrt warns that attackers could force legitimate requests to receive malicious images. While it’s unclear if this flaw has been exploited, users are urged to update to the latest version immediately to mitigate potential risks.
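To make the truncation risk concrete, here is an added Python example (not OpenWrt's or the ASU project's code) that contrasts a full-digest cache key with a 12-hex-character one, computes the birthday bound for each, and finds a collision empirically on a much shorter truncation; the package-list format is a constructed stand-in, not ASU's real request format.

```python
import hashlib
import math
from typing import Optional, Tuple


def full_key(package_list: bytes) -> str:
    """Cache key that keeps the whole SHA-256 digest (64 hex chars, 256 bits)."""
    return hashlib.sha256(package_list).hexdigest()


def truncated_key(package_list: bytes, hex_chars: int) -> str:
    """Cache key cut down to hex_chars hex digits (4 bits each): the unsafe contrast."""
    return full_key(package_list)[:hex_chars]


def expected_collision_trials(hex_chars: int) -> float:
    """Birthday bound: expected number of random inputs before two share a key.
    For a space of N = 2^bits values this is about sqrt(pi * N / 2)."""
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def empirical_collision(hex_chars: int,
                        max_trials: int = 1_000_000) -> Optional[Tuple[bytes, bytes, str]]:
    """Birthday search over constructed package lists until two map to the same
    truncated key. Returns (list_a, list_b, shared_key) or None if max_trials runs out."""
    seen = {}
    for i in range(max_trials):
        # Constructed sample input: package lists that differ only in a trailing comment line.
        pkg_list = b"luci\nwireguard-tools\n# build-id %d\n" % i
        key = truncated_key(pkg_list, hex_chars)
        if key in seen and seen[key] != pkg_list:
            return seen[key], pkg_list, key
        seen[key] = pkg_list
    return None


if __name__ == "__main__":
    # 12 hex chars = 48 bits: roughly 2^24 trials, well within reach of one machine.
    print(f"12 hex chars: ~{expected_collision_trials(12):,.0f} trials to expect a collision")
    # 64 hex chars = 256 bits: ~2^128 trials, which is infeasible.
    print(f"64 hex chars: ~{expected_collision_trials(64):.3g} trials")
    print("16-bit demo collision:", empirical_collision(4))
```

The fix the numbers point to is simply to key the cache on the full digest (or a stronger build-request identifier) rather than a truncated prefix.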