Programmer’s Digest #67
01/17/2024 - 01/24/2024: Malicious NPM Packages, ~40,000 Attacks in 3 Days, MavenGate Attack Could Let Hackers Hijack Java, and More.
1. Patch Your GoAnywhere MFT Immediately – Critical Flaw Lets Anyone Be Admin
A critical security flaw has been disclosed in Fortra’s GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user. Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10. Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. The issue is the result of a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint that could be exploited to create administrative users. Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services.
2. Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
Two malicious npm packages, warbeast2000 and kodiak2k, have been discovered using GitHub to store Base64-encoded SSH keys stolen from developers. Uploaded at the beginning of the month, the packages attracted 412 and 1,281 downloads respectively before npm took them down on January 21, 2024. Security firm ReversingLabs found eight versions of warbeast2000 and over 30 versions of kodiak2k. Both run postinstall scripts: warbeast2000 attempts to read private SSH keys, while kodiak2k searches for a key named “meow.” Lucija Valentić, a security researcher at ReversingLabs, explained that warbeast2000 uploads the key to an attacker-controlled GitHub repository. Later versions of kodiak2k execute a script fetched from an archived GitHub project, which launches the Mimikatz tool to extract credentials. Valentić emphasized that the incident shows cybercriminals exploiting open-source package managers to carry out software supply chain attacks against both development and end-user organizations.
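As an added example (not code from ReversingLabs or from the original post), the following Python audit walks a node_modules tree, lists every package that declares an npm install-time hook, and flags hook commands that reference SSH key material, the pattern both packages above relied on. The package names, the sample tree and the regular expression are constructed for this demonstration.

```python
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs automatically during install; warbeast2000 and
# kodiak2k both delivered their payload through a postinstall script.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Strings that have no business in an install hook: SSH key paths or a
# download piped straight into a shell. Constructed starting point, not a full signature.
SUSPICIOUS = re.compile(r"\.ssh\b|id_(rsa|ed25519|ecdsa)|curl[^|]*\|\s*(ba)?sh\b", re.I)


def audit_install_hooks(node_modules):
    """Return [(package, hook, command, suspicious)] for every package declaring an install hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((meta.get("name", root), hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def build_sample_tree():
    """Constructed node_modules with one benign package and one whose postinstall reads an SSH key."""
    base = tempfile.mkdtemp()
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.0.0", "scripts": {"test": "node test.js"}},
        "evil-pkg": {"name": "evil-pkg", "version": "1.0.0", "scripts": {"postinstall": "cat $HOME/.ssh/id_rsa"}},
    }
    for name, meta in samples.items():
        pkg_dir = os.path.join(base, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return base
```

Running the audit on a tree fetched with `npm install --ignore-scripts` shows what would have executed before any hook is allowed to run.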
3. ~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation
Malicious actors have begun actively exploiting a recently disclosed critical security flaw in Atlassian Confluence Data Center and Confluence Server. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability affects out-of-date versions of the software and allows unauthenticated attackers to achieve remote code execution on susceptible installations. It affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5. Over 11,000 Atlassian instances were found to be reachable over the internet as of January 21, 2024, although it is not yet known how many of them are vulnerable to CVE-2023-22527. The flaw lets unauthenticated attackers inject OGNL expressions into the Confluence instance, enabling execution of arbitrary code and system commands.
4. PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft
Multiple security vulnerabilities, collectively named PixieFail by Quarkslab, have been disclosed in the TCP/IP network protocol stack of the widely used Unified Extensible Firmware Interface (UEFI) specification. The nine issues, found in the TianoCore EFI Development Kit II (EDK II), can lead to remote code execution, denial-of-service (DoS), DNS cache poisoning, and sensitive information leakage. UEFI firmware from major providers such as AMI, Intel, Insyde, and Phoenix Technologies is affected. The vulnerabilities stem from overflow bugs, out-of-bounds reads, infinite loops, and a weak pseudorandom number generator in EDK II’s NetworkPkg, and they affect network boot during the Preboot eXecution Environment (PXE) stage. Each issue has its own CVE identifier and CVSS score. Their impact and exploitability depend on the firmware build and the default PXE boot configuration.
5. MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries
Numerous widely used Java and Android libraries are vulnerable to a novel software supply chain attack called MavenGate. Oversecured reported that purchasing expired domain names could be used to hijack access to projects, exploiting default build configurations in a way that makes the attack difficult to detect. The attack can inject malicious code into dependencies and compromise the build process via a malicious plugin. All Maven-based technologies, including Gradle, are susceptible, affecting over 200 companies such as Google, Facebook, and Amazon. Apache Maven, central to Java projects, is a target because dependencies in public repositories can be compromised. The attack involves obtaining an expired domain, asserting rights over it through a DNS TXT record, and thereby gaining access to the vulnerable groupIds tied to that domain. While Maven Central believes the outlined attack is infeasible because of the automation it has in place, Oversecured stresses that developers and end-users both have crucial roles in securing direct and transitive dependencies.
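As an added example (not Oversecured’s tooling or any project’s own code), this Python script reads a constructed pom.xml, maps each reverse-DNS groupId to the domain whose registrant could claim it, and flags dependencies whose version is a range or LATEST/RELEASE, since those pull whatever a hijacked groupId publishes next. Assumptions: the two-label domain rule ignores suffixes such as co.uk, and io.github./com.github. are treated as account-verified rather than domain-verified namespaces.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml standing in for a real project's dependency list.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example.widgets</groupId><artifactId>core</artifactId><version>2.1.0</version></dependency>
    <dependency><groupId>com.example.widgets</groupId><artifactId>extras</artifactId><version>[2.0,)</version></dependency>
    <dependency><groupId>io.github.someuser</groupId><artifactId>util</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""

# Namespaces tied to a hosting account rather than a purchasable domain (assumption about Central's policy).
ACCOUNT_BASED = ("io.github.", "com.github.")


def controlling_domain(group_id):
    """Domain whose registrant can claim a reverse-DNS groupId, or None if no domain applies."""
    if group_id.startswith(ACCOUNT_BASED):
        return None
    labels = group_id.split(".")
    if len(labels) < 2:
        return None  # single-token legacy groupId: not domain-verifiable at all
    return f"{labels[1]}.{labels[0]}"  # assumption: plain TLD; co.uk-style suffixes need a suffix list


def is_pinned(version):
    """True only for an exact version; ranges and LATEST/RELEASE resolve to whatever is newest."""
    return bool(version) and version not in ("LATEST", "RELEASE") and not version.startswith(("[", "("))


def audit_pom(pom_xml):
    """Return {(groupId, artifactId): {"domain": ..., "pinned": bool}} for every dependency."""
    root = ET.fromstring(pom_xml)
    report = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        report[(gid, aid)] = {"domain": controlling_domain(gid), "pinned": is_pinned(ver)}
    return report
```

The domains in the report are the ones whose registration must not lapse; checking their expiry against WHOIS is the follow-up step and is left out here because it needs network access.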
6. U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw, CVE-2023-35082, affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities catalog. The flaw, now patched, is an authentication bypass that could expose users’ personal information. Ivanti disclosed the vulnerability in August 2023, urging users to update to version 11.11.0.0. It could be chained with CVE-2023-35081 to let attackers write malicious web shell files. Although no details of real-world exploitation have been published, federal agencies are advised to apply the fixes by February 8, 2024. Separately, two zero-day flaws in Ivanti Connect Secure VPN devices are under mass exploitation, prompting the company to release updates next week. The attacks, initially linked to a Chinese threat actor, have since attracted additional threat actors globally and have compromised over 2,100 devices across various sectors. Organizations are urged to apply Ivanti’s mitigation again after importing backup configurations, to prevent re-compromise.