Programmer’s Digest #72

02/21/2024-02/28/2024 WordPress LiteSpeed Plugin Vulnerability, Dormant PyPI Package, Malicious npm Packages And More.

1. WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2023-40000) allows unauthenticated users to escalate privileges. It was patched in version 5.7.0.1 (Oct 2023); the latest version is 6.1 (Feb 5, 2024). The plugin, with over 5 million installs, aims to enhance site performance. The vulnerability stems from a lack of user input sanitization in the update_cdn_status() function: an XSS payload placed in an admin notice triggers the flaw, and it is exploitable by any user in the wp-admin area. Four months earlier, Wordfence disclosed another XSS flaw (CVE-2023-4372) in the same plugin (version 5.7), which permits authenticated attackers (contributor-level and above) to inject arbitrary web scripts, posing a risk to page visitors.

2. Dormant PyPI Package Compromised to Spread Nova Sentinel Malware

A Python package on PyPI, “django-log-tracker,” lay dormant for nearly two years before being updated with Nova Sentinel malware. Phylum, a security firm, detected the anomalous update on February 21, 2024. Although the linked GitHub repository had remained unchanged since April 10, 2022, the malicious update suggests a compromised PyPI account. The package has been downloaded 3,866 times in total, with the rogue version (1.0.4) downloaded 107 times before its removal from PyPI. The update stripped most of the original content, leaving only “__init__.py” and “example.py.” It fetches and executes “Updater_1.4.4_x64.exe” from a remote server, which embeds Nova Sentinel. This malware was initially found in fake Electron apps on dubious gaming sites. Phylum described the incident as an attempted supply-chain attack carried out through a compromised PyPI account. Such attacks could impact projects relying on unversioned or flexibly versioned dependencies, since a resolver will happily pick up the newest release.
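As an added example (not code from the digest or from Phylum), the Python audit below shows why the last point matters: it parses a requirements file and reports which specifiers would let a resolver install a rogue release such as django-log-tracker 1.0.4. The sample requirements file, its specifiers and the pinned version 1.0.2 are constructed for illustration, and the version comparison is a simplified PEP 440 (numeric dotted versions only).

```python
import re

ROGUE_VERSION = "1.0.4"  # the rogue django-log-tracker release named in the digest

# Constructed sample requirements file: the package name is from the digest,
# the specifiers and the pinned version 1.0.2 are assumptions for illustration.
SAMPLE_REQUIREMENTS = """\
# unversioned: whatever is newest on PyPI gets installed
django-log-tracker
django-log-tracker>=1.0
django-log-tracker~=1.0
django-log-tracker==1.0.2
"""

# name, optional operator, optional version (only ==, >=, ~= are handled here)
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|~=)\s*([0-9][0-9.]*))?\s*$"
)


def parse_version(text):
    """Simplified PEP 440: numeric dotted versions only, no pre/post/dev tags."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(line):
    """Split one requirement line into (normalized name, operator, version)."""
    match = REQ_RE.match(line)
    if not match:
        raise ValueError(f"unsupported requirement syntax: {line!r}")
    name, op, version = match.groups()
    return name.lower(), op, version


def accepts(op, spec, candidate):
    """Would a resolver consider `candidate` acceptable under this specifier?"""
    if op is None:  # no specifier at all: the newest release wins
        return True
    cand, want = parse_version(candidate), parse_version(spec)
    if op == "==":
        return cand == want
    if op == ">=":
        return cand >= want
    # ~=X.Y means >=X.Y and ==X.*: every component but the last is fixed
    prefix = want[:-1]
    return cand >= want and cand[: len(prefix)] == prefix


def audit(requirements_text, rogue=ROGUE_VERSION):
    """Return the requirement lines that would let a resolver install `rogue`."""
    exposed = []
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, op, spec = parse_requirement(line)
        if accepts(op, spec, rogue):
            exposed.append(line.strip())
    return exposed


if __name__ == "__main__":
    for line in audit(SAMPLE_REQUIREMENTS):
        print(f"would pull {ROGUE_VERSION}: {line}")
```

Only the exact pin survives the check; in practice a pin should be combined with `--hash` entries so that even a re-uploaded version with the same number is rejected.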

3. North Korean Hackers Targeting Developers with Malicious npm Packages

Phylum’s recent findings reveal a group of fake npm packages linked to North Korean state actors. Among these are “execution-time-async” and others masquerading as legitimate Node.js utilities. “execution-time-async” alone, disguised as a widely used library, was downloaded 302 times before removal, installing malware such as cryptocurrency stealers. The attack relies on obfuscated code in a test file that fetches payloads from a remote server to steal credentials and execute malicious actions. The campaign involves GitHub accounts with repositories such as “File-Uploader” and “auth-playground,” suggesting ongoing efforts to bypass takedowns. Additionally, a package called “next-assessment” references a dependency served from a suspicious domain, indicating potential social engineering tactics. This scheme shares similarities with “Contagious Interview,” which targets developers through fake job portals to distribute malware.

4. New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Cybersecurity researchers have uncovered two authentication bypass flaws in Wi-Fi software used in Android, Linux, and ChromeOS, allowing attackers to deceive users into connecting to malicious networks or to access trusted networks without passwords. Tracked as CVE-2023-52160 and CVE-2023-52161, the flaws were found in wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively. These vulnerabilities enable interception of traffic and unauthorized access to protected networks, posing risks such as malware infections and data theft. While CVE-2023-52160 affects Android devices using wpa_supplicant, CVE-2023-52161 impacts Linux-based access points. Exploitation often requires physical proximity to the victim. Major Linux distributions have issued advisories, and ChromeOS has addressed the wpa_supplicant issue; however, fixes for Android remain pending.

5. Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

The Xeno RAT, an intricately designed remote access trojan (RAT), has surfaced on GitHub, available for free. Developed in C#, it is compatible with Windows 10 and 11, boasting features such as real-time audio recording and a hidden hVNC module. Its builder allows customization for tailored attacks. Notably, its creator, moom825, is also behind DiscordRAT 2.0. Xeno RAT distribution via the Discord CDN highlights the growing trend of readily accessible malware. Its propagation relies on disguised shortcut files as the downloader vector, with DLL side-loading used for execution. Concurrently, AhnLab discovered Nood RAT, a variant of Gh0st RAT, targeting Linux systems. Despite its simplicity, Nood RAT employs encryption and executes various malicious tasks commanded by threat actors, showcasing the evolving landscape of RAT-based attacks.
