Programmer’s Digest #77
03/27/2024-04/03/2024: Flaw Found in Popular LayerSlider WordPress Plugin, Malicious Code in XZ Utils for Linux Systems, PyPI Halts Sign-Ups Amid Surge, and More.
1. Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, rated 9.8/10 on the CVSS scale, allows attackers to extract sensitive data via SQL injection in versions 7.9.11 through 7.10.0. The issue is patched in version 7.10.1, released on March 27, 2024. LayerSlider, a popular web content editor and design tool, has millions of users worldwide. The vulnerability arises from insufficient escaping of a user-supplied parameter, which lets attackers append their own SQL to the plugin's query. Separately, the WP-Members Membership Plugin was affected by an unauthenticated stored XSS flaw (CVE-2024-1852, CVSS score: 7.2), now fixed in version 3.4.9.3. That flaw lets attackers inject malicious scripts which, if executed within an administrator's session, could lead to account creation, redirection, and other attacks.
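The LayerSlider bug is a textbook case of a request parameter reaching a SQL statement without adequate escaping. The following Python example, added here and not taken from LayerSlider or WordPress, shows the same defect and its fix against an in-memory SQLite table; the `sliders` table, its columns and the sample rows are constructed assumptions, not the plugin's schema. It also shows why "escaping" alone is not a fix when the value lands in an unquoted numeric context, and contrasts both with parameter binding (the WordPress equivalent is `$wpdb->prepare()` with `%d`/`%s` placeholders).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a plugin's slider table.

    Table and column names are illustrative assumptions, not LayerSlider's schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO sliders (name, owner) VALUES (?, ?)",
        [("Home banner", "alice"), ("Promo", "bob"), ("Draft", "carol")],
    )
    conn.commit()
    return conn


def find_by_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    # Vulnerable: the request parameter is spliced into the SQL text, so quote
    # characters inside it change the query's structure instead of its data.
    sql = f"SELECT id, name FROM sliders WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn: sqlite3.Connection, slider_id: str) -> list:
    # Still vulnerable: single quotes are doubled, but the value is placed in a
    # numeric context with no quotes around it, so quote escaping changes nothing.
    escaped = slider_id.replace("'", "''")
    sql = f"SELECT id, name FROM sliders WHERE id = {escaped}"
    return conn.execute(sql).fetchall()


def find_by_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Hardened: parameter binding. The driver sends the value separately from the
    # statement text, so it can only ever be compared as data.
    return conn.execute(
        "SELECT id, name FROM sliders WHERE owner = ?", (owner,)
    ).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, slider_id: str) -> list:
    # Hardened: validate the type first, then bind. int() raises ValueError for
    # anything that is not a plain integer literal.
    return conn.execute(
        "SELECT id, name FROM sliders WHERE id = ?", (int(slider_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered_owner = "alice' OR '1'='1"  # constructed sample input
    tampered_id = "2 OR 1=1"             # constructed sample input
    print("unsafe owner lookup:", find_by_owner_unsafe(db, tampered_owner))  # every row
    print("escaped id lookup:  ", find_by_id_escaped(db, tampered_id))        # still every row
    print("safe owner lookup:  ", find_by_owner_safe(db, tampered_owner))    # []
    try:
        find_by_id_safe(db, tampered_id)
    except ValueError as exc:
        print("safe id lookup rejected input:", exc)
```

Run as a script, the two hardened functions return no rows (or reject the input outright) for the same tampered values that make the unsafe variants return the whole table. The useful review habit is to grep plugin code for query strings built with concatenation or `sprintf`-style formatting and confirm every user-controlled value goes through a prepared statement, regardless of whether it looks "escaped".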
2. Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
A recent analysis uncovered malicious code inserted into XZ Utils, a commonly used package in major Linux distributions. Tracked as CVE-2024-3094 with a CVSS score of 10.0, the compromise allows remote code execution. Microsoft engineer Andres Freund discovered the backdoor, which enables attackers to bypass secure shell (SSH) authentication and gain complete system access. He found it during micro-benchmarking, after noticing unusual CPU usage in sshd processes. The compromised XZ Utils versions 5.6.0 and 5.6.1 were released in February 2024. Project maintainer Jia Tan introduced the changes, in an effort possibly orchestrated over multiple years. The sophisticated attack involved social engineering with fake accounts and requests for co-maintainer status. The breach underscores the threat of supply chain attacks, with potentially severe consequences had the code been integrated into stable Linux releases.
3. PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers
The Python Package Index (PyPI) temporarily halted new user sign-ups in response to a surge of malicious projects uploaded as part of a typosquatting campaign. The suspension, aimed at stopping the malware upload campaign, lasted 10 hours and ended on March 28, 2024. Threat actors flooded the repository with typosquatted versions of popular packages, targeting developers in order to steal crypto wallets, browser data, and credentials. Over 100 malicious packages, including variations of ML libraries, were detected. The attack, automated and decentralized, involved over 500 deceptive variants uploaded from a single account starting March 26, 2024. The malware, detected on Windows systems, steals files, Discord tokens, browser data, and cryptocurrency wallets. This incident underscores the growing threat of software supply chain attacks and the need for developers to scrutinize third-party components rigorously. PyPI has previously suspended user registrations several times over similar security concerns.
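Typosquatting works because a name one edit away from a popular package is easy to mistype and easy to miss in review. A cheap defensive control is to check the names in a requirements file against a list of popular packages and flag near-misses before installation. The example below is added here and is not PyPI's own tooling; the `POPULAR` list is a small constructed stand-in for whatever download-ranked list a team maintains, and the length-scaled threshold is an assumption chosen to avoid flagging short legitimate names.

```python
import re

# Constructed stand-in for a maintained list of popular package names (assumption).
POPULAR = [
    "requests", "numpy", "pandas", "torch", "tensorflow",
    "scikit-learn", "matplotlib", "urllib3",
]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR) -> list:
    """Return (popular_name, distance) pairs the given name is suspiciously close to.

    An exact match after normalization is the real package and yields no findings.
    Threshold assumption: 1 edit for names up to 6 characters, 2 edits otherwise.
    """
    n = normalize(name)
    max_distance = 1 if len(n) <= 6 else 2
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            return []
        d = edit_distance(n, pn)
        if d <= max_distance:
            hits.append((p, d))
    return sorted(hits, key=lambda t: t[1])


def check_requirements(lines) -> dict:
    """Scan requirements-style lines; map each suspicious name to its near matches."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Package name ends at the first version operator, extra marker or space.
        name = re.split(r"[<>=!~\[; ]", line, 1)[0]
        cands = typosquat_candidates(name)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    # Constructed sample requirements, one of them a typo for a real package.
    sample = ["requsts==2.31.0", "numpy>=1.26", "scikit_learn", "# pinned for CI"]
    for name, cands in check_requirements(sample).items():
        print(f"{name!r} looks like a typo of: {cands}")
```

Wire `check_requirements` into a pre-install step or a CI job that fails on any finding; a human then decides whether the name is a genuine new dependency or a slip. The check only catches edit-distance lookalikes, so keep it alongside pinned hashes and an internal mirror rather than relying on it alone.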
4. CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in Microsoft SharePoint Server, CVE-2023-24955 (CVSS score: 7.2), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw permits authenticated attackers with Site Owner privileges to execute code remotely. Microsoft patched it in May 2023. CISA's move follows the addition of CVE-2023-29357, a privilege escalation flaw, to the KEV catalog two months earlier. An exploit chain combining both vulnerabilities was demonstrated at Pwn2Own Vancouver, but there is currently no public information on active attacks or the threat actors involved. Microsoft advises enabling automatic updates for protection.
5. Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
Cybersecurity researchers warn of active exploitation of an unpatched vulnerability in Anyscale Ray, an open-source AI platform, for illicit cryptocurrency mining. Dubbed “ShadowRay,” the campaign has been hijacking computing power since September 2023 across sectors such as education and biopharma. Ray, used by major companies, is affected by CVE-2023-48022 (CVSS: 9.8), which allows remote code execution. Anyscale does not plan to fix it immediately, citing its intended security boundaries, but plans to add authentication in future versions. Exploiting flaws in Ray components enables unauthorized job submissions and access to sensitive information. Oligo observed hundreds of GPU clusters breached, exposing critical credentials and enabling cryptocurrency mining. Anyscale has released a Ray Open Ports Checker to address cluster security concerns.