Programmer’s Digest #82
05/02/2024-05/08/2024 Hackers Exploit LiteSpeed Cache Bug, ROOTROT Webshell in Network Attack And More.
1. Hackers Exploit LiteSpeed Cache Bug to Create WordPress Admins
Hackers are exploiting an outdated LiteSpeed Cache plugin in WordPress, targeting sites to gain admin control. LiteSpeed Cache, used in over 5 million sites, promises faster loads and better rankings. WPScan noted a surge in attacks on versions older than 5.7.0.1 due to a severe cross-site scripting flaw (CVE-2023-40000). Over 1.2 million probing requests originated from a single IP. Attackers inject malicious code into WordPress files, creating admin users like ‘wpsupp-user’ or ‘wp-configuser’. The presence of “eval(atob(Strings.fromCharCode” in the database signals infection. While many users upgraded, 1,835,000 remain vulnerable.
Another campaign targets the “Email Subscribers” plugin, exploiting CVE-2024-2876 for SQL injection. Despite its smaller user base (90,000 installs), the attacks highlight how persistent attackers are. Admins must update plugins, remove unnecessary components, and monitor for new admin accounts. In case of a breach, a thorough cleanup, including resetting passwords and restoring clean backups, is essential.
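The two indicators the report gives for the LiteSpeed Cache campaign (the `eval(atob(...fromCharCode` string in the database and the rogue admin accounts) are easy to check mechanically. The script below is an added example, not code from WPScan or the plugin; it runs over constructed sample rows shaped like `wp_options` and `wp_users` exports. It matches the signature exactly as quoted in the report and also the standard JavaScript spelling `String.fromCharCode` (an assumption about how the payload is written), and it flags any administrator login the site owner has not vouched for, not just the two names the report lists.

```python
"""Scan WordPress table rows for the LiteSpeed Cache campaign indicators.

Added example: inputs are constructed, not taken from a real site.
"""
import re
from dataclasses import dataclass

# Signature quoted in the report ("Strings.fromCharCode"); the optional 's'
# also accepts the standard JavaScript name String.fromCharCode (assumption).
INJECTION_SIGNATURE = re.compile(r"eval\(atob\(Strings?\.fromCharCode", re.IGNORECASE)

# Account names the report says the campaign creates.
ROGUE_ADMIN_NAMES = {"wpsupp-user", "wp-configuser"}


@dataclass
class Finding:
    table: str
    row_id: int
    reason: str


def scan_options(rows):
    """rows: (option_id, option_name, option_value) tuples as exported from wp_options."""
    findings = []
    for option_id, option_name, option_value in rows:
        if INJECTION_SIGNATURE.search(option_value):
            findings.append(Finding("wp_options", option_id, f"injection signature in {option_name}"))
    return findings


def scan_users(users, known_admins):
    """users: (ID, user_login, role) tuples; known_admins: logins the owner vouches for."""
    findings = []
    for user_id, login, role in users:
        if login in ROGUE_ADMIN_NAMES:
            findings.append(Finding("wp_users", user_id, f"known rogue account {login!r}"))
        elif role == "administrator" and login not in known_admins:
            findings.append(Finding("wp_users", user_id, f"unexpected administrator {login!r}"))
    return findings


# Constructed sample data: one injected option value, one rogue account,
# one unexplained administrator, and benign rows around them.
SAMPLE_OPTIONS = [
    (1, "siteurl", "https://example.test"),
    (42, "litespeed.conf.cdn", "<script>eval(atob(String.fromCharCode(97,98)))</script>"),
    (43, "widget_text", "Welcome to the blog"),
]
SAMPLE_USERS = [
    (1, "alice", "administrator"),
    (7, "wpsupp-user", "administrator"),
    (8, "bob", "editor"),
    (9, "mallory", "administrator"),
]
KNOWN_ADMINS = {"alice"}


def run_scan(options=SAMPLE_OPTIONS, users=SAMPLE_USERS, known_admins=KNOWN_ADMINS):
    """Returns all findings, database rows first, then user rows."""
    return scan_options(options) + scan_users(users, known_admins)


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f.table} id={f.row_id}: {f.reason}")
```

On a real site the same functions can be fed the output of `wp db query` or a mysqldump; the point is that a signature match is only half the check, and an administrator account nobody recognises is the other half.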
2. Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks
HPE Aruba Networking issued security updates for critical vulnerabilities in ArubaOS, posing a risk of remote code execution. Of the 10 security defects, four are rated critical in severity, all of them unauthenticated buffer overflows:
- CVE-2024-26304 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol;
- CVE-2024-26305 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol;
- CVE-2024-33511 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol;
- CVE-2024-33512 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol.
Exploitation involves sending crafted packets to the Process Application Programming Interface (PAPI) UDP port (8211), granting attackers the ability to execute code on affected systems. Vulnerable software versions encompass ArubaOS 10.5.1.0 and below, impacting Mobility Conductor, Controllers, and WLAN Gateways. Even end-of-maintenance versions like ArubaOS 8.6.x.x are affected. Security researcher Chancen discovered seven of the issues. Users should promptly apply updates to mitigate risks, with temporary measures recommended for ArubaOS 8.x.
3. MITRE Reveals that Chinese Hackers Used ROOTROT Webshell in Network Attack
MITRE Corporation, a non-profit serving US government research, revealed a breach by sophisticated nation-state hackers, likely Chinese group UNC5221. Exploiting Ivanti Connect Secure VPN flaws (CVE-2023-46805, CVE-2024-21887), they infiltrated MITRE’s NERVE network. After gaining access, they moved within VMware, installing webshells and backdoors to steal data. MITRE’s response contained the breach, confirming NERVE’s isolation from other networks. While unnamed, the attackers resemble UNC5221 observed by firms like Mandiant exploiting Ivanti vulnerabilities. The incident underscores persistent risks for national security and tech research. MITRE collaborates with law enforcement for investigation and plans to share insights to bolster future defenses.
4. CISA Urges Software Devs to Weed Out Path Traversal Vulnerabilities
CISA and the FBI advised software companies to eliminate path traversal vulnerabilities, which allow attackers to manipulate file paths to execute code or bypass security measures. Exploiting these flaws, threat actors can access sensitive data or disrupt systems. Recent incidents in critical infrastructure prompted this warning. They urged developers to implement preventive measures such as generating unique identifiers for files, restricting file name characters, and ensuring non-executable permissions for uploads. Path traversal vulnerabilities rank among the top software weaknesses according to MITRE. This alert follows previous warnings about SQL injection vulnerabilities, which also pose significant risks.
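The three measures CISA names (unique identifiers for stored files, a restricted character set for names, non-executable permissions on uploads) fit together in one upload handler. The code below is an added example, not from the CISA alert; it shows the traversal-prone path construction beside a hardened version. `UPLOAD_ROOT`, `ALLOWED_EXTENSIONS` and the helper names are assumptions for the demo, and `scratch_root()` exists only so the write path can run without a real `/var/app/uploads`.

```python
"""Upload-path handling: traversal-prone version beside a hardened one.

Added example; UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumed values.
"""
import os
import re
import stat
import tempfile
import uuid

UPLOAD_ROOT = "/var/app/uploads"                    # assumption: the app's upload directory
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "txt"}   # assumption: what this app accepts


def vulnerable_upload_path(client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Trusts the client-supplied name. '../' segments walk out of the upload
    directory, and an absolute name discards the root (os.path.join semantics)."""
    return os.path.normpath(os.path.join(root, client_filename))


def is_within(root: str, candidate: str) -> bool:
    """True only if candidate, once normalised, still sits under root."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def hardened_upload_path(client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Never reuses the client name as a path component:
    - the stored name is a random identifier (unique identifiers for files);
    - only a whitelisted lowercase extension survives (restricted characters);
    - the result is re-checked against the root as defence in depth."""
    basename = re.split(r"[\\/]", client_filename)[-1]   # drop any directory part, / or \
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    if ext not in ALLOWED_EXTENSIONS:
        ext = "bin"                                        # unknown types lose their extension
    stored = os.path.join(root, f"{uuid.uuid4().hex}.{ext}")
    if not is_within(root, stored):                        # cannot fail by construction; kept as a guard
        raise ValueError("resolved path escaped the upload root")
    return stored


def save_upload(data: bytes, client_filename: str, root: str = UPLOAD_ROOT) -> dict:
    """Writes with O_EXCL (no clobbering) and mode 0o640, so the file is never executable."""
    dest = hardened_upload_path(client_filename, root)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    mode = stat.S_IMODE(os.stat(dest).st_mode)
    return {"path": dest, "mode": mode, "executable": bool(mode & 0o111)}


def scratch_root() -> str:
    """Temporary upload directory so the demo can run without /var/app/uploads."""
    return tempfile.mkdtemp(prefix="uploads-")


if __name__ == "__main__":
    evil = "../../../etc/passwd"
    bad = vulnerable_upload_path(evil)
    print("vulnerable:", bad, "inside root?", is_within(UPLOAD_ROOT, bad))
    print("hardened:  ", hardened_upload_path(evil))
    print("saved:     ", save_upload(b"hello", "notes.txt", scratch_root()))
```

The important design choice is that the client's string never becomes part of the path at all; the `is_within` check is a backstop, not the primary defence. Sanitising the name in place (stripping `../` and hoping nothing else gets through) is the pattern that keeps producing the CVEs the alert refers to.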