Programmer’s Digest #83
05/08/2024-05/15/2024 QakBot Exploits Microsoft Windows DWM Zero-Day Vulnerability, Malicious Python Package, VMware Fixes And More.
1. QakBot Exploits Microsoft Windows DWM Zero-Day Vulnerability
A zero-day vulnerability (CVE-2024-30051) in Microsoft Windows DWM has been identified and is currently being actively exploited by QakBot actors. This vulnerability allows local attackers to escalate their privileges to system level. Although a patch for this vulnerability has been released, exploits for the vulnerability have been observed in conjunction with QakBot and other malware. It is crucial for Windows users to update their systems with the latest security patches to mitigate the risk posed by this zero-day exploit.
2. Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library
Cybersecurity experts have uncovered a deceitful Python package masquerading as an offshoot of the widely-used requests library. Dubbed requests-darwin-lite, it secretly embeds a Golang version of the Sliver command-and-control framework within a PNG image of the project’s logo. This package, downloaded 417 times before its removal from PyPI, appears as a modified version of requests, but with a concealed malicious binary. Upon installation, it decodes and executes a Base64-encoded command to gather the system’s UUID, specifically targeting macOS systems. This discovery follows the detection of vue2util, a rogue npm package, which orchestrates a cryptojacking scheme. The sizable PNG file within requests-darwin-lite contains the hidden Sliver binary, indicating a potential targeted attack or a prelude to a broader campaign. This incident underscores the vulnerability of open-source ecosystems to malware distribution, necessitating systematic solutions to safeguard against such threats.
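The two traits described above (an install-time decode-and-execute hook, and an executable hidden inside an oversized "logo" PNG) are both checkable before a package is ever installed. The following triage script is an added example, not code from the digest or from any analysis of requests-darwin-lite; the setup.py text and the PNG bytes it inspects are constructed samples, and the function and signature names are this example's own.

```python
import ast
import struct
import zlib

# Executable signatures a project "logo" should never carry (Mach-O, fat Mach-O, ELF, PE).
EXEC_MAGIC = {b"\xcf\xfa\xed\xfe": "mach-o", b"\xfe\xed\xfa\xcf": "mach-o",
              b"\xca\xfe\xba\xbe": "mach-o-fat", b"\x7fELF": "elf", b"MZ": "pe"}
DECODERS = {"b64decode", "b32decode", "a85decode"}
EXECUTORS = {"exec", "eval", "system", "popen", "Popen", "run", "call", "check_output"}

def _call_name(node: ast.Call) -> str:
    """Bare function name of a call: 'b64decode' for base64.b64decode(...)."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def scan_install_hook(source: str) -> dict:
    """Flag a setup.py that both decodes an obfuscated blob and hands something to an executor."""
    names = {_call_name(n) for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)}
    decoders, executors = sorted(names & DECODERS), sorted(names & EXECUTORS)
    return {"decoders": decoders, "executors": executors, "suspicious": bool(decoders and executors)}

def trailing_payload(png: bytes) -> dict:
    """Walk the PNG chunk list to IEND and classify any bytes appended after the image ends."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            break
    else:
        raise ValueError("truncated PNG: no IEND chunk")
    extra = png[pos:]
    kind = next((k for magic, k in EXEC_MAGIC.items() if extra.startswith(magic)), None)
    return {"trailing_bytes": len(extra), "executable": kind}

def _chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Build one PNG chunk (used only to construct the sample image below)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed samples, not the real package's content: a 1x1 PNG with a fake Mach-O header glued
# after IEND, and a setup.py that decodes a Base64 blob and feeds it to subprocess.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IEND") + b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
SAMPLE_SETUP = ("import base64, subprocess\n"
                "subprocess.run(base64.b64decode('ZWNobyBjb25zdHJ1Y3RlZA=='), shell=True)\n")
```

Run over a downloaded sdist (never an installed one), a non-zero trailing_bytes count on an image, or an executable signature after IEND, is a stronger signal than file size alone, since a legitimate PNG ends at its IEND chunk.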
3. VMware Fixes Three Zero-day Bugs Exploited at Pwn2Own 2024
VMware patched four security vulnerabilities in Workstation and Fusion hypervisors, including three zero-days used in Pwn2Own Vancouver 2024. The most severe flaw, CVE-2024-22267, is a use-after-free bug in vbluetooth, allowing a local admin on a virtual machine to execute code in the VMX process on the host. Admins can temporarily disable Bluetooth support as a workaround. Two other high-severity bugs (CVE-2024-22269 and CVE-2024-22270) permit local admins to access privileged information from hypervisor memory. CVE-2024-22268, a heap buffer overflow in Shader, can cause a denial of service if 3D graphics are enabled. Pwn2Own saw researchers earn $1,132,500, with exploits targeting browsers and VMware Workstation. The STAR Labs SG and Theori teams won by exploiting VMware vulnerabilities for remote code execution and escaping VMs to execute code on the host OS. Google and Mozilla promptly patched zero-days exploited at the event.
4. Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code
The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.
The most severe of the vulnerabilities are listed below –
- CVE-2024-25641 (CVSS score: 9.1) – An arbitrary file write vulnerability in the “Package Import” feature that allows authenticated users having the “Import Templates” permission to execute arbitrary PHP code on the web server, resulting in remote code execution;
- CVE-2024-29895 (CVSS score: 10.0) – A command injection vulnerability that allows any unauthenticated user to execute arbitrary commands on the server when the “register_argc_argv” option of PHP is On.
Also addressed by Cacti are two other high-severity flaws that could lead to code execution via SQL injection and file inclusion –
- CVE-2024-31445 (CVSS score: 8.8) – An SQL injection vulnerability in api_automation.php that allows authenticated users to perform privilege escalation and remote code execution;
- CVE-2024-31459 (CVSS score: N/A) – A file inclusion issue in the “lib/plugin.php” file that could be combined with SQL injection vulnerabilities to result in remote code execution.
It’s worth noting that 10 out of the 12 flaws, with the exception of CVE-2024-29895 and CVE-2024-30268 (CVSS score: 6.1), impact all versions of Cacti up to and including 1.2.26. They have been addressed in version 1.2.27, released on May 13, 2024. The two other flaws affect the 1.3.x development versions.
5. New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024. The disclosure comes merely days after the company patched CVE-2024-4671, a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks.
With the latest fix, Google has addressed a total of six zero-days since the start of the year, three of which were demonstrated at the Pwn2Own hacking contest in Vancouver in March –
- CVE-2024-0519 – Out-of-bounds memory access in V8 (actively exploited)
- CVE-2024-2886 – Use-after-free in WebCodecs
- CVE-2024-2887 – Type confusion in WebAssembly
- CVE-2024-3159 – Out-of-bounds memory access in V8
- CVE-2024-4671 – Use-after-free in Visuals (actively exploited)
Users are recommended to upgrade to Chrome version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux to mitigate potential threats.