Programmer’s Digest #94
07/31/2024-08/07/2024 New Linux Kernel Exploit Technique ‘SLUBStick’, Critical Security Flaw in WhatsUp Gold, Malicious Python Packages And More.
1. New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers
Cybersecurity researchers have discovered a new Linux kernel exploitation technique called SLUBStick, which can elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. Researchers from Graz University of Technology explained that SLUBStick exploits a timing side-channel of the allocator for a reliable cross-cache attack, achieving a success rate above 99% for frequently used generic caches.
Memory safety vulnerabilities in the Linux kernel are typically hard to exploit due to security features like SMAP, KASLR, and kCFI. Traditional cross-cache attack methods have a success rate of only 40%. SLUBStick, demonstrated on Linux kernel versions 5.19 and 6.2, uses nine security flaws found between 2021 and 2023 to achieve root privilege escalation and container escapes. The method effectively bypasses defenses like KASLR, assuming a heap vulnerability is present and an unprivileged user can already execute code on the system.
The researchers noted SLUBStick’s ability to exploit recent systems with a variety of heap vulnerabilities.
2. Critical Security Flaw in WhatsUp Gold Under Active Attack – Patch Now
A critical security flaw in Progress Software’s WhatsUp Gold is under active exploitation, urging users to quickly apply the latest updates. The vulnerability, CVE-2024-4885 (CVSS score: 9.8), is an unauthenticated remote code execution bug in versions before 2023.1.3. It allows execution of commands with iisapppool\nmconsole privileges due to inadequate validation of user-supplied paths in the GetFileWithoutZip method.
Exploitation attempts have been observed since August 1, 2024, with a proof-of-concept exploit released by researcher Sina Kheirkhah. Version 2023.1.3 also addresses two other critical flaws (CVE-2024-4883 and CVE-2024-4884) and a high-severity privilege escalation issue (CVE-2024-5009). Admins must apply updates and restrict traffic to trusted IP addresses to mitigate threats.
3. 0.0.0.0 Day exploit reveals 18-year-old security flaw in Chrome, Safari, and Firefox
An 18-year-old vulnerability, the “0.0.0.0 Day” flaw, allows malicious websites to bypass security protocols in major browsers like Google Chrome, Mozilla Firefox, and Apple Safari. This flaw mainly impacts Linux and macOS devices, enabling threat actors to change settings, access sensitive information, and execute remote code. Initially reported in 2008, the issue remains unresolved, though developers are working on fixes.
The vulnerability stems from inconsistent security mechanisms and the use of the “wildcard” IP address 0.0.0.0, which attackers exploit to target local services. Researchers at Oligo Security have noted active exploitation by threat actors, with campaigns targeting AI workloads and Selenium Grid servers.
Browser developers are planning updates to block access to 0.0.0.0. Meanwhile, Oligo recommends using Private Network Access (PNA) headers, verifying Host headers, and employing HTTPS and CSRF tokens for added security.
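As an added defender-side illustration of two of those recommendations (this is example code, not Oligo's or any browser vendor's): a loopback-only service refuses requests whose Host header does not name the loopback interface, and answers the Private Network Access preflight only for an allowlisted origin. The allowlists are constructed values.

```python
"""Host-header and Private Network Access (PNA) preflight checks for a service
listening on loopback.  Added example, not Oligo's or any browser vendor's code;
the allowlists are constructed values for illustration."""

# Constructed allowlist: the only hostnames accepted in the Host header.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Constructed allowlist: browser origins allowed to talk to the service.
ALLOWED_ORIGINS = {"http://localhost:8080"}


def host_is_local(host_header):
    """True only if Host names the loopback interface (optional port stripped).

    0.0.0.0 and every non-loopback name are rejected, so a request that reached
    the service through the wildcard address is refused before any handler runs."""
    if not host_header:
        return False
    value = host_header.strip().lower()
    if value.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8000
        end = value.find("]")
        hostname = value[1:end] if end != -1 else ""
    elif ":" in value:                     # name or IPv4 literal with a port
        hostname = value.rsplit(":", 1)[0]
    else:
        hostname = value
    return hostname in ALLOWED_HOSTS


def pna_preflight_response(headers):
    """Answer a PNA preflight (OPTIONS carrying Access-Control-Request-Private-Network).

    Returns the response headers to send, or {} to deny; on a denial the browser
    drops the real request to the private address."""
    if headers.get("Access-Control-Request-Private-Network", "").lower() != "true":
        return {}
    origin = headers.get("Origin", "")
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Private-Network": "true"}


def check_request(method, headers):
    """Gate for one request: ('deny', {}) or ('allow', headers_to_add)."""
    if not host_is_local(headers.get("Host")):
        return ("deny", {})
    if method.upper() == "OPTIONS":
        extra = pna_preflight_response(headers)
        return ("allow", extra) if extra else ("deny", {})
    return ("allow", {})
```

Wire `check_request` in before routing (for example as WSGI middleware) so the Host check runs for every request, including the preflight.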
4. Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform
Threat actors are tricking users into downloading malware via Stack Exchange, targeting developers with bogus Python packages that drain cryptocurrency wallets.
The rogue packages include:
- raydium (762 downloads)
- raydium-sdk (137 downloads)
- sol-instruct (115 downloads)
- sol-structs (292 downloads)
- spl-types (776 downloads)
These packages, downloaded 2,082 times, contained malware that stole data, including web browser passwords, cryptocurrency wallets, and messaging app information. They also captured screenshots and searched for sensitive files. The data was exfiltrated to Telegram bots. The malware included a backdoor for persistent remote access.
The attackers used Stack Exchange to promote these packages by posting seemingly helpful answers to developer questions. This campaign highlights the need for developers and organizations to reassess their security strategies to prevent supply chain attacks.
5. North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS
Threat actors in an ongoing malware campaign, dubbed DEV#POPPER and linked to North Korea, have expanded their tactics to target Windows, Linux, and macOS systems. This campaign targets software developers globally, including South Korea, North America, Europe, and the Middle East.
Securonix researchers revealed that the attackers pose as interviewers, urging candidates to download a ZIP file for a coding assignment. This file contains a malicious npm module that triggers the BeaverTail malware, which identifies the operating system and exfiltrates data.
The malware can also download additional payloads, including the InvisibleFerret Python backdoor, which steals system metadata, browser cookies, and logs keystrokes. Enhanced obfuscation and AnyDesk remote monitoring software are used for persistence. Despite heavy sanctions, North Korea continues to import foreign technology to enhance its operational security.