
Programmer’s Digest #98

08/28/2024-09/04/2024 Malicious npm Packages Mimicking ‘noblox.js’, Critical Fortra FileCatalyst Workflow Vulnerability, Critical Apache OFBiz Flaw And More.

1. Malicious npm Packages Mimicking ‘noblox.js’ Compromise Roblox Developers’ Systems

Roblox developers are being targeted by a campaign using fake npm packages to compromise systems, highlighting the ongoing exploitation of trust in the open-source ecosystem. Attackers mimic the popular “noblox.js” library, publishing malicious packages like noblox.js-proxy-server and noblox-ts to steal data and deliver malware, including the Luna Token Grabber and Quasar RAT. These packages are deceptively named, such as noblox.js-async and noblox.js-api, to appear legitimate. They use tactics like starjacking, linking to the real noblox.js repository. The malware steals Discord tokens, evades detection, and ensures persistence by altering Windows Registry settings. Developers must remain vigilant against these threats, as new malicious packages continue to surface.

2. North Korean Hackers Target Developers with Malicious npm Packages

A set of fake npm packages linked to North Korean state-sponsored actors has been uncovered, according to Phylum. The packages, including execution-time-async, data-time-utils, and mongodb-connection-utils, were designed to steal credentials and cryptocurrency. execution-time-async, for example, mimics the legitimate execution-time library, which has over 27,000 weekly downloads. These packages, downloaded over 300 times before takedown, concealed malicious scripts within test files, targeting browsers like Chrome and Brave. Connections to North Korean actors emerged through obfuscated JavaScript resembling BeaverTail malware, linked to the Contagious Interview campaign, which targets developers through fake job interviews.
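Both items above turn on lookalike package names (noblox.js-api and noblox-ts for noblox.js, execution-time-async for execution-time). The following check, which a project can run over its own package.json before installing, is an added example and not code from the digest or from any of the projects or researchers named in it; the KNOWN_GOOD allow-list, the sample package.json, the edit-distance threshold and the rule names are all constructed for the example.

```python
"""Flag npm dependency names that resemble a known-good package.

Added example (not from the digest or any project it mentions).  The
KNOWN_GOOD allow-list and SAMPLE_PACKAGE_JSON below are constructed.
"""
import json
import re

# Constructed allow-list: the packages this team actually intends to use.
KNOWN_GOOD = {"noblox.js", "execution-time", "mongodb", "lodash"}


def _normalize(name):
    """Lowercase and drop separators so 'noblox.js', 'noblox-js' and
    'NobloxJS' compare equal.  The npm scope ('@org/') is kept so that a
    scoped package is only ever compared as a whole name."""
    return re.sub(r"[-_.]", "", name.lower())


def levenshtein(a, b):
    """Edit distance with single-character insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name, known_good=KNOWN_GOOD, max_distance=2):
    """Return why `name` looks like a known-good package, or None.

    Exact allow-listed names are accepted.  Everything else is compared
    against each allow-listed name after normalization."""
    if name in known_good:
        return None
    scoped = name.startswith("@")
    n = _normalize(name)
    for good in sorted(known_good):
        g = _normalize(good)
        if n == g:
            return f"separator/case variant of {good!r}"
        if not scoped and (n.startswith(g) or n.endswith(g)):
            # e.g. noblox.js-api, noblox.js-proxy-server, execution-time-async
            return f"extends the name of {good!r}"
        if len(g) >= 6 and levenshtein(n, g) <= max_distance:
            # e.g. noblox-ts is one substitution away from noblox.js
            return f"within edit distance {max_distance} of {good!r}"
    return None


def audit_dependencies(package_json_text, known_good=KNOWN_GOOD):
    """Return {dependency name: reason} for every lookalike in package.json."""
    pkg = json.loads(package_json_text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in pkg.get(section, {}):
            reason = lookalike_reason(name, known_good)
            if reason:
                findings[name] = reason
    return findings


# Constructed package.json mixing legitimate names with the lookalike
# names from the two digest items above.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {
        "noblox.js": "^4.0.0",
        "noblox.js-api": "1.0.0",
        "noblox-ts": "1.0.0",
        "execution-time-async": "1.0.0",
        "lodash": "^4.17.21",
    },
    "devDependencies": {
        "mongodb-connection-utils": "1.0.0",
    },
})

if __name__ == "__main__":
    for name, reason in audit_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: {reason}")
```

The prefix/suffix rule deliberately over-reports (mongodb-connection-utils is flagged because it borrows the mongodb name); the point is to put such names in front of a human before `npm install` runs their install scripts, not to decide on its own. Scoped packages are compared only as whole names, so a lookalike scope needs its own allow-list entry.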

3. Critical Fortra FileCatalyst Workflow Vulnerability Patched (CVE-2024-6633)

Organizations using Fortra’s FileCatalyst Workflow should urgently upgrade to version 5.1.7 to patch two critical vulnerabilities. The first, CVE-2024-6633, involves static credentials for an internal HSQL database exposed in a vendor knowledge base article. Attackers exploiting this flaw can gain admin access to the Workflow web application by adding an admin-level user. The HSQL database, meant only for installation, is vulnerable if not replaced with a recommended alternative database.

The second flaw, CVE-2024-6632, is a SQL injection vulnerability that allows unauthorized modifications to the MySQL database during setup. Both vulnerabilities affect versions up to 5.1.6 and can only be resolved by upgrading.

4. CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apache OFBiz vulnerability, CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute remote code via a Groovy payload.

Discovered as a patch bypass for CVE-2024-36104, it exploits a flaw in the override view functionality, exposing critical endpoints. Although specific details of its exploitation are scarce, proof-of-concept exploits are publicly available. Organizations are urged to update to version 18.12.15, with federal agencies required to apply updates by September 17, 2024.


Programmer’s Digest #97

08/21/2024-08/28/2024 Apache OFBiz RCE Flaw, Critical WPML Plugin Flaw, Supply Chain Vulnerabilities in MLOps Platforms And More.

1. CISA Warns About Actively Exploited Apache OFBiz RCE Flaw

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned of two exploited vulnerabilities, including a path traversal flaw in Apache OFBiz (CVE-2024-32113). Apache OFBiz, an open-source ERP system, is widely used due to its versatility. The flaw affects versions before 18.12.13 and allows remote execution of arbitrary commands. Federal agencies must apply security updates or stop using the product by August 28, 2024. Another vulnerability, CVE-2024-36971, affecting the Android kernel, was also flagged. A newer OFBiz flaw, CVE-2024-38856, impacts versions up to 18.12.14 and poses a critical pre-authentication remote code execution risk. Users should upgrade to version 18.12.15 to secure their systems.

2. Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical flaw in the WPML WordPress plugin (CVE-2024-6386, CVSS score: 9.9) could let authenticated users execute arbitrary code remotely. This vulnerability affects all versions before 4.6.13, released on August 20, 2024. Caused by missing input validation, the issue allows attackers with Contributor-level access or higher to exploit server-side template injection (SSTI) via shortcodes. WPML, used on over a million sites for multilingual content, failed to properly sanitize input in Twig templates, leading to potential server takeover. Users are strongly advised to update to the latest version to mitigate this risk.

3. SonicWall SonicOS Vulnerability Let Attackers Gain Unauthorized Access & Crash Firewall

SonicWall has disclosed a critical vulnerability (CVE-2024-40766) in its SonicOS management access, rated with a high CVSS score of 9.3. This flaw, identified as an improper access control issue, could lead to unauthorized resource access and potentially cause firewall crashes. The vulnerability affects a wide range of SonicWall devices, including Gen 5, Gen 6, and Gen 7 models. SonicWall strongly advises updating to the latest firmware versions to mitigate these risks and suggests restricting or disabling WAN management access from untrusted sources. Updated firmware versions are available, and users are urged to apply these patches immediately. 

4. Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Cybersecurity researchers have uncovered over 20 vulnerabilities in machine learning (ML) software supply chains, posing significant risks to MLOps platforms. These flaws, both inherent and implementation-based, could lead to severe outcomes such as arbitrary code execution or loading malicious datasets.

MLOps platforms enable the creation and execution of ML models, but vulnerabilities like automatic code execution in models and datasets, particularly in tools like JupyterLab, can open doors for malware attacks. Implementation weaknesses, such as lack of authentication, have been exploited by attackers to deploy cryptocurrency miners, as seen with unpatched Anyscale Ray instances. Additionally, a container escape vulnerability in Seldon Core allows attackers to move laterally in cloud environments, compromising models and data.

5. Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk

SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. The issue, tracked as CVE-2024-28987, is rated 9.1 on the CVSS scoring system, indicating critical severity. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting the flaw. Users are advised to update to version 12.8.3 Hotfix 2, but applying the fix requires Web Help Desk 12.8.3.1813 or 12.8.3 HF1. The disclosure comes a week after SolarWinds moved to resolve another critical vulnerability in the same software that could be exploited to execute arbitrary code (CVE-2024-28986, CVSS score: 9.8). Additional details about CVE-2024-28987 are expected to be released next month.


Programmer’s Digest #96

08/15/2024-08/21/2024 GitHub Vulnerability ‘ArtiPACKED’, Jenkins RCE Bug, PHP Vulnerability And More

1. GitHub Vulnerability ‘ArtiPACKED’ Exposes Repositories to Potential Takeover

A newly discovered attack vector in GitHub Actions artifacts, dubbed ArtiPACKED, could be exploited to take over repositories and gain access to organizations’ cloud environments. A combination of misconfigurations and security flaws can make artifacts leak tokens, both third-party cloud service tokens and GitHub tokens, making them available to anyone with read access to the repository. This gives malicious actors with access to these artifacts the potential to compromise the services to which these secrets grant access. The cybersecurity company said it primarily observed the leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could not only give malicious actors unauthorized access to the repositories but also grant them the ability to poison the source code and get it pushed to production via CI/CD workflows. GitHub has labeled the issue as informational, urging users to secure their artifacts. Open-source projects from AWS, Google, Microsoft, Red Hat, and Ubuntu are among those affected.
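Since the weakness described above is an artifact that carries a credential out of the runner, the practical control is to scan the artifact tree for credential shapes before the upload step runs. The scanner below is an added example, not code from the digest, from GitHub, or from the ArtiPACKED research. The GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) and the AWS AKIA prefix are public formats; the git config pattern assumes the form in which a checkout step persists its HTTP basic auth header, which is stated here from my own knowledge and not from the digest; the sample artifact tree and every secret value in it are constructed placeholders.

```python
"""Scan files destined for a CI artifact for leaked credentials.

Added example (not from the digest, from GitHub, or from the ArtiPACKED
research).  The sample artifact is constructed with placeholder values.
"""
import base64
import os
import re
import tempfile

# Regexes for secret shapes that commonly end up in build output.
SECRET_PATTERNS = {
    # Classic GitHub tokens: ghp_ (PAT), gho_, ghu_, ghs_ (the form
    # GITHUB_TOKEN takes inside a workflow), ghr_ (refresh token).
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github-fine-grained-pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    # ACTIONS_RUNTIME_TOKEN is a JWT; catch it even if the variable name is gone.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "runtime-token-env": re.compile(r"\bACTIONS_RUNTIME_TOKEN=\S+"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Assumption: a git config that persisted an HTTP basic auth header
    # (how a checkout step keeps its credential when persist-credentials is on).
    "git-basic-auth-header": re.compile(r"AUTHORIZATION:\s*basic\s+[A-Za-z0-9+/=]+", re.I),
}


def scan_text(text):
    """Yield (rule, line_number, redacted_match) for every hit in `text`."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hit = m.group(0)
                # Never write the full secret into the scanner's own output.
                yield rule, lineno, hit[:8] + "..." + hit[-4:]


def scan_artifact_dir(root, max_bytes=5_000_000):
    """Walk `root` and return a list of findings for every file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) > max_bytes:
                continue  # skip huge binaries; tune for the real pipeline
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for rule, lineno, redacted in scan_text(text):
                findings.append({"file": rel, "rule": rule, "line": lineno, "match": redacted})
    return findings


def build_sample_artifact(root):
    """Write a constructed artifact tree containing placeholder secrets."""
    placeholder_app_token = "ghs_" + "A" * 36          # constructed, not a real token
    placeholder_pat = "ghp_" + "B" * 36                # constructed
    placeholder_jwt = "eyJ" + "C" * 20 + ".eyJ" + "D" * 20 + "." + "E" * 20  # constructed
    basic = base64.b64encode(f"x-access-token:{placeholder_app_token}".encode()).decode()
    files = {
        ".git/config": '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + basic + "\n",
        "build.log": "resolving toolchain...\nACTIONS_RUNTIME_TOKEN=" + placeholder_jwt + "\nbuild ok\n",
        ".env": "NODE_ENV=production\nGITHUB_TOKEN=" + placeholder_pat + "\n",
        "README.md": "Release notes.\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and return {file: set(rules fired)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_artifact(tmp)
        findings = scan_artifact_dir(tmp)
    hits = {}
    for f in findings:
        hits.setdefault(f["file"], set()).add(f["rule"])
    return hits


if __name__ == "__main__":
    for rel, rules in sorted(demo().items()):
        print(f"{rel}: {', '.join(sorted(rules))}")
```

Run as a step before `actions/upload-artifact` and fail the job on any finding; the `.git` directory hit is the one to watch for, because it is present whenever a checked-out working tree is uploaded wholesale.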

2. CISA Warns Of Jenkins RCE Bug Exploited In Ransomware Attacks

CISA has added a critical Jenkins vulnerability, CVE-2024-23897, to its list of actively exploited security issues. This flaw, affecting Jenkins automation servers, allows unauthenticated attackers to read arbitrary files on the Jenkins controller through the args4j command parser, which processes file paths in arguments by default. Exploits for this vulnerability were published shortly after security updates in January, with attack attempts observed soon after. Shadowserver reports over 28,000 exposed Jenkins instances, with significant numbers in China and the U.S. Trend Micro notes exploitation began in March, and recent attacks include ransomware incidents by the RansomEXX gang, impacting Indian banks. CISA’s addition of CVE-2024-23897 to its Known Exploited Vulnerabilities catalog warns of ongoing exploitation and urges all organizations to address the flaw, especially federal agencies with a September 9 deadline to secure their Jenkins servers.

3. Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A new backdoor named Msupedge has been discovered in an attack against a university in Taiwan. This backdoor communicates with its command-and-control (C&C) server using DNS traffic, leveraging a method based on the open-source dnscat2 tool. The backdoor, identified as a DLL installed in specific system paths, was likely deployed via the exploitation of a critical PHP vulnerability (CVE-2024-4577) with a CVSS score of 9.8. Msupedge uses DNS tunneling to receive commands and executes actions based on the resolved IP address of the C&C server.

Commands supported by Msupedge include creating processes, downloading files, and managing temporary files. Additionally, the UTG-Q-010 threat group is linked to a phishing campaign distributing the Pupy RAT, which uses malicious .lnk files to load and execute malware.
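Because Msupedge talks to its C&C over DNS, the query names themselves are the evidence a defender can look for. The profiler below is an added example, not code from the digest or from any dnscat2 or Msupedge analysis: it groups a DNS query log by client and parent domain and flags pairs that issue many unique, long, high-entropy subdomain labels. The log format ("epoch client qname qtype"), the thresholds, the domain names and the sample traffic are all constructed assumptions.

```python
"""Flag DNS-tunnelling-like query patterns in a DNS query log.

Added example (not from the digest or from dnscat2/Msupedge research).
Log format, constructed for this example: "<epoch> <client> <qname> <qtype>".
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    """Crude registered-domain guess: the last `levels` labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": float(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def profile(lines):
    """Return {(client, parent): stats} over the distinct subdomains queried."""
    groups = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        parent = parent_domain(rec["qname"])
        sub = rec["qname"][: -len(parent)].rstrip(".")
        if sub:
            groups[(rec["client"], parent)].add(sub)
    profiles = {}
    for key, subs in groups.items():
        blob = "".join(subs)
        profiles[key] = {
            "unique_subdomains": len(subs),
            "mean_subdomain_len": sum(map(len, subs)) / len(subs),
            "entropy": shannon_entropy(blob),
        }
    return profiles


def find_tunnelling(lines, min_unique=20, min_len=30, min_entropy=3.0):
    """Pairs that look like data encoded into subdomain labels.

    Tunnels need a fresh label per message (many unique subdomains), pack
    as much as they can into each label (long), and encode binary data
    (high entropy).  All three thresholds are constructed starting points."""
    return {
        key: p for key, p in profile(lines).items()
        if p["unique_subdomains"] >= min_unique
        and p["mean_subdomain_len"] >= min_len
        and p["entropy"] >= min_entropy
    }


def sample_log():
    """Constructed log: ordinary lookups plus tunnel-like traffic from one host."""
    lines = []
    for i, name in enumerate(["www.example.test", "mail.example.test", "cdn.example.test"] * 5):
        lines.append(f"{1700000000 + i} 10.0.0.5 {name} A")
    for i in range(25):
        # Each query carries a 48-hex-char label under one parent domain.
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"{1700000100 + i} 10.0.0.5 {label}.c2-example.test A")
    return lines


if __name__ == "__main__":
    for (client, parent), stats in find_tunnelling(sample_log()).items():
        print(client, parent, stats)
```

The two-label parent-domain guess is wrong for suffixes such as co.uk, so a production version would use a public-suffix list; the thresholds also need tuning against a baseline, since CDNs and some security products legitimately generate many unique but short labels. This looks only at query names; the item above notes that Msupedge takes its commands from the resolved IP, so the response side is worth logging as well.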

4. SolarWinds Urges an Immediate Update to Fix a Critical Web Help Desk Vulnerability

SolarWinds has released patches to fix a critical security vulnerability in its Web Help Desk software, identified as CVE-2024-28986. This flaw involves a Java deserialization issue that could permit an attacker to run commands on a compromised host machine. The company has issued a hotfix and urges users to install it immediately.

Initial reports indicated that the vulnerability could be exploited without authentication. However, SolarWinds’ extensive testing has not confirmed this claim.

The vulnerability affects all versions of Web Help Desk up to and including version 12.8.3, with the issue resolved in version 12.8.3 HF 1. SolarWinds advises all WHD customers to upgrade to the latest version, recommends revoking the secrets, passwords, and tokens configured in PAN-OS firewalls after the upgrade, and suggests creating backup copies of the original files before applying the hotfix to avoid potential issues.

5. Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites

A severe flaw in the GiveWP WordPress donation plugin, affecting over 100,000 sites, has been uncovered. This unauthenticated PHP Object Injection vulnerability (CVE-2024-5932) allows remote code execution, rated a critical 10.0 on the CVSS scale. Discovered by researcher villu164 and reported through Wordfence on May 26, 2024, the flaw impacts all versions up to 3.14.1. It allows unauthenticated attackers to inject malicious PHP objects through the ‘give_title’ parameter, potentially leading to remote code execution and arbitrary file deletion. The vulnerability stems from improper input sanitization in the donation form processing function. Attackers can exploit this flaw to inject serialized PHP objects, which are then unserialized during payment processing. A PHP POP chain present in the plugin allows for the execution of arbitrary code and file deletion. A patched version has been released. Site administrators must update to version 3.14.2 immediately to avoid severe security risks.