03/13/2024-03/20/2024 Critical RCE Vulnerability, Severe SQLi Vulnerability, Kubernetes Vulnerability And More.

1. Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

Fortra disclosed a critical security flaw in FileCatalyst, CVE-2024-25153, allowing remote code execution. The vulnerability, with a CVSS score of 9.8, stemmed from a directory traversal issue in the ‘ftpservlet.’ Attackers could upload files outside the designated directory via a crafted POST request. Once uploaded, malicious JSP files could execute code, including web shells. Discovered by Tom Wedgbury, the flaw was patched in FileCatalyst Workflow version 5.1.6 Build 114. Fortra also fixed CVE-2024-25154 and CVE-2024-25155 in FileCatalyst Direct in January 2024, addressing information leakage and code execution vulnerabilities. Given past exploits on Fortra’s MFT solutions, users should promptly apply updates to safeguard against potential threats.

2. Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions: FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above); FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above. Horizon3.ai found unpatched vulnerabilities in FortiWLM and FortiSIEM: unauthenticated log file read and static session ID issues. Security researcher Zach Hanley highlighted the risk of session hijacking. Users should update promptly to mitigate risks.

3. WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

MiniOrange’s Malware Scanner and Web Application Firewall plugins for WordPress have a critical security flaw, CVE-2024-2172, rated 9.8 on CVSS. Versions <= 4.7.2 for Malware Scanner and <= 2.1.1 for Web Application Firewall are affected. The plugins were permanently closed on March 7, 2024. Wordfence reported the flaw, which allows an attacker to gain admin privileges by updating a user's password. This can lead to complete site compromise, including uploading malicious files and modifying content. Similarly, a high-severity flaw in the RegistrationMagic plugin (CVE-2024-1991) was addressed in version 5.3.1.0 on March 11, 2024, affecting all versions up to 5.3.0.0. It allows authenticated attackers to elevate their privileges, with more than 10,000 active installations. Users are urged to delete these plugins immediately to mitigate risks.

4. Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover

A high-severity flaw in Kubernetes (CVE-2023-5528, CVSS: 7.2) allows remote code execution with SYSTEM privileges on Windows endpoints within a cluster. Attackers exploit the flaw by applying malicious YAML files. Versions affected include kubelet v1.8.0 onwards, patched in versions like v1.28.4. Successful exploitation could lead to complete takeover of Windows nodes. Similar flaws were disclosed by the web infrastructure company in September 2023. The vulnerability arises from insecure function calls and lack of user input sanitization in Kubernetes volumes, particularly with local volumes. The Kubernetes team patched it by replacing a vulnerable command call with a safer native GO function. Meanwhile, threat actors exploit a critical flaw (CVE-2024-0778, CVSS: 9.8) in the end-of-life Zhejiang Uniview ISC camera model 2500-S to distribute the Mirai botnet variant NetKiller, indicating potential widespread use of the Condi botnet source code released on GitHub.

5. Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

Cybersecurity researchers have identified numerous GitHub repositories offering cracked software linked to the information stealer RisePro. Dubbed “gitgub,” the campaign involved 17 repositories across 11 accounts, now removed by Microsoft-owned GitHub. These repositories typically featured a README.md file promising free cracked software, embellished with green Unicode circles to feign legitimacy. Each repository directed users to download a RAR archive from “digitalxnetwork[.]com,” containing a 699 MB installer file. Despite its size, the actual payload is a mere 3.43 MB loader designed to inject RisePro (version 1.6) into system processes. RisePro, previously distributed via a pay-per-install malware service, is adept at extracting sensitive information and transmitting it to Telegram channels. Stealer malware, like Snake Keylogger, leverage varied techniques such as FTP, SMTP, and Telegram integration for data exfiltration. Notably, RedLine, Vidar, and Raccoon have emerged as prominent stealers, posing significant threats to cybersecurity. Flashpoint warns of the evolving landscape of information-stealing malware, driven by financial motives and increasing accessibility.

03/06/2024-03/13/2024 Microsoft’s March Updates Fix 61 Vulnerabilities, OpenEdge Vulnerability, Vulnerability in the Popup Builder Plugin, PyPI Python Packages Can Drain Your Crypto Wallets And More.

1. Microsoft’s March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws

Microsoft released its monthly security update, fixing 61 flaws across its software, including two critical issues in Windows Hyper-V that could lead to DoS and remote code execution. Of these vulnerabilities, two are Critical, 58 are Important, and one is Low severity. Although none are publicly known or actively attacked, six are tagged “Exploitation More Likely.” This update also patches 17 flaws in the Chromium-based Edge browser since February 2024. Critical issues include Hyper-V flaws CVE-2024-21407 and CVE-2024-21408. Additionally, there are privilege escalation flaws in Azure Kubernetes Service, Windows Composite Image File System, and Authenticator. Notably, CVE-2024-21390 could allow an attacker to access multi-factor authentication codes. Another critical flaw is CVE-2024-21334, a remote code execution in Open Management Infrastructure.

2. Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability

A critical security flaw (CVE-2024-1403) in Progress Software OpenEdge Authentication Gateway and AdminServer allows bypassing authentication protections. It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0. The flaw, rated 10.0 on the CVSS scale, enables unauthorized access due to mishandling of usernames and passwords. Progress Software released fixes in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1. A PoC exploit has been released by Horizon3.ai, revealing the flaw’s root cause in a function called connect(). This function invokes authorizeUser(), which if supplied with specific credentials, can bypass authentication. However, accessing deeper attack surfaces, like deploying new applications, requires increased complexity due to internal service message brokers and custom messages, noted security researcher Zach Hanley.

3. Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

A malware campaign exploits a severe vulnerability in the Popup Builder plugin for WordPress, infecting over 3,900 sites within three weeks, as reported by Sucuri. Exploiting CVE-2023-6000, attackers create rogue admin users and install arbitrary plugins. This flaw was also exploited in a previous Balada Injector campaign, compromising over 7,000 sites in January. The current attacks inject malicious JavaScript code, redirecting visitors to phishing and scam pages. WordPress site owners are urged to update plugins, scan for suspicious code or users, and perform cleanup. Meanwhile, Wordfence disclosed a high-severity XSS bug (CVE-2024-2123) in the Ultimate Member plugin, patched in version 2.8.4 on March 6, 2024. This flaw allows unauthenticated attackers to inject arbitrary web scripts, potentially gaining administrative access. 

4. Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

Cisco has patched a high-severity vulnerability (CVE-2024-20337, CVSS score: 8.2) in its Secure Client software, enabling a threat actor to initiate a VPN session with a targeted user. Arising from insufficient validation of user input, a malicious link could be used to execute arbitrary script code in the browser, accessing sensitive information like a valid SAML token. This token could then be exploited to establish a remote access VPN session as the affected user. The flaw affects Secure Client for Windows, Linux, and macOS, with fixes available in versions 4.10.08025, 5.1.2.42, and beyond. The vulnerability enables attackers to access internal networks when victims visit a controlled website. Additionally, Cisco addressed CVE-2024-20338 (CVSS score: 7.3) in Secure Client for Linux, allowing local attackers to elevate privileges; fixed in version 5.1.2.42.

5. CISA Warns of Actively Exploited JetBrains TeamCity Vulnerability

 CISA  added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker. It was addressed by JetBrains earlier this week alongside CVE-2024-27199 (CVSS score: 7.3), another moderate-severity authentication bypass flaw that allows for a “limited amount” of information disclosure and system modification.The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server. In light of active exploitation, users running on-premises versions of the software are advised to apply the updates as soon as possible to mitigate potential threats.

6. Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets

Threat hunters uncovered seven Python packages on PyPI designed to steal BIP39 mnemonic phrases for cryptocurrency wallets, dubbed BIPClip by ReversingLabs. The packages were downloaded 7,451 times before removal. Operating since December 2022, this campaign targeted crypto wallet developers. Though one package, mnemonic_to_address, lacked malicious functionality, it listed bip39-mnemonic-decrypt as a dependency, containing the harmful component. These packages stealthily exfiltrate mnemonic phrases to a controlled server. ReversingLabs identified two other packages, public-address-generator and erc20-scanner, working similarly. Hashdecrypts, meanwhile, functions independently to harvest data. The GitHub profile “HashSnake’’ is associated with these packages, with a repository named hCrypto advertised for phrase extraction. The packages were meticulously crafted to target crypto wallets, minimizing detection by security tools.

02/28/2024-03/06/2024 Security Patches for ESXi, Workstation, and Fusion Flaws, Critical JetBrains TeamCity On-Premises Flaws, 100 Malicious AI/ML Models And More.

1. VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware issued patches for four security flaws in ESXi, Workstation, and Fusion, including two critical ones allowing code execution (CVE-2024-22252 and CVE-2024-22253). These are described as use-after-free bugs in the XHCI USB controller, scoring 9.3 for Workstation/Fusion and 8.4 for ESXi. Exploitation could lead to code execution within VMX sandboxes or on the host machine. Researchers from Ant Group Light-Year Security Lab and QiAnXin discovered CVE-2024-22252, while VictorV and Wei reported CVE-2024-22253. Also fixed are CVE-2024-22254 (ESXi sandbox escape) and CVE-2024-22255 (VMX process memory leak). Patched versions include ESXi 6.5 to 8.0, Workstation 17.x, and Fusion 13.x. A workaround advises removing USB controllers from virtual machines. Virtual USB devices won’t function, but default keyboard/mouse inputs are unaffected.

2. Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers

Two new vulnerabilities, CVE-2024-27198 (CVSS: 9.8) and CVE-2024-27199 (CVSS: 7.3), have been disclosed in JetBrains TeamCity On-Premises software, impacting versions up to 2023.11.3. Fixed in version 2023.11.4, these flaws allow unauthenticated attackers to gain administrative control over affected servers. They enable bypassing authentication checks and manipulating server settings, including HTTPS certificate replacement. Rapid7 discovered and reported these issues on February 20, 2024. The company warned that compromising a server grants control over projects, builds, agents, and artifacts, making it a potential supply chain attack vector. Prior fixes addressed another critical flaw (CVE-2024-23917). With past exploits by threat actors, users should promptly update their servers to mitigate risks.

3. Over 100 Malicious AI/ML Models Found on Hugging Face Platform

Over 100 malicious AI/ML models were found on the Hugging Face platform, posing risks like code execution upon loading pickle files. This could lead to a backdoor granting attackers full control over compromised machines, potentially causing large-scale breaches or corporate espionage. One model initiates a reverse shell connection to a specific IP address. The incident raises concerns about open-source repositories being tainted for malicious purposes. Additionally, researchers have developed methods like BEAST to prompt harmful responses from large-language models (LLMs), and a generative AI worm named Morris II, capable of data theft and malware spread. This underscores the vulnerability of systems reliant on LLMs, with attacks like ComPromptMized exploiting their output for malicious ends, akin to traditional injection attacks. Such threats highlight the ongoing battle to secure LLMs against manipulation and exploitation.

4. Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

The Five Eyes (FVEY) intelligence alliance issued a cybersecurity advisory warning of cyber threat actors exploiting known flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways. They noted that Ivanti’s Integrity Checker Tool (ICT) can be misled, offering a false sense of security. Ivanti has disclosed five vulnerabilities since January 10, 2024, four of which are actively exploited. 

• CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component;
• CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component;
• CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component;
• CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component;
• CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component.

Mandiant described how malware like BUSHWALK can evade detection by ICT. Directory exclusions allow attackers to bypass scans and install backdoors. Agencies urge caution and consider the risk of continued device operation. Akamai data shows thousands of daily exploitation attempts worldwide. Ivanti claims no instances of successful persistence post-security updates and factory resets. They’re releasing an updated ICT for enhanced visibility.

5. GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

GitHub announced default secret scanning push protection for all pushes to public repositories. If a secret is detected, users can remove it from commits or bypass the block. Push protection was piloted as an opt-in feature in August 2023 and became generally available in May 2023. The feature identifies over 200 token types and patterns from 180+ service providers to prevent misuse. The development comes nearly five months after the Microsoft subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

It responds to an ongoing “repo confusion” attack targeting GitHub, flooding it with repositories containing obfuscated malware to steal passwords and cryptocurrency. The attacks are part of a malware distribution campaign discovered last year, using fake Python packages to deploy BlackCap Grabber.

6. Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

North Korean hacking group Lazarus infiltrated the Python Package Index (PyPI), uploading four malware-infected packages: pycryptoenv, pycryptoconf, quasarlib, and swapmempool. Though taken down, they were downloaded collectively 3,269 times, with pycryptoconf accounting for 1,351 downloads. These packages mimic pycrypto, exploiting typos during installation. This revelation follows Phylum’s discovery of rogue npm packages in a campaign dubbed Contagious Interview, sharing a similar tactic of concealing malware within a test script. The malicious code, disguised as a test file (“test.py”), actually contains an XOR-encoded DLL file leading to the execution of Comebacker malware, establishing connections with a command-and-control server. This attack mirrors a campaign detailed by Phylum in November 2023, targeting developers with crypto-themed npm modules. Users are urged to be cautious during software installation to avoid unwittingly downloading malware.