Programmer’s Digest #82

05/02/2024-05/08/2024 Hackers Exploit LiteSpeed Cache Bug, ROOTROT Webshell in Network Attack And More.

1. Hackers Exploit LiteSpeed Cache Bug to Create WordPress Admins

Hackers are exploiting an outdated LiteSpeed Cache plugin in WordPress, targeting sites to gain admin control. LiteSpeed Cache, used in over 5 million sites, promises faster loads and better rankings. WPScan noted a surge in attacks on versions older than 5.7.0.1 due to a severe cross-site scripting flaw (CVE-2023-40000). Over 1.2 million probing requests originated from a single IP. Attackers inject malicious code into WordPress files, creating admin users like ‘wpsupp-user’ or ‘wp-configuser’. The presence of “eval(atob(Strings.fromCharCode” in the database signals infection. While many users upgraded, 1,835,000 remain vulnerable.
Another campaign targets “Email Subscribers,” exploiting CVE-2024-2876 for SQL injection. Despite the plugin’s smaller user base (90,000 installs), the attacks highlight the attackers’ persistence. Admins must update plugins, remove unnecessary components, and monitor for new admin accounts. In case of a breach, a thorough cleanup, including resetting passwords and restoring clean backups, is essential.
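The post-compromise checks the summary above recommends (look for the injection marker, look for admin accounts nobody provisioned) are simple enough to script. The following is an added example written for this digest, not code from WPScan or the LiteSpeed project; the marker string and the two rogue usernames are taken verbatim from the summary, while the option names, file paths and user list are constructed sample data.

```python
"""Post-compromise checks for the LiteSpeed Cache campaign summarized above."""

# Indicator quoted in the summary above, used exactly as written there.
INJECTION_MARKER = "eval(atob(Strings.fromCharCode"

# Administrator usernames the campaign was reported to create.
CAMPAIGN_ADMIN_LOGINS = {"wpsupp-user", "wp-configuser"}


def find_injected_options(option_rows):
    """Return option names whose value contains the injection marker.

    option_rows: iterable of (option_name, option_value) pairs, e.g. the result
    of SELECT option_name, option_value FROM wp_options.
    """
    return sorted(name for name, value in option_rows
                  if value is not None and INJECTION_MARKER in value)


def find_injected_files(file_contents):
    """Return paths whose content contains the marker.

    file_contents: mapping of path -> text (plugin/theme PHP, mu-plugins, ...).
    """
    return sorted(path for path, text in file_contents.items()
                  if INJECTION_MARKER in text)


def find_rogue_admins(users, provisioned_admins):
    """Return (login, reason) for administrator accounts that should not exist.

    users: iterable of (user_login, set_of_roles) built from wp_users joined
    with the capabilities usermeta; provisioned_admins: logins the site owner
    knowingly created.
    """
    findings = []
    for login, roles in users:
        if "administrator" not in roles:
            continue
        if login in CAMPAIGN_ADMIN_LOGINS:
            findings.append((login, "login used by the LiteSpeed Cache campaign"))
        elif login not in provisioned_admins:
            findings.append((login, "administrator not in the provisioned list"))
    return findings


# --- constructed sample data (not taken from any real site) ---
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("blogdescription", "Just another WordPress site"),
    ("sample_cache_messages",
     "<script>eval(atob(Strings.fromCharCode(/* constructed */)))</script>"),
]
SAMPLE_FILES = {
    "wp-content/plugins/sample-plugin/sample-plugin.php": "<?php // clean\n",
    "wp-content/themes/sample-theme/footer.php":
        "<?php wp_footer(); ?>\n"
        "<script>eval(atob(Strings.fromCharCode(/* constructed */)))</script>",
}
SAMPLE_USERS = [
    ("alice", {"administrator"}),
    ("editor-bob", {"editor"}),
    ("wpsupp-user", {"administrator"}),
    ("backup-svc", {"administrator"}),
]
PROVISIONED_ADMINS = {"alice"}

if __name__ == "__main__":
    print("injected options:", find_injected_options(SAMPLE_OPTIONS))
    print("injected files:", find_injected_files(SAMPLE_FILES))
    for login, reason in find_rogue_admins(SAMPLE_USERS, PROVISIONED_ADMINS):
        print(f"rogue admin {login}: {reason}")
```

The third check is the one worth keeping after the cleanup: an administrator login that is not on the owner’s provisioned list is a finding regardless of whether its name matches this campaign, which is how you catch the next campaign’s usernames too.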

2. Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

HPE Aruba Networking issued security updates for 10 vulnerabilities in ArubaOS. Four of them are rated critical: unauthenticated buffer overflows that can lead to remote code execution:

  • CVE-2024-26304 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol;
  • CVE-2024-26305 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol;
  • CVE-2024-33511 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol;
  • CVE-2024-33512 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol.

Exploitation involves sending crafted packets to the Process Application Programming Interface (PAPI) UDP port (8211), granting attackers the ability to execute code on affected systems. Vulnerable software versions encompass ArubaOS 10.5.1.0 and below, impacting Mobility Conductor, Controllers, and WLAN Gateways. Even end-of-maintenance versions like ArubaOS 8.6.x.x are affected. Security researcher Chancen discovered seven of the issues. Users should promptly apply updates to mitigate risks, with temporary measures recommended for ArubaOS 8.x.

3. MITRE Reveals that Chinese Hackers Used ROOTROT Webshell in Network Attack

MITRE Corporation, a non-profit serving US government research, revealed a breach by sophisticated nation-state hackers, likely the Chinese group UNC5221. Exploiting Ivanti Connect Secure VPN flaws (CVE-2023-46805, CVE-2024-21887), they infiltrated MITRE’s NERVE network. After gaining access, they moved laterally within MITRE’s VMware infrastructure, installing webshells and backdoors to steal data. MITRE’s response contained the breach, and the company confirmed that NERVE is isolated from its other networks. While MITRE has not named the group, the attackers resemble UNC5221, which firms like Mandiant have observed exploiting the same Ivanti vulnerabilities. The incident underscores persistent risks for national security and tech research. MITRE is collaborating with law enforcement on the investigation and plans to share insights to bolster future defenses.

4. CISA Urges Software Devs to Weed Out Path Traversal Vulnerabilities

CISA and the FBI advised software companies to eliminate path traversal vulnerabilities, which allow attackers to manipulate file paths in order to execute code or bypass security measures. Exploiting these flaws, threat actors can access sensitive data or disrupt systems. Recent incidents in critical infrastructure prompted this warning. The agencies urged developers to implement preventive measures such as generating unique identifiers for stored files rather than using user-supplied names, restricting the characters allowed in file names, and ensuring uploaded files are not executable. Path traversal vulnerabilities rank among the top software weaknesses according to MITRE. This alert follows previous warnings about SQL injection vulnerabilities, which also pose significant risks.
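The three measures listed above fit together in one small upload handler. The following is an added example written for this digest, not code from CISA’s alert: it shows the vulnerable join that lets a client-supplied name escape the upload directory, then a hardened store that keeps only an allow-listed extension from the client, generates the file name server-side, canonicalises the result and confirms it is still under the base directory, and creates the file without execute bits. The extension allow-list and the sample names are assumptions for the example.

```python
import os
import stat
import tempfile
import uuid
from pathlib import Path

# Allow-list of extensions (an assumption for this example); the extension is
# the only part of the client-supplied name that survives.
SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name cannot be mapped to a safe one."""


def naive_target_path(base_dir, client_filename):
    """The vulnerable pattern: the client-supplied name becomes part of the path.

    os.path.join does nothing about '..' segments, so '../../etc/cron.d/job'
    resolves outside base_dir. Shown for contrast only; never used for writes.
    """
    return os.path.normpath(os.path.join(base_dir, client_filename))


def safe_extension(client_filename):
    """Return the lower-cased extension if it is on the allow-list, else raise."""
    ext = Path(client_filename).suffix.lstrip(".").lower()
    if ext not in SAFE_EXTENSIONS:
        raise UnsafeFilename(f"extension not allowed: {client_filename!r}")
    return ext


def allocate_name(client_filename):
    """Server-generated unique identifier; nothing from the client but the extension."""
    return f"{uuid.uuid4().hex}.{safe_extension(client_filename)}"


def resolve_inside(base_dir, name):
    """Canonicalise base_dir/name and confirm the result is still under base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise UnsafeFilename(f"{name!r} escapes {base}")
    return target


def is_inside(base_dir, name):
    """Boolean form of resolve_inside for callers that prefer not to catch."""
    try:
        resolve_inside(base_dir, name)
        return True
    except UnsafeFilename:
        return False


def store_upload(base_dir, client_filename, data):
    """Store `data` under base_dir with a generated name and non-executable mode."""
    target = resolve_inside(base_dir, allocate_name(client_filename))
    # O_EXCL: fail rather than overwrite an existing file.
    # 0o640: owner read/write, group read, no execute bit for anyone.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo(client_filename="../../etc/cron.d/evil.txt", data=b"hello"):
    """Store one upload in a temp dir and report the properties a reviewer checks."""
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_upload(tmp, client_filename, data)
        mode = stat.S_IMODE(stored.stat().st_mode)
        return {
            "inside_base": Path(tmp).resolve() in stored.parents,
            "client_name_reused": Path(client_filename).name in stored.name,
            "executable": bool(mode & 0o111),
            "content_ok": stored.read_bytes() == data,
        }


if __name__ == "__main__":
    print("naive join:", naive_target_path("/srv/uploads", "../../etc/cron.d/job"))
    print("hardened store:", demo())
```

The containment check in resolve_inside is deliberately kept even though allocate_name already discards the client’s path: defence in depth means the check holds if someone later changes the naming scheme, and the same helper can be reused for downloads, where a client-supplied identifier is looked up rather than generated.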

Programmer’s Digest #81

04/24/2024-05/02/2024 Judge0 Sandbox Vulnerabilities, New R Programming Vulnerability, GitLab Password Reset Vulnerability And More.

1. Judge0 Sandbox Vulnerabilities Expose Systems to Takeover Risk

Judge0, an open-source code execution service, faces critical vulnerabilities (CVE-2024-29021, CVE-2024-28185, and CVE-2024-28189) discovered by Tanto Security, potentially leading to system takeover. These flaws allow attackers to escape the sandbox and gain root access. Organizations, including educational institutions and recruitment firms, rely heavily on Judge0 for secure code execution, especially in competitive programming. Tanto Security found weaknesses in Judge0’s isolate sandbox binary, which runs in a privileged mode inside Docker containers and so creates a risk of unauthorized system access. Vulnerabilities in the processing of user-submitted code and in the interaction between components were identified, indicating potential system compromise. Despite initial patches, subsequent bypasses were found, highlighting persistent vulnerabilities.

2. New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

A critical flaw in the R programming language (CVE-2024-27322, CVSS score: 8.8) enables threat actors to execute code by crafting malicious RDS (R Data Serialization) files. HiddenLayer reported that the root cause lies in R’s lazy evaluation, implemented through promise objects. RDS, similar to Python’s pickle, serializes data structures and is used in R for saving and loading data and packages. Version 4.4.0, released on April 24, 2024, mitigates the issue. Attackers can exploit this flaw through specially crafted R packages, leading to supply chain attacks. The flaw is detailed in an advisory by CERT/CC, which warns of potential exploitation through malicious .rds or .rdx files and emphasizes the risk in projects that call readRDS on untrusted files.

3. CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

CISA has flagged a critical flaw in GitLab, designated CVE-2023-7028, due to ongoing exploitation. This vulnerability, with a severity score of 10.0, allows account takeover by sending password reset emails to unverified addresses. GitLab disclosed the issue in January, linking it to a code change in version 16.1.0 from May 1, 2023. All authentication methods within these versions are affected, posing significant risks such as data theft and source code manipulation. Mitiga warns of potential supply chain attacks if malicious code is injected into CI/CD pipelines. GitLab has released patches for versions 16.5.6, 16.6.4, and 16.7.2, backporting fixes to older versions. CISA urges federal agencies to apply these updates by May 22, 2024, to safeguard their systems. No further details on real-world exploits have been provided by CISA yet.

4. Enhancing Software Supply Chain Security through GitHub’s 2FA Implementation

GitHub has enforced mandatory two-factor authentication (2FA) for code contributors, significantly boosting security in the software supply chain. This initiative has driven widespread adoption of 2FA among developers, prompting GitHub to encourage other organizations to follow suit. The platform has seen a notable increase in 2FA usage, particularly among users with critical roles in the software supply chain. The move to mandatory 2FA has not only enhanced security but also promoted the adoption of more robust 2FA methods, such as passkeys, over less secure options like SMS. Leading organizations like RubyGems, PyPI, and AWS have joined in, elevating software supply chain security standards. GitHub’s 2FA implementation has reduced reliance on SMS, mitigating vulnerabilities like SIM swapping. Users now frequently configure multiple 2FA methods, adding an extra layer of protection and decreasing related support tickets.

5. Bogus npm Packages Used to Trick Software Developers into Installing Malware

A social engineering campaign dubbed DEV#POPPER is targeting software developers, deceiving them with fake job interviews to download a Python backdoor via bogus npm packages. Securonix attributes this activity to North Korean threat actors. The scheme involves luring developers to run seemingly legitimate software from GitHub, containing malicious payloads compromising their systems. Initially flagged by Palo Alto Networks Unit 42 as Contagious Interview, the campaign evolved to distribute malware like BeaverTail and InvisibleFerret. Phylum discovered similar malicious npm packages on the registry, aiming to extract sensitive data. The attack chain starts with a ZIP archive on GitHub, containing a seemingly harmless npm module harboring a JavaScript file (BeaverTail) and a Python backdoor (InvisibleFerret).

6. Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has issued guidance for fixing a critical security flaw, CVE-2024-3400, affecting PAN-OS. This flaw allows unauthenticated remote shell command execution on vulnerable devices and has been actively exploited since at least March 26, 2024, by a threat cluster known as UTA0218 in Operation MidnightEclipse.
Palo Alto Networks recommends different remediation steps based on the level of compromise:

  • Level 0 Probe: Update to the latest hotfix.
  • Level 1 Test: Update to the latest hotfix.
  • Level 2 Potential Exfiltration: Update to the latest hotfix and perform a Private Data Reset.
  • Level 3 Interactive access: Update to the latest hotfix and perform a Factory Reset.

Palo Alto Networks updated its advisory on April 29, 2024, acknowledging proof-of-concept post-exploit persistence techniques. Fixes and Threat Prevention signatures are recommended to prevent further exploitation.

Programmer’s Digest #80

04/17/2024-04/24/2024 Details on Critical PAN-OS Flaw, Vulnerability for PHP (CVE-2024-2961), Critical Atlassian Flaw Exploited And More.

1. Apache Cordova App Harness Targeted in Dependency Confusion Attack

A dependency confusion vulnerability affects Cordova App Harness, an archived Apache project. By exploiting how package managers resolve names, attackers can publish a malicious package to a public repository under the name of a private one and have it installed in its place, exposing downstream users. Despite npm’s fixes, Cordova App Harness lacked proper dependency references. Legit Security demonstrated the flaw, and Apache addressed the issue by taking control of the package name. The incident underscores the importance of monitoring third-party dependencies, especially in archived projects; security researcher Ofek Haviv emphasizes the need for vigilance, as such projects often harbor unfixed vulnerabilities. Organizations should register public packages as placeholders for their private package names to mitigate such attacks.

2. Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Palo Alto Networks disclosed a critical security flaw, CVE-2024-3400, in PAN-OS software versions 10.2, 11.0, and 11.1. This flaw allows attackers to execute remote shell commands. The exploit chains two bugs: one that lets an attacker store a file with a chosen filename, and another that trusts those filenames as if they were system-generated when building commands. Threat actor UTA0218 has exploited this flaw in Operation MidnightEclipse, deploying commands and tools like GOST. Recent findings by Bishop Fox revealed that device telemetry is not required for exploitation. Palo Alto Networks has issued patches for affected versions. Users should apply these fixes promptly given the active exploitation and the availability of exploit code. The U.S. CISA has listed the flaw as a Known Exploited Vulnerability, mandating that federal agencies secure their devices by April 19, 2024.

3. Mitigating the Iconv Vulnerability for PHP (CVE-2024-2961)

CVE-2024-2961 identifies a buffer overflow in GNU libc versions below 2.39 that occurs when converting to certain Chinese Extended charsets. It affects PHP when iconv is used to translate request encodings to or from the affected charsets, and the exposure can be wide-ranging (for example, the latest wordpress:apache image ships iconv with the vulnerable charsets enabled). Obviously, the best mitigation is to update to a patched version of glibc. However, if you are unable to (or a fix is not yet available for your OS), you can mitigate the issue by disabling the affected charsets in gconv. Detailed information on how to check for and mitigate this issue at the OS level can be found in the link mentioned above.
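Two checks follow from the paragraph above: is the running glibc one that has the bug, and is the affected charset actually reachable through iconv on this host. The following is an added example written for this digest, not code from the glibc project or the advisory. It names the charset the CVE-2024-2961 advisory identifies, ISO-2022-CN-EXT, which the summary above describes only as a Chinese Extended encoding; the gconv-modules excerpt is constructed sample text in the format glibc uses for that file, and the runtime probe calls the libc functions iconv_open, iconv_close and gnu_get_libc_version through ctypes.

```python
import ctypes
import ctypes.util
import re

# Charset named in the CVE-2024-2961 advisory (the summary above does not name it).
VULNERABLE_CHARSET = "ISO-2022-CN-EXT"
FIXED_GLIBC = (2, 39)


def version_vulnerable(version_string):
    """True when an upstream glibc version string is below 2.39.

    Distributions backport fixes, so treat this as a hint only; the gconv and
    iconv_open checks below reflect what the installed library actually does.
    """
    m = re.match(r"(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised glibc version: {version_string!r}")
    return (int(m.group(1)), int(m.group(2))) < FIXED_GLIBC


def gconv_lines_enabling(gconv_text, charset):
    """Return the active 'module'/'alias' lines of a gconv-modules file that provide `charset`.

    Line formats: 'module FROM TO LIBRARY COST' and 'alias ALIAS REALNAME';
    charset names in this file carry a trailing '//'.
    """
    wanted = charset.upper()
    hits = []
    for line in gconv_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if fields[0] in ("module", "alias") and any(
            f.rstrip("/").upper() == wanted for f in fields[1:3]
        ):
            hits.append(stripped)
    return hits


def disable_charset(gconv_text, charset):
    """Return the file text with every line enabling `charset` commented out."""
    to_disable = set(gconv_lines_enabling(gconv_text, charset))
    return "".join(
        ("# " + line) if line.strip() in to_disable else line
        for line in gconv_text.splitlines(keepends=True)
    )


def installed_glibc_version():
    """Version string reported by the running glibc, or None on a non-glibc libc."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    try:
        fn = libc.gnu_get_libc_version
    except AttributeError:
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode()


def charset_enabled(charset):
    """True if iconv_open() in the running libc accepts `charset` as a target encoding."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.iconv_open.restype = ctypes.c_void_p
    libc.iconv_open.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    libc.iconv_close.argtypes = [ctypes.c_void_p]
    handle = libc.iconv_open(charset.encode(), b"UTF-8")
    # iconv_open returns (iconv_t)-1 on failure; ctypes shows that as all bits set.
    if handle is None or handle == ctypes.c_void_p(-1).value:
        return False
    libc.iconv_close(handle)
    return True


# Constructed sample in the gconv-modules format; real files live under the
# distribution's gconv directory (location varies by distro).
SAMPLE_GCONV_MODULES = """\
#\tfrom\t\t\tto\t\t\tmodule\t\tcost
alias\tISO2022CNEXT//\t\tISO-2022-CN-EXT//
module\tISO-2022-CN-EXT//\tINTERNAL\t\tISO-2022-CN-EXT\t1
module\tINTERNAL\t\tISO-2022-CN-EXT//\tISO-2022-CN-EXT\t1

alias\tISO2022CN//\t\tISO-2022-CN//
module\tISO-2022-CN//\t\tINTERNAL\t\tISO-2022-CN\t1
module\tINTERNAL\t\tISO-2022-CN//\t\tISO-2022-CN\t1
"""

if __name__ == "__main__":
    try:
        ver = installed_glibc_version()
        print("glibc version:", ver, "(below 2.39)" if ver and version_vulnerable(ver) else "")
        print(f"{VULNERABLE_CHARSET} reachable via iconv_open:", charset_enabled(VULNERABLE_CHARSET))
    except OSError as exc:
        print("could not probe the C library:", exc)
    print("sample lines that would need commenting out:")
    for line in gconv_lines_enabling(SAMPLE_GCONV_MODULES, VULNERABLE_CHARSET):
        print("   ", line)
```

The iconv_open probe is the decisive check: if it fails for ISO-2022-CN-EXT, PHP’s iconv extension (which uses the system libc) cannot reach the vulnerable converter either. After commenting out the module and alias lines in the real gconv-modules file, run iconvconfig to rebuild the gconv cache and re-run the probe; the version test alone is not conclusive because distributions backport the fix without moving to 2.39.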

4. Recent Rust Security Advisory: CVE-2024-24576

The Rust Security Response WG announced CVE-2024-24576, which affects the Rust standard library on Windows. Some Tauri organization repositories use batch files (cmd.exe under the hood) for developer environment tooling such as build scripts; no reviewed repositories use batch files for runtime code. Your Tauri app might be affected if it meets specific criteria, such as using the Tauri v1 shell feature with certain configurations. Implementing custom commands that expose Rust’s Command with runtime arguments could also be a risk. Please upgrade your Rust version to 1.77.2 as soon as possible and distribute updates to your users.

5. Linux Cerber Ransomware Variant Exploits Atlassian Servers

Threat actors are exploiting unpatched Atlassian servers to deploy Cerber ransomware, aka C3RB3R, targeting CVE-2023-22518 in Atlassian Confluence. This critical flaw allows an unauthenticated attacker to reset Confluence and create admin accounts, granting control over the system. Financially motivated groups install the Effluence web shell plugin for arbitrary command execution. The ransomware, written in C++, fetches additional harmful software from the attackers’ servers. After encryption, it removes itself, leaving behind components for permission checks and file encryption. Despite the ransom notes, no data exfiltration occurs. A C++ payload stands out at a time when ransomware authors are shifting to other languages. Cerber is regarded as sophisticated, but because encryption is limited to Confluence data, victims have less incentive to pay. New ransomware variants target Windows and VMware ESXi, emphasizing the need for robust security measures and a strong cybersecurity culture.
