05/30/2024-06/05/2024 RAT-Dropping npm Package, XSS Flaws In Multiple WordPress Plugins, Actively Exploited Linux Kernel Flaw And More.

1. Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

Cybersecurity researchers found a malicious package, glup-debugger-log, in the npm registry designed to deploy a remote access trojan (RAT) on compromised systems. Targeting users of the gulp toolkit, it has been downloaded 175 times. Phylum, a software supply chain security firm, discovered the package includes two obfuscated files: one acts as an initial dropper, compromising the target and downloading additional malware, while the other maintains persistent remote access.
The package’s “index.js” file runs another obfuscated file, “play.js,” which performs checks to ensure it’s on an active developer machine. If successful, “play-safe.js” sets up persistence and can execute arbitrary commands via an HTTP server. Phylum described the RAT as both crude and sophisticated, highlighting evolving malware tactics in open-source ecosystems.

2. Exploit For Critical Progress Telerik Auth Bypass Released, Patch Now

Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers. The exploit chains an authentication bypass (CVE-2024-4358) and a deserialization flaw (CVE-2024-1800). The bypass flaw allows admin account creation without checks and has a CVSS score of 9.8. The deserialization flaw, with a CVSS score of 8.8, enables remote code execution via specially crafted XML payloads. Both issues have been addressed in updates, and organizations are urged to upgrade to version 10.1.24.514 or later. Administrators should review user lists for unfamiliar accounts due to potential exploitation.

3. XSS Flaws In Multiple WordPress Plugins Exploited To Deploy Malware

Researchers uncovered malware attacks exploiting XSS vulnerabilities in WordPress plugins. Attackers leveraged known flaws in three plugins: WP Meta SEO (CVE-2023-6961), LiteSpeed Cache (CVE-2023-40000), and WP Statistics (CVE-2024-2194). These high-severity vulnerabilities allowed the injection of malicious scripts. Fastly’s security team observed JavaScript malware performing functions such as installing PHP backdoors, creating rogue admin accounts, and setting up tracking scripts. Despite patches being available, active exploitation indicates that many sites are not updated. WordPress admins must update plugins to the latest versions to protect against these threats.

4. Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models

Zyxel has issued updates to address critical flaws in two end-of-life NAS devices. Three of the five vulnerabilities could allow unauthenticated attackers to execute OS commands and arbitrary code.

Affected models include NAS326 (versions V5.21(AAZF.16)C0 and earlier) and NAS542 (versions V5.21(ABAG.13)C0 and earlier). These issues are fixed in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0.

The flaws include:

• CVE-2024-29972: Command injection in “remote_help-cgi” via crafted HTTP POST.
• CVE-2024-29973: Command injection via the ‘setCookie’ parameter.
• CVE-2024-29974: Remote code execution via “file_upload-cgi” with a crafted file.
• CVE-2024-29975: Privilege management issue allowing root command execution.
  CVE-2024-29976: Privilege management issue leaking session information.

Outpost24’s Timothy Hjort reported these flaws. Users should update to the latest versions for protection.

5. CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

(CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This high-severity issue, with a CVSS score of 7.8, involves a use-after-free bug in the netfilter component, allowing local attackers to escalate privileges to root. Also added to the KEV catalog is a newly disclosed security flaw impacting Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5) that allows an attacker to read sensitive information on Internet-connected Gateways with remote access VPN or mobile access enabled.

In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 20, 2024, to protect their networks against potential threats.

05/15/2024-05/30/2024 Flaws in Python Package, New Flaws in QTS and QuTS Hero Impacting NAS Appliances, Ivanti Patches Critical Remote Code Execution Flaws, Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package And More.

1. Critical GitHub Enterprise Server Flaw Allows Auth Bypass, Fix Now 

GitHub has fixed an authentication bypass vulnerability in GitHub Enterprise Server (GHES) related to SAML single sign-on (SSO) with encrypted assertions (CVE-2024-4985, CVSS v4 score: 10.0). This flaw allowed attackers to forge SAML responses, gaining site admin access without prior authentication. GHES, a self-hosted platform for software development, is not affected if encrypted assertions are disabled. The vulnerability impacted all versions before 3.13.0 and was reported via GitHub’s Bug Bounty program.

Fixes were released on May 20th in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. GitHub advises upgrading to these versions or newer to prevent potential future exploits.

2. Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

A critical security flaw in the llama_cpp_python Python package (CVE-2024-34359, CVSS score: 9.7) has been disclosed, potentially allowing arbitrary code execution. Named Llama Drama by Checkmarx, this vulnerability stems from the misuse of the Jinja2 template engine, leading to server-side template injection. With over 3 million downloads, llama_cpp_python is a popular tool for integrating AI models with Python. The flaw, discovered by security researcher Patrick Peng (retr0reg), has been fixed in version 0.2.72. Exploitation could result in data theft, system compromise, and operational disruption.

Additionally, a high-severity flaw (CVE-2024-4367) in Mozilla’s PDF.js library allows arbitrary JavaScript execution in PDF.js. This has been fixed in Firefox 126, Firefox ESR 115.11, Thunderbird 115.11, and pdfjs-dist version 4.2.67.

3. Microsoft’s Transition From VBScript To JavaScript And PowerShell

Microsoft will discontinue VBScript by late 2024, gradually phasing it out of Windows. Initially introduced in 1996, VBScript will transition to an on-demand feature before its complete removal in future Windows versions.
VBScript has been surpassed by more robust alternatives like PowerShell and JavaScript, leading to its retirement.

Key reasons include:

• Security Vulnerabilities: VBScript’s architecture is prone to exploitation.
• Limited Functionality: Modern languages like JavaScript and PowerShell offer more advanced features.
• Modernization Focus: Microsoft’s shift towards updated scripting solutions.

The deprecation timeline includes:

• Second half of 2024: VBScript becomes an on-demand feature in Windows 11 24H2.
• Around 2027: VBScript remains available on-demand but is not enabled by default.
• Future Date: Complete removal from Windows.

Microsoft recommends transitioning to JavaScript and PowerShell for enhanced security and functionality.

4. Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager

Ivanti has fixed multiple critical security flaws in Endpoint Manager (EPM) that could allow remote code execution. Six vulnerabilities (CVE-2024-29822 to CVE-2024-29827, CVSS 9.6) involve SQL injection flaws allowing unauthenticated attackers to execute arbitrary code. Four additional bugs (CVE-2024-29828 to CVE-2024-29830, CVE-2024-29846, CVSS 8.4) require attacker authentication.

The affected versions are Ivanti EPM 2022 SU5 and prior. Ivanti also addressed a high-severity flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS 7.2) allowing remote code execution via a specially crafted file. Other fixes include vulnerabilities in Neurons for ITSM, Connect Secure, and the Secure Access client for Windows and Linux.

There is no evidence of these flaws being exploited in the wild. Users should update to the latest versions to mitigate potential threats.

5.  CISA Alert on Active Exploitation of a Vulnerability

On May 23, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical Apache Flink vulnerability (CVE-2020-17519) to its Catalog of Known Exploited Vulnerabilities (KEV). Despite being patched in January 2021, it is actively exploited, endangering many systems. CVE-2020-17519 is an inappropriate access control flaw in Apache Flink, allowing attackers to read any file on the JobManager’s local file system via its REST interface. This affects Flink versions 1.11.0 to 1.11.2.

Recommendations:

• CISA: Apply mitigation measures or stop using vulnerable versions. Upgrade to Flink 1.11.3 or 1.12.0 by June 13, 2024.
• NIST: Upgrade to patched versions following the April 2024 advisory.

Exploits of CVE-2020-17519 and other vulnerabilities (e. g., CVE-2020-28188) have compromised data security since late 2020. CISA urges quick implementation of patches and mitigations to protect against active threats and secure sensitive data.

6. Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique

The CatDDoS botnet has exploited over 80 security flaws in the past three months to hijack devices for DDoS attacks. The vulnerabilities affect routers and devices from companies like Apache, Cisco, D-Link, Huawei, Jenkins, NETGEAR, and more.

CatDDoS, a variant of the Mirai botnet, emerged in August 2023 and targets China, the U.S., Japan, and other countries. It uses the ChaCha20 algorithm for C2 communication and shares cryptographic elements with other botnets like hailBot and VapeBot. The original authors likely ceased operations in December 2023, but new variants have since emerged.

Researchers also revealed a powerful PDoS technique called DNSBomb (CVE-2024-33655), which exploits DNS features to create high-volume traffic bursts. BIND software is not vulnerable to this attack.

7. Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package

Cybersecurity researchers have discovered a malicious Python package named “pytoileur” in the Python Package Index (PyPI) repository, aimed at cryptocurrency theft. This package, downloaded 316 times, was re-uploaded as version 1.0.2 after version 1.0.1 was removed on May 28, 2024.

According to Sonatype, the malicious code is in the setup.py script, executing a Base64-encoded payload to retrieve a Windows binary, “Runtime.exe,” which runs via PowerShell and VBScript commands. This binary installs spyware and data-stealing malware.

A StackOverflow account, “EstAYA G,” has been promoting this package as a solution to user queries. Sonatype and Stack Overflow have linked this to the same threat actor behind previous malicious packages like Pystob and Pywool. This incident highlights the risks in open-source ecosystems and the need for vigilant security practices.

8. New Report Warns of LLM-Enhanced Cyber Threats: Polymorphic Malware, Customer Service Jailbreaking, and Highly Personalized Spearphishing

Recent advancements in Large Language Models (LLMs) are making it possible to automate tasks that were once considered too complex, including those with malicious intent. In a collaborative technology exploration project, the Netherlands Organization for Applied Scientific Research (TNO) and the National Cyber Security Centre (NCSC-NL) examined how LLMs could influence the cyber threat landscape over the next three to five years.

The report focuses on the current and near-future capabilities of LLMs and their potential to enhance cyber threats. While it does speculate on some future possibilities, it is grounded in the present realities of what LLMs can already do or are likely to do in the near term.

05/08/2024-05/15/2024 QakBot Exploits Microsoft Windows DWM Zero-Day Vulnerability, Malicious Python Package, VMware Fixes And More.

1. QakBot Exploits Microsoft Windows DWM Zero-Day Vulnerability

A zero-day vulnerability (CVE-2024-30051) in Microsoft Windows DWM has been identified and is currently being actively exploited by QakBot actors. This vulnerability allows local attackers to escalate their privileges to system level. Although a patch for this vulnerability has been released, exploits for the vulnerability have been observed in conjunction with QakBot and other malware. It is crucial for Windows users to update their systems with the latest security patches to mitigate the risk posed by this zero-day exploit.

2. Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library

LogoCybersecurity experts have uncovered a deceitful Python package masquerading as an offshoot of the widely-used requests library. Dubbed requests-darwin-lite, it secretly embeds a Golang version of the Sliver command-and-control framework within a PNG image of the project’s logo. This package, downloaded 417 times before its removal from PyPI, appears as a modified version of requests, but with a concealed malicious binary. Upon installation, it decodes and executes a Base64-encoded command to gather the system’s UUID, targeting specifically macOS systems. This discovery follows the detection of vue2util, a rogue npm package, which orchestrates a cryptojacking scheme. The sizable PNG file within requests-darwin-lite contains the hidden Sliver binary, indicating a potential targeted attack or a prelude to a broader campaign. This incident underscores the vulnerability of open-source ecosystems to malware distribution, necessitating systematic solutions to safeguard against such threats.

3. VMware Fixes Three Zero-day Bugs Exploited at Pwn2Own 2024

VMware patched four security vulnerabilities in Workstation and Fusion hypervisors, including three zero-days used in Pwn2Own Vancouver 2024. The most severe flaw, CVE-2024-22267, is a use-after-free bug in vbluetooth, allowing code execution by a local admin on a virtual machine’s VMX process. Admins can temporarily disable Bluetooth support as a workaround. Two other high-severity bugs (CVE-2024-22269 and CVE-2024-22270) permit local admins to access privileged info from hypervisor memory. CVE-2024-22268, a heap buffer overflow in Shader, can cause a denial of service if 3D graphics are enabled. Pwn2Own saw researchers earn $1,132,500, with exploits targeting browsers and VMware Workstation. STAR Labs SG and Theori teams won by exploiting VMware vulnerabilities for remote code execution and escaping VMs to execute code on host OS. Google and Mozilla promptly patched zero-days exploited at the event.

4. Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code

The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.

The most severe of the vulnerabilities are listed below –

• CVE-2024-25641 (CVSS score: 9.1) – An arbitrary file write vulnerability in the “Package Import” feature that allows authenticated users having the “Import Templates” permission to execute arbitrary PHP code on the web server, resulting in remote code execution;
• CVE-2024-29895 (CVSS score: 10.0) – A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when the “register_argc_argv” option of PHP is On.
  Also addressed by Cacti are two other high-severity flaws that could lead to code execution via SQL injection and file inclusion –
• CVE-2024-31445 (CVSS score: 8.8) – An SQL injection vulnerability in api_automation.php that allows authenticated users to perform privilege escalation and remote code execution;
• CVE-2024-31459 (CVSS score: N/A) – A file inclusion issue in the “lib/plugin.php” file that could be combined with SQL injection vulnerabilities to result in remote code execution.

It’s worth noting that 10 out of the 12 flaws, with the exception of CVE-2024-29895 and CVE-2024-30268 (CVSS score: 6.1), impact all versions of Cacti, including and prior to 1.2.26. They have been addressed in version 1.2.27 released on May 13, 2024. The two other flaws affect development versions 1.3.x.

5. New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024. The disclosure comes merely days after the company patched CVE-2024-4671, a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks.
With the latest fix, Google has addressed a total of six zero-days since the start of the year, three of which were demonstrated at the Pwn2Own hacking contest in Vancouver in March –

• CVE-2024-0519 – Out-of-bounds memory access in V8 (actively exploited)
• CVE-2024-2886 – Use-after-free in WebCodecs
• CVE-2024-2887 – Type confusion in WebAssembly
• CVE-2024-3159 – Out-of-bounds memory access in V8
• CVE-2024-4671 – Use-after-free in Visuals (actively exploited)
  Users are recommended to upgrade to Chrome version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux to mitigate potential threats.