how human behavior affects security

Programmer’s Digest #72

02/21/2024-02/28/2024 WordPress LiteSpeed Plugin Vulnerability, Dormant PyPI Package, Malicious npm Packages And More.

1. WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2023-40000) allows unauthenticated users to escalate privileges. Patched in version 5.7.0.1 (Oct 2023), it is caused by insufficient input sanitization. The plugin, with over 5 million installs, aims to enhance site performance; the latest version is 6.1 (Feb 5, 2024). The missing sanitization of user input affects the update_cdn_status() function: an XSS payload stored as an admin notice triggers the flaw, which any user with access to the wp-admin area can exploit. Four months earlier, Wordfence disclosed another XSS flaw (CVE-2023-4372) in the same plugin (version 5.7). This flaw permits authenticated attackers (contributor-level and above) to inject arbitrary web scripts, posing a risk to page visitors.

2. Dormant PyPI Package Compromised to Spread Nova Sentinel Malware

A Python package on PyPI, “django-log-tracker,” lay dormant for nearly two years before being updated with Nova Sentinel malware. Phylum, a security firm, detected the anomalous update on February 21, 2024. Although the linked GitHub repository remained unchanged since April 10, 2022, the malicious update suggests a compromised PyPI account. The package has been downloaded 3,866 times, with the rogue version (1.0.4) downloaded 107 times before its removal from PyPI. The update stripped most original content, leaving only “__init__.py” and “example.py.” It fetches and executes “Updater_1.4.4_x64.exe” from a remote server, embedding Nova Sentinel. This malware was initially found in fake Electron apps on dubious gaming sites. Phylum noted the attempted supply-chain attack via PyPI compromise. Such attacks could impact projects relying on unversioned or flexibly versioned dependencies.
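The last sentence is the defensive point: a project declaring `django-log-tracker>=1.0` would have pulled the rogue 1.0.4 on its next install. As an added example, not from the digest or from Phylum, here is a small Python audit that flags requirements.txt entries which are unversioned, flexibly versioned, fetched from a direct URL, or pinned without a `--hash` (the condition `pip install --require-hashes` enforces); the sample file and its digest value are constructed.

```python
import re

# Constructed sample requirements.txt (not from the digest): one exact pin with a
# hash, one flexible range, one unversioned name, one direct-URL dependency.
# The sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = (
    "# base web stack\n"
    "requests==2.31.0 --hash=sha256:" + "0" * 64 + "\n"
    "django-log-tracker>=1.0   # would have pulled the rogue 1.0.4 automatically\n"
    "flask\n"
    "somepkg @ https://example.invalid/somepkg-1.0.tar.gz\n"
    "-r other.txt\n"
)

# name, optional extras, remainder (specifier, markers, pip per-requirement options)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def audit_requirements(text):
    """Return (line_no, package, reason) for every line that is not an exact,
    hash-checked pin. An empty list means pip --require-hashes would accept it."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or a pip option such as -r / --index-url
        if " @ " in line:  # PEP 508 direct reference: bypasses the index entirely
            findings.append((no, line.split(" @ ", 1)[0].strip(), "direct URL dependency"))
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((no, line, "unparsed requirement line"))
            continue
        name, rest = m.group(1), m.group(3)
        spec = rest.split(" --", 1)[0].split(";", 1)[0].strip()
        if not spec:
            findings.append((no, name, "no version: any future upload is accepted"))
        elif not spec.startswith("==") or "*" in spec or "," in spec:
            findings.append((no, name, f"flexible specifier {spec!r}"))
        elif "--hash=" not in rest:
            findings.append((no, name, "pinned but no --hash: artifact can still be replaced"))
    return findings


if __name__ == "__main__":
    for line_no, pkg, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {pkg}: {reason}")
```

Running it on the sample reports the `>=1.0` range, the bare `flask` name and the direct URL; only the hashed `requests` pin passes.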

3. North Korean Hackers Targeting Developers with Malicious npm Packages

Phylum’s recent findings reveal a group of fake npm packages linked to North Korean state actors. Among these are “execution-time-async” and others masquerading as legitimate Node.js utilities. “execution-time-async” alone, disguised as a widely used library, was downloaded 302 times before removal, installing malware such as cryptocurrency stealers. The attack includes obfuscated code in a test file that fetches payloads from a remote server to steal credentials and execute malicious actions. The campaign involves GitHub accounts with repositories like “File-Uploader” and “auth-playground,” suggesting ongoing efforts to bypass takedowns. Additionally, a package called “next-assessment” references a dependency served from a suspicious domain, indicating potential social engineering tactics. This scheme shares similarities with “Contagious Interview,” which targets developers through fake job portals to distribute malware.

4. New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Cybersecurity researchers have uncovered two authentication bypass flaws in Wi-Fi software used in Android, Linux, and ChromeOS, allowing attackers to deceive users into connecting to malicious networks or to access trusted networks without passwords. Tracked as CVE-2023-52160 and CVE-2023-52161, the flaws were found in wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively. These vulnerabilities enable interception of traffic and unauthorized access to protected networks, posing risks like malware infections and data theft. While CVE-2023-52160 affects Android devices using wpa_supplicant, CVE-2023-52161 impacts Linux-based access points. Exploitation often requires physical proximity to victims. Major Linux distributions have issued advisories, and ChromeOS has addressed the wpa_supplicant issue. However, fixes for Android remain pending.

5. Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

The Xeno RAT, an intricately designed remote access trojan (RAT), has surfaced on GitHub, available for free. Developed in C#, it’s compatible with Windows 10 and 11, boasting features like real-time audio recording and a hidden hVNC module. Its builder allows customization for tailored attacks. Notably, its creator, moom825, is also behind DiscordRAT 2.0. Xeno RAT distribution via Discord CDN highlights the growing trend of accessible malware. Its propagation relies on disguised shortcut files that act as downloaders, with DLL side-loading used for execution. Concurrently, AhnLab discovered Nood RAT, a variant of Gh0st RAT, targeting Linux systems. Despite its simplicity, Nood RAT employs encryption and executes various malicious tasks commanded by threat actors, showcasing the evolving landscape of RAT-based attacks.


Programmer’s Digest #71

02/14/2024-02/21/2024 VMware Alert, New Malicious PyPI Packages, Critical Flaws in ConnectWise ScreenConnect Software And More.

1. VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

VMware advises uninstalling the deprecated Enhanced Authentication Plugin (EAP) due to a critical security flaw (CVE-2024-22245, CVSS score: 9.6), described as an arbitrary authentication relay bug. This flaw could enable a malicious actor to manipulate service tickets for arbitrary Active Directory Service Principal Names (SPNs) through a user’s browser. Also discovered is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) in EAP, allowing a local actor to seize a privileged session. Users connecting to VMware vSphere via the vSphere Client on Windows systems may be affected. VMware will not patch these flaws, recommending complete removal of the plugin. Meanwhile, SonarSource disclosed cross-site scripting (XSS) flaws in Joomla! (CVE-2024-21726), addressed in versions 5.0.3 and 4.4.3, posing a moderate threat.

2. New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers found two malicious packages on PyPI using DLL side-loading to evade detection and execute harmful code. Named NP6HelperHttptest and NP6HelperHttper, they were downloaded 537 and 166 times before removal. This discovery underscores the expanding threat of software supply chain attacks. The NP6 reference connects to a legitimate ChapsVision marketing solution, with the fake packages mimicking the legitimate tools NP6HelperHttp and NP6HelperConfig. Their goal is to deceive developers into downloading rogue versions. These packages contain a setup.py script designed to download an executable vulnerable to DLL side-loading (“ComServer.exe”) and a malicious DLL (“dgdeskband64.dll”). The DLL aims to avoid detection, similar to previous cases like the npm package “aabquerys,” which deployed a remote access trojan. It communicates with an attacker-controlled domain to fetch malicious code, potentially as part of a broader campaign targeting supply chain security in open-source repositories.

3. Critical Flaws Found in ConnectWise ScreenConnect Software – Patch Now

ConnectWise issued updates for its ScreenConnect remote desktop software to fix two security flaws, one critical allowing remote code execution. The vulnerabilities, lacking CVE identifiers, include authentication bypass (CVSS: 10.0) and path traversal (CVSS: 8.4). These critical issues affect versions 23.9.7 and below, with fixes in version 23.9.8, reported on February 13, 2024. Although no exploitation evidence exists, self-hosted users are urged to update. ConnectWise will provide updates for versions 22.4 through 23.9.7, but recommends version 23.9.8. Huntress found over 8,800 vulnerable servers and demonstrated an exploit bypassing authentication, emphasizing the need for immediate action.

4. WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

The Bricks WordPress theme suffers a critical flaw (CVE-2024-25600, CVSS: 9.8) exploited for remote code execution by unauthenticated attackers. Versions up to 1.9.6 are vulnerable, fixed in 1.9.6.1 released on February 13, 2024. The flaw, reported by Snicco on February 10, involves a nonce-related vulnerability in the prepare_query_vars_from_settings() function. Attack attempts started on February 14, with over three dozen detected by Wordfence. The flaw exposes around 25,000 active installations. Users should promptly update to mitigate risks.

5. Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

A firmware analysis of Ivanti Pulse Secure appliances uncovered significant vulnerabilities, highlighting the ongoing challenge of securing software supply chains. The firmware, based on unsupported CentOS 6.4, exposes outdated Linux components dating back over a decade. Threat actors exploit these weaknesses, targeting Ivanti Connect Secure, Policy Secure, and ZTA gateways with various malware. Active exploits include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, with Akamai reporting heightened scanning activity for CVE-2024-22024. Exploiting CVE-2024-21893, Eclypsium gained access to the appliance, revealing outdated packages and vulnerable libraries. Notably, Perl remains at version 5.6.1 from 2001, and the Linux kernel at 2.6.32, posing significant risks. Additionally, Ivanti’s Integrity Checker Tool (ICT) exhibits flaws, potentially allowing attackers to bypass detection. Eclypsium emphasizes the need for transparent validation processes to bolster supply chain security amid increasing exploitation attempts.


Programmer’s Digest #70

02/07/2024-02/14/2024 Ivanti Vulnerability, CISA and OpenSSF Release Framework, New Ivanti Auth Bypass Flaw And More.

1. Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures

Threat actors are exploiting a recent security flaw in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor named DSLog. Orange Cyberdefense noted the exploitation of CVE-2024-21893 shortly after the proof-of-concept code was released. This vulnerability, disclosed alongside CVE-2024-21888, allows server-side request forgery (SSRF), potentially granting unauthorized access to restricted resources. Ivanti confirmed limited targeted attacks, but the scale remains uncertain. Shadowserver Foundation reported a surge in exploitation attempts from over 170 IP addresses. Compromises have been detected since February 3, with attackers injecting DSLog into a Perl file for persistent remote access. DSLog uses unique hashes per appliance, complicating detection. Attackers use the hash in HTTP requests to execute commands. They also erase “.access” logs to evade detection. Orange Cyberdefense identified 670 compromised assets initially, decreasing to 524 by February 7, by analyzing artifacts triggered by the SSRF vulnerability.

2. CISA and OpenSSF Release Framework for Package Repository Security

CISA is collaborating with the Open Source Security Foundation (OpenSSF) to release a framework named Principles for Package Repository Security. This framework, developed by OpenSSF’s Securing Software Repositories Working Group, aims to fortify package repositories and enhance security in open-source software ecosystems. It introduces four security maturity levels covering authentication, authorization, general capabilities, and command-line interface (CLI) tooling. The levels range from basic security measures like multi-factor authentication (MFA) to advanced protocols such as requiring MFA for all maintainers and supporting package build provenance. All package management ecosystems should strive for at least Level 1 security. The framework enables package repositories to assess their security maturity and implement necessary improvements over time to combat evolving security threats effectively.

3. Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Ivanti warns of a critical security flaw (CVE-2024-22024) affecting Connect Secure, Policy Secure, and ZTA gateway devices, potentially enabling authentication bypass. The vulnerability, rated 8.3 out of 10 on the CVSS scale, stems from an XML external entity (XXE) issue in the SAML component. Affected versions include Connect Secure 9.x and 22.x, Policy Secure 9.x and 22.x, and ZTA 22.x. Patch updates are available for affected versions. While there is no evidence of active exploitation, given the recent abuse of similar vulnerabilities, users are urged to apply patches promptly. The flaw was brought to Ivanti’s attention by cybersecurity firm watchTowr, which highlighted potential impacts such as denial of service (DoS), local file read, and server-side request forgery (SSRF), contingent on the available protocols.

4. Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products

Cisco, Fortinet, and VMware have issued security patches for various vulnerabilities, including critical ones enabling arbitrary actions on affected devices. Cisco disclosed three flaws (CVE-2024-20252, CVE-2024-20254, CVE-2024-20255) in Expressway Series, allowing CSRF attacks. Exploitation could lead to unauthorized actions, including modifying configurations. Fortinet addressed bypasses for a critical FortiSIEM supervisor flaw (CVE-2023-34992) with two new vulnerabilities (CVE-2024-23108, CVE-2024-23109), allowing remote code execution. VMware reported five moderate-to-important flaws in Aria Operations for Networks, involving local privilege escalation and cross-site scripting vulnerabilities. Upgrading to specified versions mitigates risks across all platforms.

5. DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

A zero-day vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat group known as Water Hydra (aka DarkCasino), targeting financial traders. Trend Micro discovered the campaign in December 2023, involving CVE-2024-21412, a security bypass flaw in Internet Shortcut Files (.URL). This flaw bypasses SmartScreen to deliver the DarkMe malware. Microsoft patched it in February. The attack requires convincing the victim to click on a booby-trapped URL to download a malicious installer. The technique abuses the search: application protocol, delivering malware via layered internet shortcut files to evade SmartScreen. The end goal is to deploy DarkMe, a Visual Basic trojan, allowing remote control and data exfiltration. This trend of cybercrime groups exploiting zero-days reflects their increasing sophistication. Water Hydra demonstrates the capability to discover and exploit zero-days, indicating a merging of cybercrime and nation-state hacking tactics.

6. Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft’s February Patch Tuesday addresses 73 security flaws, including two zero-days exploited by Water Hydra targeting financial traders. Notably, CVE-2024-21351 and CVE-2024-21412 allow code injection into SmartScreen and bypassing security checks, respectively. Successful exploitation requires convincing users to open malicious files. Water Hydra exploits CVE-2024-21412 in a zero-day attack chain. The update also covers five critical flaws, including remote code execution vulnerabilities in Microsoft Exchange Server and Outlook. CVE-2023-50387, a 24-year-old design flaw in DNSSEC, is also patched, named KeyTrap, capable of causing denial-of-service attacks. Users are urged to apply patches promptly to mitigate risks.
