
how human behavior affects security


Programmer’s Digest #111

11/27/2024-12/04/2024 RCE Vulnerability, Critical SailPoint IdentityIQ Vulnerability, ProjectSend, North Grid Proself, and Zyxel Firewalls Bugs.

1. XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

Researchers uncovered a year-long software supply chain attack on the npm registry involving the package @0xengine/xmlrpc, initially published as a JavaScript XML-RPC library. Malicious code was introduced in version 1.3.4, enabling the theft of SSH keys, bash history, system metadata, and environment variables every 12 hours. It also installed the XMRig cryptocurrency miner, compromising at least 68 systems. The attack spread through npm installations and a GitHub project named yawpp, which listed the malicious package as a dependency, causing automatic downloads during setup. The malware established persistence using systemd, monitored processes to evade detection, and suspended mining when user activity was detected.

This incident highlights the risks of supply chain attacks. “Even well-maintained packages can become malicious,” warned security researcher Yehuda Gelb. Additionally, Datadog Security Labs reported another campaign using fake npm and PyPI packages to deploy malware targeting Roblox developers.
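A defender's check for the supply-chain case above, added here and not code from the researchers or the digest: scan an npm lockfile for the compromised package at or after the version where the malicious code appeared. The lockfile contents and the yawpp dependency range are constructed for the example.

```python
import json
from typing import Iterator

# Package name and first malicious version, as reported in the digest above.
SUSPECT_PACKAGE = "@0xengine/xmlrpc"
FIRST_BAD_VERSION = "1.3.4"

def parse_version(v: str) -> tuple:
    """Turn '1.3.4' into (1, 3, 4); a pre-release suffix is dropped, odd parts sort low."""
    parts = []
    for piece in v.split("-")[0].split("."):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)

def iter_lock_entries(lock: dict) -> Iterator[tuple]:
    """Yield (name, version) for lockfile v2/v3 'packages' and nested v1 'dependencies'."""
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        yield path.split("node_modules/")[-1], meta.get("version", "")
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())

def find_compromised(lock_text: str) -> list:
    """Return (name, version) pairs of the suspect package at or above the first bad version."""
    lock = json.loads(lock_text)
    bad = parse_version(FIRST_BAD_VERSION)
    return [(name, ver) for name, ver in iter_lock_entries(lock)
            if name == SUSPECT_PACKAGE and ver and parse_version(ver) >= bad]

# Constructed sample lockfile (v3 layout), not a real project's file: the package arrives
# transitively under a top-level dependency, mirroring the yawpp case in the digest.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"yawpp": "^1.0.0"}},
        "node_modules/yawpp": {"version": "1.0.0", "dependencies": {"@0xengine/xmlrpc": "^1.3.4"}},
        "node_modules/yawpp/node_modules/@0xengine/xmlrpc": {"version": "1.3.4"},
        "node_modules/express": {"version": "4.19.2"},
    },
})

for name, ver in find_compromised(SAMPLE_LOCK):
    print(f"compromised dependency pinned in lockfile: {name}@{ver}")
```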

2. Veeam Service Provider RCE Vulnerability Let Attackers Execute Arbitrary Code

Veeam has disclosed two major vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution (RCE) flaw. The most severe issue, CVE-2024-42448, has a CVSS score of 9.9, allowing attackers to execute arbitrary code on unpatched VSPC servers if the management agent is authorized. Another vulnerability, CVE-2024-42449, rated at 7.1, enables attackers to steal NTLM hashes and potentially delete files. Both flaws affect VSPC version 8.1.0.21377 and earlier. Veeam urges users to upgrade to the patched version (8.1.0.21999) immediately, as no mitigation methods are available. These vulnerabilities underscore the need for timely updates, especially after incidents like ransomware attacks exploiting prior Veeam flaws. Organizations must act quickly to secure their systems and safeguard data from potential threats.

3. Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

A critical vulnerability in SailPoint’s IdentityIQ software (CVE-2024-10905) has been disclosed, earning a maximum CVSS score of 10.0. This flaw affects IdentityIQ versions 8.2, 8.3, 8.4, and earlier. The issue stems from improper handling of virtual resource file names (CWE-66), enabling unauthorized HTTP access to static content in the application directory, potentially exposing sensitive files. Impacted versions include all 8.4 patch levels before 8.4p2, 8.3 versions before 8.3p5, 8.2 versions before 8.2p8, and all prior releases.

SailPoint has not yet issued a security advisory or additional details about the flaw. Organizations using affected versions should upgrade to patched levels immediately to mitigate risks.

4. Decade-Old Cisco Vulnerability Under Active Exploit 

Cisco has issued a warning about active exploitation of a decade-old vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA). The flaw, found in ASA’s WebVPN login page, allows unauthenticated attackers to launch cross-site scripting (XSS) attacks by tricking users into clicking malicious links. Cisco first identified the vulnerability in 2014, citing insufficient input validation. Recent in-the-wild exploitation attempts were reported in November 2024. The company urges users to upgrade to a fixed software release, as no workarounds are available.

5. CISA Adds Three Flaws to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2023-45727 (Proself): XXE flaw in versions before Ver5.62, Ver1.65, and Ver1.08 allows unauthenticated attackers to read server files.
  • CVE-2024-11680 (ProjectSend): Improper authentication in versions before r1720 enables attackers to modify configurations, upload webshells, and embed malicious JavaScript.
  • CVE-2024-11667 (Zyxel): Directory traversal flaw in firmware V5.00–V5.38 allows file upload/download via crafted URLs.

The ProjectSend flaw (CVSS 9.8) has been exploited in the wild since September 2024 using tools like Metasploit. Attackers enable user registration, modify configurations, and store webshells in predictable locations. CISA urges FCEB agencies to patch these flaws under BOD 22-01, and private organizations are advised to review and address the vulnerabilities to secure their systems.

1 mo   digest   programmers'

Programmer’s Digest #110

11/20/2024-11/27/2024 Critical “Array Networks” Flaw, PyPI Attack, Palo Alto Networks Firewalls Compromised And More.

1. CISA Urges Agencies to Patch Critical “Array Networks” Flaw Amid Active Attacks

CISA has added a critical vulnerability in Array Networks AG and vxAG secure access gateways (CVE-2023-28461) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. This flaw (CVSS score: 9.8) allows remote code execution without authentication via a vulnerable URL and was patched in March 2023 (version 9.4.0.484). Trend Micro linked the vulnerability to China-based cyber espionage group Earth Kasha, which targets Japanese entities and, increasingly, Taiwan, India, and Europe. Earth Kasha has exploited flaws in Array AG, Proself, and Fortinet FortiOS for initial access. ESET recently exposed a campaign by the group using the upcoming World Expo 2025 as a lure to deliver malware. CISA advises agencies to apply patches by December 16, 2024. Over 440,000 internet-exposed systems remain at risk.

2. PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries

Researchers have identified two malicious packages on the Python Package Index (PyPI), gptplus and claudeai-eng, impersonating popular AI models OpenAI ChatGPT and Anthropic Claude to distribute the information stealer JarkaStealer. Uploaded by “Xeroline” in November 2023, the packages attracted over 3,500 downloads before being removed. Marketed as tools to access GPT-4 Turbo and Claude AI APIs, they concealed malicious code that deployed malware upon installation. The packages’ __init__.py file contained encoded code to download a Java-based stealer, JavaUpdater.jar, from GitHub and install Java Runtime Environment if needed. Once executed, JarkaStealer harvested sensitive data, including browser data, screenshots, and app session tokens (Telegram, Discord, Steam). The stolen data was archived, sent to the attacker’s server, and deleted from the victim’s system. Sold as malware-as-a-service (MaaS) for $20–$50 on Telegram, JarkaStealer’s source code has also leaked online. 

3. 2,000 Palo Alto Networks Firewalls Compromised

A recent campaign exploiting two vulnerabilities has compromised around 2,000 Palo Alto Networks firewalls, according to Shadowserver researchers. The flaws include a critical authentication bypass (CVE-2024-0012, severity 9.3) and a medium-severity privilege escalation bug (CVE-2024-9474, severity 6.9), which can be chained for attacks. CVE-2024-0012 allows unauthenticated attackers with access to the management interface to gain admin privileges, tamper with configurations, or exploit CVE-2024-9474. The flaws, disclosed earlier in November, affect certain PAN-OS 10.2–11.2 deployments on PA-Series, VM-Series, CN-Series, and Panorama devices but not Cloud NGFW or Prisma Access.

Palo Alto Networks disputes Shadowserver’s numbers, stating fewer than 0.5% of customer firewalls have internet-exposed interfaces and that the impact is “limited.” The company emphasizes securing management interfaces to reduce risks. 

4. Decades-Old Security Vulnerabilities Found in Ubuntu’s Needrestart Package

The Qualys Threat Research Unit (TRU) has uncovered five Local Privilege Escalation (LPE) vulnerabilities in Ubuntu’s needrestart package, enabling local attackers to gain root privileges without user interaction. The flaws, introduced in version 0.8 (April 2014), affect Ubuntu Server systems with needrestart installed by default since version 21.04.

The vulnerabilities are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They allow attackers to execute arbitrary code as root by exploiting issues with interpreter environment variables (Python/Ruby) or race conditions.

Qualys warns that these vulnerabilities, with CVSS scores up to 7.8, are highly exploitable and could soon see public exploits, posing severe risks like unauthorized access, malware, and system compromise.

Mitigation includes disabling interpreter scanning by adding `$nrconf{interpscan} = 0;` to /etc/needrestart/needrestart.conf. Enterprises should update needrestart immediately to avoid operational disruptions and data breaches.
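An added example, not part of the digest or of the needrestart project, that checks whether the interim mitigation above is actually in effect in a needrestart.conf and applies it when it is not; the config excerpts are constructed, and only the `$nrconf{interpscan}` setting and file path come from the text above.

```python
import re

CONF_PATH = "/etc/needrestart/needrestart.conf"  # path named in the mitigation advice
MITIGATION_LINE = "$nrconf{interpscan} = 0;"
# Matches an active (uncommented) interpscan assignment and captures its value.
_INTERPSCAN_RE = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;")

def interpscan_disabled(conf_text: str) -> bool:
    """True only if the last active interpscan assignment sets it to 0."""
    value = None
    for line in conf_text.splitlines():
        m = _INTERPSCAN_RE.match(line)  # '#$nrconf{...}' comment lines do not match
        if m:
            value = int(m.group(1))     # a later assignment overrides an earlier one
    return value == 0

def apply_mitigation(conf_text: str) -> str:
    """Return the config with interpreter scanning disabled, changing nothing else."""
    if interpscan_disabled(conf_text):
        return conf_text
    body = conf_text if conf_text.endswith("\n") or not conf_text else conf_text + "\n"
    return (body
            + "# Interim mitigation for the needrestart LPE flaws: skip interpreter scanning\n"
            + MITIGATION_LINE + "\n")

# Constructed config excerpt (not copied from a real system): the setting is present
# but commented out, so scanning is still enabled.
WEAK_CONF = "# Restart services automatically?\n$nrconf{restart} = 'a';\n#$nrconf{interpscan} = 0;\n"

if __name__ == "__main__":
    print("interpscan disabled:", interpscan_disabled(WEAK_CONF))
    print(apply_mitigation(WEAK_CONF))
```

To check a live host, read CONF_PATH into `interpscan_disabled`; the patched package is still the real fix, the setting only narrows the exposure until it is installed.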


Programmer’s Digest #109

11/13/2024-11/20/2024 High-Severity Flaw in PostgreSQL, Oracle Agile PLM Zero-Day Vulnerability, Critical WordPress Plugin Vulnerability And More.

1. Oracle Agile PLM Zero-Day Vulnerability Exploited In The Wild

Oracle has issued a security alert for a critical vulnerability (CVE-2024-21287) in its Agile Product Lifecycle Management (PLM) Framework, currently being actively exploited. The flaw, with a CVSS score of 7.5, affects version 9.3.6 and allows unauthenticated attackers to remotely access and download sensitive files via HTTP or HTTPS. Exploiting this vulnerability could grant attackers unauthorized access to critical data under the PLM application’s privileges. Oracle confirmed active exploitation and has released a security patch. Customers are urged to apply updates immediately and monitor for unauthorized activity. Organizations should act promptly to secure systems against this high-severity zero-day vulnerability.

2. Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

A critical vulnerability (CVE-2024-10924, CVSS 9.8) in the Really Simple Security plugin for WordPress could allow attackers to gain full administrative access to affected sites. The flaw impacts versions 9.0.0 to 9.1.1.1 of the plugin, used by over 4 million websites. It stems from improper handling of user authentication in the “check_login_and_get_user” function, enabling unauthenticated attackers to bypass two-factor authentication. The vulnerability, disclosed by Wordfence on November 6, 2024, has been patched in version 9.1.2. To mitigate risks, WordPress collaborated with the plugin developers to force-update all affected sites. Separately, another flaw (CVE-2024-10470, CVSS 9.8) in the WPLMS Learning Management System plugin allows unauthenticated users to read or delete files, potentially enabling site takeovers. These incidents highlight the importance of immediate patching and maintaining updated WordPress plugins to protect against severe exploitation.

3. Palo Alto Networks Confirms Zero-Day Exploitation in PAN-OS Firewalls

Palo Alto Networks has confirmed active exploitation of a zero-day vulnerability in its PAN-OS firewall management interface, initially reported as a potential remote code execution flaw (CVSS 9.3). The zero-day is being exploited to deploy web shells for persistent remote access. A CVE is pending assignment. Threat actors target exposed management interfaces, emphasizing the need to restrict access to trusted internal IPs. The company recommends isolating the management interface on a VLAN, using jump servers, limiting inbound IPs, and allowing only secure protocols like SSH and HTTPS. Indicators of compromise (IoCs) include malicious activity from IPs such as `136.144.17[.]*` and a specific web shell checksum. Restricting interface access significantly reduces risk, dropping the CVSS score to 7.5. Palo Alto urges immediate application of these best practices. 
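An added example, not Palo Alto Networks' code, that turns the advice above into detection logic: connections to management-plane ports from outside a trusted allowlist are flagged, and any source in the digest's 136.144.17[.]* range is flagged on any port. The log format, the trusted network and all other addresses are constructed assumptions.

```python
import ipaddress

# Trusted management networks: constructed example values standing in for the
# "trusted internal IPs" the vendor guidance refers to.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# The digest's IoC source range 136.144.17[.]*, expanded to a /24.
IOC_NETS = [ipaddress.ip_network("136.144.17.0/24")]
# Management-plane services (SSH, HTTPS) the interface should only expose to trusted sources.
MGMT_PORTS = {22, 443}

def classify(src: str, dst_port: int) -> str:
    """Verdict for one connection: 'ioc' (known-bad source), 'untrusted'
    (non-allowlisted source reaching a management port) or 'ok'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in IOC_NETS):
        return "ioc"          # known-bad source, regardless of port
    if dst_port in MGMT_PORTS and not any(addr in net for net in TRUSTED_MGMT_NETS):
        return "untrusted"    # management plane reached from outside the allowlist
    return "ok"

def find_suspicious(log_text: str) -> list:
    """Return (timestamp, src, verdict) for every flagged line in the sample log format."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port = line.split()
        verdict = classify(src, int(port))
        if verdict != "ok":
            findings.append((ts, src, verdict))
    return findings

# Constructed log lines in a simplified "time src dst dst_port" format; this is not
# the PAN-OS syslog format, and the addresses are documentation/example ranges.
SAMPLE_LOG = """\
2024-11-18T10:01:02Z 10.10.0.5 192.0.2.10 443
2024-11-18T10:02:15Z 136.144.17.44 192.0.2.10 443
2024-11-18T10:03:40Z 198.51.100.7 192.0.2.10 22
2024-11-18T10:04:01Z 10.10.0.9 192.0.2.10 22
2024-11-18T10:05:22Z 198.51.100.7 192.0.2.10 8080
"""

for ts, src, verdict in find_suspicious(SAMPLE_LOG):
    print(f"{ts} {src}: {verdict}")
```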

Additionally, CISA added two related vulnerabilities (CVE-2024-9463 and CVE-2024-9465) to its Known Exploited Vulnerabilities catalog.

4. Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform

Researchers from Palo Alto Networks Unit 42 uncovered two critical flaws in Google’s Vertex AI platform that could enable attackers to escalate privileges and exfiltrate machine learning (ML) models. The first vulnerability exploits Vertex AI Pipelines, a feature for automating ML workflows. By manipulating custom job permissions, attackers can escalate privileges, gain unauthorized access to restricted resources, and deploy a reverse shell for backdoor access. The second flaw involves deploying a poisoned model that abuses permissions to move laterally into Kubernetes clusters. This allows attackers to exfiltrate proprietary ML models, including fine-tuned large language models (LLMs). These vulnerabilities pose serious risks, as a single malicious model could compromise an entire AI environment. Google has since patched the issues.  

5. High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

Researchers have disclosed a critical vulnerability (CVE-2024-10979) in PostgreSQL, rated CVSS 8.8, that allows unprivileged users to alter environment variables, potentially enabling code execution or information disclosure. The flaw affects PostgreSQL’s PL/Perl extension, where improper control of environment variables (e.g., PATH) can let attackers execute arbitrary code, even without access to the server’s operating system. This could lead to severe security risks, including malicious code execution or data extraction. The issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to apply the patch and restrict extension permissions, following the principle of least privilege, to minimize risk. The vulnerability was discovered by Varonis researchers Tal Peleg and Coby Abrams. More details are being withheld to allow time for users to secure their systems.

6. CISA Adds Palo Alto Networks Expedition Vulnerabilities to Exploited Catalog 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities in Palo Alto Networks’ Expedition tool to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, affecting versions prior to 1.2.96, could allow attackers to access sensitive data, execute commands, and compromise firewall configurations.  

Key vulnerabilities include:  

  • CVE-2024-9463 (CVSS 9.9): Unauthenticated command injection granting root access to sensitive data.  
  • CVE-2024-9465 (CVSS 9.2): SQL injection enabling unauthorized database access and file manipulation.
  • CVE-2024-9464 (CVSS 9.3): Authenticated OS command injection exposing credentials and API keys.  

Researchers from Horizon3 shared proof-of-concept exploits and Indicators of Compromise (IOCs). Palo Alto recommends restricting Expedition’s access to trusted users and checking for compromise. Federal agencies must address these flaws by December 5, 2024, per CISA’s Binding Operational Directive, and private organizations are advised to follow suit to protect their networks.
