12/25/2024-01/03/2025 Severe Security Flaws Patched in Microsoft Dynamics 365, Malicious Obfuscated NPM Package, Apache MINA CVE-2024-52046.

1. Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption

Microsoft has announced a change to how .NET installers and archives are distributed, requiring developers to update their infrastructure. This change follows Akamai’s acquisition of assets from Edgio, which is shutting down its service on January 15, 2025. .NET binaries are currently hosted on Edgio’s CDN, but Microsoft is migrating to Azure Front Door CDNs. If no action is taken, Microsoft will automatically migrate customers by January 7, 2025. However, automatic migration won’t be possible for some endpoints, and users migrating to other CDNs must set a feature flag by the same date. Configuration changes to Azure CDN by Edgio profiles will freeze on January 3, 2025. Microsoft recommends migrating to a custom domain to avoid future risks. Users must also update their codebases to avoid relying on *.azureedge[.]net.

2. Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Three security vulnerabilities in Dynamics 365 and Power Apps Web API, discovered by Stratus Security, were patched in May 2024. Two flaws are in the OData Web API Filter, and one is in the FetchXML API. The first vulnerability allows unauthorized access to sensitive data, like password hashes, through a lack of access control. Attackers can exploit this by performing a sequential search to retrieve the complete password hash. The second flaw lets attackers use the orderby clause to extract data from columns like email addresses. The FetchXML vulnerability allows attackers to bypass access controls and retrieve restricted data using a crafted query. These flaws could enable attackers to steal or sell password hashes and emails. Stratus Security emphasizes the need for constant cybersecurity vigilance, especially for large data holders like Microsoft.

3. Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Researchers found a malicious package on npm, named ethereumvulncontracthandler, disguised as an Ethereum vulnerability detection tool. Published on December 18, 2024, it has been downloaded 66 times. When installed, it retrieves a script from a remote server to deploy the Quasar RAT, a remote access trojan, on Windows systems. The trojan uses techniques like Base64 and XOR encoding to avoid detection and establishes persistence by modifying the Windows Registry. It then connects to a command-and-control server to exfiltrate data and receive instructions. The Quasar RAT has been used in cybercrime and espionage campaigns since 2014. This discovery highlights the growing issue of fake “stars” on GitHub, used to artificially inflate the popularity of malicious repositories. Researchers urge caution, noting that star counts alone are unreliable for assessing repository quality.

4. Palo Alto Networks Patches DoS Bug in PAN-OS Software

Palo Alto Networks released a patch on Dec. 26 for a high-severity DoS vulnerability (CVE-2024-3393) in the DNS security feature of its PAN-OS firewall software. The flaw allows unauthenticated attackers to send malicious packets that reboot the firewall, causing it to enter maintenance mode after repeated attempts. This issue affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS 10.2.8 and later, or prior to 11.2.3. The company has issued patches for affected versions. Experts warn that the vulnerability could disrupt network operations, requiring manual intervention. Palo Alto Networks discovered this flaw in production, indicating potential active exploitation. Immediate patching is recommended to avoid service disruptions and ensure continued protection from DNS-based attacks.

5. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

The Apache Software Foundation (ASF) has released patches for a critical vulnerability in the MINA Java network framework, tracked as CVE-2024-52046, with a CVSS score of 10.0. The flaw affects versions 2.0.X, 2.1.X, and 2.2.X. It arises from the ObjectSerializationDecoder, which improperly handles Java’s native deserialization protocol, allowing remote code execution (RCE) if exploited with specially crafted data. The vulnerability is exploitable only when specific methods and classes are used. ASF advises upgrading and explicitly configuring the decoder to accept safe classes. This disclosure follows recent fixes for vulnerabilities in Tomcat, Traffic Control, HugeGraph-Server, and Struts, all with significant security implications. Users are urged to update to protect against potential threats.

12/18/2024-12/25/2024 Critical Fortinet EMS Vulnerability, PyPI Packages Stealing Keystrokes, Rspack npm Packages Compromised, Thousands Download Malicious npm Libraries.

1. Sophos Patches Critical Firewall Vulnerabilities

Sophos has issued patches for a critical firewall vulnerability, CVE-2024-12727 (CVSS 9.8), which allows remote code execution (RCE) through an SQL injection in the email protection feature. This flaw impacts firewalls configured with Secure PDF eXchange (SPX) in High Availability (HA) mode and affects 0.05% of devices. The issue is resolved in Sophos Firewall version 21.0 MR1 (21.0.1). Additionally, CVE-2024-12728 (CVSS 9.8), involving weak SSH credentials in HA setups, affects 0.5% of devices. Users should restrict SSH access, use strong passphrases, and disable WAN access via SSH. Another vulnerability, CVE-2024-12729 (CVSS 8.8), allows authenticated attackers to execute remote code via the User Portal. To mitigate risks, users should disable WAN access to the User Portal and Webadmin. Sophos emphasizes there’s no evidence of exploitation yet, but urges immediate updates.

2. Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

A critical vulnerability, CVE-2023-48788 (CVSS 9.3), in Fortinet FortiClient EMS has been exploited in a cyber campaign to install remote desktop tools like AnyDesk and ScreenConnect. The SQL injection flaw enables unauthorized code execution via crafted data packets. Kaspersky reported the October 2024 attack on a company’s internet-exposed Windows server with open FortiClient EMS ports. The attackers used the flaw for initial access, installing ScreenConnect and uploading additional tools for credential theft, network scanning, and persistence. Dropped tools included Mimikatz, webbrowserpassview.exe (password recovery), and netscan.exe (network scanning). Targets spanned multiple countries, including Brazil, India, and Spain. Attackers used various ScreenConnect subdomains for lateral movement. Kaspersky also observed CVE-2023-48788 being exploited to execute PowerShell scripts via webhook[.]site domains, highlighting evolving attacker tactics. A similar campaign was uncovered earlier, using the vulnerability to deliver ScreenConnect and Metasploit payloads. 

3. Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Cybersecurity researchers have identified two malicious Python packages, zebo and cometlogger, uploaded to the PyPI repository. These packages, downloaded 118 and 164 times respectively before removal, were designed to exfiltrate sensitive data from compromised systems. The packages collected system metadata, network and Wi-Fi details, running processes, and clipboard content. They also incorporated checks to evade virtual environments and terminated browser-related processes for unrestricted file access.

Fortinet noted that the script operates asynchronously to efficiently steal large volumes of data. These findings underscore the ongoing risks posed by malicious packages in open-source repositories.

4. Apache Tomcat Vulnerability CVE-2024-56337

The Apache Software Foundation (ASF) has patched CVE-2024-56337, a vulnerability in Apache Tomcat that could lead to remote code execution (RCE) under specific conditions. This TOCTOU race condition affects Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97, stemming from incomplete mitigation of CVE-2024-50379 (CVSS 9.8).

Exploitation is possible on case-insensitive file systems with the default servlet write enabled (readonly initialization set to false). Proper configuration based on Java versions is critical:

• Java 8/11: Set sun.io.useCanonCaches to false.
• Java 17: Ensure the property is false (default).
• Java 21+: No action required (property removed).

Future Tomcat versions (11.0.3, 10.1.35, 9.0.99) enforce these configurations. Researchers Nacl, WHOAMI, Yemoli, and Ruozhi discovered these flaws, with KnownSec 404 Team independently reporting CVE-2024-56337 along with a proof-of-concept.

5. CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities Catalog

CISA added CVE-2024-12356, a critical command injection vulnerability (CVSS 9.8), in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, to its KEV. This flaw allows unauthenticated attackers to inject and execute operating system commands as a site user via malicious client requests. BeyondTrust confirmed all versions of PRA and RS prior to 22.1.x are affected and has released patches to address the issue.

Federal agencies must fix this vulnerability by December 27, 2024, as per Binding Operational Directive (BOD) 22-01, which mandates mitigation of listed vulnerabilities to protect government networks. Private organizations are also urged to review the KEV catalog and secure their systems to prevent exploitation.

6.  Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Rspack developers disclosed a supply chain attack compromising their npm packages, @rspack/core and @rspack/cli, which were replaced with malicious versions containing cryptocurrency mining malware. The affected versions, 1.1.7, were removed, and the latest safe release is 1.1.8. The rogue packages exploited a postinstall script to download and execute an XMRig miner on Linux hosts. They also exfiltrated sensitive data, including cloud credentials and IP details, targeting machines in specific countries like China and Russia. The malware activated automatically upon installation. Rspack, a high-performance JavaScript bundler written in Rust and adopted by major companies, sees over 300,000 weekly downloads for @rspack/core. Maintainers revoked all npm and GitHub tokens, secured permissions, and audited code to prevent further breaches. Another npm package, vant (41,000 weekly downloads), was similarly compromised via a stolen npm token. This incident underscores the urgent need for stricter safeguards in software package management.

7. Thousands Download Malicious npm Libraries Impersonating Legitimate Tools

Threat actors have uploaded malicious typosquats of npm packages like typescript-eslint and @types/node, which have accumulated thousands of downloads. These fake packages, named @typescript_eslinter/eslint and types-node, deliver trojans and second-stage payloads. Sonatype’s analysis revealed that @typescript_eslinter/eslint includes a file, prettier.bat, which installs itself in Windows Startup. Despite its name, it’s a disguised trojan executable. The package impersonates popular tools to deceive users. Similarly, types-node fetches malicious scripts from a Pastebin URL to execute a deceptive npm.exe payload. ReversingLabs also flagged malicious Visual Studio Code (VSCode) extensions, such as Ethereum.SoliditySupport and ZoomWorkspace.Zoom, targeting the crypto community and broader users. These extensions contained obfuscated JavaScript to download unknown second-stage payloads. These findings highlight the critical need for stronger supply chain security and vigilance when using open-source tools to avoid introducing malicious code into projects.

12/11/2024-12/18/2024 Two Vulnerabilities in The Hunk Companion, 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository, Critical OpenWrt Vulnerability.

1. Two Vulnerabilities in The Hunk Companion and WP Query Console WordPress Plugins 

Threat actors are exploiting two vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins to gain backdoor access to websites. Hunk Companion, a plugin for ThemeHunk themes, has a missing capability check allowing unauthorized plugin installations. Tracked as CVE-2024-9707 (CVSS 9.8), this flaw can enable remote code execution if another vulnerable plugin is active. While patches were released in October and December, 90% of its 10,000 installations remain unpatched. Over the past day, Defiance blocked 56,000 attacks targeting this vulnerability. Attackers use it to install WP Query Console, an outdated plugin with a remote code execution flaw (CVE-2024-50498, CVSS 9.8). This vulnerability, disclosed in October, allows full control of websites. Admins should update Hunk Companion to version 1.9.0 immediately and check for unauthorized plugins or intrusions.

2. New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have uncovered a new PHP-based backdoor, Glutton, used in attacks targeting China, the U.S., Cambodia, Pakistan, and South Africa. Discovered by QiAnXin XLab in April 2024, the malware is linked with moderate confidence to the Chinese nation-state group Winnti (APT41). Glutton targets PHP frameworks like Baota, ThinkPHP, Yii, and Laravel to steal system information, inject code, and plant ELF backdoors. Despite ties to Winnti, Glutton lacks typical stealth features, such as encrypted C2 communications, and relies on HTTP for payload delivery. Notably, Glutton also targets cybercriminals by poisoning their operations. The backdoor exploits zero-day flaws and brute-force attacks, using a “task_loader” module to download additional components, including ELF malware masquerading as FastCGI Process Manager. It supports 22 commands for operations like file management and remote code execution. Glutton’s modular design ensures stealth by operating within PHP processes, leaving no traceable payloads. Researchers highlighted its dual focus on traditional victims and cybercrime operators, turning attackers’ tools against them.

3. 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

A now-removed GitHub repository advertising a WordPress tool is believed to have enabled the exfiltration of over 390,000 credentials. The campaign, linked to the threat actor MUT-1244, targeted pentesters, security researchers, and malicious actors, stealing sensitive data like SSH keys and AWS credentials.MUT-1244 used phishing and trojanized GitHub repositories claiming to host proof-of-concept (PoC) exploit code but containing malware. One repository, “yawpp,” claimed to be a WordPress poster but deployed malware via a rogue npm dependency, compromising credentials and exfiltrating them to a Dropbox account. MUT-1244 also employed phishing emails, tricking victims into executing malicious shell commands. Payload delivery methods included backdoored compilation files, malicious PDFs, Python droppers, and npm packages like “0xengine/meow.” The campaign highlights attackers exploiting GitHub PoCs and targeting cybersecurity professionals to steal data for further attacks. Researchers warn of the growing trend of fake PoCs used to compromise systems and spread malware.

4. Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

A critical security flaw (CVE-2024-54143, CVSS 9.3) in OpenWrt’s Attended Sysupgrade (ASU) feature could allow attackers to distribute malicious firmware packages. Discovered by Flatt Security researcher RyotaK and patched in ASU version 920c8a1, the flaw involves command injection and a truncated SHA-256 hash that enables hash collisions. Exploitation allows attackers to inject arbitrary commands into the build process, creating malicious firmware images signed with a legitimate build key. Worse, a 12-character hash collision could swap a legitimate image with a prebuilt malicious one, posing a severe supply chain risk.

The vulnerability does not require authentication, allowing crafted package lists to compromise build requests. OpenWrt warns that attackers could force legitimate requests to receive malicious images. While it’s unclear if this flaw has been exploited, users are urged to update to the latest version immediately to mitigate potential risks.