07/31/2024-08/07/2024 New Linux Kernel Exploit Technique ‘SLUBStick, Critical Security Flaw in WhatsUp Gold, Malicious Python Packages And More.

1. New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers

Cybersecurity researchers have discovered a new Linux kernel exploitation technique called SLUBStick, which can elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. Researchers from Graz University of Technology explained that SLUBStick exploits a timing side-channel of the allocator for a reliable cross-cache attack, achieving a success rate above 99% for frequently used generic caches.

Memory safety vulnerabilities in the Linux kernel are typically hard to exploit due to security features like SMAP, KASLR, and kCFI. Traditional cross-cache attack methods have a success rate of only 40%. SLUBStick, demonstrated on Linux kernel versions 5.19 and 6.2, uses nine security flaws found between 2021 and 2023 to achieve root privilege escalation and container escapes. This method effectively bypasses defenses like KASLR, assuming the presence of a heap vulnerability and code execution capabilities by an unprivileged user.

The researchers noted SLUBStick’s ability to exploit recent systems with a variety of heap vulnerabilities.

2. Critical Security Flaw in WhatsUp Gold Under Active Attack – Patch Now

 A critical security flaw in Progress Software’s WhatsUp Gold is under active exploitation, urging users to quickly apply the latest updates. The vulnerability, CVE-2024-4885 (CVSS score: 9.8), is an unauthenticated remote code execution bug in versions before 2023.1.3. It allows execution of commands with iisapppool\nmconsole privileges due to inadequate validation of user-supplied paths in the GetFileWithoutZip method.

Exploitation attempts have been observed since August 1, 2024, with a proof-of-concept exploit released by researcher Sina Kheirkhah. Version 2023.1.3 also addresses two other critical flaws (CVE-2024-4883 and CVE-2024-4884) and a high-severity privilege escalation issue (CVE-2024-5009). Admins must apply updates and restrict traffic to trusted IP addresses to mitigate threats.

3. 0.0.0.0 Day exploit reveals 18-year-old security flaw in Chrome, Safari, and Firefox

An 18-year-old vulnerability, the “0.0.0.0 Day” flaw, allows malicious websites to bypass security protocols in major browsers like Google Chrome, Mozilla Firefox, and Apple Safari. This flaw mainly impacts Linux and macOS devices, enabling threat actors to change settings, access sensitive information, and execute remote code. Initially reported in 2008, the issue remains unresolved, though developers are working on fixes.

The vulnerability stems from inconsistent security mechanisms and the use of the “wildcard” IP address 0.0.0.0, which attackers exploit to target local services. Researchers at Oligo Security have noted active exploitation by threat actors, with campaigns targeting AI workloads and Selenium Grid servers.
Browser developers are planning updates to block access to 0.0.0.0. Meanwhile, Oligo recommends using PNA headers, verifying HOST headers, and employing HTTPS and CSRF tokens for added security.

4. Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform

Threat actors are tricking users into downloading malware via Stack Exchange, targeting developers with bogus Python packages that drain cryptocurrency wallets. 

The rogue packages include:

• raydium (762 downloads)
• raydium-sdk (137 downloads)
• sol-instruct (115 downloads)
• sol-structs (292 downloads)
• spl-types (776 downloads)

These packages, downloaded 2,082 times, contained malware that stole data, including web browser passwords, cryptocurrency wallets, and messaging app information. They also captured screenshots and searched for sensitive files. The data was exfiltrated to Telegram bots. The malware included a backdoor for persistent remote access.

The attackers used Stack Exchange to promote these packages by posting seemingly helpful answers to developer questions. This campaign highlights the need for developers and organizations to reassess their security strategies to prevent supply chain attacks.

5. North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

Threat actors in an ongoing malware campaign, dubbed DEV#POPPER and linked to North Korea, have expanded their tactics to target Windows, Linux, and macOS systems. This campaign targets software developers globally, including South Korea, North America, Europe, and the Middle East.

Securonix researchers revealed that the attackers pose as interviewers, urging candidates to download a ZIP file for a coding assignment. This file contains a malicious npm module that triggers the BeaverTail malware, which identifies the operating system and exfiltrates data.

The malware can also download additional payloads, including the InvisibleFerret Python backdoor, which steals system metadata, browser cookies, and logs keystrokes. Enhanced obfuscation and AnyDesk remote monitoring software are used for persistence. Despite heavy sanctions, North Korea continues to import foreign technology to enhance its operational security.

07/24/2024-07/31/2024 Flaw in Telerik, ConfusedFunction Flaw in Google Cloud, Critical Docker Engine Flaw And More.

1. Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Progress Software urges users to update their Telerik Report Server instances due to a critical security flaw (CVE-2024-6327) with a CVSS score of 9.9. This vulnerability affects versions 2024 Q2 (10.1.24.514) and earlier and can lead to remote code execution via insecure deserialization. The flaw has been fixed in version 10.1.24.709.
For temporary mitigation, change the user for the Report Server Application Pool to one with limited permissions. Check server vulnerability by logging into the Report Server web UI, opening the Configuration page, and checking the version number under the About tab.

This disclosure follows another critical flaw (CVE-2024-4358) patched nearly two months ago, which CISA added to its Known Exploited Vulnerabilities catalog on June 13.

2. Researchers Uncover ConfusedFunction Flaw in Google Cloud

Tenable researchers discovered a privilege escalation flaw in Google Cloud Platform’s (GCP) Cloud Functions service, named ‘ConfusedFunction’. This vulnerability allows attackers to gain higher privileges to the Default Cloud Build Service Account and access services like Cloud Build, storage, and container registry without authorization.

The exploit enables attackers to move laterally and upgrade privileges, accessing and modifying unauthorized data. Cloud Functions, a serverless environment, attaches a default Cloud Build service account with excessive permissions when a function is created or updated.

After Tenable reported the issue, Google partially fixed it for accounts created after mid-June 2024. However, existing accounts remain vulnerable. Google updated the default behavior for Cloud Build to use a Compute Engine default service account and released additional policies to control default service account usage.

3. Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker warns of a critical flaw (CVE-2024-41110) in certain Docker Engine versions that allows attackers to bypass authorization plugins (AuthZ), carrying a CVSS score of 10.0. The flaw occurs when an API request with Content-Length set to 0 causes the Docker daemon to forward the request without the body to the AuthZ plugin, potentially approving it incorrectly. The issue, originally fixed in 2019, reappeared in later versions and has been resolved in Docker Engine versions 23.0.14 and 27.1.0 as of July 2024.

Affected versions include:

• <= v19.03.15
• <= v20.10.27
• <= v23.0.14
• <= v24.0.9
• <= v25.0.5
• <= v26.0.2
• <= v26.1.4
• <= v27.0.3, and
• <= v27.1.0

Docker Desktop up to version 4.32.0 is also affected, but a fix is expected in version 4.33.

Users should update to the latest version to mitigate potential threats.
 

4. CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

The Internet Systems Consortium (ISC) has released patches for multiple vulnerabilities in the BIND 9 DNS software that could trigger denial-of-service (DoS) attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified four key vulnerabilities:

• CVE-2024-4076 (CVSS 7.5): Logic error in lookups could cause an assertion failure.
• CVE-2024-1975 (CVSS 7.5): Validating DNS messages with SIG(0) can overload CPU.
• CVE-2024-1737 (CVSS 7.5): Excessive resource record types slow down processing.
• CVE-2024-0760 (CVSS 7.5): Malicious queries over TCP can render the server unresponsive.

These flaws can cause unexpected termination, CPU resource depletion, and slow query processing. The issues are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1. There is no evidence of these vulnerabilities being exploited in the wild.

5. CrowdStrike Software Update Leads to Significant Global Tech Outage

CrowdStrike announced a major global outage caused by a recent update to its Falcon security software, impacting 8.5 million devices. The update, intended to gather telemetry on new threat techniques, inadvertently caused Windows systems to crash on July 19, 2024. The issue primarily affected Windows 10 and later versions, leaving Mac and Linux systems unaffected.

The outage disrupted airlines, banking, and media sectors worldwide. CrowdStrike quickly identified the problem, working with Microsoft to develop and deploy fixes. The recovery involved installing backups, booting into safe mode, and manually deleting files. Full restoration is expected to take several days. CrowdStrike and Microsoft provided recovery tools and support. The financial impact is estimated at $5.4 billion, with minimal insurance coverage. For continuous updates, visit CrowdStrike’s official website.

07/17/2024-07/24/2024 CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities, SocGholish Malware Exploits BOINC Project And More.

1. CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence:

• CVE-2012-4792 (CVSS score: 9.3) – A use-after-free vulnerability in Microsoft Internet Explorer allowing remote code execution via a crafted site.
• CVE-2024-39891 (CVSS score: 5.3) – An information disclosure bug in Twilio Authy that reveals if a phone number is registered with Authy.

Twilio resolved CVE-2024-39891 in recent Android and iOS versions after threat actors exploited it to access Authy account data. CISA warns that such vulnerabilities pose significant risks and mandates Federal Civilian Executive Branch (FCEB) agencies to remediate these by August 13, 2024.

2. SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The SocGholish malware (FakeUpdates) is now delivering AsyncRAT and the legitimate BOINC project. BOINC, managed by the University of California, uses volunteer computing for distributed tasks and rewards users with Gridcoin cryptocurrency. Researchers noted that these installations connect to malicious domains (“rosettahome[.]cn” or “rosettahome[.]top”), acting as command-and-control servers to collect data and transmit payloads.

As of July 15, over 10,000 clients are connected to these domains. Although no additional activities have been observed, infected hosts might be sold as access vectors for further attacks, including ransomware. SocGholish attacks begin with fake browser updates that lead to AsyncRAT or BOINC installations. BOINC is disguised as “SecurityHealthService.exe” to evade detection. The misuse of BOINC has been tracked since June 26, 2024.

3. SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software

SolarWinds has fixed critical security flaws in its Access Rights Manager (ARM) software that could lead to sensitive data access or arbitrary code execution. Of the 13 vulnerabilities, eight are rated Critical (CVSS score 9.6), and five are rated High (CVSS scores 7.6 and 8.3).
The most severe flaws include:

• CVE-2024-23472: Directory Traversal and Information Disclosure
• CVE-2024-28074: Deserialization Remote Code Execution
• CVE-2024-23469: Dangerous Method Remote Code Execution

Exploitation could allow attackers to read, delete files, and execute code with elevated privileges. These issues were resolved in version 2024.3, released on July 17, 2024, after disclosure through Trend Micro’s Zero Day Initiative.

This follows CISA’s inclusion of a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995) in its Known Exploited Vulnerabilities catalog due to active exploitation reports.

4. TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Threat actors, tracked as TAG-100 by Recorded Future’s Insikt Group, are using open-source tools for cyber espionage against global government and private sector entities. Since February 2024, they have targeted organizations across ten countries. The group uses open-source Go backdoors like Pantegana and Spark RAT, exploiting security flaws in products such as Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks GlobalProtect. Starting April 16, 2024, TAG-100 targeted Palo Alto Networks GlobalProtect appliances, exploiting CVE-2024-3400 (CVSS score: 10.0).

This campaign also involved reconnaissance of internet-facing appliances in fifteen countries, including Cuba, France, and Japan. The use of PoC exploits with open-source tools lowers entry barriers for attackers, complicating detection and attribution. Recorded Future highlights the appeal of targeting internet-facing appliances for their limited security defenses.