12/11/2024-12/18/2024 Two Vulnerabilities in The Hunk Companion, 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository, Critical OpenWrt Vulnerability.

1. Two Vulnerabilities in The Hunk Companion and WP Query Console WordPress Plugins 

Threat actors are exploiting two vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins to gain backdoor access to websites. Hunk Companion, a plugin for ThemeHunk themes, has a missing capability check allowing unauthorized plugin installations. Tracked as CVE-2024-9707 (CVSS 9.8), this flaw can enable remote code execution if another vulnerable plugin is active. While patches were released in October and December, 90% of its 10,000 installations remain unpatched. Over the past day, Defiance blocked 56,000 attacks targeting this vulnerability. Attackers use it to install WP Query Console, an outdated plugin with a remote code execution flaw (CVE-2024-50498, CVSS 9.8). This vulnerability, disclosed in October, allows full control of websites. Admins should update Hunk Companion to version 1.9.0 immediately and check for unauthorized plugins or intrusions.

2. New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have uncovered a new PHP-based backdoor, Glutton, used in attacks targeting China, the U.S., Cambodia, Pakistan, and South Africa. Discovered by QiAnXin XLab in April 2024, the malware is linked with moderate confidence to the Chinese nation-state group Winnti (APT41). Glutton targets PHP frameworks like Baota, ThinkPHP, Yii, and Laravel to steal system information, inject code, and plant ELF backdoors. Despite ties to Winnti, Glutton lacks typical stealth features, such as encrypted C2 communications, and relies on HTTP for payload delivery. Notably, Glutton also targets cybercriminals by poisoning their operations. The backdoor exploits zero-day flaws and brute-force attacks, using a “task_loader” module to download additional components, including ELF malware masquerading as FastCGI Process Manager. It supports 22 commands for operations like file management and remote code execution. Glutton’s modular design ensures stealth by operating within PHP processes, leaving no traceable payloads. Researchers highlighted its dual focus on traditional victims and cybercrime operators, turning attackers’ tools against them.

3. 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

A now-removed GitHub repository advertising a WordPress tool is believed to have enabled the exfiltration of over 390,000 credentials. The campaign, linked to the threat actor MUT-1244, targeted pentesters, security researchers, and malicious actors, stealing sensitive data like SSH keys and AWS credentials.MUT-1244 used phishing and trojanized GitHub repositories claiming to host proof-of-concept (PoC) exploit code but containing malware. One repository, “yawpp,” claimed to be a WordPress poster but deployed malware via a rogue npm dependency, compromising credentials and exfiltrating them to a Dropbox account. MUT-1244 also employed phishing emails, tricking victims into executing malicious shell commands. Payload delivery methods included backdoored compilation files, malicious PDFs, Python droppers, and npm packages like “0xengine/meow.” The campaign highlights attackers exploiting GitHub PoCs and targeting cybersecurity professionals to steal data for further attacks. Researchers warn of the growing trend of fake PoCs used to compromise systems and spread malware.

4. Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

A critical security flaw (CVE-2024-54143, CVSS 9.3) in OpenWrt’s Attended Sysupgrade (ASU) feature could allow attackers to distribute malicious firmware packages. Discovered by Flatt Security researcher RyotaK and patched in ASU version 920c8a1, the flaw involves command injection and a truncated SHA-256 hash that enables hash collisions. Exploitation allows attackers to inject arbitrary commands into the build process, creating malicious firmware images signed with a legitimate build key. Worse, a 12-character hash collision could swap a legitimate image with a prebuilt malicious one, posing a severe supply chain risk.

The vulnerability does not require authentication, allowing crafted package lists to compromise build requests. OpenWrt warns that attackers could force legitimate requests to receive malicious images. While it’s unclear if this flaw has been exploited, users are urged to update to the latest version immediately to mitigate potential risks.

12/04/2024-12/11/2024 Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel, Cleo File Transfer Vulnerability, CLFS Driver Flaw And More.

1. CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel

CISA has added vulnerabilities affecting Zyxel, North Grid Proself, ProjectSend, and CyberPanel products to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. These include CVE-2024-51378 (CVSS: 10.0), a critical flaw enabling command execution via authentication bypass; CVE-2023-45727, tied to a China-linked espionage group; CVE-2024-11680, exploited for web shell deployments; and CVE-2024-11667, abused in ransomware campaigns like PSAUX and Helldown. Agencies must address these issues by December 25, 2024. Separately, JPCERT/CC reports three exploited vulnerabilities in I-O DATA routers, including CVE-2024-52564 (CVSS: 7.5), allowing attackers to disable firewalls. While some fixes are available, others are expected by December 18, 2024. Users should restrict remote management, secure credentials, and update firmware promptly.

2. Cleo File Transfer Vulnerability Under Exploitation 

Huntress warned that an improperly patched vulnerability (CVE-2024-50623) in Cleo’s file transfer products—Harmony, VLTrader, and LexiCom—has been exploited in the wild since early December. The flaw, meant to be fixed in version 5.8.0.21, allows remote code execution. Threat actors have used it to establish persistence, perform reconnaissance, and conduct stealthy post-exploitation activities. At least 10 businesses, primarily in the consumer goods, food, trucking, and shipping sectors, have been compromised, with attack attempts targeting 1,700 servers. Exploitation surged on December 8. The incident resembles the MOVEit hack, where a zero-day was used to steal vast data from numerous organizations.Huntress and Rapid7 have observed active attacks, shared indicators of compromise, and provided mitigation guidance. Cleo is preparing a new patch, expected mid-week, and updating its advisory.

3. CISA Adds Microsoft Windows CLFS Driver Flaw To Its Known Exploited Vulnerabilities Catalog

CISA has added CVE-2024-49138, a Microsoft Windows Common Log File System (CLFS) driver vulnerability (CVSS: 7.8), to its KEV catalog. This flaw, addressed in Microsoft’s December 2024 Patch Tuesday updates, allows local attackers to escalate privileges to SYSTEM via a heap-based buffer overflow. While Microsoft has not disclosed details of the attacks exploiting this zero-day, federal agencies are required to remediate the vulnerability by December 31, 2024, under Binding Operational Directive 22-01. Private organizations are also urged to review the KEV catalog and mitigate listed vulnerabilities to secure their systems. The flaw is part of 71 vulnerabilities patched this month, highlighting the importance of timely updates to prevent potential exploitation.

4. Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities

Ivanti has issued security updates to fix critical vulnerabilities in its Cloud Services Application (CSA) and Connect Secure products, which could lead to privilege escalation and remote code execution. Key flaws include CVE-2024-11639 (CVSS: 10.0), an authentication bypass allowing remote attackers to gain admin access, and CVE-2024-11772, a command injection issue enabling code execution. Other vulnerabilities, such as CVE-2024-11773, CVE-2024-11633, and CVE-2024-11634, involve SQL injection and argument injection attacks. CVE-2024-8540 (CVSS: 8.8) addresses insecure permissions in Ivanti Sentry, allowing local attackers to modify components. Fixes are available in Ivanti CSA 5.0.3, Connect Secure 22.7R2.4, Policy Secure 22.7R1.2, and Sentry versions 9.20.2, 10.0.2, and 10.1.0. While no active exploitation has been reported, users are urged to update promptly, as Ivanti products have previously been targeted by state-sponsored attackers.

5. Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

Cybersecurity researchers have uncovered security flaws in open-source machine learning (ML) tools like MLflow, H2O, PyTorch, and MLeap, potentially allowing code execution. Discovered by JFrog, these issues target ML clients and libraries handling safe model formats like Safetensors.Key vulnerabilities include CVE-2024-27132 (XSS in MLflow, enabling client-side remote code execution), CVE-2024-6960 (unsafe deserialization in H2O, leading to code execution), and path traversal flaws in PyTorch and MLeap, allowing arbitrary file overwrite and potential code execution. Attackers exploiting these flaws could gain access to ML services like model registries or MLOps pipelines, enabling lateral movement, exposure of credentials, and backdooring of ML models.

JFrog warns against loading untrusted ML models, even from safe formats, as they may lead to remote code execution. Organizations must scrutinize their ML models to prevent significant damage from these vulnerabilities.

11/27/2024-12/04/2024 RCE Vulnerability, Critical SailPoint IdentityIQ Vulnerability, ProjectSend, North Grid Proself, and Zyxel Firewalls Bugs.

1. XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

Researchers uncovered a year-long software supply chain attack on the npm registry involving the package @0xengine/xmlrpc, initially published as a JavaScript XML-RPC library. Malicious code was introduced in version 1.3.4, enabling the theft of SSH keys, bash history, system metadata, and environment variables every 12 hours. It also installed the XMRig cryptocurrency miner, compromising at least 68 systems. The attack spread through npm installations and a GitHub project named yawpp, which listed the malicious package as a dependency, causing automatic downloads during setup. The malware established persistence using systemd, monitored processes to evade detection, and suspended mining when user activity was detected.

This incident highlights the risks of supply chain attacks. “Even well-maintained packages can become malicious,” warned security researcher Yehuda Gelb. Additionally, Datadog Security Labs reported another campaign using fake npm and PyPI packages to deploy malware targeting Roblox developers.

2. Veeam Service Provider RCE Vulnerability Let Attackers Execute Arbitrary Code

Veeam has disclosed two major vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution (RCE) flaw. The most severe issue, CVE-2024-42448, has a CVSS score of 9.9, allowing attackers to execute arbitrary code on unpatched VSPC servers if the management agent is authorized. Another vulnerability, CVE-2024-42449, rated at 7.1, enables attackers to steal NTLM hashes and potentially delete files. Both flaws affect VSPC version 8.1.0.21377 and earlier. Veeam urges users to upgrade to the patched version (8.1.0.21999) immediately, as no mitigation methods are available. These vulnerabilities underscore the need for timely updates, especially after incidents like ransomware attacks exploiting prior Veeam flaws. Organizations must act quickly to secure their systems and safeguard data from potential threats.

3. Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

A critical vulnerability in SailPoint’s IdentityIQ software (CVE-2024-10905) has been disclosed, earning a maximum CVSS score of 10.0. This flaw affects IdentityIQ versions 8.2, 8.3, 8.4, and earlier. The issue stems from improper handling of virtual resource file names (CWE-66), enabling unauthorized HTTP access to static content in the application directory, potentially exposing sensitive files. Impacted versions include all 8.4 patch levels before 8.4p2, 8.3 versions before 8.3p5, 8.2 versions before 8.2p8, and all prior releases.

SailPoint has not yet issued a security advisory or additional details about the flaw. Organizations using affected versions should upgrade to patched levels immediately to mitigate risks.

4. Decade-Old Cisco Vulnerability Under Active Exploit 

Cisco has issued a warning about active exploitation of a decade-old vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA). The flaw, found in ASA’s WebVPN login page, allows unauthenticated attackers to launch cross-site scripting (XSS) attacks by tricking users into clicking malicious links. Cisco first identified the vulnerability in 2014, citing insufficient input validation. Recent in-the-wild exploitation attempts were reported in November 2024. The company urges users to upgrade to a fixed software release, as no workarounds are available.

5. CISA Adds to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2023-45727 (Proself): XXE flaw in versions before Ver5.62, Ver1.65, and Ver1.08 allows unauthenticated attackers to read server files.
• CVE-2024-11680 (ProjectSend): Improper authentication in versions before r1720 enables attackers to modify configurations, upload webshells, and embed malicious JavaScript.
• CVE-2024-11667 (Zyxel): Directory traversal flaw in firmware V5.00–V5.38 allows file upload/download via crafted URLs.

The ProjectSend flaw (CVSS 9.8) has been exploited in the wild since September 2024 using tools like Metasploit. Attackers enable user registration, modify configurations, and store webshells in predictable locations. CISA urges FCEB agencies to patch these flaws under BOD 22-01, and private organizations are advised to review and address the vulnerabilities to secure their systems.