
how human behavior affects security


Programmer’s Digest #106

10/24/2024-10/30/2024 OS Downgrade Vulnerability, Vulnerabilities in ASA, FMC, and FTD Products, Malicious npm Packages And More.

1. Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

A new technique can bypass Microsoft’s Driver Signature Enforcement (DSE) on fully updated Windows systems, allowing attackers to load unsigned kernel drivers. The method leverages a tool called Windows Downdate, which enables OS downgrades, undoing security patches so that custom rootkits can be installed to hide activity and maintain stealth. The exploit builds on previous findings involving Windows update vulnerabilities (CVE-2024-21302 and CVE-2024-38202), allowing attackers to roll back system components, including the critical DSE patch. Attackers can disable Virtualization-Based Security (VBS) using registry modifications, further enabling the downgrade. Microsoft notes that enabling VBS with a UEFI lock and the “Mandatory” setting can prevent such attacks. Microsoft is working on a security update to revoke outdated VBS files, acknowledging SafeBreach for the discovery and pledging thorough testing to ensure user protection without disruptions.

2. Cisco Patched Vulnerabilities in ASA, FMC, and FTD Products

Cisco has patched multiple vulnerabilities in its ASA, Secure Firewall Management Center, and Firepower Threat Defense products, including a recently exploited flaw, CVE-2024-20481. This Denial of Service (DoS) vulnerability (CVSS score 5.8) affects the Remote Access VPN (RAVPN) service, allowing unauthenticated attackers to overload the system with VPN requests, potentially requiring a device reboot to restore service. Cisco’s advisory notes this flaw is actively exploited. Previously, Cisco Talos reported widespread brute-force attacks targeting VPN and SSH services, warning customers about password-spraying attacks on RAVPN services. Cisco has also addressed three critical vulnerabilities that are not yet exploited in the wild: CVE-2024-20412 (Static Credential Vulnerability in Firepower models), CVE-2024-20424 (Command Injection in Secure Firewall Management Center), and CVE-2024-20329 (SSH Remote Command Injection in ASA software).

3. BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

Three malicious npm packages were identified containing BeaverTail malware, a JavaScript downloader and information stealer associated with a North Korean campaign called Contagious Interview. Datadog Security, tracking the campaign as Tenacious Pungsan, noted that these packages—passports-js, bcrypts-js, and blockscan-api—were downloaded over 300 times before being removed. The Contagious Interview campaign, active since 2023, involves tricking developers into installing infected software as part of coding tests. Previously, similar packages mimicked popular libraries like etherscan-api, suggesting the attackers continue to target the cryptocurrency sector. Additional counterfeit packages detected recently (e.g., eslint-module-conf) aim to steal cryptocurrencies and maintain access to compromised systems. According to Palo Alto Networks, the campaign effectively exploits job seekers’ trust when applying online, underscoring the growing misuse of the open-source supply chain to spread malware and target developers.

4. FortiManager Critical Vulnerability Under Active Attack

Fortinet has disclosed a critical flaw in its FortiManager software platform, alerting users to a major vulnerability, CVE-2024-47575, with a CVSS score of 9.8. This flaw allows remote attackers to execute code on unpatched systems, potentially spreading across networks. Fortinet’s advisory states that a “missing authentication for critical function” could let attackers use crafted requests to access the system without permission. Exploitation of the flaw requires a valid Fortinet device certificate, which attackers could extract from a legitimate device to gain unauthorized access. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging Federal IT administrators and others to apply fixes immediately; about 60,000 users may be at risk.

5. Researchers Uncover Vulnerabilities in Open-Source AI and ML Models

Over three dozen vulnerabilities have been disclosed across various open-source AI and ML models, potentially leading to remote code execution and data breaches. These flaws, discovered through Protect AI’s Huntr platform, affect tools like ChuanhuChatGPT, Lunary, and LocalAI. Key issues include two severe vulnerabilities in Lunary (CVE-2024-7474 and CVE-2024-7475, both CVSS 9.1), enabling unauthorized data access and user impersonation by manipulating user parameters and SAML configurations. Additionally, ChuanhuChatGPT has a critical path traversal flaw (CVE-2024-5982, CVSS 9.1) that allows arbitrary code execution. LocalAI is also impacted by vulnerabilities allowing attackers to execute arbitrary code (CVE-2024-6983, CVSS 8.8) and infer API keys through response timing (CVE-2024-7010, CVSS 7.5). A separate remote code execution flaw was identified in the Deep Java Library (CVE-2024-8396). Protect AI’s new tool, Vulnhuntr, uses LLMs to identify vulnerabilities in Python code, while Mozilla’s 0Din team recently highlighted a new jailbreak technique that bypasses ChatGPT safeguards using hex-encoded prompts. Users should update affected models to the latest versions.


Programmer’s Digest #105

10/16/2024-10/23/2024 Critical OPA Vulnerability, VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw And More.

1. Critical OPA Vulnerability Exposes Windows Credentials

A now-patched security flaw in Styra’s Open Policy Agent (OPA) could expose sensitive credentials on Windows systems, affecting millions of users. The vulnerability, CVE-2024-8260, had a CVSS score of 6.1, making it a medium-severity risk. Tenable found that attackers could exploit the flaw by sending a malicious command, causing OPA to authenticate with a server controlled by the attacker. This would leak NTLM credentials, which are used for logging into Windows systems. Organizations using OPA on Windows should update to the latest version (v0.68.0). Attackers could exploit this by using social engineering tactics, such as tricking users into running OPA via malicious files. They could also manipulate OPA’s Rego rules or command-line arguments to redirect it to their server.

2. Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor

Cybersecurity researchers discovered malicious packages on the npm registry designed to steal Ethereum private keys and gain remote access via SSH. The packages attempt to add the attacker’s SSH key to the root user’s authorized keys file, giving them access to the victim’s machine, according to Phylum. The packages, posing as legitimate ones like “ethers-mew,” “ethers-web3,” and others, were likely released for testing. The most advanced package, “ethers-mew,” embeds malicious code that siphons Ethereum private keys to “ether-sign[.]com” and allows remote access to compromised systems. Unlike typical malware that executes upon installation, this attack requires the developer to use the package in their code. Phylum noted that the packages and the authors’ accounts were quickly removed by the attackers themselves. This isn’t the first such attack—similar malicious packages have been seen in the npm registry before.

3. VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw

VMware has issued a new security update for CVE-2024-38812, a critical remote code execution flaw in vCenter Server that was not fully addressed in the September 2024 patch. Rated 9.8 (CVSS v3.1), the vulnerability stems from a heap overflow in the DCE/RPC protocol, affecting vCenter Server, vSphere, and Cloud Foundation. Exploiting the flaw requires no user interaction, as it triggers when a malicious network packet is received. Discovered during the 2024 Matrix Cup hacking contest, researchers also revealed CVE-2024-38813, a related privilege escalation flaw. VMware urges users to apply new patches for vCenter 7.0.3, 8.0.2, and 8.0.3, as older versions like vSphere 6.5 and 6.7 won’t receive updates. No workarounds exist, and there are no reports of active exploitation yet. These updates are critical since attackers often target vCenter vulnerabilities to gain access to virtual machines.

4. Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Bad actors are targeting Docker remote API servers to deploy SRBMiner crypto miners. Using the gRPC protocol over h2c, attackers bypass security measures to exploit vulnerable Docker hosts. They start by checking for public-facing Docker API servers, then request upgrades to the h2c protocol (HTTP/2 without TLS encryption). Next, they use gRPC methods to manipulate Docker functionalities, such as health checks and file synchronization, before sending a “/moby.buildkit.v1.Control/Solve” request to create a container and mine XRP cryptocurrency via SRBMiner hosted on GitHub. Trend Micro also reported attackers using Docker API servers to deploy perfctl malware, which creates a malicious container to download and execute harmful payloads. Users are advised to secure Docker remote APIs with strong access controls and monitor for unusual activity.
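The advice above ends with “monitor for unusual activity”. The following is an added example (not Trend Micro’s or Docker’s code) of what that monitoring can look like: it scans constructed Docker API access-log lines for the pattern described in the item, a cleartext HTTP/2 (h2c) upgrade followed by BuildKit gRPC calls such as `/moby.buildkit.v1.Control/Solve`, and weights each finding by whether the source is in an assumed trusted subnet (`10.0.0.0/8`). The log format and the sample entries are constructed for the example.

```python
"""Flag suspicious Docker remote API traffic: h2c upgrades and BuildKit gRPC
calls, rated by whether the caller comes from a trusted network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not from a real deployment): ts|src_ip|method|path|proto|upgrade-header
SAMPLE_LOG = """\
2024-10-20T10:01:02Z|10.0.0.5|GET|/_ping|HTTP/1.1|-
2024-10-20T10:01:03Z|10.0.0.5|POST|/session|HTTP/1.1|h2c
2024-10-20T10:01:04Z|10.0.0.5|GET|/v1.45/containers/json|HTTP/1.1|-
2024-10-20T10:01:07Z|203.0.113.7|GET|/v1.45/version|HTTP/1.1|-
2024-10-20T10:01:08Z|203.0.113.7|POST|/grpc|HTTP/1.1|h2c
2024-10-20T10:01:09Z|203.0.113.7|POST|/moby.buildkit.v1.Control/Solve|HTTP/2.0|-
2024-10-20T10:01:10Z|203.0.113.7|POST|/v1.45/containers/create|HTTP/1.1|-
"""

# Assumption: only the CI/orchestration subnet may talk to the Docker API.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUILDKIT_PREFIX = "/moby.buildkit.v1.Control/"
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Finding:
    severity: str
    reason: str
    src: str
    path: str

def is_trusted(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)

def classify(src: str, path: str, upgrade: str) -> Optional[Finding]:
    """Return the single most relevant finding for one request, or None."""
    trusted = is_trusted(src)
    if path.startswith(BUILDKIT_PREFIX):
        # Solve is the call that actually builds/runs a container via BuildKit.
        if path.endswith("/Solve") and not trusted:
            return Finding("critical", "BuildKit Solve from untrusted host", src, path)
        return Finding("medium" if not trusted else "info", "BuildKit gRPC method", src, path)
    if upgrade.lower() == "h2c":
        # Legitimate `docker build` sessions also use h2c, so trust decides severity.
        return Finding("high" if not trusted else "info", "cleartext HTTP/2 (h2c) upgrade", src, path)
    if not trusted:
        return Finding("medium", "Docker API call from untrusted host", src, path)
    return None

def scan(log_text: str) -> list:
    findings = []
    for line in filter(None, log_text.splitlines()):
        _ts, src, _method, path, _proto, upgrade = line.split("|")
        f = classify(src, path, upgrade)
        if f:
            findings.append(f)
    return findings

def hosts_at_or_above(findings: list, level: str) -> set:
    """Source IPs with at least one finding at `level` or worse; good alert input."""
    return {f.src for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[level]}
```

Feeding the daemon's real access log (or a reverse proxy's) through `scan` and alerting on `hosts_at_or_above(findings, "high")` turns the item's “monitor for unusual activity” into a concrete rule; the h2c-only hits from trusted hosts stay at info level so normal builds do not page anyone.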

5. Roundcube XSS Flaw Exploited to Steal Credentials, Email (CVE-2024-37383)

Attackers exploited an XSS vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization in a CIS country. This flaw, patched in May 2024, affects Roundcube versions 1.5.7 and 1.6.7. The exploit was sent via email in June 2024. CVE-2024-37383 allows attackers to inject malicious code using SVG animate attributes. In this case, the email contained hidden JavaScript, which ran when opened, downloading a decoy document while attempting to steal messages and login credentials. XSS vulnerabilities in Roundcube have been exploited before, including by state-sponsored actors targeting government entities. While not the most widely used email client, Roundcube is frequently targeted due to its use in government agencies.


Programmer’s Digest #104

10/09/2024-10/16/2024 GitHub Patches Critical Flaw, CISA Warns of Three Vulnerabilities, WordPress Plugin Jetpack Patches Major Vulnerability And More.

1. GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to fix several vulnerabilities, including a critical flaw (CVE-2024-9487) with a CVSS score of 9.5/10. This issue allows attackers to bypass SAML single sign-on (SSO) authentication and gain unauthorized access by exploiting a cryptographic signature verification weakness. The flaw is a regression from CVE-2024-4985, a maximum severity bug (CVSS 10.0) patched in May 2024. Two other issues were also fixed: CVE-2024-9539 (CVSS 5.7), which exposes user metadata, and sensitive data exposure in HTML forms. The vulnerabilities are patched in GHES versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. GitHub urges organizations using affected versions to update immediately to prevent potential security risks.

2. CISA Warns of Three Vulnerabilities Actively Exploited in the Wild

CISA has issued an urgent alert about three critical vulnerabilities being actively exploited in the wild. These affect Microsoft, Mozilla, and SolarWinds products, posing serious risks. The first, CVE-2024-30088, is a race condition in the Microsoft Windows Kernel, potentially allowing privilege escalation. Users should apply mitigations or discontinue use by November 5, 2024. The second, CVE-2024-9680, is a use-after-free flaw in Mozilla Firefox that could allow arbitrary code execution. Mozilla users must also apply fixes by the same deadline. The third, CVE-2024-28987, impacts SolarWinds Web Help Desk, involving hardcoded credentials that could allow unauthorized access. CISA urges immediate patching or mitigation to prevent exploitation.

3. WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

Jetpack, a popular WordPress plugin by Automattic, has released a security update to fix a critical vulnerability. The flaw, present since version 3.9.9 (2016), allowed logged-in users to view forms submitted by others on the site. Discovered during an internal audit, the issue affects Jetpack’s Contact Form feature. Jetpack, used on 27 million sites, worked with the WordPress.org Security Team to automatically update affected sites. While there’s no evidence of exploitation, the vulnerability could be abused now that it’s public. The update addresses this flaw across 101 Jetpack versions. In related news, WordPress founder Matt Mullenweg has taken control of WP Engine’s Advanced Custom Fields (ACF) plugin, launching a fork called Secure Custom Fields (SCF) to fix a security issue. WP Engine disputes the action, claiming it was taken without consent.

4. Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks

Sophos reports that ransomware operators are exploiting a critical flaw, CVE-2024-40711, in Veeam Backup & Replication software to create rogue accounts and deploy malware. Veeam addressed this remote code execution (RCE) vulnerability (CVSS 9.8) in September 2024, as part of a security update that fixed 18 high and critical flaws. The flaw affects Veeam Backup & Replication version 12.1.2.172 and earlier. Attackers have used compromised credentials and the vulnerability to deploy ransomware, including Fog and Akira. These attacks often target outdated VPN gateways without multifactor authentication. Sophos warns that attackers exploited Veeam’s URI trigger on port 8000 to create local admin accounts and deploy ransomware. One attack involved Fog ransomware on an unprotected Hyper-V server, using rclone for data exfiltration. Sophos emphasizes the importance of patching vulnerabilities, updating outdated VPNs, and using multifactor authentication to prevent attacks.

5. Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems

Cybersecurity researchers warn of an unpatched vulnerability (CVE-2024-9441, CVSS 9.8) in Nice Linear eMerge E3 access controllers that allows remote attackers to execute arbitrary OS commands. Despite public disclosure, no fix or workaround has been provided by the vendor. The flaw affects several versions of the Nortek Linear eMerge E3, including 0.32-03i through 1.00.07. Proof-of-concept exploits have been released, increasing the risk of malicious attacks. A similar flaw (CVE-2019-7256) was exploited in the past to recruit devices into the Raptor Train botnet, which raises concerns about the vendor’s slow response.

Nice recommends following security best practices, such as network segmentation, restricting internet access, and using firewalls to protect affected devices.
