Later Ctrl + ↑

Programmer’s Digest #107

10/31/2024-11/06/2024 LiteSpeed Cache Plugin Vulnerability, Zero-Day Vulnerability in SQLite Database Engine And More.

1. LottieFiles Issues Warning About Compromised “lottie-player” npm Package

LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library. According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.” The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8 . Even with 2FA configured, the threat actors somehow got the npm automation token set in the CI/CD pipeline to automate version releases to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the npm package.

2. LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed. The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8). It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing for the crawler feature to be abused to simulate a logged-in user, including an administrator. CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2). Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates which can include important security fixes.

3. Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Cybersecurity researchers have identified a malicious Python package called “CryptoAITools,” which pretends to be a cryptocurrency trading tool but is actually designed to steal sensitive data and drain crypto wallets. Distributed on both the Python Package Index (PyPI) and GitHub, it was downloaded over 1,300 times before PyPI removed it. The malware activates immediately upon installation on Windows and macOS, deploying a deceptive interface to distract users while it performs data theft in the background. Embedded in the code is a function that downloads further malicious payloads from a fake cryptocurrency trading site, enabling multi-stage infections. CryptoAITools gathers a range of sensitive data, including cryptocurrency wallet information, passwords, cookies, SSH keys, and files. It even targets Apple-specific data on macOS. In addition, a related GitHub repository, “Meme Token Hunter Bot,” and a Telegram channel are used to promote the malware, extending its reach to cautious users across multiple platforms.

4. Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

Google recently uncovered a zero-day vulnerability in the SQLite open-source database using its AI-powered Big Sleep framework (formerly Project Naptime). This marks the “first real-world vulnerability” found by an AI tool, according to Google.The vulnerability is a stack buffer underflow in SQLite, caused by referencing memory locations outside a buffer’s bounds, potentially leading to crashes or unauthorized code execution. Following responsible disclosure, the issue was addressed as of October 2024. Big Sleep, initially detailed in June 2024, leverages large language models to automate vulnerability detection. It enables AI to simulate human analysis, using tools to navigate code, perform sandboxed tests, and debug. While Big Sleep shows promise for pre-release security, Google notes it’s experimental and that specialized fuzzers might still be as effective for certain targets.

5. Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Cybersecurity researchers have uncovered a large-scale campaign, dubbed EMERALDWHALE, that targets exposed Git configurations to steal credentials, clone private repositories, and access cloud services.EMERALDWHALE is believed to have compromised over 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket linked to a prior victim. The operation has obtained at least 15,000 credentials from cloud providers and email services, reportedly for phishing and spam. Although not highly advanced, EMERALDWHALE uses private tools to scan for exposed Git config files and Laravel `.env` files, scraping sensitive information. The group employs tools like MZR V2 and Seyzo-v2, which exploit exposed IPs and are available on underground markets. Additionally, lists of vulnerable Git paths are sold on Telegram, highlighting a growing market for configuration files with sensitive data.

4 mo digest programmers'

Programmer’s Digest #106

10/24/2024-10/30/2024 OS Downgrade Vulnerability, Vulnerabilities in ASA, FMC, and FTD Products, Malicious npm Packages And More.

1. Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

A new technique can bypass Microsoft’s Driver Signature Enforcement (DSE) on fully updated Windows systems, allowing attackers to load unsigned kernel drivers. This method, leverages a tool called Windows Downdate, which enables OS downgrades, undoing security patches to install custom rootkits for hiding activity and maintaining stealth. This exploit builds on previous findings involving Windows update vulnerabilities (CVE-2024-21302 and CVE-2024-38202), allowing attackers to roll back system components, including the critical DSE patch. Attackers can disable Virtualization-Based Security (VBS) using registry modifications, further enabling the downgrade. Microsoft notes that enabling VBS with a UEFI lock and “Mandatory” setting can prevent such attacks. Microsoft is working on a security update to revoke outdated VBS files, acknowledging SafeBreach for the discovery and pledging thorough testing to ensure user protection without disruptions.

2. Cisco Patched Vulnerabilities in ASA, FMC, and FTD Products

Cisco has patched multiple vulnerabilities in its ASA, Secure Firewall Management Center, and Firepower Threat Defense products, including a recently exploited flaw, CVE-2024-20481. This Denial of Service (DoS) vulnerability (CVSS score 5.8) affects the Remote Access VPN (RAVPN) service, allowing unauthenticated attackers to overload the system with VPN requests, potentially requiring a device reboot to restore service. Cisco’s advisory notes this flaw is actively exploited. Previously, Cisco Talos reported widespread brute-force attacks targeting VPN and SSH services, warning customers about password-spraying attacks on RAVPN services. Cisco has also addressed three critical vulnerabilities that are not yet exploited in the wild: CVE-2024-20412 (Static Credential Vulnerability in Firepower models), CVE-2024-20424 (Command Injection in Secure Firewall Management Center), and CVE-2024-20329 (SSH Remote Command Injection in ASA software).

3. BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

Three malicious npm packages were identified containing BeaverTail malware, a JavaScript downloader and information stealer associated with a North Korean campaign called Contagious Interview. Datadog Security, tracking the campaign as Tenacious Pungsan, noted that these packages—passports-js, bcrypts-js, and blockscan-api—were downloaded over 300 times before being removed. The Contagious Interview campaign, active since 2023, involves tricking developers into installing infected software as part of coding tests. Previously, similar packages mimicked popular libraries like etherscan-api, suggesting the attackers continue to target the cryptocurrency sector. Additional counterfeit packages detected recently (e. g., eslint-module-conf) aim to steal cryptocurrencies and maintain access to compromised systems. According to Palo Alto Networks, the campaign effectively exploits job seekers’ trust when applying online, underscoring the growing misuse of the open-source supply chain to spread malware and target developers.

4. FortiManager Critical Vulnerability Under Active Attack

Fortinet has disclosed a critical flaw in its FortiManager software platform, alerting users to a major vulnerability, CVE-2024-47575, with a CVSS score of 9.8. This flaw allows remote attackers to execute code on unpatched systems, potentially spreading across networks. Fortinet’s advisory states that a “missing authentication for critical function” could let attackers use crafted requests to access the system without permission.Exploitation of the flaw requires a valid Fortinet device certificate, which attackers could extract from a legitimate device to gain unauthorized access. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging Federal IT administrators and others to apply fixes immediately,about 60,000 users may be at risk.

5. Researchers Uncover Vulnerabilities in Open-Source AI and ML Models

Over three dozen vulnerabilities have been disclosed across various open-source AI and ML models, potentially leading to remote code execution and data breaches. These flaws, discovered through Protect AI’s Huntr platform, affect tools like ChuanhuChatGPT, Lunary, and LocalAI. Key issues include two severe vulnerabilities in Lunary (CVE-2024-7474 and CVE-2024-7475, both CVSS 9.1), enabling unauthorized data access and user impersonation by manipulating user parameters and SAML configurations. Additionally, ChuanhuChatGPT has a critical path traversal flaw (CVE-2024-5982, CVSS 9.1) that allows arbitrary code execution. LocalAI is also impacted by vulnerabilities allowing attackers to execute arbitrary code (CVE-2024-6983, CVSS 8.8) and infer API keys through response timing (CVE-2024-7010, CVSS 7.5). A separate remote code execution flaw was identified in the Deep Java Library (CVE-2024-8396). Protect AI’s new tool, Vulnhuntr, uses LLMs to identify vulnerabilities in Python code, while Mozilla’s 0Din team recently highlighted a new jailbreak technique that bypasses ChatGPT safeguards using hex-encoded prompts. Users should update affected models to the latest versions.

5 mo digest programmers'

Programmer’s Digest #105

10/16/2024-10/23/2024 Critical OPA Vulnerability, VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw And More.

1. Critical OPA Vulnerability Exposes Windows Credentials

A now-patched security flaw in Styra’s Open Policy Agent (OPA) could expose sensitive credentials on Windows systems, affecting millions of users. The vulnerability, CVE-2024-8260 had a CVSS score of 6.1, making it a medium-severity risk. Tenable found that attackers could exploit the flaw by sending a malicious command, causing OPA to authenticate with a server controlled by the attacker. This would leak NTLM credentials, used for logging into Windows systems. Organizations using OPA on Windows should update to the latest version (v0.68.0). Attackers could exploit this by using social engineering tactics, such as tricking users into running OPA via malicious files. They could also manipulate OPA’s Rego rules or command-line arguments to redirect it to their server.

2. Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor

Cybersecurity researchers discovered malicious packages on the npm registry designed to steal Ethereum private keys and gain remote access via SSH. The packages attempt to add the attacker’s SSH key to the root user’s authorized keys file, giving them access to the victim’s machine, according to Phylum. The packages, posing as legitimate ones like “ethers-mew,” “ethers-web3,” and others, were likely released for testing. The most advanced package, “ethers-mew,” embeds malicious code that siphons Ethereum private keys to “ether-sign[.]com” and allows remote access to compromised systems. Unlike typical malware that executes upon installation, this attack requires the developer to use the package in their code. Phylum noted that the packages and the authors’ accounts were quickly removed by the attackers themselves. This isn’t the first such attack—similar malicious packages have been seen in the npm registry before.

3. VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw

VMware has issued a new security update for CVE-2024-38812, a critical remote code execution flaw in vCenter Server that was not fully addressed in the September 2024 patch. Rated 9.8 (CVSS v3.1), the vulnerability stems from a heap overflow in the DCE/RPC protocol, affecting vCenter Server, vSphere, and Cloud Foundation. Exploiting the flaw requires no user interaction, as it triggers when a malicious network packet is received. Discovered during the 2024 Matrix Cup hacking contest, researchers also revealed CVE-2024-38813, a related privilege escalation flaw. VMware urges users to apply new patches for vCenter 7.0.3, 8.0.2, and 8.0.3, as older versions like vSphere 6.5 and 6.7 won’t receive updates. No workarounds exist, and there are no reports of active exploitation yet. These updates are critical since attackers often target vCenter vulnerabilities to gain access to virtual machines.

4. Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Bad actors are targeting Docker remote API servers to deploy SRBMiner crypto miners. Using the gRPC protocol over h2c, attackers bypass security measures to exploit vulnerable Docker hosts. They start by checking for public-facing Docker API servers, then request upgrades to the h2c protocol (HTTP/2 without TLS encryption). Next, they use gRPC methods to manipulate Docker functionalities, such as health checks and file synchronization, before sending a “/moby.buildkit.v1.Control/Solve” request to create a container and mine XRP cryptocurrency via SRBMiner hosted on GitHub. Trend Micro also reported attackers using Docker API servers to deploy perfctl malware, which creates a malicious container to download and execute harmful payloads. Users are advised to secure Docker remote APIs with strong access controls and monitor for unusual activity.

5. Roundcube XSS Flaw Exploited to Steal Credentials, Email (CVE-2024-37383)

Attackers exploited an XSS vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization in a CIS country. This flaw, patched in May 2024, affects Roundcube versions 1.5.7 and 1.6.7. The exploit was sent via email in June 2024. CVE-2024-37383 allows attackers to inject malicious code using SVG animate attributes. In this case, the email contained hidden JavaScript, which ran when opened, downloading a decoy document while attempting to steal messages and login credentials. XSS vulnerabilities in Roundcube have been exploited before, including by state-sponsored actors targeting government entities. While not the most widely used email client, Roundcube is frequently targeted due to its use in government agencies.