- VulnVerse
- Posts
- [VulnVerse] #4 - 1Panel BlindShot, Laravel XXE Bomb, Docker Slipstream...
[VulnVerse] #4 - 1Panel BlindShot, Laravel XXE Bomb, Docker Slipstream...
Marko Živanović
July 27, 2024
Welcome back to VulnVerse! It's our fourth weekly dispatch, and we’re here to deliver another power-packed edition. Let’s dive into the latest vulnerabilities, exploits, and cyber threats.
Contents
Vulnerabilities and Exploits: 1 to 24
Data Breaches: 25 to 34
Malware and Ransomware: 35 to 41
Software and System Issues: 42 to 44
Advanced Persistent Threats (APT): 50 to 55
Vulnerabilities and Exploits
First up, we’re diving into the freshest vulnerabilities and exploits. Here’s what you need to know to stay armed and dangerous:
A critical SQL injection vulnerability (CVE-2024-39907) in 1Panel allows remote code execution and arbitrary file writes. With a CVSS score of 9.8, this flaw impacts version v1.10.9-tls. Users should upgrade to v1.10.12-tls immediately due to an available public proof-of-concept (PoC).
A significant XXE vulnerability (CVE-2024-40075) has been found in Laravel v11.x, allowing attackers to execute arbitrary commands. This flaw is linked to the __destruct function in the Monolog\Handler\Handler class. Users should update to the latest version to secure their applications.
A severe Docker Engine vulnerability, CVE-2024-41110, allows attackers to bypass authentication via crafted API requests, leading to unauthorized actions. Docker has released patches, and users should update immediately. If updates aren't possible, disable AuthZ plugins and restrict API access. Regular updates and security vigilance are essential.
A vulnerability (CVE-2024-3246) in the LiteSpeed Cache plugin for WordPress could allow attackers to inject malicious code via CSRF attacks. The flaw affects over 5 million websites. Administrators should update to version 6.3 to mitigate risks. Regular updates and security best practices are essential to protect websites from such vulnerabilities.
A zero-day vulnerability in Telegram for Android allowed attackers to send malicious APK files disguised as videos. ESET researchers discovered the flaw, which was patched in version 10.14.5. Users should update to the latest version and scan their devices for malicious files. This incident underscores the importance of timely software updates and vigilant monitoring of application vulnerabilities.
Multiple vulnerabilities in BIND 9 software could allow attackers to destabilize DNS servers, leading to denial-of-service conditions. Critical vulnerabilities include CVE-2024-0760, allowing remote attacks via DNS messages. ISC has released patches for affected versions (9.16.0 to 9.16.36, 9.18.0 to 9.18.10, and 9.19.0 to 9.19.8). Users should update to the latest versions immediately and back up configurations before applying patches to ensure DNS service stability.
GitLab patched a high-severity cross-site scripting (XSS) vulnerability (CVE-2024-5067) affecting versions 16.6 to 17.2.1, allowing attackers to execute arbitrary scripts. Updated versions 17.2.1, 17.1.3, and 17.0.5 address this and other vulnerabilities. Users should update their GitLab installations promptly. Regular security audits and following best practices in coding can mitigate the risks of XSS and other vulnerabilities.
A critical flaw in Progress Telerik Report Server (CVE-2024-6327) allows remote code execution due to insecure deserialization. Rated with a CVSS score of 9.9, it affects versions before 2024 Q2 (10.1.24.709). Progress Software has released an update to address the issue, urging users to upgrade immediately. A temporary mitigation involves changing the Report Server Application Pool user account to one with limited permissions. Users should verify their current version and update as necessary.
A newly discovered vulnerability in the Windows 11 Kernel, termed "File Immutability," allows threat actors to execute arbitrary code with Kernel privileges. The vulnerability exploits incorrect assumptions in the Core Windows feature design. Organizations must employ comprehensive security measures, including secure remote access and regular vulnerability assessments, to mitigate such risks.
A critical vulnerability (CVE-2024-40767) in OpenStack's Nova allows authenticated users to gain unauthorized server access using crafted image files. Discovered by Arnaud Morin of OVH, it affects specific Nova versions; urgent patching is necessary to prevent security breaches.
A design flaw in Microsoft’s Windows Hello for Business allowed attackers to bypass secure authentication by downgrading to less secure methods. Discovered by Yehuda Smirnov, the exploit intercepts and alters authentication requests. Microsoft advises implementing conditional access policies, strong MFA, and monitoring to mitigate this vulnerability.
A vulnerability known as "ConfusedFunction" in Google Cloud Platform's Cloud Functions and Cloud Build services could allow attackers to escalate privileges and access various GCP services. Discovered by Tenable Research, this flaw arises from excessive permissions of the default Cloud Build service account. Google has partially remediated the issue for accounts created after mid-June 2024. Users should replace legacy Cloud Build service accounts with least-privilege accounts and monitor their environments for potential exploitation.
The PKfail vulnerability compromises over 200 device models by exploiting untrusted Platform Keys (PKs) used in the UEFI Secure Boot process. This issue allows attackers to bypass Secure Boot and install persistent malware. Affected vendors include Acer, Dell, Fujitsu, HP, Intel, Lenovo, and Supermicro. Device vendors should replace test keys with securely generated ones and issue firmware updates. Users must apply these updates and use tools like the PKfail scanner to detect vulnerabilities.
A critical vulnerability (CVE-2024-40897) in the Orc compiler has been disclosed, which could enable attackers to execute arbitrary code. The flaw, caused by a stack-based buffer overflow error, is of particular concern for developers and CI environments. The Orc project maintainers have released version 0.4.39 to address this issue. Developers are strongly advised to update immediately to prevent potential exploitation and ensure the integrity of their development environments.
Threat actors are exploiting ServiceNow flaws, specifically CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, to breach systems and steal credentials. These exploits allow remote code execution and database access. Although patches were released on July 10, many systems remain vulnerable. Organizations should immediately apply the patches to prevent data theft and further exploitation. Regular updates and monitoring for signs of compromise are essential to maintaining security
The BookingPress WordPress plugin has multiple vulnerabilities allowing authenticated attackers to create arbitrary files, update site options, and upload arbitrary files, leading to potential site compromise. Affected versions are up to 1.1.5. Users should update to version 1.1.6 and apply security measures like using Wordfence, enforcing least privilege principles, and regularly updating software to protect against these exploits.
A report on GraphQL security reveals significant vulnerabilities, including unrestricted resource consumption, security misconfigurations, and exposed secrets. To improve security, organizations should implement access control, input validation, rate limiting, and schema whitelisting. Adopting these best practices can help protect against DoS attacks and other threats.
A high-severity vulnerability (CVE-2024-41827) in JetBrains TeamCity allows deleted or expired access tokens to remain functional, posing significant risks to CI/CD systems. Users must update to the latest version and enhance monitoring and detection to mitigate potential unauthorized access and privilege escalation. Immediate patching is crucial to protect sensitive information and maintain system integrity.
Progress Software has flagged a serious remote code execution vulnerability in Telerik Report Server (CVE-2024-6327). This issue stems from insecure deserialization of untrusted data, enabling attackers to execute malicious code on vulnerable servers. Versions affected include Report Server 2024 Q2 (10.1.24.514) and earlier. Users are urged to upgrade to version 2024 Q2 (10.1.24.709) or apply temporary mitigations.
Siemens has released crucial firmware updates to fix critical security flaws in its SICAM products, including unauthorized password resets and firmware downgrade vulnerabilities. These issues could lead to privilege escalation and data leaks. Affected products include SICAM A8000 and SICAM EGS. Siemens advises users to update their firmware and enhance security measures by disabling auto-login and securing network access with firewalls.
MonoSwap, a liquidity protocol, suffered a hack after a developer installed a phishing app, leading to significant loss of staked liquidity. The attackers gained access to wallets and contracts via a botnet. MonoSwap's inadequate security measures, such as lack of audits and over-reliance on a single executive’s access, contributed to the breach. Strengthening security protocols, conducting regular audits, and distributing critical access can help prevent similar incidents.
Hackers exploited the swap file mechanism in Magento e-commerce platforms to inject persistent credit card skimmers. This method allows malware to survive multiple removal attempts. To counter this, e-commerce sites should deploy comprehensive security measures, restrict administrative access, use firewalls, and regularly update their systems and plugins to detect and remove such malware.
Threat actors are exploiting Telegram APIs to steal login credentials through phishing emails and deceptive landing pages. These pages use JavaScript to exfiltrate user data to Telegram bots. Users should avoid clicking on suspicious links, employ robust email filtering, and educate employees about phishing risks. Organizations should implement multi-factor authentication and monitor for unusual activity to mitigate the impact of such attacks.
Hackers have exploited vulnerabilities in Secure Email Gateways (SEGs) by sending corrupted .zip archives, allowing malware like FormBook to bypass detection. These archives contain HTML files with .Mpeg extensions, evading SEG scans. Organizations should enhance SEG configurations, monitor for unusual file types, and educate employees about the risks of opening suspicious attachments.
Data Breaches
Next, we wade through the murky waters of recent data breaches. These aren’t just headlines – they’re crucial lessons on what can go wrong and how to bolster your defenses.
Red Art Games has suffered a large-scale cyberattack, compromising customer data including names, birth dates, email addresses, shipping information, and phone numbers. Order processing is suspended during the investigation. Banking information remains secure. Customers should change their account passwords and stay alert for phishing attempts.
The popular pirate e-book site Z-Library, or its phishing clone Z-lib, suffered a data breach affecting nearly 10 million users. Cybernews discovered an exposed database containing information on 9,761,948 users, including personal information, passwords, cryptocurrency wallet addresses, and payment details. The breach occurred due to the cybercriminals’ web server having directory listing enabled. Affected users are advised to change passwords, block malicious email addresses, and secure their cryptocurrency wallets.
Cybercriminals have leaked internal documents stolen from Leidos Holdings Inc., a major IT service provider for the U.S. government. The documents were stolen due to a previously disclosed breach of Diligent Corp.’s system. This incident did not impact Leidos' network or any confidential client data. The data leak has raised concerns due to Leidos' extensive work with the Department of Defense, the Department of Homeland Security, and NASA.
Michigan Medicine experienced a data breach affecting 57,000 patients, exposing personal and health information through compromised employee email accounts. The organization has notified affected individuals and taken measures to block the attackers' IP and reset passwords. Patients should monitor their accounts for suspicious activity. Organizations should strengthen email security and employee training to prevent similar breaches.
Hackers leaked documents from Leidos Holdings, a major IT services provider to the U.S. government. The breach, linked to a 2022 incident involving Diligent Corp., raises concerns over the security of sensitive government data managed by third-party contractors. Leidos is investigating the breach and emphasizes that its network and sensitive customer data were not affected.
Suffolk County, New York, has approved $25.7 million for recovery efforts following a cyberattack by the ALPHV/BlackCat group. The attack exposed personal data of 470,000 residents and 26,000 employees. Recovery includes contracts through the end of 2024 and significant expenses directed towards system support and forensic investigations.
Verizon agreed to a $16 million settlement over data breaches at its subsidiary TracFone. The breaches involved unauthorized access to customer data and SIM-swapping incidents. Verizon will implement enhanced security measures, including API vulnerability reduction and SIM change protections, to safeguard customer information.
Greece’s Land Registry faced a data breach after 400 cyberattacks, resulting in the theft of 1.2 GB of non-sensitive administrative data. The agency blocked further data exfiltration attempts and implemented emergency measures like VPN access termination and mandatory two-factor authentication. Enhancing cybersecurity defenses and monitoring for ongoing threats is crucial to prevent similar breaches.
The website for dYdX's v3 trading platform was compromised in a DNS hijacking attack, leading users to a phishing site that attempted to steal tokens. The attack exploited vulnerabilities in the Squarespace registrar used by the platform. dYdX has regained control and advises users to restart browsers and clear caches. This incident highlights the importance of robust domain security practices and prompt incident response.
A breach at Spytech exposed data from over 10,000 devices compromised with Realtime-Spy and SpyAgent spyware tools. The incident revealed unencrypted activity logs and affected devices, predominantly in the U.S. and Europe. Spytech is investigating the breach. Users should verify their devices and utilize tools like Have I Been Pwned to check for exposure. Strong security practices and regular updates are essential to prevent spyware infections.
Malware and Ransomware
Get ready to explore the dangerous world of malware and ransomware. These threats are constantly changing, and knowing the latest can help you avoid a security disaster.
FortiGuard Labs identified a campaign leveraging CVE-2024-21412 to deliver information-stealing malware, bypassing Windows SmartScreen. The attack chain includes downloading an LNK file that leads to an executable with a malicious script, injecting final stealer malware like Meduza and ACR. Organizations must prioritize patching vulnerabilities, deploying advanced threat detection systems, and educating users about the risks of interacting with unknown links and files.
In January 2024, Russian-linked FrostyGoop malware cut off heating for 600 buildings in Lviv, Ukraine, during sub-zero temperatures. The attackers exploited a Mikrotik router vulnerability, breaching the network nearly a year before the attack. The malware targeted industrial control systems using the Modbus protocol. It highlights the need for improved network segmentation and adherence to SANS 5 Critical Controls, including secure remote access and ICS network visibility.
The Krampus loader, a new malware gaining popularity on the dark web, supports multiple functionalities like archiving, PowerShell scripts, and cryptocurrency mining. It evades detection by altering code on each build. Cybersecurity experts urge organizations to update security protocols and employ advanced threat detection systems. Staying informed about emerging threats and implementing proactive cybersecurity measures are essential to protect digital assets from sophisticated malware loaders like Krampus.
The developer of EvolvedAim, a cheat program for the game Escape From Tarkov, has been exposed for distributing malware that stole user information. Known as Mythical, the developer embedded malicious software in the cheat to steal data from users' devices, including passwords and crypto wallet files. EvolvedAim has been shut down, and Mythical has been banned from gaming forums. This case highlights the risks associated with using game cheats and the severe repercussions for both developers and users involved in such activities.
A ransomware attack on the Superior Court of Los Angeles County led to the closure of 36 courts to restore systems. The attack compromised external and internal case management systems. The court is collaborating with local, state, and federal agencies to investigate the incident.
RA World ransomware group, active since March 2024, targets the manufacturing sector using multi-extortion tactics. The group has shifted from healthcare to manufacturing, seeking higher ransom payouts. To defend against such attacks, organizations should secure internet-facing servers, implement strong access controls, and maintain regular data backups. Enhanced threat detection and response capabilities are also critical.
Check Point researchers have discovered the Stargazers Ghost Network, a sophisticated network of GitHub accounts distributing malware and phishing links. Operated by Stargazer Goblin, the network uses over 3,000 accounts to create repositories with malicious links and encrypted archives, appearing legitimate through automated activities like starring and forking. This Distribution as a Service (DaaS) has been active since mid-2023, with significant activity in mid-2024. Users should be cautious of repositories with unusually high activity and ensure robust cybersecurity measures, including regular monitoring and verification of repository content.
Sofware and System Issues
Even the most secure systems can have problems. Here’s a look at recent software and system issues you need to know about. Stay informed and stay prepared.
OpenBSD has rolled out hardware acceleration support in its latest major update, significantly enhancing performance for desktop users. The update includes video acceleration (VA-API) and integration with the libva 2.22.0 open-source library. This allows the GPU to handle hardware encoding and decoding, improving performance and battery life in browsers like Chrome and Firefox.
Microsoft released the July 2024 preview update for Windows 10, fixing issues with Windows Defender Application Control (WDAC) that caused app crashes and memory leaks. Users are encouraged to install the update to enhance system stability and security. This update is crucial for maintaining optimal system performance and preventing potential security vulnerabilities.
Microsoft's KB5040527 update for Windows 11 fixes issues causing Windows backups to fail on EFI systems and addresses upgrade failures and memory leaks in Windows Defender Application Control. Users can install this optional update via Windows Update or manually download it. This update also adds drivers to the Windows Kernel Vulnerable Driver Blocklist to prevent Bring Your Own Vulnerable Driver (BYOVD) attacks. Microsoft recommends updating to the latest version to ensure continued security and functionality.
Cybersecurity Measures, Recommendations and Law
What can you do about all these threats? Here are some top cybersecurity tips and recommendations to keep you one step ahead of the bad guys.
IPFire, the open-source firewall distribution, has introduced SYN Flood Protection for its enterprise users. This feature leverages advanced SYN cookie technology to distinguish between genuine and malicious traffic, effectively filtering out illegitimate SYN packets. IPFire supports Amazon’s Graviton Instances and Elastic Network adapters, enabling high-performance, cloud-based DoS protection capable of handling hundreds of gigabits of traffic per second.
Let’s Encrypt plans to discontinue OCSP support in favor of CRLs, enhancing user privacy and operational efficiency. Users relying on OCSP should transition to CRLs and ensure their systems are compatible with certificates lacking an OCSP URL.
Linx Security raised $33 million to enhance identity security technology, which reduces attack surfaces by mapping and monitoring user identities, access, and permissions. Their advanced analytics help mitigate risks, such as detecting and revoking unsecured access to critical systems, ensuring better compliance and security.
Cyber insurance is evolving to improve organizational cybersecurity postures. Despite its benefits, only a quarter of companies have standalone policies due to cost and coverage concerns. Cyber insurance now includes AI-related risks and personal insurance for smart devices. Organizations should align cyber insurance with security policies and consider it as part of a broader risk mitigation strategy.
Oversharing travel details on social media can alert criminals to your absence, increasing burglary risks. Users should schedule content, use privacy settings, disable geo-tagging, and limit audience visibility to enhance security while traveling.
Advanced Persistent Threats (APT)
Finally, we focus on Advanced Persistent Threats (APTs). These are long-term, sneaky cyber-attacks that need a deep understanding to stop. Learn how to protect yourself from these persistent threats.
The espionage group Daggerfly, also known as Evasive Panda, has updated its cyber arsenal, including a new malware family based on the MgBot modular framework and a new version of the Macma macOS backdoor. These updates are likely in response to the public disclosure of older variants. The group targets organizations in Taiwan and a U.S. NGO based in China. Daggerfly’s tools include the Macma backdoor and a new Windows backdoor, Trojan.Suzafk.
The Patchwork group, targeting Bhutan, used updated backdoor PGoShell and new tool Brute Ratel C4. The attack involved distributing a decoy file and downloading malicious components. The group targets governmental and defense organizations in East and South Asia. Patchwork’s tools include Brute Ratel C4 for managing file systems, port scanning, and capturing screens, and PGoShell with remote control and screen capture capabilities.
Rapid7’s report reveals Kimsuky APT’s advanced tactics, using phishing and social engineering to target government and research sectors. Key methods include LNK and CHM files for payloads. Organizations should enhance email security and train staff on social engineering defenses.
The FBI and Mandiant have identified North Korean hacking group APT45, active since 2009, targeting U.S. government agencies and critical infrastructure, supporting North Korea's military and nuclear programs through espionage and ransomware attacks.
A Chinese cybercrime network involved in gambling and human trafficking uses advanced DNS and traffic systems. Organizations should boost DNS security, monitor for suspicious activities, and work with law enforcement. Implementing multi-layered security and educating employees on cyber threats are crucial to combating these complex operations.
Sekoia.io and Intrinsec have analyzed the Quad7 botnet, which targets Microsoft 365 accounts using TCP port 7777 on infected routers. The botnet's number of unique IP addresses has decreased, but it continues to evolve, mainly targeting TP-Link routers. The botnet uses password spraying attacks on Microsoft 365 accounts, and researchers urge companies to help solve remaining mysteries related to the botnet.
That’s it for this week! We've covered the latest vulnerabilities, exploits, data breaches, malware, ransomware, APTs, and some practical cybersecurity tips. Stay informed and keep your systems secure.
Have any questions, comments, or feedback? Feel free to reply directly, I'd love to hear from you!
If you find this newsletter helpful and think others would too, please consider forwarding it to them. 🙏
Thanks for reading!
exit(0);
Reply