WEEKLY TOP TEN: November 25, 2024, 16:00 GMT
- Critical Flaw in End-of-Life D-Link VPN Routers
An independent security researcher, ‘del sploit,’ discovered a flaw in the D-Link VPN routers DSR-150, DSR-150N, DSR-250, and DSR-250N, which have been end-of-life (EOL) since 05/01/2024. The flaw allows an attacker to achieve unauthenticated remote code execution. In its advisory, D-Link stated that no security update will be released for this flaw because the products are EOL.

- Critical Authentication Bypass in WordPress Plugin ‘Really Simple Security’
Security researchers at Wordfence discovered a critical vulnerability affecting versions 9.0.0 – 9.1.1.1 of the WordPress plugin ‘Really Simple Security’, formerly known as ‘Really Simple SSL’. The vulnerability is an authentication bypass arising from improper error handling in the ‘check_login_and_get_user’ function. It allows an unauthenticated attacker to log in as any user when two-factor authentication is enabled.

- Actively Exploited RCE Flaw Impacting VMware vCenter
Researchers from TZL demonstrated an RCE vulnerability in VMware vCenter during China’s 2024 Matrix Cup hacking contest. The vulnerability is tracked as CVE-2024-38812 and has been observed being actively exploited in the wild. The same researchers also reported a second actively exploited vulnerability affecting vCenter: a privilege escalation flaw that allows an attacker to gain root privileges through a crafted network packet. That flaw is tracked as CVE-2024-38813.

- Mozilla’s 0Din Discovered a Flaw in ChatGPT’s Sandbox, Allowing Python Execution
Security researchers at Mozilla’s 0Din discovered multiple security flaws that allow the upload and execution of Python scripts. Through prompt injection, the researchers were able to run Python scripts that could list, modify, and relocate files within the sandbox. They could even extract the model’s core configuration and knowledge base. Of the five flaws enabling this activity, OpenAI has addressed only one and currently has no plans to mitigate the other four.

- Akira Ransomware Group Compromised Over 30 Companies in One Day
The Akira ransomware group updated its victim list on November 13th, adding more than 30 new victims. Most (25) of the targets are in the U.S., with the remainder in Europe, and they span a range of industries.

- Python Packages Impersonating Popular AI Models
Cybersecurity researchers discovered two packages, ‘gptplus’ and ‘claudeai-eng’, uploaded to the Python Package Index (PyPI) repository by the user ‘Xeroline’. The packages claimed to provide access to the GPT-4 Turbo and Claude AI APIs, but they contained malicious code that delivered an information stealer called JarkaStealer.

- Russia-Linked Threat Actor Tied to Cyber Espionage Campaign
The threat actor codenamed TAG-110 has been observed using a custom malware loader, HATVIBE, to load a Python backdoor, CHERRYSPY, which is used for data exfiltration and espionage. CERT-UA first observed this group in May 2023; since then, the group has compromised 62 unique victims across 11 countries.

- Apple Patches Two Actively Exploited Zero-Days
In the recent iOS updates 18.1.1 and 17.7.2, as well as the recent macOS update 15.1.1, Apple patched two vulnerabilities: CVE-2024-44308, an arbitrary code execution flaw in JavaScriptCore, and CVE-2024-44309, a cookie management flaw in WebKit that leads to a cross-site scripting attack.

- Operation Lunar Peek Compromised 2,000 Palo Alto Firewalls
Researchers at Shadowserver released a report revealing that roughly 2,000 Palo Alto firewalls with a publicly exposed PAN-OS management interface have been compromised. The firewalls were targeted with two recently identified zero-days, CVE-2024-0012 and CVE-2024-9474, which are, respectively, an authentication bypass flaw and a privilege escalation flaw. Unit 42 of Palo Alto Networks assesses with high confidence that a functional exploit chaining these two vulnerabilities is publicly available.

- Threat Group ‘Water Barghest’ Compromised Over 20,000 IoT Devices
Researchers at Trend Micro uncovered a cyber gang named ‘Water Barghest’ that has been targeting IoT devices, using automated scripts to compromise vulnerable devices. Once a device is compromised, the group deploys custom malware called ‘Ngioweb’ to register it as a proxy, with the aim of selling access on a residential proxy marketplace.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original stories we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.