WEEKLY TOP TEN: December 16, 2024, 16:00 GMT
- OpenWrt Flaw Allows Distribution of Malicious Firmware
 A security researcher at Flatt Security, 'RyotaK', discovered a flaw in OpenWrt's Attended Sysupgrade (ASU) service, which builds custom, on-demand firmware images for embedded devices such as routers, access points, and other IoT hardware. The flaw, tracked as CVE-2024-54143, combines a command injection in the image builder with a truncated request hash: the server used only the first 12 hexadecimal characters (48 bits) of the SHA-256 hash of a build request as its cache key, so an attacker who found a request colliding with a victim's could have a malicious cached build served to other users requesting images from the sysupgrade.openwrt.org service. OpenWrt has fixed the vulnerability and found no evidence that it was exploited, but still advises users who built images through the service to install a newly generated image in place of any potentially affected one.
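 The following Python example, added here and not taken from OpenWrt's ASU code, shows why a truncated hash makes a poor cache key. The request serialisation, the sample build request, and the package-list field used for the search are assumptions for illustration; a 3-hex-character key is used so the second-preimage search finishes in well under a second, while expected_work() reports the cost of the real 12-character case. In the real flaw the attacker needed the command injection to plant a malicious image in the cache; here the attacker's build function simply returns a marked image.

```python
"""Why a truncated build-request hash is a weak cache key (added example for CVE-2024-54143)."""
import hashlib
import json


# Canonical request serialisation is an assumption of this example, not OpenWrt's ASU code.
def cache_key(request: dict, hex_chars: int) -> str:
    """SHA-256 of the canonical request, keeping only the first hex_chars characters
    (64 = the full digest)."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:hex_chars]


def expected_work(hex_chars: int) -> int:
    """Average number of candidate requests an attacker must hash to reproduce a given key."""
    return 16 ** hex_chars  # 12 hex chars -> 2**48: hours to days on GPU hardware, not a defence


def find_colliding_request(victim_request: dict, hex_chars: int, max_tries: int = 100_000):
    """Second-preimage search over a field the attacker controls (the package list)."""
    target = cache_key(victim_request, hex_chars)
    for i in range(max_tries):
        candidate = dict(victim_request)
        candidate["packages"] = victim_request["packages"] + [f"attacker-pkg-{i}"]
        if cache_key(candidate, hex_chars) == target:
            return candidate, i + 1
    return None, max_tries


class BuildCache:
    """Toy build service: a request whose key is already cached is served the cached image."""

    def __init__(self, hex_chars: int):
        self.hex_chars = hex_chars
        self.images = {}

    def build(self, request: dict, builder) -> str:
        key = cache_key(request, self.hex_chars)
        if key not in self.images:
            self.images[key] = builder(request)
        return self.images[key]


VICTIM_REQUEST = {  # constructed sample request
    "target": "ath79/generic", "profile": "tplink_archer-c7-v2",
    "version": "23.05.5", "packages": ["luci", "wpad-basic-mbedtls"],
}


def poisoning_outcome(hex_chars: int) -> str:
    """Image the victim receives after an attacker pre-populates the cache with a
    colliding request. With hex_chars=3 (12 bits) the victim gets the attacker's image;
    with hex_chars=64 the search fails and the victim gets a clean build."""
    attacker_request, _ = find_colliding_request(VICTIM_REQUEST, hex_chars)
    cache = BuildCache(hex_chars)
    if attacker_request is not None:
        cache.build(attacker_request, lambda r: "MALICIOUS image: " + ",".join(r["packages"]))
    return cache.build(VICTIM_REQUEST, lambda r: "clean image: " + ",".join(r["packages"]))


if __name__ == "__main__":
    print(poisoning_outcome(3))
    print(poisoning_outcome(64))
    print(f"work for 12 hex chars: 2**{expected_work(12).bit_length() - 1}")
```

 The fix is the obvious one: key the cache on the full digest (or, better, on a digest that also covers the builder version and the exact package versions resolved), so that producing a second request with the same key costs 2**256 work rather than 2**48.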
- Hacking Group Uses Visual Studio Code Remote Tunnels for Remote Command Execution
 A joint report from SentinelLabs (SentinelOne's research unit) and Tinexta Cyber describes a suspected China-nexus cyber-espionage group that targeted large business-to-business IT service providers in Southern Europe from late June to mid-July 2024, in a campaign the researchers codenamed Operation Digital Eye. The group gained initial access through SQL injection against internet-facing applications and database servers, deployed PHPsert, a PHP-based web shell, and then established SSH access and Visual Studio Code Remote Tunnels for remote command execution, relying on a legitimate Microsoft developer feature whose traffic is easily mistaken for normal activity.
- Vulnerability in WPForms Allows for Arbitrary Stripe Refunds
 The security researcher 'vullu164' discovered a vulnerability, tracked as CVE-2024-11205, in the WordPress plugin WPForms, versions 1.8.4 through 1.9.2.1. A missing capability check lets any authenticated user, including Subscriber-level accounts, invoke two AJAX functions: 'ajax_single_payment_refund()', which issues Stripe refunds, and 'ajax_single_payment_cancel()', which cancels Stripe subscriptions. The vulnerability is patched in the most recent version, 1.9.2.2.
- Cleo Zero-Day Actively Exploited In-The-Wild
 Attackers are actively exploiting a flaw in Cleo's managed file transfer products (Harmony, VLTrader, and LexiCom). The flaw, tracked as CVE-2024-50623, allows unrestricted file upload and download, leading to remote code execution. Cleo attempted to patch it in version 5.8.0.21, but the patch was incomplete, and attackers have been observed bypassing it on fully patched systems. Until a complete fix is available, internet-exposed Cleo instances should be placed behind a firewall.
- Nemesis and ShinyHunters Cyber Gangs Collected Thousands of AWS Credentials
 Cybersecurity researchers Noam Rotem and Ran Locar of CyberCyber Labs discovered that the cybercrime gangs Nemesis and ShinyHunters were scanning millions of IP addresses for misconfigured or vulnerable web applications, such as exposed configuration and environment files, in order to harvest Amazon Web Services (AWS) credentials and other sensitive data, including proprietary source code and application databases. The harvested keys were then validated and used against the victims' AWS accounts.
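 The defensive counterpart to that scanning is to find such credentials on your own web servers first. The Python scanner below is an added example, not the researchers' tooling: it checks file contents for AWS access key IDs (long-term keys start with AKIA, temporary STS keys with ASIA) and for a 40-character secret assigned to a variable whose name mentions the secret key, redacting the secret in its own output. The list of commonly probed file names and the sample .env content are constructed for the example; the key pair in the sample is the one AWS uses in its documentation.

```python
"""Scanner for AWS credentials left in web-reachable config files (added example)."""
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A 40-character base64-like value assigned to a variable whose name mentions the secret key.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\W{0,3}([A-Za-z0-9/+]{40})")

# File names that opportunistic scanners commonly request from web servers (assumed list).
EXPOSED_CONFIG_NAMES = {".env", ".env.bak", ".git/config", "wp-config.php", "config.php",
                        "settings.py", "docker-compose.yml", "credentials"}


def is_probed_config(path: str) -> bool:
    """True if the path ends in a file name that mass scanners typically look for."""
    return any(path.endswith(name) for name in EXPOSED_CONFIG_NAMES)


def scan_text(path: str, text: str) -> list:
    """Return one finding per credential-looking token, with the secret value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            findings.append({"path": path, "line": lineno, "type": "aws_access_key_id",
                             "value": key_id, "temporary": key_id.startswith("ASIA")})
        m = SECRET_KEY_RE.search(line)
        if m:
            secret = m.group(1)
            findings.append({"path": path, "line": lineno, "type": "aws_secret_access_key",
                             "value": secret[:4] + "..." + secret[-4:]})  # never log the whole secret
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> content (e.g. the document root of a web server)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


SAMPLE_FILES = {  # constructed sample; the key pair is AWS's documented example, not a live key
    "/var/www/html/.env": (
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "DB_PASSWORD=hunter2\n"),
    "/var/www/html/index.php": "<?php echo 'hello'; ?>\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        exposed = "WEB-PROBED" if is_probed_config(finding["path"]) else "local"
        print(exposed, finding)
```

 A hit in a file that is_probed_config() flags should be treated as already compromised: rotate the key in IAM and review CloudTrail for use of it, rather than just deleting the file.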
- AuthQuake Attack Allows MFA Bypass for Microsoft Accounts
 The cybersecurity firm Oasis Security published a report describing 'AuthQuake', an MFA bypass for Microsoft accounts. The attack exploited two weaknesses: failed code attempts were limited to about 10 per session, but nothing stopped an attacker from opening many new sessions and guessing in parallel, so the limit was effectively absent and no alert was raised; and Microsoft accepted a six-digit Time-Based One-Time Password (TOTP) from an authenticator app for roughly 3 minutes instead of the standard 30-second window, giving the attacker six times as many guesses per code. The researchers showed that, without user interaction or any alert, they reached a better than 50% chance of hitting a valid code in about 70 minutes. After Oasis Security reported the flaw, Microsoft implemented stricter rate limits on October 9th, 2024, fixing the issue.
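 To make the two weaknesses concrete, the Python example below is an added illustration, not Oasis Security's or Microsoft's code. It implements RFC 4226/6238 HOTP/TOTP and a verifier whose acceptance window and failure-counter scope are configurable: the "weak" configuration accepts codes up to 6 steps (3 minutes) old and counts failures per session, so a fresh session resets the counter; the "hardened" one accepts only one step of drift and counts failures per account. The secret is the RFC 6238 test secret and the timestamps are fixed, so the run is deterministic.

```python
"""Weak vs hardened TOTP verification (added example, not Oasis Security's or Microsoft's code)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """limit_scope='session' reproduces the AuthQuake-style weakness: the failure counter
    is reset simply by starting a new session. 'account' keys it to the user instead."""

    def __init__(self, secret: bytes, window_steps: int, max_failures: int,
                 limit_scope: str, step: int = 30):
        self.secret, self.window, self.max_failures = secret, window_steps, max_failures
        self.limit_scope, self.step = limit_scope, step
        self.failures = {}

    def _bucket(self, account, session_id):
        return (account, session_id) if self.limit_scope == "session" else account

    def verify(self, account: str, session_id: str, code: str, at: int) -> str:
        bucket = self._bucket(account, session_id)
        if self.failures.get(bucket, 0) >= self.max_failures:
            return "locked"
        counter = at // self.step
        for drift in range(-self.window, self.window + 1):  # accept +/- window steps
            if hmac.compare_digest(hotp(self.secret, counter + drift), code):
                self.failures.pop(bucket, None)
                return "ok"
        self.failures[bucket] = self.failures.get(bucket, 0) + 1
        return "rejected"


def attack_success_probability(guesses_per_window: int, windows: int, digits: int = 6) -> float:
    """Chance a blind guesser hits at least one valid code when each window has a fresh code."""
    return 1 - (1 - guesses_per_window / 10 ** digits) ** windows


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    now = 1_700_000_000               # fixed timestamp so the demo is reproducible
    weak = TotpVerifier(secret, window_steps=6, max_failures=10, limit_scope="session")
    hard = TotpVerifier(secret, window_steps=1, max_failures=10, limit_scope="account")
    results = {}
    # 1. Per-session throttling: exhausting one session locks only that session.
    for _ in range(10):
        weak.verify("alice", "sess-1", "000000", now)
    results["weak_same_session"] = weak.verify("alice", "sess-1", "000000", now)
    results["weak_new_session"] = weak.verify("alice", "sess-2", "000000", now)
    # 2. Wide acceptance window: a code from 150 seconds ago (5 steps) still passes the weak verifier.
    stale = totp(secret, now - 150)
    results["weak_stale_code"] = weak.verify("alice", "sess-3", stale, now)
    results["hard_stale_code"] = hard.verify("alice", "sess-3", stale, now)
    # 3. Account-level throttling: failures spread over many sessions still lock the account,
    #    even when the attacker finally presents the correct current code.
    for i in range(10):
        hard.verify("alice", f"sess-{i}", "000000", now)
    results["hard_after_lockout"] = hard.verify("alice", "sess-new", totp(secret, now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

 The lockout in the hardened verifier should be backed by a notification to the account owner and a cool-down, not just a counter; the point of the example is that any limit keyed to something the attacker can mint for free (a session) is no limit at all.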
- Critical Authentication Bypass Found in Ivanti CSA
 A flaw discovered by CrowdStrike's Advanced Research Team allows a remote attacker to gain administrative privileges on Ivanti's Cloud Services Appliance (CSA) without authentication or user interaction. The flaw, tracked as CVE-2024-11639, affects CSA 5.0.2 and earlier and is patched in version 5.0.3; given that CSA flaws have been exploited in the wild earlier this year, exposed appliances should be updated promptly.
- New Linux Rootkit 'Pumakit' Discovered in the Wild
 The newly found rootkit 'Pumakit' was first uploaded to VirusTotal on September 4th, 2024. Elastic Security Labs has since reverse-engineered it and found a multi-stage design: a dropper, memory-resident executables, a loadable kernel module (LKM), and a userland shared-object component, Kitsune. The LKM hooks system calls and kernel functions through the ftrace mechanism to hide files, processes, and network activity, escalate privileges, and execute commands. Before the LKM loads, it runs a checklist covering specific kernel symbols, secure boot status, and other prerequisites, and it does not activate unless the environment matches.
- New Iranian Malware IOCONTROL Targets IoT and OT/SCADA Systems
 Claroty's Team82 researchers discovered new malware, 'IOCONTROL', that targets IoT devices and OT/SCADA systems in Israel and the United States, including routers, PLCs, HMIs, IP cameras, and fuel-management systems. The malware has been attributed to the Iranian threat actor CyberAv3ngers. It is modular, communicates with its command-and-control infrastructure over MQTT, and resolves its C2 domain through DNS over HTTPS to evade network monitoring; its purpose is to disrupt critical infrastructure and facilitate data theft.
- WordPress Plugin Hunk Companion Allows for Installation of Other Plugins
 CVE-2024-11972, reported by WPScan, affects the WordPress plugin Hunk Companion in versions up to and including 1.3.11 and lets an unauthenticated attacker install arbitrary plugins from the WordPress.org repository, including outdated ones with known vulnerabilities. WPScan reports that threat actors are exploiting it in the wild to install the abandoned plugin 'WP Query Console' and then use an RCE bug in that plugin (CVE-2024-50498) to execute PHP code. The flaw is fixed in Hunk Companion 1.3.12.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks. The ten stories above were selected from the 40 or more we tracked this week as the most significant, ranked by risk and cross-checked against multiple sources where available.