Posts - Intrucept

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM	WordPress
Severity	Critical
Date of Announcement	2024-12-13
CVSS score	9.8
CVE	CVE-2024-11972
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Hunk Companion Plugin Vulnerability	CVE-2024-11972	Hunk Companion Plugin for WordPress	Critical	9.8

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-11972	Hunk Companion plugin versions prior to 1.8.4	This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.	This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

“Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

Regularly inspect your WordPress site for unknown plugins or modifications.
Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM	Microsoft
Severity	Critical
Date of Announcement	2024-12-12
CVE	Not yet assigned
Exploited in Wild	No
Patch/Remediation Available	Yes (No official patch)
Advisory Version	1.0
Vulnerability Name	NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name	CVE ID	Product Affected	Severity
NTLM zero-day	Not Yet Assigned	Microsoft Windows	Critical

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
Not Yet Assigned	Windows 7 to 11 (24H2), Server 2008 R2 to 2022	A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.	Enables attackers to steal NTLM credentials and gain unauthorized access of the affected systems.

Remediations

Apply the 0patch Micropatch:
- Register for a free account at 0patch Central.
- Install the 0patch agent to automatically receive the micropatch.
Disable NTLM Authentication:
- Navigate to Security Settings > Local Policies > Security Options in Group Policy.
- Configure “Network security: Restrict NTLM” policies to limit NTLM usage.

General Recommendations

Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
Monitor systems for suspicious NTLM-related activity.

References

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM	Microsoft
Severity	High
Date of Announcement	2024-12-12
NO. of Vulnerabilities Patched	71
Actively Exploited	01
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

30 Remote Code Execution (RCE) Vulnerabilities
27 Elevation of Privilege (EoP) Vulnerabilities
7 Information Disclosure Vulnerabilities
4 Denial of Service (DoS) Vulnerabilities
1Defense-in-depth improvement
1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Impact	CVSS Score
Unauthenticated Remote Code Execution in Windows LDAP	CVE-2024-49112	Windows	Critical	9.8
Remote Code Execution in Windows Hyper-V	CVE-2024-49117	Windows	High	8.8
Remote Code Execution via Use-After-Free in Remote Desktop Services	CVE-2024-49132	Windows	High	8.1
Windows Common Log File System Driver Elevation of Privilege Vulnerability	CVE-2024-49138	Windows	High	7.8

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-49112	Microsoft Windows Lightweight Directory Access Protocol (LDAP)	This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.	Remote Code Execution
CVE-2024-49117	Microsoft Windows Hyper-V	This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.	Remote Code Execution
CVE-2024-49132	Microsoft Windows Remote Desktop Services	An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.	Allows an attacker to execute remote code on systems using Remote Desktop Gateway
CVE-2024-49138	Windows Common Log File System Driver	This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.	It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

Ensure all December 2024 Patch Tuesday updates are applied promptly.
Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

Blue Yonder SaaS giant breached by Termite Ransomware Gang

The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack.

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

Typosquatting: Using package names that closely resemble popular or legitimate libraries.
Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
Targeted Ecosystems: npm and PyPI, critical platforms for developers.

Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

larpexodus (PyPI): Executes a PowerShell script to download malware.
Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

Avoid downloading software from unofficial or unverified sources.
Regularly update packages and dependencies to the latest versions.
Conduct periodic security awareness training for developers and IT teams.

References:

https://securitylabs.datadoghq.com/articles/mut-8964-an-npm-and-pypi-malicious-campaign-targeting-windows-users/

RCE and File Deletion Vulnerabilities in Veeam Service Provider Console

Summary

OEM	Veeam
Severity	Critical
Date of Announcement	2024-12-05
CVSS Score	9.9
CVE	CVE-2024-42448, CVE-2024-42449
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

Two critical vulnerabilities in the Veeam Service Provider Console (VSPC) enable attackers to perform unauthenticated remote code execution (RCE) and arbitrary file deletion. These flaws present severe threats to the infrastructure of managed service providers that depend on VSPC for their operations.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Veeam Service Provider Console RCE	CVE-2024-42448	Veeam Service Provider Console	Critical	9.9
NTLM Hash Leak and Arbitrary File Deletion on Server	CVE-2024-42449	Veeam Service Provider Console	High	7.1

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-42448	VSPC v8.1.0.21377 and all earlier versions.	This critical remote code execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam Service Provider Console server. It exploits a flaw in the server's handling of input, enabling attackers to compromise the entire system.	Allows attackers to execute arbitrary code on the server remotely.
CVE-2024-42449	VSPC v8.1.0.21377 and all earlier versions.	This vulnerability allows attackers, via an authorized VSPC management agent, to leak the NTLM hash of the VSPC server service account and delete arbitrary files on the server. Exploitation requires valid credentials for an agent authorized by the VSPC server.	Permits authorized management agents to delete arbitrary files from the VSPC server.

Remediations

Update Veeam Service Provider Console to version 8.1.0.21999 or later version, which addresses this vulnerability.
Limit network exposure of VSPC and allow access only to trusted management agents.

General Recommendations

Monitor VSPC logs to detect suspicious activities and respond promptly.
Use strong, unique passwords for service accounts and enable multi-factor authentication (MFA) where possible.

References

Godot Hijacked with Malware to infect Thousands of PC’s

Godot is a platform that host open source game development, where new Malware loader installed in its programming language

At least 17,000 devices were infected with infostealers and cryptojackers so far.

As per researchers cyber criminals have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts.

Earlier hackers targeted the open sources gaming platform targeting users of the Godot Gaming Engine and researcher’s spotted that GodLoader would drop different malware to the infected devices mostly in RedLine stealer, and XMRig, a popular cryptojacker.

GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.

Check Point argues that in theory, crooks could hide malware in cheats, cracks, or modes, for different Godot-built games. Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, enticing them to download infected tools and games.

Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.

Hackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.

Technical Details

Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime.

There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux

Researchers have uncovered the first UEFI bootkit designed specifically for Linux systems, named Bootkitty.

Tailored Security Solutions for Maritime Operations by Intrucept 

Tailored Security Solutions from Maritime Operations by Intrucept 

Security Update for NVIDIA Base Command & Bright Cluster Managers

NVIDIA has issued a security advisory addressing a critical vulnerability (CVE-2024-0138) discovered in its Base Command Manager software. This flaw, located within the CMDaemon component, poses significant risks, including the potential for remote code execution, denial of service, privilege escalation, information disclosure, and data tampering.

What does the Vulnerability mean

The source of the vulnerability was from insecure temporary file handling, which could lead to a denial of service (DoS) condition on affected systems.

NVIDIA has released patches to address the issue and prevent potential exploitation. This critical flaw can be exploited remotely without any prerequisites, such as user interaction or special privileges, making it highly dangerous.

Vulnerability Name	CVE ID	Product Affected	Impact	Fixed Version
Insecure Temporary File Vulnerability	CVE-2024-0139	NVIDIA Base Command Manager, Bright Cluster Manager	Medium	Base Command Manager: 10.24.09a; Bright Cluster Manager: 9.0-22, 9.1-19, 9.2-17

Technical Summary

NVIDIA confirmed earlier versions, including 10.24.07 and earlier, are not impacted by this vulnerability.

To mitigate the issue, NVIDIA recommends updating the CMDaemon component on all head nodes and software images.

Remediation:

1. Base Command Manager

Update to version 10.24.09a to address the vulnerability.

2. Bright Cluster Manager

Depending on your version, update to one of the following:

9.0-22

9.1-19

9.2-17

3. CMdaemon Update

Ensure the most recent version of CMdaemon is installed on the head nodes and in all software images.

4. Node Update .

After applying the update, systems should be rebooted or resynchronized with the updated software image to ensure the fix is fully implemented. These measures are essential to eliminate the root cause that created vulnerability and protect systems from potential exploitation.

References:

For additional details on the vulnerability and patch instructions, visit NVIDIA’s security bulletin.

CVE ID	System Affected	Platform	Vulnerability Details	Impact
CVE-2024-0139	NVIDIA Base Command Manager (Versions 3, 10) NVIDIA Bright Cluster Manager (Versions 9.0-9.2)	Linux	The vulnerability stems from insecure handling of temporary files in both Base Command Manager and Bright Cluster Manager. Exploiting this flaw could disrupt system availability, potentially causing a denial of service.	Potential denial of service on affected systems.