Cyware Daily Threat Intelligence, May 08, 2024

Old bugs die hard! A new report emphasized the persistence and exploitation of legacy vulnerabilities, including the Log4j flaw, over zero-day threats. Log4j remains a top exploit, comprising 30% of outbound and 18% of inbound vulnerability exploitations in Q1 2024. Even where patching is challenging, outdated systems must be replaced. Multiple WordPress websites running outdated LiteSpeed Cache and Email Subscribers plugins were infiltrated by digital adversaries who injected malicious code to create admin users.

A critical vulnerability in PDF.js, a browser and React application tool for rendering PDFs, enabled arbitrary code execution. Additionally, security researchers uncovered active exploitation of security holes in Ivanti Pulse Secure VPNs, facilitating Mirai botnet delivery.

Top Malware Reported in the Last 24 Hours


New CHM malware variant targets Korean users
ASEC reported the discovery of a new variant of CHM malware targeting Korean users. This malware strain disguises itself within seemingly innocuous files and employs multiple scripts to exfiltrate user information and perform keylogging activities. Some notable changes from its previous version included a switch in the operation process and obfuscation methods to evade detection.

RemcosRAT distributed through steganography
In a different report, ASEC uncovered an attack campaign distributing RemcosRAT via steganography. Initially, attackers use a Word document employing template injection to initiate the attack, followed by an RTF file exploiting a vulnerability in the equation editor. The RTF file downloads obfuscated VBScripts, executing PowerShell scripts to decode Base64 data hidden within images. This decoded data ultimately loads RemcosRAT.
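A defender-side check related to the image-based delivery described above, added here as an example and not taken from the ASEC report: it flags PNG or JPEG files that carry extra bytes after the format's end-of-image marker and tests whether that tail decodes as Base64. The report does not say how the data was embedded in the images, so the appended-tail pattern is an assumption; the 1x1 PNG is constructed inside the code.

```python
import base64
import re
import struct
import zlib

def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG so the check can run without a real image file."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one black pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# File signature -> byte sequence that legitimately terminates the image.
END_MARKERS = {
    b"\x89PNG\r\n\x1a\n": b"IEND\xae\x42\x60\x82",   # IEND chunk type plus its fixed CRC
    b"\xff\xd8\xff": b"\xff\xd9",                     # JPEG End-Of-Image marker
}

def trailing_bytes(blob: bytes):
    """Bytes after the last end-of-image marker; b'' if clean, None if not PNG/JPEG."""
    for magic, end in END_MARKERS.items():
        if blob.startswith(magic):
            idx = blob.rfind(end)
            return blob[idx + len(end):] if idx != -1 else b""
    return None

def looks_like_base64(data: bytes, min_len: int = 64) -> bool:
    """True if the bytes (ignoring whitespace) are a decodable Base64 run of min_len+ chars."""
    compact = re.sub(rb"\s+", b"", data)
    if len(compact) < min_len or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except ValueError:
        return False

def classify_image(blob: bytes) -> str:
    """'clean', 'trailing-data', 'trailing-base64' (the loader pattern to triage) or 'unknown'."""
    extra = trailing_bytes(blob)
    if extra is None:
        return "unknown"
    if not extra:
        return "clean"
    return "trailing-base64" if looks_like_base64(extra) else "trailing-data"
```

Run it over the images cached by a suspect document's download path; a "trailing-base64" verdict is a strong triage signal, while "trailing-data" still deserves a look since payloads need not be Base64.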

Google Search ads exploited for malware distribution
Threat actors were observed using Google search ads to spread malware via MSI packages. The operation leads to the deployment of the FakeBat loader. Users are lured by seemingly legitimate ads resembling popular software like Notion, directing them to phishing sites hosting disguised MSIX installers. Executing these installers triggers hidden PowerShell scripts, fetching the zgRAT payload from FakeBat's command and control server.

Top Vulnerabilities Reported in the Last 24 Hours


Chrome bugs pose code execution threat
Google Chrome versions prior to 124.0.6367.155/.156 for Windows and Mac, and prior to 124.0.6367.155 for Linux, were found to contain multiple vulnerabilities. These included a use-after-free flaw in ANGLE (CVE-2024-4558) and a heap buffer overflow in WebAudio (CVE-2024-4559), both posing a risk of arbitrary code execution. Exploitation could lead to unauthorized program installation, data manipulation, or account creation with elevated privileges.

WordPress sites targeted via plugin bugs
Cybercriminals targeted several WordPress sites running outdated LiteSpeed Cache and Email Subscribers plugins to create administrator users and gain control. The entry points were a high-severity cross-site scripting flaw (CVE-2023-40000) in LiteSpeed Cache versions before 5.7.0.1 and a critical SQL injection vulnerability (CVE-2024-2876) affecting Email Subscribers versions 5.7.14 and older. Attackers created rogue admin accounts by injecting malicious JavaScript into critical WordPress files or the database.
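An added example (not from the report or either plugin's project) that checks installed WordPress plugin headers against the affected ranges stated above. Version comparison is zero-padded so that 5.7 is correctly judged older than 5.7.0.1; the sample headers are constructed.

```python
import re
# Affected ranges stated in the report above; keys are the plugin directory slugs.
AFFECTED = {
    "litespeed-cache": ("<", "5.7.0.1", "CVE-2023-40000"),
    "email-subscribers": ("<=", "5.7.14", "CVE-2024-2876"),
}

def parse_version(text: str) -> tuple:
    """'5.7.0.1' -> (5, 7, 0, 1); leading digits of each piece count, a digitless piece ends it."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def compare(a: str, b: str) -> int:
    """-1, 0 or 1; zero-padded so that 5.7 == 5.7.0 and 5.7 < 5.7.0.1."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va, vb = va + (0,) * (n - len(va)), vb + (0,) * (n - len(vb))
    return (va > vb) - (va < vb)

def header_version(plugin_header: str):
    """Pull the Version: field out of a WordPress plugin file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_header, re.MULTILINE)
    return m.group(1) if m else None

def affected_cve(slug: str, version: str):
    """CVE id if this plugin version falls inside the affected range, else None."""
    if slug not in AFFECTED:
        return None
    op, limit, cve = AFFECTED[slug]
    c = compare(version, limit)
    return cve if (op == "<" and c < 0) or (op == "<=" and c <= 0) else None

def audit(plugins: dict) -> dict:
    """slug -> CVE for each entry of a slug->header-text mapping that is affected."""
    findings = {}
    for slug, header in plugins.items():
        version = header_version(header)
        cve = affected_cve(slug, version) if version else None
        if cve:
            findings[slug] = cve
    return findings

# Constructed plugin headers (not real plugin files) used to exercise the check.
SAMPLE = {
    "litespeed-cache": "/*\n * Plugin Name: LiteSpeed Cache\n * Version: 5.7\n */",
    "email-subscribers": "/*\nPlugin Name: Email Subscribers\nVersion: 5.7.15\n*/",
}
```

In practice feed `audit` the main PHP file of each directory under wp-content/plugins; a hit means the site should be upgraded and its administrator list reviewed for accounts nobody created.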

Log4j and other legacy flaws
Cato Networks' Q1 2024 SASE Threat Report revealed that the Log4j vulnerability remains a prevalent exploit, constituting 30% of outbound and 18% of inbound vulnerability exploitations. Additionally, CVE-2017-9841 in PHPUnit was the single most commonly exploited vulnerability, accounting for 33% of all exploits. Insecure protocols such as HTTP, Telnet, and SMBv1 further exacerbate network exposure in the agriculture, real estate, and travel industries.

Critical RCE flaw patched in Veeam
Veeam Service Provider Console versions 7.x and 8.x were found vulnerable to RCE due to unsafe deserialization methods. Although CVE identifiers have not yet been assigned, the company addressed these flaws in its latest release, along with other bug fixes and enhancements. Users are urged to upgrade to the latest versions (VSPC 8.0.0.16877 for version 8.x) to mitigate the risk of exploitation. For version 7.x, a cumulative patch addressing only the RCE issue was provided.

Critical flaw in PDF.js puts millions at risk
A high-severity vulnerability in PDF.js, affecting both Mozilla PDF.js and React-PDF, allowed threat actors to execute arbitrary code through crafted PDF files. This vulnerability impacted multiple browsers and applications, including Mozilla Firefox, Safari, Google Chrome, and Edge. The maintainers have patched the flaws, tracked as CVE-2024-34342 and CVE-2024-4367. Users are urged to update their software to mitigate the risk of exploitation.

Ivanti VPN exploited for Mirai Botnet infection
Juniper Threat Labs spotted active exploitation attempts targeting two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Pulse Secure VPN appliances. Exploiting these flaws, threat actors delivered the Mirai botnet. CVE-2023-46805 permits authentication bypass in Ivanti Connect Secure and Ivanti Policy Secure gateways, while CVE-2024-21887 allows command injection. A detected attack sequence involves wiping files, setting executable permissions, and downloading and executing a script to complete the infection.

Posted on: May 08, 2024


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite