Beyond Information Security

LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.

The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.

“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis.

LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It’s installed on over six million sites.

The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8).

Source: The Hacker News / BleepingComputer / Infosecurity Magazine

Link: https://thehackernews.com/2024/10/litespeed-cache-plugin-vulnerability.html

Link: https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-plugin-bug-lets-hackers-get-admin-access/

Link: https://www.infosecurity-magazine.com/news/litespeed-cache-plugin-flaw-admin/


Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.

The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored them in an Amazon S3 storage bucket belonging to a prior victim. The bucket, holding no fewer than 15,000 stolen credentials, has since been taken down by Amazon.

“The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services,” Sysdig said in a report. “Phishing and spam seem to be the primary goal of stealing the credentials.”
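Two checks a defender can run against the pattern described above, as an added example that is not part of the original report or Sysdig's tooling: parse a `.git/config` for remotes whose URL embeds a username and secret, and flag web-server requests that reach into a served `.git/` directory. The config, log lines, host names and token are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed .git/config: the "origin" remote embeds a token in its URL,
# the kind of secret harvested from exposed repositories.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
\turl = https://deploybot:EXAMPLE_TOKEN@github.com/acme/app.git
[remote "mirror"]
\turl = git@gitlab.example.com:acme/app.git
"""

# Constructed access-log lines: one normal request, one .git/config probe.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Nov/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 231',
]

def remote_urls(config_text):
    """Map remote name -> url, parsed from [remote "..."] sections."""
    urls, current = {}, None
    for line in config_text.splitlines():
        head = re.match(r'\s*\[remote "([^"]+)"\]', line)
        if head:
            current = head.group(1)
        elif line.lstrip().startswith("["):
            current = None          # some other section, e.g. [core]
        elif current:
            kv = re.match(r'\s*url\s*=\s*(\S+)', line)
            if kv:
                urls[current] = kv.group(1)
    return urls

def embedded_credentials(config_text):
    """Remotes whose HTTP(S) URL carries user:secret@ userinfo (secret is not returned)."""
    hits = []
    for name, url in remote_urls(config_text).items():
        p = urlsplit(url)
        if p.scheme in ("http", "https") and p.password:
            hits.append((name, p.username, p.hostname))
    return hits

GIT_PROBE = re.compile(r'"(?:GET|HEAD|POST) (\S*/\.git/\S*) HTTP/[\d.]+" (\d{3})')

def git_probes(log_lines):
    """(client_ip, path, status) for requests into a .git/ directory;
    a 200 means repository metadata is actually being served."""
    hits = []
    for line in log_lines:
        m = GIT_PROBE.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1), int(m.group(2))))
    return hits
```

A 200 on `/.git/config` is the finding to act on: block the path at the web server and rotate any credentials the file or the repository history contains.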

Source: The Hacker News / Infosecurity Magazine

Link: https://thehackernews.com/2024/11/massive-git-config-breach-exposes-15000.html

Link: https://www.infosecurity-magazine.com/news/emeraldwhale-targets-misconfigured/


LottieFiles Issues Warning About Compromised “lottie-player” npm Package

LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library.

“On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company said in a statement on X. “This does not impact our dotlottie player and/or SaaS service.”

LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It’s also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites. According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
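The weak and corrected embedding patterns side by side, as an added example that is not LottieFiles' code: a checker that flags external `<script>` tags with a floating version or no Subresource Integrity hash, plus the helper that computes the `integrity` token for an asset you have reviewed. The `cdn.example` host, the `1.2.3` version and the `sha384-PLACEHOLDER` token are constructed placeholders, not real releases or hashes.

```python
import base64
import hashlib
import re

# Constructed page: the first tag floats on "latest" with no integrity hash
# (the pattern that served the tampered release); the second is pinned to a
# placeholder version (1.2.3 is not a real release) and carries SRI.
SAMPLE_HTML = """
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PINNED = re.compile(r"@\d+\.\d+\.\d+(?:[-+][\w.]+)?/")   # exact semver after the package name

def audit_script_tags(html):
    """Return (src, problems) for every external <script>; empty problems = acceptable."""
    report = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        src = attrs.get("src")
        if not src or not src.startswith(("http://", "https://", "//")):
            continue                                    # inline or same-origin script
        problems = []
        if "@latest" in src or not PINNED.search(src):
            problems.append("unpinned version")
        if not attrs.get("integrity", "").startswith(("sha256-", "sha384-", "sha512-")):
            problems.append("missing integrity")
        if "crossorigin" not in attrs:
            problems.append("missing crossorigin")
        report.append((src, problems))
    return report

def sri_value(content, algo="sha384"):
    """Compute the Subresource Integrity token for the bytes of a reviewed asset."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"
```

With a pinned version and a matching `integrity` value, a browser refuses to execute a replaced file even if the CDN later serves different bytes under the same URL.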

Source: The Hacker News / BleepingComputer / Help Net Security

Link: https://thehackernews.com/2024/10/lottiefiles-issues-warning-about.html

Link: https://www.bleepingcomputer.com/news/security/lottiefiles-hacked-in-supply-chain-attack-to-steal-users-crypto/

Link: https://www.helpnetsecurity.com/2024/10/31/lottie-player-compromise/


Synology hurries out patches for zero-days exploited at Pwn2Own

Synology, a Taiwanese network-attached storage (NAS) appliance maker, has within days patched two critical zero-days exploited during last week’s Pwn2Own hacking competition.

Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software.

As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/


QNAP patches second zero-day exploited at Pwn2Own to get root

QNAP has released security patches for a second zero-day bug exploited by security researchers during last week’s Pwn2Own hacking contest.

This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP’s SMB Service and is now fixed in versions 4.15.002 and later and h4.15.002 and later.

The zero-day flaw was patched one week after allowing YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS device at Pwn2Own Ireland 2024.

On Tuesday, the company fixed another zero-day in its HBS 3 Hybrid Backup Sync disaster recovery and data backup solution, exploited by Viettel Cyber Security’s team at Pwn2Own to execute arbitrary commands and hack a TS-464 NAS device.

Team Viettel won Pwn2Own Ireland 2024 after four days of competition, during which more than $1 million in prizes were awarded to hackers who demonstrated over 70 unique zero-day vulnerabilities.

Source: BleepingComputer / QNAP security advisory

Link: https://www.bleepingcomputer.com/news/security/qnap-patches-second-zero-day-exploited-at-pwn2own-to-get-root/

Link: https://www.qnap.com/en/security-advisory/qsa-24-41


A Sherlock Holmes Approach to Cybersecurity: Eliminate the Impossible with Exposure Validation

Sherlock Holmes is famous for his incredible ability to sort through mounds of information; he removes the irrelevant and exposes the hidden truth. His philosophy is plain yet brilliant: “When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” Rather than following every lead, Holmes focuses on the details that are needed to move him to the solution.

In cybersecurity, exposure validation mirrors Holmes’ approach: Security teams are usually presented with an overwhelming list of vulnerabilities, yet not every vulnerability presents a real threat. Just as Holmes discards irrelevant clues, security teams must eliminate exposures that are unlikely to be exploited or do not pose significant risks.

Exposure validation (sometimes called Adversarial Exposure Validation) enables teams to concentrate on the most significant issues and minimize distractions. Similar to Holmes’ deductive reasoning, validation of exposures directs organizations toward vulnerabilities that, if unaddressed, have the potential to result in a security breach.

Source: The Hacker News

Link: https://thehackernews.com/2024/10/a-sherlock-holmes-approach-to.html


Understanding the Black Basta Ransomware Service

To bring this back to the present and apply it to cybersecurity, a recent severe and ever-present threat to many companies is ransomware. While it’s not necessarily life-threatening (though it can come close when healthcare facilities are held ransom), it’s also not just a specter or apparition that is part of a kid’s tale.

Some years ago, when cyber insurance was taking hold, having an incident response (IR) plan was one of the primary requirements. The insurance industry has added many more requirements since, as it learned the hard way what its policies actually entail, but that IR requirement has become much more prevalent across the board in various regulations and contracts.

The main concern was ransomware. It still is. There are plenty of threats, and there’s no way to truly prioritize the threats out there – each industry and organization has its unique challenges. But ransomware is at the top.

In this article, I want to point out one of the many ransomware groups and provide the requisite actions to protect from ransomware.

Source: Secjuice

Link: https://www.secjuice.com/black-basta-ransomware/


Talos IR trends Q3 2024: Identity-based operations loom large

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease with which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users’ identities.

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account, making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/incident-response-trends-q3-2024/