FlagThis

A critical vulnerability, CVE-2024-10470, has been discovered in the WPLMS WordPress theme, putting thousands of LMS-driven websites at risk of Remote Code Execution (RCE) attacks. This vulnerability arises from a path traversal flaw, allowing attackers to read and delete arbitrary files on the server, even without authentication. The vulnerability affects all versions of WPLMS up to 4.962, and attackers could exploit it by sending crafted HTTP POST requests to delete essential files like wp-config.php, potentially leading to complete system compromise. Administrators using the WPLMS theme are advised to take immediate action to secure their WordPress environments. This includes deactivating and removing the WPLMS theme, strengthening access controls, implementing file integrity monitoring, taking regular backups, deploying a Web Application Firewall (WAF), and staying updated with the latest WPLMS patches. These steps are crucial for mitigating the risk of unauthorized access and safeguarding critical site functions.

Cisco’s Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points has been found to contain a critical command injection vulnerability. This vulnerability, tracked as CVE-2024-39123, allows unauthenticated attackers to execute commands with root privileges on affected systems. The flaw stems from insufficient validation within the web-based management interface, making it susceptible to malicious HTTP requests. Successful exploitation of this vulnerability could grant attackers complete control over the targeted device, posing significant risks to networked devices and potentially disrupting critical operations. Cisco has released a software update to address the issue, and users are urged to upgrade immediately to mitigate potential impacts.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent advisories about two critical vulnerabilities: CVE-2024-20481, a denial-of-service (DoS) vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and CVE-2024-37383, a cross-site scripting (XSS) vulnerability in RoundCube Webmail. CVE-2024-20481 allows unauthenticated attackers to crash Cisco ASA/FTD devices with a crafted HTTP request, impacting network availability and security posture. CVE-2024-37383 allows attackers to inject malicious scripts into web pages viewed by RoundCube users, leading to potential data theft or other malicious activities. CISA urges organizations to promptly apply patches for both vulnerabilities and implement mitigation strategies such as input validation, user education, and WAFs to reduce the risk of exploitation.

The recent Cisco data breach, which involved the exposure of API tokens and other sensitive information, highlights the ongoing danger of unsecured APIs. Even breaches in seemingly low-risk, public-facing environments can be exploited by attackers to gain access to sensitive data and launch more sophisticated attacks. Attackers can use exposed source code, hardcoded credentials, and even seemingly harmless data to compromise an organization’s security posture. This underscores the importance of comprehensive API security measures, including strict access controls, robust authentication mechanisms, and thorough security testing, to protect against these threats.

Cisco has released its October 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. This publication addresses multiple vulnerabilities within Cisco’s ASA, FMC, and FTD products, some of which are actively being exploited by attackers. These vulnerabilities, if left unpatched, could allow attackers to gain control of affected systems. CISA strongly encourages users and administrators to review the provided advisory and apply the necessary updates promptly to mitigate the risk of compromise.

Akira ransomware, a prominent threat actor, is continuously evolving its tactics and targeting vulnerable systems, particularly network appliances. Their latest ransomware encryptor targets both Windows and Linux hosts. Akira affiliates have been exploiting vulnerabilities in SonicWall SonicOS, Cisco ASA/FTD, and FortiClientEMS for initial access, followed by credential harvesting, privilege escalation, and lateral movement. The group’s recent shift back to encryption methods, coupled with data theft extortion, emphasizes their focus on stability and efficiency in affiliate operations.

Multiple Chinese Advanced Persistent Threat (APT) groups, including Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant, are engaging in sophisticated cyber espionage and disruptive campaigns. These groups employ various techniques, including “living off the land” (LOTL) methods, to compromise critical infrastructure, ISPs, and IoT devices. Volt Typhoon’s focus is on U.S. communication infrastructure, often leveraging compromised Fortinet devices for data exfiltration. Salt Typhoon targets U.S. Internet Service Providers (ISPs), seeking to compromise routers and network devices for data collection. Flax Typhoon utilizes compromised IoT devices to build botnets for command and control purposes, aiming at entities in Taiwan and expanding globally. Velvet Ant, a lesser-known group, targets software supply chains, aiming to indirectly infiltrate larger networks. These groups pose a serious threat to critical infrastructure and national security, requiring vigilant defense strategies to combat their stealthy operations.

A new phishing campaign discovered by Cisco Talos utilizes the open-source Gophish toolkit to distribute malware. This campaign leverages modular infection chains, either Maldoc or HTML-based, that require user interaction to activate. This attack delivers a previously undocumented PowerShell RAT, dubbed PowerRAT, along with the infamous Remote Access Tool (RAT) DCRAT. This indicates the threat actors are actively developing their tools and targeting Russian-speaking users. The attack uses malicious Microsoft Word documents and HTML files containing malicious JavaScript as initial infection vectors. These vectors lead to the download and activation of either PowerRAT or DCRAT based on the initial vector, with the attacker-controlled hosting domains disk-yanbex[.]ru and e-connection[.]ru delivering the payloads. The campaign is highly concerning due to its use of a readily available toolkit and the potential for further development and refinement of the PowerRAT malware. It highlights the importance of maintaining strong cybersecurity practices to protect against phishing attacks and the need for vigilance against emerging threats.

APT41, a sophisticated threat actor, has been observed targeting the gambling industry with custom tools and achieving prolonged persistence, spanning nine months. Their tactics involve phantom DLL hijacking and WMIC JavaScript loading, allowing for stealthy operations and extended presence within victim networks. This activity highlights the growing interest of advanced threat actors in the gambling sector, demanding enhanced security measures to counter such persistent threats.

A Russian-speaking threat actor, tracked as UAT-5647 (also known as RomCom), has been observed targeting Ukrainian government entities and potentially Polish entities. The group has been utilizing a range of malware variants, including SingleCamper, RustyClaw, MeltingClaw, DustyHammock, and ShadyHammock, to establish long-term access, exfiltrate data, and potentially deploy ransomware. The malware variants demonstrate the group’s sophistication and diversity in their tooling and infrastructure. The targeting of edge devices within compromised networks suggests an escalation of the threat actor’s activity, potentially seeking to evade detection and gain even more control over the victim’s environment. Organizations in Ukraine and Poland should be particularly vigilant against this threat actor and implement robust security measures to protect their systems and data.

Cisco experienced a significant data breach, allegedly perpetrated by the IntelBroker hacking group. The breach, which occurred on Thursday, exposed sensitive information of Cisco’s customers, including Microsoft, Barclays, and SAP developer data. The stolen data, which is being sold on the dark web, includes confidential information and potentially compromise systems and accounts. This incident highlights the growing threat of data breaches and the importance of robust security measures for organizations, especially those handling sensitive information.