Weekly Cybersecurity Digest: Top 5 News Stories in the Digital Sphere

1. Critical WordPress Vulnerabilities Put Millions of Sites at Risk

A critical authentication bypass vulnerability (CVE-2024-10924, CVSS 9.8) in the "Really Simple Security" WordPress plugin has exposed over 4 million websites to potential exploitation. Attackers can remotely gain administrative access, particularly when two-factor authentication is enabled. A patch (version 9.1.2) was released on November 13, 2024, with WordPress enforcing auto-updates. Another flaw in the WPLMS WordPress theme (CVE-2024-10470) allows unauthenticated attackers to delete files, potentially enabling site takeovers.

Key Details:

• Plugins/Themes Affected: Really Simple Security (versions 9.0.0–9.1.1.1).WPLMS theme (versions below 4.963).
• Risks: Administrative access via insecure two-factor authentication implementation. Arbitrary file deletion, including wp-config. php, enabling site hijacking.
• Recommendations: Update plugins and themes to patched versions. Enable WordPress auto-updates. Use robust two-factor authentication mechanisms. Regularly back up site data and implement firewalls.

2. Warning: DEEPDATA Malware Exploits Unpatched Fortinet Flaw

The DEEPDATA malware, linked to the BrazenBamboo threat actor and China-associated APT41, is exploiting an unresolved vulnerability in Fortinet's FortiClient for Windows to steal VPN credentials. The flaw, reported to Fortinet in July 2024, remains unpatched, allowing the malware to extract credentials directly from memory using a malicious plugin. DEEPDATA, along with related tools like DEEPPOST and LightSpy, exhibits sophisticated cyber espionage capabilities, targeting communication platforms, sensitive data, and system credentials across multiple devices and operating systems.

Key Details:

• Threat Actor: Brazen Bamboo, associated with Chinese cyber-espionage.
• Malware Capabilities: DEEPDATA extracts application passwords, browser info, and VPN credentials. Light Spy spyware targets macOS, iOS, and Windows with functionalities like webcam recording, keystroke logging, and file exfiltration. DEEPPOST exfiltrates files to remote endpoints.
• Unpatched Flaw: FortiClient vulnerability reported in July 2024 remains unresolved. Malware uses a DLL plugin to extract VPN credentials from memory.

Implications:

• Increased risk of data breaches, system hijacking, and government espionage.
• Malware tools like DEEPDATA and Light Spy showcase sophisticated development likely supported by state-sponsored operations.

Recommendations:

• For Organizations: Restrict or monitor the use of FortiClient until a patch is available. Enhance endpoint monitoring and network defenses against suspicious activity.
• For Vendors: Expedite patch development for known vulnerabilities.
• For Users: Avoid using unpatched software. Employ robust multi-factor authentication (MFA) and endpoint security solutions.

3. High-Severity Vulnerability in PostgreSQL Could Allow Code Execution

A high-severity flaw (CVE-2024-10979, CVSS 8.8) has been identified in PostgreSQL, an open-source database system, allowing unprivileged users to exploit environment variables. This vulnerability could lead to arbitrary code execution or information disclosure by altering sensitive process variables like PATH. The issue has been patched in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.

Key Details:

• Vulnerability :Incorrect control of environment variables in PostgreSQL’s PL/Perl extension. Allows attackers to modify variables dynamically, potentially leading to: Arbitrary code execution. Extraction of sensitive system information.
• Discovery and Patch: Discovered by Varonis researchers Tal Peleg and Coby Abrams. Fixed in updated PostgreSQL versions as of November 2024.
• Risk Level: High severity with potential for significant exploitation, especially in unpatched systems.

Recommendations:

• Update Immediately: Upgrade to the latest PostgreSQL versions (17.1, 16.5, 15.9, 14.14, 13.17, or 12.21).
• Restrict Permissions: Limit CREATE EXTENSIONS permissions to necessary extensions. Use the principle of least privilege to restrict CREATE FUNCTION permissions. Configure shared preload libraries to load only required extensions.
• Monitor and Mitigate: Audit database permissions and environment variable configurations. Implement strict role-based access controls.

4. Researchers Uncover Privilege Escalation Risks in Google’s Vertex AI Platform

Security researchers have identified two vulnerabilities in Google’s Vertex AI platform that could enable privilege escalation and exfiltration of sensitive machine learning (ML) models. These flaws, tied to Vertex AI Pipelines and poisoned model deployments, pose significant risks to cloud-hosted ML environments. Both vulnerabilities have been addressed by Google following responsible disclosure.

Key Details:

• Platform: Google Vertex AI, used for large-scale ML model training and deployment.
• Vulnerabilities:

Privilege Escalation via Vertex AI Pipelines: Exploited by running a custom job with a crafted image to launch a reverse shell. Enabled unauthorized access to project data services, storage buckets, and Big Query tables.

Exfiltration via Poisoned Models: Malicious models deployed in tenant projects could extract Kubernetes credentials. Leveraged read-only permissions of the “custom-online-prediction” service account for lateral movement and data exfiltration.

• Impact: Threat actors could exfiltrate proprietary ML models and fine-tuned LLMs. Poisoned models could compromise an entire AI environment.

Recommendations:

• For Organizations: Enforce strict model deployment controls and verify the source of all deployed models. Audit and limit permissions for service accounts in tenant projects.
• For Developers: Avoid deploying unverified or public repository models directly to production systems. Monitor MLOps workflows and pipelines for unauthorized activities.

5. Experts Uncover 70,000 Hijacked Domains in Widespread 'Sitting Ducks' Attack Scheme

Multiple threat actors have been exploiting a technique known as Sitting Ducks to hijack legitimate domains for use in phishing attacks and investment fraud schemes. Recent findings from Infoblox reveal that nearly 800,000 vulnerable registered domains were identified over the past three months, with approximately9% (70,000)already hijacked.

Overview of the Sitting Ducks Attack

The Sitting Ducks attack vector allows cybercriminals to gain control of a domain by manipulating its Domain Name System (DNS)settings. This typically involves scenarios where the DNS points to an incorrect authoritative name server. Although the technique was first documented by security researcher Matthew Bryant in 2016, it gained significant attention only recently due to the scale of the hijacks disclosed earlier this year.

Key Characteristics

• Ease of Execution: The attack is relatively simple for attackers to carry out but difficult for victims to detect.
• Stealthy Operations: Hijacked domains often maintain a positive reputation, making them less likely to be flagged by security tools.

Impact on Victims

The hijacked domains include those belonging to well-known brands, non-profits, and government entities. The threat actors leverage the established reputation of these domains to conduct various malicious activities without raising alarms.

Notable Threat Actors

Several groups have been identified utilizing the Sitting Ducks technique:

• Vacant Viper: Engages in spam operations and malware distribution.
• Horrid Hawk: Conducts investment fraud schemes via short-lived ads.
• Hasty Hawk: Executes phishing campaigns mimicking reputable services.
• Vex Trio Viper: Operates a traffic distribution system (TDS) using hijacked domains.

Recommendations for Mitigation

To combat the threat posed by Sitting Ducks attacks, organizations are advised to:

• Enforce strict controls on model deployments and verify the source of all deployed models.
• Audit and limit permissions for service accounts within tenant projects.
• Monitor MLOps workflows and pipelines for unauthorized activities.

Stay ahead of the curve!🚀 Follow us on LinkedIn and Subscribe to our newsletter 📩 for the latest cyber security updates, insightful articles, and exclusive content to help you navigate the ever-changing threat landscape. Don't forget to check out our Website 🌐 to make your cyberspace safe and secure 🔒, and join our growing community on Instagram 📸 for bite-sized cyber security tips and trends. 💻 🔍