What Happened Over the Week? | CVEs Special
Hello, hello cyber-securiters. This is a special edition for CVEs. You need lots of updates this week, and a LinkedIn post is not enough for these CVEs.
Here is a catch-up for you. Let's start.
1) CVE-2024-6345: Security Flaw in Setuptools Exposes Python Projects to RCE
A severe security vulnerability has been identified in Setuptools, a widely-used library for packaging, distributing, and installing Python projects.
This flaw, designated CVE-2024-6345 with a CVSS score of 8.8, exposes systems to remote code execution (RCE) due to vulnerabilities in the package_index module.
2) New BugSleep Malware Implant Deployed in MuddyWater Attacks
The Iranian-backed MuddyWater hacking group has introduced a new malware implant named BugSleep, which is currently under active development and is used to steal files and execute commands on compromised systems.
This discovery was made by Check Point Research analysts, who found the malware being distributed through sophisticated phishing campaigns. These phishing emails, disguised as webinars or online course invitations, lead targets to download malicious payloads from the Egnyte secure file-sharing platform.
BugSleep is distributed with a custom malware loader designed to inject the backdoor into active processes of various applications, including Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.
3) CVE-2024-36401 (CVSS 9.8): Critical GeoServer Flaw Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a severe vulnerability in OSGeo GeoServer (via its GeoTools library), identified as CVE-2024-36401.
This critical flaw, which has a CVSS severity rating of 9.8, is currently being exploited by attackers. It allows unauthenticated attackers to execute arbitrary code remotely on affected systems, posing a significant risk to any organization using GeoServer to manage geospatial data.
4) ServiceNow Security Alert: Major Flaws Expose Businesses to RCE and Data Breaches
ServiceNow, a widely used platform for business transformation, has recently disclosed three critical security vulnerabilities that could have severe consequences for organizations worldwide.
Identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, these vulnerabilities affect several releases of the Now Platform, including Washington D.C., Vancouver, and Utah.
5) CVE-2024-39202: D-Link DIR-823X Router Vulnerability
A critical security vulnerability, identified as CVE-2024-39202, has been discovered in the D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router, potentially exposing users to remote command execution attacks.
This vulnerability affects DIR-823X Hardware Revision Ax (Non-US) and specifically Firmware version 240126.
6) CVE-2024-39929: Critical Vulnerability Found in Exim Mail Server
A critical security vulnerability has been identified in the Exim mail transfer tool. This flaw could allow threat actors to send malicious attachments to targeted users' mailboxes.
Known as CVE-2024-39929, this security vulnerability has a CVSS score of 9.1 out of 10.
7) Critical Vulnerabilities in Pepperl+Fuchs Industrial Devices
A security advisory has been issued regarding critical vulnerabilities in several Pepperl+Fuchs products. Identified as CVE-2024-6422 and CVE-2024-6421, these vulnerabilities pose significant risks, including information disclosure, denial of service, and device manipulation.
The affected devices are widely used in industrial settings, underscoring the need for immediate attention and action.
8) APT41 Enhances Malware Arsenal with DodgeBox and MoonWalk
The China-linked advanced persistent threat (APT) group APT41 has been identified using an upgraded version of the StealthVector malware, now known as DodgeBox.
This advanced loader facilitates the delivery of a new backdoor named MoonWalk. MoonWalk utilizes Google Drive for command-and-control (C2) communication and shares several evasion techniques with DodgeBox.
APT41 Aliases: Axiom, Blackfly, Brass Typhoon, Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, Winnti
9) Poco RAT Phishing Campaign Targets Spanish-Speaking Sectors
Since February 2024, a targeted email phishing campaign has been delivering a new remote access trojan (RAT) called Poco RAT to Spanish-speaking victims, primarily in the mining, manufacturing, hospitality, and utilities sectors.
Do you want to learn more about the most attacked countries, sectors, etc.? Our Ransomware Trends Report | Q2 2024 is released.
10) Critical Webmin Vulnerabilities Expose Systems to Session Hijacking
The web-based system administration tools Webmin and Usermin contain multiple security vulnerabilities, according to Japan's CERT. These vulnerabilities can allow attackers to execute arbitrary scripts, hijack console sessions, and perform unauthorized operations.
The most critical flaw, CVE-2024-36451, has a CVSS score of 8.8 and allows a user with insufficient permissions or privileges to hijack console sessions.
11) CVE-2024-38112: Long-Standing Windows MSHTML Zero-Day Exploited in Malware Campaigns
Microsoft fixed a zero-day vulnerability in Windows that was actively exploited to run malicious scripts by bypassing built-in security features. This high-severity MHTML spoofing issue, tracked as CVE-2024-38112, was addressed in the July 2024 Patch Tuesday security updates.
Attackers discovered they could force Internet Explorer to open a specified URL using the mhtml: URI handler. MHTML is a technology that bundles an entire webpage, including images, into one archive.
This method causes Windows to open the URL in Internet Explorer instead of the default browser.
12) CVE-2024-6385: GitLab Patches Critical Pipeline Jobs Flaw
GitLab has released another round of updates to close vulnerabilities in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.
The vulnerability, tracked as CVE-2024-6385, carries a CVSS score of 9.6 out of a maximum of 10.
13) Palo Alto Networks' Expedition Hit by Critical Security Vulnerability
Palo Alto Networks, a leading cybersecurity firm, has released a critical security advisory detailing multiple vulnerabilities across its product lines, including PAN-OS, Cortex XDR, and Expedition.
These flaws vary in severity and impact, but all pose significant risks to organizations relying on Palo Alto’s solutions.
Vulnerabilities CVEs:
14) CVE-2024-22280: VMware Patches Critical SQL-Injection Flaw in Aria Automation
VMware has released patches for a high-risk SQL-injection vulnerability in its Aria Automation product, warning that authenticated malicious users could exploit the flaw to manipulate databases.
The vulnerability has a CVSS severity score of 8.5/10, categorized as "high-severity."
15) CVE-2024-6235 & CVE-2024-6236: Citrix Issues Critical Security Advisory for NetScaler
Cloud Software Group, responsible for Citrix products, has issued a critical security advisory concerning vulnerabilities discovered in their widely-used NetScaler products. These vulnerabilities pose significant risks to users and require immediate attention.
16) Critical Vulnerability CVE-2024-39696 Threatens Evmos Network Funds
The Evmos project, the first decentralized Ethereum Virtual Machine (EVM) chain on the Cosmos Network, has issued a critical security advisory regarding a severe vulnerability in its codebase. Identified as CVE-2024-39696, this flaw poses a significant risk to the security of funds across the Evmos blockchain.
17) CVE-2023-46685: Critical Vulnerability Exposes LevelOne Routers to Complete Takeover
A recently discovered, severe security vulnerability (CVE-2023-46685) is putting thousands of LevelOne WBR-6013 routers at risk of complete takeover. A hidden hard-coded password found within the router’s telnet service creates a backdoor that could grant attackers unlimited access.
18) CVE-2024-29510: Remote Code Execution Vulnerability in Ghostscript Library Exploited in Attacks
A remote code execution (RCE) vulnerability in the Ghostscript document conversion tool, widely used on Linux systems, is currently being exploited in attacks. Ghostscript, which comes pre-installed on many Linux distributions, is used in various document conversion software such as ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system.