Daily Brief

2024-08-22 05:05:43 thehackernews CYBERCRIME Critical Vulnerability in WordPress Plugin Risks Admin Takeover
A severe security flaw was uncovered in the LiteSpeed Cache plugin for WordPress, threatening over five million sites. The bug allows unauthenticated users to gain administrative privileges through an easily guessable security hash. Identified as CVE-2024-28000 with a critical CVSS score of 9.8, this issue affects versions up to 6.3.0.1. Attackers can spoof their user ID to register as an administrator, gaining full site control and the ability to install malicious plugins. The vulnerability stems from a non-cryptographically secure random number generator used in the plugin's user simulation feature. The flaw was patched in plugin version 6.4, released on August 13, 2024, and urgent updates are advised for all users. The exploit is ineffective on Windows-based WordPress installations due to platform-specific limitations. The flaw underscores the need for robust security practices, especially considering recent exploitation of similar vulnerabilities.
2024-08-22 04:50:17 thehackernews CYBERCRIME GitHub Fixes Critical Flaw in Enterprise Server Offering Admin Access
GitHub addressed three security vulnerabilities in its Enterprise Server, one of them critical with a CVSS score of 9.5. The critical bug, identified as CVE-2024-6800, allowed attackers to gain administrator privileges via SAML response forgery. Affected GitHub Enterprise Server instances were those using SAML SSO with certain IdPs that publicly expose signed federation metadata XML. Patches were released for GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16, covering this and two medium-severity issues. Additionally, GitHub had previously rectified another critical security flaw in May, which had a CVSS score of 10.0. Organizations using vulnerable versions of the self-hosted GHES are strongly encouraged to update to the latest version to mitigate security risks.
2024-08-22 04:34:47 thehackernews MALWARE New Malware PG_MEM Exploits PostgreSQL for Cryptomining
Cybersecurity experts have identified a new malware, PG_MEM, targeting PostgreSQL databases to mine cryptocurrency. PG_MEM infiltrates systems through brute-force attacks on databases with weak passwords, gaining unauthorized access. Once inside, attackers use the PostgreSQL command COPY FROM PROGRAM for executing shell commands and deploying payloads. The malware avoids detection and competition by terminating other malicious processes and establishes persistence on the infected host. Key payloads deposited include PG_MEM and PG_CORE; these facilitate the mining of Monero, a popular cryptocurrency. Attackers not only use the malware for mining but can also execute commands, access server data, and control the server. The campaign primarily exploits poorly configured internet-facing PostgreSQL databases with inadequate password protections.
2024-08-22 02:37:45 theregister CYBERCRIME Combatting Bot Attacks with AI-Driven Security Solutions
Automated bot attacks are escalating with cybercriminals using AI tools for sophisticated operations like credential stuffing. These bot attacks drain company resources, increase operational costs, and necessitate investment in advanced security measures. In hybrid infrastructures, bots exploit vulnerabilities across different environments (on-premise, cloud, edge), making comprehensive security challenging. AI-powered telemetry provides real-time visibility and a holistic approach to security, covering all parts of a hybrid infrastructure. Telemetry data, analyzed by AI and ML models, identifies patterns and anomalies indicating potential bot attacks, improving detection over time. Full visibility into all system components is crucial for quick detection and effective response, with AI helping to prioritize critical threats. F5’s Distributed Cloud Bot Defence utilizes AI to analyze telemetry data across environments, ensuring robust bot mitigation with near zero false positives. The deployment of AI-driven security solutions is essential in the current era of rapidly evolving cyber threats.
2024-08-21 23:19:32 theregister CYBERCRIME Critical Security Patch Released for GitHub Enterprise Server
A critical vulnerability was identified in GitHub Enterprise Server versions 3.13.0 to 3.13.2 and older, enabling unauthorized admin access. GitHub addressed this significant security flaw, rated 9.5 on the CVSS scale, in recent updates across multiple version lines. The flaw is linked to SAML authentication and could allow attackers to forge SAML responses and obtain admin privileges. Organizations utilizing affected versions are urged to install the updated releases immediately to mitigate potential threats. Other resolved vulnerabilities include medium-severity issues that could affect public issue updates and private repository data exposure via GitHub Apps. The vulnerabilities rectified were originally reported through the GitHub Bug Bounty program. The updates come during a turbulent period for GitHub, which also saw a global outage caused by a configuration error and vulnerabilities in GitHub Actions potentially leading to token leaks.
2024-08-21 22:13:08 bleepingcomputer CYBERCRIME Man Gets Prison for Hacking Death Registry to Evade Child Support
A Kentucky man was sentenced to 81 months in federal prison for identity theft and faking his own death on government databases. Jesse Kipf illegally accessed the Hawaii Death Registry System using a stolen physician's credentials to register himself as deceased. The main motive for Kipf's actions was to evade child support obligations, effectively nullifying them by appearing deceased in U.S. government systems. In addition to tampering with the death registry, Kipf also breached private corporate networks and government systems, selling network access on the dark web. He fraudulently used a false social security number to open a credit account, widening the scope of his criminal activities. The FBI emphasized the severe, life-long consequences of identity theft for victims and vowed to pursue perpetrators rigorously. Kipf must serve approximately 69 months (85% of his sentence) and will face three years of supervised release post-incarceration. Total estimated damages from Kipf's criminal actions are over $195,750, including unpaid child support.
2024-08-21 21:47:30 bleepingcomputer MALWARE Google Patches Ninth Exploited Chrome Zero-Day of 2024
Google has released an emergency update for Chrome to address a zero-day vulnerability, CVE-2024-7971, exploited in the wild. The vulnerability stems from a type confusion flaw in the V8 JavaScript engine. Security experts from the Microsoft Threat Intelligence Center and Microsoft Security Response Center reported the flaw. The updated versions are 128.0.6613.84/.85 for Windows and macOS and 128.0.6613.84 for Linux. Users can manually update Chrome via the browser's help section to accelerate the patching process. Despite confirmation of active exploitation, specific details about the attacks remain undisclosed. This incident marks the ninth actively exploited zero-day in Chrome patched by Google in 2024 alone.
2024-08-21 21:01:32 bleepingcomputer CYBERCRIME Hackers Exploit Progressive Web Apps to Steal Banking Credentials
Hackers use progressive web applications (PWAs) to mimic banking apps and siphon credentials from iOS and Android users. PWAs allow attackers to bypass native app installation processes and detection systems, enabling access to device permissions without the usual security prompts. Incidents were first reported in Poland and the Czech Republic in 2023, with ongoing campaigns targeting OTP Bank in Hungary and TBC Bank in Georgia. Attack methods include smishing, automated calls, and deceptive Facebook ads featuring bank mascots and false promotional offers. Depending on the device type, victims are redirected to fake app store pages where they are prompted to install malicious PWAs. The malicious PWAs, appearing legitimate, can access device hardware through browser APIs without direct permissions from the OS. The attackers manage the phishing operations via separate command-and-control infrastructures or through encrypted messaging platforms like Telegram. Security researchers raise concerns about the growing use of PWAs for phishing, noting the potential for broader exploitation across different platforms.
2024-08-21 20:15:32 bleepingcomputer MISCELLANEOUS Microsoft Announces Windows Recall Preview for Insiders
Microsoft is set to roll out a new AI-powered feature, Windows Recall, to Insiders in October, aiming to enhance user interface on Copilot+ PCs. Windows Recall functions by taking screenshots of active windows, analyzing them with an AI model and NPU, and storing the data in an encrypted SQLite database. Users will be able to search for stored data using natural language queries to retrieve relevant screenshots. Privacy advocates and cybersecurity experts have raised concerns about potential data theft, labeling the feature a privacy risk. Microsoft has responded to these concerns by making Recall an opt-in feature and securing the database with encryption that requires Windows Hello authentication. The launch was initially delayed due to privacy and security concerns after significant customer pushback. Microsoft emphasizes that the October release is still a preview and pledges to prioritize security enhancements as the feature is tested and refined by Windows Insiders.
2024-08-21 19:19:09 bleepingcomputer MISCELLANEOUS Microsoft Set to Test AI-Powered Windows Recall in October
Microsoft has announced the rollout of its AI feature, Windows Recall, to Insiders with Copilot+ PCs starting October. Windows Recall uses AI to analyze screenshots on-device and store them in an encrypted SQLite database, accessible via natural language searches. Privacy concerns were raised about potential data theft by threat actors, prompting Microsoft to incorporate additional security measures such as opt-in participation and encryption. The launch was initially postponed after feedback highlighted significant privacy and security concerns from users. Microsoft plans to use the Windows Insider community to test and refine Windows Recall before its broader deployment. The company has committed to prioritizing security throughout the testing process of the Recall feature on Copilot+ PCs.
2024-08-21 18:23:02 bleepingcomputer MALWARE QNAP Enhances NAS Devices with Advanced Ransomware Protection
QNAP has introduced a Security Center with ransomware protection in the new QTS 5.2 operating system for NAS devices. The Security Center actively monitors file operations to detect ransomware, allowing preemptive actions to secure data. Enhanced features include setting volumes to read-only and creating snapshots for recovery during suspicious activity. Additional updates in QTS 5.2 include faster NAS startup/shutdown, support for encrypted drives, and improved backup and restoration functions. NAS devices are common targets for cyberattacks, including ransomware, due to their role in file storage and sharing. Prior ransomware campaigns like DeadBolt, Checkmate, and eCh0raix have specifically targeted QNAP devices. QNAP advises customers to take preventive measures against brute-force attacks and to secure Internet-exposed NAS devices by changing default settings and enabling security features.
2024-08-21 17:26:32 theregister CYBERCRIME Extensive AWS Cloud Extortion Campaign Targets 110K Domains
An extensive extortion campaign has been identified, affecting 110,000 domains with misconfigured AWS .env files. Attackers exploited these files to obtain secrets such as cloud access keys, SaaS API keys, and database credentials. The perpetrators demonstrated deep knowledge of cloud systems, accessing data from poorly secured AWS storage buckets and escalating their privileges within the accounts. Common security failures included exposed environment variables, insufficient credential rotation, and failure to apply least-privilege principles. Specifically, the attackers used stolen IAM keys to create new roles, attach admin policies, and execute scripts for further scanning and data manipulation. The campaign underscores the necessity of robust cloud security measures such as secure configurations, regular credential rotation, and comprehensive monitoring and logging. Researchers recommend best practices including not storing .env files in version control systems and using secret-management tools to protect sensitive data. The simplicity and low cost of obtaining cloud credentials on the dark web highlight the persistent risks and appeal of cloud resources to cybercriminals.
2024-08-21 17:26:31 bleepingcomputer CYBERCRIME Critical Plugin Flaw Risks Millions of WordPress Sites to Takeover
A critical vulnerability in the LiteSpeed Cache WordPress plugin, identified as CVE-2024-28000, allows attackers to take over websites by creating rogue admin accounts. The flaw exists due to a weak hash check in the user simulation feature of LiteSpeed Cache versions up to 6.3.0.1. Over 5 million WordPress sites use LiteSpeed Cache, making this vulnerability particularly threatening due to its widespread usage. Attackers can exploit this flaw by brute forcing security hash values, potentially gaining admin access within hours to a week. Despite the release of a patch in LiteSpeed Cache version 6.4, only 2.5 million downloads have been recorded, suggesting many sites remain at risk. Previous vulnerabilities in LiteSpeed Cache have also been exploited for unauthorized administrative access and site takeovers. Security experts strongly recommend updating to the latest patched version, 6.4.1, to mitigate risks associated with this vulnerability.
2024-08-21 16:20:10 thehackernews DATA BREACH Microsoft Fixes Critical Flaw in Copilot Studio, Prevents Data Leak
A critical vulnerability in Microsoft's Copilot Studio, identified as CVE-2024-38206 with a CVSS score of 8.5, allowed sensitive data exposure through an SSRF attack. The flaw allowed authenticated attackers to circumvent SSRF defenses and retrieve sensitive information from internal network systems. The vulnerability abused Copilot Studio's ability to make external web requests, granting attackers access to Microsoft's internal resources, such as the Instance Metadata Service and internal Cosmos DB instances. Access tokens obtained through the vulnerability could potentially lead to elevated access within Microsoft's shared internal infrastructure, impacting multiple customer environments. The issue has been resolved by Microsoft, which asserted that no further customer action is necessary. The security finding was part of Tenable's larger effort, which also disclosed serious concerns in the Microsoft Azure Health Bot Service, potentially allowing lateral movement and access to sensitive patient data. Microsoft announced upcoming mandatory multi-factor authentication (MFA) for Azure services, beginning October 2024, as part of its Secure Future Initiative (SFI).
2024-08-21 15:49:27 bleepingcomputer MISCELLANEOUS Phrack Hacker Magazine Releases New Edition After Hiatus
Phrack magazine, a long-standing hacker publication, has released its first issue since 2021. The publication, known for insightful articles on hacking and cybersecurity, is available for free online and in hardcopy at DEF CON. This new issue addresses the current technology landscape's transparency issues and fast adoption of untested systems. It includes advanced technical articles, fostering practical knowledge sharing among the hacking community. The revival of Phrack under a new team marks its commitment to remain influential in the evolving cybersecurity field. Plans for future publications include a potential printed issue for the magazine’s 40th anniversary in 2025, though logistical challenges remain.