Vulnerability Recap 6/10/24 – RCE Attacks in Major Platforms

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Last week’s vulnerability news revealed a significant increase in serious flaws targeted by cyber threat actors across multiple large platforms. The recent remote code execution (RCE) attacks and other critical vulnerability exploits emphasized the persistent challenges in patch and vulnerability management.

Exploits targeted Progress Telerik Report Servers and PHP weaknesses allowing remote code execution on Windows. Threats like DarkGate’s switch to AutoHotkey, the Muhstik botnet’s Apache RocketMQ exploits, and Chinese hackers targeting ThinkPHP applications also showed the significance of proactive security. Quickly fix, upgrade, and secure your systems to maintain resilience against these increasing threats.

June 3, 2024

Exploit Chain Enables RCE in Progress Telerik Report Servers

Type of vulnerability: Chained remote code execution.

The problem: A proof-of-concept exploit demonstrates a chained RCE vulnerability in Progress Telerik Report Servers. The exploit combines an authentication bypass (CVE-2024-4358) with a deserialization issue (CVE-2024-1800). The authentication bypass permits the establishment of rogue admin accounts, but the deserialization flaw allows remote code execution, potentially giving attackers complete control over the affected servers.

The fix: To fix both issues, update to version or later. Administrators should also verify user lists for unrecognized accounts and ensure their servers are fixed to prevent exploitation.

Cox Communications Fixes Vulnerability in Modems

Type of vulnerability: Authorization bypass.

The problem: Cox Communications fixed an authorization bypass flaw that allowed remote attackers to use backend APIs to reset modem settings and steal user data. Sam Curry discovered the vulnerability, which allows attackers permissions equivalent to ISP tech support. This lets threat actors change setups and access sensitive personal information of millions of Cox customers, such as MAC addresses and Wi-Fi passwords.

The fix: Cox Communications removed the exposed API calls within six hours of receiving the report and resolved the vulnerability the next day. They performed a follow-up security review to ensure that the vulnerability had not been exploited previously. Cox asks customers to keep informed and report any unusual activity to ensure security.

SonicWall Identifies RCE Vulnerability in Atlassian Confluence

Type of vulnerability: Remote code execution.

The problem: SonicWall Capture Labs’ research team uncovered a critical remote code execution vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server. With a CVSS score of 8.3, this weakness allows authorized attackers with network access to upload malicious JavaScript files, allowing arbitrary code execution. Confluence’s critical position in organizational knowledge management makes this vulnerability alarming.

The fix: SonicWall developed IPS signatures 4437 and 4438 to identify and prevent exploits. Users should upgrade to the most recent Confluence versions to address CVE-2024-21683. Given Confluence’s widespread use in enterprise situations, conduct timely patching to prevent potential attacks.

Explore our guide on automated patch management techniques, how the process works, and the essential tools you can use.

June 4, 2024

Zyxel Networks Issues Emergency Update for Critical NAS Vulnerabilities

Type of vulnerability: Command injection and RCE.

The problem: Zyxel Networks has issued an emergency upgrade to address three severe vulnerabilities in older, end-of-life NAS devices (NAS326, NAS542). These security vulnerabilities enable unauthenticated attackers to carry out command injection and remote code execution. Timothy Hjort discovered these vulnerabilities, which allow the execution of OS commands and the uploading of malicious files, compromising the security of affected devices.

The fix: Zyxel issued firmware patches 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542 to address serious issues CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. Users should apply these updates right away to protect their devices. Despite the products’ end-of-life status, Zyxel released these updates to mitigate the severity of the vulnerabilities.

CISA Adds Oracle Vulnerability to Exploited List Due to Active Attacks

Type of vulnerability: OS command injection.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) discovered an actively exploited OS command injection vulnerability in Oracle WebLogic Server (CVE-2017-3506). With a CVSS score of 7.4, this issue enables attackers to obtain unauthorized access and control over servers by sending maliciously crafted HTTP requests containing XML documents.

The 8220 Gang, a China-based cryptojacking group, leveraged this vulnerability to take over unpatched servers for crypto-mining operations. They used subtle approaches including hexadecimal encoding and HTTP via port 443.

The fix: To prevent the risk, federal agencies and companies that use Oracle WebLogic Server should apply the most recent fixes before June 24, 2024. This involves updating to the most recent WebLogic versions. Follow Oracle’s security advisories to protect against potential threats and maintain network security.

June 5, 2024

DarkGate MaaS Switches to AutoHotkey for Stealthier Malware Delivery

Type of vulnerability: Malware delivery mechanism.

The problem: The DarkGate malware-as-a-service (MaaS) operation, notorious for its powerful remote access trojan (RAT) capabilities, has switched from using AutoIt scripts to AutoHotkey in version 6. This update, seen from March 2024, improves the malware’s evasion techniques, making detection more difficult.

DarkGate, developed by RastaFarEye and active since 2018, exploits security holes in Microsoft Excel and HTML attachments to overcome defenses and deliver malicious payloads, primarily targeting healthcare, telecommunications, and finance sectors around the world.

The fix: Improve email filtering to detect and prevent harmful attachments, and adopt strong endpoint security solutions. Regularly update anti-malware software and educate your personnel about phishing dangers. Watch your network traffic for suspicious activity and use multi-factor authentication to protect you and your organization from advanced malware operations.

June 6, 2024

Muhstik Botnet Exploits Critical Apache RocketMQ Flaw for RCE Attacks

Type of vulnerability: Remote code execution.

The problem: The Muhstik botnet exploited a severe RCE issue in Apache RocketMQ (CVE-2023-33246) to attack Linux systems and IoT devices for DDoS and cryptomining. The attack starts with the execution of a shell script from a remote IP that downloads the Muhstik malware binary (“pty3”). Then, it copies the malware to several directories and modifies system files to ensure persistence. More than 5,000 Apache RocketMQ instances remain vulnerable.

The fix: To reduce the risk of exploitation, immediately update Apache RocketMQ to the newest version. Protect MS-SQL servers from brute-force attacks by using strong, frequently changed passwords and installing the most recent security patches. Implement strong security measures and continual monitoring to combat the Muhstik botnet and related attacks.

Threat Actors Exploit ThinkPHP Vulnerabilities for Dama Deployment

Type of vulnerability: Remote code execution.

The problem: Chinese threat actors targeted ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 and installed Dama, a persistent web shell. Attackers can compromise underlying content management systems (CMS) on infiltrated endpoints by exploiting these vulnerabilities, which allow remote code execution.

The Dama web shell has advanced capabilities for system navigation, file upload, privilege escalation, and network scanning. This effectively transforms compromised systems into nodes in the attackers’ network.

The fix: Given this campaign’s broad targeting breadth, companies should remain cautious and implement proactive security measures to protect against opportunistic assaults. To reduce the risk of exploitation, update to ThinkPHP version 8.0. To prevent future attacks, use vulnerability management procedures and update software on a regular basis.

June 7, 2024

New PHP Flaw Enables Remote Code Execution on Windows

Type of vulnerability: CGI argument injection.

The problem: A severe security issue in PHP affects all versions deployed on Windows and permits remote code execution via CGI argument injection. This vulnerability (CVE-2024-4577) exploits a Windows encoding conversion feature to bypass CVE-2012-1823 protections.

Attackers can run arbitrary code on PHP servers by modifying particular character sequences. DEVCORE pointed out that XAMPP installations employing traditional Chinese, simplified Chinese, or Japanese settings are particularly vulnerable.

The fix: PHP has issued updates (versions 8.3.8, 8.2.20, and 8.1.29) to resolve the vulnerability. Administrators should promptly upgrade PHP installations and consider switching from obsolete PHP CGI to more secure options such as Mod-PHP, FastCGI, or PHP-FPM. As exploitation attempts have already been detected, you must apply these updates immediately.

Read next:

Featured Partners: Vulnerability Management Software

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Maine Basan Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis