Weekly Security News – 7th October 2024

700,000 DrayTek routers exposed, WordPress plugin flaw, business leaders' cloud security concerns and fake apps on app stores...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

High-Severity Flaw in WordPress LiteSpeed Cache Plugin Exposes Sites to XSS Attacks

A security flaw (CVE-2024-47374) in the LiteSpeed Cache plugin for WordPress could allow attackers to execute malicious JavaScript on vulnerable sites. Impacting versions up to 6.5.0.2, this stored XSS vulnerability was patched in version 6.5.1. The flaw could lead to privilege escalation or theft of sensitive information. Users are urged to update immediately to mitigate potential exploitation.

Over 700,000 DrayTek Routers Exposed to Critical Vulnerabilities

Researchers discovered 14 security flaws, dubbed “DRAY:BREAK”, affecting DrayTek routers, with two rated critical (CVSS score 10.0). These vulnerabilities could allow remote code execution or denial-of-service attacks. Over 704,000 routers are exposed online, with most instances found in the U.S. and Vietnam. DrayTek has released patches for all affected devices, including some end-of-life models. Users are urged to update their firmware and disable remote access to mitigate risks.

CUPS Flaw Allows for DDoS Amplification Attacks

A recently patched vulnerability (CVE-2024-47176) in the Common Unix Printing System (CUPS) allows for DDoS attacks with a 600x amplification factor. Attackers can exploit the flaw using a single UDP packet to cause servers to generate excessive IPP/HTTP requests, overwhelming target systems. Around 58,000 CUPS servers online are currently vulnerable. Administrators should apply the patch or disable the cups-browsed service to mitigate risks.

Cyber Attacks

Ransomware Group "PaidMemes" Targets Over 100 Organizations Monthly

A ransomware group known as “PaidMemes” has been infecting over 100 organisations monthly using a new variant of MedusaLocker called “BabyLockerKZ,” according to Cisco Talos. The attacks, which began in 2022, target small to medium-sized businesses worldwide. The group’s methods include gathering credentials and leveraging common network tools like Mimikatz. Victims have included companies in Europe, Central and South America, and other regions, with ransom demands typically ranging between $30,000 and $50,000.

Fake "Pig Butchering" Trading Apps Found on Google Play and App Store

Cybersecurity firm Group-IB discovered fraudulent trading apps on Google Play and Apple’s App Store, used in “pig butchering” scams. The apps trick victims into depositing funds with promises of high investment returns, only to steal the money when withdrawal is attempted. Disguised as financial tools, they were downloaded thousands of times before removal. Scammers have now moved to phishing websites to continue their activities.

In Other News...

Cloud Security Tops Executives' Concerns in PwC Survey

A PwC cybersecurity survey found that cloud-specific threats are the top concern for 42% of business leaders, who also feel least prepared to handle them. Other major concerns include hack-and-leak operations, third-party breaches, and attacks on connected devices. While ransomware ranks lower overall, CISOs are particularly worried about it. The survey highlights the expanding attack surface due to cloud adoption and generative AI, which increases susceptibility to cyberattacks.

Malicious Crypto Wallet Recovery Tools Found in PyPI Repository

Researchers uncovered fake crypto wallet recovery tools hosted on PyPI, which were designed to steal sensitive information like private keys and mnemonic phrases from users of wallets such as Metamask, Trust Wallet, and Exodus. These malicious packages had deceptive names and descriptions, accumulating hundreds of downloads before removal. The attack utilised obfuscation techniques to evade detection and dynamically retrieved command and control server information.