Weekly Security News – 4th November 2024

Pro-Russian hackers attack UK councils, cloud credential theft via exposed Git configuration files, and security patches for the Chrome and Opera browsers...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. “The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis. LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimisation features. It’s installed on over six million sites. The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8). Sites running anything below 6.5.2 should update now, since an unauthenticated path to an administrator account is as severe as WordPress plugin flaws get.

Google Patches Critical Chrome Vulnerability Reported by Apple

Google and Mozilla on Tuesday announced security updates for their Chrome and Firefox web browsers, and some of the vulnerabilities they patch are potentially severe. Google has announced the release of Chrome 130, which patches two vulnerabilities. One of them, tracked as CVE-2024-10487, has been described as a critical out-of-bounds write issue in Dawn, the cross-platform implementation of the WebGPU standard. The issue was reported to Google by Apple’s Security Engineering and Architecture (SEAR) team just one week ago. Different implementations of the WebGPU graphics API are used in Firefox and Safari as well, but it’s unclear if these browsers are also impacted by CVE-2024-10487. While there is no information on what CVE-2024-10487 can be exploited for, in general, exploitation of out-of-bounds write issues can lead to arbitrary code execution. Google has not mentioned anything about in-the-wild exploitation. The second vulnerability patched with the release of Chrome 130 is CVE-2024-10488, a high-severity use-after-free in WebRTC. 

Google has yet to determine the bug bounties that it will pay out for these vulnerabilities.

Cyber Attacks

Massive cloud credential theft conducted via exposed Git configuration files

More than 15,000 cloud account credentials have been exfiltrated by the EmeraldWhale threat operation from exposed Git configuration files, which hold repository remote paths and can embed authentication details, and from the private repositories those credentials unlocked. According to a Sysdig report, EmeraldWhale used the open-source ‘httpx’ and ‘Masscan’ tools to scan websites and determine whether the /.git/config file, or environment (.env) files in Laravel applications, were exposed. Exposed tokens were verified and then used to download the private repositories, which were in turn scanned for AWS, cloud and email service authentication secrets, the researchers said. The stolen data, which was exfiltrated to another victim’s S3 bucket, came from 67,000 URLs, more than a third of which were Git repositories, with GitHub accounting for most of the compromised credentials. The attackers also traded lists of exposed Git configuration file URLs on Telegram, the researchers added.
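As an added illustration of the exposure EmeraldWhale was hunting for (this is example code written for this roundup, not tooling from Sysdig or from the attackers), the Python below probes a site for the two paths named in the report, decides whether the response is a genuine .git/config or Laravel .env rather than a catch-all 200 page, and reports any embedded credentials with the secret value redacted. The hostname example.test, the fetch callback and the sample file bodies are all constructed for the demo and are not from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample bodies standing in for what an HTTP probe of
# https://example.test/.git/config and https://example.test/.env might return.
SAMPLE_GIT_CONFIG = (
    '[core]\n'
    '\trepositoryformatversion = 0\n'
    '\tbare = false\n'
    '[remote "origin"]\n'
    '\turl = https://deploy-bot:ghp_EXAMPLETOKEN1234@github.com/example-org/private-app.git\n'
    '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
    '[remote "mirror"]\n'
    '\turl = git@gitlab.example.test:example-org/private-app.git\n'
)
SAMPLE_DOTENV = (
    'APP_NAME=Laravel\n'
    'APP_ENV=production\n'
    'APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY=\n'
    'AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n'
    'AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret\n'
    'MAIL_PASSWORD=\n'          # empty value: nothing to steal, must not be reported
)
SAMPLE_NOT_FOUND = '<html><body><h1>404 Not Found</h1></body></html>\n'

SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\]$')
KV_RE = re.compile(r'^(?P<key>[A-Za-z][\w.-]*)\s*=\s*(?P<value>.*)$')
SECRET_KEY_RE = re.compile(r'KEY|SECRET|PASS|TOKEN', re.I)
PROBE_PATHS = ('/.git/config', '/.env')   # the two paths the campaign scanned for


def parse_git_config(text):
    """Parse git's INI-like config into {section: {key: value}} (comments skipped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group('name'), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group('key').lower()] = m.group('value').strip()
    return sections


def classify_exposure(body):
    """Return 'git-config', 'dotenv' or None. A real .git/config always carries
    core.repositoryformatversion; a Laravel .env is all KEY=value lines with APP_* keys."""
    if 'repositoryformatversion' in parse_git_config(body).get('core', {}):
        return 'git-config'
    lines = [l.strip() for l in body.splitlines() if l.strip() and not l.startswith('#')]
    if lines and all(KV_RE.match(l) for l in lines) and any(l.startswith('APP_') for l in lines):
        return 'dotenv'
    return None


def redact(secret):
    """Keep a short prefix so a finding can be matched to a token without logging it whole."""
    return secret[:4] + '...' if len(secret) > 4 else '****'


def extract_secrets(body):
    """List credentials exposed by a body, with the secret values redacted."""
    findings = []
    kind = classify_exposure(body)
    if kind == 'git-config':
        for name, keys in parse_git_config(body).items():
            if not name.startswith('remote ') or 'url' not in keys:
                continue
            parts = urlsplit(keys['url'])   # only URL-style remotes can embed user:token@host
            if parts.password:
                findings.append({'kind': 'git-remote-credential', 'where': parts.hostname,
                                 'account': parts.username, 'secret': redact(parts.password)})
    elif kind == 'dotenv':
        for line in body.splitlines():
            m = KV_RE.match(line.strip())
            if m and SECRET_KEY_RE.search(m.group('key')) and m.group('value').strip():
                findings.append({'kind': 'dotenv-secret', 'where': m.group('key'),
                                 'account': None, 'secret': redact(m.group('value').strip())})
    return findings


def probe_site(base_url, fetch):
    """Probe PROBE_PATHS on a site; fetch(url) returns the body text or None if unreachable."""
    report = {}
    for path in PROBE_PATHS:
        body = fetch(base_url.rstrip('/') + path)
        if body is not None and classify_exposure(body):
            report[path] = {'kind': classify_exposure(body), 'findings': extract_secrets(body)}
    return report


if __name__ == '__main__':
    # Offline demo: a fake fetcher serving the constructed bodies above.
    fake = {'https://example.test/.git/config': SAMPLE_GIT_CONFIG,
            'https://example.test/.env': SAMPLE_DOTENV}
    for path, entry in probe_site('https://example.test', fake.get).items():
        print(path, entry['kind'], entry['findings'])
```

The same classification doubles as a cheap self-check: if a probe of your own domains returns anything other than nothing, block dotfile paths at the web server (an nginx `location ~ /\.` returning 403, or the Apache equivalent) and rotate whatever the file held, because anything that was readable at /.git/config has to be assumed harvested already.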

Pro-Russia hackers claim council cyber attacks

Pro-Russian hackers have claimed to have targeted several councils in a cyber-attack. A group named NoName057(16), pictured with a Russian flag in its profile, posted on X about its plans to target UK town halls, including in Greater Manchester. It claimed to have hit the Salford, Bury, Trafford and Tameside council websites this week with a distributed denial-of-service (DDoS) attack, flooding the websites with internet traffic to put them out of use. Salford, Bury and Trafford councils confirmed their web pages were temporarily affected by a cyber-attack, but said they were now back online. A National Cyber Security Centre (NCSC) spokesperson said the organisation had provided guidance to the affected councils. They told the Local Democracy Reporting Service: “Whilst DDoS attacks are relatively low in sophistication and impact, they can cause disruption by preventing legitimate users from accessing online services.” Salford and Bury councils said residents were still able to access services in person and over the phone while their websites were out of use. Trafford Council said personal data “remained secure throughout”, adding: “We continue to remain vigilant and monitor for cyber threats”. Tameside Council has also been contacted for comment.

In Other News...

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Opera has fixed a worrying security vulnerability that could have allowed threat actors to reach permissive APIs in the browser, and thus take over accounts, tweak browser settings and even take screenshots. Cybersecurity researchers at Guardio Labs disclosed their findings and dubbed the vulnerability “CrossBarking”. The flaw revolves around the fact that multiple Opera-owned, publicly accessible subdomains have privileged access to private APIs embedded within the browser. These domains support different features of the browser, such as the Pinboard, Opera Wallet and others. Through a malicious browser extension, attackers could inject JavaScript into these domains and thus gain access to the APIs. “The content script does have access to the DOM (Document Object Model),” the researchers explained in a blog post. “This includes the ability to dynamically change it, specifically by adding new elements”. Access to the APIs then allows attackers to screenshot open tabs, pull session cookies to access different accounts, and modify the browser’s DNS-over-HTTPS settings so that domains are resolved through malicious DNS servers. This, the researchers further explain, could lead to victims opening fake bank sites and losing their banking credentials. The lesson for any browser vendor is the same: a privileged API exposed to an ordinary web origin is only as safe as every script that can run on that origin, extensions included.

Sophos reveals 5-year battle with Chinese hackers attacking network devices

Sophos has disclosed a series of reports dubbed “Pacific Rim” that detail how the cybersecurity company has been sparring with Chinese threat actors for over five years as they increasingly targeted networking devices worldwide, including those from Sophos. For years, cybersecurity firms have warned enterprises that Chinese threat actors exploit flaws in edge networking devices to install custom malware that allows them to monitor network communications, steal credentials, or act as proxy servers for relayed attacks. These attacks have targeted well-known manufacturers, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, Netgear, Sophos and many more. Sophos has attributed this activity to multiple Chinese threat actors, known as Volt Typhoon, APT31 and APT41/Winnti, all of which have been known to target networking devices in the past. “For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware,” Sophos explains in a report that outlines the activity.