Hackers are exploiting critical bug in LiteSpeed Cache plugin

Severity: Critical (CVSS score: 9.8)

Information:

LiteSpeed Cache is a popular WordPress plugin designed to significantly enhance website performance by accelerating page load times. Developed by LiteSpeed Technologies, a company renowned for its high-performance web server technology, this plugin is specifically optimized to work seamlessly with the LiteSpeed Web Server.

The plugin's popularity among WordPress users stems from its ability to dramatically improve website speed and user experience. By caching frequently accessed content, LiteSpeed Cache reduces server load and minimizes the time it takes for pages to load, resulting in better search engine rankings and increased user satisfaction.

Event

This vulnerability allows attackers to escalate their privileges without any authentication in all versions of the WordPress plugin up to 6.3.0.1, which could lead to a complete takeover of the website. The vulnerability arises from a weak hash check in the plugin's user simulation feature: attackers can brute-force the hash value and then create fake administrator accounts. The referenced article also reports that hackers have already started exploiting this vulnerability, with Wordfence detecting and blocking over 48,500 attacks targeting it in the past 24 hours (as of August 21st). LiteSpeed Cache is used by over 5 million websites, and only about 30% of them are running a secure version of the plugin, leaving millions of websites still at risk of being attacked.
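A defender-side check added here (it is not from the bulletin, the referenced articles or the plugin's authors): brute-forcing a short hash value means one source sends many requests to the same endpoint, each presenting a different guessed value, while a legitimate client presents one. The detector below looks for that pattern in web-server access logs; the log layout, the cookie name sim_hash, the thresholds and the sample traffic are constructed assumptions, not the plugin's real identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format with the Cookie header appended as a final quoted field (assumed layout).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_token_bruteforce(lines, token_cookie="sim_hash",
                          window=timedelta(seconds=60), min_distinct=20):
    """Return {(ip, path): distinct tokens} for sources that presented at least
    min_distinct different values of the token cookie to one path within window.
    A real client holds one token; a guesser rotates through many."""
    events = defaultdict(list)                      # (ip, path) -> [(ts, token)]
    token_re = re.compile(re.escape(token_cookie) + r"=([^;\s]+)")
    for line in lines:
        rec = parse_line(line)
        m = token_re.search(rec["cookie"]) if rec else None
        if m:
            events[(rec["ip"], rec["path"])].append((rec["ts"], m.group(1)))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                 # sliding time window over ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({tok for _, tok in evs[start:end + 1]})
            if distinct >= min_distinct:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def sample_log():
    """Constructed traffic (not real): 25 guesses in 48 s from 203.0.113.7, each
    with a new token, plus a normal visitor from 198.51.100.9 reusing one token."""
    fmt = '{ip} - - [{ts}] "POST / HTTP/1.1" 403 12 "sim_hash={tok}; wp_test=1"'
    base = datetime(2024, 8, 21, 10, 0, tzinfo=timezone.utc)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="203.0.113.7", ts=stamp(2 * i), tok=f"{i:06d}") for i in range(25)]
    lines += [fmt.format(ip="198.51.100.9", ts=stamp(15 * i), tok="a1b2c3") for i in range(3)]
    return lines
```

Tune `window` and `min_distinct` to the site's normal traffic; the same sliding-window logic applies to any short token or code that a client should hold once rather than guess.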

Recommendation

– Upgrade to version 6.4.1

– Uninstall the plugin from the website

Security systems are important. We must stay alert and monitor as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)

References

- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-bug-in-litespeed-cache-plugin/

- https://www.wordfence.com/blog/2024/08/over-5000000-site-owners-affected-by-critical-privilege-escalation-vulnerability-patched-in-litespeed-cache-plugin/

Weekly Interesting CVE

Fields per entry: No., CVE name, published date, last update, device/application/OS target, attack type, CVSS severity rating, detail, solution, reference.
1. CVE-2024-22116
Published: 12/8/2024 | Last update: 12/8/2024
Target: Zabbix versions 6.4.0 to 6.4.15 and 7.0.0 to 7.0.0rc2
Attack type: Code Injection
CVSS severity rating: 9.9
Detail: An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters lets this user execute arbitrary code via the Ping script, thereby compromising infrastructure.
Solution: Zabbix: upgrade to 6.4.16rc1 (6.4.x) or 7.0.0rc3 (7.0.x)
Reference: https://cybersecuritynews.com/zabbix-server-vulnerability/

2. CVE-2024-33536
Published: 12/8/2024 | Last update: 14/8/2024
Target: Zimbra Mail (ZCS) 9.0 and 10.0
Attack type: Cross-site Scripting
CVSS severity rating: 5.4
Detail: An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.
Solution: upgrade to version 9.0.0/P40 (9.0.x) or 10.0.8 (10.0.x)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-33536

3. CVE-2024-4671
Published: 14/5/2024 | Last update: 14/8/2024
Target: Google Chrome prior to 124.0.6367.201
Attack type: Use After Free
CVSS severity rating: 9.6
Detail: Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Solution: Upgrade to version 124.0.6367.201
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-4671

4. CVE-2024-21114
Published: 16/4/2024 | Last update: 15/8/2024
Target: Oracle VM VirtualBox versions prior to 7.0.16
Attack type: Improper Access Control
CVSS severity rating: 8.8
Detail: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Affected supported versions: prior to 7.0.16. This easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products.
Solution: Update to version 7.0.16
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-21114

5. CVE-2024-36505
Published: 13/8/2024 | Last update: 13/8/2024
Target: FortiOS 7.4.0 through 7.4.3, 7.2.5 through 7.2.7, 7.0.12 through 7.0.14 and 6.4.13 through 6.4.15
Attack type: Improper access control
CVSS severity rating: 5.1
Detail: An improper access control vulnerability [CWE-284] in FortiOS 7.4.0 through 7.4.3, 7.2.5 through 7.2.7, 7.0.12 through 7.0.14 and 6.4.13 through 6.4.15 may allow an attacker who has already successfully obtained write access to the underlying system (via another hypothetical exploit) to bypass the file integrity checking system.
Solution: Upgrade to FortiOS 7.4.4, 7.2.8 or 7.0.15; for FortiOS 6.x, migrate to a fixed release
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-36505

Malware News or Campaign IOC/IOA | EN

Fields per entry: No., campaign name, detection date, attack type, description, mitigation/remediation.

1. FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany
Detection date: 13/08/2024
Attack type: Ransomware
Description: A new campaign called ValleyRAT uses many techniques to evade detection and loads its components directly in memory, minimizing its footprint on the victim's system. The malware uses benign-looking filenames for its .exe file to appear non-threatening. When launched, the executable drops a decoy document and loads shellcode that communicates with a C2 server and downloads two critical components, RuntimeBroker and RemoteShellcode, which establish persistence on the host and gain administrator privileges through exploitation techniques. RuntimeBroker performs additional checks to determine whether it is running in a sandbox and also scans the Windows Registry for keys related to apps such as Tencent WeChat and Alibaba DingTalk, confirming that it specifically targets Chinese systems. RemoteShellcode uses network protocols such as UDP or TCP to connect to the C2. ValleyRAT is a fully featured backdoor capable of remotely controlling compromised systems, taking screenshots, executing files, and loading additional plugins.
Mitigation/Remediation:
1. Update software and operating systems.
2. Review vulnerability assessment scans and penetration tests of systems to find and fix vulnerabilities.
3. Implement antivirus to prevent malware.
4. Train employees to recognize and handle phishing emails and suspicious links.
Ref: https://any.run/cybersecurity-blog/new-valleyrat-campaign/?utm_source=ein&utm_medium=pressrelease&utm_campaign=valleyrat&utm_content=blog&utm_term=200824


06 September 2024
