Versa Networks Flaw, Hezbollah Supply Chain, MediaTek Wi-Fi Vulnerability – Cybersecurity News [September 23, 2024]

by Duocircle

We’re back with the latest cybersecurity updates to inform you about recent threats and help you stay protected. This week, we’ll dive into how hackers are exploiting Versa Director through a critical vulnerability, the supply chain attack linked to Hezbollah device explosions, a zero-click vulnerability in MediaTek Wi-Fi chipsets, Transport for London’s (TfL) data breach affecting 5,000 customers, and the latest campaign by the North Korean-linked group Gleaming Pisces using poisoned Python packages to deliver backdoors. Let’s explore the news descriptions provided below!

Versa Networks Identifies Critical Flaw in Versa Director (CVE-2024-45229)

Versa Networks recently disclosed a severe vulnerability (CVE-2024-45229) in its Versa Director software that allows unauthorized access to critical system APIs. The flaw stems from inadequate input validation in REST APIs such as the login and registration endpoints. By injecting legitimate arguments into a GET request, an attacker can retrieve the authentication tokens of currently logged-in users.

With those tokens in hand, an attacker can make further API calls and perform unauthorized actions. Notably, the vulnerability does not expose usernames or passwords, but it affects all versions released before September 12, 2024.

Organizations using Versa Director should promptly upgrade to the latest hotfix versions. Affected versions include 22.1.4, 22.1.3, 22.1.2, and 21.2.3 (builds released before September 9, 2024); the same version numbers updated after September 12, 2024 are safe. There is no direct workaround, but a Web Application Firewall (WAF) or API gateway can block access to the vulnerable APIs. Versa Director instances that are not connected to the internet are not vulnerable. Versa Networks urges its customers to upgrade their systems and monitor for malicious activity.

Supply Chain Attack Theorized in Hezbollah Explosions

Over 12 fatalities and 2,800 injuries were reported on September 17, when multiple pagers exploded across Lebanon and Syria. The following day, a second wave of explosions from walkie-talkies caused 20 additional deaths and injured more than 450 people. Lebanese authorities suspect that Israeli military intelligence may have intercepted the supply chain and altered the devices, which Hezbollah had purchased as part of a communications strategy built on older technology.

According to officials, the devices had been fitted with embedded explosives. The resulting impact was far more devastating than anyone had anticipated.

This incident underscores the importance of securing supply chains, particularly for hardware. Even commonplace devices such as USB sticks can be tampered with to enable carefully planned attacks. Organizations must verify the integrity of devices before deployment and ensure that their supply chains are secure. Clear communication with third-party vendors about security practices, together with contingency plans for alternative communication channels, is crucial for mitigating and handling this class of risk.

Zero-Click Vulnerability in MediaTek Wi-Fi Chipsets (CVE-2024-20017)

A significant zero-click vulnerability, tracked as CVE-2024-20017, has been discovered in MediaTek Wi-Fi chipsets. It affects many devices, including routers and smartphones from manufacturers such as Ubiquiti, Xiaomi, and Netgear. Rated 9.8 on CVSS 3.0, the flaw allows remote code execution without any user interaction, due to an out-of-bounds write in the Wappd network daemon, which manages wireless interfaces. MediaTek released patches in March 2024, but a recently published proof-of-concept (PoC) has increased the risk of exploitation.

The vulnerability lies in the IAPP_RcvHandlerSSB function, which lacks bounds checking on packet lengths, leading to a stack buffer overflow. As a result, an attacker can bypass validation checks and use return-oriented programming (ROP) to execute commands on affected devices, such as establishing a reverse shell.

In response, SonicWall released two intrusion prevention system (IPS) signatures (20322 and 20323) to detect and block exploitation attempts. Users are urged to update their firmware immediately with the available patches to avoid being compromised.

Transport for London (TfL) Notifies Approximately 5,000 Customers of Data Breach

Transport for London (TfL) recently notified about 5,000 customers that their personal data may have been compromised in a recent cyberattack. The breach exposed sensitive information such as bank account details, sort codes, names, addresses, and Oyster refund data.

Victims were informed by letter, warning them that malicious hackers had gained unauthorized access to their data, including sensitive information. To help recipients verify that the notifications were genuine, TfL included unique identifiers in the letters and provided customer service contacts for further assistance.

A 17-year-old was found guilty and faced severe charges after evidence was found linking him to the hack. TfL services were disrupted for almost three weeks after the incident: customers could not apply for new concession cards or access refunds, resulting in significant losses for the organization. TfL has since made substantial changes to its security infrastructure.

The National Crime Agency has raised concerns regarding the significant impact of such attacks on local communities and national infrastructure. TfL has apologized for the disruption and is working closely with the Information Commissioner’s Office and relevant government agencies to investigate the matter further.

Gleaming Pisces Poisoned Python Packages Campaign

Researchers at Unit 42 have uncovered a new campaign by Gleaming Pisces (also known as Citrine Sleet), a group linked to North Korea. The campaign distributes backdoors to Linux and macOS systems through poisoned Python packages hosted on the popular PyPI repository. During the investigation, the researchers discovered PondRAT, a lightweight, updated variant of the previously known POOLRAT malware.

The attackers aim to gain access to vendor-customer systems by targeting the software supply chain, often through developer endpoints. Although the compromised packages have been removed from PyPI, organizations must remain alert and keep their systems updated with the latest recommended patches.

The attack chain begins by decoding malicious code embedded in the Python packages, which then runs several bash commands to download and install the backdoor. Palo Alto Networks' Cortex XDR detects and prevents PondRAT and POOLRAT variants.
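As an added illustration that is not from the Unit 42 report or this article, the following triage script flags a Python module when it both decodes an embedded blob and executes code or a shell command, the pattern described above. The poisoned and clean modules are constructed samples; the base64 blob decodes to print('hi'), and the scanner never executes the code it inspects.

```python
import ast

# Calls that decode or deobfuscate an embedded blob.
DECODERS = {"base64.b64decode", "binascii.unhexlify", "bytes.fromhex", "zlib.decompress"}
# Calls that turn data into running code or hand a command to a shell.
EXECUTORS = {"exec", "eval", "os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call"}


def _call_name(node: ast.Call) -> str:
    """Render the callee of a Call as a dotted name, or '' if it is not a plain name."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> dict:
    """Collect decoder and executor calls (name@line) found in one Python module."""
    found = {"decoders": [], "executors": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODERS:
                found["decoders"].append(f"{name}@{node.lineno}")
            elif name in EXECUTORS:
                found["executors"].append(f"{name}@{node.lineno}")
    return found


def is_suspicious(src: str) -> bool:
    """True when a module both decodes an embedded blob and executes code or a shell."""
    found = scan_source(src)
    return bool(found["decoders"]) and bool(found["executors"])


# Constructed sample of a poisoned module; the blob is base64 of print('hi').
SAMPLE_POISONED = """
import base64, subprocess
def _post_install():
    code = base64.b64decode("cHJpbnQoJ2hpJyk=")
    exec(code)
    subprocess.run(["bash", "-c", "echo constructed-sample"])
"""
# Constructed benign module: it encodes but never decodes or executes anything.
SAMPLE_CLEAN = """
import base64
def encode_token(token: str) -> str:
    return base64.b64encode(token.encode()).decode()
"""
```

Aliased or indirect imports (from subprocess import run, getattr tricks) are not resolved, so treat a hit as a reason to review the package by hand, not as proof of compromise.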

According to the report, the Linux and macOS versions of PondRAT share many similarities, including encryption keys and command functions, which makes it easier for Gleaming Pisces to run the campaign across both platforms. Organizations are advised to keep their systems updated with the latest patches and standards, and to use tools such as Advanced WildFire and behavioral threat detection to defend against these attacks.