Zero-day critical vulnerability discovered in Apache OFBiz

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include a ransomware attack exploiting a Jenkins vulnerability in India’s banking sector, the discovery of the BITSLOTH malware targeting a South American Foreign Ministry, a critical zero-day vulnerability in Apache OFBiz enabling remote code execution, the active exploitation of a critical RCE flaw in Progress’s WhatsUp Gold, and the misuse of Cisco’s Smart Install feature by hackers to gain access to sensitive information. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Ransomware Strikes Jenkins Vulnerability Leading to Major Banking Sector Breach

A major ransomware attack has disrupted India’s banking sector, targeting Brontoo Technology Solutions, a partner of C-Edge Technologies. The breach originated from a misconfigured Jenkins server at Brontoo, exploited via a Local File Inclusion (LFI) vulnerability (CVE-2024-23897). The RansomEXX group, known for sophisticated attacks, is believed to be behind the breach. The attack resulted in significant operational disruptions, data breaches, and financial losses. To prevent such incidents, it’s crucial to ensure all critical vendors keep their systems updated, particularly Jenkins servers. Regularly updating and patching systems, implementing offline backups, and enforcing multi-factor authentication across all systems are vital steps to enhance security and mitigate risks.

2. BITSLOTH: New Windows Backdoor Leveraging BITS for Covert Communication

Cybersecurity researchers have discovered BITSLOTH, a new malware strain linked to a cyber-attack on a South American Foreign Ministry. Developed in December 2021, BITSLOTH uses the Background Intelligent Transfer Service (BITS) for stealthy command-and-control communication and includes advanced features like keylogging, screen capture, and system discovery. The malware, connected to known Chinese cyber espionage activities, is deployed through DLL side-loading and uses encryption tools to evade detection. To counter such threats, it is essential to monitor BITS traffic to detect unusual activities, enhance endpoint security with advanced EDR solutions, deploy network segmentation to isolate critical systems, and strengthen access controls by enforcing strict permissions and regularly updating them.

3. Critical Zero-Day Vulnerability in Apache OFBiz Enables Remote Code Execution

A critical zero-day vulnerability, CVE-2024-38856, has been discovered in Apache OFBiz, allowing remote code execution by unauthenticated users. This flaw in the authentication mechanism enables attackers to access functionalities typically reserved for logged-in users, including the ProgramExport endpoint. The vulnerability also bypasses a previously patched path traversal issue (CVE-2024-36104). Affected versions include those prior to 18.12.15.

To mitigate this risk, promptly upgrade to Apache OFBiz version 18.12.15 or newer, ensure strong authentication mechanisms for all endpoints, utilize firewalls to limit access to critical services, and implement role-based access controls (RBAC) to restrict access based on user roles. Regular security assessments are also advised to proactively identify vulnerabilities.

4. Critical RCE flaw in Progress WhatsUp Gold Under Active Exploitation

A critical vulnerability, CVE-2024-4885, in Progress Software’s WhatsUp Gold is being actively exploited, allowing unauthenticated remote code execution on affected systems. This flaw, found in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method, enables attackers to execute commands with elevated privileges, posing significant risks to organizations using the network monitoring application. Exploitation attempts began on August 1, 2024, with a proof-of-concept exploit publicly available.

To mitigate this vulnerability, organizations should immediately update to WhatsUp Gold version 23.1.3 or later, implement firewall rules to restrict access to the vulnerable endpoint, monitor for suspicious activities targeting the application, and ensure the WhatsUp Gold server is accessible only internally or through trusted IP addresses.

5. CISA Alerts on Hackers Misusing Cisco Smart Install Feature

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are exploiting the outdated Cisco Smart Install (SMI) feature to gain access to sensitive information on Cisco devices. Attackers have been able to obtain system configuration files, modify settings, replace system images, and exfiltrate data through TFTP by exploiting this legacy protocol.

To mitigate these risks, organizations should disable the Cisco Smart Install protocol, implement strong password protections using NIST-approved Type 8 passwords, regularly audit and monitor devices for unauthorized changes, and ensure all firmware and software are up to date. Network segmentation should also be employed to isolate critical devices and limit access based on the principle of least privilege.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider