
Intel Wrap – August

September 6, 2024
Musa Nadir Sani and Vivian Omeh

This month's wrap covers another Chrome vulnerability being exploited in the wild, Flutterwave gaining a PSP license in Ghana, a Qilin ransomware campaign that harvested credentials stored in Chrome browsers, and a critical vulnerability in a popular WordPress caching plugin.

Google warns of Chrome Vulnerability CVE-2024-7965

Google has confirmed that CVE-2024-7965, a security vulnerability fixed in a recent Chrome release, is being actively exploited in the wild.

Summary

  • Google patched an actively exploited security vulnerability in Chrome as part of a recent software update, tracked as CVE-2024-7965.
  • The vulnerability exists in the V8 JavaScript and WebAssembly engine and is described as an inappropriate implementation bug.
  • The vulnerability could allow remote attackers to exploit heap corruption via a crafted HTML page, according to the NIST National Vulnerability Database.
  • Security researcher TheDog discovered and reported the bug on July 30, 2024, earning an $11,000 bug bounty.
  • Details of the attacks or the threat actors exploiting the flaw have not been disclosed, but Google has acknowledged that an exploit exists in the wild.
  • It is unclear whether CVE-2024-7965 was exploited as a zero-day before the fix shipped; Google added the in-the-wild exploitation note after the patch was released.
  • Google has patched nine zero-day vulnerabilities in Chrome so far in 2024, including several demonstrated at Pwn2Own 2024, and recommends users update to Chrome version 128.0.6613.84/.85.
  • Read more about the vulnerability here
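The actionable item above is the version floor. The following is an added example (not Google's code, nor from the original post) for triaging a fleet's Chrome versions against the fix: it compares the four version components numerically rather than as strings, because string comparison calls a build such as 128.0.6613.9 "newer" than 128.0.6613.84. The hostnames and version strings are constructed sample data.

```python
"""Triage Chrome versions against the fix for CVE-2024-7965 (128.0.6613.84/.85).

Versions are compared component by component as integers, so a build like
128.0.6613.9 is not mistaken for a patched one by plain string comparison.
The inventory below is constructed sample data, not real hosts.
"""
import re

# Lower of the two fixed builds named in Google's advisory; anything at or
# above it carries the fix.
FIXED_VERSION = "128.0.6613.84"

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(text):
    """Return a 4-tuple of ints for a dotted Chrome version, or raise ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a Chrome version string: %r" % text)
    return tuple(int(p) for p in parts)


def extract_version(output):
    """Pull the version out of free text such as the output of `google-chrome --version`."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no version found in %r" % output)
    return match.group(1)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """inventory: {hostname: raw version text}. Returns {hostname: 'patched'|'VULNERABLE'|'unknown'}."""
    result = {}
    for host, raw in inventory.items():
        try:
            result[host] = "patched" if is_patched(extract_version(raw), fixed) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: strings of the kind `google-chrome --version`
# or a software-inventory export would produce (hostnames are made up).
SAMPLE_INVENTORY = {
    "lt-001": "Google Chrome 128.0.6613.84 ",
    "lt-002": "Google Chrome 128.0.6613.119",
    "lt-003": "Google Chrome 127.0.6533.120",
    "lt-004": "Google Chrome 128.0.6613.9",   # string comparison would call this patched
    "lt-005": "Chromium build unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```

Feed `triage` whatever your inventory tool exports; hosts reported as "unknown" need a manual look rather than being assumed safe.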

Flutterwave gets PSP License in Ghana

Flutterwave, a Nigerian fintech, has received a Payment Service Provider license (Enhanced Category) from the Bank of Ghana, allowing it to operate in the country without relying on third-party providers.

Summary

  • The license allows Flutterwave to simplify payment processes for businesses and customers by offering direct services such as automated invoicing, payment links, and multi-method checkout options.
  • Flutterwave can now support other licensed fintechs in Ghana, fostering a more integrated and efficient financial ecosystem.
  • The company aims to enhance secure money transfers and payment collection services across Ghana, benefitting businesses with streamlined financial solutions.
  • Ghana is seen as a key growth market for Flutterwave, with its high mobile internet penetration (71%), tech-savvy population, and stable democracy driving rapid digital adoption.
  • Ghana’s digital payments market is projected to reach $7 billion in 2024 and to grow at an annual rate of 15.78% to $12.96 billion by 2028.
  • Flutterwave’s CEO, Olugbenga ‘GB’ Agboola, views the license as crucial to uniting Africa’s fragmented payment infrastructure and promoting economic growth in Ghana and beyond.
  • This expansion follows Flutterwave’s approval in Mozambique.
  • Read more about it here.

Qilin ransomware harvests credentials from Chrome browsers in recent campaign

A Qilin ransomware intrusion with an unusual credential-harvesting stage was widely reported in August.

Summary

  • The attackers stole credentials saved in Google Chrome browsers on a small set of compromised endpoints, an unusual addition of credential harvesting to a ransomware intrusion.
  • Initial access came through compromised credentials for a VPN portal that did not enforce MFA; post-exploitation activity began 18 days after initial access.
  • The attackers used a Group Policy Object (GPO) to run a PowerShell script at user logon that harvested credentials stored in Chrome; the GPO stayed in place for more than three days, so the script ran on every logon during that window.
  • The stolen credentials were exfiltrated before files were encrypted and ransom notes dropped, so affected users also have to reset passwords for any third-party sites saved in their browsers.
  • Researchers noted that ransomware groups are increasingly harvesting credentials stored on endpoints, potentially opening new avenues for follow-on attacks.
  • Other ransomware groups are also blending in with legitimate tooling: Mad Liberator has been seen abusing the AnyDesk remote-access tool, and Mimic targeting Microsoft SQL servers, to gain access and exfiltrate data.
  • Despite law enforcement efforts, ransomware remains highly profitable, with 2024 on track to be the highest-grossing year yet, including a record $75 million payment to the Dark Angels ransomware group.
  • The median ransom payment spiked from $200,000 in early 2023 to $1.5 million in mid-2024, with ransomware groups targeting larger organizations and critical infrastructure.
  • Russian-speaking threat actors accounted for 69% of ransomware-related cryptocurrency proceeds in the previous year, exceeding $500 million.
  • Ransomware attacks are on the rise, with attackers strategically timing their operations to maximize disruption and ransom payments.
  • Read more about the campaign here
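The intrusion described above leaves a distinctive trace in process-creation telemetry: PowerShell spawned under the GPO script host at logon, a command line that touches Chrome's credential store, and the same command line appearing on many hosts at once. The following detector is an added example written for this post, not code from the researchers who reported the campaign; the Sysmon-style event fields, hostnames, share paths and script names in the sample log are constructed and are not indicators from the real intrusion.

```python
"""Hunt for a GPO-delivered PowerShell credential harvester in process-creation telemetry.

Input: Sysmon event ID 1 style records, one JSON object per line. The records
below are constructed for this example; field names, hosts and script names
are assumptions, not indicators from the reported intrusion.

Three signals, each weak alone, strong together:
  1. powershell.exe whose ancestry (within MAX_HOPS) leads to gpscript.exe,
     the process that runs GPO logon/startup scripts
  2. a command line that touches Chrome's credential store files
  3. the same GPO-launched PowerShell command line on many hosts (fan-out)
"""
import json
from collections import defaultdict

GPO_SCRIPT_HOST = "gpscript.exe"
SHELLS = ("powershell.exe", "pwsh.exe")
CHROME_CRED_FILES = ("login data", "local state")  # SQLite password store and the file holding its DPAPI-wrapped key
MAX_HOPS = 3
FANOUT_THRESHOLD = 3

# Constructed sample log (hostnames, share paths and script names are made up).
SAMPLE_LOG = r"""
{"host":"WS01","pid":400,"ppid":300,"image":"C:\\Windows\\System32\\gpscript.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","cmdline":"gpscript.exe /Logon"}
{"host":"WS01","pid":410,"ppid":400,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\gpscript.exe","cmdline":"cmd.exe /c \\\\dc01\\netlogon\\logon.bat"}
{"host":"WS01","pid":420,"ppid":410,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File \\\\dc01\\netlogon\\inventory.ps1"}
{"host":"WS01","pid":430,"ppid":420,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Copy-Item \"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\" \\\\dc01\\netlogon\\out\\WS01.db"}
{"host":"WS02","pid":510,"ppid":500,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\gpscript.exe","cmdline":"cmd.exe /c \\\\dc01\\netlogon\\logon.bat"}
{"host":"WS02","pid":520,"ppid":510,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File \\\\dc01\\netlogon\\inventory.ps1"}
{"host":"WS03","pid":610,"ppid":600,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\gpscript.exe","cmdline":"cmd.exe /c \\\\dc01\\netlogon\\logon.bat"}
{"host":"WS03","pid":620,"ppid":610,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File \\\\dc01\\netlogon\\inventory.ps1"}
{"host":"WS04","pid":700,"ppid":650,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe Get-Process"}
{"host":"WS05","pid":810,"ppid":800,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\gpscript.exe","cmdline":"cmd.exe /c net use H: \\\\fs01\\home"}
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def launched_by_gpo(event, index):
    """True if gpscript.exe appears within MAX_HOPS parent links.

    Checks the recorded parent_image at each level, so the chain is still found
    when the gpscript.exe event itself was not captured (WS02 and WS03 above).
    """
    cur = event
    for _ in range(MAX_HOPS):
        if basename(cur["parent_image"]) == GPO_SCRIPT_HOST:
            return True
        cur = index.get((cur["host"], cur["ppid"]))
        if cur is None:
            return False
    return False


def detect(events):
    index = {(e["host"], e["pid"]): e for e in events}
    findings = []
    fanout = defaultdict(set)  # normalised command line -> hosts it ran on
    for e in events:
        cmd = e["cmdline"].lower()
        if basename(e["image"]) in SHELLS and launched_by_gpo(e, index):
            findings.append({"rule": "powershell_under_gpo_script", "host": e["host"], "pid": e["pid"]})
            fanout[cmd].add(e["host"])
        if any(marker in cmd for marker in CHROME_CRED_FILES):
            findings.append({"rule": "chrome_credential_store_access", "host": e["host"], "pid": e["pid"]})
    for cmd, hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append({"rule": "gpo_script_fanout", "hosts": sorted(hosts), "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The benign drive-mapping logon script on WS05 and the interactive PowerShell on WS04 produce no findings; the three workstations running the same GPO-pushed script trip the fan-out rule, and the child process that copies the `Login Data` file trips the credential-store rule. In a real environment, tune `FANOUT_THRESHOLD` to your domain size and treat any newly created or modified GPO that carries a logon script as a change to review alongside these alerts.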

Widely used caching plugin LiteSpeed Cache hit by a critical vulnerability

A critical security vulnerability has been discovered in the LiteSpeed Cache plugin, potentially leaving millions of WordPress websites open to takeover.

Summary

  • LiteSpeed Cache is a widely used free caching plugin with over five million active installations, aimed at improving website performance.
  • The vulnerability, tracked as CVE-2024-28000, lets unauthenticated attackers escalate privileges and obtain administrator access to the affected site.
  • Researcher John Blackbourn identified the vulnerability and reported it through the Patchstack bug bounty program, earning $14,400 for the disclosure.
  • A fix was released on August 13, 2024 in version 6.4 of the plugin, but at the time of reporting only 30% of installations had updated, leaving around two million websites exposed.
  • The flaw stems from a weak security hash used by the plugin’s user simulation feature; an attacker who obtains or guesses the hash can act as a privileged user and create administrator accounts.
  • The hash has only one million possible values, so it can be brute-forced; depending on the request rate an attacker can sustain, researchers estimate this takes between a few hours and a week.
  • If debugging is enabled, the hash may also be written to the site’s debug log, giving attackers a way to obtain it without brute force.
  • Mass exploitation is considered less likely because of the time the brute force takes, but the flaw is well suited to targeted attacks, and WordPress security firm Defiant expects active exploitation soon.
  • Researchers recommend that organizations running LiteSpeed Cache update to version 6.4 or later without delay.
  • Read more about the vulnerability here
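To make the "one million possible values" point concrete, the following is an added example written for this post, not the plugin's code or Patchstack's proof of concept. It models the weakness in simplified form: the token is derived from a PRNG seeded with a value in 0..999999, so an attacker who can test candidate tokens against the site needs at most a million attempts regardless of how long the token looks. The seed-to-token mapping, the victim's seed and the request rates are assumptions chosen to illustrate the arithmetic behind the "few hours to a week" estimate.

```python
"""Why a one-million-value security hash is brute-forceable, and what a sound one looks like.

Simplified model, not the plugin's code: the "hash" is derived from a PRNG
seeded with a value in 0..999999, so an attacker who can submit candidate
hashes to the site needs at most SEED_SPACE attempts. Request rates used for
the timing estimate are assumptions.
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
HASH_LEN = 6
SEED_SPACE = 1_000_000  # one million possible values, as reported for the flaw


def weak_hash(seed):
    """Deterministic 6-char token from a seed in [0, SEED_SPACE): the weak scheme (modelled)."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the modelled space")
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(HASH_LEN))


def candidate_hashes():
    """Everything the weak scheme can ever produce: regenerate it seed by seed."""
    for seed in range(SEED_SPACE):
        yield seed, weak_hash(seed)


def brute_force(accepts):
    """Submit candidates to `accepts`, which stands in for the server's hash check.

    Returns (seed, token, attempts) on success, or None after the whole space.
    """
    for attempts, (seed, token) in enumerate(candidate_hashes(), start=1):
        if accepts(token):
            return seed, token, attempts
    return None


def hours_to_exhaust(requests_per_second):
    """Worst-case wall clock to try every value at a given request rate."""
    return SEED_SPACE / requests_per_second / 3600


def entropy_bits(space):
    return math.log2(space)


def strong_hash():
    """What the token should be: 128 bits from the OS CSPRNG, not a seeded PRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed victim: the site generated its hash from seed 12345 (unknown to the attacker).
    secret = weak_hash(12345)
    seed, token, attempts = brute_force(lambda t: t == secret)
    print("recovered", token, "after", attempts, "requests")
    print("weak space: %.1f bits; strong token: 128 bits" % entropy_bits(SEED_SPACE))
    for rate in (100, 2):   # requests per second, assumed
        print("at %d req/s the full space takes %.1f hours" % (rate, hours_to_exhaust(rate)))
```

Note that the six-character token could in principle take 36^6 (about 2.2 billion) values; the weakness is the million-value seed behind it, so lengthening the token without changing its entropy source would not help. At an assumed 100 requests per second the full space is exhausted in under three hours; at 2 per second it takes roughly six days, which is the range the researchers quoted. The fix is a token drawn from a CSPRNG with enough entropy that enumeration is infeasible, plus rate limiting on the endpoint that checks it.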

August saw a considerable number of software vulnerabilities actively exploited in the wild. Unpatched software can lead to far wider compromise and undermines the confidentiality, integrity, and availability of websites and information systems.

If you or your organization suspect a breach or any suspicious activity, kindly reach out to help@cchub.africa for assistance.
