12.8 million auth secrets leaked by GitHub users in 2023

Last week witnessed a surge in cybersecurity threats across various fronts, including exploits targeting critical vulnerabilities in Cisco Secure Client and Fortinet systems, as well as the exposure of millions of authentication secrets on GitHub. Malware like WogRAT and DarkGate leveraged sophisticated techniques, targeting Windows and Linux systems. These developments highlight the pressing need for organizations to bolster their defenses with timely patching and enhanced security measures.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. WogRAT malware exploits aNotepad for covert attacks on Windows and Linux systems

The recently discovered malware ‘WogRAT’ poses a significant threat to both Windows and Linux systems, utilizing the online notepad platform ‘aNotepad’ as a covert channel for storing and retrieving malicious code. This malware has been active since late 2022, primarily targeting Asian countries such as Japan, Singapore, China, and Hong Kong. Its distribution methods remain undisclosed, but the malware disguises itself with executable names resembling popular software titles, potentially indicating malvertising tactics. By leveraging aNotepad, the malware evades detection by security tools, enhancing its stealth during the infection process.

Upon execution, WogRAT dynamically compiles and executes an encrypted downloader, retrieving additional malicious payloads from aNotepad to establish a backdoor and communicate with a command-and-control server. Security researchers advise enhancing detection mechanisms, strengthening endpoint security, and maintaining regular security updates.

2. More than 12 million auth secrets and keys exposed on GitHub in 2023

GitGuardian reported that in 2023, GitHub users inadvertently exposed 12.8 million authentication and sensitive secrets across over 3 million public repositories, with only 1.8% responding promptly to rectify the issue. The leaked data encompassed passwords, API keys, certificates, and more, posing significant risks of unauthorized access and potential data breaches. Most exposed secrets remained viable for at least five days, with India, the United States, Brazil, China, and France being the top countries affected.

The IT sector accounted for most of the leaks, followed by education; commonly leaked secrets included Google API and Cloud keys, MongoDB credentials, and others. Although some secrets were revoked quickly, the majority remained valid after five days. Recommendations include enforcing strict access controls, implementing real-time monitoring, adopting a shift-left security approach, and using tools such as ggshield to detect and block leaky commits organization-wide.
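The shift-left recommendation above, as an added example that is not from GitGuardian or ggshield: a small Python pre-commit-style scanner that inspects only the added lines of a unified diff, using the public Google API key and MongoDB URI formats plus a Shannon-entropy check for generic secret assignments. The diff, file path and secret values are constructed for the demonstration; `str.removeprefix` needs Python 3.9 or later.

```python
import math
import re

# Signature rules for secret formats the report names (Google API / Cloud keys,
# MongoDB credentials). The formats are public; all sample values below are constructed.
SIGNATURES = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s:@/]+:[^\s@/]+@[^\s/\"']+"),
}
# Generic rule: a secret-looking variable assigned a quoted literal of 12+ chars, reported
# only if the literal is high-entropy (placeholders such as "changeme-please" are not).
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{12,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character

def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_diff(diff_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, file, redacted_match) for each secret found in *added* lines."""
    findings, current_file = [], "?"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("+"):  # context and removed lines are not new exposure
            added = line[1:]
            for rule, pattern in SIGNATURES.items():
                for m in pattern.finditer(added):
                    findings.append((rule, current_file, m.group(0)[:4] + "***"))
            m = ASSIGNMENT.search(added)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_assignment", current_file, m.group(1)[:4] + "***"))
    return findings

# Constructed diff, not from any real repository; the removed OLD_TOKEN line must not fire.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -1,2 +1,5 @@
 DEBUG = False
-OLD_TOKEN = "AIzaSyOLDKEY0123456789abcdefghijklmnopq"
+GOOGLE_MAPS_KEY = "AIzaSyDEXAMPLE0123456789abcdefghijklmno"
+MONGO_URI = "mongodb+srv://appuser:Sup3rS3cret@cluster0.example.net/db"
+DB_PASSWORD = "v9$Kq2!pLx7#Rw4z"
+API_TOKEN = "changeme-please"
"""

if __name__ == "__main__":
    for rule, path, hit in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {rule} ({hit})")
```

Wired into a pre-commit hook, a non-empty result from `scan_diff` on `git diff --cached` is the signal to reject the commit before the secret reaches a public repository.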

3. Cisco issues patch for high-severity VPN hijacking bug in Secure Client

Cisco has issued updates to address two critical vulnerabilities in its Secure Client software, labeled as CVE-2024-20337 and CVE-2024-20338, with respective CVSS scores of 8.2 and 7.3. CVE-2024-20337 involves a SAML authentication CRLF injection flaw, allowing remote attackers to execute arbitrary script code or access sensitive information by manipulating a user’s browser during VPN session establishment.

Meanwhile, CVE-2024-20338 enables local attackers to escalate privileges on Cisco Secure Client for Linux by introducing a malicious library file and persuading an administrator to restart a specific process. Organizations are urged to promptly apply the security updates, review Cisco Security Advisories for comprehensive details, and configure VPN headends securely to mitigate the risk of exploitation.

4. Critical Fortinet vulnerability could affect 150,000 vulnerable devices

Approximately 150,000 Fortinet FortiOS and FortiProxy systems are vulnerable to CVE-2024-21762, a critical flaw allowing remote code execution without authentication. CISA (Cybersecurity and Infrastructure Security Agency) has confirmed active exploitation of this vulnerability, prompting concerns about targeted attacks by sophisticated adversaries.

Most vulnerable devices are in the United States, with significant numbers also in India, Brazil, and Canada. Mitigation strategies include immediate upgrading to patched versions, disabling SSL VPN on FortiOS devices if upgrading is not feasible, and prioritizing patching and securing Fortinet systems to prevent potential exploitation of CVE-2024-21762.

5. DarkGate malware exploits recently patched Microsoft flaw in zero-day attack

The DarkGate malware operation has launched a new wave of attacks exploiting a previously patched vulnerability in Windows Defender SmartScreen (CVE-2024-21412), allowing for the automatic installation of counterfeit software installers. By leveraging a sophisticated technique involving Windows Internet shortcuts and open redirects from Google DoubleClick, attackers bypass email security checks to deliver malicious payloads, triggering automatic execution upon opening.

Exploiting DLL sideloading, the malware payload (version 6.1.7) executes, enabling various malicious activities such as data theft, keylogging, and remote access. The evolving sophistication of malware distribution tactics highlights the critical need for robust cybersecurity measures, including regular patch management, enhanced email security, and comprehensive endpoint protection.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
