6 December 2024

Cyber Security Week in Review: December 6, 2024

Japan’s CERT warns of zero-day vulnerabilities in I-O Data routers

Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a security advisory warning of ongoing exploitation of zero-day vulnerabilities in I-O Data’s UD-LT1 and UD-LT1/EX LTE routers, which are widely used across Japan.

The three flaws are an information disclosure issue (CVE-2024-45841), a remote OS command injection (CVE-2024-47133), and a flaw that lets an attacker disable the firewall (CVE-2024-52564). Exploited together, they allow an attacker to read and alter device settings, execute arbitrary commands, and turn off the firewall. The vendor has confirmed that some users have already reported exploitation in real-world attacks.

A vulnerability in Zyxel firewalls exploited in the wild

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a path traversal vulnerability in multiple Zyxel firewall appliances to its Known Exploited Vulnerabilities (KEV) catalog, indicating exploitation in the wild. The flaw, tracked as CVE-2024-11667, affects the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Successful exploitation could allow an attacker to upload or download files using crafted URLs, potentially leading to unauthorized system access, credential theft, and the creation of backdoor VPN connections.

Cisco says decade-old bug in ASA appliances exploited in the wild

Networking giant Cisco has updated its advisory for a ten-year-old vulnerability in its Adaptive Security Appliance (ASA) software to warn users of active exploitation. The vulnerability, tracked as CVE-2014-2120, stems from insufficient input validation of a parameter on the ASA WebVPN login page. A remote, unauthenticated attacker could exploit it to conduct a cross-site scripting (XSS) attack against a user of the interface, typically by persuading the user to follow a crafted link. The activity involving CVE-2014-2120 has been linked to the Mozi botnet, which uses it to widen the scale and scope of its campaigns.

Russian Turla hijacks C2 infrastructure of Pakistani hackers in espionage campaign

Lumen’s Black Lotus Labs has uncovered a sophisticated espionage campaign by the Russia-based threat actor tracked as “Secret Blizzard,” better known as Turla. The group, linked to Russia’s Federal Security Service (FSB), infiltrated the command-and-control (C2) infrastructure of the Pakistan-based actor Storm-0156 in a “spy-on-spy” operation. The operation began in December 2022, when Secret Blizzard gained initial access to a Storm-0156 C2 server. By mid-2023, the group had expanded its control and was using the infrastructure to deploy its own malware, TwoDash and Statuezy, against networks linked to Afghan government entities. By April 2023, the Russian group had also reached the workstations of Storm-0156 operators, obtaining credentials, insight into the group’s tooling, and data exfiltrated in Storm-0156’s earlier operations.

A separate Microsoft analysis describes how Turla has systematically infiltrated the infrastructure of at least six state-sponsored and criminal hacking groups since 2017, including Iranian (Hazel Sandstorm), Kazakhstani (Storm-0473), and other unnamed actors.

Another Russian state-sponsored group, Gamaredon (also tracked as BlueAlpha), is running an ongoing cyber-espionage campaign against Ukrainian-speaking targets, according to the latest report from Recorded Future’s Insikt Group. Active since 2013 and likewise linked to the FSB, the group reportedly operates from Russian-annexed Crimea. In its latest operations it uses Cloudflare Tunnels to hide the location of its staging servers and deploys the custom GammaDrop malware, keeping its infrastructure out of sight during attacks.
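Cloudflare’s quick tunnels are reached through randomly named subdomains of trycloudflare.com, so resolver or Zeek dns.log data is one practical place to hunt for the technique described above. The following is an added example (not code from the page or from Recorded Future’s report): it parses constructed Zeek-style dns.log lines, groups trycloudflare.com lookups by source host, and applies a hypothetical allowlist for tunnels your own developers are known to use.

```python
"""Hunt DNS logs for Cloudflare quick-tunnel hostnames (added example).

Cloudflare quick tunnels are served from random subdomains of
trycloudflare.com. The log lines below are constructed for this example
in the Zeek dns.log column order (subset): ts, id.orig_h, query,
qtype_name, rcode_name.
"""
from collections import defaultdict

SAMPLE_DNS_LOG = """\
1733400001.10\t10.0.0.15\tupdate.microsoft.com\tA\tNOERROR
1733400002.33\t10.0.0.42\tblue-river-cards-fixed.trycloudflare.com\tA\tNOERROR
1733400003.91\t10.0.0.42\tblue-river-cards-fixed.trycloudflare.com\tAAAA\tNOERROR
1733400004.20\t10.0.0.15\tmail.example.org\tMX\tNOERROR
1733400005.77\t10.0.0.77\tdemo-ci-runner.trycloudflare.com\tA\tNOERROR
1733400006.02\t10.0.0.42\tsweet-slow-dream-pine.trycloudflare.com\tA\tNOERROR
"""

TUNNEL_SUFFIX = ".trycloudflare.com"
# Hypothetical allowlist (assumption): a developer's known quick tunnel.
ALLOWLIST = frozenset({"demo-ci-runner.trycloudflare.com"})


def parse_dns_log(text):
    """Yield (src_ip, query) from tab-separated lines; skip comments and blanks."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        # Normalise the query: strip a trailing dot, lower-case it.
        yield fields[1], fields[2].rstrip(".").lower()


def find_tunnel_lookups(text, allowlist=ALLOWLIST):
    """Map source IP -> sorted unique trycloudflare.com hosts it resolved."""
    hits = defaultdict(set)
    for src, query in parse_dns_log(text):
        # Suffix match with the leading dot so 'evil-trycloudflare.com' is ignored.
        if query.endswith(TUNNEL_SUFFIX) and query not in allowlist:
            hits[src].add(query)
    return {src: sorted(hosts) for src, hosts in hits.items()}


if __name__ == "__main__":
    for src, hosts in find_tunnel_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src}: {', '.join(hosts)}")
```

A hit is a lead, not a verdict: quick tunnels are popular with developers, so review the allowlist regularly and pivot from the flagged host to process and proxy telemetry before escalating.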

Suspected Chinese hackers targeted a US-based firm in a 4-month cyberattack

A China-based threat actor likely targeted a large US organization earlier this year, with the first signs of malicious activity observed in April 2024. The attackers moved laterally through the network and compromised multiple systems, including Exchange servers, to harvest email and exfiltrate sensitive data.

Interestingly, the same organization was attacked last year by a group associated with Daggerfly, a Chinese state-sponsored hacking collective. Daggerfly has been active since at least 2012, conducting espionage against individuals, governments, and organizations in regions such as Taiwan, Africa, and Southeast Asia.

Chinese hackers continue to target US telecom networks in prolonged spying campaign

US telecommunications companies are still working to root out state-sponsored Chinese hackers, known collectively as ‘Salt Typhoon,’ who infiltrated telecom networks in a spying campaign that started several months ago. US officials confirmed that the cyber espionage group has collected intelligence by compromising multiple telecom providers, with targets ranging from prominent government figures to select private individuals.

North Korea's Kimsuky group employs Russian sender addresses in phishing campaigns

A North Korea-aligned cyber-espionage group known as Kimsuky has been linked to a series of phishing attacks that use Russian sender addresses. Until early September, Kimsuky’s phishing campaigns relied primarily on email services in Japan and South Korea; from mid-September, the phishing emails were instead crafted to appear as though they originated from Russian domains.

Earth Minotaur uses MOONSHINE to deploy the newly discovered DarkNimbus backdoor

Trend Micro researchers analyzed the threat group Earth Minotaur, which uses an updated version of the MOONSHINE exploit kit against vulnerabilities in Android instant messaging apps, with victims concentrated in Tibetan and Uyghur communities. The group operates globally, with victims in countries including the US, Germany, India, and Japan. MOONSHINE, which had more than 55 active servers as of 2024, has gained functionality since it was last publicly documented in 2019, including new exploits such as CVE-2020-6418, a V8 JavaScript engine flaw that was exploited as a zero-day before Google patched it in 2020.

Earth Minotaur uses MOONSHINE to deploy the newly discovered DarkNimbus backdoor, which exists in both Android and Windows versions. The backdoor is primarily delivered by exploiting the built-in browser of instant messaging apps such as WeChat.

The threat actors behind the More_eggs malware linked to two new malware families

The threat actor known as Venom Spider (aka Golden Chickens), previously associated with the More_eggs malware, has expanded its malware-as-a-service (MaaS) operations with two new malware families: RevC2 and Venom Loader. RevC2 is an advanced backdoor leveraging WebSockets for C2 communication. It can steal cookies and passwords, proxy traffic, execute shell commands, take screenshots, and perform remote code execution (RCE). Venom Loader is a customizable malware loader that tailors its payloads based on a victim’s computer name.

Both malware families were delivered through VenomLNK, a malicious shortcut file that gains initial execution and displays a decoy PNG image while the payload runs. Campaigns using these tools were active from August to October 2024, although the initial distribution method remains unclear.

ANEL backdoor observed in Earth Kasha spear-phishing campaign

A new spear-phishing campaign has been targeting individuals and organizations in Japan since around June 2024, according to Trend Micro. A notable aspect of this campaign is the return of a backdoor dubbed ANEL, which APT10 used in campaigns against Japan until around 2018 and which had not been observed since. NOOPDOOR, a backdoor known to be used by Earth Kasha, has also been confirmed in the same campaign. Based on these findings, Trend Micro assesses that the campaign is part of a new operation by Earth Kasha.

Solana Web3.js library compromised in a supply chain attack

The Solana JavaScript SDK (@solana/web3.js), a core library that decentralized applications (dApps) use to interact with the Solana blockchain, suffered a supply chain attack in which two malicious versions were published to npm. Versions 1.95.6 and 1.95.7 were injected with backdoor code designed to steal private and secret keys, enabling attackers to drain cryptocurrency wallets. Socket researchers believe the compromise resulted from a social engineering/phishing attack against maintainers with publish access to the official Web3.js open source library maintained by Solana.
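Solana published 1.95.8 as the clean follow-on release and advised rotating any keys handled by systems that ran the bad versions. The first question for a practitioner is whether one of the two backdoored releases is anywhere in the dependency tree, including transitively, since a pinned copy under another package does not show up in the top-level manifest. The following is an added example (not Solana’s code or the page’s): it scans an npm package-lock.json (lockfileVersion 1, 2 and 3) for the affected versions, using constructed sample lockfiles in which the direct dependency is clean but a hypothetical wallet adapter pins a nested backdoored copy. Yarn and pnpm lockfiles are out of scope.

```python
"""Check an npm lockfile for the backdoored @solana/web3.js releases.

Added example, not code from Solana or the page. Handles npm's
package-lock.json in lockfileVersion 1 (nested "dependencies" tree) and
2/3 (flat "packages" map). The sample lockfiles are constructed; the
wallet adapter package is hypothetical.
"""
import json

PACKAGE = "@solana/web3.js"
COMPROMISED = frozenset({"1.95.6", "1.95.7"})

SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "example-dapp",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@solana/web3.js": "^1.95.8", "some-wallet-adapter": "^2.0.0"}},
    "node_modules/@solana/web3.js": {"version": "1.95.8"},
    "node_modules/some-wallet-adapter": {"version": "2.0.0",
      "dependencies": {"@solana/web3.js": "1.95.7"}},
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": {"version": "1.95.7"}
  }
}
""")

SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "example-dapp",
  "lockfileVersion": 1,
  "dependencies": {
    "@solana/web3.js": {"version": "1.95.8"},
    "some-wallet-adapter": {
      "version": "2.0.0",
      "dependencies": {"@solana/web3.js": {"version": "1.95.6"}}
    }
  }
}
""")


def find_compromised(lock):
    """Return [(install_path, version)] for every backdoored copy in the lock."""
    hits = []
    if "packages" in lock:
        # v2/v3: flat map keyed by install path. A transitive copy appears as
        # node_modules/<parent>/node_modules/@solana/web3.js, so a suffix match
        # catches every nesting depth. v2 also carries a legacy "dependencies"
        # tree describing the same install, which is skipped to avoid duplicates.
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + PACKAGE) and meta.get("version") in COMPROMISED:
                hits.append((path, meta["version"]))
        return hits

    def walk(deps, prefix):
        # v1: nested "dependencies" objects, each with its own "version".
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE and meta.get("version") in COMPROMISED:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def scan_lockfile(path):
    """Load a package-lock.json from disk and report compromised copies."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for install_path, version in find_compromised(lock):
            print(f"COMPROMISED {install_path} @ {version}")
```

A clean lockfile today does not prove the bad version never ran: check build logs and CI caches for the window in which 1.95.6 or 1.95.7 was installable, and treat any key that passed through such a build or deployment as exposed.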

Another Scattered Spider suspect arrested

US authorities have arrested 19-year-old Remington Goy Ogletree, known online as ‘remi,’ for alleged involvement in cyberattacks linked to the Scattered Spider hacking group. Ogletree is accused of breaching a US financial institution and two unnamed telecom companies by leveraging stolen employee credentials obtained through phishing campaigns.

The attacks involved text and voice phishing messages, as well as impersonation of IT support to pressure employees into accessing phishing sites designed to harvest their usernames and passwords. At the financial institution, approximately 149 employees were targeted between late October and mid-November 2023. The phishing attacks reportedly led employees to landing pages mimicking the company's systems, enabling Ogletree to gain unauthorized access to sensitive networks.

The UK dismantles multi-billion Russian money laundering networks tied to drugs, ransomware, and espionage

An international investigation led by the UK’s National Crime Agency (NCA) has dismantled Smart and TGR, two money laundering networks serving organized crime around the world. The operation, dubbed ‘Operation Destabilise’, has led to the arrest of 84 individuals and the seizure of over £20 million in cash and cryptocurrency. The two networks provided financial services to criminal organizations, including the notorious Kinahan cartel, and to Russian elites circumventing sanctions. Both networks also supported Russian espionage and cybercrime: Smart was found to have directly funded Russian espionage operations from late 2022 to mid-2023, and it laundered $2.3 million in ransomware payments for the Ryuk ransomware group, which extorted at least £27 million from UK victims, including hospitals and schools.

In other news, a major international law enforcement operation led by Germany’s Hanover Police and Verden Public Prosecutor’s Office has disrupted a sophisticated criminal network involved in large-scale online fraud. Authorities seized over 50 servers linked to the Manson Market and secured 200 terabytes of digital evidence. Two suspects, aged 27 and 37, were arrested under European arrest warrants and are in pretrial detention.

In a separate effort, German law enforcement authorities have dismantled Crimenetwork, the country’s largest underground marketplace, which facilitated the sale of drugs, stolen data, and illegal services. The operation also led to the arrest of the marketplace’s suspected administrator, a 29-year-old known online as ‘Techmin.’ Authorities believe Techmin served as a key technical expert in the platform’s operations for several years.

Also, an international Joint Investigation Team (JIT) involving French and Dutch authorities has dismantled MATRIX, an encrypted messaging service designed and operated by criminals.

Romania declassifies documents exposing a propaganda campaign and cyberattacks that influenced the country's presidential elections

Romania's national security council (CSAT) declassified two documents exposing a coordinated propaganda campaign and cyberattacks that influenced the country's presidential elections. According to one of the documents, more than 85,000 cyberattacks targeted Romania's election infrastructure. Threat actors also compromised and leaked credentials for election-related websites on a Russian hacker forum days before the first voting round.

While the documents don’t directly attribute the campaign, a US State Department statement and widespread consensus in Romania point to Russian involvement.
