13 December 2024

Cyber Security Week in Review: December 13, 2024

Cleo fixes a critical bug exploited in the wild

Cleo has released security updates to address a critical zero-day vulnerability in its Harmony, VLTrader, and LexiCom managed file transfer software. The flaw, initially patched in October (CVE-2024-50623), is now being exploited through a bypass discovered on December 8, enabling attackers to execute arbitrary bash or PowerShell commands via the default Autorun folder settings.

The zero-day exploitation has been linked to the Termite ransomware gang, which recently targeted SaaS provider Blue Yonder. Cleo strongly advises customers to upgrade to version 5.8.0.24 immediately. For those unable to upgrade, disabling the Autorun feature is recommended to mitigate risks.

The attackers leveraged the vulnerability to deploy Malichus, a cross-platform Java-based post-exploitation framework primarily affecting Windows devices. Malichus enables file transfers, command execution, and network communication.

On the same note, security researchers reported a surge in malicious activity exploiting a critical vulnerability in Apache ActiveMQ to deploy Mauri ransomware. The vulnerability (CVE-2023-46604) enables attackers to execute arbitrary commands on unpatched servers. The flaw stems from insecure input validation when processing serialized data in the OpenWire protocol. It allows a remote attacker to pass specially crafted data to the application and execute arbitrary code on the target system.

Microsoft has released its final Patch Tuesday updates for 2024 addressing more than 70 security vulnerabilities across its software ecosystem, including a high-risk vulnerability exploited in the wild. Tracked as CVE-2024-49138, the flaw affects the Windows Common Log File System (CLFS) Driver and can be abused by a local user for code execution with SYSTEM privileges.

Russian Turla APT exploits other threat actors’ tools to attack Ukraine

The Russian nation-state actor known as Secret Blizzard (aka Turla) has been observed leveraging malware associated with other threat groups to deploy its advanced tools, targeting devices linked to Ukraine's military. Microsoft says that Secret Blizzard used the Amadey bot malware to deliver its custom backdoor called “KazuarV2” onto specifically selected systems in Ukraine between March and April 2024.

Separately, Ukraine’s Computer Emergency Response Team (CERT-UA) discovered targeted phishing campaigns attributed to the threat actor group UAC-0185. The attacks primarily target the Ukrainian Defense Forces and enterprises within the defense-industrial complex (DIC), leveraging sophisticated methods to gain unauthorized access to sensitive systems and information.

Another Russia-linked threat actor Gamaredon, associated with the FSB, has been linked to two new Android spyware tools, BoneSpy and PlainGnome. The tools mainly target Russian-speaking victims in former Soviet states like Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan.

BoneSpy, active since 2021, operates as a standalone spyware application, while PlainGnome, first spotted in 2023, is used as a dropper delivering surveillance payloads embedded within its package. Both tools collect sensitive data, including SMS messages, call logs, call audio, photos, location, and contact lists.

Chinese hackers abuse VSCode tunnels for stealthy remote access

Chinese hackers have been observed leveraging Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems. The campaign, dubbed 'Operation Digital Eye', targeted large IT service providers in Southern Europe between June and July 2024. The tactic allowed hackers to disguise their malicious activity as legitimate Microsoft services.

In the observed attack, the intruders gained initial access through a widespread vulnerability exploitation campaign. They employed 'sqlmap', an automated SQL injection tool, to breach internet-facing web and database servers. After infiltrating the systems, they deployed the PHP-based web shell called PHPsert to execute remote commands and drop additional payloads.

US authorities charge a Chinese hacker for exploiting zero-day bug in Sophos firewalls

The US Department of Justice (DoJ) unsealed charges against a Chinese national accused of exploiting a zero-day vulnerability to hack tens of thousands of Sophos firewall devices worldwide. Guan Tianfeng, known online as ‘gbigmao’ and ‘gxiaomao,’ is accused of developing and deploying malware that targeted Sophos firewalls in 2020, exploiting a then-unknown zero-day vulnerability tracked as CVE-2020-12271, an SQL injection flaw that enables attackers to achieve remote code execution on vulnerable devices.

The DoJ alleges that Guan and his co-conspirators used the vulnerability to compromise approximately 81,000 Sophos firewalls globally. The attacks involved malware designed to steal sensitive information from compromised devices while masking its activity through the use of spoofed domains disguised as legitimate Sophos resources.

New EagleMsgSpy surveillance tool linked to Chinese authorities

A sophisticated surveillance tool believed to be used by Chinese police departments for lawful intercept operations has been discovered. Dubbed ‘EagleMsgSpy’, the Android-based tool has been in operation since at least 2017 and comprises two primary components: an installer APK and a surveillance client that operates headlessly on compromised devices. Once installed, the software enables extensive data collection, including messages from third-party chat apps, screen recordings and screenshots, audio recordings, call logs, contacts, SMS messages, geolocation data, and network activity.

Iran-linked hackers use new IOCONTROL tool to attack IoT and SCADA/OT devices

Claroty’s Team82 uncovered a custom-built IoT/OT malware called IOCONTROL used by Iran-affiliated hackers to attack Israel- and US-based OT/IoT devices. The malware targets devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), and firewalls.

IOCONTROL is modular and capable of running on various Linux-based IoT/OT platforms, making it highly versatile. The malware has been employed against systems like Orpak and Gasboy fuel management systems, with evidence suggesting its role as a nation-state cyberweapon targeting civilian infrastructure. It uses the MQTT protocol, commonly associated with IoT devices, to obfuscate command-and-control (C2) traffic between compromised devices and the attackers.

Affected vendors include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and more.

Cybercrims exploit misconfigurations to steal source code, AWS credentials, and secrets

A large-scale cyber theft operation targeting Amazon Web Services (AWS) customers is underway, with attackers exploiting misconfigured public websites to steal sensitive information, including source code, database credentials, and API keys. Researchers spotted an open AWS S3 bucket used as a “shared drive” among the attackers, revealing 2 TB of data, including proprietary source code, infrastructure credentials, and database access details. The misconfigured bucket also stored source code for the attackers’ tools and logs of their operations, providing insights into their tactics and the scope of the breach.

New malware botnet Socks5Systemz powers illegal proxy service

Researchers at Bitsight have uncovered a botnet dubbed ‘Socks5Systemz’ that supports the operations of the illegal proxy service known as ‘PROXY.AM’. Socks5Systemz has been around since 2013, with its deployment linked to malware like PrivateLoader, SmokeLoader, and Amadey. The botnet’s primary role is to transform infected devices into proxy exit nodes, enabling threat actors to conceal their attack origins. These nodes are then marketed on PROXY.AM, a service operational since 2016 that offers anonymous proxy servers for rent. The highest infection rates were observed in countries such as India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, and the United States.

A new technique can bypass existing isolation mechanisms in modern browsers

Mandiant researchers devised a novel method to circumvent browser isolation technology, leveraging QR codes for command-and-control (C2) operations. In Mandiant’s proof of concept (PoC), the victim's machine, already compromised by malware, uses a headless browser client to capture and decode the QR code. The decoded instructions facilitate communication between the implant and the attacker-controlled server.

The method works across all types of browser isolation—remote, on-premises, and local—because it relies on visual content, not network-level interactions.

A new report from Elastic analyzes a new Linux rootkit named PUMAKIT, which employs a multi-component structure, including a dropper, memory-resident executables, a loadable kernel module (LKM) rootkit, and a shared object (SO) userland rootkit, activating only under specific conditions. PUMAKIT hooks 18 syscalls and kernel functions using ftrace to evade detection, hide files, directories, and itself, and counter debugging efforts. Notably, it uses unconventional methods such as hooking the rmdir() syscall for privilege escalation. Its core functionalities include privilege escalation, C2 communication, anti-debugging measures, and system manipulation for maintaining long-term control.
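A defender-side check tied to the ftrace hooking described above, added here as an example and not part of Elastic's report: it lists the symbols the kernel reports as carrying ftrace callbacks and flags any that appear on a watchlist of functions rootkits commonly hook. The watchlist and the sample file content are constructed assumptions, not data from the report.

```python
"""Flag ftrace-hooked kernel functions that a rootkit typically targets.

Reads /sys/kernel/tracing/enabled_functions (falling back to the debugfs
path) and reports symbols that match a watchlist. Run as root on Linux.
"""
import re
from pathlib import Path

ENABLED_PATHS = [
    Path("/sys/kernel/tracing/enabled_functions"),
    Path("/sys/kernel/debug/tracing/enabled_functions"),
]

# Hypothetical watchlist (an assumption, not an official list): syscall entry
# points and helpers whose hooking would let a rootkit hide files, processes,
# modules or sockets, plus rmdir, which the report above says PUMAKIT hooks.
WATCHLIST = {
    "__x64_sys_rmdir", "__x64_sys_getdents", "__x64_sys_getdents64",
    "__x64_sys_kill", "__x64_sys_ptrace", "filldir", "filldir64",
    "tcp4_seq_show", "tcp6_seq_show", "m_show", "do_init_module",
}

# Each enabled_functions line starts with "<symbol> (<count>)"; the rest of
# the line (flags, trampoline, callback) varies by kernel version, so only
# the leading symbol is parsed.
SYMBOL_RE = re.compile(r"^(\S+)\s+\(\d+\)")

def hooked_symbols(text):
    """Return the kernel symbols listed as having an ftrace callback."""
    return [m.group(1) for m in map(SYMBOL_RE.match, text.splitlines()) if m]

def suspicious_hooks(text, watchlist=WATCHLIST):
    """Return sorted watchlist symbols that currently carry a hook."""
    return sorted(s for s in hooked_symbols(text) if s in watchlist)

def read_enabled_functions():
    for p in ENABLED_PATHS:
        if p.exists():
            return p.read_text()
    return ""

# Constructed sample in the enabled_functions layout; addresses are made up.
SAMPLE = """\
__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc0a1e000 (ftrace_regs_caller+0x0/0x1c) ->ftrace_ops_assist_func+0x0/0x120
__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc0a1e000 (ftrace_regs_caller+0x0/0x1c) ->ftrace_ops_assist_func+0x0/0x120
vfs_read (1) R I\ttramp: 0xffffffffc0a1e000 (ftrace_regs_caller+0x0/0x1c) ->ftrace_ops_assist_func+0x0/0x120
"""

if __name__ == "__main__":
    print("sample hits:", suspicious_hooks(SAMPLE))
    live = read_enabled_functions()
    print("live hits:", suspicious_hooks(live) if live else "file unavailable or empty")
```

Legitimate tracers (perf, bpftrace, kernel live patching) also populate this file, so a hit is a lead to investigate rather than a verdict, and a rootkit that filters reads of tracefs would defeat a file-based check like this one.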

The US indicts 14 North Koreans involved in $88 million worker schemes

The US authorities indicted 14 North Korean nationals for a six-year scheme in which they stole American identities to secure jobs at US firms, earning at least $88 million that was funneled back to North Korea. From 2017 to 2023, the individuals worked as IT professionals for US companies and nonprofits, often holding multiple jobs simultaneously and earning over $10,000 monthly. Some also extorted employers by threatening to leak proprietary information. Operating through North Korean-controlled firms in China and Russia, they concealed their identities using false or stolen credentials.

Additionally, the US State Department announced a reward of up to $5 million for information related to North Korean-controlled firms and individuals and their activities.

In a separate case, a heist of $50 million in cryptocurrency from the crypto platform Radiant Capital has been attributed to a North Korean group known as AppleJeus or Citrine Sleet, associated with North Korea’s Reconnaissance General Bureau (RGB).

Global police op shuts down major DDoS platforms

A joint law enforcement operation involving police agencies from multiple countries dismantled 27 of the most popular platforms used to launch Distributed Denial-of-Service (DDoS) attacks. The crackdown led to the seizure of major DDoS service platforms, including zdstresser.net, orbitalstress.net, and starkstresser.net. As part of the effort, three suspected administrators were arrested in France and Germany, and 300 users engaged in planning further DDoS attacks were identified.

The US takes down Rydox cybercrime marketplace, three admins arrested

The US authorities announced the takedown of Rydox, a cybercrime marketplace dealing in stolen personal information and fraud tools, and unsealed charges against its alleged administrators. Three suspects from Kosovo, Ardit Kutleshi (26), Jetmir Kutleshi (28), and Shpend Sokoli, were arrested as part of the operation.

The Kutleshis were detained in Kosovo and await extradition to the US, while Sokoli was arrested in Albania, where he is expected to face prosecution. According to the indictment, Rydox had operated since February 2016, facilitating the sale of stolen personally identifiable information (PII), credit card data, and login credentials. The platform reportedly conducted over 7,600 sales, generating at least $230,000 in illicit revenue.

Germany sinkholes the BADBOX botnet

Germany's Federal Cybersecurity Agency (BSI) has sinkholed communications between BADBOX bots and the botnet’s command-and-control servers. First detected in October 2023, the BADBOX malware spread through malicious Android and iOS apps and Android TV streaming box firmware, creating a botnet of over 280,000 devices globally. The botnet’s operations have been attributed to China.

In Germany, over 30,000 infected devices have been identified, and the BSI now requires ISPs with over 100,000 customers to redirect BADBOX traffic to the sinkhole. The agency is collaborating with ISPs to notify affected users.

