At a glance.
- Cleo urges customers to patch actively exploited vulnerability.
- Iran-linked threat actor deploys new ICS malware.
- Law enforcement shutters the Rydox cybercrime marketplace.
Cleo urges customers to patch actively exploited vulnerability.
File-transfer software company Cleo is urging customers to patch an actively exploited vulnerability affecting its Harmony, VLTrader, and LexiCom products. The vulnerability (CVE pending) "could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." The company initially issued a patch for the flaw in October (then tracked as CVE-2024-50623), but Huntress researchers found the patch was insufficient. Cleo issued an updated fix this week.
Researchers at Huntress, Rapid7, Arctic Wolf, and Sophos have observed widespread exploitation of the flaw. Huntress stated, "We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity." Arctic Wolf describes a Java-based backdoor dubbed "Cleopatra" that's being deployed in "a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access."
Iran-linked threat actor deploys new ICS malware.
Researchers at Claroty have discovered a new strain of IoT/OT malware, dubbed "IOCONTROL," used by Iran-affiliated attackers to target devices in Israel and the US. The researchers state, "IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Some of the affected vendors include: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others."
Notably, Claroty says, "One particular IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States. The malware is essentially custom built for IoT devices but also has a direct impact on OT such as the fuel pumps that are heavily used in gas stations."
The malware has been deployed by a threat actor tracked as the "CyberAv3ngers," which is believed to have ties to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
Law enforcement shutters the Rydox cybercrime marketplace.
The US Justice Department yesterday announced the seizure of the Rydox cybercrime marketplace, alongside the arrests of three suspected administrators. Two of the defendants were arrested in Kosovo and will be extradited to the US. A third was nabbed in Albania and will be prosecuted by the Albanian government.
The Justice Department stated, "[T]he Rydox marketplace has conducted over 7,600 sales of personally identifiable information (PII), stolen access devices, and cybercrime tools, which generated at least $230,000 in revenue since its inception in or around February 2016. These sales included PII, credit card information, and login credentials stolen from thousands of victims residing in the United States. In addition, the Rydox site has offered for sale at least 321,372 cybercrime products to over 18,000 users including stolen PII such as names, addresses, and social security numbers; access devices such as stolen credentials for online accounts and credit card information; and cybercrime tools such as scam pages, spamming logs, and spamming tutorials."