By the CyberWire staff
At a glance.
- Cleo urges customers to patch actively exploited vulnerability.
- Iran-linked threat actor deploys new ICS malware.
- Chinese APT abuses Visual Studio Code Tunnels for C2 purposes.
- Radiant Capital attributes $50 million cryptocurrency theft to DPRK hackers.
- I-O Data is still working on patches for two router zero-days.
- Nemesis and ShinyHunters target misconfigured websites.
- Romanian energy company hit by ransomware.
- Researchers describe Nova, a new version of the Snake Keylogger.
- Microsoft patches against technique to bypass multifactor authentication.
Cleo urges customers to patch actively exploited vulnerability.
File-transfer software company Cleo is urging customers to patch an actively exploited vulnerability affecting its Harmony, VLTrader, and LexiCom products. The vulnerability (CVE pending) "could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." The company initially issued a patch for the flaw in October (then tracked as CVE-2024-50623), but Huntress researchers found the patch was insufficient. Cleo issued an updated fix this week.
Researchers at Huntress, Rapid7, Arctic Wolf, and Sophos have observed widespread exploitation of the flaw. Huntress stated, "We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity." Arctic Wolf describes a Java-based backdoor dubbed "Cleopatra" that's being deployed in "a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access."
Iran-linked threat actor deploys new ICS malware.
Researchers at Claroty have discovered a new strain of IoT/OT malware "IOCONTROL" used by Iran-affiliated attackers to target devices in Israel and the US. The researchers state, "IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Some of the affected vendors include: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others."
Notably, Claroty says, "One particular IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States. The malware is essentially custom built for IoT devices but also has a direct impact on OT such as the fuel pumps that are heavily used in gas stations."
The malware has been deployed by a threat actor tracked as the "CyberAv3ngers," which is believed to have ties to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
Cobalt Named “Outperformer” for Third Consecutive Year in GigaOm’s Radar Report for PTaaS
Penetration Testing as a Service (PTaaS) is crucial in today's rapidly evolving threat landscape, where traditional point-in-time security assessments are no longer sufficient. GigaOm’s third annual Radar report for PTaaS examines 13 of the top PTaaS solutions, providing an overview of the market to help decision makers evaluate these solutions and make informed investment decisions.
Download the report to learn:
- How the evolving technology and threat landscape are driving new security needs for pentesting
- Key considerations for choosing a PTaaS provider based on your organization’s evolving security challenges
- Why Cobalt is a Leader in Penetration Testing as a Service.
Chinese APT abuses Visual Studio Code Tunnels for C2 purposes.
SentinelOne has published a report on a Chinese cyberespionage campaign that targeted "large business-to-business IT service providers in Southern Europe" from late June to mid-July 2024. The threat actor used SQL injection against Internet-facing web and database servers to gain initial access. The campaign was detected and disrupted during its early stages.
Notably, the operation abused Visual Studio Code Remote Tunnels for command-and-control purposes. The researchers explain, "Originally designed to enable remote development, this technology provides full endpoint access, including command execution and filesystem manipulation. Additionally, Visual Studio Code tunneling involves executables signed by Microsoft and Microsoft Azure network infrastructure, both of which are often not closely monitored and are typically allowed by application controls and firewall rules. As a result, this technique may be challenging to detect and could evade security defenses. Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit."
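Because the binaries involved are Microsoft-signed and the traffic terminates on Azure-hosted endpoints, hash- or IP-based blocking gives a defender little to work with; the usable signals are the command line that starts a tunnel and the DNS names the tunnel client resolves, viewed against which hosts have any business running a development tunnel. The following is an added Python example, not part of the SentinelOne report, that runs that logic over constructed telemetry. The log layout, host names, allowlist and sample domains are assumptions; the tunnel domain suffixes (`devtunnels.ms`, `tunnels.api.visualstudio.com`) and the `code tunnel` CLI invocation are drawn from memory of Microsoft's Remote Tunnels documentation and should be verified against the current published network requirements before the rule is deployed.

```python
import re

# Constructed sample telemetry (not from the report). Assumed layout:
# "timestamp|host|kind|payload"; kind "process" carries "image=... cmdline=...",
# kind "dns" carries "query=...". Hosts and domains are made up.
SAMPLE_EVENTS = [
    "2024-07-02T09:14:03Z|srv-db-01|process|image=C:\\ProgramData\\vsc\\code.exe cmdline=code.exe tunnel",
    "2024-07-02T09:14:05Z|srv-db-01|dns|query=global.rel.tunnels.api.visualstudio.com",
    "2024-07-02T09:15:11Z|srv-db-01|dns|query=abc123-8000.euw.devtunnels.ms",
    "2024-07-02T09:20:42Z|dev-ws-07|process|image=C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe cmdline=Code.exe --reuse-window C:\\src\\app",
    "2024-07-02T09:21:00Z|dev-ws-07|process|image=C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe cmdline=code tunnel",
    "2024-07-02T09:30:00Z|srv-web-02|dns|query=update.microsoft.com",
]

# Assumed tunnel endpoints; verify against Microsoft's published requirements.
TUNNEL_DOMAIN_SUFFIXES = ("devtunnels.ms", "tunnels.api.visualstudio.com")
# Images that can start a tunnel: the VS Code CLI and the editor's bin wrapper.
TUNNEL_IMAGES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe"}
# "tunnel" as a standalone argument, not part of a path or another word.
TUNNEL_ARG = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)
PROCESS_PAYLOAD = re.compile(r"^image=(?P<image>.*?) cmdline=(?P<cmdline>.*)$")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_vscode_tunnels(lines, expected_tunnel_hosts=frozenset()):
    """Return one finding per suspicious event. Hosts where tunnels are an
    approved workflow can be allowlisted to keep the rule quiet there; a
    database or web server is not normally such a host."""
    findings = []
    for line in lines:
        ts, host, kind, payload = line.split("|", 3)
        if host in expected_tunnel_hosts:
            continue
        if kind == "process":
            m = PROCESS_PAYLOAD.match(payload)
            if m and _basename(m["image"]) in TUNNEL_IMAGES and TUNNEL_ARG.search(m["cmdline"]):
                findings.append({"ts": ts, "host": host,
                                 "reason": "vscode-tunnel-launch", "detail": m["cmdline"]})
        elif kind == "dns":
            query = payload.partition("=")[2].strip().lower()
            if any(query == s or query.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES):
                findings.append({"ts": ts, "host": host,
                                 "reason": "vscode-tunnel-dns", "detail": query})
    return findings


def hosts_with_both_signals(findings):
    """Hosts showing both a tunnel launch and tunnel DNS resolution: the
    strongest indication that a tunnel is actually up, not merely installed."""
    reasons = {}
    for f in findings:
        reasons.setdefault(f["host"], set()).add(f["reason"])
    return sorted(h for h, r in reasons.items()
                  if {"vscode-tunnel-launch", "vscode-tunnel-dns"} <= r)


if __name__ == "__main__":
    for f in detect_vscode_tunnels(SAMPLE_EVENTS, expected_tunnel_hosts={"dev-ws-07"}):
        print(f"{f['ts']} {f['host']:<10} {f['reason']:<22} {f['detail']}")
    print("tunnel likely active on:", hosts_with_both_signals(detect_vscode_tunnels(SAMPLE_EVENTS)))
```

The allowlist is the important design choice: on a developer workstation a tunnel launch may be routine, so the rule is most valuable on servers and on any host where both the launch and the DNS resolution are seen together.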
Radiant Capital attributes $50 million cryptocurrency theft to DPRK hackers.
Decentralized finance (DeFi) protocol Radiant Capital has attributed a $50 million cryptocurrency theft to North Korean government hackers, BleepingComputer reports. The theft occurred on October 16, 2024, following a social engineering attack. Radiant Capital shared in an update, "On September 11, 2024, a Radiant developer received a Telegram message from what appeared to be a trusted former contractor. The message said that the contractor was pursuing a new career opportunity related to smart contract auditing. It included a link to a zipped PDF regarding the contractor’s new alleged endeavor and sought feedback about their work." The ZIP file was shared with other Radiant developers for feedback, and installed a "persistent macOS backdoor" when it was opened.
Build a Stronger Identity Security Program to Protect Your Organization
In our eBook, Building an Identity Security Program, we provide a step-by-step guide to creating a resilient identity security framework. You'll learn how to integrate identity security into your overall security strategy, protect against threats like MFA attacks, and secure access across your entire organization. Don’t leave your organization vulnerable to identity-based attacks. Arm yourself with the knowledge and tools to defend your business. Download the eBook.
I-O Data is still working on patches for two router zero-days.
Japanese device maker I-O Data is still working on patches for two actively exploited zero-days affecting its routers, SecurityWeek reports. One of the flaws (CVE-2024-45841) can lead to authentication information disclosure, and another (CVE-2024-47133) can "allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands." The company says the fixes won't be available until at least December 18th.
According to BleepingComputer, I-O Data recommends that customers implement the following mitigations until patches are available:
- "Disable the Remote Management feature for all internet connection methods, including WAN Port, Modem, and VPN settings.
- "Restrict access to only VPN-connected networks to prevent unauthorized external access.
- "Change the default 'guest' user's password to a more complex one with over 10 characters.
- "Regularly monitor and verify device settings to detect unauthorized changes early, and reset the device to factory defaults and re-configure if a compromise is detected."
Nemesis and ShinyHunters target misconfigured websites.
Security researchers Noam Rotem and Ran Locar discovered a widespread hacking operation tied to the Nemesis and ShinyHunters threat actors, targeting vulnerabilities in improperly configured public websites. The hackers accidentally exposed their stolen data, tools, and possible identities in a misconfigured AWS S3 bucket.
vpnMentor published a report on the operation, stating, "This incident resulted in the exposure of sensitive keys and secrets, granting unauthorized access to customer data. A sophisticated and extensive infrastructure, orchestrated by threat actors from a French-speaking country, conducted comprehensive scans of the internet, searching for exploitable vulnerable endpoints. These vulnerable endpoints gave the attackers access to infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services in some cases."
Dropzone AI Named a Gartner Cool Vendor for the Modern SOC.
Dropzone AI has been recognized as a Gartner Cool Vendor, validating its role in transforming SOCs. With an AI SOC Analyst that autonomously investigates alerts 24/7, Dropzone AI helps security teams stay ahead by reducing alert fatigue and providing decision-ready insights. Discover how we're leading SOC innovation.
Romanian energy company hit by ransomware.
Romanian energy supplier Electrica has sustained a ransomware attack, the Record reports. The company's CEO Alexandru Chirita stated, "Teams of specialists are working closely with the national cybersecurity authorities to manage and resolve the incident, aiming to address the situation as quickly as possible, identify the source of the attack, and limit its impact. ... Our primary priority remains maintaining continuity in the distribution and supply of electricity, as well as protecting the managed personal data and the operational data of all entities within Electrica Group."
Romania's Ministry of Energy said in a press statement, "Initial investigations show that it was a ransomware attack. The network equipment has been removed and is not affected. The SCADA systems of Distributie Electric Power Romania are fully functional and insulated, and our technical teams, together with our security partners, are already on the ground to eliminate any risk."
Researchers describe Nova, a new version of the Snake Keylogger.
Researchers at ANY.RUN have published a report on Nova, a newly discovered fork of the Snake Keylogger. The researchers explain, "The Nova variant of the Snake Keylogger represents a significant evolution of its predecessor, with advanced evasion techniques and a broader array of data exfiltration capabilities. Written in VB.NET, Nova leverages obfuscation methods such as Net Reactor Obfuscator and utilizes process hollowing to evade detection, making it a more persistent and stealthy threat."
The malware is distributed via phishing emails with malicious Office documents or PDFs. Once installed, Nova will harvest saved passwords, credit card details, and system keys from browsers and email clients.
Microsoft patches against technique to bypass multifactor authentication.
Researchers at Oasis Security have disclosed details of a critical flaw affecting Microsoft's multifactor authentication implementation that could allow "attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more." The researchers reported the flaw to Microsoft earlier this year, and the company issued a permanent fix in October.
The researchers found that they could rapidly create new sessions and guess 6-digit MFA codes while trying to log into an account, with a three-minute window before a valid code would expire. Oasis explains, "Given the allowed rate we had a 3% chance of correctly guessing the code within the extended timeframe. A malicious actor would have been likely to proceed and run further sessions until they hit a valid guess. The Oasis Security Research team did not encounter any issues or limitations doing that. After 24 such sessions (~70 minutes) a malicious actor would already pass the 50% chance of hitting a valid code. This is before considering the additional codes generated within the timeframe that would make a few more guessed codes valid."
Oasis adds that Microsoft has since "introduced a much stricter rate limit that kicks in after a number of failed attempts."
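To make the arithmetic in the quoted passage concrete, here is an added Python example, not from the Oasis report or from Microsoft, that models the quoted figures: a roughly 3% success chance per session and 24 sessions in about 70 minutes. The guess budget behind the 3% is not on the page, so the 30,000-attempt figure below is an assumption chosen to reproduce it, and the smaller caps used to illustrate a stricter rate limit are likewise illustrative, not Microsoft's actual limit.

```python
import math

# A 6-digit numeric MFA code has one million possible values.
CODE_SPACE = 10 ** 6


def per_session_probability(attempts, valid_codes=1, code_space=CODE_SPACE):
    """Chance that a single session, allowed `attempts` distinct guesses before
    the code window closes, hits one of `valid_codes` accepted codes.

    The page reports only the outcome (~3% per session), not the guess budget;
    `valid_codes` > 1 models the extra codes issued inside the window that the
    researchers say they had not yet counted.
    """
    if attempts < 0 or valid_codes < 1:
        raise ValueError("attempts must be >= 0 and valid_codes >= 1")
    return min(1.0, attempts * valid_codes / code_space)


def cumulative_probability(p_session, sessions):
    """Probability of at least one success across independent sessions,
    1 - (1 - p)^n: each new session starts with a fresh guess budget."""
    return 1.0 - (1.0 - p_session) ** sessions


def sessions_to_reach(p_session, target=0.5):
    """Smallest number of sessions at which the cumulative probability reaches
    `target`; solves (1 - p)^n <= 1 - target for n."""
    if not 0 < p_session < 1:
        raise ValueError("p_session must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_session))


def rate_limit_comparison(attempt_caps, sessions):
    """Cumulative probability after `sessions` sessions for each cap on
    attempts per session, to show what a stricter rate limit buys."""
    return {cap: cumulative_probability(per_session_probability(cap), sessions)
            for cap in attempt_caps}


if __name__ == "__main__":
    # Figures quoted on the page: ~3% per session, 24 sessions in ~70 minutes.
    p = 0.03
    sessions = 24
    minutes_per_session = 70 / sessions
    print(f"after {sessions} sessions: {cumulative_probability(p, sessions):.1%}")
    n = sessions_to_reach(p)
    print(f"50% reached after {n} sessions (~{n * minutes_per_session:.0f} minutes)")
    # ASSUMED budgets: 30,000 guesses reproduces the quoted 3%; 1,000 and 10
    # are illustrative stricter caps, not Microsoft's actual limit.
    for cap, prob in rate_limit_comparison([30_000, 1_000, 10], sessions).items():
        print(f"cap {cap:>6} attempts/session -> {prob:.4%} after {sessions} sessions")
```

The comparison makes the mitigation tangible: the per-session probability is linear in the guess budget, so cutting the budget by three orders of magnitude cuts the cumulative probability after 24 sessions from just over one half to a fraction of a percent, which is why a rate limit that engages after a handful of failures is the fix rather than a shorter code window alone.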
Patch news.
Microsoft on Tuesday issued patches for seventy-one Windows vulnerabilities, including an actively exploited zero-day affecting the Windows Common Log File System (CLFS) driver, KrebsOnSecurity reports. The zero-day, tracked as CVE-2024-49138, is an elevation-of-privilege flaw that can allow an authenticated attacker to gain SYSTEM privileges. CrowdStrike discovered and reported the vulnerability. Microsoft's Patch Tuesday also fixed sixteen critical remote code execution vulnerabilities.
BleepingComputer has a roundup of Patch Tuesday updates from other vendors, including a critical zero-day affecting Cleo's managed file transfer software.
Crime and punishment.
A law enforcement operation coordinated by Europol has seized 27 of the most popular platforms used to launch DDoS attacks. The operation, dubbed "PowerOFF," also resulted in the arrest of three administrators of these services.
Belgian and Dutch authorities have arrested eight individuals accused of conducting phone phishing attacks across at least ten European countries, Infosecurity Magazine reports. Europol notes, "Besides committing large-scale ‘phishing’ campaigns and trying to gain access to financial data by phone or online, the suspects also pretended to be police or banking staff and approached older victims at their doors."
The US Justice Department on Thursday announced the seizure of the Rydox cybercrime marketplace, alongside the arrests of three suspected administrators. Two of the defendants were arrested in Kosovo and will be extradited to the US. A third was nabbed in Albania and will be prosecuted by the Albanian government.