The CyberWire Daily Podcast 12.11.24
Ep 2207 | 12.11.24

When exploits go wild and patches race the clock.

Transcript

Microsoft confirms a critical Windows zero-day vulnerability. Global law enforcement agencies dismantle 27 DDoS platforms. Researchers compromise memory in AMD virtual machines. Ivanti reports multiple critical vulnerabilities in its Cloud Services Application. Group-IB researchers expose a sophisticated global phishing campaign. A zero-day vulnerability in Cleo’s managed file transfer software is under active exploitation. The U.S. sanctions a Chinese firm for a 2020 firewall exploit. Congress looks to require the FCC to regulate telecom cybersecurity. Our guest is Malachi Walker, Security Strategist at DomainTools, discussing their role in ODNI's newly established Sentinel Horizon Program. SpartanWarriorz dodge a Telegram crackdown.

Today is Wednesday, December 11th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft confirms a critical Windows zero-day vulnerability. 

Microsoft has confirmed a critical zero-day vulnerability, CVE-2024-49138, impacting all Windows editions back to Server 2008, which is currently being exploited in the wild. The flaw, a heap-based buffer overflow in the Windows Common Log File System driver, poses significant risks, including full system compromise. With a CVSSv3.1 score of 7.8, experts suggest treating this as a critical issue.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching. Cybercriminals, particularly ransomware groups, are expected to exploit this flaw, given their history of targeting CLFS vulnerabilities.

While Microsoft included a fix in December’s Patch Tuesday updates, experts emphasize that the aging CLFS codebase requires a complete overhaul to prevent future issues. All Windows users are strongly advised to update their systems promptly to mitigate the risks.

Speaking of Patch Tuesday…

In total, Redmond’s update included fixes for 16 critical vulnerabilities, many targeting remote code execution (RCE). These include nine flaws in Windows Remote Desktop Services, three in Lightweight Directory Access Protocol (LDAP), and two in Microsoft Message Queuing (MSMQ). One LDAP flaw, CVE-2024-49112, stands out with a CVSS score of 9.8, allowing attackers to execute code via specially crafted LDAP calls. Microsoft advises restricting domain controller exposure to mitigate risk.

Atlassian and Splunk released patches addressing over two dozen vulnerabilities across their products. Atlassian fixed 10 high-severity flaws in Bamboo, Bitbucket, and Confluence, impacting third-party components like Apache Commons Compress, AWS SDK, Hazelcast, and Bouncy Castle. No exploitation has been reported, but updates are strongly advised.

Splunk resolved 15 vulnerabilities, including CVE-2024-53247, a high-severity deserialization flaw in Secure Gateway (CVSS 8.8) that allows remote code execution. Splunk Enterprise versions 9.3.2, 9.2.4, and 9.1.7 also received fixes for additional bugs. No active exploitation of these flaws has been reported.

Google has released a critical Chrome update (version 131.0.6778.139/.140 for Windows and Mac, and 131.0.6778.139 for Linux) to address three high-severity vulnerabilities. These include a Type Confusion flaw in the V8 JavaScript engine (CVE-2024-12381), a use-after-free bug in the Translate feature (CVE-2024-12382), and a third flaw whose details are being withheld to prevent exploitation during the rollout.

The December 2024 ICS Patch Tuesday brought critical security updates from CISA and major industrial automation companies. Schneider Electric addressed a critical flaw in Modicon controllers allowing unauthenticated disruption, a high-severity vulnerability in Harmony and Pro-face HMI products enabling device control via malicious code, and a medium-severity DoS bug in PowerChute Serial Shutdown.

Siemens released 10 advisories, including high-severity issues in Ruggedcom ROX II devices, Simatic S7 products, and engineering tools like Teamcenter Visualization. Some vulnerabilities lack patches but offer mitigations.

Rockwell Automation disclosed high-severity code execution flaws in its Arena software, while CISA issued seven advisories, highlighting vulnerabilities in Horner Cscape, National Instruments LabVIEW, and MOBATIME’s Network Master Clock. Phoenix Contact also warned of security issues in PLCnext firmware. 

Global law enforcement agencies dismantle 27 DDoS platforms. 

Global law enforcement agencies have dismantled 27 platforms used for launching Distributed Denial-of-Service (DDoS) attacks, arresting three administrators in France and Germany and identifying over 300 users. Dubbed Operation PowerOFF, the effort targeted “booter” and “stresser” websites used by cybercriminals and hacktivists to disrupt websites with illegal traffic.

Europol provided analytical and forensic support, while prevention measures included online ad campaigns warning against DDoS activities, targeting potential offenders through YouTube and Google Ads. Over 250 warning letters and 2,000 emails were also issued to deter future misuse.

Researchers compromise memory in AMD virtual machines. 

Researchers have uncovered a vulnerability dubbed “BadRAM” that compromises AMD’s Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) feature in its Epyc processors, designed to protect memory in virtual machines. Using only $10 of hardware, attackers can exploit the vulnerability by tampering with the SPD chip on DRAM modules, tricking the CPU into accessing unauthorized memory areas.

BadRAM allows attackers to bypass memory protections, expose sensitive data, and compromise SEV-protected virtual machines, including faking remote attestation reports and inserting backdoors. While primarily a concern for cloud environments, insider threats or unlocked BIOS settings could enable attacks without physical access.

AMD has worked with researchers to mitigate the issue, releasing firmware updates to validate memory configurations at boot. Organizations are urged to update their processors. 

Ivanti reports multiple critical vulnerabilities in its Cloud Services Application. 

Ivanti has issued a security advisory for three critical vulnerabilities in its Cloud Services Application (CSA), including a maximum CVSS 10-rated flaw, CVE-2024-11639, which allows unauthenticated attackers to gain administrative privileges via authentication bypass in the admin web console.

Two additional vulnerabilities, both rated 9.1, include a command injection flaw (CVE-2024-11772) enabling remote code execution and an SQL injection bug (CVE-2024-11773) that allows arbitrary SQL commands. These flaws are exploitable in CSA versions 5.0.2 and earlier, with patches available in version 5.0.3.

Ivanti stated there is no evidence of exploitation but urges immediate updates to prevent potential attacks. This follows previous high-profile CSA vulnerabilities flagged by CISA due to active exploitation risks.

Group-IB researchers expose a sophisticated global phishing campaign. 

A sophisticated phishing campaign is targeting employees of over 30 companies across 12 industries, including energy, finance, and government sectors. Using trusted domains, dynamic company branding, and document platform impersonation, attackers bypass email security to steal login credentials via over 200 malicious links. Stolen credentials are sent in real-time to attackers via C2 servers or Telegram bots. Group-IB researchers exposed the campaign and urge organizations to implement multi-factor authentication, advanced email filters, and employee training to mitigate risks.

A zero-day vulnerability in Cleo’s managed file transfer software is under active exploitation. 

Hackers are actively exploiting a zero-day vulnerability in Cleo’s managed file transfer software, impacting products like Harmony, VLTrader, and LexiCom. The flaw, CVE-2024-50623, allows unrestricted file uploads and remote code execution, bypassing a prior patch from October 2024. Attackers use PowerShell commands to steal data, deploy webshells, and compromise systems.

With over 390 exposed servers globally, most in the U.S., researchers at Huntress recommend immediate mitigations, including firewall restrictions, disabling autorun features, and checking for malicious files. Cleo plans to release a patch soon.

The U.S. sanctions a Chinese firm for a 2020 firewall exploit. 

The U.S. government has sanctioned Chinese firm Sichuan Silence and employee Guan Tianfeng for exploiting a firewall vulnerability (CVE-2020-12271) in a 2020 attack affecting 81,000 devices globally, including U.S. critical infrastructure. The attackers deployed the Asnarök Trojan to steal credentials and attempted to install Ragnarok ransomware, risking serious damage and potential loss of life, such as oil rig malfunctions.

Sichuan Silence, linked to Chinese intelligence, specialized in offensive cyber techniques. Sanctions freeze their U.S. assets, and a $10M reward is offered for further information.

Congress looks to require the FCC to regulate telecom cybersecurity. 

Sen. Ron Wyden introduced legislation to require the FCC to regulate telecom cybersecurity under the 1994 Communications Assistance for Law Enforcement Act (CALEA). This response follows the Salt Typhoon breach, where Chinese-linked hackers infiltrated U.S. telecom networks, compromising calls and messages in a yearslong espionage campaign.

The proposed bill mandates FCC action within a year, with input from CISA and the Office of the Director of National Intelligence, and includes annual testing of telecom systems for vulnerabilities. It also requires independent audits to ensure compliance. Wyden criticized the FCC for previously allowing telecom companies to self-regulate cybersecurity, calling it a failure that enabled foreign spying.

The legislation builds on FCC efforts to strengthen telecom security and Wyden’s broader push to address Salt Typhoon’s devastating impact on national security.

Coming up after the break, we share my conversation with Malachi Walker from DomainTools about their role in ODNI's newly established Sentinel Horizon Program. And, SpartanWarriorz dodge a Telegram crackdown.

We’ll be right back

Welcome back

SpartanWarriorz dodge a Telegram crackdown. 

And finally, SpartanWarriorz, a prolific phishing scam group, is proving it takes more than a Telegram channel shutdown to stop their operation. Known for selling and distributing over 300 phishing kits targeting brands across industries—financial institutions, retail, delivery services, and social media—they lost their Telegram channel on November 21, which had 5,300 subscribers. Within hours, they launched a new one, inviting old subscribers while scouting for fresh recruits.

The group’s kits, while not the flashiest, are highly effective. They enable phishing campaigns with features like credential theft, CAPTCHA prompts, and redirections to Google or fake 404 pages. They even let criminals exfiltrate stolen data through Telegram’s API. SpartanWarriorz also provides access to compromised websites and email spamming tools, solidifying their foothold in the phishing ecosystem.

Though Telegram promised a crackdown on criminal channels following the arrest of its CEO Pavel Durov in August, SpartanWarriorz has adapted, taking precautions to avoid further disruptions. Their persistence and willingness to distribute free kits for popular brands have cemented their reputation as determined operators in the cybercriminal world.

For now, SpartanWarriorz remains a thorn in the side of cybersecurity professionals, showing that while they might not reinvent the phishing wheel, they’ve mastered the art of persistence and adaptability.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.