For the latest discoveries in cyber research for the week of December 30th, download our Threat Intelligence Bulletin.
Main attacks and breaches
The Clop ransomware group is exploiting a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer product to threaten 66 companies with data theft. The attackers gave the victims 48 hours to begin ransom negotiations before making their identities public. This incident reflects Clop’s previous exploitation of zero-day flaws in platforms such as Accellion FTA, GoAnywhere MFT, and MOVEit Transfer.
Check Point Harmony Endpoint, Threat Emulation, and IPS provide protection against this threat (Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*; Cleo Any File Upload (CVE-2024-50623)).
Pittsburgh Regional Transit Authority (PRT) suffered a ransomware attack last week that disrupted its rail systems and customer service operations. Although transit services have resumed normal operations, certain passenger services, such as Connect card processing, are still affected. An investigation involving law enforcement and cybersecurity experts is underway, but the scope of the data theft and the group responsible for the attack have not yet been identified.

Cyberhaven was the victim of a cyberattack that led to the distribution of a malicious update to the company's Chrome browser extension. The compromised extension was able to exfiltrate sensitive user information such as authenticated sessions and cookies.

Cariad, Volkswagen's automotive software subsidiary, leaked data on 800,000 electric vehicles, including sensitive geolocation information, due to a misconfiguration of an IT application. The leaked data included vehicle details from Volkswagen, SEAT, Audi and Skoda, as well as precise location information and pseudonymized user data for 460,000 vehicles. The Chaos Computer Club identified the vulnerability, which allowed access to terabytes of unsecured customer information stored in Amazon cloud storage.

Japan Airlines has resumed normal flight operations after a cyber attack caused delays on domestic and international flights. The attack involved a sudden spike in network traffic, indicative of a distributed denial of service (DDoS) attack, which affected data communication with external systems. No customer information was compromised and flight safety was not affected.

ZAGG Inc., a consumer electronics accessories manufacturer, has disclosed a data breach that led to the compromise of customers' payment card information. The breach occurred between October and November 2024, when malicious code was injected into the FreshClick app, a third-party application provided by the e-commerce platform BigCommerce.
The European Space Agency’s (ESA) official merchandise store has been hacked and displayed a fake payment page designed to steal customers’ payment card details.
Vulnerabilities and patches
A critical SQL injection vulnerability (CVE-2024-45387) rated 9.9 on the CVSS scale has been identified in Apache Traffic Control versions 8.0.0 and 8.0.1. This vulnerability allows a privileged user with specific roles to execute arbitrary SQL commands within the database via a crafted PUT request. This issue has been fixed in version 8.0.2.
Check Point IPS provides protection against this threat: Apache Traffic Control SQL Injection (CVE-2024-45387).
A critical vulnerability (CVE-2024-52046) with a maximum CVSS score of 10.0 has been discovered in Apache MINA, a Java network application framework. The flaw occurs when the ObjectSerializationDecoder uses Java's native deserialization protocol without appropriate security measures, allowing an attacker to send malicious serialized data and execute remote code.

Palo Alto Networks has disclosed that a denial of service (DoS) vulnerability (CVE-2024-3393) affecting PAN-OS software is being actively exploited. This vulnerability could allow an unauthenticated attacker to send malicious packets that force an affected firewall to restart or enter maintenance mode, thereby disrupting firewall protection. This issue affects devices with DNS Security logging enabled and is patched in PAN-OS versions 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3.

A high-severity OS command injection vulnerability (CVE-2024-12856) has been identified in Four-Faith router models F3x24 and F3x36. Abuse of default credentials may lead to execution of unauthorized OS commands. Over 15,000 internet-connected devices are at risk, and there is evidence to suggest that the exploit has been active since at least early November 2024.
Check Point IPS provides protection against this threat: Four-Faith F3x Series Command Injection (CVE-2024-12856).
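The Apache MINA flaw above is one instance of a general pattern: an ObjectInputStream that will instantiate whatever class the peer names in the stream. As an added illustration (not MINA's code or its fixed decoder), the following Java places the weak unfiltered decode beside a JEP 290 allowlist filter; the Ping and Unexpected classes are hypothetical stand-ins for an expected message type and for any class the allowlist does not name.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserializationDemo {
    // Hypothetical message type the decoder is meant to accept.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final long sentAt;
        Ping(long sentAt) { this.sentAt = sentAt; }
    }
    // Hypothetical, constructed stand-in for any class NOT on the allowlist.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    // Serialise an object into the byte stream a decoder would receive.
    static byte[] encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Weak pattern: an unfiltered ObjectInputStream resolves and instantiates
    // whatever class name appears in the stream.
    static Object decodeUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }
    // Hardened pattern (JEP 290): allowlist exactly the expected class, reject
    // everything else ("!*"), and cap object-graph depth and array sizes.
    static Object decodeFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxarray=1000;" + Ping.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();  // InvalidClassException if the filter rejects a class
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] good = encode(new Ping(1L));
        byte[] bad = encode(new Unexpected());
        System.out.println("unfiltered accepts Unexpected: " + (decodeUnfiltered(bad) instanceof Unexpected));
        System.out.println("filtered accepts Ping: " + (decodeFiltered(good) instanceof Ping));
        try { decodeFiltered(bad); } catch (java.io.InvalidClassException e) { System.out.println("filtered rejects Unexpected: " + e.getMessage()); }
    }
}
```

Compile and run with any JDK 9 or later; the unfiltered decode accepts the unlisted class, while the filtered decode accepts only Ping and rejects everything else before any constructor or readObject logic runs.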
Threat intelligence report
Researchers observed a new malware called OtterCookie being used in the North Korea-linked Contagious Interview campaign. This financially motivated campaign targets a wide range of victims and is also active in Japan. OtterCookie communicates via Socket.IO, executes shell commands to steal sensitive data including cryptocurrency keys, and also collects clipboard data.

Researchers have identified increased activity by the Paper Werewolf (also known as GOFFEE) cluster, which has conducted at least seven campaigns targeting Russian organizations since 2022. The group uses phishing emails containing malicious macros, PowerShell scripts and PowerRAT to carry out espionage and destructive operations, including disabling IT infrastructure and changing account credentials. Its toolset includes a custom implant for harvesting credentials, a reverse shell, and a malicious IIS module.

Researchers analyzed increased activity from botnets such as the Mirai variant FICORA and the Kaiten variant CAPSAICIN. These botnets exploit long-standing vulnerabilities in D-Link devices to execute malicious commands via the HNAP interface.