The Cleo exploitation campaign - a new MOVEit? 

A new ransomware operation nicknamed Termite is exploiting a cross-scripting vulnerability in Cleo file transfer software (CVE-2024-50623), in a way reminiscent of the 2023 MOVEit campaign. Attack attempts against 1.7K servers have been spotted since December 3, and at least 10 enterprises from the food, trucking and shipping industries have been compromised. The flaw, which lets attackers download and upload files on targeted instances, has been used to deploy a backdoor on Cleo hosts. The vendor released a patch, but it apparently failed to remediate the vulnerability. Around 1.3K vulnerable Cleo instances are still Internet-exposed. Cleo is a company offering B2B integration solutions to 4.2K customers worldwide, including New Balance, Barilla and Illumina. Termite is a new Russian ransomware using a variant of the leaked Babuk tool, with victims in sectors such as government, oil and gas, and car manufacturing. It recently took credit for the attack on the IT company Blue Yonder, which compromised customers such as Sainsbury and Starbucks.

Mitigate it

Disable the Autorun feature in Cleo Harmony, VLTrader and LexiCom. Detect with the “Attacker Behavior - Possible Cleo MFT Exploitation 2024” rule in Rapid7 InsightIDR.

AWS credentials stolen from thousands of websites

A threat actor named Nemesis led a massive campaign last summer, scanning almost 500K websites to steal AWS credentials by exploiting vulnerabilities in misconfigured ones. At first, around 27 million AWS-related IP addresses were scanned and connected to the relevant domains using Shodan’s reverse lookups. The data (infrastructure credentials, proprietary source code and application databases) has been put up for sale for hundreds of euros each on a Darknet forum. Ironically, French-speaking hackers who took part in the operation stored 2TB of the stolen information in an open, misconfigured S3 bucket. While Nemesis was previously unknown, some of the recent activity has been linked to ShinyHunters, an infamous actor behind the hacks against high-profile organizations such as TicketMaster, Twilio and Mitsubishi.

NTLM disclosure flaws gaining popularity

A new NTLM disclosure zero-day has been discovered, with a wide impact on Windows servers and workstations (from Windows 7 to 11). Exploiting it allows attackers to steal NTLM credentials by having the user merely view a malicious file in Windows Explorer (no click required). No CVE ID has been assigned yet, but it is possible that the flaw is similar to another vulnerability (CVE-2024-43451) recently used by Russian groups against Ukrainian targets. Microsoft released guidance on mitigating NTLM relay attacks but announced that a fix will not be shipped before April 2025.

Mitigate it

Enable Extended Protection for Authentication (EPA) on Active Directory Certificate Services (AD CS), Lightweight Directory Access Protocol (LDAP) and Exchange servers.

"Operation Digital Eye": SQLi flaws against European IT companies

From late June to mid-July 2024, a Chinese state actor infiltrated several IT service providers in southern Europe in a cyberespionage campaign dubbed “Operation Digital Eye”. The attackers used legitimate Azure infrastructure and Visual Studio Code to evade detection systems, and initial access was gained through SQL injection (SQLi) vulnerabilities. The campaign is tentatively attributed to APT41, even though tools from other Chinese groups also appear to have been used.

WeChat and Chromium vulns exploited for espionage

A new Chinese threat group named Earth Minotaur is leveraging the well-known Moonshine exploit kit to target a WeChat vulnerability (CVE-2023-3420) in a cyberespionage campaign against Tibetan and Uyghur ethnic communities. Along with this vulnerability, eight old Chromium flaws were also exploited. Moonshine was used to deliver the DarkNimbus backdoor, which allows information to be exfiltrated from Android devices.

New Windows CLFS flaw

A newly patched Windows CLFS zero-day (CVE-2024-49138) is currently being exploited. The flaw stems from improper data validation and allows privilege escalation on Windows servers, up to SYSTEM level. Exploiting it requires only limited local access and is of low complexity.

A new Zyxel vulnerability exploited

A vulnerability in Zyxel firewall devices (CVE-2024-11667) is now being exploited by threat actors. They leverage it to download or upload files using crafted URLs, resulting in the theft of credentials or the deployment of a backdoor VPN connection. Another Zyxel flaw (CVE-2024-42057) has recently been targeted by the Helldown ransomware.

Mitigate it

Detect with Qualys QID 731964.

No patch for an IO-Data zero-day

A zero-day in IO-Data routers (CVE-2024-52564) has been exploited in the wild. The flaw allows attackers to disable the router’s firewall and change other configuration settings. The Japanese manufacturer announced that a patch is not expected within the coming few weeks.

RBVM gaps in Europe

A survey by the EU Cyber Agency (ENISA) reported that 15% of Operators of Essential Services (OESs) and Digital Service Providers (DSPs) maintain no risk-based vulnerability management process; 22% have a process covering only critical assets; and 26% cover only Internet-facing assets. Moreover, while 46% of OESs and DSPs patch critical vulnerabilities within a month, almost 14% have no visibility over the patching of 40% of their assets. OESs include critical infrastructure organizations from diverse sectors such as healthcare, energy, banking and transport.
