In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Cybersecurity news that you may have missed this week: the spyware used by various governments, new vulnerabilities, industrial security products, and Linux router attacks.
Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia
A former employee of the U.S. National Security Agency (NSA) has been sentenced to nearly 22 years (262 months) in prison for attempting to transfer classified documents to Russia.
"This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust," said FBI Director Christopher Wray.
Malichus Malware Exploiting Cleo 0-day Vulnerability In Wild
Threat actors are actively exploiting a critical zero-day vulnerability (CVE-2024-50623) in Cleo's file transfer products Harmony, VLTrader, and LexiCom.
The flaw is an unrestricted file upload and download vulnerability that allows unauthenticated remote code execution (RCE), a severe risk for enterprises that rely on Cleo's software for secure file transfers.
The exploitation was first publicized by security vendor Huntress, which noted that the flaw stems from an incomplete patch Cleo released in October.
Despite subsequent patches, attackers have found ways to bypass them, leading to widespread exploitation. Huntress telemetry indicates that at least ten businesses, primarily in consumer products, the food industry, trucking, and shipping, have been compromised.
The payload delivered through the zero-day is a new malware family named Malichus, deployed on compromised Harmony, VLTrader, and LexiCom installations to run attacker-supplied code.
Malichus Malware Employs Three Stages
The Malichus malware operates in three distinct stages:
(Figure: attack chain of the Malichus malware)
Stage 1: PowerShell Downloader
The initial stage is a small PowerShell loader that prepares the host for further exploitation. The loader is stored as a base64 blob which, once decoded, executes a Java Archive named `cleo.[numerical-identifier]`.
It establishes a TCP connection to a command-and-control (C2) server to retrieve the second-stage payload.
The loader also sets a variable called `Query`, which the later stages use to identify the C2 address and the victim's IP address.
Stage 2: Java Downloader
The second stage downloads and decrypts a Java Archive using an AES key that is unique to each payload. The archive's manifest triggers execution of the `start` class.
The backdoor reads the `Query` environment variable, decodes it to obtain the AES key, and uses it to download the third-stage payload over TLS.
The downloaded data is then decrypted, yielding a deliberately corrupted zip file; it is repaired by removing the first two bytes before extraction and loading.
Stage 3: Java Backdoor / Post Exploitation Framework
The final stage is a modular Java-based post-exploitation framework made up of nine class files. Its primary driver, the `Cli` class, is loaded by the previous stage.
The framework supports both Linux and Windows, although Huntress observed it primarily on Windows systems.
It uses parameters passed from stage 2 to communicate with the C2 server, identify the exploited system, and manage the malware's persistence and data theft activities.
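The stage-3 handling above (strip two bytes, then treat what remains as a zip of class files with `Cli` as the driver) is the kind of thing an analyst wants to automate when triaging a recovered payload. The following is an added example written for this page, not Huntress's or Cleo's code: it takes an already-decrypted stage-3 blob, repairs it, and inspects the archive. The AES step keyed from `Query` is deliberately left out because its format is not documented here, and the placeholder class names in the constructed sample (`Mod1` to `Mod8`) are this example's invention.

```python
"""Triage helper for a recovered Malichus stage-3 blob (added example, not Huntress
or Cleo code). Assumes the input is the already-decrypted stage-3 download: a ZIP
archive with two junk bytes prepended, as the write-up describes."""
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # magic of a ZIP local-file header
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # magic of a Java class file


def repair_stage3(blob: bytes) -> bytes:
    """Strip the two leading bytes and confirm a ZIP local-file header follows."""
    if len(blob) < 2 + len(ZIP_LOCAL_HEADER):
        raise ValueError("blob too short to be a stage-3 archive")
    repaired = blob[2:]
    if not repaired.startswith(ZIP_LOCAL_HEADER):
        raise ValueError("no ZIP header after stripping two bytes; not the expected stage-3 layout")
    return repaired


def inspect_stage3(repaired: bytes) -> dict:
    """List the class files in the repaired archive, verify their magic, and flag the Cli driver."""
    bad_magic = []
    with zipfile.ZipFile(io.BytesIO(repaired)) as zf:
        names = zf.namelist()
        classes = [n for n in names if n.endswith(".class")]
        for name in classes:
            if not zf.read(name).startswith(CLASS_MAGIC):
                bad_magic.append(name)
        manifest = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    return {
        "class_count": len(classes),
        "classes": sorted(classes),
        "has_cli_driver": "Cli.class" in classes,
        "bad_class_magic": bad_magic,
        "manifest": manifest,
    }


def build_sample_blob() -> bytes:
    """Constructed sample: nine minimal class entries (Cli plus eight placeholder names that
    are this example's invention, not the real module names) with two junk bytes in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ["Cli"] + [f"Mod{i}" for i in range(1, 9)]:
            # class magic followed by a dummy version field; enough for the magic check
            zf.writestr(f"{name}.class", CLASS_MAGIC + b"\x00\x00\x00\x34")
    return b"\x7f\x7f" + buf.getvalue()


if __name__ == "__main__":
    print(inspect_stage3(repair_stage3(build_sample_blob())))
```

Feeding a real decrypted download into `repair_stage3` either returns a loadable archive or raises, which is the check you want before spending time on the class files; `bad_class_magic` catches entries that are not actually Java classes even though they carry the extension.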
Huntress first publicized the attacks on Monday, noting that the vulnerability was being exploited en masse to steal data from the affected businesses.
The attacks began as early as December 3, with a significant uptick observed on December 8.
Cleo has acknowledged the vulnerability and released an advisory urging customers to upgrade to the latest product version (5.8.0.21) to address additional attack vectors.
However, Huntress has indicated that even this patch is insufficient against the exploits observed in the wild. Cleo is preparing a new CVE designation and expects to release a new patch mid-week.
Rapid7 has advised Cleo customers to remove affected products from the public internet and place them behind a firewall. Additionally, disabling Cleo’s Autorun Directory can prevent the latter part of the attack chain from being executed.
This campaign echoes previous attacks by notorious groups like Clop, which targeted managed file transfer software to steal and ransom customer data. While attribution remains unclear, there are unconfirmed reports suggesting involvement by the Termite group, known for a recent attack on Blue Yonder.
The active exploitation of Cleo's software underscores the need for robust security controls, especially in sectors handling sensitive data. Companies using Cleo products should take immediate action to secure their systems and review for signs of compromise dating back to at least December 3, 2024.
Hackers Exploiting Critical SolarWinds Serv-U Vulnerability In The Wild
SolarWinds is a software company specializing in IT management and monitoring solutions for networks and infrastructure.
The company became notorious after the 2020 supply chain attack in which attackers inserted malicious code into Orion updates; the trojanized update was pushed to as many as 18,000 customers.
GreyNoise Labs researchers recently observed hackers actively exploiting the SolarWinds Serv-U vulnerability CVE-2024-28995 in the wild.
In June 2024, SolarWinds' Serv-U file transfer product was found to have a critical path-traversal vulnerability.
The flaw lets attackers read arbitrary files by manipulating the InternalDir and InternalFile parameters in HTTP requests. GreyNoise deployed a honeypot mimicking the vulnerability to study exploit attempts.
Over three months, the honeypot logged a range of attack patterns. They started with basic probes for well-known files on Linux and for C:\Windows\win.ini on Windows, then progressed to more targeted attempts aimed at sensitive files such as unattended.xml and sysprep.xml, which may contain credentials in plaintext.
Threat actors also sought Windows registry hives (the SAM hive for password data) and cloud service credentials for AWS, Azure, and Google Cloud.
Linux systems were probed first, but Windows became the primary target, according to the GreyNoise report.
The activity evolved from simple vulnerability scans to intense exploitation attempts, with peaks of new payload types observed on specific dates (July 7 and July 29).
Differences in URL encoding and character sets (including Cyrillic) across payloads indicate diverse attacker origins.
The frequency and variety of exploits decreased over time, suggesting reduced interest from threat actors or improved patching by the likely targets.
This real-world data offers useful insight into the lifecycle and exploitation patterns of a high-profile vulnerability in a widely used enterprise software product.
The analysis examines file exfiltration attempts by attackers targeting a Serv-U server, categorizing the requested files into groups such as scanner probes, Windows credentials, web configurations, databases, and miscellaneous interesting files.
The web-related requests focused on Windows configuration files for PHP, Apache, Nginx, and IIS, while the database-related attempts targeted MySQL, PostgreSQL, and SQL Server configuration and data files.
The analysis also noted broken requests with typos or incorrect paths, and creative guesses such as password.txt on the administrator's desktop.
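The honeypot analysis above boils down to three steps a defender can reproduce against their own Serv-U or reverse-proxy logs: pull the InternalDir and InternalFile parameters out of each request, normalize away the encoding tricks (percent-encoding, double encoding, backslash versus slash) before checking for traversal, and bucket the target file into the same kinds of categories GreyNoise used. The following is an added example written for this page, not GreyNoise's or SolarWinds' code. The log lines are constructed in a generic combined-log shape (Serv-U's own log format would need its own line parser), and the category membership is this example's choice, informed by the file types the report names.

```python
"""Triage of HTTP requests for CVE-2024-28995-style traversal against Serv-U (added
example, not GreyNoise's or SolarWinds' code). Log lines are constructed samples."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/')

# Target categories in the spirit of the GreyNoise grouping; substrings are matched
# against the normalized (lower-case, forward-slash) path. First match wins.
CATEGORIES = [
    ("windows_credentials", ("unattend", "sysprep.xml", "/config/sam", "/config/system", "/config/security")),
    ("cloud_credentials", (".aws/credentials", ".azure/", "gcloud/")),
    ("web_config", ("php.ini", "httpd.conf", "nginx.conf", "web.config", "applicationhost.config")),
    ("database", ("my.ini", "postgresql.conf", "pg_hba.conf", ".mdf", ".ldf")),
    ("scanner_probe", ("win.ini", "/etc/passwd")),
    ("guess", ("password.txt", "passwords.txt")),
]

# Constructed sample log (combined-log shape); the addresses are documentation ranges.
SAMPLE_LOG = r"""
203.0.113.10 - - [07/Jul/2024:10:01:02 +0000] "GET /?InternalDir=\..\..\..\..\Windows&InternalFile=win.ini HTTP/1.1" 200 512
203.0.113.10 - - [07/Jul/2024:10:01:05 +0000] "GET /?InternalDir=%5c..%5c..%5c..%5c..%5cWindows%5cPanther&InternalFile=unattend.xml HTTP/1.1" 404 0
198.51.100.7 - - [29/Jul/2024:14:20:11 +0000] "GET /?InternalDir=/../../../../Windows/System32/config&InternalFile=SAM HTTP/1.1" 200 0
198.51.100.7 - - [29/Jul/2024:14:20:15 +0000] "GET /?InternalDir=%252e%252e%252f%252e%252e%252fUsers%252fAdministrator%252f.aws&InternalFile=credentials HTTP/1.1" 404 0
192.0.2.44 - - [29/Jul/2024:15:02:40 +0000] "GET /?InternalDir=\..\..\..\Users\Administrator\Desktop&InternalFile=password.txt HTTP/1.1" 404 0
192.0.2.44 - - [29/Jul/2024:15:03:01 +0000] "GET /?InternalDir=/Public&InternalFile=report.pdf HTTP/1.1" 200 1024
192.0.2.45 - - [29/Jul/2024:15:04:01 +0000] "GET /?InternalDir=\..\..\..\..\inetpub\wwwroot&InternalFile=web.config HTTP/1.1" 200 0
"""


def normalize(value: str) -> str:
    """Decode twice (catches %252e-style double encoding), unify separators, lower-case."""
    decoded = unquote(unquote(value))
    return decoded.replace("\\", "/").lower()


def classify_request(url: str):
    """Return a finding dict for a Serv-U file request, or None if the URL is not one."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "InternalDir" not in qs and "InternalFile" not in qs:
        return None
    raw_dir = qs.get("InternalDir", [""])[0]
    raw_file = qs.get("InternalFile", [""])[0]
    target = normalize(raw_dir).rstrip("/") + "/" + normalize(raw_file).lstrip("/")
    segments = target.split("/")
    # traversal: any '..' segment, or an absolute drive path like c:/...
    traversal = ".." in segments or re.match(r"^/?[a-z]:/", target) is not None
    category = "other"
    for name, needles in CATEGORIES:
        if any(n in target for n in needles):
            category = name
            break
    return {
        "target": target,
        "traversal": traversal,
        "category": category,
        # encoding/charset oddities (e.g. Cyrillic) are a useful pivot for attacker clustering
        "non_ascii": any(ord(ch) > 127 for ch in unquote(unquote(raw_dir + raw_file))),
    }


def triage(log_text: str) -> list:
    """Parse each log line and keep only the requests that actually attempt traversal."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group("url"))
        if finding and finding["traversal"]:
            finding["line"] = line
            findings.append(finding)
    return findings


def summarize(findings: list) -> Counter:
    """Count traversal attempts per target category."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["category"], f["target"])
    print(summarize(triage(SAMPLE_LOG)))
```

The `/Public/report.pdf` request is the control case: it uses the same parameters legitimately and must not be flagged, which is why the check is on traversal segments after normalization rather than on the mere presence of InternalDir.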