Cleo campaign is getting worse
The Clop ransomware gang (linked to TA505), the Russia-linked group behind the 2023 MOVEit campaign, has claimed responsibility for the mass exploitation of a vulnerability in Cleo's file transfer products (CVE-2024-50623). In an interview, a Clop operator added that the group compromised “quite a lot” of organizations. The attacks had previously been attributed to a new ransomware group named Termite; it is still possible that Termite and Clop are connected, or that both are exploiting the flaw in parallel. In the meantime Cleo has patched a second vulnerability (CVE-2024-55956) in the same part of the code, after evidence of in-the-wild exploitation. Both flaws were used to deliver Cleopatra, a Java-based backdoor able to access data stored within the Cleo MFT software.
Mitigate it
Look for and delete the files “healthcheck.txt” and “healthchecktemplate.txt” dropped by the exploit in the Cleo installation directory (a SHA256 reported for the dropped file: 6705EEA898EF1155417361FA71B1078B7AAAB61E7597D2A080AA38DF4AD87B1C), update Cleo Harmony, VLTrader and LexiCom to the patched release (5.8.0.24 or later) and, until the update is applied, clear the Autorun directory setting so that dropped files are not executed automatically.
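The following Python script is an added example (it is not code from this newsletter, from Cleo or from the cited researchers) of how to hunt for these artifacts: it walks a directory tree, flags any file whose name matches one of the two dropped file names or whose SHA256 matches a known indicator, and optionally deletes hash matches. The published hash above is the default indicator; the sample directory, its file content and the `hunt`/`demo` function names are constructed for the example, so the constructed file's own hash is passed in via `extra_hashes` to exercise the hash-match path.

```python
"""Hunt for the Cleo exploit artifacts (added example, not vendor code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Observed drop names and the published SHA256 (from the newsletter above).
IOC_FILENAMES = {"healthcheck.txt", "healthchecktemplate.txt"}
IOC_SHA256 = {"6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c"}


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA256 so large Cleo data files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, extra_hashes=frozenset(), delete: bool = False) -> list[dict]:
    """Return one finding per suspicious file under root.

    A file is reported when its name is an IOC name or its hash is an IOC hash.
    Name-only matches are reported with hash_match=False so an analyst reviews
    them first; delete=True removes only files whose hash is confirmed.
    """
    known = {h.lower() for h in IOC_SHA256 | set(extra_hashes)}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            by_name = name.lower() in IOC_FILENAMES
            digest = sha256_of(p)
            by_hash = digest in known
            if by_name or by_hash:
                findings.append({
                    "path": str(p),
                    "sha256": digest,
                    "name_match": by_name,
                    "hash_match": by_hash,
                })
                if delete and by_hash:
                    p.unlink()
    return findings


def demo():
    """Build a constructed install tree and run the hunt with deletion enabled.

    Returns (findings, dropped_file_still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "host").mkdir()
        bad = root / "host" / "healthchecktemplate.txt"
        bad.write_bytes(b"constructed sample content, not the real implant\n")
        (root / "readme.txt").write_text("benign file, should not be reported")
        # Treat the constructed file's hash as if it had been published as an IOC.
        extra = {sha256_of(bad)}
        findings = hunt(root, extra_hashes=extra, delete=True)
        return findings, bad.exists()


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

Run it against the Cleo installation root; in a real hunt, keep `delete=False` on the first pass and preserve a copy of any hash match for forensics before removing it.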
Concerns around a LDAP vulnerability
Microsoft patched a critical vulnerability (CVE-2024-49112) in the Windows implementation of the Lightweight Directory Access Protocol (LDAP), the protocol Active Directory uses to expose and query directory data between clients and servers. The flaw, an integer overflow in the handling of LDAP requests, lets an unauthenticated attacker send crafted requests and execute arbitrary code in the context of the LDAP service. A wide range of Windows versions is affected; the most exposed systems are Windows Server 2008 R2 and later hosts acting as Domain Controllers, since they run the LDAP server role. In the same release Microsoft fixed two further, lower-rated LDAP remote code execution flaws (CVE-2024-49124 and CVE-2024-49127), which could be chained with CVE-2024-49112.
Mitigate it
Apply the December 2024 security update and, following Microsoft's guidance, ensure Domain Controllers are configured either without internet access or so that inbound RPC traffic from untrusted networks is denied
A large healthcare breach
In one of the largest healthcare data breaches of 2024, Interlock compromised the information of 1.4 million patients through an attack on Texas Tech University Health Sciences Center and its El Paso campus. Interlock is a new group that emerged last September; it targets Windows and FreeBSD systems and focuses on healthcare, IT and manufacturing organizations. It claims to gain initial access through vulnerability exploitation but has also been observed using other methods. It is possibly a rebranding or a spin-off of the Rhysida ransomware group.
Mitigate it
In FortiEDR and FortiGate, make sure the FortiGuard antivirus signatures “W32/Kryptik.HXUY!tr.ransom”, “Linux/Filecoder_InterLock.A!tr” and “W64/GenKryptik.HCFC!tr” are enabled
A new vulnerability in Apache Struts
Exploitation attempts against a new vulnerability in Apache Struts (CVE-2024-53677) have been observed. The critical flaw allows attackers to upload malicious files to a vulnerable instance, which can lead to remote code execution and ultimately data exfiltration. The vulnerability is similar to an earlier Apache Struts flaw (CVE-2023-50164), patched in late 2023 and exploited in the wild.
Mitigate it
Block access from 169.150.226[.]162, the source of the observed exploitation attempts, and upgrade to Apache Struts 6.4.0 or later; because the fix replaces the file upload mechanism, applications must also be migrated to the new Action File Upload interceptor, as updating the library alone is not enough
Attacks against electricity utilities
A new threat group named Lynx is behind a large ransomware operation disrupting Electrica, one of Romania’s largest electricity suppliers. Lynx is possibly a rebranding or a sub-group of INC Ransom, a well-known international cybercrime group recently responsible for hacking Hungary’s defense procurement agency. In the past, INC Ransom also attacked companies such as Xerox and Yamaha Motor by exploiting a Citrix NetScaler vulnerability (CVE-2023-3519).
HiatusRAT targets web camera vulnerabilities
The FBI warned about a campaign spreading the HiatusRAT malware by exploiting vulnerabilities in web cameras and DVRs (CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260). Most of the affected devices have no patch available or are no longer supported by their vendors. In the past, the same campaign targeted a Department of Defense server for reconnaissance, as well as VPN routers in hundreds of businesses in America and Europe.
When hackers attack hackers
A threat actor dubbed MUT-1244 has targeted hundreds of cybersecurity professionals and companies and stolen a variety of credentials (AWS access keys, WordPress account credentials, SSH keys, bash history and more). Its malware also mined cryptocurrency on compromised hosts. Among other initial access methods, MUT-1244 tricked victims into downloading backdoored proof-of-concept exploits hosted on GitHub. Beyond security researchers, the group also targeted other threat actors.
A GitLab vulnerability and attacks on Bitcoin ATMs
Threat actors exploited a GitLab vulnerability to break into Byte Federal, a company operating 1,200 Bitcoin ATMs across the US. The personal information of around 58,000 Bitcoin ATM users has apparently been compromised.
Sources
- https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/, https://arcticwolf.com/resources/blog-uk/cleopatras-shadow-a-mass-exploitation-campaign-uk/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112, https://www.vicarius.io/vsociety/posts/cve-2024-49112-detect-insecure-ldap
- https://www.darkreading.com/cyberattacks-data-breaches/texas-tech-medical-data-breach
- https://thehackernews.com/2024/12/patch-alert-critical-apache-struts-flaw.html
- https://www.bleepingcomputer.com/news/security/lynx-ransomware-behind-electrica-energy-supplier-cyberattack/
- https://www.ic3.gov/CSA/2024/241216.pdf
- https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/#annex-indicators-of-compromise
- https://www.securityweek.com/hackers-possibly-stole-personal-data-from-bitcoin-atm-operator-byte-federal/