Akira exploits SonicWall firewalls
A vulnerability in SonicWall firewalls (CVE-2024-40766) is apparently exploited in the wild by affiliates of the Akira ransomware group to reach initial access to SSLVPN accounts. The flaw, lying in the SonicOS management access and SSLVPN, allows attackers to reach resources or even result in a firewall crash. Akira is a Russian notorious triple extortion group that, since its emergence in March 2023, has impacted more than 250 organizations and earned 42 million USD. The group has recently pivoted to target Linux servers and has been observed exploiting a flaw in ESXi Hypervisors (CVE-2024-37085).
Mitigate it
Monitor Qualys QID 731723; Follow SonicWall guidance to restrict firewall management access to trusted internal sources.
Unit 29155: a very aggressive Russian state actor
The US and its allies published an advisory about Unit 29155 (aka Cadet Blizzard, UNC2589) – a unit of the Russian military intelligence (GRU), and more secretive than other GRU-affiliated groups such as Sandworm (APT44) and Fancy Bear (APT28). Unit 29155 is leading cyber operations against Ukraine and NATO countries for reputational harm, systematic sabotage, data destruction, espionage and intelligence gathering for political assassinations. The unit, intensively using the WisperGate wiper malware, is exploiting vulnerabilities in Confluence data centers and servers (CVE-2022-26134/8) and in Sophos firewalls (CVE-2022-3236).
GeoServer vulnerability exploited
A vulnerability in GeoServer (CVE-2024-36401), a popular open-source geospatial data sharing server, has been exploited to compromise American tech companies, Indian IT service providers, Belgian government entities, and telecom companies in Thailand and Brazil. The flaw was leveraged in post-compromise for multiple purposes, such as establishing connection with a C2 server, deploying cryptominers or installing a backdoor identified with the Chinese state actor APT41.
Mitigate it
Apply FortiGuard Labs IPS signature “GeoServer.OGC.Eval.Remote.Code.Execution”.
A Chinese group is pivoting towards the Middle East
Amid the ongoing Israel-Gaza conflict, a Chinese cyberespionage state actor named Tropic Trooper (related to APT23) has recently pivoted to attack Middle Eastern targets, especially compromising human rights research organizations. The group was previously known for focusing on the government, healthcare and transportation sectors in East Asian countries. In its Middle East campaign, it has been observed exploiting vulnerabilities in Microsoft Exchange (CVE-2021-34473,CVE-2021-34523, CVE-2021-31207) and in Adobe ColdFusion (CVE-2023-26360) to deploy webshells.
UNC251 (aka Mustang Panda), a Chinese cyberespionage group, is compromising Visual Studio code to target governments in Southeast Asia. The group runs the portable version of code.exe to login to GitHub with its own account, then being redirected to a Visual Studio Code web environment connected to an infected machine. The technique has recently been identified as related to the exploitation of a CheckPoint vulnerability (CVE-2024-24919).
Mitigate it
In Cortex XDR, use the Behavioral Threat Protection, the Credential Gathering Protection and the Anti-Webshell Protection.
Multiple campaigns exploiting old DrayTek flaws
Two old vulnerabilities in DrayTek VigorConnect routers (CVE-2021-20123/4) are actively exploited by multiple threat groups to attack various industries like finance payroll, networking, manufacturing, real estate, telecom, and technology.
Mitigate it
Apply Tenable plugin 154966.
Chinese actors use old Word vulnerabilities against Taiwan
A previously unidentified Chinese state actor, nicknamed Tidrone, has led a cyberespionage campaign against Taiwanese drone manufacturers since early 2024. The attackers apparently used old Microsoft Word vulnerabilities to deploy two backdoors and get persistence on infected systems.
A Microsoft flaw enables the rollback of Windows 10 patches
Microsoft fixed a critical RCE vulnerability (CVE-2024-43491), which might be exploited by threat actors to roll back patches for flaws released between March and August 2024, that affect “optional components” in Windows 10 version 1507. Some of the Windows 10 vulnerabilities are known for having been exploited in the wild.
A MotW bypass vulnerability exploited since 2018
Another actively exploited flaw patched by Microsoft is a vulnerability that allows attackers to bypass the Mark of the Web (MotW) security mechanism (CVE-2024-38217). By exploiting it, attackers crafting shortcut files (.LNK) with non-standard target paths can remove the MotW flag and get around Smart App Control (SAC) protections. The flaw has been exploited, at least, since 2018.
A vulnerability allows to bypass airport security check
CISA is monitoring eventual exploitations of a vulnerability in FlyCASS, a third-party service for airlines, after cybersecurity researchers discovered an SQL injection flaw allowing to bypass airport security systems. The researchers even succeeded in gaining admin privileges to the system of a specific airline, and in registering new employees as pilots – which would eventually let them board a flight without any security check.
Vulnerabilities potentially affecting election polls
Two XSS vulnerabilities have been found in Gallup’s website, potentially leading to account takeover. Amid accusations against Russian and Iranian campaigns aimed at spreading disinformation about the upcoming US elections, the issue has raised concerns of potential exploitation. Gallup is the leading polling organization in the US.
NoName joins RansomHub
NoName (aka Cosmic Beetle), a notorious cybercrime group that in the past utilized the leaked LockBit builder and mostly targeted SMBs, has recently become an affiliate of RansomHub – one of the leading ransomware groups worldwide, recently responsible for various high-profile attacks. With a new ransomware strain nicknamed ScRansom, NoName is now targeting various sectors, such as manufacturing, pharmaceuticals, healthcare, technology, hospitality, financial services, and regional government. To get initial access, NoName exploits diverse vulnerabilities such as in Veeam (CVE-2023-27532), FortiOSSSL-VPN (CVE-2022-42475), Microsoft Active Directory (CVE-2021-42287, CVE-2021-42278) and the ZeroLogon flaw (CVE-2020-1472).
Mitigate it
Mitigate it
Mitigate it
Sources
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/
- https://media.defense.gov/2024/Sep/05/2003537870/-1/-1/0/CSA-Russian-Military-Cyber-Target-US-Global-CI.PDF
- https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
- https://securelist.com/new-tropic-trooper-web-shell-infection/113737/
- https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
- https://www.securityweek.com/draytek-vulnerabilities-added-to-cisa-kev-catalog-exploited-in-global-campaign/
- https://www.acronis.com/en-us/cyber-protection-center/posts/operation-worddrone-drone-manufacturers-are-being-targeted-in-taiwan/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43491
- https://thehackernews.com/2024/08/researchers-uncover-flaws-in-windows.html
- https://www.securityweek.com/cisa-responds-after-disclosure-of-controversial-airport-security-bypass-vulnerability/
- https://checkmarx.com/blog/critical-xss-vulnerabilities-identified-on-gallup-com/
- https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/