Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.
Victim Location: Global
Threat Actor: UNC5820 Threat Group
Actor Motivation: Espionage, Financial
CVEs: CVE-2024-47575
In October 2024, a critical vulnerability (CVE-2024-47575) in Fortinet’s FortiManager was found under active exploitation by the UNC5820 threat group. This flaw (CWE-306) allows attackers to bypass authentication in the fgfmsd service [1], gaining control over FortiManager devices to execute arbitrary commands and steal sensitive data, including hashed passwords from managed FortiGate devices. The vulnerability has been exploited since June, with attackers staging and exfiltrating configuration files to launch broader attacks across networks.
Figure 1. CISA Added CVE-2024-47575 to its KEV
To protect against this threat, Fortinet recommends updating affected FortiManager versions or applying workaround measures [2]. For further information, read our latest blog for detailed patching and workaround recommendations [3].
Victim Location: Global
Sectors: Any sector using Windows, including government, finance, healthcare, and tech
Actor Motivation: Financial gain, espionage, or domain control
CVEs: CVE-2024-43532
A proof-of-concept (PoC) exploit for CVE-2024-43532, affecting Microsoft's Remote Registry (WinReg) client, has been released. This vulnerability allows attackers to perform an NTLM relay attack by exploiting a fallback mechanism in the WinReg client. When the SMB transport is unavailable, the client switches to older, less secure protocols, enabling attackers to relay NTLM authentication to Active Directory Certificate Services (ADCS) and obtain user certificates for domain access.
The flaw affects Windows Server versions 2008 through 2022, as well as Windows 10 and 11. It was discovered by researcher Stiv Kupchik; Microsoft initially dismissed the report but later confirmed the vulnerability and issued a fix [4]. If exploited, this flaw could allow attackers to fully compromise a Windows domain.
CISA has added CVE-2024-9537, a critical vulnerability in ScienceLogic SL1, to its Known Exploited Vulnerabilities (KEV) catalog following reports of active zero-day exploitation. The flaw, with a CVSS score of 9.3, involves a third-party component that could lead to remote code execution [5]. ScienceLogic has released patches for versions 10.1.x through 12.3.x and later [6].
Figure 2. CISA Added CVE-2024-9537 to its KEV
Rackspace confirmed that the vulnerability led to unauthorized access to three internal monitoring servers [7]. Federal agencies are required to apply the fixes by November 11, 2024 (as shown in Figure 2).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical flaw in SolarWinds Web Help Desk (WHD) software, tracked as CVE-2024-28987, due to active exploitation [8]. The vulnerability, with a CVSS score of 9.1, involves hard-coded credentials that allow unauthorized access and data modification [9].
Disclosed by SolarWinds in August 2024, the flaw enables attackers to remotely access sensitive help desk ticket information, including passwords and service account credentials. CISA has mandated Federal Civilian Executive Branch (FCEB) agencies to apply the latest updates by November 5, 2024, to mitigate the risk.
Figure 3. CISA Added CVE-2024-28987 to its KEV
This comes shortly after a similar vulnerability (CVE-2024-28986) was added to CISA's Known Exploited Vulnerabilities catalog. The extent of real-world exploitation remains unclear.
Here are the most active threat actors that have been observed in the wild in October.
Victim Location: United States, Netherlands, Belgium
Sectors: Government
Threat Actor: Maxim Rudometov (one of RedLine’s developers)
Actor Motivation: Financial Gain, Data Theft
Malware: RedLine, META Infostealers
On October 29, 2024, the U.S. Department of Justice joined an international coalition to disrupt RedLine and META, two widespread infostealers responsible for compromising millions of computers worldwide [10]. This operation, named “Operation Magnus,” was a coordinated effort involving U.S. agencies such as the FBI, IRS Criminal Investigation, and international partners including Europol, Eurojust, and the Dutch and Belgian police.
Infostealers like RedLine and META are malicious software designed to capture sensitive data—such as usernames, passwords, financial details, and cryptocurrency accounts—from infected computers. This stolen information, often referred to as “logs,” is sold on cybercrime forums and used in further attacks. RedLine and META operate under a "Malware as a Service" (MaaS) model, allowing affiliates to purchase licenses and run their own cyber campaigns, often distributed through phishing and fraudulent downloads.
As part of Operation Magnus, law enforcement seized domains, servers, and Telegram channels associated with the malware's administrators. The DOJ also unsealed charges against Maxim Rudometov, one of RedLine’s developers, accusing him of access device fraud, conspiracy, and money laundering. If convicted, he faces up to 35 years in prison.
Victim Organization: Multiple Critical Infrastructure Entities
Victim Location: Global (North America, Europe, Middle East)
Sectors: Healthcare, Government, Energy, Information Technology
Threat Actor: Iranian Cyber Actors
Actor Motivations: Geopolitical, Economic Disruption, Espionage
Malware: Built-in tools, Open-Source Tools (e.g., Cobalt Strike)
CVE: CVE-2020-1472
On October 16, 2024, the FBI, CISA, NSA, CSE, and ASD issued a joint advisory warning about Iranian cyber actors targeting critical infrastructure sectors such as healthcare, government, energy, and information technology. These actors use brute force attacks and multifactor authentication (MFA) push-bombing to gain unauthorized access to networks.
Once inside, they exploit vulnerabilities like Zerologon (CVE-2020-1472) to escalate privileges, perform credential harvesting, and maintain persistent access. Their tactics include lateral movement, credential theft, and exploiting MFA weaknesses, aiming to destabilize critical services and steal sensitive information. The advisory emphasizes the importance of continuous exposure management to defend against these persistent threats.
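The two initial-access techniques named in the advisory, brute force (including password spraying) and MFA push-bombing, both leave a distinctive pattern in authentication logs. The following is an added detection example written for this roundup; it is not Picus code and not code from the CISA advisory. The log line format, the event names (LOGIN_FAIL, MFA_PUSH_SENT, MFA_PUSH_DENIED, MFA_PUSH_APPROVED), the sample lines and the thresholds are all constructed assumptions that would need to be mapped onto a real identity provider's log schema.

```python
"""Heuristic detections for password spraying and MFA push-bombing over
authentication logs. Added example, not from the original roundup or the CISA
advisory. Log format, event names and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO ts> <EVENT> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-10-16T08:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-10-16T08:00:03 LOGIN_FAIL user=bob src=203.0.113.7
2024-10-16T08:00:05 LOGIN_FAIL user=carol src=203.0.113.7
2024-10-16T08:00:07 LOGIN_FAIL user=dave src=203.0.113.7
2024-10-16T08:00:09 LOGIN_FAIL user=erin src=203.0.113.7
2024-10-16T08:00:11 LOGIN_FAIL user=frank src=203.0.113.7
2024-10-16T08:05:00 LOGIN_OK user=alice src=203.0.113.7
2024-10-16T08:05:10 MFA_PUSH_SENT user=alice src=203.0.113.7
2024-10-16T08:05:40 MFA_PUSH_DENIED user=alice src=203.0.113.7
2024-10-16T08:06:10 MFA_PUSH_SENT user=alice src=203.0.113.7
2024-10-16T08:06:40 MFA_PUSH_DENIED user=alice src=203.0.113.7
2024-10-16T08:07:10 MFA_PUSH_SENT user=alice src=203.0.113.7
2024-10-16T08:07:30 MFA_PUSH_DENIED user=alice src=203.0.113.7
2024-10-16T08:08:00 MFA_PUSH_SENT user=alice src=203.0.113.7
2024-10-16T08:08:20 MFA_PUSH_APPROVED user=alice src=203.0.113.7
2024-10-16T09:00:00 LOGIN_FAIL user=grace src=198.51.100.9
2024-10-16T09:30:00 LOGIN_OK user=grace src=198.51.100.9
"""


def parse(log_text):
    """Parse the assumed log format into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": fields["user"], "src": fields["src"]})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source IP failing logins against >= min_users distinct accounts
    inside a sliding window is the signature of password spraying."""
    alerts, per_src = [], defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            per_src[e["src"]].append(e)
    for src, fails in per_src.items():
        fails.sort(key=lambda e: e["ts"])
        recent = deque()
        for e in fails:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:  # drop events outside the window
                recent.popleft()
            users = {r["user"] for r in recent}
            if len(users) >= min_users:
                alerts.append({"rule": "password_spray", "src": src,
                               "users": sorted(users), "at": e["ts"]})
                break  # one alert per source is enough for triage
    return alerts


def detect_push_bombing(events, window=timedelta(minutes=10), min_pushes=3):
    """An account receiving >= min_pushes MFA push prompts inside the window is
    flagged; it is escalated to high severity when a prompt was finally
    approved after earlier denials (the 'fatigue' outcome)."""
    alerts, per_user = [], defaultdict(list)
    for e in events:
        if e["event"].startswith("MFA_PUSH"):
            per_user[e["user"]].append(e)
    for user, mfa in per_user.items():
        mfa.sort(key=lambda e: e["ts"])
        pushes = [e for e in mfa if e["event"] == "MFA_PUSH_SENT"]
        for i in range(len(pushes)):
            j = i
            while j < len(pushes) and pushes[j]["ts"] - pushes[i]["ts"] <= window:
                j += 1
            if j - i >= min_pushes:
                start, end = pushes[i]["ts"], pushes[j - 1]["ts"] + timedelta(minutes=1)
                outcomes = [e["event"] for e in mfa
                            if start <= e["ts"] <= end and e["event"] != "MFA_PUSH_SENT"]
                fatigued = "MFA_PUSH_DENIED" in outcomes and "MFA_PUSH_APPROVED" in outcomes
                alerts.append({"rule": "mfa_push_bombing", "user": user, "pushes": j - i,
                               "denied": outcomes.count("MFA_PUSH_DENIED"),
                               "severity": "high" if fatigued else "medium", "at": start})
                break
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return detect_spray(events) + detect_push_bombing(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the spray rule fires for 203.0.113.7 on the fifth distinct account, and the push rule fires for alice at high severity because three denials were followed by an approval. The single failure from 198.51.100.9 against one account produces nothing, which is the intended behaviour: the thresholds exist to separate a user mistyping a password from a campaign.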
For further information, please visit our latest blog on Iranian cyber attackers [11].
In October 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.
Victim Location: United Kingdom, United States
Sectors: Technology
Actor Motivation: Financial Gain
Malware: Akira, Fog
CVEs: CVE-2024-40711
A critical vulnerability in Veeam Backup & Replication (CVE-2024-40711), rated 9.8/10 on the CVSS scale, is being actively exploited by threat actors to spread Akira and Fog ransomware [12].
This flaw, which allows unauthenticated remote code execution, was patched in September 2024. Attackers are leveraging compromised VPN credentials and exploiting Veeam's URI /trigger on port 8000 to create local accounts and deploy ransomware. In one instance, Fog ransomware was dropped on an unprotected Hyper-V server, while other attempts were unsuccessful. The exploitation has led to warnings from NHS England, highlighting backup and disaster recovery applications as prime targets for cybercriminals.
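The chain described above (a request to the /trigger URI on port 8000, then creation of a local account on the backup server) is something a SOC can correlate across two log sources. The following is an added example written for this roundup, not Picus code and not a Veeam artifact: both log formats, the host names, addresses, account names and the 15-minute correlation window are constructed assumptions.

```python
"""Correlate requests to Veeam's /trigger URI on port 8000 with a subsequent
local account creation on the same host. Added example, not from the original
roundup. Log formats, sample lines and the window are assumptions."""
from datetime import datetime, timedelta

# Constructed web-server log: "<ts> host=<h> dport=<port> method=<m> uri=<u> src=<ip>"
HTTP_LOG = """\
2024-10-05T02:11:04 host=backup01 dport=8000 method=POST uri=/trigger src=192.0.2.44
2024-10-05T02:11:05 host=backup01 dport=9419 method=GET uri=/api/v1/health src=10.0.0.5
2024-10-05T03:00:00 host=backup02 dport=8000 method=GET uri=/trigger src=10.0.0.8
"""

# Constructed host event log: "<ts> host=<h> event=<e> account=<a> [group=<g>]"
HOST_LOG = """\
2024-10-05T02:11:30 host=backup01 event=LOCAL_ACCOUNT_CREATED account=svc_backup
2024-10-05T02:12:10 host=backup01 event=GROUP_MEMBER_ADDED account=svc_backup group=Administrators
2024-10-05T11:00:00 host=backup02 event=LOCAL_ACCOUNT_CREATED account=helpdesk
"""

TRIGGER_URI = "/trigger"   # from the roundup text
TRIGGER_PORT = "8000"      # from the roundup text


def parse_kv(text):
    """Parse '<ts> key=value ...' lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        row = {"ts": datetime.fromisoformat(ts)}
        row.update(pair.split("=", 1) for pair in kv)
        rows.append(row)
    return rows


def find_trigger_hits(http_rows):
    """Every request to the trigger URI on the trigger port is worth reviewing."""
    return [r for r in http_rows
            if r.get("dport") == TRIGGER_PORT and r.get("uri", "").startswith(TRIGGER_URI)]


def correlate(http_text, host_text, window=timedelta(minutes=15)):
    """Escalate a trigger hit to critical when the same host logs a local
    account creation within the window after the request."""
    creations = [r for r in parse_kv(host_text) if r.get("event") == "LOCAL_ACCOUNT_CREATED"]
    alerts = []
    for hit in find_trigger_hits(parse_kv(http_text)):
        followed = [c for c in creations
                    if c["host"] == hit["host"] and hit["ts"] <= c["ts"] <= hit["ts"] + window]
        alerts.append({"host": hit["host"], "src": hit["src"], "at": hit["ts"],
                       "severity": "critical" if followed else "medium",
                       "accounts": [c["account"] for c in followed]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(HTTP_LOG, HOST_LOG):
        print(alert)
```

On the constructed input, backup01 is escalated to critical because the account svc_backup appears 26 seconds after the request, while backup02 stays at medium: its account creation is hours later and may be routine, but the trigger hit itself still deserves a look. The group-membership event is left in the sample deliberately; extending the correlation to flag the new account being added to Administrators is the natural next step.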
Additionally, other ransomware variants like Lynx, Trinity, and BabyLockerKZ are emerging ([13], [14], [15] respectively), often using publicly available tools for credential theft and lateral movement within compromised systems. These ransomware attacks typically use double extortion tactics, exfiltrating data before encrypting it to increase pressure on victims to pay.
[1] “FGFM - FortiGate to FortiManager Protocol.” Available: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/373486/fgfm-fortigate-to-fortimanager-protocol. [Accessed: Oct. 30, 2024]
[2] “PSIRT,” FortiGuard Labs. Available: https://fortiguard.com/psirt/FG-IR-24-423. [Accessed: Oct. 30, 2024]
[3] S. Özeren, “CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained,” Oct. 24, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-47575-fortimanager-missing-authentication-zero-day-vulnerability-explained. [Accessed: Oct. 30, 2024]
[4] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43572. [Accessed: Oct. 30, 2024]
[5] The Hacker News, “CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack,” The Hacker News, Oct. 22, 2024. Available: https://thehackernews.com/2024/10/cisa-adds-sciencelogic-sl1.html. [Accessed: Oct. 30, 2024]
[6] ATCP, “ScienceLogic Security Update Advisory (CVE-2024-9537),” ASEC, Oct. 21, 2024. Available: https://asec.ahnlab.com/en/84007/. [Accessed: Oct. 30, 2024]
[7] “Detailed Status - Rackspace System Status.” Available: https://rackspace.service-now.com/system_status?id=detailed_status&service=4dafca5a87f41610568b206f8bbb35a6. [Accessed: Oct. 30, 2024]
[8] The Hacker News, “CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability,” The Hacker News, Oct. 16, 2024. Available: https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-in.html. [Accessed: Oct. 30, 2024]
[9] The Hacker News, “Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk,” The Hacker News, Aug. 22, 2024. Available: https://thehackernews.com/2024/08/hardcoded-credential-vulnerability.html. [Accessed: Oct. 30, 2024]
[10] Dissent, “U.S. Joins International Action Against RedLine and META Infostealers; unseals charges against Maxim Rudometov (1).” Available: https://databreaches.net/2024/10/29/u-s-joins-international-action-against-redline-and-meta-infostealers-unseals-charges-against-maxim-rudometov/. [Accessed: Oct. 30, 2024]
[11] S. Özeren, “Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A,” Oct. 18, 2024. Available: https://www.picussecurity.com/resource/blog/cisa-alert-aa24-290a-iranian-cyber-actors-brute-force-and-credential-access-attacks. [Accessed: Oct. 30, 2024]
[12] The Hacker News, “Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware,” The Hacker News, Oct. 14, 2024. Available: https://thehackernews.com/2024/10/critical-veeam-vulnerability-exploited.html. [Accessed: Oct. 30, 2024]
[13] P. K. Chhaparwal, M. Yates, and B. Chang, “Lynx Ransomware: A Rebranding of INC Ransomware,” Unit 42, Oct. 10, 2024. Available: https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/. [Accessed: Oct. 30, 2024]
[14] “Trinity Ransomware.” Available: https://www.broadcom.com/support/security-center/protection-bulletin/trinity-ransomware. [Accessed: Oct. 30, 2024]
[15] T. Pereira, “Threat actor believed to be spreading new MedusaLocker variant since 2022,” Cisco Talos Blog, Oct. 03, 2024. Available: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/. [Accessed: Oct. 30, 2024]