Weekly Threat Landscape Digest – Week 46
As cybersecurity threats and challenges continually adapt, organizations must remain vigilant against emerging threats and vulnerabilities. This week’s digest highlights critical vulnerabilities in widely used software, sophisticated malware campaigns, and significant data breaches.
Vulnerabilities
SQL Injection Vulnerabilities in ManageEngine Products
Multiple SQL injection vulnerabilities have been identified in ManageEngine’s ADAudit Plus, Exchange Reporter Plus, and ADManager Plus. Exploiting these vulnerabilities could allow authenticated attackers to execute arbitrary SQL queries, potentially compromising sensitive data and escalating access within the system.
- Affected Products and CVEs–
- ADAudit Plus– CVE-2024-5608, CVE-2024-36485 (Builds below 8121)
- Exchange Reporter Plus– CVE-2024-9459 (Builds 5718 and below)
- ADManager Plus– CVE-2024-48878 (Version 7241 and older)
- Mitigation–
- Immediate patching is advised by updating affected products to their respective fixed versions.
- Conduct an access review to ensure only essential personnel have access to these applications.
Multiple Vulnerabilities in HPE Aruba Networking Access Points
The UAE Cyber Security Council has flagged multiple vulnerabilities in HPE Aruba Networking Access Points that enable unauthorized access and control over devices. These critical issues could lead to unauthorized command execution and file manipulation, posing significant risks to network infrastructure.
- CVE Details
- CVE-2024-42509– Unauthenticated command injection via CLI service (CVSS 9.8)
- CVE-2024-47460 to CVE-2024-47464– Command injection and path traversal vulnerabilities enabling privilege escalation
- Affected Versions–
- AOS-10.4.x.x– 10.4.1.4 and below
- Instant AOS-8.12.x.x– 8.12.0.2 and below
- Mitigation–
- Update to secure versions- AOS-10.7.0.0+, AOS-10.4.1.5+, Instant AOS-8.12.0.3+
- Further details can be found in HPE’s Advisory
Veeam Backup Enterprise Manager Vulnerability
A critical authentication bypass vulnerability in Veeam Backup Enterprise Manager (VBEM) could allow attackers to intercept and manipulate data via a Man-in-the-Middle (MITM) attack, posing severe risks to sensitive backup data and configurations.
- CVE ID– CVE-2024-40715
- Affected Version– 12.2.0.334 and earlier
- Impact– Unauthorized access to sensitive backup data and alteration of backup configurations
- Mitigation–
- Apply the hotfix for version 12.2.0.334 or upgrade older versions as advised.
Critical Remote Code Execution Vulnerability in Palo Alto Networks PAN-OS Management Interface
On November 8, 2024, Palo Alto Networks issued a security advisory concerning a potential Remote Code Execution (RCE) vulnerability affecting the PAN-OS management interface of their next-generation firewalls. While specific details about the vulnerability are still under investigation, the company has emphasized the importance of securing the management interface to prevent unauthorized access.
Affected Versions:
- PAN-OS versions with internet-exposed management interfaces
Recommended Mitigation Measures:
- Restrict Management Interface Access: Ensure the management interface is not accessible from the internet. Limit access exclusively to trusted internal IP addresses.
- Isolate the Management Interface: Place the management interface on a dedicated management VLAN to segregate it from other network traffic.
- Utilize Jump Servers: Employ jump servers for administrative access. Administrators should authenticate and connect to the jump server before accessing the firewall or Panorama.
- Enforce IP Whitelisting: Configure the management interface to accept connections only from approved management devices, reducing the risk of unauthorized access.
- Permit Secure Protocols Only: Allow only secure communication protocols such as SSH and HTTPS for management activities.
- Limit ICMP Access: Restrict the use of PING to testing connectivity to the interface, preventing potential misuse.
Threat Actors
SteelFox Trojan Campaign
SteelFox is a sophisticated trojan bundle that targets users globally through fake software activators and cracked software downloads. Distributed through torrent sites and forums, this malware campaign includes stealer and cryptocurrency mining components that pose a significant threat to users’ data and computing resources.
- Infection Chain– SteelFox masquerades as software updates for applications like Foxit PDF Editor or AutoCAD. Once downloaded, it establishes persistence on systems as a Windows service and uses C++ libraries (Boost.Asio) for encrypted communication with command and control (C2) servers.
- Capabilities–
- Steals credentials, credit card information, and browser data.
- Persistent backdoor access using SSL and TLSv1.3 encryption.
- Indicators of Compromise (IoCs)–
- File Hashes–
- Payload– fb94950342360aa1656805f6dc23a1a0
- Loader Files–
- 5029b1db994cd17f2669e73ce0a0b71a (lpsad.exe)
- 69a74c90d0298d2db34b48fa6c51e77d (AGSService.exe)
- 84b29b171541c8251651cabe1364b7b6 (FoxitPDFEditorUpdateService.exe)
- Additional Hashes–
- 015595d7f868e249bbc1914be26ae81f, 040dede78bc1999ea62d1d044ea5e763, and others
- File Paths–
- C-\Program Files (x86)\Foxit Software\Foxit PDF Editor\plugins\FoxitPDFEditorUpdateService.exe
- C-\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
- C-\Program Files\Autodesk\AdODIS\V1\Setup\lpsad.exe
- Domains and IPs–
- C2 Domain– hxxps-//ankjdans[.]xyz
- IP Address– 205.185.115[.]5
- Malicious URLs–
- File Hashes–
- hxxps-//github[.]com/DavidNguyen67/CrackJetbrains
- hxxps-//github[.]com/TrungGa123/Active-all-app-Jetbrains/
- hxxps-//github[.]com/tranquanghuy-09/activate-intellij-idea-ultimate/
- hxxps-//github[.]com/TaronSargsyan123/ScaraSimulation
- hxxps-//raw.githubusercontent[.]com/tranquanghuy-09/activate-intellij-idea-ultimate/main/jetbrains-activator.exe
- hxxps-//raw.githubusercontent[.]com/TaronSargsyan123/ScaraSimulation/main/jetbrains-activator.exe
- hxxps-//raw.githubusercontent[.]com/TrungGa123/Active-all-app-Jetbrains/main/jetbrains-activator.exe
- hxxps-//raw.githubusercontent[.]com/DavidNguyen67/CrackJetbrains/main/jetbrains-activator.exe
- hxxps-//www.cloudstaymoon[.]com/2024/05/06/tools-1
- hxxps-//squarecircle[.]ru/Intelij/jetbrains-activator.exe
- hxxps-//drive.google[.]com/file/d/1bhDBVMywFg2551oMmPO3_5VaeYnj7pe5/view?usp=sharing
- hxxps-//github[.]com/cppdev-123
SYS01 Infostealer – Malvertising Campaign
The SYS01 Infostealer is spread through a malvertising campaign that leverages compromised Facebook Business accounts. These accounts impersonate popular brands and trick users into downloading malware-laden ZIP files.
- TTPs–
- Ads mimic well-known brands like Office 365, Netflix, and popular VPN services.
- Malicious ZIP files are bundled with ElectronJS-based applications that steal sensitive information.
- Indicators of Compromise–
- TTPs–
- Malware Hosting Domains
- hxxps-//krouki.com
- hxxps-//kimiclass.com
- hxxps-//goodsuccessmedia.com
- hxxps-//wegoodmedia.com
- hxxps-//socialworldmedia.com
- hxxps-//superpackmedia.com
- hxxps-//eviralmedia.com
- hxxps-//gerymedia.com
- hxxps-//wakomedia.com
- Command and Control (C2) Domains
- hxxps-//musament.top
- hxxps-//enorgutic.top
- hxxps-//untratem.top
- hxxps-//matcrogir.top
- hxxps-//ubrosive.top
- hxxps-//wrust.top
- hxxps-//lucielarouche.co
FakeCall Malware – Targeting Android Users
FakeCall is a highly sophisticated Android malware that uses vishing tactics to manipulate users into disclosing sensitive financial data. It mimics legitimate banking apps and intercepts calls, redirecting users to fraudulent phone numbers.
- Capabilities–
- Call and SMS Interception– Redirects calls to fraudsters and captures SMS messages.
- Remote Device Control– Enables unauthorized access to device functions like camera, microphone, and accessibility permissions.
- Indicators of Compromise–
- Capabilities–
- IP Addresses
- 47.242.149.4
- 47.242.20.245
- 47.242.38.176
- 47.245.63.185
- 47.91.14.5
- 8.209.241.108
- 8.209.250.15
- 8.210.198.162
- 8.218.68.96
- Domains
- allcallpush01.]com
- allcallpush02.]com
- allcallpush09.]com
- allcallpush12.]com
- allcallpush15.]com
- chaowen000.]com
- chaowen006.]com
- chaowen105.]com
- ending052.]com
- tewen006.]com
- tewen007.]com
- vipyaooba.]com
- wending015.]com
Advisory
Amazon Employee Data Breach via Vendor Hack
In November 2024, Amazon confirmed a data breach involving employee information, which resulted from a third-party vendor’s compromise. This breach was linked to the MOVEit Transfer vulnerability, a managed file transfer software developed by Progress Software that has been widely exploited since May 2023.
- Details–
- The threat actor, known as Nam3L3ss, leaked over 2.8 million lines of Amazon employee data on a hacking forum.
- Exposed information includes employee names, contact details, email addresses, and building locations.
- Amazon’s internal systems remain secure, and the breach was limited to third-party vendor systems.
This incident highlights the need for organizations to vet third-party vendors carefully and ensure prompt application of patches to known vulnerabilities.
Reference
- https-//www.manageengine.com/products/exchange-reports/advisory/CVE-2024-9459.html
- https-//www.manageengine.com/products/ad-manager/admanager-kb/cve-2024-48878.html
- https-//www.manageengine.com/products/active-directory-audit/cve-2024-5608.html
- https-//www.manageengine.com/products/active-directory-audit/cve-2024-36485.html
- https-//support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale
- https-//www.veeam.com/kb4682
- https-//securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/
- https-//www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/
- https-//www.zimperium.com/blog/mishing-in-motion-uncovering-the-evolving-functionality-of-fakecall-malware/
- https-//www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/
- https-//assets.adgm.com/download/assets/20241108+Cyber+Security+Council+Alert+615.pdf/c8afe66e9d9411ef972bc6d72b7e357e
- https-//assets.adgm.com/download/assets/20241108+Cyber+Security+Council+Alert+614.pdf/c8d77c2e9d9411efa0cd36797a16522a