Weekly Threat Landscape Digest – Week 52
This week’s cybersecurity digest highlights critical vulnerabilities across widely used platforms, advanced threat actor activity, and emerging security advisories. Organizations are urged to address these threats promptly to mitigate the associated risks.
Vulnerabilities
- High-Severity Vulnerability in Next.js
Details:
A high-severity vulnerability (CVE-2024-51479) in Next.js allows unauthorized access to pages directly under the root directory when authorization is performed in middleware.
- Severity: CVSS 7.5 (High)
- Impact: Attackers can bypass authorization to access sensitive data.
Affected Versions:
Next.js 9.5.5 through 14.2.14.
Mitigation:
Upgrade to version 14.2.15 or later. For Vercel-hosted applications, the vulnerability is automatically mitigated.
References:
National Vulnerability Database
- Critical Vulnerabilities in Sophos Firewall
Details:
Sophos has released patches for three vulnerabilities:
- CVE-2024-12727 (SQL Injection): Allows remote attackers to access databases, potentially leading to remote code execution.
- CVE-2024-12728 (Insecure SSH Passphrase): Enables privilege escalation via reused SSH passphrases.
- CVE-2024-12729 (Code Injection): Allows authenticated users to execute arbitrary code.
Affected Versions:
Sophos Firewall v21.0 GA and older.
Mitigation:
Apply hotfixes or upgrade to v21 MR1 and newer. Restrict WAN access to management portals and SSH.
References:
Sophos Security Advisories
- Critical Adobe ColdFusion Bug with PoC Exploit Code
Details:
CVE-2024-53961 is a path traversal vulnerability that allows arbitrary file access. PoC exploit code is publicly available.
- Severity: Priority 1 (Critical)
Affected Versions:
ColdFusion 2023 (before Update 12) and 2021 (before Update 18).
Mitigation:
Install emergency patches within 72 hours and review security configurations as per Adobe’s lockdown guides.
References:
BleepingComputer
- Zero-Day Vulnerability in Craft CMS
Details:
CVE-2024-56145 allows unauthenticated remote code execution due to default PHP configurations.
- Impact: Exploitation via template injection for arbitrary code execution.
Affected Versions:
Craft CMS prior to 5.5.2 and 4.13.2.
Mitigation:
Upgrade to 5.5.2 or 4.13.2 immediately. Disable register_argc_argv in PHP configurations if upgrading is not possible.
References:
Assetnote Report
- Severe Denial-of-Service Vulnerability in Palo Alto PAN-OS
Details:
CVE-2024-3393 is a critical vulnerability in Palo Alto PAN-OS that allows an unauthenticated attacker to trigger a denial of service (DoS) by sending a malicious DNS packet. Repeated exploitation can force a firewall into maintenance mode through repeated reboots, significantly disrupting network operations.
- Severity: CVSS 8.7 (High)
- Impact: Remote DoS without requiring user interaction or elevated privileges.
- Exploitation Trigger: DNS Security logging enabled on affected devices.
Affected Versions:
- PAN-OS 11.2: All versions prior to 11.2.3
- PAN-OS 11.1: All versions prior to 11.1.5
- PAN-OS 10.2: Versions >= 10.2.8 and < 10.2.10-h12; < 10.2.13-h2
- PAN-OS 10.1: Versions >= 10.1.14 and < 10.1.14-h8
Mitigation:
Upgrade to the fixed versions:
- PAN-OS 10.1.14-h8
- PAN-OS 10.2.10-h12
- PAN-OS 11.1.5
- PAN-OS 11.2.3 or later
Workarounds:
- Temporarily disable DNS Security logging:
  - Navigate to Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security.
  - Set “Log Severity” to “none” for all DNS Security categories.
  - Commit the changes.
References:
SOCRadar Report
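The affected-version list above mixes branch ranges with hotfix suffixes (`-hN`), which is easy to misread during an asset review. The following is an added example (not Palo Alto's code or tooling) that parses PAN-OS version strings and checks them against the ranges transcribed from this item. It assumes that the 10.2 branch has two fixed trains (10.2.10-h12 and 10.2.13-h2), so that 10.2.11 through 10.2.13-h1 are also affected; that reading of the "; < 10.2.13-h2" clause is an assumption.

```python
"""Check PAN-OS version strings against the CVE-2024-3393 affected ranges.
Added example; ranges are transcribed from the advisory summary above, and
the two-train reading of the 10.2 branch is an assumption."""
import re

# 10.2.10-h12 -> (10, 2, 10, 12); a release without a hotfix gets hotfix 0,
# so that 10.2.10 < 10.2.10-h12 < 10.2.11 under plain tuple comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version: str) -> tuple:
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# (branch, first affected version inclusive, first fixed version)
AFFECTED_RANGES = [
    ((11, 2), parse_panos("11.2.0"), parse_panos("11.2.3")),
    ((11, 1), parse_panos("11.1.0"), parse_panos("11.1.5")),
    ((10, 2), parse_panos("10.2.8"), parse_panos("10.2.10-h12")),
    ((10, 2), parse_panos("10.2.11"), parse_panos("10.2.13-h2")),  # assumption: second fixed train
    ((10, 1), parse_panos("10.1.14"), parse_panos("10.1.14-h8")),
]


def _format(v: tuple) -> str:
    base = "%d.%d.%d" % v[:3]
    return f"{base}-h{v[3]}" if v[3] else base


def recommended_fix(version: str):
    """Return the fixed version to move to, or None when the version is not affected."""
    v = parse_panos(version)
    for branch, first_affected, fixed in AFFECTED_RANGES:
        if v[:2] == branch and first_affected <= v < fixed:
            return _format(fixed)
    return None


def is_affected(version: str) -> bool:
    return recommended_fix(version) is not None


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    for ver in ["11.2.2", "11.2.3", "10.2.10-h11", "10.2.10-h12", "10.2.12", "10.1.14", "9.1.0"]:
        print(f"{ver:>12}: {'affected, upgrade to ' + recommended_fix(ver) if is_affected(ver) else 'not affected'}")
```

Run it against an exported inventory of firewall versions; a version that parses but matches no branch (for example 9.1.x) is reported as not affected because the advisory does not list it, not because it has been verified safe.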
- Authentication Bypass Vulnerability in Apache HugeGraph-Server
Details:
CVE-2024-43441 is a critical authentication bypass vulnerability in Apache HugeGraph-Server. Disclosed by the Apache Software Foundation on December 25, 2024, this flaw stems from improper handling of JWT (JSON Web Tokens), allowing attackers to bypass authentication mechanisms. Exploitation can lead to unauthorized access to sensitive graph data and operations.
- Severity: Important
- Affected Product: Apache HugeGraph-Server
- Exploit Type: Authentication Bypass
- Exploitable via: JWT manipulation
Affected Versions:
Apache HugeGraph-Server 1.0 to 1.3
Mitigation:
Upgrade to Apache HugeGraph-Server version 1.5.0 as soon as possible.
References:
Apache Advisory
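Authentication bypasses in JWT handling almost always come down to a verifier that trusts something the token itself asserts. The following added example (standard library only, not HugeGraph's code, and not a reproduction of the CVE-2024-43441 bypass, whose details are not on this page) shows the checks a JWT-based auth layer must enforce: the algorithm is pinned server-side rather than read from the header, the HMAC is compared in constant time, and a missing or past `exp` claim is a rejection. `unsigned_token` is a constructed test vector used only to show the verifier rejecting a token that claims `alg: none`.

```python
"""Minimal HS256 JWT issue/verify pair illustrating algorithm pinning,
signature verification and expiry enforcement. Added example using only
the standard library; key and claims below are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Constructed test vector: header says alg 'none', signature segment empty.
    A correct verifier rejects it no matter what the claims say."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_hs256(token: str, key: bytes, now=None):
    """Return (claims, None) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # The server decides the algorithm; the token header never gets a vote.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    # Expiry is mandatory here; a token without exp is treated as invalid.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "missing or expired exp"
    return claims, None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    tok = issue_hs256({"sub": "alice", "exp": int(time.time()) + 300}, key)
    print(verify_hs256(tok, key))
    print(verify_hs256(unsigned_token({"sub": "alice", "exp": 4102444800}), key))
```

Pinning the algorithm to a single expected value is the important line: libraries that let the token's `alg` header select the verification routine are the root of most historical JWT bypasses.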
- Critical Remote Code Execution Vulnerability in Apache MINA
Details:
CVE-2024-52046 is a critical vulnerability in Apache MINA, a network application framework. The flaw exists in the ObjectSerializationDecoder component, which fails to perform adequate security checks on serialized data. Attackers can exploit this to execute arbitrary code by sending specially crafted serialized data, potentially gaining full control of affected systems.
- Severity: CVSS 10.0 (Critical)
- Exploit Type: Remote Code Execution (RCE)
Affected Versions:
- Apache MINA 2.0 through 2.0.26
- Apache MINA 2.1 through 2.1.9
- Apache MINA 2.2 through 2.2.3
Mitigation:
- Upgrade to patched versions:
  - Apache MINA 2.0.27
  - Apache MINA 2.1.10
  - Apache MINA 2.2.4
- After upgrading, configure explicit class allowances for deserialization using the new methods:
  - accept(ClassNameMatcher classNameMatcher)
  - accept(Pattern pattern)
  - accept(String... patterns)
- Review and limit the use of the IoBuffer#getObject() method.
- Implement additional security measures such as input validation and network segmentation.
Important Notes:
- Upgrading alone is insufficient; configuration changes are also required.
- Sub-projects like FtpServer, SSHd, and Vysper are not affected.
- By default, the updated decoder rejects all classes unless explicitly allowed.
References:
National Vulnerability Database
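The fix model here (the decoder rejects every class unless it has been explicitly allowed) is the general answer to deserialization of untrusted data, and the same pattern exists in other runtimes. As an added illustration of that deny-by-default allowlist, the Python example below overrides `pickle.Unpickler.find_class` (the hook the Python documentation recommends for restricting globals) with a pattern allowlist. It is not MINA's API; the Java methods listed above are the ones to configure for MINA itself. Sample pickles and the `datetime.*` pattern are constructed for the demonstration.

```python
"""Deny-by-default deserialization allowlist in Python, illustrating the
model the patched MINA ObjectSerializationDecoder enforces. Added example;
not MINA's code. Sample payloads below are constructed."""
import datetime
import fnmatch
import io
import pickle


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class not matching an allowlist pattern."""

    def __init__(self, stream, allowed_patterns):
        super().__init__(stream)
        self.allowed_patterns = tuple(allowed_patterns)

    def find_class(self, module, name):
        fq = f"{module}.{name}"
        # Patterns use fnmatch syntax, e.g. "datetime.*" or "myapp.dto.Order".
        if any(fnmatch.fnmatchcase(fq, p) for p in self.allowed_patterns):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"class {fq} is not allowlisted")


def load_or_reason(data: bytes, allowed_patterns):
    """Return (object, None) on success or (None, reason) when rejected."""
    try:
        return AllowlistUnpickler(io.BytesIO(data), allowed_patterns).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed samples: a plain dict needs no class lookups at all, while a
# datetime.date instance makes the unpickler resolve datetime.date.
SAMPLE_DICT_PICKLE = pickle.dumps({"status": "ok"})
SAMPLE_DATE_PICKLE = pickle.dumps(datetime.date(2024, 12, 25))


if __name__ == "__main__":
    print(load_or_reason(SAMPLE_DICT_PICKLE, []))          # loads: no classes involved
    print(load_or_reason(SAMPLE_DATE_PICKLE, []))          # rejected: empty allowlist
    print(load_or_reason(SAMPLE_DATE_PICKLE, ["datetime.*"]))  # loads: explicitly allowed
```

The allowlist should name the handful of data-carrier types the protocol actually exchanges; an entry such as `java.*` or `*` defeats the purpose, which is the same caveat the MINA mitigation note makes when it says upgrading alone is insufficient.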
- Critical Vulnerabilities Patched in WPLMS and VibeBP Plugins
Details:
Multiple critical vulnerabilities have been discovered in the WPLMS WordPress theme and its associated VibeBP plugin. Exploiting these flaws could allow attackers to execute remote code, escalate privileges, and inject malicious SQL queries, posing significant risks to website security and data integrity.
WPLMS Theme Vulnerabilities:
- CVE-2024-56046 (CVSS 10.0): Unauthenticated attackers can upload malicious files, potentially leading to remote code execution (RCE).
- CVE-2024-56050 (CVSS 9.9): Authenticated users with subscriber privileges can bypass file upload restrictions.
- CVE-2024-56052 (CVSS 9.9): Similar to CVE-2024-56050, exploitable by users with student roles.
- CVE-2024-56043 (CVSS 9.8): Attackers can register as any role, including Administrator, without authentication.
- CVE-2024-56048 (CVSS 8.8): Low-privilege users can escalate to higher roles, such as Administrator, by exploiting weak role validation.
- CVE-2024-56042 (CVSS 9.3): Permits SQL injection to extract sensitive data or compromise the database.
- CVE-2024-56047 (CVSS 8.5): Allows low-privilege users to execute SQL queries, compromising data integrity or confidentiality.
VibeBP Plugin Vulnerabilities:
- CVE-2024-56040 (CVSS 9.8): Allows attackers to register as privileged users without authentication.
- CVE-2024-56039 (CVSS 9.3): Enables unauthenticated users to inject SQL queries via poorly sanitized inputs.
- CVE-2024-56041 (CVSS 8.5): Authenticated users with minimal privileges can perform SQL injection to compromise or extract database information.
Affected Versions:
- WPLMS Theme: Versions prior to 1.9.9.5.3.
- VibeBP Plugin: Versions prior to 1.9.9.7.7.
Mitigation:
- Upgrade to WPLMS 1.9.9.5.3 or later.
- Upgrade to VibeBP 1.9.9.7.7 or later.
References:
Patchstack Advisory
- Critical Command Injection Vulnerability in Webmin
Details:
CVE-2024-12828 is a critical command injection vulnerability in Webmin, a popular web-based system administration tool. The flaw arises from improper sanitization of user-supplied input in Webmin’s CGI request handling. Authenticated attackers, even with low privileges, can exploit this vulnerability to execute arbitrary commands with root privileges.
- Severity: CVSS 9.9 (Critical)
- Impact:
  - Full server compromise.
  - Unauthorized access to sensitive data.
  - Deployment of malicious scripts and ransomware.
  - Use of compromised servers for further attacks.
Affected Versions:
- Webmin versions prior to 2.111.
Mitigation:
- Upgrade to Webmin version 2.111 or later.
References:
- Critical SQL Injection Vulnerability in Apache Traffic Control
Details:
CVE-2024-45387 is a critical SQL injection vulnerability in Apache Traffic Control, an open-source platform for building large-scale content delivery networks (CDNs). The flaw exists in the Traffic Ops component, allowing privileged users with specific roles (admin, federation, operations, portal, or steering) to execute arbitrary SQL commands against the database via specially crafted PUT requests.
- Severity: CVSS 9.9 (Critical)
- Impact:
  - Data manipulation and unauthorized access.
  - Potential compromise of the Traffic Control system.
  - Risk of broader operational disruption.
Affected Versions:
- Apache Traffic Control 8.0.0 through 8.0.1
Mitigation:
- Upgrade to Apache Traffic Control version 8.0.2 or later.
References:
National Vulnerability Database
Threat Actors
- Cloud Atlas Exploits Microsoft Office Vulnerability
Details:
The Cloud Atlas group exploits CVE-2018-0802 to target high-value organizations in aerospace, government, and economics.
- Attack Chain: Phishing emails deliver malicious RTF templates, downloading the VBShower backdoor and PowerShower module.
Targets:
Countries in Eastern Europe, Central Asia, and others.
Mitigation:
- Apply patches for Microsoft Office.
- Educate employees on phishing risks.
- Monitor traffic for unusual RTF and HTA file activity.
References:
Cybersecurity News
- Rockwell PowerMonitor Exploits Threaten Industrial Systems
Details:
Three critical vulnerabilities in Allen-Bradley PowerMonitor 1000 devices allow unauthorized administrative access, DoS attacks, and remote code execution.
- CVE-2024-12371, CVE-2024-12372, CVE-2024-12373
Mitigation:
Update to firmware version 4.020 or later, restrict device exposure, and implement network segmentation.
References:
SCWorld
- Google Ads Exploited in Malvertising Campaign Targeting Graphic Design Professionals
Details:
A sophisticated malvertising campaign leverages Google Search ads to redirect users in the graphic design and CAD sectors to malicious websites. These websites distribute harmful payloads under the guise of legitimate software.
- Method: Fake domains mimic CAD and graphic design tools to lure users.
- Infrastructure:
  - Two primary IP addresses:
    - 185.11.61[.]243: Active since July 29, 2024, hosting 109 unique domains.
    - 185.147.124[.]110: Active since November 25, 2024, hosting 85 unique domains.
  - Malicious payloads often hosted on platforms like Bitbucket.
Indicators of Compromise (IoCs):
- Malicious IP Addresses:
- 185.11.61[.]243
- 185.147.124[.]110
- Malicious Domains:
- Examples include frecadsolutions[.]cc, planner5design[.]net, onshape3d[.]org, and more. (Full list in advisory links).
Impact:
- Malware infections compromising victim systems.
- Phishing attacks harvesting user credentials.
- System compromise and unauthorized data access.
- Potential data breaches affecting sensitive files and user information.
Mitigation:
For individuals:
- Avoid clicking on ads from unverified sources.
- Download software only from official websites.
- Use browser ad blockers and updated antivirus tools.
For organizations:
- Train employees to recognize phishing and malvertising campaigns.
- Monitor traffic for interactions with malicious domains or IPs.
References:
GBHackers Report
Security Online
AlienVault Pulse
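The organizational mitigation "monitor traffic for interactions with malicious domains or IPs" is only useful if the defanged indicators above are turned into a matcher that handles subdomains correctly and does not fire on look-alike names. The following added example (not from any of the cited advisories) refangs the IoCs listed in this item, separates IPs from domains, and scans constructed proxy log lines in a simple `<timestamp> <client> <destination host>` format; both the log format and the log lines are constructed for the demonstration.

```python
"""Scan proxy/DNS style log lines for the malvertising IoCs listed above.
Added example; the log format and sample lines are constructed. IoC values
are copied, defanged, from the digest item."""
import ipaddress
import re

DEFANGED_IOCS = [
    "185.11.61[.]243",
    "185.147.124[.]110",
    "frecadsolutions[.]cc",
    "planner5design[.]net",
    "onshape3d[.]org",
]


def refang(indicator: str) -> str:
    """Reverse common defanging ('[.]', 'hxxp') so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_index(defanged):
    """Split indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ind in map(refang, defanged):
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            domains.add(ind.rstrip("."))
    return ips, domains


def domain_matches(host: str, domains) -> bool:
    """Exact match or a subdomain of an IoC; 'notplanner5design.net' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed log format: "<timestamp> <client_ip> <destination_host_or_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan(lines, defanged=DEFANGED_IOCS):
    ips, domains = build_index(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, dest = m.groups()
        if dest.lower() in ips or domain_matches(dest, domains):
            hits.append({"ts": ts, "client": client, "dest": dest})
    return hits


# Constructed sample log lines.
SAMPLE_LOG = """\
2024-12-26T10:01:02Z 10.0.0.7 www.example.com
2024-12-26T10:02:15Z 10.0.0.7 cdn.frecadsolutions.cc
2024-12-26T10:03:40Z 10.0.0.9 185.147.124.110
2024-12-26T10:04:01Z 10.0.0.9 notplanner5design.net
""".splitlines()


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} client {hit['client']} contacted IoC {hit['dest']}")
```

The same index can be fed with the full domain list from the advisory links; the suffix check is what keeps `notplanner5design.net` out of the results while still catching any subdomain of a listed domain.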
- Skuld Malware Targeting npm Developers Through Supply Chain Attacks
Details:
Skuld info stealer targets npm developers with malicious packages uploaded via typosquatting. These packages disguise themselves as legitimate tools and exfiltrate sensitive data like passwords, cookies, and browsing history.
- Attack Chain:
  - Malicious packages download and execute Skuld as download.exe.
  - Data exfiltration is conducted via Discord webhooks and C2 servers.
Impact:
- Over 600 downloads of malicious npm packages.
- Credential theft and compromise of development environments.
Mitigation:
- Employ automated tools to detect malicious dependencies.
- Verify npm packages before installation.
- Adopt layered security measures for supply chain threats.
References:
GBHackers Report
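Typosquatting works because a dependency name one or two characters off from the intended package is easy to miss in review. As an added example of the "verify npm packages before installation" mitigation (not the project's or any vendor's tool), the script below reads a package.json, compares every dependency name against the packages the project is expected to use, and flags names within a small edit distance that are not exact matches. The expected-package list and the package.json are constructed; in practice the list would come from the project's approved-dependency inventory.

```python
"""Flag dependency names that sit within a small edit distance of an expected
package name, the characteristic shape of a typosquatted package. Added
example; the expected list and package.json below are constructed."""
import json

# Constructed: the packages this project is expected to depend on.
EXPECTED_PACKAGES = ["lodash", "express", "react", "axios", "chalk"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_deps(package_json_text: str, expected=EXPECTED_PACKAGES):
    """Return [(declared_name, look-alike_expected_name, distance), ...]."""
    manifest = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))
    findings = []
    for name in declared:
        if name in expected:
            continue  # exact match to an approved package
        for known in expected:
            # Allow two edits for longer names, one for short ones, so that
            # short legitimate packages are not flagged against each other.
            limit = 2 if min(len(name), len(known)) >= 6 else 1
            d = edit_distance(name.lower(), known.lower())
            if 0 < d <= limit:
                findings.append((name, known, d))
                break
    return findings


# Constructed package.json: two look-alike names slipped in beside real ones.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-app",
    "dependencies": {"lodash": "^4.17.21", "lodahs": "1.0.0", "expres": "0.0.1", "axios": "^1.6.0"},
    "devDependencies": {"chalk": "^5.0.0", "react-dom": "^18.0.0"},
})


if __name__ == "__main__":
    for name, known, d in suspicious_deps(SAMPLE_PACKAGE_JSON):
        print(f"review '{name}': {d} edit(s) from expected package '{known}'")
```

A name like `react-dom` is not flagged because it is four edits from `react`; the check is deliberately narrow so that it can run as a pre-install gate in CI without drowning reviewers in noise, and it complements rather than replaces registry-side scanning.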
- Lazarus Group Employs New VNC-Based Malware in Operation DreamJob
Details:
The Lazarus Group uses malicious ISO and ZIP archives disguised as job offers to deliver advanced malware strains like CookiePlus. This campaign targets employees in critical industries, including nuclear energy.
- Key Techniques:
  - DLL side-loading using trojanized VNC utilities.
  - Encrypted payload delivery from WordPress-based C2 servers.
Impact:
- Espionage and operational disruptions in critical sectors.
- Persistent system compromises via modular malware techniques.
Mitigation:
- Avoid opening unsolicited archives or attachments.
- Employ robust endpoint detection tools.
- Monitor for C2 traffic and implement least privilege access controls.
References:
GBHackers Report
- NodeStealer Malware Campaign Targets Facebook Ads Manager Credentials
Details:
NodeStealer malware evolves into a Python-based variant to execute advanced data theft, including financial data and Facebook Ads Manager credentials, via spear-phishing campaigns.
- Infection Chain:
  - Delivered through spear-phishing emails containing malicious links.
  - Utilizes DLL sideloading and PowerShell commands to deploy a Python-based infostealer.
IoCs:
- Malicious DLL: oledlg.dll
- Malicious download link: hxxps://t[.]ly/MRAbJ
Impact:
- Theft of credit card data, browser credentials, and Facebook Ads Manager accounts.
- Potential financial fraud and data compromise.
Mitigation:
- Avoid suspicious emails and links.
- Deploy advanced endpoint protection solutions.
- Regularly update software to patch known vulnerabilities.
References:
ADGM Advisory Report
- OilRig Cyber Espionage Campaign Targeting Middle Eastern Sectors
Details:
OilRig, also known as APT34 or Helix Kitten, continues to target critical sectors in the Middle East through advanced cyber espionage campaigns. The group specializes in leveraging sophisticated malware, zero-day vulnerabilities, and supply chain compromises.
Key Observations:
- Evolution of Tools and Tactics:
  - Early campaigns featured the Helminth backdoor for stealth and persistence.
  - Recent campaigns employ advanced malware like QUADAGENT, ISMAgent, and STEALHOOK.
  - Exploitation of vulnerabilities such as CVE-2024-30088 (Windows Kernel) for SYSTEM-level access.
- Notable Campaigns:
  - Supply Chain Attacks: Targeting compromised accounts within technology providers.
  - QUADAGENT Campaign (2018): PowerShell-based malware used for stealthy network infiltration.
- Tactics, Techniques, and Procedures (TTPs):
  - Initial Access: Spearphishing via platforms like LinkedIn.
  - Execution: PowerShell scripting for stealthy command execution.
  - Persistence: Scheduled tasks and obfuscated payloads.
  - Defense Evasion: Techniques like base64 encoding and Invoke-Obfuscation.
  - Credential Access: Tools like Mimikatz and LaZagne for extracting plaintext credentials.
  - Exfiltration: Use of FTP and DNS tunneling for undetected data extraction.
Indicators of Compromise (IoCs):
| File Name | SHA256 Hash |
|---|---|
| QUADAGENT | d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de |
| OilRig ThreeDollars | 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c |
| mscom.exe | 0ca0febadb1024b0a8961f21edbf3f6df731ca4dd82702de3793e757687aefbc |
| People List.xls | 9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777 |
| Dell.exe | 5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b |
Mitigation:
- Review and block IoCs.
- Implement robust email filtering and provide user awareness training.
- Regularly patch and update systems for critical vulnerabilities.
- Deploy endpoint detection and response (EDR) solutions.
- Monitor for suspicious PowerShell and scripting activities.
- Enforce strong access controls and multi-factor authentication.
- Conduct regular security assessments and penetration testing.
References:
Picus Security Analysis
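"Monitor for suspicious PowerShell and scripting activities" is hard to act on while the interesting part of the command line is a base64 blob: PowerShell's `-EncodedCommand` takes base64 of a UTF-16LE string and accepts any unambiguous prefix of the flag name (`-e`, `-ec`, `-enc`, ...). The following added example (not from the cited analysis, and not a complete OilRig signature) pulls the encoded argument out of constructed process-creation log lines, decodes it so the actual script can be reviewed, and tags a few download-and-execute keywords as an illustrative starting point. `encode_command` exists only to build the sample log line; the log format and keyword list are constructed.

```python
"""Decode PowerShell -EncodedCommand arguments found in process-creation logs
so the underlying script can be reviewed. Added example; log lines, the
log format and the keyword list are constructed for illustration."""
import base64
import re
import shlex

ENC_FLAG = "encodedcommand"
# Illustrative review keywords, matched against the decoded script.
REVIEW_KEYWORDS = ("invoke-expression", "downloadstring", "frombase64string", "net.webclient")


def encode_command(script: str) -> str:
    """Produce the value PowerShell expects after -EncodedCommand
    (UTF-16LE text, base64). Used here only to build a sample log line."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries an encoded
    command, otherwise None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows-style quoting intact
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        # Any prefix of "encodedcommand" is accepted by PowerShell, so -e, -ec,
        # -enc and the full flag all count; -ex (ExecutionPolicy) does not.
        if tok[:1] in "-/" and flag and ENC_FLAG.startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but the argument is not a valid payload
    return None


def triage(log_lines):
    """Return one finding per log line that carried an encoded command."""
    findings = []
    for line in log_lines:
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            continue
        hits = [k for k in REVIEW_KEYWORDS if k in decoded.lower()]
        findings.append({"line": line, "decoded": decoded, "keywords": hits})
    return findings


# Constructed process-creation records in a simple key=value format.
SAMPLE_LOGS = [
    "EventID=4688 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    "EventID=4688 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -enc " + encode_command("Write-Output 'inventory check'"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print("decoded:", f["decoded"], "| keywords:", f["keywords"] or "none")
```

Decoding is the point here rather than alerting on the flag itself: encoded commands are common in legitimate administration, so the decoded script, not the presence of `-enc`, is what a detection rule or an analyst should judge.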
Advisories
- Microsoft 365 Deactivation Errors
Details:
“Product Deactivated” errors due to licensing changes were resolved via a service-side patch.
- Impact: Temporary disruptions for users.
Mitigation:
Reactivate affected apps or sign out and sign back in.
References:
BleepingComputer
- Exploitation of G-Door Vulnerability in Microsoft 365 Security via Google Docs
Details:
The G-Door vulnerability allows malicious actors to exploit unmanaged Google Docs accounts linked to corporate email domains. This bypasses Microsoft 365 security controls, such as Conditional Access, device compliance, and multi-factor authentication (MFA).
- Attack Method:
  - Attackers create Google accounts using corporate email domains, bypassing Conditional Access policies and avoiding visibility in Microsoft 365 Admin Center logs.
  - Sensitive data on Google Docs is outside Microsoft’s DLP or Azure Information Protection controls.
Impact:
- Circumvents Conditional Access, device compliance, and geolocation controls.
- Exposes sensitive data outside corporate security policies.
- Maintains persistent access to third-party applications.
Mitigation:
- Implement strict domain verification for Google Workspace.
- Audit and manage unmanaged accounts linked to corporate domains.
- Educate users about the risks of using work emails for personal accounts.
References:
Cybersecurity News Report