Weekly Threat Landscape Digest – Week 1

HawkEye CSOC Kuwait

This week’s cybersecurity digest highlights critical vulnerabilities and urgent advisories. Organizations are urged to take immediate action to address these threats and reduce potential risks.

Vulnerabilities

  1. Critical Windows LDAP Vulnerabilities

Details: Microsoft has disclosed two critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP), impacting Active Directory Domain Controllers (DCs) and Windows Servers. These vulnerabilities pose severe risks of remote code execution and denial of service.

  • CVE-2024-49112: Remote Code Execution vulnerability with a CVSS score of 9.8.
  • CVE-2024-49113: Denial of Service vulnerability with a CVSS score of 7.5.
  • Proof-of-concept (PoC) exploit for CVE-2024-49113 developed by SafeBreach Labs demonstrates the risks.

Mitigation:

  • Apply Microsoft’s December 2024 security updates immediately.
  • Monitor systems for unusual activity involving DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls.

References:

https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113

  2. Critical Security Update for Dell OpenManage Server Administrator

Details: A critical vulnerability (CVE-2024-52316) in Apache Tomcat within Dell OpenManage Server Administrator (OMSA) allows unauthenticated attackers to bypass authentication, potentially compromising system security.

Mitigation:

  • Update affected installations to Version 11.1.0.0 or later.

References:

  3. High-Severity Vulnerabilities in ASUS Routers

Details: Two vulnerabilities (CVE-2024-12912 and CVE-2024-13062) in ASUS routers could allow unauthorized command execution, compromising devices and networks.

Mitigation:

  • Update Firmware: Upgrade to the latest version immediately.
  • Disable External Services: Turn off internet-exposed services like remote access and port forwarding.

References:

  4. Exploited Vulnerability in Four-Faith Routers

Details: A vulnerability (CVE-2024-12856) in Four-Faith router models F3x24 and F3x36 allows remote OS command injection via the /apply.cgi endpoint. The vulnerability is actively being exploited in the wild, enabling attackers to establish a reverse shell and compromise devices.

  • Severity: CVSS 7.2 (High)

Mitigation:

  • Update Firmware: Install the latest firmware from Four-Faith.
  • Change Default Credentials: Replace default usernames and passwords with strong, unique credentials.
  • Restrict Internet Exposure: Use firewalls and VPNs to limit access to trusted networks.

References:

  5. Multiple Vulnerabilities in Azure Data Factory’s Apache Airflow Integration

Details: Security flaws in Azure Data Factory’s Apache Airflow integration and related services (e.g., Azure Key Vault, Amazon Bedrock) expose sensitive data and infrastructure to attacks. Exploitation could allow shadow administrative control over AKS clusters and deep penetration into Azure environments.

Mitigation:

  • Access Controls: Secure DAG files and storage accounts.
  • Secure Git Repositories: Rotate credentials regularly and implement strong access controls.
  • Enhance Authentication: Strengthen mechanisms for Azure services like Geneva.

References:

  6. D-Link End-of-Life Routers Vulnerable to Botnet Exploits

Details: D-Link has issued a critical advisory urging users to replace legacy router models that have reached End-of-Life (EOL) and End-of-Support (EOS) status. These devices are being exploited by botnets “Ficora” and “Capsaicin,” leveraging multiple vulnerabilities such as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.

  • Affected Models and EOL Dates:
    • DIR-645: EOL as of December 31, 2018.
    • DIR-806: EOL as of February 1, 2016.
    • GO-RT-AC750: EOL as of February 29, 2016.
    • DIR-845L: EOL as of March 1, 2016.
  • Exploitation Impact:
    • Theft of sensitive data.
    • Execution of unauthorized shell scripts.
    • Large-scale Distributed Denial-of-Service (DDoS) operations.

Mitigation:

  • Retire and replace affected router models immediately.
  • Ensure devices are updated with the latest firmware.
  • Use strong, unique passwords and enable robust Wi-Fi encryption.

References:


  7. Chrome Extension Supply Chain Attack

A phishing campaign has compromised 36 Chrome browser extensions, affecting approximately 2.6 million users. Attackers injected malicious code into legitimate extensions, enabling data exfiltration and credential harvesting. Extensions affected include AI assistants, VPNs, and productivity tools.

  • Impact: Data theft, access token harvesting, and exposure of sensitive user information.
  • Indicators of Compromise:
    • Malicious Extension Version: 24.10.4
    • C&C Domains: cyberhavenext[.]pro, api.cyberhaven[.]pro
    • IPs: 149.28.124[.]84, 149.248.2[.]160

Mitigation:

  • Remove or disable affected extensions.
  • Rotate credentials and API tokens.
  • Conduct an audit of Chrome extensions in use.
  • Implement strict whitelisting policies and advanced monitoring.
  • Educate users on browser extension risks.

References:


  8. Critical Vulnerabilities in Progress Software’s WhatsUp Gold

Progress Software has disclosed three vulnerabilities in its WhatsUp Gold network monitoring software, two of which are critical. These flaws could allow attackers to gain control over the server, configure sensitive settings, or extract sensitive information.

  • CVE-2024-12108: CVSS 9.6 (Critical)
    • Description: Allows attackers to control the server via the public API.
    • Impact: Full system compromise and unauthorized data access.
  • CVE-2024-12106: CVSS 9.4 (Critical)
    • Description: Enables unauthenticated attackers to configure LDAP settings.
    • Impact: Potential for data breaches and unauthorized access.
  • CVE-2024-12105: CVSS 6.5 (Medium)
    • Description: Allows authenticated users to extract sensitive information.
    • Impact: Disclosure of sensitive system data.

Affected Versions:

  • WhatsUp Gold versions prior to 24.0.2

Mitigation:

  • Update to WhatsUp Gold version 24.0.2 immediately.

References:


  9. Exploited Vulnerability in Oracle WebLogic Server

Oracle WebLogic Server is affected by a remote code execution (RCE) vulnerability (CVE-2024-21182) that is actively being exploited in the wild. The flaw exists in the handling of the T3 and IIOP protocols, which are often enabled by default, allowing unauthenticated attackers to execute arbitrary code remotely.

  • CVSS Score: 7.5 (High)
  • Impact: Full system compromise and unauthorized access to critical data.
  • Risk: High. The availability of a proof-of-concept (PoC) exploit increases the likelihood of active exploitation.

Affected Versions:

  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle WebLogic Server 14.1.1.0.0

Mitigation:

  • Disable the T3 and IIOP protocols immediately if not required.
  • Monitor Oracle’s site for the release of an official patch and apply it as soon as available.
  • Conduct network monitoring to detect exploitation attempts.
  • Regularly update and harden system configurations.

References:


  10. High-Severity Vulnerability in TrueNAS CORE

TrueNAS CORE, a widely used open-source network-attached storage (NAS) operating system, is affected by a directory traversal vulnerability (CVE-2024-11944) in the tarfile.extractall method. This flaw allows unauthenticated, network-adjacent attackers to execute arbitrary code remotely.

  • CVSS Score: 7.5 (High)
  • Impact:
    • Arbitrary code execution with root-level privileges.
    • Unauthorized access to sensitive data.
    • Potential malware installation and file corruption.
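The flaw above is an archive extraction that can write outside the directory it was meant to populate. The following is an added example, not code from TrueNAS or from the advisory, showing the path check a defender applies before calling tarfile.extractall: it builds a constructed archive containing a "../" member and an absolute-path member (names invented for this example), flags both, and only extracts archives that pass the check. Helper names (build_sample_tar, unsafe_members, safe_extractall, demo) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar(include_hostile: bool = True) -> bytes:
    """Build a constructed in-memory archive for the demo.

    With include_hostile=True it holds one benign member plus the two member
    kinds a traversal archive relies on: a '../' relative path and an absolute
    path. Member names and contents are invented for this example.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        members = [("config/settings.json", b'{"ok": true}\n')]
        if include_hostile:
            members += [
                ("../../etc/cron.d/demo", b"# constructed hostile member\n"),
                ("/usr/local/bin/demo", b"# constructed hostile member\n"),
            ]
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(root: str, candidate: str) -> bool:
    """True if candidate (already resolved) is root or lies below root."""
    return os.path.commonpath([root, candidate]) == root


def unsafe_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Return names of members whose extraction target escapes dest.

    Checks the member path itself and, for symlinks and hardlinks, the link
    target, since a link pointing outside dest is a second escape route.
    """
    root = os.path.realpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(root, member.name))
            if not _inside(root, target):
                flagged.append(member.name)
                continue
            if member.issym():
                link = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():
                link = os.path.join(root, member.linkname)
            else:
                continue
            if not _inside(root, os.path.realpath(link)):
                flagged.append(member.name)
    return flagged


def safe_extractall(tar_bytes: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive has passed the path check.

    Where the interpreter supports PEP 706 extraction filters, the 'data'
    filter is applied as a second line of defence; older interpreters fall
    back to the pre-check alone. Returns the relative paths of files written.
    """
    flagged = unsafe_members(tar_bytes, dest)
    if flagged:
        raise ValueError(f"refusing to extract, unsafe members: {flagged}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # 'filter' keyword not available on this interpreter
            tar.extractall(dest)
    written = []
    for base, _dirs, files in os.walk(dest):
        for name in files:
            written.append(os.path.relpath(os.path.join(base, name), dest))
    return sorted(written)


def demo() -> dict:
    """Run the hostile and the benign archive through the guard and report."""
    dest = tempfile.mkdtemp(prefix="tar-guard-demo-")
    flagged = unsafe_members(build_sample_tar(True), dest)
    try:
        safe_extractall(build_sample_tar(True), dest)
        hostile_blocked = False
    except ValueError:
        hostile_blocked = True
    written = safe_extractall(build_sample_tar(False), dest)
    return {"flagged": flagged, "hostile_blocked": hostile_blocked, "written": written}


if __name__ == "__main__":
    print(demo())
```

The pre-check resolves every member against the real extraction root before anything is written, so a single hostile member rejects the whole archive rather than leaving a half-extracted tree behind; the PEP 706 filter is kept as defence in depth where it is available.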

Affected Versions:

  • TrueNAS CORE versions prior to 13.0-U6.3

Mitigation:

  • Update to TrueNAS CORE version 13.0-U6.3 or later immediately.

References:


  11. Exploited Vulnerability in Palo Alto Networks PAN-OS

Palo Alto Networks’ PAN-OS software is affected by a critical vulnerability (CVE-2024-3393) in its DNS Security feature. This flaw is currently being exploited in the wild, enabling attackers to disrupt firewall operations, potentially leading to a denial-of-service (DoS) state.

  • CVSS Score: 8.7 (High)
  • Impact: Repeated exploitation can force firewalls into maintenance mode, disrupting operations.

Affected Versions:

  • PAN-OS 11.2: Versions < 11.2.3
  • PAN-OS 11.1: Versions < 11.1.5
  • PAN-OS 10.2: Versions >= 10.2.8 and < 10.2.10-h12 or < 10.2.13-h2
  • PAN-OS 10.1: Versions >= 10.1.14 and < 10.1.14-h8
  • Prisma Access: Versions >= 10.2.8 and < 11.2.3

Fixed Versions:

  • PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later.

Exploitation Details:

  • Attackers send specially crafted DNS packets through the firewall’s data plane, causing a reboot and potential DoS state.

Mitigation:

  • Update to fixed PAN-OS versions immediately.

References:


  12. Critical Vulnerability in libxml2

A critical vulnerability (CVE-2024-40896) in the libxml2 XML parsing library has been identified, allowing attackers to exploit the SAX parser to conduct XML External Entity (XXE) attacks. This flaw poses significant risks, including unauthorized access, system compromise, and data theft.

  • CVSS Score: 9.1 (Critical)
  • Impact:
    • Unauthorized access to sensitive information.
    • Remote Code Execution (RCE) in misconfigured environments.
    • Denial of Service (DoS) attacks.

Affected Versions:

  • 2.11: Versions before 2.11.9.
  • 2.12: Versions before 2.12.9.
  • 2.13: Versions before 2.13.3.

Mitigation:

  • Update to libxml2 versions 2.11.9, 2.12.9, or 2.13.3 immediately.

References:


  13. Local Privilege Escalation Vulnerability in Ivanti Automation

Ivanti Automation is affected by a local privilege escalation vulnerability (CVE-2024-9845) due to insecure permissions on specific files and directories in the installation path. This flaw allows local authenticated attackers to gain elevated privileges on affected systems.

  • CVSS Score: 7.8 (High)
  • CWE: CWE-276 (Incorrect Default Permissions)
  • Impact: Escalation to administrative or root privileges, potentially compromising system security.

Affected Versions:

  • Ivanti Automation 2024.4 and prior.

Resolved Version:

  • Ivanti Automation 2024.4.0.1 and later.

Mitigation:

  • Update to version 2024.4.0.1 or later via the Ivanti Download Portal.

References:

https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Automation-CVE-2024-9845?language=en_US 

  14. Critical Vulnerability in Angular Expressions

A critical vulnerability (CVE-2024-54152) in Angular Expressions, a module of the AngularJS web framework, allows remote attackers to exploit crafted expressions to escape the sandbox and execute arbitrary code on affected systems.

  • CVSS Score: 9.3 (Critical)
  • Impact: Exploitation could lead to full system compromise, particularly in web applications processing user input through this module.
  • Proof-of-Concept (PoC): Available, increasing the risk of exploitation in the wild.

Affected Versions:

  • Angular Expressions prior to version 1.4.3.

Resolved Version:

  • Angular Expressions version 1.4.3 and later.

Mitigation:

  • Upgrade to Angular Expressions version 1.4.3 or later immediately.

References:

  15. FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities

Vulnerable D-Link routers are being actively exploited by two botnets, FICORA (a Mirai variant) and CAPSAICIN (a Kaiten/Tsunami variant). These botnets exploit weaknesses in the Home Network Administration Protocol (HNAP) interface via documented vulnerabilities in D-Link devices, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.

  • Impact:
    • Deployment of botnet malware for distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.
    • Brute-force attacks using hard-coded credentials.
    • Shell command execution and malware installation.

FICORA Botnet:

  • Fetches payloads from 103.149.87[.]69 using downloader scripts (e.g., multi).
  • Capable of conducting DDoS and brute-force attacks.

CAPSAICIN Botnet:

  • Uses 87.10.220[.]221 for payload downloads.
  • Communicates with a command-and-control (C2) server at 192.110.247[.]46.
  • Features include executing shell commands, initiating TCP/UDP/DNS flooding attacks, and replacing other botnets on the compromised host.

Attack Activity:

  • FICORA: Global targeting.
  • CAPSAICIN: Primarily active in East Asia, with notable activity between October 21-22, 2024.

Mitigation:

  • Update D-Link router firmware to address known vulnerabilities.
  • Regularly audit network devices for outdated firmware and apply patches.
  • Block known malicious IPs: 103.149.87[.]69, 87.10.220[.]221, and 192.110.247[.]46.
  • Implement robust network monitoring to detect exploit attempts.

References:

https://thehackernews.com/2024/12/ficora-and-kaiten-botnets-exploit-old-d.html 

  16. Malware Campaign – BellaCPP: A New Variant of BellaCiao Malware

The Charming Kitten threat group (APT35) has deployed a new malware variant, BellaCPP, written in C++. This evolution of the BellaCiao malware family was discovered on a compromised machine in Asia. While retaining much of the functionality of BellaCiao, BellaCPP lacks certain web shell features, focusing on loading additional payloads and creating SSH tunnels.

  • Threat Actor: Charming Kitten (APT35, CALANQUE, ITG18).
  • Capabilities:
    • Leverages social engineering and exploits vulnerabilities in Microsoft Exchange Server and Zoho ManageEngine.
    • BellaCPP loads additional DLL payloads, such as D3D12_1core.dll, and establishes SSH tunnels.

Targeting: Highly targeted attacks in the U.S., Middle East, and Asia.

Threat Actors

  1. Cloud Atlas Exploits Microsoft Office Vulnerability

Details:
The Cloud Atlas group exploits CVE-2018-0802 to target high-value organizations in the aerospace, government, and economic sectors.

  • Attack Chain: Phishing emails deliver malicious RTF templates, downloading the VBShower backdoor and PowerShower module.

Targets:
Countries in Eastern Europe, Central Asia, and others.

Mitigation:

  • Apply patches for Microsoft Office.
  • Educate employees on phishing risks.
  • Monitor traffic for unusual RTF and HTA file activity.

References:
Cybersecurity News

  2. Rockwell PowerMonitor Exploits Threaten Industrial Systems

Details:
Three critical vulnerabilities in Allen-Bradley PowerMonitor 1000 devices allow unauthorized administrative access, DoS attacks, and remote code execution.

  • CVE-2024-12371, CVE-2024-12372, CVE-2024-12373

Mitigation:

  • Update to firmware version 4.020 or later.
  • Restrict device exposure.
  • Implement network segmentation.

References:
SCWorld

  3. Google Ads Exploited in Malvertising Campaign Targeting Graphic Design Professionals

Details:
A sophisticated malvertising campaign leverages Google Search ads to redirect users in the graphic design and CAD sectors to malicious websites. These websites distribute harmful payloads under the guise of legitimate software.

  • Method: Fake domains mimic CAD and graphic design tools to lure users.
  • Infrastructure:
    • Two primary IP addresses:
      • 185.11.61[.]243: Active since July 29, 2024, hosting 109 unique domains.
      • 185.147.124[.]110: Active since November 25, 2024, hosting 85 unique domains.
    • Malicious payloads often hosted on platforms like Bitbucket.

Indicators of Compromise (IoCs):

  • Malicious IP Addresses:
    • 185.11.61[.]243
    • 185.147.124[.]110
  • Malicious Domains:
    • Examples include frecadsolutions[.]cc, planner5design[.]net, onshape3d[.]org, and more. (Full list in advisory links).

Impact:

  • Malware infections compromising victim systems.
  • Phishing attacks harvesting user credentials.
  • System compromise and unauthorized data access.
  • Potential data breaches affecting sensitive files and user information.

Mitigation:
For individuals:

  • Avoid clicking on ads from unverified sources.
  • Download software only from official websites.
  • Use browser ad blockers and updated antivirus tools.

For organizations:

  • Train employees to recognize phishing and malvertising campaigns.
  • Monitor traffic for interactions with malicious domains or IPs.

References:
GBHackers Report
Security Online
AlienVault Pulse

  4. Skuld Malware Targeting npm Developers Through Supply Chain Attacks

Details:
Skuld info stealer targets npm developers with malicious packages uploaded via typosquatting. These packages disguise themselves as legitimate tools and exfiltrate sensitive data like passwords, cookies, and browsing history.

  • Attack Chain:
    • Malicious packages download and execute Skuld as download.exe.
    • Data exfiltration is conducted via Discord webhooks and C2 servers.

Impact:

  • Over 600 downloads of malicious npm packages.
  • Credential theft and compromise of development environments.

Mitigation:

  • Employ automated tools to detect malicious dependencies.
  • Verify npm packages before installation.
  • Adopt layered security measures for supply chain threats.

References:
GBHackers Report

  5. Lazarus Group Employs New VNC-Based Malware in Operation DreamJob

Details:
The Lazarus Group uses malicious ISO and ZIP archives disguised as job offers to deliver advanced malware strains like CookiePlus. This campaign targets employees in critical industries, including nuclear energy.

  • Key Techniques:
    • DLL side-loading using trojanized VNC utilities.
    • Encrypted payload delivery from WordPress-based C2 servers.

Impact:

  • Espionage and operational disruptions in critical sectors.
  • Persistent system compromises via modular malware techniques.

Mitigation:

  • Avoid opening unsolicited archives or attachments.
  • Employ robust endpoint detection tools.
  • Monitor for C2 traffic and implement least privilege access controls.

References:
GBHackers Report

  6. NodeStealer Malware Campaign Targets Facebook Ads Manager Credentials

Details:
NodeStealer malware evolves into a Python-based variant to execute advanced data theft, including financial data and Facebook Ads Manager credentials, via spear-phishing campaigns.

  • Infection Chain:
    • Delivered through spear-phishing emails containing malicious links.
    • Utilizes DLL sideloading and PowerShell commands to deploy a Python-based infostealer.

IoCs:

  • Malicious DLL: oledlg.dll
  • Malicious download link: hxxps://t[.]ly/MRAbJ

Impact:

  • Theft of credit card data, browser credentials, and Facebook Ads Manager accounts.
  • Potential financial fraud and data compromise.

Mitigation:

  • Avoid suspicious emails and links.
  • Deploy advanced endpoint protection solutions.
  • Regularly update software to patch known vulnerabilities.

References:
ADGM Advisory Report

  7. OilRig Cyber Espionage Campaign Targeting Middle Eastern Sectors

Details:
OilRig, also known as APT34 or Helix Kitten, continues to target critical sectors in the Middle East through advanced cyber espionage campaigns. The group specializes in leveraging sophisticated malware, zero-day vulnerabilities, and supply chain compromises.

Key Observations:

  1. Evolution of Tools and Tactics:
    • Early campaigns featured the Helminth backdoor for stealth and persistence.
    • Recent campaigns employ advanced malware like QUADAGENT, ISMAgent, and STEALHOOK.
    • Exploitation of vulnerabilities such as CVE-2024-30088 (Windows Kernel) for SYSTEM-level access.
  2. Notable Campaigns:
    • Supply Chain Attacks: Targeting compromised accounts within technology providers.
    • QUADAGENT Campaign (2018): PowerShell-based malware used for stealthy network infiltration.
  3. Tactics, Techniques, and Procedures (TTPs):
    • Initial Access: Spearphishing via platforms like LinkedIn.
    • Execution: PowerShell scripting for stealthy command execution.
    • Persistence: Scheduled tasks and obfuscated payloads.
    • Defense Evasion: Techniques like base64 encoding and Invoke-Obfuscation.
    • Credential Access: Tools like Mimikatz and LaZagne for extracting plaintext credentials.
    • Exfiltration: Use of FTP and DNS tunneling for undetected data extraction.

Indicators of Compromise (IoCs):

  • QUADAGENT (SHA256): d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
  • OilRig ThreeDollars (SHA256): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
  • mscom.exe (SHA256): 0ca0febadb1024b0a8961f21edbf3f6df731ca4dd82702de3793e757687aefbc
  • People List.xls (SHA256): 9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777
  • Dell.exe (SHA256): 5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b

Mitigation:

  • Review and block IoCs.
  • Implement robust email filtering and provide user awareness training.
  • Regularly patch and update systems for critical vulnerabilities.
  • Deploy endpoint detection and response (EDR) solutions.
  • Monitor for suspicious PowerShell and scripting activities.
  • Enforce strong access controls and multi-factor authentication.
  • Conduct regular security assessments and penetration testing.

References:
Picus Security Analysis

Indicators of Compromise (IOCs):

  • MD5 Hash: 222380fa5a0c1087559abbb6d1a5f889
  • MD5 Hash: 14f6c034af7322156e62a6c961106a8c
  • MD5 Hash: 44d8b88c539808bb9a479f98393cf3c7
  • Domain: systemupdate.info

Mitigation:

  • Patch Vulnerabilities: Update all publicly accessible applications, particularly Microsoft Exchange and Zoho ManageEngine.
  • Monitor Suspicious Activity: Watch for unauthorized file execution, SSH tunnels, and unusual traffic.
  • Network Security: Enforce segmentation and strict access control policies.
  • Awareness Training: Educate users on social engineering risks and implement robust email filtering.
  • Endpoint Security: Maintain up-to-date Endpoint Detection and Response (EDR) solutions.

References:

  8. Chrome Extension Supply Chain Attack

A sophisticated phishing campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to data theft and credential harvesting. Threat actors targeted extension developers through the Chrome Web Store, injecting malicious code into legitimate extensions to communicate with command-and-control (C&C) servers and exfiltrate sensitive data.

  • Impact:
    • Exfiltration of cookies, access tokens, and user identity information.
    • Potential account takeovers and credential harvesting.

Compromised Extensions:

  • AI Assistant: ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • TinaMind AI Assistant
  • VPNCity
  • Internxt VPN
  • VidHelper Video Downloader
  • Cyberhaven

Indicators of Compromise (IOCs):

  • Hash: DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF1587944
  • Domains: cyberhavenext[.]pro, api.cyberhaven[.]pro
  • IPs: 149.28.124[.]84, 149.248.2[.]160

Mitigation:

  • Remove or Disable Extensions: Immediately remove compromised extensions from devices.
  • Credential Rotation: Revoke and rotate all affected credentials and API tokens.
  • Audit Chrome Extensions: Conduct thorough audits of extensions used within your organization.
  • Enforce Whitelisting: Implement a strict policy for approved browser extensions.
  • User Education: Provide training to users on the risks of browser extensions and phishing attacks.
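Several items in this digest end with "monitor traffic for" or "block" a list of defanged indicators. As an added example that is not part of the digest or of any vendor's tooling, the following Python script collects the network indicators printed in the items above (the Chrome extension C&C domains and IPs, the FICORA and CAPSAICIN hosts, the malvertising IPs, and the systemupdate.info domain from the BellaCPP IoCs) into a watchlist, refangs them, and scans log lines for matches, treating any subdomain of a listed domain as a match. The log lines, the private source addresses, the benign destinations and the label attached to each indicator are constructed for this example; the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators transcribed from the items above, kept defanged exactly as printed.
# The labels are this example's own note of which item each one came from.
DEFANGED_IOCS = {
    "cyberhavenext[.]pro": "Chrome extension C&C domain",
    "api.cyberhaven[.]pro": "Chrome extension C&C domain",
    "149.28.124[.]84": "Chrome extension C&C IP",
    "149.248.2[.]160": "Chrome extension C&C IP",
    "103.149.87[.]69": "FICORA payload host",
    "87.10.220[.]221": "CAPSAICIN payload host",
    "192.110.247[.]46": "CAPSAICIN C2 server",
    "185.11.61[.]243": "malvertising infrastructure",
    "185.147.124[.]110": "malvertising infrastructure",
    "systemupdate.info": "BellaCPP domain",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared against live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist(defanged: dict) -> tuple[dict, dict]:
    """Split refanged indicators into an IP map and a domain map (value -> label)."""
    ips, domains = {}, {}
    for raw, label in defanged.items():
        value = refang(raw)
        try:
            ips[str(ipaddress.ip_address(value))] = label
        except ValueError:
            domains[value.lower()] = label
    return ips, domains


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    label: str


def scan_log(lines, defanged=DEFANGED_IOCS) -> list[Hit]:
    """Report every line mentioning a watchlisted IP or a watchlisted domain
    (or a subdomain of it). Candidate IPs and hostnames are pulled out with
    regexes, so any text log works without a format-specific parser."""
    ips, domains = build_watchlist(defanged)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(line_no, ip, ips[ip]))
        for host in HOST_RE.findall(line):
            labels = host.lower().split(".")
            # try the host itself, then each parent domain (a.b.c -> b.c)
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in domains:
                    hits.append(Hit(line_no, candidate, domains[candidate]))
                    break
    return hits


def blocklist(defanged=DEFANGED_IOCS) -> list[str]:
    """Refanged, deduplicated IP list in a form a firewall deny rule can consume."""
    ips, _ = build_watchlist(defanged)
    return sorted(ips)


# Constructed proxy/DNS log lines for the demo: timestamps, private sources and
# the benign destinations are invented; the hostile values come from the watchlist.
SAMPLE_LOG = [
    "2024-12-27T09:14:02Z src=10.20.1.15 dst=93.184.216.34 host=www.example.com action=allow",
    "2024-12-27T09:14:09Z src=10.20.1.15 dst=149.28.124.84 host=api.cyberhaven.pro action=allow",
    "2024-12-27T09:15:31Z src=10.20.3.7 dst=103.149.87.69 uri=/multi action=allow",
    "2024-12-27T09:16:00Z src=10.20.3.7 dst=203.0.113.9 host=cdn.example.net action=allow",
    "2024-12-27T09:17:45Z query=update.systemupdate.info type=A client=10.20.5.2",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} ({hit.label})")
```

Matching parent domains matters because C&C hostnames are often rotated under a fixed registered domain; matching the exact printed value alone would miss them. The same watchlist feeds blocklist(), so the detection and the firewall rule are built from one source.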

References:

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.