Weekly Threat Landscape Digest – Week 2

1. Malicious Chrome Extensions Targeting Users

A sophisticated phishing campaign has compromised 36 Chrome extensions, affecting approximately 2.6 million users. These extensions exfiltrate sensitive data through a command-and-control (C&C) server.

• Impact: Data theft, credential harvesting, and exposure of corporate environments.
• Affected Extensions: Includes “AI Assistant – ChatGPT and Gemini for Chrome,” “VPNCity,” and “Reader Mode.”
• Mitigation:
  • Remove affected extensions from devices.
  • Revoke and rotate credentials for affected accounts.
  • Implement a browser extension whitelist in corporate environments.
• IoCs:
  • Malicious Version: 24.10.4.
  • Hash: DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944.
  • C&C IPs: 149.28.124[.]84.

Reference: Cyberhaven Blog

2. OpenVPN Vulnerability (CVE-2024-8474)

A vulnerability in OpenVPN Connect (prior to version 3.5.0) logs private keys in plaintext, risking unauthorized decryption of VPN traffic.

• Impact: Exposure of sensitive data.
• Mitigation: Update to OpenVPN Connect version 3.5.0 or newer.

Reference: CVE Details

3. OpenSSH Race Condition (CVE-2024-6387)

A race condition vulnerability in OpenSSH’s sshd signal handler enables unauthenticated remote attackers to execute arbitrary code.

• Impact: Privilege escalation to root and full system compromise.
• Mitigation:
  • Update OpenSSH to patched versions.
  • Restrict SSH access and limit authentication attempts.
• PoC Available: Public proof-of-concept escalates risk.

Reference: PoC Exploit Details

4. Malicious EditThisCookie Extension

A malicious impersonation of “EditThisCookie” targets Chrome users, engaging in data theft, phishing, and ad injections.

• Impact: Privacy invasion and increased phishing risk.
• Mitigation:
  • Uninstall malicious extensions.
  • Use alternatives like “Cookie Editor.”

Reference: GBHackers

5. Nessus Agent Outage

Nessus Agent versions 10.8.0 and 10.8.1 are offline due to a plugin update issue, disrupting vulnerability scans globally.

• Mitigation:
  • Upgrade to version 10.8.2 or downgrade to 10.7.31.
  • Perform plugin resets using Tenable scripts or commands.

Reference: Tenable Advisory

6. PhishWP Plugin: A WordPress Threat

The “PhishWP” plugin transforms legitimate WordPress websites into phishing platforms, targeting payment systems.

• Impact: Theft of credit card data, OTPs, and browser metadata.
• Mitigation:
  • Audit WordPress plugins regularly.
  • Use MFA for administrative accounts.
  • Educate users about phishing risks.

Reference: SiliconANGLE Report

8. Command Injection Vulnerability in DrayTek Gateways (CVE-2024-12987)

A command injection vulnerability in DrayTek gateway devices allows attackers to execute unauthorized commands via the web management interface. The issue stems from improper input sanitization in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint.

• Impact:
  • Unauthorized command execution.
  • Configuration manipulation.
  • Extraction of sensitive information.
  • Potential internal network attacks.
• Affected Versions:
  • DrayTek Vigor2960 and DrayTek Vigor300B with firmware versions 1.5.1.4 and earlier.
• Mitigation:
  • Apply firmware updates (version 1.5.1.5 or newer).
  • Restrict access to the web management interface using IP whitelisting.
  • Enforce input validation to prevent injection attacks.
• PoC Availability: Public proof-of-concept increases the urgency for mitigation.

Reference: NVD Advisory

9. EAGERBEE Backdoor Targeting ISPs and Government Entities

EAGERBEE is a sophisticated malware framework targeting ISPs and governmental entities, particularly in the Middle East and East Asia. Leveraging the ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, it deploys a memory-resident backdoor with modular plugins for various malicious activities.

• Key Details:
  • Deployment Method: A service injector (ntusers0.dat) injects the backdoor into the Windows Themes service process.
  • Plugins: File Manager, Process Manager, Service Manager, and Network Manager allow detailed system control and exploration.
  • Persistence: Operates entirely in memory, integrating with legitimate processes to evade detection.
  • Threat Actor: Attributed to the CoughingDown group.
• Impact:
  • Unauthorized access to sensitive systems and data.
  • System manipulation via plugins for file operations, process execution, and service management.
  • Evasion of traditional security mechanisms.
• Indicators of Compromise (IoCs):
  • Service Injector Hash: 183f73306c2d1c7266a06247cedd3ee2.
  • Backdoor Hashes: 9d93528e05762875cf2d160f15554f44, c651412abdc9cf3105dfbafe54766c44.
  • Domains and IPs: 62.233.57[.]94, 82.118.21[.]230, 151.236.16[.]167, www.rambiler[.]com.
• Mitigation:
  • Patch Exchange Servers: Address the ProxyLogon vulnerability (CVE-2021-26855).
  • Monitor Services: Watch for unusual behavior in services like IKEEXT, MSDTC, and SessionEnv.
  • Network Security: Isolate critical systems and monitor outgoing traffic to detect connections to known C2 IPs.
  • Enhance Endpoint Security: Use EDR solutions to identify in-memory malware activity.
  • Application Whitelisting: Prevent unauthorized DLLs from being loaded.

Reference: Kaspersky Report on EAGERBEE

11. New Mirai Botnet Variant “Gayfemboy” Targets Industrial Routers

The “Gayfemboy” botnet, a variant of the Mirai malware, has been targeting industrial routers and IoT devices worldwide using zero-day exploits and weak credential attacks. Initially discovered in February 2024, it has rapidly expanded its scope and sophistication.

• Key Vulnerabilities:
  • CVE-2024-12856: A remote command injection vulnerability in Four-Faith industrial routers, exploited via default credentials.
  • CVE-2023-26801: LB-Link router vulnerability.
  • CVE-2017-17215: Huawei router vulnerability.
  • Custom exploits for Neterbit routers, Vimar smart home devices, and other IoT targets.
• Technical Details:
  • Infection Vectors: Exploits over 20 known vulnerabilities, including weak Telnet credentials.
  • Capabilities:
    • Brute-forces Telnet passwords.
    • Uses custom UPX packing with unique signatures.
    • Deploys Mirai-based command structures for client updates, network scanning, and high-intensity DDoS attacks.
  • Targets: Routers, DVRs, cameras, and 5G/LTE devices, impacting sectors in China, the US, Germany, the UK, and Singapore.
• DDoS Attack Patterns:
  • Duration: Short bursts of 10–30 seconds.
  • Intensity: Exceeds 100 Gbps, capable of overwhelming robust infrastructures.
• Vulnerable Devices:
  • ASUS Routers: N-day exploits.
  • Huawei Routers: CVE-2017-17215.
  • Neterbit Routers: Custom exploits.
  • Four-Faith Industrial Routers: CVE-2024-12856.
  • PZT Cameras: CVE-2024-8956, CVE-2024-8957.
  • Various DVRs, including Kguard and Lilin.
• Mitigation:
  • Update all devices with the latest patches.
  • Change default admin credentials and disable Telnet where possible.
  • Monitor network traffic for signs of DDoS attacks and implement rate-limiting.
  • Use robust endpoint protection and network segmentation to limit attack spread.

References:

https://fastnetmon.com/2025/01/13/new-mirai-botnet-targeting-industrial-routers-with-zero-day-exploits/ 

https://www.csoonline.com/article/3716843/new-mirai-botnet-targets-industrial-routers.html 

12. Ivanti Connect Secure Zero-Day Exploited in the Wild (CVE-2025-0282 & CVE-2025-0283)

Ivanti disclosed two critical vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is a remote code execution vulnerability already exploited in the wild, while CVE-2025-0283 enables local privilege escalation.

• Key Details:
  • CVE-2025-0282: A stack-based buffer overflow vulnerability allowing remote, unauthenticated attackers to execute arbitrary code.
  • CVE-2025-0283: A stack-based buffer overflow vulnerability allowing local authenticated attackers to escalate privileges.
• Affected Products:
  • CVE-2025-0282:
    • Ivanti Connect Secure: Versions 22.7R2 to 22.7R2.4.
    • Ivanti Policy Secure: Versions 22.7R1 to 22.7R1.2.
    • Ivanti Neurons for ZTA: Versions 22.7R2 to 22.7R2.3.
  • CVE-2025-0283:
    • Ivanti Connect Secure: Versions 22.7R2.4 and prior, 9.1R18.9 and prior.
    • Ivanti Policy Secure: Versions 22.7R1.2 and prior.
    • Ivanti Neurons for ZTA: Versions 22.7R2.3 and prior.
• Mitigation:
  • Patches:
    • Ivanti Connect Secure: Patch 22.7R2.5 addresses both CVEs.
    • Patches for Ivanti Policy Secure and Neurons for ZTA are expected by January 21, 2025.
  • Detection: Use Ivanti’s Integrity Checker Tool (ICT) to identify exploitation attempts.
  • Action: Apply available patches immediately, prioritize systems vulnerable to CVE-2025-0282, and closely monitor ICT outputs.
• Attribution: Google’s Mandiant and Microsoft’s Threat Intelligence Center discovered these vulnerabilities, suggesting active threat campaigns targeting these systems.

Reference: Ivanti Security Advisory

13. Infoblox Research Highlights Malicious Spam Campaigns Using Spoofed Domains

Infoblox Threat Intelligence researchers have uncovered new insights into the use of spoofed domains in modern malicious spam (malspam) campaigns. These campaigns exploit neglected domains and advanced techniques like domain generation algorithms to bypass traditional security measures and target users globally.

• Key Findings:
  • Domain Spoofing: Threat actors spoof email sender addresses using neglected domains to evade security mechanisms that flag suspicious domain age.
  • QR Code Phishing: Campaigns in greater China employ QR codes in email attachments to redirect victims to phishing sites, leveraging registered domain generation algorithms (RDGAs) for short-lived domain creation.
  • Japanese Phishing: Impersonation of brands like Amazon and SMBC targets Japanese users. Traffic distribution systems (TDS) redirect victims based on criteria to fake login pages.
  • Extortion Campaigns: Emails claiming device compromise spoof the recipient’s own email address and demand Bitcoin payments to prevent the release of fabricated sensitive information.
  • Mysterious Campaigns: “Shanghai Yakai” spam emails send harmless-looking Excel attachments with no discernible motive or malicious payload, leaving researchers puzzled.
• Notable Techniques:
  • Use of trusted-sounding domains to enhance credibility.
  • Advanced phishing mechanisms like QR codes and domain generation algorithms.
  • Targeted redirects using traffic distribution systems.
• Mitigation Recommendations:
  • Deploy advanced email filtering solutions to detect and block spoofed domains.
  • Educate users about recognizing phishing attempts, particularly those involving QR codes.
  • Monitor neglected domains to prevent abuse and strengthen domain verification mechanisms.

Reference: Infoblox Research Report

14. Google Chrome Security Updates for High-Severity Vulnerabilities

Google has released updates for the Chrome browser to address multiple vulnerabilities, including a high-severity type confusion issue in the V8 JavaScript engine. The vulnerability, tracked as CVE-2025-0291, could be exploited to execute arbitrary code on vulnerable systems.

• Affected Products:
  • Chrome for Windows, Mac, and Linux (various stable and extended stable versions).
  • Chrome 131 for Android.
• Fixed Versions:
  • Stable Channel Update:
    • 131.0.6778.264/.265 for Windows and Mac.
    • 131.0.6778.264 for Linux.
  • Extended Stable Update:
    • 130.0.6723.191 for Windows and Mac.
  • Chrome 131 (131.0.6778.260) for Android.
• Mitigation Recommendations:
  • Update Chrome browsers on all platforms to the latest versions as listed above.
  • Inform organizational subsidiaries and partners about the importance of applying these updates promptly.
• Impact of Exploitation:
  • If left unpatched, the vulnerabilities could allow attackers to compromise systems through maliciously crafted web content.
• References:
  • Chrome Release Notes

15. High-Severity Vulnerability in UpdraftPlus WP Backup & Migration Plugin

A high-severity vulnerability in the popular WordPress plugin UpdraftPlus WP Backup & Migration. The vulnerability, tracked as CVE-2024-10957, could allow attackers to gain full control of affected websites under specific conditions.

• Vulnerability Details:
  • CVE ID: CVE-2024-10957.
  • CVSS Score: 8.8 (High).
  • Root Cause: PHP Object Injection in the recursive_unserialized_replace function, which improperly deserializes untrusted input.
• Potential Impact:
  • File Deletion: Critical website files could be deleted, leading to outages.
  • Data Theft: Sensitive information, such as credentials and financial data, may be stolen.
  • Code Execution: Attackers could execute arbitrary code to gain full control of the site.
• Exploit Conditions:
  • An administrator must initiate a search-and-replace operation within the plugin.
  • The presence of vulnerable third-party plugins or themes that enable exploitation through a PHP Object POP (Property-Oriented Programming) chain.
• Affected Versions:
  • UpdraftPlus versions up to and including 1.24.11.
• Mitigation Recommendations:
  • Update Plugin: Upgrade to UpdraftPlus 1.24.12 or later immediately.
  • Audit Third-Party Extensions: Ensure all third-party plugins and themes are updated and free from vulnerabilities.
  • Limit Admin Access: Restrict plugin operations to trusted administrators to reduce risk.
  • Regular Monitoring: Implement monitoring tools to detect file changes or suspicious activity.

References:

• NVD Advisory on CVE-2024-10957

16. Critical Vulnerability in WordPress File Upload Plugin (CVE-2024-11613)

A critical vulnerability in the WordPress File Upload plugin, allowing unauthenticated attackers to execute remote code, read arbitrary files, and delete files on affected WordPress sites.

• Vulnerability Details:
  • CVE ID: CVE-2024-11613.
  • CVSS Score: 9.8 (Critical).
  • Impact:
    • Remote Code Execution: Attackers can execute arbitrary code remotely.
    • Arbitrary File Read: Sensitive files on the server could be accessed.
    • File Deletion: Attackers can delete critical files, potentially disrupting operations.
  • Affected Versions: All versions of WordPress File Upload plugin up to and including 4.24.15.
• Mitigation Recommendations:
  • Upgrade Plugin: Update to version 4.25.0 or later immediately.
  • Audit Logs: Review server logs for any unusual file access or modifications to identify potential exploitation.
  • Restrict Access: Implement strict access controls and ensure only trusted administrators can manage plugins.
  • Monitor Activity: Use monitoring tools to detect anomalous behavior indicative of exploitation.
• References:
  • Wordfence Advisory on CVE-2024-11613

17. Critical Zero-Day in Ivanti Connect Secure (CVE-2025-0282)

A critical zero-day vulnerability (CVE-2025-0282, CVSS 9.0) in Ivanti Connect Secure allows unauthenticated remote code execution and is being actively exploited. A related high-severity vulnerability (CVE-2025-0283, CVSS 7.0) enables local privilege escalation.

• Affected Versions:
  • CVE-2025-0282: Connect Secure 22.7R2–22.7R2.4, Policy Secure 22.7R1–22.7R1.2, ZTA Gateways 22.7R2–22.7R2.3.
  • CVE-2025-0283: Connect Secure 22.7R2.4 and earlier, Policy Secure 22.7R1.2 and earlier, ZTA Gateways 22.7R2.3 and earlier.
• Mitigation:
  • Patch Connect Secure to 22.7R2.5 immediately.
  • Policy Secure and ZTA patches available January 21, 2025.
  • Use Ivanti’s Integrity Checker Tool (ICT) to detect exploitation.
  • Isolate unpatched systems and apply strict access controls.

Reference: Ivanti Security Advisory

18. Command Injection Vulnerabilities in HPE Aruba 501 Wireless Client Bridge

HPE Aruba Networking has disclosed two high-severity command injection vulnerabilities (CVE-2024-54006 and CVE-2024-54007) in the 501 Wireless Client Bridge. These flaws allow authenticated attackers to execute arbitrary commands with administrative privileges.

• Vulnerability Details:
  • Severity: High (CVSS 7.2).
  • Impact: Attackers can gain full control over the device’s operating system.
  • Exploitability: Requires administrative credentials.
  • Affected Versions: V2.1.1.0-B0030 and earlier.
• Mitigation:
  • Update to V2.1.2.0-B0033 or later immediately.
  • Conduct security audits for all Aruba devices.
  • Monitor for suspicious activities and unauthorized access.
  • Enforce strong authentication and regularly rotate admin credentials.

Reference: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale 

19. Critical Vulnerabilities in Fancy Product Designer WordPress Plugin

The Fancy Product Designer WordPress plugin, widely used for product customization in WooCommerce, contains critical vulnerabilities exposing websites to severe risks. The latest version (6.4.3) remains unpatched, emphasizing the need for immediate action.

• Vulnerability Details:
  1. Unauthenticated Arbitrary File Upload (CVE-2024-51919):
     • CVSS Score: 9.0 (Critical).
     • Impact: Allows attackers to upload malicious files (e.g., PHP scripts), enabling remote code execution (RCE).
     • Cause: Inadequate input validation in plugin functions.
  2. Unauthenticated SQL Injection (CVE-2024-51818):
     • CVSS Score: 9.3 (Critical).
     • Impact: Enables attackers to execute arbitrary SQL queries, leading to potential database breaches or modifications.
     • Cause: Insufficient sanitization in the plugin’s SQL query functions.
• Affected Versions:

• Fancy Product Designer 6.4.3 and earlier.

• Mitigation Recommendations:

• Deactivate Plugin: Disable Fancy Product Designer immediately.
• Monitor for Updates: Regularly check for patch announcements from the developer.
• Use Web Application Firewalls (WAFs): Deploy a WAF to block exploitation attempts.
• Audit Systems: Review logs for signs of exploitation or unauthorized changes.

Reference: Patchstack Advisory

20. Banshee Stealer Targets macOS Users

The Banshee macOS Stealer, a sophisticated malware, targets macOS users to steal browser credentials, cryptocurrency wallets, macOS passwords, and 2FA data. It uses advanced evasion techniques, including Apple’s XProtect-based encryption, and is distributed via phishing websites and fake GitHub repositories.

• Impact:
  • Data theft, financial losses, and undetected activity.
  • Increased risk for cryptocurrency users.
• Mitigation:
  • Update macOS and antivirus software.
  • Enable Gatekeeper, XProtect, and SIP.
  • Use EDR tools and implement MFA.
  • Educate users on phishing risks and avoid untrusted downloads.

Reference: https://blog.checkpoint.com/research/cracking-the-code-how-banshee-stealer-targets-macos-users/