
PLUS: US sanctions Chinese APT exploit supplier; Romania's largest electricity provider hit by ransomware; OpenWrt fixes firmware contamination attack.
Claire Aird
A ransomware gang is targeting Cleo file transfer servers, the US sanctions a Chinese APT exploit supplier, ransomware hits Romania's largest electricity provider, and OpenWrt fixes a firmware contamination attack. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 11th of December and this podcast episode is brought to you by Proofpoint.

In today's top story, the Termite ransomware group is exploiting an improperly patched vulnerability in Cleo file transfer products. The attacks started earlier this month and have compromised at least 10 organizations, according to security firm Huntress Labs. The attacks are exploiting a bug in Cleo's file transfer products, Harmony, LexiCom and VLTrader, that was patched in October. Huntress says the patch is faulty and the attackers are abusing the bug to upload web shells and move laterally inside compromised networks. It's currently unclear if the Termite gang is deploying its ransomware against hacked organizations or if it's only stealing data for future extortion. The vendor has confirmed the attacks and says it's working on a new patch. According to Shodan, over 500 vulnerable Cleo systems are exposed to the Internet.

In other news, the US Treasury Department has sanctioned Chinese IT company Sichuan Silence and one of its employees over their role in hacking Sophos firewalls. Officials say the company developed an exploit for Sophos firewalls that it deployed on over 80,000 devices to steal login credentials. Sanctions were levied against Sichuan Silence employee Guan Tianfang because he also deployed the Ragnarok ransomware on some of the hacked devices. He was also charged by the US Justice Department. The company was exposed as a major exploit developer and supplier for Chinese APTs in a report published by Sophos last month. Its exploits have been used in hacking campaigns carried out by Volt Typhoon, APT31 and APT41.
The incoming Trump administration is reportedly interviewing Brian Harrell for the CISA director role. Harrell previously served as CISA assistant director for infrastructure security during the first Trump administration. Harrell has also been considered for the role of DHS Under Secretary of Strategy, Policy and Plans.

Iranian hacking group CyberAv3ngers has developed new malware designed to infect IoT and OT devices, named IOCONTROL. The malware has been spotted on PLCs, HMIs, firewalls, routers and IP cameras. Security firm Claroty says it retrieved samples of the new malware from Gasboy fuel control systems in Israel. According to US officials, the CyberAv3ngers group is part of Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command.

A ransomware attack is disrupting the operations of Electrica, Romania's largest electricity provider. In a stock market filing, Electrica says SCADA and other critical systems are unaffected by the attack. The country's energy minister says the attackers will be punished.

DeFi platform Radiant Capital says North Korean hackers were behind the theft of over $50 million worth of assets in October. Radiant says it was hacked after an employee opened a malicious file sent by a former contractor via Telegram. The message came from a trusted party and asked for feedback about their most recent work. Ironically, the lure document was a postmortem for another DeFi platform hacked days before.

Two dating websites shut down operations this month after they leaked user data through misconfigured Firebase servers. Lesbian dating site Ladies.com leaked 180,000 user records, while the Senior Dating app shut down after leaking the records of three quarters of a million users earlier this year. Leaked data included names, email addresses, profile pictures and locations. The leaked data was shared online and was recently added to the Have I Been Pwned database.
A malware operation known as Socks5Systemz is behind a commercial anonymous proxy service named PROXY.AM. The malware has been around since 2016 and was often distributed as a proxy module inside larger botnets such as Trickbot, SmokeLoader and Andromeda. Bitsight says the malware is currently active on 120,000 systems, but was double that size at its peak last year.

Chinese security firm QiAnXin has discovered a new backdoor named Glutton that appears to be the work of an APT group. The backdoor has been found deployed on PHP-based websites via unknown methods. QiAnXin believes Glutton may be the work of Winnti, an umbrella name used by Western companies for Chinese APT operations. So China attributes the Chinese attacks to China.

Ukraine says that Russian hackers are targeting the country's defence contractors in a phishing campaign. Ukraine's CERT has identified the attackers as a group tracked as UAC-0185. The group is a new Russian APT that began activity after Russia's invasion of Ukraine. Its main past operations included attempts to breach Ukraine's military apps and phishing Ukrainian servicemen via Signal, WhatsApp and Telegram.

The Chinese government has established over 100 international communication centres across the country to expand its foreign propaganda capabilities. Security firm Recorded Future says the centres are part of local CCP state media organisations and most were established in 2023. The centres cater to specific audiences and countries and tailor propaganda for each region. Their primary functions are to manage thousands of foreign social media accounts and coordinate activity with networks of foreign influencers. They also establish collaborations with foreign media organisations to increase the legitimacy of Beijing's propaganda.

Meta failed to counter an influence operation in support of the far-right AUR party in the Romanian presidential and parliamentary elections.
Disinformation study group Check First says the network ran thousands of political ads that broke Meta's policies and Romanian election laws. The ads promoted the party leader as a patriot and parroted the Kremlin's anti-NATO and anti-EU rhetoric. Check First says Meta failed to act on the network despite public reporting on its activity going back as far as April. Meta joins TikTok as another social network that failed to take action against political ads even though they clearly broke the platform's policies and national laws.

NATO will unite three cyber organisations into a new cyber coordination centre. The new NATO Integrated Cyber Defence Centre is set to launch in 2028 and will be based in Mons, Belgium. It will unify the roles of the NATO Cyber Security Centre, the NATO Cyber Operations Centre and the Alliance Cyber Threat Analysis Branch.

France's data protection agency CNIL has fined telecommunications provider Orange 50 million euros for several breaches of privacy laws. CNIL says Orange inserted unsolicited ads in the inboxes of its users. The company also failed to comply with the EU cookie law and tracked users even if they withdrew their consent. The fine represents the largest penalty ever received by an EU telco.

Cloud storage provider Snowflake will stop allowing password-only authentication next November. The company is making the move after hackers hijacked customer accounts in a major security breach earlier this year. The hackers exploited leaked passwords to access accounts, steal data and then ransom the companies. In July, the company announced it would also let tenants force MFA for all their users as a way to protect against similar future attacks.

A security researcher has found a vulnerability in the OpenWrt open source router firmware that can be abused to contaminate firmware images. The attack targeted Attended SysUpgrade, a feature that allows users to build customised firmware based on the router features they want.
Researchers at Flatt Security say the bug allowed them to contaminate firmware artifacts on OpenWrt servers where the custom firmware was being assembled. The OpenWrt team patched the bug three hours after it was reported.

A team of academics has developed a new physical attack against AMD chips that can allow threat actors to retrieve data protected by the processor's Secure Encrypted Virtualization technology. The attack is named BadRAM and primarily impacts AMD CPUs used in cloud environments. The attack uses a plug-in hardware component to trick the processor into allowing access to encrypted memory. The hardware needed to carry out a BadRAM attack costs less than $10.

And finally, Mozilla will remove the Do Not Track feature from Firefox next year. The feature was introduced in 2011 as a way for users to tell websites not to track them. Mozilla says it's removing the feature because most websites don't respect it. Do Not Track will be removed with Firefox 135, scheduled to be released in early February.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Proofpoint. Find them at proofpoint.com. Thanks for your company.
Release Date: December 11, 2024
Host: Claire Aird
Prepared by: Catalin Cimpanu
In the episode's lead story, Claire Aird discusses the ongoing exploitation of a vulnerability in Cleo's file transfer products by the Termite ransomware group. The vulnerability, present in Harmony, LexiCom, and VLTrader, was originally patched in October. However, Huntress Labs has identified that the patch is faulty, allowing attackers to upload web shells and move laterally within compromised networks. As Huntress Labs reports, “[...] the attackers are abusing the bug to upload web shells and move laterally inside compromised networks” (04:30). To date, at least 10 organizations have been compromised, and over 500 vulnerable Cleo systems remain exposed to the internet according to Shodan. Cleo has acknowledged the issue and is actively working on a more effective patch.
Claire highlights the U.S. Treasury Department's recent sanctions against Sichuan Silence and its employee Guan Tianfang. The company is accused of developing an exploit for Sophos firewalls, which was deployed on over 80,000 devices to steal login credentials. Additionally, Guan was involved in deploying the Ragnarok ransomware on several hacked devices, leading to charges by the U.S. Department of Justice. “The company was exposed as a major exploit developer and supplier for Chinese APTs,” Claire notes (10:15). Sophos’s report links Sichuan Silence’s exploits to multiple Chinese APT groups, including Volt Typhoon, APT31, and APT41.
The episode covers the emergence of IOCONTROL, a new malware developed by the Iranian hacking group CyberAv3ngers targeting IoT and OT devices. Identified on PLCs, HMIs, firewalls, routers, and IP cameras, IOCONTROL was discovered on Gasboy fuel control systems in Israel, as reported by Claroty and U.S. officials. Claire mentions, “[...] CyberAv3ngers group is part of Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command” (15:45), highlighting the sophisticated nature of the threat and its potential impact on critical infrastructure.
Electrica, Romania’s leading electricity provider, is currently facing operational disruptions due to a ransomware attack. Fortunately, Claire reassures listeners that SCADA and other critical systems remain unaffected. The Romanian energy minister has vowed to punish the attackers, emphasizing the severity of the incident. “[...] SCADA and other critical systems are unaffected by the attack” (20:00).
Radiant Capital, a DeFi platform, reported a significant theft of over $50 million in October, attributed to North Korean hackers. The breach occurred when an employee opened a malicious file sent via Telegram by a trusted former contractor. Claire explains, “Ironically, the lure document was a postmortem for another DeFi platform hacked days before” (25:30), illustrating the sophisticated social engineering tactics employed by the attackers.
Two dating websites, Ladies.com and a senior dating app, suffered massive data leaks earlier this year due to misconfigured Firebase servers. The breaches exposed 180,000 and 750,000 user records respectively, including sensitive information such as names, email addresses, profile pictures, and locations. This leaked data has been shared online and added to the "Have I Been Pwned" database, magnifying the risks for affected users. Claire emphasizes, “[...] the leaked data was shared online and was recently added to the Have I Been Pwned database” (30:45).
The malware operation Socks5Systemz is identified as the force behind PROXY.AM, a commercial anonymous proxy service. Active since 2016, the Socks5Systemz malware was initially distributed through larger botnets like Trickbot, SmokeLoader, and Andromeda. Currently, Bitsight reports that the malware is active on 120,000 systems, although it peaked at double that number last year.
Chinese security firm QiAnXin has uncovered a new backdoor named Glutton, believed to be the work of the APT group Winnti. This backdoor has been deployed on PHP-based websites through unknown methods. QiAnXin suggests that “Glutton may be the work of Winnti, an umbrella name used by Western companies for Chinese APT operations” (35:20), underscoring the ongoing cyber espionage activities attributed to Chinese actors.
Ukraine’s CERT has identified UAC-0185, a new Russian APT group, engaging in phishing campaigns against the country’s defense contractors. Since the invasion, UAC-0185 has attempted to breach military applications and has employed platforms like Signal, WhatsApp, and Telegram to phish Ukrainian servicemen. Claire notes, “[...] the group is a new Russian APT that began activity after Russia's invasion of Ukraine” (40:10).
Recorded Future reports that China has established over 100 international communication centers to enhance its foreign propaganda efforts. These centers, part of local CCP state media organizations, were mostly established in 2023 and are tailored to specific regions and audiences. Their main functions include managing thousands of foreign social media accounts, coordinating with foreign influencers, and collaborating with international media to legitimize Beijing’s propaganda. Claire elaborates, “[...] they establish collaborations with foreign media organizations to increase the legitimacy of Beijing's propaganda” (45:00).
The disinformation study group Check First revealed that an influence operation supported the far-right AUR party during Romania's elections, running thousands of political ads that violated both Meta’s policies and Romanian laws. Despite being reported since April, Meta, alongside TikTok, failed to take appropriate action. Claire states, “[...] Meta failed to act on the network despite public reporting on its activity going back as far as April” (50:25), highlighting significant shortcomings in social media platforms' moderation practices.
NATO is set to launch the NATO Integrated Cyber Defence Centre in Mons, Belgium, by 2028. This new center will consolidate the roles of the NATO Cyber Security Center, NATO Cyber Operations Centre, and the Alliance Cyber Threat Analysis Branch, enhancing coordination and defense capabilities within the alliance.
France’s data protection agency CNIL has imposed a €50 million fine on telecommunications provider Orange for multiple privacy law breaches. The company inserted unsolicited ads into user inboxes, failed to comply with the EU cookie law, and continued tracking users even after consent withdrawal. Claire notes, “The fine represents the largest penalty ever received by an EU telco” (55:40).
In response to a major security breach where hackers exploited leaked passwords to access and ransom customer accounts, Snowflake announced it will discontinue password-only authentication starting next November. Additionally, from July, tenants will have the ability to enforce multi-factor authentication (MFA) for all users to bolster security defenses against similar attacks.
A security researcher uncovered a vulnerability in OpenWrt’s open-source router firmware that allowed contamination of firmware images built through the Attended SysUpgrade feature. Flatt Security reported that the bug enabled the manipulation of firmware artifacts on OpenWrt servers. The OpenWrt team responded swiftly, patching the vulnerability within three hours of the report.
A team of academics has developed "BadRAM," a physical attack targeting AMD CPUs used in cloud environments. This attack leverages a plug-in hardware component to trick processors into granting access to encrypted memory, thereby compromising data protected by AMD’s Secure Encrypted Virtualization (SEV) technology. Notably, the hardware required for BadRAM costs less than $10, making it a low-barrier threat.
Mozilla announced the removal of the Do Not Track (DNT) feature from Firefox in early February with the release of Firefox 135. Introduced in 2011, DNT allowed users to request that websites refrain from tracking their activities. However, due to widespread non-compliance, Mozilla decided to discontinue the feature, stating, “[...] it's removing the feature because most websites don't respect it” (60:50).
This episode of Risky Business News provides a comprehensive overview of significant cybersecurity incidents and developments from around the globe. From ransomware exploits and state-sponsored cyber operations to regulatory fines and security enhancements, Claire Aird ensures listeners are well-informed about the latest threats and industry responses.
For more detailed insights and updates, consider tuning into future episodes of Risky Business News.