Risky Business News: Improperly Patched Cleo Bug Exploited in the Wild
Release Date: December 11, 2024
Host: Claire Aird
Prepared by: Catalin Cimpanu
1. Termite Ransomware Exploits Cleo File Transfer Vulnerability
In the episode's lead story, Claire Aird discusses the ongoing exploitation of a vulnerability in Cleo's file transfer products by the Termite ransomware group. The vulnerability, present in Harmony, LexiCom, and VLTrader, was originally patched in October. However, Huntress Labs has found that the patch is incomplete and can be bypassed, allowing attackers to upload web shells and move laterally within compromised networks. As Huntress Labs reports, "[...] the attackers are abusing the bug to upload web shells and move laterally inside compromised networks" (04:30). To date, at least 10 organizations have been compromised, and according to Shodan more than 500 vulnerable Cleo systems remain exposed to the internet. Cleo has acknowledged the issue and is working on a more effective patch.
2. U.S. Sanctions Chinese IT Company Sichuan Silence
Claire highlights the U.S. Treasury Department's recent sanctions against Sichuan Silence and its employee Guan Tianfeng. The company is accused of developing an exploit for Sophos firewalls, which was deployed on over 80,000 devices to steal login credentials. Guan is also accused of deploying the Ragnarok ransomware on several of the hacked devices, leading to charges by the U.S. Department of Justice. "The company was exposed as a major exploit developer and supplier for Chinese APTs," Claire notes (10:15). Sophos's report links Sichuan Silence's exploits to multiple Chinese APT groups, including Volt Typhoon, APT31, and APT41.
3. Iranian Group CyberAv3ngers Introduces IOCONTROL Malware
The episode covers the emergence of IOCONTROL, a new malware developed by the Iranian hacking group CyberAv3ngers that targets IoT and OT devices. Found on PLCs, HMIs, firewalls, routers, and IP cameras, IOCONTROL was discovered on Gasboy fuel control systems in Israel, as reported by Claroty and U.S. officials. Claire mentions, "[...] CyberAv3ngers group is part of Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command" (15:45), highlighting the sophisticated nature of the threat and its potential impact on critical infrastructure.
4. Ransomware Disrupts Romania's Largest Electricity Provider
Electrica, Romania's largest electricity provider, is facing operational disruptions due to a ransomware attack. Claire reassures listeners that SCADA and other critical systems remain unaffected: "[...] SCADA and other critical systems are unaffected by the attack" (20:00). The Romanian energy minister has vowed to punish the attackers, underlining the severity of the incident.
5. North Korean Hackers Steal $50 Million from Radiant Capital
Radiant Capital, a DeFi platform, reported a theft of over $50 million in October, attributed to North Korean hackers. The breach began when an employee opened a malicious file sent via Telegram by a trusted former contractor. Claire explains, "Ironically, the lure document was a postmortem for another DeFi platform hacked days before" (25:30), illustrating the sophisticated social engineering tactics employed by the attackers.
6. Data Leaks from Dating Websites Expose Hundreds of Thousands of Users
Two dating services, ladies.com and a senior dating app, suffered large data leaks earlier this year due to misconfigured Firebase servers. The breaches exposed 180,000 and 750,000 user records respectively, including sensitive information such as names, email addresses, profile pictures, and locations. The leaked data has been shared online and added to the Have I Been Pwned database, magnifying the risk for affected users. Claire emphasizes, "[...] the leaked data was shared online and was recently added to the Have I Been Pwned database" (30:45).
7. Socks5Systemz Botnet Associated with ProxyAM Malware Operation
The Socks5Systemz botnet is identified as the infrastructure behind ProxyAM, a commercial anonymous proxy service. Active since 2016, Socks5Systemz was initially distributed through larger botnets such as TrickBot, Smoke Loader, and Andromeda. Bitsight reports that the botnet is currently active on 120,000 systems, although it peaked at double that number last year.
8. New Backdoor 'Glutton' Linked to Chinese APT Group
Chinese security firm QiAnXin has uncovered a new backdoor named Glutton, believed to be the work of the APT group Winnti. The backdoor has been deployed on PHP-based websites through methods that are still unknown. QiAnXin suggests that "Glutton may be the work of Winnti, an umbrella name used by Western companies for Chinese APT operations" (35:20), underscoring the ongoing cyber espionage activities attributed to Chinese actors.
9. Russian Hacker Group UAC-0185 Targets Ukraine's Defense Contractors
Ukraine's CERT has identified UAC-0185, a new Russian APT group, running phishing campaigns against the country's defense contractors. Since the invasion, UAC-0185 has attempted to breach military applications and has used messaging platforms such as Signal, WhatsApp, and Telegram to phish Ukrainian servicemen. Claire notes, "[...] the group is a new Russian APT that began activity after Russia's invasion of Ukraine" (40:10).
10. China Expands Propaganda with Over 100 International Communication Centres
Recorded Future reports that China has established over 100 international communication centers to expand its foreign propaganda efforts. These centers, part of local CCP state media organizations, were mostly set up in 2023 and are tailored to specific regions and audiences. Their main functions include managing thousands of foreign social media accounts, coordinating with foreign influencers, and collaborating with international media to lend legitimacy to Beijing's propaganda. Claire elaborates, "[...] they establish collaborations with foreign media organizations to increase the legitimacy of Beijing's propaganda" (45:00).
11. Meta Fails to Act Against Defi Platform’s Influence Operation
The Defi Study Group and Check First revealed that an influence operation supported the far-right AUR party during Romania's elections, running thousands of political ads that violated both Meta's policies and Romanian law. Despite being reported since April, Meta, along with TikTok, failed to take appropriate action. Claire states, "[...] Meta failed to act on the network despite public reporting on its activity going back as far as April" (50:25), highlighting significant shortcomings in social media platforms' moderation practices.
12. NATO to Establish New Cyber Coordination Centre
NATO is set to launch the NATO Integrated Cyber Defence Centre in Mons, Belgium, by 2028. The new center will consolidate the roles of the NATO Cyber Security Centre, the NATO Cyber Operations Centre, and the Alliance Cyber Threat Analysis Branch, improving coordination and defense capabilities within the alliance.
13. France’s Orange Fined €50 Million for Privacy Violations
France's data protection agency, CNIL, has imposed a €50 million fine on telecommunications provider Orange for multiple privacy law breaches. The company inserted unsolicited ads into users' email inboxes, failed to comply with the EU cookie law, and continued tracking users after they had withdrawn consent. Claire notes, "The fine represents the largest penalty ever received by an EU telco cloud storage provider" (55:40).
14. Snowflake Enhances Security by Disallowing Password-Only Authentication
In response to a major security breach in which hackers used leaked passwords to access and ransom customer accounts, Snowflake announced it will discontinue password-only authentication starting next November. Additionally, from July, tenants will be able to enforce multi-factor authentication (MFA) for all users, closing the gap that allowed the credential-stuffing attacks in the first place.
15. Vulnerability in OpenWrt Firmware Service Leads to Rapid Patch
A security researcher uncovered a vulnerability in OpenWrt's open-source router firmware project that allowed tampering with firmware images produced by its sysupgrade build service. Flatt Security reported that the bug enabled the manipulation of firmware artifacts on OpenWrt servers. The OpenWrt team responded swiftly, patching the vulnerability within three hours of the report.
16. New Physical Attack 'BadRAM' Targets AMD CPUs in the Cloud
A team of academics has developed "BadRAM," a physical attack targeting AMD CPUs used in cloud environments. The attack uses a plug-in hardware component to trick the processor into granting access to encrypted memory, thereby compromising data protected by AMD's Secure Encrypted Virtualization (SEV) technology. Notably, the hardware required for BadRAM costs less than $10, making it a low-barrier threat.
17. Mozilla to Remove Do Not Track Feature from Firefox
Mozilla announced the removal of the Do Not Track (DNT) feature from Firefox in early February with the release of Firefox 135. Introduced in 2011, DNT allowed users to signal that they did not want websites to track their activity, but compliance was voluntary. Because most websites ignored the signal, Mozilla decided to discontinue the feature; as Claire puts it, "It's removing the feature because most websites don't respect it" (60:50).
This episode of Risky Business News provides a comprehensive overview of significant cybersecurity incidents and developments from around the globe. From ransomware exploits and state-sponsored cyber operations to regulatory fines and security enhancements, Claire Aird ensures listeners are well-informed about the latest threats and industry responses.
For more detailed insights and updates, consider tuning into future episodes of Risky Business News.
