The CyberWire Daily Briefing.
"Cleo urges customers to patch actively exploited vulnerability."
Views expressed in this cybersecurity and cyber crime update are those of the reporters and correspondents. Accessed on 14 December 2024, 1512 UTC.
Content and Source: https://thecyberwire.com/newsletters/daily-briefing/13/235
Please check the link or scroll down to read your selections. Thanks for joining us today.
Russ Roberts (https://www.hawaiicybersecurityjournal.net).
Daily Briefing for 12.13.24
Announcement
CSO Perspectives Live | Thursday, December 19th at 2pm ET
Don’t miss Rick Howard’s final time in the host seat for CSO Perspectives Live! Join Rick, along with Hash Table members Kim Jones and Steve Winterfeld, for a live discussion on the most impactful stories, threats, and events of the past 90 days. Be part of this special moment — register now!
Summary
At a glance.
- Cleo urges customers to patch actively exploited vulnerability.
- Iran-linked threat actor deploys new ICS malware.
- Law enforcement shutters the Rydox cybercrime marketplace.
Cleo urges customers to patch actively exploited vulnerability.
File-transfer software company Cleo is urging customers to patch an actively exploited vulnerability affecting its Harmony, VLTrader, and LexiCom products. The vulnerability (CVE pending) "could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." The company initially issued a patch for the flaw in October (then tracked as CVE-2024-50623), but Huntress researchers found the patch was insufficient. Cleo issued an updated fix this week.
Researchers at Huntress, Rapid7, Arctic Wolf, and Sophos have observed widespread exploitation of the flaw. Huntress stated, "We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity." Arctic Wolf describes a Java-based backdoor dubbed "Cleopatra" that's being deployed in "a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access."
Cobalt Named “Outperformer” for Third Consecutive Year in GigaOm’s Radar Report for PTaaS
Penetration Testing as a Service (PTaaS) is crucial in today's rapidly evolving threat landscape, where traditional point-in-time security assessments are no longer sufficient. GigaOm’s third annual Radar report for PTaaS examines 13 of the top PTaaS solutions, providing an overview of the market to help decision makers evaluate these solutions and make informed investment decisions.
- How the evolving technology and threat landscape are driving new security needs for pentesting
- Key considerations for choosing a PTaaS provider based on your organization’s evolving security challenges
- Why Cobalt is a Leader in Penetration Testing as a Service.
Iran-linked threat actor deploys new ICS malware.
Researchers at Claroty have discovered a new strain of IoT/OT malware "IOCONTROL" used by Iran-affiliated attackers to target devices in Israel and the US. The researchers state, "IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Some of the affected vendors include: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others."
Notably, Claroty says, "One particular IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States. The malware is essentially custom built for IoT devices but also has a direct impact on OT such as the fuel pumps that are heavily used in gas stations."
The malware has been deployed by a threat actor tracked as the "CyberAv3ngers," which is believed to have ties to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
Build a Stronger Identity Security Program to Protect Your Organization
In our eBook, Building an Identity Security Program, we provide a step-by-step guide to creating a resilient identity security framework. You'll learn how to integrate identity security into your overall security strategy, protect against threats like MFA attacks, and secure access across your entire organization. Don’t leave your organization vulnerable to identity-based attacks. Arm yourself with the knowledge and tools to defend your business. Download the eBook.
Law enforcement shutters the Rydox cybercrime marketplace.
The US Justice Department yesterday announced the seizure of the Rydox cybercrime marketplace, alongside the arrests of three suspected administrators. Two of the defendants were arrested in Kosovo and will be extradited to the US. A third was nabbed in Albania and will be prosecuted by the Albanian government.
The Justice Department stated, "[T]he Rydox marketplace has conducted over 7,600 sales of personally identifiable information (PII), stolen access devices, and cybercrime tools, which generated at least $230,000 in revenue since its inception in or around February 2016. These sales included PII, credit card information, and login credentials stolen from thousands of victims residing in the United States. In addition, the Rydox site has offered for sale at least 321,372 cybercrime products to over 18,000 users including stolen PII such as names, addresses, and social security numbers; access devices such as stolen credentials for online accounts and credit card information; and cybercrime tools such as scam pages, spamming logs, and spamming tutorials."
Dropzone AI Named a Gartner Cool Vendor for the Modern SOC.
Dropzone AI has been recognized as a Gartner Cool Vendor, validating its role in transforming SOCs. With an AI SOC Analyst that autonomously investigates alerts 24/7, Dropzone AI helps security teams stay ahead by reducing alert fatigue and providing decision-ready insights. Discover how we're leading SOC innovation.
Notes.
Today's issue includes events affecting Albania, Iran, Israel, Kosovo, and the United States.
Sponsored Events
Upcoming Cybersecurity Summits (Multiple locations, Dec 6 2024 - Jan 31 2025) Join us in person and network over breakfast, lunch & a cocktail reception on 12/6 in Scottsdale, 12/12 in Jacksonville, 1/24 in Tampa and 1/31 in Atlanta! Learn about the latest threats and solutions from Huntington National Bank, Coca Cola, IBM and more. Earn CPE/CEU credits with your attendance. Get 50% off admission w/ code CSS24-CYBERWIRE at CyberSecuritySummit.com (Only $125 with code)
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting (Virtual, Jan 23, 2025) Join Chris Ray, GigaOm Analyst, and Jason Lamar, Cobalt’s SVP of Product, for an insightful discussion on how to choose the right PTaaS provider. Learn to evaluate providers, uncover key criteria, and adapt strategies to tackle evolving cyber threats. Register now!
Selected Reading
Attacks, Threats, and Vulnerabilities
Cleopatra’s Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software - Arctic Wolf (Arctic Wolf) Arctic Wolf Labs has observed a zero-day vulnerability being used against Cleo MFT products to deploy Cleopatra, a Java-based backdoor.
New Yokai Side-loaded Backdoor Targets Thai Officials (Netskope) During threat hunting activities, the Netskope team discovered a legitimate iTop Data Recovery application side-loading a backdoor we named Yokai that, to the best of our knowledge, has not been publicly documented yet.
Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers (The Record) Kadokawa, known for manga, anime and video games, appears to have made an extortion payment to cybercriminals, according to Kyodo News.
Trends
Arctic Wolf Labs 2025 Predictions Report (Arctic Wolf Networks) Use this report, and the predictions and recommendations within, to help secure your organization against growing and evolving threats.
Products, Services, and Solutions
Bitdefender Achieves Superior Results in AV-Comparatives Business Security Test (Bitdefender) Independent Testing Illustrates Bitdefender’s Excellence in Preventing Malware and Other Threats in Corporate Environments
zeroRISC Successfully Implements Post-Quantum Cryptographic Algorithm for Firmware Signing in Chip Provisioning Platform (BusinessWire) Post-Quantum Readiness is Paramount to zeroRISC’s Commitment to Ensuring Long-Term Trustworthy, Transparent, and Secure Open-Source Silicon in the Supply Chain
Managed Service Provider (MSP), Cybernet Evolution Achieves Nearly 100% Client Password Management Adoption via Bitwarden Partner Program (BusinessWire) Global MSP leverages Bitwarden to enhance security practices, streamline operations, and meet diverse client security needs across industries
SAP and Onapsis Partner to Help Customers Detect and Respond to Cybersecurity Incidents (Onapsis) Discover how to accelerate your SAP transformation with RISE with SAP and overcome security and compliance challenges with the Onapsis Secure RISE Accelerator™.
Industry Events
For a complete running list of events, please visit the Event Tracker.
Events
Hacking 4 Humanity 2025 (Virtual, Jan 24 - Feb 7, 2025) Online hate is on the rise, leading to real-world devastating effects on individuals and communities around the world. Join Carnegie Mellon, Duquesne, Pitt, and other undergrad and grad students from Pittsburgh at a multidisciplinary hackathon to develop new tech and policy solutions that mitigate online hate and create safer communities. Hacking4Humanity is a tech and policy hackathon for undergraduate and graduate students, which offers students a new way to engage with real-world social problems that can be improved with novel technical and policy solutions.
Sponsor & Support
Grow your brand, generate leads, and fill your funnel. With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.