Cyber Security Weekly Briefing, 14 - 20 December
Apache Struts2 flaw actively exploited
ISC researchers have observed malicious actors beginning to exploit a newly discovered vulnerability in Apache Struts2. The vulnerability, registered as CVE-2024-53677, has a CVSSv4 score of 9.5 and is a path traversal flaw. If exploited, attackers could upload files into directories that should be restricted; uploading a webshell into the web root could lead to remote code execution or unauthorized control over the system.
The flaw appears to be related to a previous vulnerability, CVE-2023-50164, which was not properly fixed, leading to the current threat. ISC reported that the current attack attempts have been traced to the IP address 169.150.226[.]162. According to Apache, users should switch to the new Action File Upload mechanism to mitigate the risk. It is also recommended to monitor network traffic in order to identify and mitigate potential threats.
RDP rogue campaign detected attributed to APT29
The APT group Earth Koshchei, also known as APT29 and Midnight Blizzard, was discovered in October 2024 carrying out a “rogue RDP” attack campaign. According to Trend Micro researchers, this type of attack combines an RDP relay, a fake RDP server and a malicious RDP configuration file to give attackers access to the victim's device in order to steal information or distribute malware.
Although the campaign had been in preparation since at least August of the same year, when Earth Koshchei began acquiring malicious domains for the operation, the peak of the attacks was detected on October 22. According to Trend Micro, on that day the APT sent phishing emails with the fake RDP configuration file attached to members of government and law enforcement, as well as researchers and other Ukrainian targets. When executed, the file connected to a foreign RDP server operated by Earth Koshchei.
New campaign of fake update alerts distributes CoinLurker
Threat actors are employing fake software update alerts to distribute a new stealer called CoinLurker. The alerts reach users via compromised WordPress sites, phishing emails, malvertising redirects, fake CAPTCHA verification requests, direct downloads, and links shared via social media and messaging apps. The alerts use Microsoft Edge WebView2 to trigger payload execution.
For its part, CoinLurker is written in Go and employs state-of-the-art obfuscation and anti-analysis techniques, most notably the EtherHiding technique. Once launched, CoinLurker initiates communications with a remote server using a socket-based approach and proceeds to collect data from specific directories associated with Discord, Telegram, FileZilla and cryptocurrency wallets including Bitcoin, Ethereum, Ledger Live and Exodus.
Phishing campaign detected targeting the theft of Microsoft Azure credentials
Unit 42 researchers at Palo Alto Networks have detected a new phishing campaign aimed at stealing credentials for Microsoft Azure cloud infrastructure accounts. Although the researchers state that the campaign is believed to have started in June 2024, it was still active as of September 2024. Specifically, the malicious actor targeted industrial sector entities in Germany and the United Kingdom. The attacker sent victims phishing emails containing HubSpot Free Form Builder links and PDF files posing as legitimate DocuSign files, which redirected victims to credential-stealing websites. Unit 42 also reports that approximately 20,000 accounts were compromised during this operation.
Increase in password spraying attacks against Citrix NetScaler devices
Cloud Software Group, Citrix's parent company, has recently detected an increase in password spraying attacks targeting Citrix NetScaler devices with the aim of compromising corporate networks. Attackers use generic usernames and a wide range of dynamic IP addresses, which makes traditional mitigation strategies such as IP blocking and rate limiting difficult to apply effectively. In addition, these attacks can overload devices configured for normal authentication volumes, affecting their availability.
In response, the company has recommended measures such as implementing multi-factor authentication, blocking non-essential pre-nFactor endpoints and using web application firewalls (WAFs). Note that these mitigations apply only to firmware versions 13.0 or higher in on-premises or cloud environments, while Gateway Service customers do not need to take additional action.
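To illustrate why the IP-centric controls mentioned above fall short against this pattern, here is a small detection routine (example code written for this briefing, not from Citrix or Cloud Software Group) that compares a per-IP failure threshold with a window-based check on how many distinct usernames fail a few times each. The log format, the thresholds and the sample log lines are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page): timestamp, source IP, username, result.
# One failure per source IP, each against a different generic username, which is the
# pattern the briefing describes and which per-IP blocking does not see.
SAMPLE_LOG = """\
2024-12-16T10:00:01 203.0.113.10 admin FAIL
2024-12-16T10:00:03 203.0.113.11 test FAIL
2024-12-16T10:00:05 203.0.113.12 guest FAIL
2024-12-16T10:00:07 203.0.113.13 administrator FAIL
2024-12-16T10:00:09 203.0.113.14 user FAIL
2024-12-16T10:00:11 203.0.113.15 support FAIL
2024-12-16T10:00:13 203.0.113.16 info FAIL
2024-12-16T10:00:15 203.0.113.17 sales FAIL
2024-12-16T10:05:00 198.51.100.7 jdoe OK
"""

def parse_log(text):
    """Parse whitespace-separated log lines into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def ips_over_threshold(events, threshold=5):
    """Classic per-IP rate limiting: return the IPs with at least `threshold` failures."""
    fails = Counter(ip for _, ip, _, r in events if r == "FAIL")
    return {ip for ip, n in fails.items() if n >= threshold}

def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Flag a time window in which many distinct usernames fail, each only a few times,
    regardless of how many source IPs are involved. Returns the first hit or None."""
    fails = [(ts, ip, user) for ts, ip, user, r in events if r == "FAIL"]
    for i, (start, _, _) in enumerate(fails):
        in_win = [e for e in fails[i:] if e[0] < start + window]
        per_user = Counter(user for _, _, user in in_win)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            return {"window_start": start.isoformat(),
                    "distinct_users": len(per_user),
                    "distinct_ips": len({ip for _, ip, _ in in_win})}
    return None

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP block list:", ips_over_threshold(evs))  # empty set: no IP crosses the threshold
    print("spray alert:", detect_spray(evs))
```

On the sample data the per-IP block list stays empty while the window check reports eight usernames failing from eight sources, which is the signal a rate limiter keyed on source address never sees.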