🎓️ Vulnerable U | #095
Cybercrime marketplace takedown, Cleo attacks claimed by Clop, Struts, Fortinet, and Microsoft 0days, and more!
Read Time: 10 minutes
Howdy friends!
Did you accomplish everything you set out to in 2024? Yeah, me either…
But! I am super proud of everything I have been able to do. Here we are closing in on 100 editions of the newsletter and will hit 20,000 subscribers this week. And the team has grown over here so I’m even more excited for what we have in store for you in 2025.
My studio setup is a bit of a hint at what’s to come, but I think it’s turning out halfway decent.
In the spirit of most people taking some sort of time off over the next few weeks, I wrote about some of you who I know just can’t bring yourself to do it. Let’s talk about Rest:
Here's a fun game: Ask a security professional when they last took a real vacation. Not the "checking Slack from the beach" kind. Not the "I'll just monitor alerts" kind.
An honest, phones-off, out-of-office vacation.
I'll wait.
If you work in cybersecurity, you know the feeling: stepping away can seem like an impossible luxury. There’s always another alert, another urgent 'Can you take a look at this?' that keeps you tethered to your desk.
Rest can feel like a risk you can’t afford—but what if the real risk is not resting?
The Math Doesn't Math:
Chronic stress + Sleep deprivation + Alert fatigue + Drugs/Alcohol = Worse decisions && Higher Turnover && Mental Health Issues
Yet here we are, energy drinks in hand, convincing ourselves we can outwork our shadows.
ICYMI
🖊️ Something I wrote: Isolation + Algorithms + Capital = Profitable Misery
🎧️ Something I heard: Confessions of a Toolmaker - Tom Hudson (tomnomnom) - Ekoparty 2024
🔖 Something I read: I think a lot about SaaS security and dug learning about how Reco is doing things with Clickhouse. Instead of looking at each app in isolation, they're building a complete picture of how users behave across all their SaaS apps*
🎤 Something I said: What’s the deal with these SMS spam texts with no obvious motive? Turns out it’s probably number warming.
*Sponsored
📣 Sponsor
Practical Guide to Cloud Detection & Response
Cloud attacks are evolving, and so is detection and response.
For modern security teams, the cloud presents both a blessing and a curse. Abundant telemetry allows for unparalleled visibility and control, but traditional security tools (like SIEM and EDR) fall short in addressing the complexities and scale of cloud infrastructure.
That’s why a new category of tools is emerging – Cloud Detection and Response (CDR).
This practical guide covers
→ What is Cloud Detection and Response (CDR)
→ Why you need a CDR solution (and how other tools fall short)
→ Key benefits & capabilities of CDR tools
Vulnerable News
FBI just took down another cybercrime marketplace - this time it's Rydox, which has been slinging stolen PII and hacking tools since 2016. They nabbed three admins (two in Kosovo, one in Albania) and seized the domain along with $225k in crypto. The site had moved about $230k worth of stolen data and cybercrime tools across 7,600 sales to its 18,000 users.
This is part of that ongoing game of whack-a-mole the feds are playing with these marketplaces - they just took down PopEyeTools last month. While there are plenty more shops out there, it's still good to see some action. Two of the admins are facing multiple identity theft and fraud charges in the U.S., while the third will be prosecuted in Albania. (read more)
A wild social engineering case just dropped from Brian Krebs. Two victims lost massive crypto stacks ($450k and $4.7M) to scammers impersonating Google support. The attackers used legit Google services against their targets - calling from real Google Assistant numbers and sending phishing emails through Google Forms that came from google.com domains. They got caught on tape bragging about it to a podcaster.
The scam hinged on getting victims to click "Yes" on Google account recovery prompts, then pivoting to their synced Google Authenticator codes to drain crypto wallets and exchange accounts. (read more)
TP-Link is the latest Chinese tech company in the US government's crosshairs. The Commerce Department just launched a national security probe into the router maker, which has somehow managed to grab 60% of the US retail market for WiFi systems while flying under the radar. What's got investigators spooked isn't just their massive market share - they're seeing echoes of the "Huawei playbook" with aggressive pricing and market dominance.
The timing's interesting - this comes after Chinese state hackers have been caught using TP-Link routers (among others) in major attacks like Volt, Flax, and Salt Typhoon that targeted US infrastructure. While there's no evidence TP-Link was involved, the company's recent attempts to distance itself from China - including a corporate restructuring and the owners' convenient plans to become US citizens - are only making investigators more suspicious. (read more)
Remember those Cleo file transfer attacks from last week? Turns out Clop's behind them. Mandiant just linked the exploitation to UNC5936 (Clop's crew) who've been having a field day with file transfer tools lately - first MOVEit, then GoAnywhere, now this. They were exploiting this as a zero-day since October, way before anyone knew about it.
While they haven't seen the mass data theft that's typical of Clop's playbook yet, they're spotting Beacon and GoldTomb backdoors on compromised systems. That usually means ransomware's coming next. If you're running Cleo Harmony, VLTrader, or LexiCom, might want to check for signs of compromise even if you've already patched - and definitely grab that v5.8.0.24 update if you haven't already. (read more)
Microsoft just patched an actively exploited zero-day (CVE-2024-49138) in their December updates. CrowdStrike found it, and they don't typically cry wolf. The bug lives in the Common Log File System driver and lets attackers escalate privileges to SYSTEM on pretty much every modern Windows version.
Neither Microsoft nor CrowdStrike are sharing exploitation details yet, but CISA's already added it to their Known Exploited Vulnerabilities list. Given CrowdStrike's track record and CISA's quick action, this is probably one you want to patch sooner rather than later. (read more)
Spicy new Struts 2 vulnerability that's already seeing exploit attempts in the wild. CVE-2024-53677 lets attackers upload malicious files and potentially get remote code execution. It seems to be a redux of an older bug (CVE-2023-50164) - the patch didn't quite stick the landing.
The proof-of-concept code is already out there, and SANS is tracking active exploitation attempts from 169.150.226.162. The patch Apache released isn't backward compatible, meaning you'll need to rewrite your actions to use the new upload mechanism. No workarounds available either, so if you're running any version between Struts 2.0.0 and 6.3.0.2, you've got work to do. (Anyone else still twitchy when seeing the word “Struts” from the 2016 bug? My body still remembers that one.) (read more)
Fortinet finally patched that FortiWLM zero-day (CVE-2023-34990) that Horizon3 reported... back in May 2023. The bug lets unauthenticated attackers read log files remotely through some path traversal shenanigans, and when combined with other vulns, could lead to RCE.
The logs are super verbose and include session IDs, so attackers can basically hijack authenticated sessions. What's wild is how long this took to fix - Horizon3 found it last March and it didn't even have a CVE at the time. Given how popular Fortinet gear is with attackers (especially their wireless management stuff used by universities), you'll probably want to upgrade to 8.5.5 or 8.6.6 fast. (read more)
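From a defender's side, the FortiWLM write-up above comes down to two controls on any endpoint that hands out log files: confine the requested name to the log directory so a traversal string cannot escape it, and scrub session identifiers before the content leaves the box. The Python below is an added illustration of both, not Fortinet's code or anything from the Horizon3 report; the directory layout, the log line and the `session_id=` format are constructed for the example, and the regex is an assumption about how such a token might appear in a log.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Assumed token format: "session_id=<value>", "sessionid: <value>" and similar.
SESSION_RE = re.compile(r"(session[_ -]?id\s*[=:]\s*)([A-Za-z0-9+/=_-]{8,})", re.IGNORECASE)


def resolve_log_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` inside `base_dir`, or None if it escapes.

    realpath() collapses "..", resolves symlinks and absolute paths, so the
    prefix check is done on what the filesystem would actually open.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def redact_session_ids(text: str) -> str:
    """Replace the value part of every session-id token, keep the key for readability."""
    return SESSION_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


def read_log(base_dir: str, requested: str) -> Optional[str]:
    """Serve a log file only if it lives under base_dir, with session ids removed."""
    path = resolve_log_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return redact_session_ids(fh.read())


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed log directory and exercise the three interesting cases."""
    with tempfile.TemporaryDirectory() as tmp:
        logdir = os.path.join(tmp, "logs")
        os.makedirs(logdir)
        with open(os.path.join(logdir, "app.log"), "w", encoding="utf-8") as fh:
            # Constructed log line: a verbose login record carrying the session token.
            fh.write("2024-12-20 10:00:01 login ok user=admin session_id=abcdef1234567890\n")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("outside the log dir\n")
        return {
            "good": read_log(logdir, "app.log"),          # served, token redacted
            "traversal": read_log(logdir, "../secret.txt"),  # rejected
            "absolute": read_log(logdir, "/etc/hostname"),   # rejected
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", repr(result))
```

The check is deliberately done after `realpath()` rather than by searching the input for `..`: an allowlist of resolved paths survives encodings and symlink tricks that a denylist of substrings does not.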
Good read on a new PHP backdoor called Glutton, likely tied to China's APT41/Winnti crew. They're targeting other cybercriminals' infrastructure, turning their own tools against them. The malware goes after popular PHP frameworks like Laravel and ThinkPHP, dropping backdoors and harvesting system info across China, US, Cambodia, Pakistan, and South Africa.
This seems particularly sloppy for Winnti - no encrypted C2, using plain HTTP, zero obfuscation. They're even advertising compromised hosts on cybercrime forums as bait. The malware itself is pretty capable though, with a modular framework that can infect PHP files, plant backdoors, and steal browser data. Plus it ties into that updated Mélofée backdoor we saw a few weeks back. (read more)
Enterprise surveillance cams and DVRs being targeted if ports are open to the internet. (read more)
We’ve seen a rise in Teams usage for phishing, and in this report, they outline attackers who posed as a client, called the victim (after flooding them with thousands of emails), and convinced them to install AnyDesk for "remote support." Once they had remote access, they dropped DarkGate malware via an AutoIt script, which started poking around the system and trying to connect to C2 servers.
They first tried to get the victim to install Microsoft Remote Support (which failed), then fell back to AnyDesk from the official site. After getting in, they used DLL side-loading tricks and started running discovery commands to gather system info. (read more)
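The useful detection angle in the Teams/AnyDesk story is the sequence, not any single step: a remote-support tool appears, a script interpreter runs under it shortly afterwards, and discovery commands follow. The Python below is an added example of that kind of correlation over process-creation events; it is not from the report being summarized. The event records, host names and paths are constructed, and the 30-minute window, the tool and interpreter names, and the discovery-command list are assumptions you would tune to your own telemetry.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"ts": "2024-12-17T14:02:10", "host": "WS-17", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": "explorer.exe", "cmd": "AnyDesk.exe"},
    {"ts": "2024-12-17T14:09:31", "host": "WS-17", "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoIt3.exe",
     "parent": "AnyDesk.exe", "cmd": "AutoIt3.exe script.a3x"},
    {"ts": "2024-12-17T14:10:02", "host": "WS-17", "image": r"C:\Windows\System32\cmd.exe",
     "parent": "AutoIt3.exe", "cmd": "cmd.exe /c systeminfo"},
    {"ts": "2024-12-17T14:10:05", "host": "WS-17", "image": r"C:\Windows\System32\whoami.exe",
     "parent": "cmd.exe", "cmd": "whoami /all"},
    # A legitimate-looking AnyDesk start on another host with nothing following it.
    {"ts": "2024-12-17T15:40:00", "host": "WS-22", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": "explorer.exe", "cmd": "AnyDesk.exe"},
]

REMOTE_TOOLS = {"anydesk.exe"}                 # assumed: remote-support binaries of interest
SCRIPT_HOSTS = {"autoit3.exe"}                 # assumed: interpreters the report mentions
DISCOVERY = {"systeminfo", "whoami", "net", "ipconfig", "nltest"}  # assumed command set
WINDOW = timedelta(minutes=30)                 # assumed correlation window


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_tokens(cmd: str) -> set:
    """Tokens of a command line with any .exe suffix stripped, for matching DISCOVERY."""
    out = set()
    for tok in cmd.lower().split():
        out.add(tok[:-4] if tok.endswith(".exe") else tok)
    return out


def correlate(events: List[Dict[str, str]]) -> List[Dict]:
    """Return one chain per remote-tool start that is followed, on the same host and
    within WINDOW, by a script interpreter and then discovery commands."""
    events = sorted(events, key=lambda e: e["ts"])
    chains = []
    for e in events:
        if basename(e["image"]) not in REMOTE_TOOLS:
            continue
        start = datetime.fromisoformat(e["ts"])
        chain = {"host": e["host"], "remote_tool": e["ts"], "script_host": None, "discovery": []}
        for f in events:
            if f["host"] != e["host"]:
                continue
            t = datetime.fromisoformat(f["ts"])
            if not (start < t <= start + WINDOW):
                continue
            name = basename(f["image"])
            if name in SCRIPT_HOSTS:
                chain["script_host"] = f["ts"]
            elif chain["script_host"] and command_tokens(f["cmd"]) & DISCOVERY:
                chain["discovery"].append(f["cmd"])
        # A remote tool on its own is normal IT activity; only report the full sequence.
        if chain["script_host"]:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain)
```

Requiring the interpreter before counting discovery commands is what keeps the legitimate AnyDesk start on the second host out of the results; the same structure works for any "remote tool, then loader, then recon" chain by swapping the three sets.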
Heads up on a new phishing campaign making the rounds - attackers are spoofing Google Calendar invites to trick folks into clicking malicious links. Check Point caught wind of this one after seeing about 300 organizations hit with over 4,000 emails in just four weeks. The scammers are sending what look like legit calendar invites from people you know, complete with .ics files that lead to fake Google Forms or Drawings.
The end game here is pretty standard - victims end up on bogus crypto mining or Bitcoin support pages where they're asked to hand over personal and payment info. Google's suggestion is to enable the 'known senders' setting in Calendar to get warnings about invites from strangers. (read more)
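Because the lure in the Google Calendar campaign arrives as an `.ics` attachment, a mail gateway or SOC script can triage the invite itself rather than the email body: who the organizer is, whether that sender is known, and where the embedded links go. The Python below is an added example of such a triage pass, not Check Point's or Google's code. The invite text is constructed, the `FORM_HOSTS` and `SHORTENER_HOSTS` lists are assumptions to extend for your environment, and the parser handles the property layout you see in the sample (it does not implement every corner of RFC 5545).

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample invite, folded the way calendar clients emit long lines.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Invite//EN
BEGIN:VEVENT
UID:1234@example.invalid
DTSTART:20241220T150000Z
SUMMARY:Q4 Bonus Confirmation
ORGANIZER;CN=Pat Smith:mailto:pat.smith@partner-example.invalid
DESCRIPTION:Please confirm your details here: https://docs.google.com/forms/
 d/e/EXAMPLE/viewform before the call.
LOCATION:https://bit.ly/EXAMPLE
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s,<>\"]+")
FORM_HOSTS = {"docs.google.com"}                      # hosted forms/drawings used as lure pages
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed list of link shorteners


def unfold_ics(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with space or tab continues the previous one."""
    text = text.replace("\r\n", "\n")
    return text.replace("\n ", "").replace("\n\t", "").split("\n")


def parse_properties(lines: List[str]) -> Dict[str, List[str]]:
    """Map property name -> values. Parameters (after ';') are dropped; the value starts at the first ':'."""
    props: Dict[str, List[str]] = {}
    for line in lines:
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()
        props.setdefault(name, []).append(value)
    return props


def triage_invite(ics_text: str, known_senders: Set[str]) -> Dict:
    """Extract organizer and links, then flag unknown senders and risky link hosts.

    known_senders holds lower-cased addresses and/or bare domains you trust.
    """
    props = parse_properties(unfold_ics(ics_text))
    organizer = props.get("ORGANIZER", [""])[0]
    if organizer.lower().startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    organizer = organizer.lower()
    domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""

    links: List[str] = []
    for field in ("DESCRIPTION", "LOCATION", "URL"):
        for value in props.get(field, []):
            links.extend(URL_RE.findall(value))

    flags: List[str] = []
    if organizer not in known_senders and domain not in known_senders:
        flags.append("unknown-organizer")
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened-link:{host}")
        elif host in FORM_HOSTS:
            flags.append(f"hosted-form-link:{host}")

    return {
        "summary": props.get("SUMMARY", [""])[0],
        "organizer": organizer,
        "domain": domain,
        "links": links,
        "flags": flags,
    }


if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, known_senders={"example.invalid"}))
```

The "unknown-organizer" flag is the scripted equivalent of the Calendar "known senders" setting mentioned above; the link checks add what that setting cannot see, namely where the invite actually sends the recipient.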
Another day, another healthcare breach - this time it's ConnectOnCall exposing data from nearly a million patients. (read more)
Iran's CyberAv3ngers crew has been busy with a new toy - a custom malware called IOCONTROL that's been targeting critical infrastructure in the US and Israel. The malware's particularly nasty because it can hijack everything from fuel pumps to water systems, and it's hitting devices from a whole bunch of manufacturers including D-Link, Hikvision, and others. Team82 found they were particularly focused on fuel management systems, potentially able to shut down gas stations and swipe payment data.
From a technical perspective, they're staying under the radar - using MQTT (an IoT messaging protocol) and Cloudflare's DNS over HTTPS to hide their traffic. The malware's been active since at least mid-2023, and while the feds initially thought they were just targeting Israeli-made gear in US facilities, turns out they're going after American-made stuff too. (read more)
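The two traffic traits called out for IOCONTROL, MQTT to an outside broker and DNS over HTTPS to Cloudflare's resolver, are each individually plausible on a modern network but have no business coming from a fuel pump or PLC, and the combination from one device is a strong signal. The Python below is an added example of flagging that from flow records; it is not Team82's detection logic. The flow lines and the OT address range are constructed, and the resolver addresses and SNI names are Cloudflare's public 1.1.1.1 service, listed here as the example's assumption about what "Cloudflare DoH" looks like on the wire.

```python
import ipaddress
from typing import Dict, List

OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed OT/IoT device range
MQTT_PORTS = {1883, 8883}                               # MQTT plain and over TLS
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}                  # Cloudflare public resolver addresses
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one"}     # TLS server names of that resolver

# Constructed flow records: timestamp followed by key=value pairs.
SAMPLE_FLOWS = [
    "2024-12-18T02:14:07Z src=10.50.3.21 dst=203.0.113.9 dport=8883 proto=tcp sni= bytes=5120",
    "2024-12-18T02:14:09Z src=10.50.3.21 dst=1.1.1.1 dport=443 proto=tcp sni=cloudflare-dns.com bytes=900",
    "2024-12-18T02:15:00Z src=10.50.3.40 dst=10.50.0.5 dport=502 proto=tcp sni= bytes=200",
    "2024-12-18T02:16:00Z src=192.168.7.12 dst=1.1.1.1 dport=443 proto=tcp sni=cloudflare-dns.com bytes=1500",
]


def parse_flow(line: str) -> Dict[str, object]:
    """Turn one 'ts k=v k=v ...' record into a dict with an integer dport."""
    ts, *pairs = line.split()
    rec: Dict[str, object] = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def is_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def classify(rec: Dict[str, object]) -> List[str]:
    """Reasons a single flow from an OT device is suspicious (empty list if none)."""
    reasons: List[str] = []
    if not is_ot(str(rec["src"])):
        return reasons                      # workstations use DoH legitimately; out of scope here
    if rec["dport"] in MQTT_PORTS and not is_ot(str(rec["dst"])):
        reasons.append("mqtt-to-internet")
    if rec["dport"] == 443 and (rec["dst"] in DOH_RESOLVERS or rec.get("sni", "") in DOH_SNI):
        reasons.append("doh-from-ot-device")
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Per-flow alerts with their reasons."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return alerts


def suspicious_hosts(lines: List[str]) -> List[str]:
    """OT devices showing both traits, the pairing the write-up above describes."""
    by_src: Dict[str, set] = {}
    for alert in detect(lines):
        by_src.setdefault(str(alert["src"]), set()).update(alert["reasons"])
    wanted = {"mqtt-to-internet", "doh-from-ot-device"}
    return sorted(src for src, reasons in by_src.items() if wanted <= reasons)


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
    print("both traits:", suspicious_hosts(SAMPLE_FLOWS))
```

The Modbus flow inside the OT range and the DoH from a corporate workstation both stay quiet, which is the point: scope the rule to device classes that should never need a public resolver or an internet-facing broker, and the false-positive rate stays manageable.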
Trump's incoming national security advisor is making noise about turning up the heat on China, specifically calling out their Volt Typhoon operation that's been messing with critical infrastructure through compromised Cisco routers. Mike Waltz says defense isn't cutting it anymore and wants to "impose higher costs" on adversaries, potentially by leveraging US private sector capabilities.
China's already accused the CIA of running their own hacking operations, and there's that awkward 2015 no-hacking pact that neither side seems to care about anymore. While Waltz is talking tough about "changing behaviors," he's pretty light on details about what that actually means. Sanctions? Offensive operations? (read more)
There's a nasty new stealer making rounds called CoinLurker. It spreads through fake update prompts and uses Microsoft Edge Webview2 to slip past security tools - pretty smart since sandboxes often can't properly test Webview2 stuff. They're even using stolen EV certs and something called EtherHiding that pulls payloads from Bitbucket while pretending to be legit security updates.
Once it's in, CoinLurker goes hunting for crypto wallets (Bitcoin, Ethereum, Ledger Live, Exodus), plus Telegram and Discord data. The researchers at Morphisec who caught this say it's written in Go and uses some serious obfuscation to stay hidden. What's particularly interesting is how it's being distributed - there's apparently one threat actor running 10 different malvertising campaigns through Google Search ads, specifically targeting graphic design pros. (read more)
Serbian police are using Cellebrite to physically unlock detained journalists' phones and plant their homegrown spyware called NoviSpy. Amnesty International caught them in the act when journalist Slaviša Milanov noticed his phone acting weird after a "routine" traffic stop. Turns out the cops had extracted 1.6GB of data and left behind some spyware for dessert.
Amnesty traced this back to Serbian intelligence through a rookie OPSEC mistake - the spyware was calling home to an IP address previously linked to a Serbian intelligence agent who'd been shopping for Hacking Team's products back in 2012. Based on some internal counters in the malware, they estimate Serbia's infected at least a few hundred devices this way. While fancy zero-click exploits get all the headlines, sometimes the old school "grab the phone and hack it" approach works just fine. (read more)
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay