⚡ Weekly Highlights from THN: Key Cybersecurity Threats, Tools, and Best Practices

The past week has brought significant developments in cybersecurity, with new threats emerging and critical vulnerabilities exposed. From attacks on widely-used business tools to hidden flaws in everyday devices, cybercriminals are evolving their tactics, targeting systems of all sizes.

At the same time, law enforcement has made progress in dismantling illegal online marketplaces, while tech companies race to address vulnerabilities before they escalate into major crises.

If you haven’t been able to keep up, here’s a quick recap of what you might have missed:

⚡ Threat of the Week
Cleo Vulnerability Actively Exploited — A critical flaw (CVE-2024-50623) in Cleo’s file transfer solutions—Harmony, VLTrader, and LexiCom—is being actively targeted by cybercriminals. This vulnerability allows unauthorized remote code execution through an unrestricted file upload feature, posing severe risks to organizations globally.

Cybersecurity firms Huntress and Rapid7 reported widespread exploitation starting December 3, 2024, with attackers leveraging PowerShell commands and Java-based tools to compromise over 1,300 exposed systems across various industries. The ransomware group Termite is believed to be behind the attacks, employing sophisticated malware techniques reminiscent of those used by the Cl0p ransomware group.

🔔 Top Cybersecurity News

Iranian Hackers Deploy IOCONTROL Malware
Iran-linked threat groups have been associated with a newly developed malware named IOCONTROL, specifically targeting IoT and operational technology (OT) systems in the U.S. and Israel. This malware can execute system commands, scan IP ranges, and self-delete. It has been used to attack various IoT and SCADA devices, including IP cameras, routers, PLCs, HMIs, and firewalls, from multiple vendors such as D-Link, Hikvision, Phoenix Contact, and Unitronics.

Law Enforcement Shuts Down Criminal Operations
Global law enforcement agencies have successfully dismantled the Rydox marketplace and 27 websites offering distributed denial-of-service (DDoS) services. Additionally, German authorities disrupted the BADBOX malware operation, which had infected over 30,000 internet-connected devices sold in the country.

U.S. Charges Chinese Hacker for Sophos Exploits
The U.S. government has indicted Chinese national Guan Tianfeng for exploiting a zero-day vulnerability (CVE-2020-12271) in Sophos firewalls in April 2020. The exploit reportedly compromised 81,000 devices globally, with Guan accused of developing and deploying the attack.

Windows UI Automation Exploited in New Attack
Researchers have uncovered a method for malware to abuse Windows’ UI Automation framework, allowing malicious activities to bypass detection by endpoint security tools. This technique requires users to run a program that exploits the framework, enabling command execution and potential data theft.

Spyware Linked to Chinese Police
A surveillance tool named EagleMsgSpy has reportedly been used by Chinese law enforcement since 2017 to extract data from Android devices. It is believed an iOS version of the spyware also exists, requiring physical access to install and activate.

PUMAKIT Linux Rootkit Detected
A stealthy Linux rootkit called PUMAKIT has been observed in the wild, used by unknown attackers. The rootkit hides files, escalates privileges, and communicates with command-and-control servers while evading detection.

️‍🔥 Trending CVEs to Watch
Recent vulnerabilities affecting widely-used software include:

• CVE-2024-11639 (Ivanti CSA)
• CVE-2024-49138 (Windows CLFS Driver)
• CVE-2024-44131 (Apple macOS)
• CVE-2024-54143 (OpenWrt)
• CVE-2024-12254 (Python)
• CVE-2024-53677 (Apache Struts)
• CVE-2024-23474 (SolarWinds Access Rights Manager)

📰 Around the Cyber World

• Apple Faces Class Action Lawsuit Over CSAM Detection
  Apple is facing a $1.2 billion lawsuit over its alleged failure to detect and report child sexual abuse material (CSAM). The company previously scrapped plans for an iCloud photo scanning tool due to privacy concerns, stating it could create vulnerabilities for mass surveillance.
• Active Exploitation of Apache ActiveMQ Flaw
  Threat actors are exploiting a vulnerability in Apache ActiveMQ (CVE-2023-46604), targeting South Korea with malware such as cryptocurrency miners, Quasar RAT, and ransomware. Administrators are urged to update their systems promptly.
• Citrix Warns of Password Spraying Attacks
  Citrix has issued a warning about password spraying attacks targeting NetScaler appliances, potentially causing system instability. Organizations are advised to enable multi-factor authentication and implement security measures to block suspicious IPs.
• BadRAM Exploit Undermines AMD SEV Security
  Researchers have developed a $10 exploit named BadRAM (CVE-2024-21944) that bypasses AMD’s Secure Encrypted Virtualization (SEV) protections. This attack manipulates memory module metadata, compromising cloud computing security. AMD has released firmware updates to address the issue.
• WhatsApp Fixes View Once Privacy Flaw
  WhatsApp has resolved an issue where a browser extension could bypass the “View Once” feature, allowing users to save restricted media. The flaw involved a flag in the WhatsApp Web app that was exploited by third-party tools.

🎥 Expert Webinar
Why Even the Best Companies Get Hacked – And How to Prevent It
Join Silverfort’s CISO, John Paul Cunningham, for insights into why even well-prepared organizations fall victim to cyberattacks and how to strengthen defenses against evolving threats.

Key Takeaways:

• Hidden Security Gaps: Learn about vulnerabilities that often go unnoticed, even with advanced security measures in place.
• Attacker Tactics: Understand how cybercriminals bypass traditional defenses and exploit overlooked weaknesses.
• Strategic Alignment: Discover how to align cybersecurity strategies with business objectives.
• Actionable Steps: Gain practical insights to enhance your security framework and stay ahead of evolving threats.

👉 Register Now to fortify your defenses against modern cyber risks.

---

Cybersecurity Tools

• XRefer: Mandiant FLARE has released XRefer, a free plugin for IDA Pro designed to streamline malware analysis. It provides a clear overview of binary structures, highlights APIs and execution paths, and supports Rust binaries. With features to filter out irrelevant data, XRefer is ideal for both quick and in-depth investigations.
• TrailBytes: Simplify forensic investigations with TrailBytes, a free tool designed to quickly analyze Windows systems and build event timelines. It helps investigators identify key actions and uncover the truth efficiently.
• Malimite: A robust iOS decompiler based on Ghidra, Malimite supports Swift and Objective-C, reconstructs Swift classes, decodes iOS resources, and skips unnecessary library code. Compatible with Mac, Windows, and Linux, it aids researchers in finding vulnerabilities and understanding app functionalities.

---

Security Tip of the Week

Monitor Clipboard Activity to Prevent Data Leaks
The clipboard on your device can inadvertently expose sensitive data. Clipboard monitoring tools, such as Sysmon (Event ID 10), can track clipboard activities in real time. Enterprise solutions like Symantec DLP and Microsoft Purview offer advanced tracking capabilities to detect unusual patterns like bulk copying or credential exfiltration attempts.

For individual users, tools like Clipboard Logger can help maintain a clipboard history and flag potential issues. To minimize risks:

• Disable clipboard syncing when unnecessary.
• Configure alerts for sensitive keywords.
• Educate users about clipboard risks.

By monitoring clipboard activity, organizations can strengthen their data protection measures and mitigate insider threats.

---

Conclusion

Cybersecurity isn’t just about safeguarding systems; personal device security plays a critical role too. Attackers increasingly target employees’ personal devices to infiltrate corporate networks. Strengthen defenses by securing personal devices, using password managers, and enabling multi-factor authentication (MFA). Remember, the security of an organization is only as strong as its weakest link, which could be an unsecured smartphone or home network.