Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12825
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-09 09:37:08 | thehackernews | MALWARE | Critical RCE Vulnerability Identified in GFI KerioControl Firewalls | A severe remote code execution (RCE) flaw, CVE-2024-52875, was found in GFI KerioControl firewalls; it is a CRLF injection that enables HTTP response splitting.
The vulnerability affects versions 9.2.5 to 9.4.5 and was discovered by security researcher Egidio Romano in early November 2024.
Because the affected pages reflect user input into HTTP response headers without sanitising line-feed characters, an attacker can inject additional headers and a response body.
The identified attack paths use the 'dest' GET parameter, which is reflected into the Location header of an HTTP 302 redirect, leading to reflected cross-site scripting (XSS) and further attacks.
GFI released a patch for the vulnerability on December 19, 2024, with version 9.4.5 Patch 1.
A proof-of-concept exploit shows that tricking an administrator into clicking a malicious link is enough for an attacker to upload a malicious .img file through the firmware upgrade function and gain root access to the firewall.
Since December 28, 2024, exploitation attempts have been observed from IP addresses primarily in Singapore and Hong Kong.
Over 23,800 internet-exposed instances of GFI KerioControl have been identified globally, with high concentrations in countries like Iran, the USA, and Germany. | Details |
| 2025-01-09 07:15:36 | thehackernews | DATA BREACH | EU Commission Penalized for Illegally Transferring Data to Meta | The European General Court ordered the European Commission to pay damages for violating the E.U.'s own data protection rules by transferring a citizen's personal data to Meta's servers in the U.S.
The case concerned the personal data of a German citizen, including their IP address and browser metadata, transferred when they registered for an event via a Commission website.
The infringement occurred when the individual used a "Sign in with Facebook" option on the Commission's login page, leading to the unauthorized data transfer.
The court noted that at the time of the data transfer in March 2022, there was no E.U. decision affirming that the U.S. provided adequate protection for personal data under E.U. standards.
The European Commission did not demonstrate any appropriate safeguards like standard data protection clauses to justify the data transfer.
The individual raised concerns about potential access to their data by U.S. security and intelligence services.
The lawsuit partially focused on whether the data was also transferred to Amazon CloudFront servers in the U.S., but this claim was dismissed as the server was located in Munich, Germany.
The court ordered the Commission to pay the individual €400 in compensation for non-material damage. | Details |
| 2025-01-09 04:44:04 | thehackernews | NATION STATE ACTIVITY | Critical Ivanti Vulnerability Exploited by Nation State Actor | Ivanti disclosed a critical flaw, CVE-2025-0282, impacting Connect Secure, Policy Secure, and ZTA Gateways, actively exploited since mid-December 2024.
The vulnerability allows for unauthenticated remote code execution and has been exploited in the wild, affecting a limited number of customers.
Mandiant attributes the exploitation to the China-nexus threat actor UNC5337, suspected to be part of UNC5221, which deployed the SPAWN malware family along with DRYHOOK and PHASEJAM.
Post-exploitation tactics included disabling SELinux, modifying system components, planting web shells, and blocking legitimate system upgrades (while displaying a fake upgrade progress bar) so that the implants survive.
A related high-severity flaw, CVE-2025-0283, which lets a local authenticated attacker escalate privileges, was fixed at the same time but has not been seen exploited.
U.S. CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by January 15, 2025.
Organizations are urged to run the Integrity Checker Tool, scan for signs of compromise, and report any incidents or anomalies. | Details |
| 2025-01-09 03:58:27 | theregister | NATION STATE ACTIVITY | China-Backed MirrorFace's Multiyear Cyberattacks Exposed by Japan | Japan's National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have attributed a multiyear cyberattack campaign to the Chinese cyber espionage group "MirrorFace", also known as "Earth Kasha".
The campaign, reported to have started in 2019 and involving at least three distinct waves of attacks, targeted Japanese think tanks, government agencies, politicians, and media outlets using malware such as "LODEINFO", "LilimRAT", and "NOOPDOOR".
Attack methods included spear phishing to deliver malware, exploitation of TLS 1.0 vulnerabilities, SQL injection, and misuse of client certificates, alongside deployment of the Neo-reGeorg tunnelling tool and web shells on compromised VPN devices.
Notable techniques included malicious Microsoft Office macros and running malware inside Windows Sandbox, whose contents are discarded on reboot, so that forensic traces are erased and persistent detection is avoided.
Critical sectors such as semiconductors, manufacturing, information and communications, academia, and aerospace have been notably impacted, suffering unauthorized access to Microsoft 365 and exploitation of vulnerabilities in products from Fortinet and Citrix.
Japanese authorities have advised local enterprises to strengthen their cybersecurity defenses, referencing both the current campaign and earlier warnings such as Google's on APT10's activity against Japan since 2009. | Details |
| 2025-01-09 00:46:34 | theregister | DATA BREACH | PowerSchool Data Breach Exposes Data of Millions of Students and Teachers | PowerSchool, a leading education software provider, was the victim of a cyberattack which resulted in the theft of student and teacher data, including Social Security numbers and medical information.
The incident compromised personal information held in PowerSchool's customer databases; the company serves roughly 18,000 customers and more than 60 million K-12 students and educators across the United States, so the potential exposure is enormous.
The intrusion was detected on December 28, 2024; access was gained with a compromised credential, and it took nearly two weeks for PowerSchool to notify its customers.
Two specific database tables were extracted, primarily containing contact information, but for some, included sensitive data like Social Security numbers, and limited medical and grade information.
PowerSchool has engaged an independent security firm to conduct a full audit of its systems to understand the extent and specifics of the breach.
PowerSchool believes the stolen data has not been shared or published, and it has implemented preventive measures such as password resets and tightened access controls.
Affected adults are being offered free credit monitoring services, while minors will receive subscriptions to identity protection services.
Cybersecurity firm Cyble suggests the breach may have started as early as June 2011, potentially affecting more systems and credentials than initially reported. | Details |
| 2025-01-09 00:00:58 | theregister | NATION STATE ACTIVITY | Outgoing Cyber Director Reflects on Challenges and Progress | Outgoing National Cyber Director Harry Coker acknowledged substantial progress in cybersecurity but emphasized the continuing vulnerabilities in critical systems.
Coker credited his office with enhancing federal and international cybersecurity efforts and engaging major tech companies to prioritize cybersecurity.
He highlighted the success of the White House national cybersecurity strategy of 2023 and improvements in the Border Gateway Protocol's security as significant accomplishments.
The Service for America recruitment campaign, despite its successes, has left many cybersecurity positions unfilled, underscoring a persistent talent gap.
Coker would like the incoming administration to give the Office of the National Cyber Director greater authority over federal cybersecurity budgeting.
Intrusions by state-linked actors into US telecommunications providers and into Microsoft's Exchange Online were underscored as major concerns.
Despite these intrusions, federal contracts with companies such as Verizon and Microsoft continue, raising questions about the balance between security oversight and business interests.
Coker stressed that the responsibility for cybersecurity should be a priority across all governmental departments and agencies. | Details |
| 2025-01-08 21:39:23 | bleepingcomputer | MALWARE | Critical Security Flaws Found in Popular WordPress Plugin | The Fancy Product Designer plugin for WordPress, developed by Radykal, has two unpatched critical vulnerabilities: an arbitrary file upload flaw and a SQL injection flaw.
Despite being notified by Patchstack, Radykal has not responded or updated the plugin to address these security issues.
Over 20,000 sales of the plugin have been made, primarily used on WooCommerce sites for customizing products like clothing and phone cases.
Patchstack discovered these vulnerabilities on March 17, 2024, and subsequently published a blog to warn users and encourage mitigation efforts.
The latest version of the plugin, 6.4.3, still contains the flaws even though 20 new versions have been released since Patchstack's report.
Patchstack's report includes technical details that could help attackers exploit the vulnerabilities.
Recommended mitigations include restricting uploads to an allowlist of safe file extensions and preventing SQL injection by sanitising input and using parameterised queries.
BleepingComputer has reached out to Radykal for comments on potential security updates but has yet to receive a response. | Details |
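The two mitigations named above, as an added example that is not Radykal's plugin code: an upload allowlist that also checks the file's magic bytes and refuses stacked extensions, and a parameterised query shown beside the string-built query it replaces. The product table, sample files and payload are constructed for the demonstration.

```python
# Added example (not the plugin's code): upload allowlisting and parameterised
# queries, the two mitigations recommended for the Fancy Product Designer flaws.
import os
import posixpath
import sqlite3
from typing import List, Tuple

# Allowlisted extensions and the magic bytes a file of that type must start with.
ALLOWED_UPLOADS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, content: bytes) -> str:
    """Return the normalised extension to store the file under, or raise ValueError.

    Directory components are stripped (so ../../evil.png becomes evil.png), the
    extension must be allowlisted, stacked extensions such as shell.php.png are
    refused, and the content must carry the magic bytes of the claimed type.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOADS:
        raise ValueError(f"extension {ext!r} not allowed")
    if not stem or "." in stem:
        raise ValueError("empty or stacked file name")
    if not content.startswith(ALLOWED_UPLOADS[ext]):
        raise ValueError("content does not match claimed type")
    return ext


def upload_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, content)
        return True
    except ValueError:
        return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the plugin's WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO products (name, owner) VALUES (?, ?)",
        [("mug", "alice"), ("tee", "bob"), ("case", "carol")],
    )
    return conn


def find_product_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """String-built query: the user-supplied name becomes part of the SQL text."""
    sql = f"SELECT id, name FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_product_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Parameterised query: the name is bound as data and never parsed as SQL."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = demo_db()
    payload = "x' OR '1'='1"          # constructed injection string
    print(find_product_vulnerable(db, payload))   # every row leaks
    print(find_product_safe(db, payload))         # [] - the literal name matches nothing
    print(upload_accepted("shell.php", b"<?php echo 1; ?>"))  # False
```

The same injection string returns the whole table through the string-built query and nothing through the bound parameter; the upload check rejects a PHP file whether it is named `shell.php`, `shell.php.png`, or `fake.gif` with PHP content.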
| 2025-01-08 20:43:35 | bleepingcomputer | MALWARE | Ivanti Reports Malware Attacks Exploiting New Security Vulnerability | Ivanti has warned of a zero-day attack exploiting a Connect Secure vulnerability identified as CVE-2025-0282, facilitating remote code execution.
The vulnerability affects Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways, but only Connect Secure appliances have been targeted.
The flaw is a stack-based buffer overflow; Ivanti learned of the attacks when its Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.
Patches are available for Ivanti Connect Secure, with updates for Ivanti Policy Secure and Neurons for ZTA Gateways scheduled for January 21, 2025.
Ivanti advises Connect Secure administrators to perform ICT scans and potentially a factory reset before updating to the patched firmware version 22.7R2.5 to ensure removal of any installed malware.
Today's update also fixes CVE-2025-0283, a privilege escalation flaw that is not currently known to be exploited.
Ivanti collaborates with Mandiant and Microsoft Threat Intelligence Center to investigate and mitigate the impacts of these vulnerabilities. | Details |
| 2025-01-08 20:33:16 | theregister | CYBERCRIME | Critical Exploits in Mitel and Oracle Products Under Active Use | Cybercriminals are exploiting two vulnerabilities in Mitel MiCollab and a critical flaw in Oracle WebLogic Server.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added three CVEs to its Known Exploited Vulnerabilities Catalog due to evidence of active exploits.
The Mitel flaws are path traversal issues: the critical CVE-2024-41713, which has been patched, and the low-severity CVE-2024-55550.
Oracle's CVE-2020-2883 in WebLogic Server was patched in 2020 but has continued to be exploited in the five years since.
Mitel's lower-severity CVE-2024-55550 remains unpatched but is considered mitigated in newer software versions.
Researchers stress that such flaws may be used by advanced persistent threats (APTs) to access or manipulate sensitive communications.
Enterprises using affected products are strongly advised to apply all available security updates and monitor for signs of exploitation.
Neither Mitel nor Oracle responded promptly to inquiries about the flaws. | Details |
| 2025-01-08 19:27:27 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Hacktivists Decimate Russian ISP Nodex's Network | Ukrainian Cyber Alliance claims responsibility for hacking and wiping the network of Russian internet provider Nodex.
The attackers claim to have stolen sensitive data before wiping the network infrastructure, including VMware systems and Veeam backups.
Nodex confirmed the incident on VKontakte, describing the network as “destroyed” and the attack as likely originating from Ukraine.
Restoration efforts are underway at Nodex, with gradual re-establishment of services such as telephony and internet connectivity.
Internet monitoring group NetBlocks reported significant disruptions in Nodex's fixed-line and mobile services.
Ukrainian Cyber Alliance has a history of targeting Russian organizations in response to geopolitical tensions. | Details |
| 2025-01-08 19:17:01 | bleepingcomputer | MALWARE | SonicWall Notifies Users of Critical Firmware Vulnerability | SonicWall has issued an urgent advisory to customers to upgrade SonicOS firmware due to a high-severity authentication bypass vulnerability in its SSL VPN and SSH management services.
The vulnerability, CVE-2024-53704, carries a CVSS score of 8.2 (high) and affects generation 6 and generation 7 firewalls.
SonicWall considers the flaw susceptible to actual exploitation, so it poses significant risk until the updated firmware is installed.
Additional vulnerabilities addressed include a weak PRNG in SSL VPN authentication, an SSRF vulnerability in the SSH interface, and a privilege escalation flaw specific to Gen7 SonicOS Cloud NSv in AWS and Azure environments.
SonicWall recommends restricting SSH management and SSL VPN access to trusted sources and, if possible, disabling internet access to these services as part of the mitigation strategies.
The company has made patches available as of January 6, 2025, and urges all affected customers to update immediately to safeguard their networks.
Administrators are advised to monitor for updates regularly and implement recommended security measures to reinforce firewall integrity. | Details |
| 2025-01-08 18:56:38 | bleepingcomputer | CYBERCRIME | Hackers Target KerioControl Firewall Exploiting Critical Flaw | Hackers are exploiting CVE-2024-52875, a critical vulnerability in GFI KerioControl firewall that enables 1-click remote code execution.
The flaw stems from line-feed characters not being sanitised when user input is reflected into HTTP response headers, allowing attackers to inject headers and a response body (HTTP response splitting).
Injected JavaScript running in an administrator's browser can steal the CSRF token and use it to upload a malicious firmware image through the firewall's upgrade function, disguised as a system update.
Active attempts to exploit this flaw were detected from multiple IP addresses by the threat monitoring platform GreyNoise.
Approximately 23,862 internet-visible instances of GFI KerioControl were identified, with an undetermined number vulnerable to attacks.
GFI Software released a correcting patch on December 19, 2024, urging users to update their systems immediately or apply alternative protections.
Recommended immediate mitigations include restricting web management interface access and disabling public exposure of critical web pages. | Details |
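The header-injection mechanism described in this item and in the earlier KerioControl item, as an added example that is not GFI's code or the published proof of concept: a redirect that reflects its `dest` parameter verbatim into the Location header, a splitter that parses the result as leniently as browsers do (a bare LF ends a header line), and a hardened builder beside it. The `dest` value and the host name are constructed.

```python
# Added example (not GFI's code or the PoC): HTTP response splitting through an
# unsanitised redirect parameter, and a hardened Location-header builder.
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, urlsplit

# Constructed attack value: the first bare LF ends the Location header, the
# second ends the header block, and everything after it becomes the body.
CONSTRUCTED_DEST = "/login\nContent-Type: text/html\n\n<script>alert(document.cookie)</script>"


def build_redirect_vulnerable(dest: str) -> str:
    """Reflects dest verbatim into Location, the bug class described above."""
    return f"HTTP/1.1 302 Found\nLocation: {dest}\nContent-Length: 0\n\n"


def split_response(raw: str) -> Tuple[List[str], str]:
    """Lenient split, as browsers do it: CRLF or a bare LF ends a header line,
    and the first empty line ends the header block. Returns (headers, body)."""
    lines = re.split(r"\r?\n", raw)
    headers: List[str] = []
    i = 1  # skip the status line
    while i < len(lines) and lines[i] != "":
        headers.append(lines[i])
        i += 1
    return headers, "\n".join(lines[i + 1:])


class UnsafeRedirect(ValueError):
    """Raised when a redirect target would be dangerous to place in a header."""


def safe_location(dest: str, allowed_host: Optional[str] = None) -> str:
    """Validate a redirect target before it reaches the Location header.

    Rejects CR, LF and NUL outright; allows only absolute paths on this origin
    (not scheme-relative //host or /\\host forms) or https URLs to allowed_host;
    then percent-encodes anything outside the URL-safe set, so a stray control
    character would be escaped rather than sent raw.
    """
    if re.search(r"[\r\n\x00]", dest):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc != allowed_host:
            raise UnsafeRedirect("redirect to a foreign origin")
    elif not dest.startswith("/") or dest[1:2] in ("/", "\\"):
        raise UnsafeRedirect("relative target must be an absolute path on this origin")
    return quote(dest, safe="/:?=&#@+,;~")


def build_redirect_hardened(dest: str, allowed_host: Optional[str] = None) -> str:
    """Same redirect, but the target is validated and encoded first."""
    location = safe_location(dest, allowed_host)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


def redirect_rejected(dest: str, allowed_host: Optional[str] = None) -> bool:
    """True if the hardened builder refuses the target."""
    try:
        build_redirect_hardened(dest, allowed_host)
        return False
    except UnsafeRedirect:
        return True


if __name__ == "__main__":
    headers, body = split_response(build_redirect_vulnerable(CONSTRUCTED_DEST))
    print(headers)   # the attacker's Content-Type header is now a real header
    print(body)      # ... and the script is the response body
    print(redirect_rejected(CONSTRUCTED_DEST))  # True
```

The vulnerable builder turns the injected `Content-Type` into a genuine response header and serves the script as the body of the 302, which is exactly the reflected XSS the advisory describes; the hardened builder refuses the same value before any header is written, and also refuses open redirects to foreign hosts.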
| 2025-01-08 18:16:03 | thehackernews | MALWARE | Malspam Campaigns Bypassing Security via Old Domains | Cybersecurity researchers revealed ongoing successful malspam campaigns that spoof sender email addresses to appear genuine.
Attackers increasingly spoof old, neglected domains that lack SPF, DKIM and DMARC records, so the forged mail cannot fail those checks and is less likely to be flagged as spam.
A specific phishing tactic observed since December 2022 involves emails with QR code attachments leading to fraudulent payment sites.
Recent campaigns also impersonate major brands like Amazon and Mastercard, aiming to harvest user credentials through fake login pages.
Extortion techniques have been employed wherein attackers demand Bitcoin payments in exchange for not releasing compromising videos.
Infoblox notes that some of the spoofed domains are not in active use at all, which complicates efforts to track repeat malicious senders.
Smishing Triad and additional actors conduct SMS phishing, targeting Middle Eastern banking customers and exploiting data from government websites.
The use of generic top-level domains (.top, .xyz) for cybercrime is increasing, with such domains now linked to a higher proportion of malicious activities. | Details |
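Why a neglected domain is attractive to spoof, as an added example that is not Infoblox's tooling: with no SPF or DMARC record the receiving server has no policy to enforce against a forged From: address, and with `p=none` the policy is monitor-only. The DNS records below are constructed stand-ins for TXT lookups; a real check would resolve them, and the `pct`/`+all` handling shows two ways a published policy can still leave a domain spoofable.

```python
# Added example (not Infoblox's code): classify how exposed a sender domain is
# to spoofing from its SPF and DMARC records. DNS data is constructed.
from typing import Dict, Optional

# Constructed records standing in for DNS TXT lookups (domain -> record type -> value).
CONSTRUCTED_DNS: Dict[str, Dict[str, str]] = {
    "neglected.example": {},  # no SPF, no DMARC: nothing for a receiver to enforce
    "monitor.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    },
    "strict.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    },
    "loose.example": {
        "spf": "v=spf1 +all",  # every sender passes SPF
        "dmarc": "v=DMARC1; p=quarantine; pct=10",  # policy applied to 10% of mail
    },
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass (the default when no qualifier is written). None if 'all' is absent."""
    for token in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = token[0] if token[0] in "+-~?" else "+"
        if token.lstrip("+-~?").lower() == "all":
            return qualifier
    return None


def spoofing_exposure(domain: str, dns: Dict[str, Dict[str, str]] = CONSTRUCTED_DNS) -> str:
    """Return one of: unprotected, spf-only, monitor-only, partial, enforced."""
    records = dns.get(domain, {})
    spf, dmarc = records.get("spf"), records.get("dmarc")
    if dmarc is None:
        # Without DMARC the receiver has no policy to apply to the From: domain,
        # whatever SPF says about the envelope sender.
        return "spf-only" if spf else "unprotected"
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "none").lower()  # a missing 'p' is treated as no policy
    if policy == "none":
        return "monitor-only"
    if int(tags.get("pct", "100")) < 100:
        return "partial"  # most forged mail is exempted from the policy
    if spf is not None and spf_all_qualifier(spf) == "+":
        return "partial"  # '+all' lets any sender pass SPF, which satisfies DMARC
    return "enforced"


if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        print(f"{name:20} {spoofing_exposure(name)}")
```

Only `strict.example` ends up `enforced`; the neglected domain, with no records at all, is the easiest to forge, which is the pattern the campaigns above exploit.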
| 2025-01-08 17:35:24 | bleepingcomputer | CYBERCRIME | Researchers Secure Over 4,000 Active Web Backdoors via Expired Domains | Over 4,000 active web backdoors were secured after researchers registered expired domains formerly used to command them.
This proactive cybersecurity effort was led by WatchTowr Labs in collaboration with The Shadowserver Foundation.
The compromised hosts included government and university servers, on which whoever controlled the domains could have executed commands remotely.
Various backdoor types were identified, including r57shell, c99shell, and China Chopper, with some linked to known APT groups like the Lazarus Group.
The breached systems spanned multiple countries, affecting organizations in China, Nigeria, Bangladesh, Thailand, and South Korea.
After taking control of the domains, WatchTowr set up a logging system to monitor and analyze the incoming requests from compromised systems.
Responsibility for these domains has now been transferred to The Shadowserver Foundation to prevent future malicious use and to continue monitoring the sinkholed traffic. | Details |
| 2025-01-08 17:30:05 | bleepingcomputer | DATA BREACH | Medusind Data Breach Impacts Over 360,000 Healthcare Records | Medusind, a prominent healthcare billing firm, experienced a significant data breach in December 2023, impacting personal and health information of 360,934 individuals.
The breach was identified following suspicious activity detected on the company's network, leading to an immediate investigation by cybersecurity experts.
The exposed data varied by individual but included personal and health information.
Medusind responded by taking the affected systems offline and engaging a forensic cybersecurity firm to contain the breach and investigate.
Affected individuals have been offered two years of free identity monitoring services through Kroll, including credit monitoring and identity theft restoration.
The company has advised all affected users to monitor their account statements and credit reports for signs of unauthorized activities.
This incident comes amid broader regulatory changes by the U.S. Department of Health and Human Services, aiming to enhance the security of patient data in the healthcare sector. | Details |