WEEKLY TOP TEN: February 17, 2025, 16:00 GMT
- SonicWall Vulnerability Allows for Unauthenticated VPN Hijacking
Security firm Bishop Fox discovered CVE-2024-53704, a critical vulnerability in SonicWall firewalls that allows unauthenticated attackers to hijack active SSL VPN sessions. By exploiting flaws in session management, attackers can impersonate legitimate users and gain full access to internal networks without credentials.
The attack requires access to the VPN portal and can be executed remotely. Vulnerable versions include SonicOS 7.1.x (7.1.1-7058 and earlier), 7.1.2-7019, and 8.0.0-8035 across multiple Gen 7 and Gen 6 firewall models. SonicWall has released patches, and administrators are urged to update immediately, since working exploit code is publicly available.
- DragonRank Seen Exploiting IIS Servers Across Asia
Trend Micro has seen the threat group DragonRank exploiting IIS servers in Asia to deploy ‘BadIIS’ malware. This malware manipulates search engine rankings and redirects users to gambling sites or rogue servers that harvest credentials or attempt to deploy additional malware. It targets various sectors, including government, universities, and telecom companies. The ‘BadIIS’ malware specifically inspects HTTP headers and redirects users to malicious content when specific search terms are detected.
- Threat Actors Seen Exploiting Old ThinkPHP and ownCloud Vulnerabilities
Security researchers at GreyNoise have observed a significant increase in attacks targeting outdated versions of the ThinkPHP Framework and ownCloud. The threat actors are exploiting CVE-2022-47945, a local file inclusion flaw in ThinkPHP, and CVE-2023-49103, an issue in ownCloud, to execute arbitrary commands and access sensitive data. These vulnerabilities allow unauthenticated remote attackers to compromise the outdated servers.
- Astaroth Phishing Kit Bypasses 2FA for Gmail and Microsoft Accounts
SlashNext Threat Researchers have identified a new phishing kit named Astaroth that can bypass two-factor authentication (2FA) and steal login credentials and cookies from Gmail, Yahoo, and Microsoft accounts. The kit uses a reverse proxy that sits as a man-in-the-middle between victims and the legitimate authentication services, capturing usernames, passwords, and 2FA tokens in real time.
- Sarcoma Ransomware Operation Breached Unimicron
The Sarcoma ransomware group has claimed responsibility for a cyberattack on Unimicron, a leading Taiwanese printed circuit board (PCB) manufacturer, and says it exfiltrated 377 GB of SQL files and documents. Unimicron confirmed the ransomware attack, which occurred on January 30 and affected its China-based subsidiary, but did not confirm that a data breach occurred.
- FortiOS Vulnerability Allows for Super-Admin Privilege Escalation
Fortinet identified a critical vulnerability in the FortiOS Security Fabric, tracked as CVE-2024-4059. The flaw stems from improper privilege management and allows an authenticated administrator with Security Fabric permissions to escalate to super-admin. It affected versions 7.6.0, 7.4.0 – 7.4.4, 7.2.0 – 7.2.9, 7.0.0 – 7.0.15, and all versions of 6.4. Fortinet has released fixes in versions 7.6.1, 7.4.5, 7.2.10, and 7.0.16, respectively.
- PostgreSQL Vulnerabilities Used to Breach BeyondTrust
In December, attackers exploited a zero-day vulnerability in PostgreSQL (CVE-2024-12356 and CVE-2024-12686) and used a stolen API key to breach BeyondTrust’s network and 17 Remote Support SaaS instances. Rapid7’s vulnerability research team discovered the flaw, which allowed unauthorized access and led to data compromise. A month later, the attackers compromised the U.S. Treasury Department, using a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
- Salt Typhoon Uses Older Cisco Vulnerabilities in Recent Attacks
The Chinese state-sponsored espionage group Salt Typhoon has recently exploited known vulnerabilities in Cisco devices, such as CVE-2023-20198 and CVE-2023-20273, to infiltrate telecommunications companies, internet service providers, and universities across six continents. In December and January, the group compromised over a thousand Cisco devices, leveraging these older, unpatched bugs to gain unauthorized access. It then configured Generic Routing Encapsulation (GRE) tunnels to establish persistence and enable data exfiltration.
- New ‘whoAMI’ Attack Exploits AWS AMIs, Allowing for Remote Code Execution
Datadog Security Labs researcher Seth Art has identified a new supply chain attack, dubbed ‘whoAMI,’ targeting Amazon Web Services (AWS). The attack abuses lookups through the ec2:DescribeImages API that omit the --owners filter: an attacker can publish a public Amazon Machine Image (AMI) whose name matches a legitimate one, and an unfiltered lookup may select it.
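As an added illustration of the lookup flaw just described (example code written for this digest, not Datadog's or AWS's), the block below simulates the name-only, most-recent AMI selection that whoAMI abuses against constructed DescribeImages-style records, and the owner-filtered lookup that closes it. Field names (ImageId, Name, OwnerId, CreationDate) follow the EC2 DescribeImages response; the account IDs, AMI IDs and image names are invented.

```python
from fnmatch import fnmatch

# Constructed sample records in the shape of an EC2 DescribeImages response.
# TRUSTED_PUBLISHER stands in for the vendor's real account ID (made up here);
# UNKNOWN_ACCOUNT is an unrelated account that published a look-alike image.
TRUSTED_PUBLISHER = "123456789012"
UNKNOWN_ACCOUNT = "999999999999"

SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa",
     "Name": "example-linux/hvm-ssd/example-linux-22.04-amd64-server-20240701",
     "OwnerId": TRUSTED_PUBLISHER, "CreationDate": "2024-07-01T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000bbbb",  # newer, same naming scheme, wrong owner
     "Name": "example-linux/hvm-ssd/example-linux-22.04-amd64-server-20250201",
     "OwnerId": UNKNOWN_ACCOUNT, "CreationDate": "2025-02-01T09:30:00.000Z"},
    {"ImageId": "ami-0000000000000cccc",  # trusted owner, but a different product
     "Name": "other-distro/minimal-20250110",
     "OwnerId": TRUSTED_PUBLISHER, "CreationDate": "2025-01-10T00:00:00.000Z"},
]


def newest(images):
    """Return the image with the latest CreationDate (ISO-8601 sorts lexically)."""
    return max(images, key=lambda img: img["CreationDate"]) if images else None


def select_ami_unsafe(images, name_pattern):
    """The whoAMI-prone pattern: match on name only and take the most recent.
    Nothing ties the result to a publisher, so the newest look-alike wins."""
    matches = [img for img in images if fnmatch(img["Name"], name_pattern)]
    return newest(matches)


def select_ami_safe(images, name_pattern, allowed_owners):
    """Hardened lookup: restrict to an owner allowlist before matching names,
    the equivalent of always passing --owners / Owners to DescribeImages."""
    matches = [img for img in images
               if img["OwnerId"] in allowed_owners
               and fnmatch(img["Name"], name_pattern)]
    if not matches:
        raise LookupError(f"no image matching {name_pattern!r} "
                          f"from owners {sorted(allowed_owners)}")
    return newest(matches)


def audit_lookup(images, name_pattern, allowed_owners):
    """Defender check: list every name-matching image whose owner is not on the
    allowlist, i.e. the candidates an unfiltered lookup could silently pick."""
    return [img["ImageId"] for img in images
            if fnmatch(img["Name"], name_pattern)
            and img["OwnerId"] not in allowed_owners]


if __name__ == "__main__":
    pattern = "example-linux/hvm-ssd/example-linux-22.04-amd64-server-*"
    print("unsafe :", select_ami_unsafe(SAMPLE_IMAGES, pattern)["ImageId"])
    print("safe   :", select_ami_safe(SAMPLE_IMAGES, pattern, {TRUSTED_PUBLISHER})["ImageId"])
    print("suspect:", audit_lookup(SAMPLE_IMAGES, pattern, {TRUSTED_PUBLISHER}))
```

The unsafe selection returns the look-alike from the unknown account because it is the newest name match; the owner-filtered selection returns the trusted image, and the audit helper reports the look-alike so existing lookups can be reviewed before a new image is ever launched.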
This misconfiguration can lead to the deployment of compromised EC2 instances, granting attackers remote code execution capabilities. AWS has addressed this issue and recommends that customers implement the new ‘Allowed AMIs’ security control to mitigate this vulnerability.
- Lazarus Group Linked to Marstech1 JavaScript Implant Targeting Developers
The Lazarus Group has been linked to a new JavaScript implant named ‘Marstech1’, used in targeted attacks against developers. Active since December 2024, the malware collects system data, manipulates Chromium browser extensions, specifically targets MetaMask cryptocurrency wallet settings, and downloads additional payloads. Over its lifespan, it has infected at least 233 victims across the U.S., Europe, and Asia.
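Returning to the Salt Typhoon item above, which notes that the group configured GRE tunnels on compromised Cisco devices for persistence and exfiltration: the block below is an added example (written for this digest, not from Cisco or any vendor report) of a defender-side audit that parses a constructed IOS-style running-config and flags tunnel interfaces whose destination is not an approved peer. It assumes standard IOS syntax (`interface TunnelN`, `tunnel source`, `tunnel destination`, `tunnel mode`) with the interface body indented by one space, and that a tunnel with no explicit `tunnel mode` line runs GRE/IP, which is the IOS default; all addresses and names are invented.

```python
import re

# Constructed running-config excerpt in Cisco IOS syntax (all values invented).
SAMPLE_CONFIG = """\
hostname edge-router-1
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
interface Tunnel10
 description site-to-site to branch office (documented)
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.200
!
interface Tunnel200
 ip address 10.250.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
end
"""

# Peers that are supposed to terminate tunnels on this device (constructed).
APPROVED_TUNNEL_PEERS = {"198.51.100.200"}


def parse_tunnels(config_text):
    """Map each 'interface TunnelN' block to its source, destination and mode.
    A tunnel with no explicit 'tunnel mode' line is reported as 'gre ip',
    the IOS default (assumption stated in the lead-in)."""
    tunnels = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"source": None, "destination": None, "mode": "gre ip"}
            continue
        if not line.startswith(" "):
            current = None          # any non-indented line ends the interface block
            continue
        if current is None:
            continue                # indented line of some other interface
        stripped = line.strip()
        if stripped.startswith("tunnel source "):
            tunnels[current]["source"] = stripped.split(" ", 2)[2]
        elif stripped.startswith("tunnel destination "):
            tunnels[current]["destination"] = stripped.split(" ", 2)[2]
        elif stripped.startswith("tunnel mode "):
            tunnels[current]["mode"] = stripped.split(" ", 2)[2]
    return tunnels


def find_unapproved_gre(config_text, approved_peers):
    """Return (tunnel_name, destination) for every GRE tunnel whose destination
    is missing or not on the approved-peer list; these warrant investigation."""
    findings = []
    for name, t in parse_tunnels(config_text).items():
        if not t["mode"].startswith("gre"):
            continue
        if t["destination"] not in approved_peers:
            findings.append((name, t["destination"]))
    return findings


if __name__ == "__main__":
    for name, dest in find_unapproved_gre(SAMPLE_CONFIG, APPROVED_TUNNEL_PEERS):
        print(f"{name}: GRE tunnel to unapproved peer {dest}")
```

Run against exported configs from a device inventory, the approved-peer set is the documented list of tunnel endpoints; any GRE tunnel that falls outside it, or that appears between two config snapshots, is the kind of change the Salt Typhoon activity would produce.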
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available: