This Threat Intelligence Report summarizes significant cyber threats and vulnerabilities observed during the second week of July 2024.
Ransomware
1. ShadowRoot Ransomware Targets Turkish Businesses
Victim: Turkish Businesses
The ransomware arrives through suspicious emails with PDF attachments, likely disguised as invoices, originating from a “.ru” domain. Links embedded in the PDF download a second-stage executable payload when the user interacts with them. It encrypts files and appends the “.shadowroot” extension.
Reference: https://www.forcepoint.com/blog/x-labs/shadowroot-ransomware-targeting-turkish-businesses
2. New Eldorado Ransomware Attacking Windows And Linux Systems
Victim: Windows And Linux Systems
Eldorado, an emerging ransomware-as-a-service (RaaS) operation, offers locker variations for encrypting files on Windows and Linux systems. The ransomware spreads through phishing emails and can target network shares using the Server Message Block (SMB) protocol.
It is written in Golang for cross-platform functionality and encrypts files using a combination of the ChaCha20 and RSA-OAEP encryption algorithms.
Eldorado’s encryptor comes in four formats: esxi, esxi_64, win, and win_64, and its data leak site already lists 16 victims as of June 2024. Thirteen targets are in the United States, two in Italy, and one in Croatia.
Reference:
- https://thehackernews.com/2024/07/new-ransomware-as-service-eldorado.html
- https://gbhackers.com/new-eldorado-ransomware-attacks-windows-linux/
3. Nigerian cloud provider affected in Phobos ransomware attack
Victim: Nigerian cloud service provider
The Nigerian Computer Emergency Response Team (ngCERT) reported a rise in Phobos ransomware attacks targeting the country’s cloud service providers in early July 2024.
ngCERT confirmed that at least one Nigerian cloud provider was compromised by Phobos ransomware, but the specific company name remains undisclosed.
Phobos attackers obtain access to vulnerable networks by sending phishing emails or using IP scanning tools to find vulnerable Remote Desktop Protocol (RDP) ports. When successful, such attacks cause system compromise, ransom payments, data loss, financial losses, and fraudulent behavior, according to ngCERT.
Reference: https://techcabal.com/2024/07/10/cloud-providers-ransomware-attack/
4. ARRL finally confirms ransomware gang stole data in a cyberattack
Victim: American Radio Relay League (ARRL)
Date: July 11, 2024
The American Radio Relay League (ARRL) finally confirmed that some of its employees’ data was stolen in a ransomware attack in May 2024.
In early June, it also revealed that its systems were hacked by a “malicious international cyber group” in a “sophisticated network attack.”
Although ARRL discovered no evidence that the stolen personal information was misused, it decided to provide people affected by the data breach with 24 months of free identity monitoring through Kroll out of “an abundance of caution.”
Reference: https://www.bleepingcomputer.com/news/security/arrl-finally-confirms-ransomware-gang-stole-data-in-cyberattack/
5. Rite Aid confirms data breach after June ransomware attack
Victim: Rite Aid
Pharmacy giant Rite Aid confirmed a data breach after suffering a cyberattack in June, which was claimed by the RansomHub ransomware operation.
While Rite Aid didn’t share what customer data was accessed in the breach or how many individuals were affected, it said that the data breach doesn’t impact health or financial information.
Reference: https://www.bleepingcomputer.com/news/security/rite-aid-confirms-data-breach-after-june-ransomware-attack/
6. American Golf Corporation Hit by MEDUSA Ransomware
Victim: American Golf Corporation (AGC)
Attacker: The MEDUSA ransomware group is believed to be behind the attack on AGC.
The hackers allegedly exfiltrated 154.9 GB of data, including email correspondence, members’ data, orders, full access account credentials (User ID, Passwords, Secret Keys), reports, licenses, passports, and financial data.
Reference: https://thecyberexpress.com/american-golf-corporation-medusa-ransomware/
Vulnerabilities
CVE | Date | Base Score | Description |
---|---|---|---|
CVE-2024-1305 | 07/08/2024 | 9.8 CRITICAL | tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space |
CVE-2024-27903 | 07/08/2024 | 9.8 CRITICAL | OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. |
CVE-2024-3604 | 07/09/2024 | 9.9 CRITICAL | SQL injection vulnerability affecting the OSM – OpenStreetMap plugin for WordPress in versions up to and including 6.0.2. |
CVE-2024-28747 | 07/09/2024 | 9.8 CRITICAL | An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. |
CVE-2024-38074 | 07/09/2024 | 9.8 CRITICAL | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability |
CVE-2024-39872 | 07/09/2024 | 9.8 CRITICAL | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). |
CVE-2024-39171 | 07/09/2024 | 9.8 CRITICAL | Directory traversal in PHPVibe v11.0.46 due to incomplete blacklist checks and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix. |
CVE-2023-38049 | 07/09/2024 | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low-privileged user to fetch, modify, or delete an appointment of any user (including admin). |
CVE-2024-37418 | 07/09/2024 | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Andy Moyle Church Admin allows Upload a Web Shell to a Web Server. This issue affects Church Admin: from n/a through 4.4.6. |
CVE-2024-6611 | 07/09/2024 | 9.8 CRITICAL | A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128. |
CVE-2024-6365 | 07/09/2024 | 9.8 CRITICAL | The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the ‘saveCustomTitle’ function. |
CVE-2024-38077 | 07/09/2024 | 9.8 CRITICAL | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability |
CVE-2024-37424 | 07/09/2024 | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server. This issue affects Newspack Blocks: from n/a through 3.0.8. |
CVE-2024-6606 | 07/09/2024 | 9.8 CRITICAL | Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128. |
CVE-2024-6314 | 07/09/2024 | 9.8 CRITICAL | The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘process_image_upload’ function in versions up to, and including, 2.2.7. |
CVE-2024-37420 | 07/09/2024 | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server. This issue affects Zita Elementor Site Library: from n/a through 1.6.1. |
CVE-2024-6602 | 07/09/2024 | 9.8 CRITICAL | A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13. |
CVE-2024-6313 | 07/09/2024 | 9.8 CRITICAL | The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the ‘upload’ function in versions up to, and including, 2.2.9. |
CVE-2023-38051 | 07/09/2024 | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low-privileged user to fetch, modify, or delete a low-privileged user. |
CVE-2024-37112 | 07/09/2024 | 10.0 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Membership Software WishList Member X. |
CVE-2024-38076 | 07/09/2024 | 9.8 CRITICAL | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability |
CVE-2024-38089 | 07/09/2024 | 9.9 CRITICAL | Microsoft Defender for IoT Elevation of Privilege Vulnerability |
CVE-2024-5488 | 07/09/2024 | 9.8 CRITICAL | The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. |
CVE-2023-48194 | 07/09/2024 | 9.8 CRITICAL | Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp register can be obtained. |
CVE-2023-38055 | 07/09/2024 | 9.6 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low-privileged user to fetch, modify, or delete the services of any user. |
CVE-2024-37555 | 07/09/2024 | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7. |
CVE-2024-28751 | 07/09/2024 | 9.1 CRITICAL | A high-privileged remote attacker can enable telnet access that accepts hardcoded credentials. |
CVE-2024-6422 | 07/09/2024 | 9.8 CRITICAL | An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data. |
CVE-2024-39071 | 07/09/2024 | 9.8 CRITICAL | Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php. |
CVE-2024-4879 | 07/10/2024 | 9.8 CRITICAL | This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. |
CVE-2024-37770 | 07/10/2024 | 9.1 CRITICAL | This vulnerability allows attackers to execute arbitrary commands via a crafted payload. |
CVE-2024-5217 | 07/10/2024 | 9.2 CRITICAL | This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. |
CVE-2024-37310 | 07/10/2024 | 9.0 CRITICAL | EVerest is an EV charging software stack. An integer overflow in the “v2g_incoming_v2gtp” function in the v2g_server.cpp implementation can allow a remote attacker to overflow the process’ heap. This vulnerability is fixed in 2024.3.1 and 2024.6.0. |
CVE-2024-37870 | 07/09/2024 | 9.8 CRITICAL | SQL injection vulnerability in processscore.php in Learning Management System Project In PHP With Source Code 1.0 allows attackers to execute arbitrary SQL commands via the id parameter. |
CVE-2024-40618 | 07/10/2024 | 9.6 CRITICAL | Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension. |
CVE-2024-6397 | 07/11/2024 | 9.8 CRITICAL | This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery. |
CVE-2024-6385 | 07/11/2024 | 9.8 CRITICAL | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. |
CVE-2024-40541 | 07/12/2024 | 9.8 CRITICAL | my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept/build. |
CVE-2024-36435 | 07/11/2024 | 9.8 CRITICAL | A vulnerability in Supermicro BMC firmware for select X11 and X12 models. |
CVE-2024-6328 | 07/12/2024 | 9.8 CRITICAL | The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. |
CVE-2024-37933 | 07/12/2024 | 9.3 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in anhvnit Woocommerce OpenPos. This issue affects Woocommerce OpenPos: from n/a through 6.4.4. |
CVE-2024-37927 | 07/12/2024 | 9.8 CRITICAL | Improper Privilege Management vulnerability in NooTheme Jobmonster allows Privilege Escalation. This issue affects Jobmonster: from n/a through 4.7.0. |
CVE-2024-38736 | 07/12/2024 | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection. |
CVE-2024-39914 | 07/12/2024 | 9.8 CRITICAL | FOG is a cloning/imaging/rescue suite/inventory management system. |