MSP cybersecurity news digest, December 19, 2024

One zero-day vulnerability and 71 flaws addressed in Microsoft’s December 2024 Patch Tuesday

Microsoft’s December 2024 Patch Tuesday addresses 71 vulnerabilities, including one actively exploited zero-day. Sixteen of these flaws are critical remote code execution vulnerabilities, highlighting their severity.

The breakdown includes 27 privilege escalation flaws, 30 remote code execution bugs, seven information disclosure issues, five denial-of-service vulnerabilities and one spoofing flaw.

The zero-day, CVE-2024-49138, is an elevation of privilege flaw in the Windows Common Log File System Driver that allows attackers to gain SYSTEM privileges. No information has been released as to how the flaw was exploited in attacks.

Cleo data theft attacks perpetrated by Clop ransomware

The Clop ransomware gang has claimed responsibility for the recent Cleo data theft attacks, exploiting zero-day vulnerabilities in Cleo’s file transfer platforms (Harmony, VLTrader and LexiCom) to breach corporate networks.

In October, Cleo patched a critical flaw (CVE-2024-50623), but it was discovered later that the fix was incomplete, allowing attackers to bypass it and conduct further data theft. Clop used a Java backdoor to steal data, execute commands, and gain deeper access to compromised networks. While the attacks were initially attributed to a new group named Termite, they mirrored Clop’s methods, and Clop has since claimed responsibility.

Clop has since announced the deletion of older stolen data and will focus only on new breaches from the Cleo attacks. Since 2020, Clop has specialized in exploiting file transfer vulnerabilities, including zero-days in platforms like Accellion, SolarWinds Serv-U and MOVEit Transfer, affecting thousands of organizations. The Cleo breach’s full impact remains unclear, and no companies have publicly confirmed being compromised through it. The U.S. State Department is offering a $10 million reward for information tying Clop to a foreign government.

Manufacturing and IT in Taiwan targeted by resurgent SmokeLoader malware

SmokeLoader malware has re-emerged, targeting manufacturing, healthcare, and IT sectors in Taiwan through phishing emails with malicious Excel attachments.

Known for its modular design, SmokeLoader serves as both a downloader for secondary payloads and a tool for direct attacks via plugins fetched from command-and-control (C2) servers. The malware employs a loader called Ande Loader to exploit old vulnerabilities, decrypt its main module, and inject it into explorer.exe for persistence and C2 communication. Its plugins enable a range of malicious activities, including stealing credentials, cookies, and sensitive data from browsers, email clients and FTP software.

SmokeLoader also supports DDoS attacks and cryptocurrency mining, using advanced evasion techniques like code obfuscation and fake network traffic. Despite significant disruptions like Europol’s Operation Endgame, which dismantled over 1,000 C2 domains, cracked versions of the malware remain active.

Romanian electricity supplier Electrica Group breached by Lynx ransomware

The Romanian National Cybersecurity Directorate (DNSC) confirmed that the Lynx ransomware gang breached Electrica Group, a major electricity supplier in Romania.

Electrica, which serves over 3.8 million customers across Muntenia and Transylvania, is investigating the attack with national authorities and assured that critical systems like SCADA remain unaffected. DNSC provided a YARA script for organizations to detect compromises and strongly advised against paying ransoms.

Lynx ransomware, active since July 2024, has listed over 78 victims, including entities in the energy, oil and gas sectors. Its encryptor appears to be based on the INC Ransom malware, possibly rebranded to avoid law enforcement scrutiny. Electrica has not yet been added to Lynx's data leak site, which may indicate ongoing ransom negotiations.

Chinese attackers maintain remote access by abusing Visual Studio Code tunnels

Chinese attackers targeting large IT providers in Southern Europe have been observed abusing Visual Studio Code (VSCode) tunnels to maintain persistent remote access.

VSCode tunnels, part of Microsoft’s Remote Development feature, allow secure remote access and file system control via Azure infrastructure, using executables signed by Microsoft. Initial access was achieved through SQL injection using 'sqlmap,' followed by deploying the PHPsert webshell for command execution and additional payloads. The attackers then used RDP and pass-the-hash techniques, leveraging a legitimate portable version of VSCode configured with a tunnel parameter to establish persistent backdoors.

Activity was primarily during work hours in China, with no security alerts triggered due to the trustworthiness of Microsoft’s signed executables. While this tactic isn’t entirely new, its use remains rare, raising concerns about broader adoption.
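Because the Microsoft-signed binary itself raises no alerts, detection has to key on how it is launched. As an added example (not code from the digest or from Microsoft), the following Python flags process-creation records that start the VS Code CLI in tunnel mode; the record schema (host, user, utc, cmdline) and the sample events are constructed, while the `code tunnel` and `tunnel service install` subcommands are documented VS Code CLI syntax.

```python
# Added example for this digest (not code from the article or from Microsoft):
# flag process-creation records that launch the VS Code CLI in tunnel mode.
# Record fields (host, user, utc, cmdline) are an assumed normalised schema.
import re
from datetime import datetime, timedelta, timezone

# VS Code CLI images able to open a tunnel; the portable build ships the same binaries.
VSCODE_IMAGES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe", "code-insiders.exe"}
UTC8 = timezone(timedelta(hours=8))  # the digest notes activity during Chinese working hours


def _argv(cmdline):
    """Split on whitespace but keep double-quoted paths (with spaces) as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def tunnel_reason(cmdline):
    """Return why a command line is suspicious, or '' if it is not a tunnel launch.
    CLI syntax is `code [options] tunnel [...]`; `tunnel service install`
    registers the tunnel as a service, i.e. persistence across reboots."""
    argv = _argv(cmdline)
    if not argv:
        return ""
    image = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if image not in VSCODE_IMAGES or not positional or positional[0].lower() != "tunnel":
        return ""
    if [p.lower() for p in positional[1:3]] == ["service", "install"]:
        return "vscode tunnel installed as a service (persistence)"
    return "vscode tunnel started"


def review(events):
    """Return one finding per tunnel launch, noting if it fell in 09:00-18:00 UTC+8."""
    findings = []
    for ev in events:
        reason = tunnel_reason(ev["cmdline"])
        if reason:
            hour = datetime.fromisoformat(ev["utc"]).astimezone(UTC8).hour
            findings.append({"host": ev["host"], "user": ev["user"], "reason": reason,
                             "utc8_work_hours": 9 <= hour < 18})
    return findings


# Constructed sample records, not real telemetry: two tunnel launches and one normal editor start.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "svc_web", "utc": "2024-12-10T02:15:00+00:00",
     "cmdline": r'"C:\Users\Public\vscode\code.exe" tunnel --accept-server-license-terms --name web01'},
    {"host": "web01", "user": "svc_web", "utc": "2024-12-10T02:20:00+00:00",
     "cmdline": r"C:\Users\Public\vscode\code.exe tunnel service install"},
    {"host": "dev07", "user": "alice", "utc": "2024-12-10T09:30:00+00:00",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
]
```

Running `review(SAMPLE_EVENTS)` yields two findings for web01 (the second marked as service persistence), both inside UTC+8 working hours, and nothing for the ordinary editor launch on dev07.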