Critical Vulnerability in Telerik Report Server Poses Remote Code Execution Risk
Overview
Progress Software has issued a critical alert for users of its Telerik Report Server after identifying a significant security flaw, tracked as CVE-2024-6327. It carries a CVSS score of 9.9, which places it in the critical range. The affected versions are Telerik Report Server 2024 Q2 (10.1.24.514) and earlier.
Impact
The vulnerability stems from an insecure deserialization issue. Deserialization flaws arise when an application reconstructs objects from data controlled by an attacker without validating it, which can let the attacker run commands of their choosing. In this case the flaw could allow a malicious actor to execute code remotely on affected systems, so it poses a severe risk to the integrity of the impacted servers.
Recommendation
Progress Software has now addressed the vulnerability. The alert came shortly after the company resolved another critical vulnerability, CVE-2024-4358, in the same product.
Users should update to the latest version to mitigate the risk. If patching cannot be done immediately, an interim measure is to change the identity of the Report Server Application Pool to a user with limited permissions, which constrains what a successful exploit could do on the host.
To determine if your server is vulnerable, follow these steps:
- Access the Report Server web UI and log in with an admin account.
- Navigate to the Configuration page (~/Configuration/Index).
- Select the About tab; the version number is shown on the right.
North Korean Hackers Shift Focus to Ransomware Attacks
Overview
A significant shift has occurred in the activities of a North Korean-linked threat actor that was previously known for cyber espionage: it has moved towards financially motivated ransomware attacks. The group, now tracked as APT45, has expanded its operations to include the deployment of ransomware. This development sets it apart from other nation-state hacking groups linked to North Korea.
Impact
APT45 is a long-standing, moderately sophisticated cyber operator. It has been active since 2009 and initially focused on espionage. It has since targeted critical infrastructure, and its activities have evolved to include financially motivated cybercrime. It is linked to the deployment of ransomware families such as SHATTEREDGLASS and Maui, which have hit entities in South Korea, Japan and the United States, among others, in recent years. The shift in its operations suggests that APT45 may be generating funds to support North Korean state priorities.
The group also employs a backdoor known as Dtrack. It was notably used in an attack on the Kudankulam Nuclear Power Plant in India in 2019, a publicly known instance of North Korean actors targeting critical infrastructure.
Recommendation
Organizations should strengthen their defences against the evolving threat from APT45. This includes robust vetting of new hires, continuous security monitoring, and closer coordination between HR and security teams. Adopting these recommended practices is crucial to mitigating the risks described above.
U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals
Overview
On July 26, 2024, the U.S. Department of Justice (DoJ) charged North Korean operative Rim Jong Hyok with organizing ransomware attacks on U.S. healthcare facilities. The proceeds were allegedly used to finance further cyber attacks on defense, technology and government targets worldwide.
Impact
The Andariel hacking group carried out ransomware attacks on U.S. hospitals and healthcare companies using a strain called Maui, first identified in 2022. These attacks disrupted critical services, and the proceeds were laundered through Hong Kong intermediaries and converted to Chinese yuan, which was then used to buy virtual private servers (VPSs) for further intrusions. Their targets included U.S. Air Force bases, the NASA Office of Inspector General (NASA-OIG), South Korean and Taiwanese defense contractors, and a Chinese energy company. One major incident involved the theft of over 30 GB of sensitive data from a U.S. defense contractor.
Recommendation
The indictment of Rim Jong Hyok highlights the persistent and evolving threat posed by North Korean cyber actors. Recommended actions:
- Implement Cyber Hygiene Practices
- Update Security Protocols
- Enhance Vetting Processes
- Compliance with Advisory Guidelines
Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining
Overview
An active campaign is exploiting internet-exposed Selenium Grid services for illicit cryptocurrency mining. Dubbed SeleniumGreed, it targets outdated versions of Selenium (3.141.59 and earlier). Selenium Grid is part of the Selenium automated testing framework and enables parallel test execution across multiple machines and browsers.
Impact
By default, the Selenium WebDriver API does not require authentication, so anyone who can reach a misconfigured, publicly exposed instance can drive it. Attackers are abusing this to run malicious code on the host.
The campaign sends the exposed Selenium Grid hub a request that makes it execute a Python program carrying a Base64-encoded payload. The payload opens a reverse shell to an attacker-controlled server and then runs a modified version of the XMRig cryptocurrency miner. The miner is configured dynamically so that it only communicates with servers controlled by the threat actor.
Recommendation
✔ Update Selenium to a supported release
✔ Enable authentication in front of the Grid
✔ Restrict access with appropriate firewall rules
✔ Regularly monitor network traffic
✔ Scan for exposed instances
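The Python script below is an added example written for this digest; it is not code from the original report nor from the Selenium project. It covers the two things the Impact paragraphs and the "scan for exposed instances" item call for: deciding from a hub's status reply whether it runs 3.141.59 or earlier, and inspecting a New Session request for the pattern described above (browser binary swapped for a Python interpreter, arguments carrying a Base64 payload). Two assumptions are marked in the code: the Selenium 3 hub status layout (value.build.version), and that the abused fields are the standard goog:chromeOptions binary/args capabilities, which the report itself does not spell out. The sample status reply and requests are constructed, not captured.

```python
"""Checks for the SeleniumGreed pattern: hub version and New Session inspection.

Added example, not code from the original report or the Selenium project.
Assumptions (also noted in the comments below):
  * A Selenium 3 hub's /wd/hub/status reply carries the build version at
    value.build.version; other layouts are reported as unknown, not vulnerable.
  * The abused request fields are the standard WebDriver New Session capability
    goog:chromeOptions (binary + args). The report only states that the hub is
    made to run a Python program with a Base64 payload, so the exact field is an
    assumption of this example.
"""
import json
import re

MAX_VULNERABLE = (3, 141, 59)  # 3.141.59 and earlier, per the report

# A browser "binary" override must never point at an interpreter or shell.
NON_BROWSER_BINARIES = re.compile(
    r"(^|/)(python[0-9.]*|sh|bash|dash|zsh|perl|ruby|node|nc|ncat|curl|wget)$")
BASE64_HINT = re.compile(r"base64|b64decode", re.IGNORECASE)


def parse_version(text):
    """'3.141.59' -> (3, 141, 59); None when the string is not a dotted version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """True for 3.141.59 and earlier; unknown versions are not flagged."""
    v = parse_version(version)
    return v is not None and v <= MAX_VULNERABLE


def hub_version_from_status(status_json):
    """Extract value.build.version from a status reply (Selenium 3 hub layout assumed)."""
    try:
        return json.loads(status_json)["value"]["build"]["version"]
    except (KeyError, TypeError, ValueError):
        return None


def _capability_sets(body):
    """Yield every capabilities dict in a New Session body (legacy and W3C shapes)."""
    if isinstance(body.get("desiredCapabilities"), dict):
        yield body["desiredCapabilities"]
    w3c = body.get("capabilities") or {}
    if isinstance(w3c.get("alwaysMatch"), dict):
        yield w3c["alwaysMatch"]
    for first in w3c.get("firstMatch") or []:
        if isinstance(first, dict):
            yield first


def inspect_new_session(body):
    """Return findings for a POST /wd/hub/session body; an empty list means nothing suspicious."""
    findings = []
    for caps in _capability_sets(body):
        for key in ("goog:chromeOptions", "moz:firefoxOptions"):
            opts = caps.get(key) or {}
            binary = str(opts.get("binary") or "")
            if binary and NON_BROWSER_BINARIES.search(binary):
                findings.append(f"{key}.binary points at a non-browser executable: {binary}")
            args = [str(a) for a in (opts.get("args") or [])]
            if "-c" in args or BASE64_HINT.search(" ".join(args)):
                findings.append(f"{key}.args carries inline code or Base64 decoding: {args}")
    return findings


def check_hub(base_url, timeout=5):
    """Live probe (needs network): fetch /wd/hub/status and classify the hub version."""
    import urllib.request
    url = base_url.rstrip("/") + "/wd/hub/status"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = hub_version_from_status(resp.read().decode("utf-8", "replace"))
    return version, is_vulnerable_version(version)


# Constructed samples (not real captures) in the shape the report describes.
SAMPLE_STATUS = json.dumps(
    {"status": 0, "value": {"ready": True, "message": "Hub has capacity",
                            "build": {"version": "3.141.59"}}})
SAMPLE_MALICIOUS_REQUEST = {"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {
        "binary": "/usr/bin/python3",  # interpreter in place of a browser
        "args": ["-c", "import base64,os;os.system(base64.b64decode('ZWNobyBoaQ==').decode())"],
    }}}}
SAMPLE_BENIGN_REQUEST = {"desiredCapabilities": {
    "browserName": "chrome",
    "goog:chromeOptions": {"args": ["--headless", "--no-sandbox"]}}}

if __name__ == "__main__":
    version = hub_version_from_status(SAMPLE_STATUS)
    print(f"hub version {version}: vulnerable={is_vulnerable_version(version)}")
    for name, req in (("malicious", SAMPLE_MALICIOUS_REQUEST), ("benign", SAMPLE_BENIGN_REQUEST)):
        print(name, inspect_new_session(req) or "no findings")
```

Run as a script it classifies the constructed samples; check_hub() is the only function that touches the network, and only hubs you own should be probed with it. A non-empty result from inspect_new_session() is a reason to drop the request at a reverse proxy in front of the hub and raise an alert, since a legitimate test never needs to replace the browser binary with an interpreter.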
CrowdStrike Warns of New Phishing Scam Targeting German Customers
Overview
This campaign exploits the recent Falcon Sensor update incident to distribute malicious installers. On July 24, 2024, CrowdStrike's team identified a spear-phishing attempt involving a fake CrowdStrike Crash Reporter installer.
Impact
The phishing campaign uses an imposter website created on July 20, just a day after the Falcon Sensor update caused a major IT outage. The site serves JavaScript disguised as jQuery v3.7.1 that downloads a malicious installer carrying CrowdStrike branding and German localization. The installer asks for a password to proceed, which makes it look more credible.
Once users click the download button, they receive a ZIP archive containing a malicious InnoSetup installer. The installer bundles a JavaScript file, "jquery-3.7.1.min.js", that helps it evade detection. Users who launch the bogus installer are prompted to enter a "Backend-Server" to continue. So far, CrowdStrike has not been able to identify the final payload.
The campaign's focus on German-speaking users and its use of anti-forensic techniques, such as registering a subdomain under the it[.]com domain and encrypting the installer contents, indicate a sophisticated operation.
Recommendation
To protect against this phishing scam, CrowdStrike recommends the following actions:
- Verify authenticity.
- Enable anti-phishing tools.
- Conduct regular training sessions to educate users.
- Be vigilant about unexpected requests for software downloads.
- Encourage users to report any suspicious activity.