Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Critical Flaw Discovered in BeyondTrust PRA and Remote Support Tools
BeyondTrust has disclosed a critical command injection vulnerability, tracked as CVE-2024-12356 (CVSS 9.8), in its Privileged Remote Access (PRA) and Remote Support (RS) products. An unauthenticated remote attacker can send a specially crafted client request that causes operating system commands to run in the context of the site user. The flaw affects RS and PRA versions 24.3.1 and earlier. BeyondTrust applied the fix to its cloud-hosted instances and released patches for self-hosted deployments, and CISA has since added the CVE to its Known Exploited Vulnerabilities catalog, so self-hosted customers should verify that the patch is actually installed rather than assume it.
The vulnerability was uncovered during a forensic investigation into a security incident in which a limited number of customers' Remote Support SaaS instances were accessed without authorization. BeyondTrust determined that an API key for Remote Support SaaS had been compromised; it revoked the key, notified the affected customers, and suspended the affected instances while providing them with replacements. Because SaaS instances are patched by the vendor, the remaining exposure sits mainly with self-hosted deployments still running 24.3.1 or earlier.
Critical Apache Struts 2 Vulnerability Exploited in the Wild
Researchers have identified a critical vulnerability in Apache Struts 2, tracked as CVE-2024-53677 (CVSS 9.5), that is being exploited in the wild. The flaw lies in the framework's legacy file upload logic: by manipulating file upload parameters an attacker controls where an uploaded file is written, which allows path traversal out of the intended upload directory and placement of a malicious file where the server will execute it, resulting in remote code execution.
In observed exploitation the technique is used to drop web shells, which then serve as a foothold for command execution and data theft. The issue appears to be a resurgence of the previously patched CVE-2023-50164, suggesting the earlier fix was incomplete. Affected versions are Struts 2.0.0 through 2.3.37 (end of life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2. Upgrading to Struts 6.4.0 or later is necessary but not sufficient: applications must also migrate from the deprecated FileUploadInterceptor to the Action File Upload mechanism, otherwise the vulnerable code path remains in use.
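The bug class above is independent of the framework, so the following added example (not code from this page or from the Apache Struts project, and written in Python rather than Java for brevity) shows the vulnerable pattern beside a hardened upload handler and a log-side triage check. The allow-list, the scratch directory layout and the attacker-supplied file name are constructed for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

ALLOWED_EXT = {".png", ".jpg", ".pdf", ".txt"}   # hypothetical allow-list for this example


def vulnerable_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """The bug class: the client-supplied name is joined onto the upload directory
    unchanged, so '../webapps/ROOT/shell.jsp' is written outside that directory."""
    dest = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def hardened_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """The server chooses the stored name; the client name contributes only an
    allow-listed extension. A containment check remains as a guard against regressions."""
    root = Path(upload_root).resolve()
    ext = Path(client_filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    dest = (root / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != root:                      # cannot trigger with a random name; kept deliberately
        raise ValueError("resolved path escapes upload root")
    with open(dest, "wb") as fh:
        fh.write(data)
    return str(dest)


def is_traversal_attempt(client_filename: str) -> bool:
    """Log- or WAF-side triage: a bare file name must not carry separators, '..' segments or NULs."""
    name = client_filename.replace("\\", "/")
    return "\x00" in name or "/" in name or ".." in name.split("/")


def demo(base_dir: str) -> dict:
    """Run both handlers under a scratch directory and report what each did."""
    root = os.path.join(base_dir, "uploads")
    os.makedirs(root, exist_ok=True)
    hostile = "../webapps/ROOT/shell.jsp"           # constructed attacker-controlled name
    escaped = vulnerable_save(root, hostile, b"<%-- web shell placeholder --%>")
    try:
        hardened_save(root, hostile, b"<%-- web shell placeholder --%>")
        blocked = False
    except ValueError:
        blocked = True
    safe = hardened_save(root, "../evil.png", b"\x89PNG")
    real_root = os.path.realpath(root)
    return {
        "vulnerable_wrote_outside_root": not os.path.realpath(escaped).startswith(real_root + os.sep),
        "shell_landed_in_webroot": os.path.exists(os.path.join(base_dir, "webapps", "ROOT", "shell.jsp")),
        "hardened_blocked_jsp": blocked,
        "hardened_kept_inside_root": os.path.dirname(safe) == real_root,
        "triage_flags_hostile_name": is_traversal_attempt(hostile),
        "triage_clears_benign_name": not is_traversal_attempt("report.pdf"),
    }


def demo_in_scratch() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    for check, ok in demo_in_scratch().items():
        print(f"{check}: {ok}")
```

The hardened handler never lets the client pick a path component at all; rejecting `..` is the triage signal, not the fix, because encoded or platform-specific separators keep finding ways past string filters.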
Vishing Campaign Leads to DarkGate Malware Deployment
A recent campaign shows attackers using voice phishing (vishing) as their initial access vector. Posing as an employee of an external supplier during a Microsoft Teams call, the attacker talked the victim into installing remote access software, which was then used to deploy the DarkGate malware. The chain pairs social engineering with a multi-stage loader, so neither the call nor any single dropped file looks conclusive on its own.
The victim was instructed to download and install the remote desktop application AnyDesk. Once running, AnyDesk was configured as a local service, giving the attacker elevated privileges and unattended, persistent access. AnyDesk.exe then dropped and executed SystemCert.exe, which in turn wrote and launched two further files: script.a3x (a compiled AutoIt script) and AutoIt3.exe (the AutoIt interpreter).
AutoIt3.exe executed script.a3x, which injected its payload into MicrosoftEdgeUpdateCore.exe. That process established a connection to a Command-and-Control (C&C) server at 179.60.149[.]194:80. A VBScript was then executed via cscript.exe, culminating in the deployment of the DarkGate payload.
DarkGate is usually distributed through phishing emails, malvertising and SEO poisoning; here vishing replaced all of those. The same playbook has been seen before, for example abusing Microsoft Quick Assist to gain remote access and stage ransomware. Defenders should treat an unsanctioned remote access tool appearing on an endpoint as a strong signal: allow-list the one tool the help desk actually uses, block or alert on the rest, and make clear to staff that legitimate support will not ask them to install a new remote tool during a call.
Sophos Firewall Update Patching Critical and High-Risk Vulnerabilities
Sophos has remediated three independent vulnerabilities in Sophos Firewall that could allow an unauthenticated attacker to perform SQL injection leading to remote code execution (RCE), an unauthenticated attacker to log in over SSH, and an authenticated user to achieve RCE.
The first, CVE-2024-12727 (CVSS 9.8), is a pre-authentication SQL injection in the email protection feature that can lead to remote code execution when Secure PDF eXchange (SPX) is enabled and the firewall is running in High Availability (HA) mode.
The second, CVE-2024-12728 (CVSS 9.8), is a weak-credential issue in HA cluster initialization: the non-random SSH login passphrase suggested during the HA setup process remains active after the cluster is established, so an attacker who can reach SSH could authenticate to a privileged account with a guessable credential.
The third, CVE-2024-12729 (CVSS 8.8), is a post-authentication code injection in the User Portal that allows an authenticated user to gain remote code execution. Sophos published hotfixes for affected versions, applied automatically where the "Allow automatic installation of hotfixes" setting is enabled, and its advisory additionally recommends restricting SSH to the dedicated HA link and disabling SSH access from the WAN, which also limits exposure to CVE-2024-12728 on devices that have not yet received the hotfix.
European Enterprises Targeted in Sophisticated Phishing Campaign
A phishing campaign has been identified targeting European companies with the aim of harvesting Microsoft Azure credentials and taking over their cloud environments. The lures rely on urgency and impersonation of trusted services, and roughly 20,000 users were targeted, which indicates an operation run at scale rather than a handful of hand-picked victims.
The campaign, active since mid-2024, used a multi-stage chain that starts with phishing emails carrying either a malicious PDF attachment or an embedded HTML link. Both lead to credential-harvesting forms hosted on legitimate third-party services and styled to mimic trusted platforms. With valid credentials in hand, the attackers signed in to the victims' Microsoft Azure environments and established persistence by registering their own devices to the compromised accounts. They then worked to lock out the legitimate owner and survive remediation, for example by changing the account password themselves and by connecting through VPN exit points in the victim's own region so that sign-ins did not trip location-based anomaly rules.
The operators spoofed email authentication to get past inbound filtering and reused the same hosting and sending infrastructure across targets, which kept the operation cheap to scale while still aiming at specific organizations. Practically, this means an incident response that stops at a password reset is insufficient: registered devices, refresh tokens and active sessions all need to be revoked as well.
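Because the attackers deliberately defeat geo-based rules by masking their location, per-user IP novelty combined with the persistence actions described above is a more reliable signal than impossible-travel alone. The following is an added example, not a query or tool from this page or from Microsoft: a detection run over constructed Entra ID sign-in and audit records (the activity names are the assumed audit display names, and every user, address and timestamp is made up) that flags a successful sign-in from an address the user has never used when it is followed within an hour by a device registration or password change.

```python
from collections import defaultdict

# Assumed Entra ID audit activity display names for the persistence/lockout steps
RISKY_ACTIVITIES = {"Register device", "Add registered owner to device",
                    "Reset user password", "Change user password"}


def baseline_ips(events, baseline_end):
    """Successful sign-in addresses per user seen before `baseline_end` (the learning period)."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "signin" and e["result"] == "success" and e["ts"] < baseline_end:
            seen[e["user"]].add(e["ip"])
    return seen


def find_takeovers(events, baseline_end, window=3600):
    """Flag a success from an address unseen in the baseline that is followed, within
    `window` seconds, by a device registration or password change for the same user."""
    seen = baseline_ips(events, baseline_end)
    recent = sorted((e for e in events if e["ts"] >= baseline_end), key=lambda e: e["ts"])
    alerts = []
    for i, s in enumerate(recent):
        if s["type"] != "signin" or s["result"] != "success" or s["ip"] in seen[s["user"]]:
            continue
        followups = [a for a in recent[i + 1:]
                     if a["type"] == "audit" and a["user"] == s["user"]
                     and a["activity"] in RISKY_ACTIVITIES and a["ts"] - s["ts"] <= window]
        if followups:
            alerts.append({"user": s["user"], "new_ip": s["ip"], "signin_ts": s["ts"],
                           "activities": [a["activity"] for a in followups]})
    return alerts


BASELINE_END = 1_000_000
SAMPLE_EVENTS = [   # constructed records, not real tenant data
    {"ts": 900_000, "user": "alice@example.com", "type": "signin", "ip": "203.0.113.10", "result": "success"},
    {"ts": 950_000, "user": "bob@example.com", "type": "signin", "ip": "203.0.113.44", "result": "success"},
    # victim: first success from an unseen address (attacker VPN exit in the victim's region),
    # then a device registration and a password change from the same address
    {"ts": 1_000_100, "user": "alice@example.com", "type": "signin", "ip": "198.51.100.77", "result": "success"},
    {"ts": 1_000_700, "user": "alice@example.com", "type": "audit", "activity": "Register device", "ip": "198.51.100.77"},
    {"ts": 1_001_200, "user": "alice@example.com", "type": "audit", "activity": "Change user password", "ip": "198.51.100.77"},
    # bob re-enrols a laptop from his usual address: no alert
    {"ts": 1_000_300, "user": "bob@example.com", "type": "signin", "ip": "203.0.113.44", "result": "success"},
    {"ts": 1_000_400, "user": "bob@example.com", "type": "audit", "activity": "Register device", "ip": "203.0.113.44"},
    # failed attempt from a new address with no follow-up: no alert
    {"ts": 1_002_000, "user": "carol@example.com", "type": "signin", "ip": "192.0.2.9", "result": "failure"},
]


def detect_sample():
    return find_takeovers(SAMPLE_EVENTS, BASELINE_END)


if __name__ == "__main__":
    for a in detect_sample():
        print(a)
```

The rule still misses an attacker who tunnels through the victim's own ISP or home network, so it should sit alongside conditional access policies that require a compliant device for device registration and an automated response that revokes sessions and registered devices, not just the password, when it fires.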
Highly Sophisticated PUMAKIT Rootkit Exploits Linux Kernel for Persistence
PUMAKIT is a loadable kernel module (LKM) rootkit with strong stealth and persistence capabilities, and a serious threat to Linux environments. The multi-stage malware uses a layered architecture: a dropper, memory-resident executables, the LKM rootkit itself and a userland rootkit, each layer working to avoid detection and keep control. By hooking system calls and internal kernel functions, PUMAKIT escalates privileges, conceals its own presence and maintains covert communication with command-and-control (C&C) servers. It does this by abusing legitimate kernel mechanisms rather than a kernel vulnerability, which is what makes it hard to spot from inside the compromised host.
The infection chain begins with a dropper disguised as a legitimate process, which stages memory-resident executables so that payloads run without being written to disk. A loader script checks whether the host meets the rootkit's conditions before anything is loaded, including extracting the kernel image to confirm that the kernel version and the symbols it depends on are present. The LKM rootkit then resolves the kernel symbols it needs and installs function hooks to alter core behaviour, hiding files, processes and directories. Rather than adding a new interface, it repurposes an existing one: the rmdir() system call is hooked so that specially crafted arguments grant privilege escalation to the attacker's process, and the same hooking framework is used to keep the rootkit's own artefacts out of view.
The rootkit's system call interception extends to hiding directories, and its kernel hooks provide further manipulation of kernel state. A companion userland shared object (SO) rootkit, loaded into processes from user space, adds a second layer of concealment and persistence, so removing the kernel module alone does not fully clean the host.
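When hunting for an LKM rootkit that hides itself, two host-side cross-checks are worth running: comparing the module list the kernel reports in /proc/modules against the per-module directories in /sys/module, and reading tracefs's enabled_functions, which lists every kernel function that currently has an ftrace callback attached. The following is an added example, not tooling from this page or from the researchers who analysed PUMAKIT. The file contents it parses are constructed snapshots (the module name rk_demo and the hooked functions are illustrative, and the enabled_functions line layout varies between kernel versions, so only the first column is relied upon); the snapshot_from_host() helper reads the real files on a Linux host.

```python
import os

SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")


def parse_proc_modules(text):
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_modules_from_sysfs(entries):
    """`entries` maps each /sys/module/<name> to the names of its children. Only a
    loadable module exposes an 'initstate' file; built-in ones do not."""
    return {name for name, children in entries.items() if "initstate" in children}


def hidden_modules(proc_modules_text, sysfs_entries):
    """Loadable modules present in sysfs but unlinked from the list /proc/modules shows."""
    return sorted(loaded_modules_from_sysfs(sysfs_entries) - parse_proc_modules(proc_modules_text))


def hooked_syscalls(enabled_functions_text):
    """Syscall entry points that currently carry an ftrace ops. On an idle host this
    file is normally empty, so any entry here deserves explanation."""
    found = set()
    for line in enabled_functions_text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith(SYSCALL_PREFIXES):
            found.add(parts[0])
    return sorted(found)


def run_checks(proc_modules_text, sysfs_entries, enabled_functions_text):
    return {"hidden_modules": hidden_modules(proc_modules_text, sysfs_entries),
            "hooked_syscalls": hooked_syscalls(enabled_functions_text)}


def snapshot_from_host():
    """Read the real files (Linux, root, tracefs mounted). Not exercised by the sample below."""
    with open("/proc/modules") as fh:
        proc = fh.read()
    sysfs = {n: set(os.listdir(os.path.join("/sys/module", n))) for n in os.listdir("/sys/module")}
    enabled = ""
    for path in ("/sys/kernel/tracing/enabled_functions", "/sys/kernel/debug/tracing/enabled_functions"):
        if os.path.exists(path):
            with open(path) as fh:
                enabled = fh.read()
            break
    return proc, sysfs, enabled


# Constructed snapshots: three ordinary modules, one built-in entry, one hidden module
SAMPLE_PROC_MODULES = """xt_conntrack 16384 1 - Live 0xffffffffc0a1e000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09f0000
ext4 782336 1 - Live 0xffffffffc0890000
"""
SAMPLE_SYSFS = {
    "xt_conntrack": {"initstate", "refcnt", "sections", "holders"},
    "nf_conntrack": {"initstate", "refcnt", "sections", "holders", "parameters"},
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},                                  # built-in, never in /proc/modules
    "rk_demo": {"initstate", "refcnt", "sections", "holders"}, # loaded but hidden from the module list
}
SAMPLE_ENABLED_FUNCTIONS = (
    "__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc0b0c000 (0xffffffffc0b0a1f0) ->ftrace_ops_list_func+0x0/0x180\n"
    "__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc0b0c000 (0xffffffffc0b0a1f0) ->ftrace_ops_list_func+0x0/0x180\n"
    "vfs_read (1) R I\ttramp: 0xffffffffc0b0c000 (0xffffffffc0b0a1f0) ->ftrace_ops_list_func+0x0/0x180\n"
)


def check_sample():
    return run_checks(SAMPLE_PROC_MODULES, SAMPLE_SYSFS, SAMPLE_ENABLED_FUNCTIONS)


if __name__ == "__main__":
    print(check_sample())
```

Both checks are only as trustworthy as the kernel answering them: a rootkit that already hooks directory listing and file reads can filter sysfs and tracefs as easily as /proc/modules, so treat an empty result as "nothing visible from here" and confirm with a memory image or a boot from known-good media before declaring a host clean.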