Massive cyberattack strikes 600K routers in the U.S.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. FlyingYeti abuses WinRAR flaw to distribute COOKBOX malware

A Russia-aligned group, FlyingYeti, targeted Ukraine with a phishing campaign that exploited fears of housing and utility loss using debt-themed lures. The attack, observed in mid-April 2024, deployed the PowerShell malware COOKBOX via malicious files linked to a GitHub page impersonating Kyiv Komunalka.

The campaign exploited the WinRAR vulnerability CVE-2023-38831, using Cloudflare Workers to process HTTP requests before executing the malware. Once the RAR file was opened, COOKBOX established a presence on the device and communicated with the command-and-control domain postdock[.]serveftp[.]com. To mitigate such threats, users should be educated about phishing, keep software updated, implement advanced email filtering, use browser isolation, and deploy robust endpoint protection.

2. Large-scale cyber-attack bricks over 600,000 routers in the U.S.

A devastating cyber-attack, codenamed Pumpkin Eclipse, disabled over 600,000 small office/home office (SOHO) routers, primarily targeting ActionTec T3200, ActionTec T3260, and Sagemcom models provided by a U.S. internet service provider (ISP), suspected to be Windstream.

The method of initial access remains unclear, but weak credentials or exposed administrative interfaces are suspected. The attackers leveraged Lua scripts to deploy the destructive payload, marking an unprecedented event in router sabotage, emphasizing the importance of router security measures such as strong passwords, firmware updates, network segmentation, security audits, and intrusion detection and prevention systems (IDS/IPS).

3. Zero-day vulnerability in Check Point’s VPN Gateway actively exploited

CVE-2024-24919 is a critical vulnerability affecting Check Point Quantum Security Gateways’ VPN functionalities, exploited as a zero-day with incidents involving Active Directory credential theft. The flaw allows unauthorized information disclosure through a directory traversal flaw in HTTP POST requests, enabling access to sensitive files like /etc/shadow.

Check Point has released hotfixes for affected versions, including R81.20, R81.10, R81, R80.40, and additional updates for End-of-Life versions. Recommendations include applying the latest security updates, changing LDAP Account Unit passwords, resetting passwords for local accounts using password-only authentication, preventing such accounts from VPN access, and renewing server certificates for HTTPS Inspection to prevent interception or spoofing.

4. TargetCompany ransomware’s Linux variant targets VMware ESXi systems

A new Linux variant of the TargetCompany ransomware family has emerged, targeting VMware ESXi environments by leveraging a custom shell script to deliver and execute its payloads. Initially known for attacking databases, the ransomware group shifted focus to encrypting ESXi machines, with the new variant ensuring administrative privileges before proceeding.

The ransomware encrypts files with VM-related extensions and exfiltrates critical victim information to command-and-control servers. Recommendations include implementing multi-factor authentication (MFA), maintaining regular backups, keeping systems updated, segmenting networks, and monitoring system logs for suspicious activities.

5. Zyxel releases urgent patch for remote code execution in end-of-life NAS devices

Zyxel Networks has issued an emergency security update for older NAS devices that have reached end-of-life, addressing three critical vulnerabilities that could lead to command injection and remote code execution. While the company fixed these flaws, two vulnerabilities enabling privilege escalation and information disclosure remain unaddressed in the end-of-life products.

The vulnerabilities include command injection flaws in CGI programs and a remote code execution bug in the file_upload-cgi program. Zyxel provided patched versions for affected NAS models but cautioned owners to apply the updates promptly due to the availability of public proof-of-concept exploits.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.