ZeroDay – INDIA NEWS (http://www.indiavpn.org)

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
http://www.indiavpn.org/2024/04/13/hackers-deploy-python-backdoor-in-palo-alto-zero-day-attack/
Sat, 13 Apr 2024 09:30:36 +0000

Apr 13, 2024 | Newsroom


Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday.

The network security company’s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of unknown provenance.

The security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall.

It’s worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and device telemetry enabled.

Operation MidnightEclipse entails the exploitation of the flaw to create a cron job that runs every minute to fetch commands hosted on an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”), which are then executed using the bash shell.

The attackers are said to have manually managed an access control list (ACL) for the command-and-control (C2) server to ensure that it can only be accessed from the device communicating with it.


While the exact nature of the command is unknown, it’s suspected that the URL serves as a delivery vehicle for a Python-based backdoor on the firewall that Volexity – which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024 – is tracking as UPSTYLE and is hosted on a different server (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).

The Python file is designed to write and launch another Python script (“system.pth”), which subsequently decodes and runs the embedded backdoor component that’s responsible for executing the threat actor’s commands in a file called “sslvpn_ngx_error.log.” The results of the operation are written to a separate file named “bootstrap.min.css.”

The most interesting aspect of the attack chain is that both the files used to extract the commands and write the results are legitimate files associated with the firewall –

  • /var/log/pan/sslvpn_ngx_error.log
  • /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

As for how the commands are written to the web server error log, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for the line matching the same regular expression (“img\[([a-zA-Z0-9+/=]+)\]”) to decode and run the command within it.

“The script will then create another thread that runs a function called restore,” Unit 42 said. “The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.”


The main goal appears to be to avoid leaving traces of the command outputs, necessitating that the results are exfiltrated within 15 seconds before the file is overwritten.
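As an added example (not code from the original article, Unit 42 or Volexity), the following Python helper shows how a defender can triage saved copies of the two files named above: it scans the web server error log for the img[...] marker and decodes any base64 payload, and compares bootstrap.min.css against a known-good hash. The log lines and the encoded payload are constructed for the demonstration.

```python
"""Defensive triage helper for the UPSTYLE tasking channel described above.

The backdoor reads commands from error-log lines matching img[<base64>] and
writes results into bootstrap.min.css, restoring that file about 15 seconds
later. This script scans saved copies of those files offline. The sample
inputs are constructed here, not taken from a real device.
"""
import base64
import binascii
import hashlib
import re

# Regular expression quoted in the Unit 42 write-up of the UPSTYLE backdoor.
UPSTYLE_MARKER = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Paths named in the write-up; used only for reporting.
ERROR_LOG = "/var/log/pan/sslvpn_ngx_error.log"
RESULT_FILE = "/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css"


def scan_error_log(lines):
    """Return one record per log line carrying the img[...] tasking marker.

    Each record is (line_number, raw_base64, decoded_text_or_None). A marker
    whose payload is not valid base64 is still reported, because the pattern
    itself is the indicator; decoding is only an aid to the analyst.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in UPSTYLE_MARKER.finditer(line):
            blob = match.group(1)
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None
            hits.append((number, blob, decoded))
    return hits


def css_differs_from_baseline(current_bytes, baseline_sha256):
    """True if the served bootstrap.min.css no longer matches a known-good hash.

    Because UPSTYLE restores the file (content and timestamps) after roughly
    15 seconds, a single check can miss the window; run it repeatedly or
    compare against a copy taken from a clean appliance of the same version.
    """
    return hashlib.sha256(current_bytes).hexdigest() != baseline_sha256


# Constructed sample data (not real log content): a harmless payload is encoded
# so the decoder path can be shown without a real attacker command.
_SAMPLE_PAYLOAD = base64.b64encode(b"echo constructed-test").decode()
SAMPLE_LOG_LINES = [
    '2024/04/11 10:02:13 [error] 123#0: *1 open() "/var/appweb/sslvpndocs/global-protect/portal/index.html" failed (2: No such file or directory), client: 198.51.100.7',
    '2024/04/11 10:02:14 [error] 123#0: *2 open() "/var/appweb/sslvpndocs/img[' + _SAMPLE_PAYLOAD + ']" failed (2: No such file or directory), client: 198.51.100.7',
    '2024/04/11 10:02:15 [error] 123#0: *3 open() "/var/appweb/sslvpndocs/img[abc]" failed (2: No such file or directory), client: 198.51.100.7',
]


def report(lines=SAMPLE_LOG_LINES):
    """Print a short analyst-facing summary and return the hit list."""
    hits = scan_error_log(lines)
    for number, blob, decoded in hits:
        shown = decoded if decoded is not None else "<undecodable base64>"
        print(f"{ERROR_LOG}:{number}: marker {blob[:16]}... -> {shown!r}")
    if not hits:
        print("no UPSTYLE tasking markers found")
    return hits


if __name__ == "__main__":
    report()
```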

Volexity, in its own analysis, said it observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tooling, pivot into internal networks, and ultimately exfiltrate data. The exact scale of the campaign is presently unclear. The adversary has been assigned the moniker UTA0218 by the company.


“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the American cybersecurity firm said.

“UTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting Active Directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

Organizations are recommended to look for signs of lateral movement internally from their Palo Alto Networks GlobalProtect firewall device.

The development has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by April 19 to mitigate potential threats. Palo Alto Networks is expected to release fixes for the flaw no later than April 14.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” Volexity said.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”

Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
http://www.indiavpn.org/2024/04/03/android-zero-day-flaws-in-pixel-phones-exploited-by-forensic-companies/
Wed, 03 Apr 2024 17:06:15 +0000

Apr 03, 2024 | Newsroom | Mobile Security / Zero Day


Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

The high-severity zero-day vulnerabilities are as follows –

  • CVE-2024-29745 – An information disclosure flaw in the bootloader component
  • CVE-2024-29748 – A privilege escalation flaw in the firmware component

“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google said in an advisory published April 2, 2024.

While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”


“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” they said in a series of posts on X (formerly Twitter).

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”

GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.

The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.

It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.

DarkGate Malware Exploits Recently Patched Microsoft Flaw in Zero-Day Attack
http://www.indiavpn.org/2024/03/14/darkgate-malware-exploits-recently-patched-microsoft-flaw-in-zero-day-attack/
Thu, 14 Mar 2024 05:47:25 +0000

Mar 14, 2024 | Newsroom | Malware / Cyber Attack


A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers.

“During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers,” Trend Micro said.

CVE-2024-21412 (CVSS score: 8.1) is an Internet Shortcut Files security feature bypass vulnerability that permits an unauthenticated attacker to circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file.

It was fixed by Microsoft as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware in attacks targeting financial institutions.

The latest findings from Trend Micro show that the vulnerability has come under broader exploitation than previously thought, with the DarkGate campaign leveraging it in conjunction with open redirects from Google Ads to proliferate the malware.


The sophisticated attack chain begins with victims clicking on a link embedded within a PDF attachment sent via a phishing email. The link deploys an open redirect from Google’s doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploits CVE-2024-21412.

Specifically, the open redirects are designed to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, such as Apple iTunes, Notion, and NVIDIA, which come bundled with a side-loaded DLL file that decrypts and runs DarkGate (version 6.1.7) on the victim’s machine.

It’s worth noting that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been employed by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu over the past few months.

The abuse of Google Ads technologies allows threat actors to increase the reach and scale of their attacks through different ad campaigns that are tailored for specific audiences.

“Using fake software installers, along with open redirects, is a potent combination and can lead to many infections,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said. “It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels.”


The development comes as the AhnLab Security Intelligence Center (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed via fake PDF files and seemingly legitimate websites to deploy information stealers like LummaC2 and the XRed backdoor.

It also follows the discovery of new stealer malware families like Planet Stealer, Rage Stealer (aka xStealer), and Tweaks (aka Tweaker), adding to the plethora of cyber threats that are capable of harvesting sensitive information from compromised hosts.

“Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers,” Zscaler ThreatLabz said.

“Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware.”


The PowerShell-based stealer is equipped to exfiltrate sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook.

Malvertising and social engineering campaigns have also been observed acting as an initial access vector to disseminate a wide range of stealer and remote access trojans like Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys, SapphireStealer, and zgRAT.

Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws
http://www.indiavpn.org/2024/03/06/apple-issues-critical-updates-for-actively-exploited-zero-day-flaws/
Wed, 06 Mar 2024 06:18:33 +0000

Mar 06, 2024 | Newsroom | Vulnerability / Zero Day


Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.

The shortcomings are listed below –

  • CVE-2024-23225 – A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
  • CVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

It’s currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.


The updates are available for the following devices –

  • iOS 16.7.6 and iPadOS 16.7.6 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • iOS 17.4 and iPadOS 17.4 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and Safari web browser that could result in arbitrary code execution.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.


The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).

Google, in an advisory published in June 2023, acknowledged it found indications that “CVE-2023-21237 may be under limited, targeted exploitation.” As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.

Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
http://www.indiavpn.org/2024/02/29/lazarus-hackers-exploited-windows-kernel-flaw-as-zero-day-in-recent-attacks/
Thu, 29 Feb 2024 14:12:53 +0000

Feb 29, 2024 | Newsroom | Rootkit / Threat Intelligence


The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.

“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”


While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its “Exploitability assessment” for the flaw to “Exploitation Detected.”

Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.”

The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker installs a driver susceptible to a known or zero-day flaw and exploits it to escalate privileges.

What makes the latest attack significant is that it goes “beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine.” That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called AppLocker that’s responsible for application control.


The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.

“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem, and Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances,” security researcher Jan Vojtěšek said, describing the malware as under active development.

Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).


The development marks a new level of technical sophistication on the part of North Korean hacking groups, which continuously iterate their arsenal for improved stealth and functionality. It also illustrates the elaborate techniques they employ to hinder detection and make their tracking much harder.

The adversarial collective’s cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.

“Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors,” Vojtěšek said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”

DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
http://www.indiavpn.org/2024/02/14/darkme-malware-targets-traders-using-microsoft-smartscreen-zero-day-vulnerability/
Wed, 14 Feb 2024 07:42:16 +0000

Feb 14, 2024 | Newsroom | Zero-Day / Financial Sector Security


A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.

Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).

“In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report.

Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.


However, successful exploitation banks on the prerequisite that the threat actor convinces the victim to click on the file link to view the attacker-controlled content.

The infection procedure documented by Trend Micro exploits CVE-2024-21412 to drop a malicious installer file (“7z.msi”) once the victim clicks a booby-trapped URL (“fxbulls[.]ru”). The URL is distributed via forex trading forums under the pretext of sharing a link to a stock chart image that is, in reality, an internet shortcut file (“photo_2023-12-29.jpg.url”).

“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”

The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used for calling the desktop search application on Windows and has been abused in the past to deliver malware.

The rogue internet shortcut file, for its part, points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).

This unusual referencing stems from the fact that “calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark of the Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source.”


The end goal of the campaign is to deliver a Visual Basic trojan known as DarkMe stealthily in the background while displaying the stock graph to the victim to keep up the ruse upon completion of the exploitation and infection chain.

DarkMe comes with capabilities to download and execute additional instructions, alongside registering itself with a command-and-control (C2) server and gathering information from the compromised system.

The development comes amid a new trend where zero-days found by cybercrime groups end up getting incorporated into attack chains deployed by nation-state hacking groups to launch sophisticated attacks.

“Water Hydra possesses the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe,” the researchers said.

Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation
http://www.indiavpn.org/2024/01/31/ivanti-discloses-2-new-zero-day-flaws-one-under-active-exploitation/
Wed, 31 Jan 2024 14:55:17 +0000

Jan 31, 2024 | Newsroom | Vulnerability / Zero Day


Ivanti is warning of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild.

The list of vulnerabilities is as follows –

  • CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator
  • CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”


It further noted that it “expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public.”

In tandem with the public disclosure of the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment,” it said. “Customers should expect this process to take 3-4 hours.”

As temporary workarounds to address CVE-2024-21888 and CVE-2024-21893, users are recommended to import the “mitigation.release.20240126.5.xml” file.

The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have come under broad exploitation by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.

Apple Issues Patch for Critical Zero-Day in iPhones, Macs
http://www.indiavpn.org/2024/01/23/apple-issues-patch-for-critical-zero-day-in-iphones-macs/
Tue, 23 Jan 2024 02:53:24 +0000

Jan 23, 2024 | Newsroom | Vulnerability / Device Security

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.

The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.


Type confusion vulnerabilities, in general, could be weaponized to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.

Apple, in a terse advisory, acknowledged that it’s “aware of a report that this issue may have been exploited,” but did not share any other specifics about the nature of attacks or the threat actors leveraging the shortcoming.

The updates are available for the following devices and operating systems –

  • iOS 17.3 and iPadOS 17.3 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.5 and iPadOS 16.7.5 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • macOS Sonoma 14.3 – Macs running macOS Sonoma
  • macOS Ventura 13.6.4 – Macs running macOS Ventura
  • macOS Monterey 12.7.3 – Macs running macOS Monterey
  • tvOS 17.3 – Apple TV HD and Apple TV 4K (all models)
  • Safari 17.3 – Macs running macOS Monterey and macOS Ventura

The development marks the first actively exploited zero-day vulnerability to be patched by Apple this year. Last year, the iPhone maker had addressed 20 zero-days that have been employed in real-world attacks.


In addition, Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917 – patches for which were released in December 2023 – to older devices –

  • iOS 15.8.1 and iPadOS 15.8.1 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

The disclosure also follows a report that Chinese authorities revealed that they have used previously known vulnerabilities in Apple’s AirDrop functionality to help law enforcement to identify senders of inappropriate content, using a technique based on rainbow tables.

Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
http://www.indiavpn.org/2024/01/20/chinese-hackers-silently-weaponized-vmware-zero-day-flaw-for-2-years/
Sat, 20 Jan 2024 12:34:00 +0000

Jan 20, 2024 | Newsroom | Zero Day / Cyber Espionage


An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.

“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” Google-owned Mandiant said in a Friday report.

The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server. It was fixed by the Broadcom-owned company on October 24, 2023.


The virtualization services provider, earlier this week, updated its advisory to acknowledge that “exploitation of CVE-2023-34048 has occurred in the wild.”

UNC3886 first came to light in September 2022 when it was found to leverage previously unknown security flaws in VMware to backdoor Windows and Linux systems, deploying malware families like VIRTUALPITA and VIRTUALPIE.

The latest findings from Mandiant show that the zero-day weaponized by the nation-state actor targeting VMware was none other than CVE-2023-34048, allowing it to gain privileged access to the vCenter system, and enumerate all ESXi hosts and their respective guest virtual machines attached to the system.

The next phase of the attack involves retrieving cleartext “vpxuser” credentials for the hosts and connecting to them in order to install the VIRTUALPITA and VIRTUALPIE malware, thereby enabling the adversary to directly connect to the hosts.


This ultimately paves the way for the exploitation of another VMware flaw (CVE-2023-20867, CVSS score: 3.9) to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host, as revealed by Mandiant in June 2023.

VMware vCenter Server users are advised to update to the latest version to mitigate any potential threats.

In recent years, UNC3886 has also taken advantage of CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

These attacks single out firewall and virtualization appliances because they lack support for endpoint detection and response (EDR) solutions, which allows the adversary to persist within target environments for extended periods of time.





]]>
CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits
http://www.indiavpn.org/2024/01/20/cisa-issues-emergency-directive-to-federal-agencies-on-ivanti-zero-day-exploits/
Sat, 20 Jan 2024 05:03:37 +0000

Jan 20, 2024 | Newsroom | Network Security / Threat Intelligence


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development came after the vulnerabilities – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – came under widespread exploitation by multiple threat actors. Chained together, the flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system.

The U.S. company acknowledged in an advisory that it has witnessed a “sharp increase in threat actor activity” starting on January 11, 2024, after the shortcomings were publicly disclosed.


“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency said.

Ivanti, which is expected to release an update to address the flaws next week, has made available a temporary workaround through an XML file that can be imported into affected products to make necessary configuration changes.

CISA is urging organizations running ICS to apply the mitigation and run an External Integrity Checker Tool to identify signs of compromise; if any are found, the device should be disconnected from the network and reset, followed by importing the XML file.

In addition, FCEB entities are urged to revoke and reissue any stored certificates, reset the admin enable password, store API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity firms Volexity and Mandiant have observed attacks weaponizing the twin flaws to deploy web shells and passive backdoors for persistent access to compromised appliances. As many as 2,100 devices worldwide are estimated to have been compromised to date.


The initial attack wave identified in December 2023 has been attributed to a Chinese nation-state group that is being tracked as UTA0178. Mandiant is keeping tabs on the activity under the moniker UNC5221, although it has not been linked to any specific group or country.

Threat intelligence firm GreyNoise said it has also observed the vulnerabilities being abused to drop persistent backdoors and XMRig cryptocurrency miners, indicating opportunistic exploitation by bad actors for financial gain.





]]>