
NormCyber Threat Bulletin: 26th June 2024

SolarWinds Serv-U Vulnerability Under Active Exploitation – Immediate Patching Recommended

A recently discovered vulnerability in the SolarWinds Serv-U file transfer software is now being actively exploited in the wild. Tracked as CVE-2024-28995 and assigned a CVSS score of 8.6, the flaw can allow threat actors to access and read sensitive files stored on the target host.


This vulnerability affects all versions of Serv-U up to and including Serv-U 15.4.2 HF 1. The flaw was patched in Serv-U 15.4.2 HF 2.

The products affected by CVE-2024-28995 are listed below:

  • Serv-U FTP Server 15.4
  • Serv-U Gateway 15.4
  • Serv-U MFT Server 15.4
  • Serv-U File Server 15.4

Hussein Daher, a security researcher with Web Immunify, was credited with discovering and reporting the flaw. Following its public disclosure, a proof-of-concept exploit and additional technical details have been made available, increasing the urgency to patch as soon as possible.

The cyber security organisation Rapid7 commented that the vulnerability is trivial to exploit and can allow external, unauthenticated attackers to read any file on disk, provided they know the file path and the file is not locked.

In a quote from their own post regarding this vulnerability, Rapid7 stated that “High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims”.

According to Greynoise, a threat intelligence firm, threat actors have already begun opportunistic attacks using the flaw against Greynoise’s honeypot servers to access sensitive files. Given this evidence, it is imperative that users apply the patches as soon as possible.
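The bulletin gives a precise affected range (everything up to and including 15.4.2 HF 1, fixed in 15.4.2 HF 2), so the first thing to do is compare an inventory of Serv-U installations against it. The following is an added example, not code from SolarWinds, norm. or any of the sources cited; the version-string format ("major.minor[.patch][ HF n]", optionally prefixed with "Serv-U") is an assumption based on how the bulletin writes the version numbers, and the inventory is constructed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Boundaries from the bulletin: everything up to and including 15.4.2 HF 1 is
# affected; 15.4.2 HF 2 carries the fix.
LAST_VULNERABLE = "15.4.2 HF 1"
FIRST_FIXED = "15.4.2 HF 2"

# Assumption: versions are written as "major.minor[.patch][ HF n]", optionally
# prefixed with "Serv-U", as the bulletin writes them.
_VERSION_RE = re.compile(
    r"^\s*(?:Serv-U\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '15.4.2 HF 1' into a comparable (major, minor, patch, hotfix) tuple.

    A release with no HF suffix is hotfix 0, so 15.4.2 sorts before 15.4.2 HF 1
    and plain tuple comparison orders releases correctly.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version is at or below the last vulnerable build."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to 'PATCH' or 'ok'.

    Unparseable version strings are reported as 'UNKNOWN' rather than being
    silently treated as safe.
    """
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "PATCH" if is_vulnerable(version) else "ok"
        except ValueError:
            verdicts[host] = "UNKNOWN"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "ftp-01": "Serv-U 15.4.2 HF 1",
        "ftp-02": "15.4.2 HF 2",
        "gw-01": "15.3.1",
        "mft-03": "15.4.2",
        "file-04": "n/a",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:8} {sample[host]:20} {verdict}")
```

The hotfix number is carried as a fourth tuple element so that a bare 15.4.2 is correctly classed as older than 15.4.2 HF 1; hosts whose version cannot be parsed are surfaced as UNKNOWN so they get checked by hand rather than dropping off the patch list.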

By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

References

SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately (thehackernews.com)
CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U (Rapid7)
CVE-2024-28995 (NIST)
SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you! (Greynoise)

Rafel RAT Malware: An Android Device’s Nightmare

Introduction

Rafel RAT is an open-source malware tool that operates stealthily on Android devices. It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation.

Threat Landscape

Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. However, with its widespread adoption and open environment comes the risk of malicious activity. Android malware poses a significant threat to users’ privacy, security, and data integrity.

Rafel RAT: A Potent Threat

Rafel RAT is a potent tool for conducting covert operations and infiltrating high-value targets. Its features and capabilities, such as remote access, surveillance, data exfiltration, and persistence mechanisms, make it a significant threat.

Espionage to Ransomware Operations

Check Point Research has identified multiple threat actors utilising Rafel, indicating the tool’s efficacy across various threat actor profiles and operational objectives. An espionage group leveraging Rafel in their operations was of particular significance.

Victims Analysis

Around 120 different malicious campaigns were observed, some of which successfully targeted high-profile organisations, including the military sector. While most of the targeted victims were in the United States, China, and Indonesia, the geographic spread of the attacks is extensive.

Conclusion

The Rafel RAT malware is a serious threat to Android devices. Users are advised to update their Android devices to protect their information. The evolving landscape of Android malware presents challenges for users, developers, and security experts. As attackers employ increasingly sophisticated techniques to evade detection and compromise devices, understanding the nature of Android malware, its distribution methods, and effective prevention and mitigation strategies becomes paramount.

References

Rafel RAT, Android Malware from Espionage to Ransomware Operations – Check Point Research
Rafel RAT, Android Malware from Espionage to Ransomware Operations – Check Point Blog
Rafel RAT, Android Malware from Espionage to Ransomware Operations (sechub.in)
Dangerous RAT mostly lurks in outdated Android phones | Cybernews

An Overview of Smart Devices

What is a smart device?

A smart device is an appliance that is connected to the internet and can do more than its non-smart counterparts. This can be due to voice commands, remote control functions or automation. For example, smartwatches not only allow you to tell the time but also can track your fitness goals, play music and receive notifications.

Types of smart devices on the market

Smart kitchen appliances such as fridges can create shopping lists for you, create recipes based on items you have and monitor expiry dates. A smart coffee machine can brew a cup of coffee for a programmed time.

Smart thermostats can help you control the temperature of your home remotely, programming the start times and temperature. Smart thermostats can learn the user’s habits to automatically adjust settings and can also report energy usage.

Smart security systems like Ring doorbells can help users monitor their homes whilst they are away. The motion sensor technology can alert the user to any residents, animals or unwanted visitors within range of the doorbell.

The dangers of smart devices

A study into smart device usage found that voice-activated devices have the potential for eavesdropping: the devices have been found to inadvertently record and transmit audio data. Many of these devices also share the user’s data with third parties, and there is a lack of transparency around how it is collected, stored and shared because the data policies are often buried in large volumes of text.

Smart home devices are also susceptible to being hacked. Andrew Laughlin, a researcher at Which?, worked with the Global Cyber Alliance to set up a test smart home. They recorded 12,807 unique scanning and attack attempts in their busiest week of testing. During that week, 2,435 unique malicious attempts were made to log into the devices with weak usernames and passwords.
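Figures like the ones the Which? study reports (unique scanning attempts, unique login attempts against weak or default accounts) are the kind a home gateway or device owner can derive from their own authentication log. The following is an added example, not code from Which?, the Global Cyber Alliance or norm.; the log format, the sample log lines and the list of default account names are all constructed assumptions for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumption: account names routinely shipped as factory defaults on consumer
# devices. A real deployment would use the vendor's own list.
DEFAULT_USERNAMES = {"admin", "root", "user", "guest", "support"}

# Constructed sample log. Format (an assumption, not any real device's):
#   <timestamp> <source-ip> <event> <username-or->
# Events: "probe" (unsolicited connection), "login-failed", "login-ok".
# Attempted passwords are deliberately not recorded.
SAMPLE_LOG = """\
2024-06-20T01:02:03Z 203.0.113.7 probe -
2024-06-20T01:02:04Z 203.0.113.7 login-failed admin
2024-06-20T01:02:05Z 203.0.113.7 login-failed admin
2024-06-20T01:05:10Z 198.51.100.9 login-failed root
2024-06-20T02:11:44Z 198.51.100.9 login-failed support
2024-06-20T02:12:00Z 198.51.100.9 probe -
2024-06-20T03:30:00Z 192.0.2.22 login-failed alice
2024-06-20T04:00:00Z 192.0.2.55 login-ok alice
"""

HOSTILE_EVENTS = {"probe", "login-failed"}


@dataclass(frozen=True)
class Event:
    when: str
    src: str
    kind: str
    user: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; a malformed line raises rather than
    being skipped silently, so gaps in the evidence are noticed."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        events.append(Event(*parts))
    return events


def summarise(events: List[Event], block_threshold: int = 2) -> Dict[str, object]:
    """Produce the same kind of figures the Which? study quotes: unique hostile
    sources, and unique login attempts against default account names. Sources
    with at least `block_threshold` hostile events are listed for blocking."""
    hostile = [e for e in events if e.kind in HOSTILE_EVENTS]
    default_logins = [
        e for e in events
        if e.kind == "login-failed" and e.user.lower() in DEFAULT_USERNAMES
    ]
    per_source = Counter(e.src for e in hostile)
    return {
        "hostile_events": len(hostile),
        "unique_hostile_sources": len(per_source),
        "default_account_attempts": len(default_logins),
        "unique_default_account_attempts": len({(e.src, e.user) for e in default_logins}),
        "sources_over_threshold": sorted(
            src for src, n in per_source.items() if n >= block_threshold
        ),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{key:32} {value}")
```

Two design points: the log records only the username tried, never the password, because a log that captures attempted passwords becomes sensitive data itself; and "unique" attempts are counted as distinct (source, account) pairs, which is what makes a count like 2,435 meaningful rather than inflated by one scanner retrying the same account in a loop.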

How to secure smart devices

On 29 April 2024, a new law was introduced: the Product Security and Telecommunications Infrastructure Act. It requires all smart devices to meet specific security requirements. Manufacturers must not ship smart devices with easily discoverable default passwords; they must also state the minimum period for which the device will receive security updates, and must provide a point of contact for reporting security issues.

As a user, ensure your device receives the latest software updates. If the device comes with a default password, change it to something stronger. If multi-factor authentication is offered for the device, enable it, as it adds another layer of protection. These steps will help protect the device from exploitation attempts.

References

Are Your Smart Home Devices Spying On You? (Experts Say, Yes!) | Data Pacific Limited
Smart device definition – Glossary | NordVPN
Smart devices: new law helps citizens to choose secure… – NCSC.GOV.UK
What is a Smart Home? Everything You Need to Know|Definition from TechTarget
How a smart home could be at risk from hackers – Which? News
