
File-Sharing Tools Under Attack: What Users Need to Know



A serious flaw has been found in three widely used file-sharing tools, putting several organizations at risk of security breaches. The three tools affected, LexiCom, VLTransfer, and Harmony, are all developed by Cleo, a company focused on managed file transfer (MFT) solutions. Experts have warned that the flaw could be exploited and urged users to take preventive measures immediately.


The Vulnerability and Its Impact

This vulnerability, tracked as CVE-2024-50623, allows unrestricted file uploads and downloads, which can let attackers execute malicious code remotely. Huntress, a cybersecurity firm, reported that the flaw has already been exploited, with at least 24 businesses confirmed as compromised. Companies in sectors such as logistics, consumer products, and food supply are among those affected.

Although Cleo issued a patch in October 2024, Huntress believes the update is not enough to protect users, leaving systems exposed to attackers. According to Shodan, a search engine that indexes internet-connected devices, there are hundreds of vulnerable servers running Cleo's tools, most of them located in the United States.


What Is Happening After Exploitation?

Once the vulnerability has been exploited, attackers are carrying out post-exploitation activity consistent with data theft or other malicious goals. According to Huntress, the attackers' motives are unknown and no data breaches have been confirmed so far. Based on the available evidence, however, files may have been accessed or stolen, which poses a serious risk to the organizations affected.


Cleo's Response and Recommended Actions

Cleo has acknowledged the vulnerability and is currently working on an improved fix. In the meantime, the company advises users to secure their systems by placing file-sharing tools behind a firewall. This added layer of protection can help minimize exposure to attackers until a robust patch is released.


A Broader Issue in File-Sharing Security

This is not the first time MFT tools have been targeted through security flaws. In 2023, a Russian ransomware group exploited a similar vulnerability in MOVEit, another MFT solution, to steal sensitive data from numerous organizations worldwide. These incidents highlight the growing risks associated with such tools and the need for stronger security measures around them.

Users of file-sharing tools need to be watchful and prioritize cybersecurity. Regular application of updates, use of firewalls, and monitoring for unusual activity can help minimize the exploitation risk. Since file-sharing is an integral part of modern business operations, it is essential that these tools are secure in order to protect sensitive information.




Threat Actors Exploit WeTransfer to Spread Lampion Malware


In a new phishing campaign uncovered by Cofense researchers, the Lampion malware is being distributed at scale, with the attackers abusing WeTransfer as part of the campaign.

WeTransfer is a free, web-based file transfer service, which makes it a no-cost way to get past security software that may not flag its URLs in emails.

The malware operators send phishing emails from compromised company accounts, asking customers to download a "Proof of Payment" document from WeTransfer.

The file sent to targets is a ZIP archive containing a VBS (Visual Basic Script) file that the user must open for the attack to begin. When the file is opened, the script launches a WScript process that creates four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole purpose is to launch the fourth script.

According to Cofense researchers, the purpose of this extra step is unclear, but modular execution chains are typically preferred for their flexibility, since individual files can be swapped out easily. The fourth script starts a new WScript process that connects to two hardcoded URLs to retrieve two DLL files hidden inside password-protected ZIP archives. The malicious links point to Amazon AWS instances.

The ZIP password is embedded in the script, so the archives are extracted without any user interaction. The DLL payloads they contain are loaded into memory, allowing Lampion to run stealthily on compromised systems.

The malware then begins extracting data from the computer and targets bank accounts by overlaying its own login forms on legitimate login pages. Credentials entered into these fake forms are captured and sent to the attacker.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and using compromised servers to host its malicious ZIP archives.

Last year, the malware was observed abusing cloud services, including Google Drive and pCloud, to host its payloads for the first time. More recently, in March 2022, Cyware reported an increase in trojan distribution and identified a hostname linked to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety
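The execution chain described above (a script-launched WScript process dropping several VBS files, then a child WScript process fetching payloads from remote hosts) lends itself to a simple host-telemetry correlation. The following Python is an added example, not code from Cofense or the original post: it runs over constructed, Sysmon-style process, file and network events (the event schema, PIDs, paths and addresses are all assumptions) and flags the parent WScript process when that pattern appears.

```python
# Added example: correlate constructed endpoint events to detect a
# Lampion-style dropper chain. Event schema is an assumption (Sysmon-like).
from collections import defaultdict

# Constructed sample telemetry, not real logs. PIDs, paths and IPs are made up.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmd": "explorer.exe"},
    # WScript started from the downloaded VBS inside the ZIP
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": 'wscript.exe "C:\\Users\\u\\Downloads\\Proof of Payment.vbs"'},
    # ...which writes four randomly named VBS files
    {"type": "file", "pid": 200, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\a8f2.vbs"},
    {"type": "file", "pid": 200, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\k91q.vbs"},
    {"type": "file", "pid": 200, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\zz10.vbs"},
    {"type": "file", "pid": 200, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\p0o3.vbs"},
    # ...and a child WScript process that reaches out to two remote hosts
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\p0o3.vbs"'},
    {"type": "network", "pid": 300, "dest": "203.0.113.10", "port": 443},
    {"type": "network", "pid": 300, "dest": "203.0.113.11", "port": 443},
    # Benign logon script: one WScript, no dropped VBS files, no network
    {"type": "process", "pid": 400, "ppid": 100, "image": "wscript.exe",
     "cmd": "wscript.exe logon.vbs"},
]


def detect_script_dropper_chain(events, min_dropped=2):
    """Return PIDs of wscript.exe processes that wrote at least `min_dropped`
    .vbs files and whose wscript.exe child made outbound connections."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = defaultdict(int)
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".vbs"):
            dropped[e["pid"]] += 1
    net_pids = {e["pid"] for e in events if e["type"] == "network"}
    hits = []
    for pid, proc in procs.items():
        if proc["image"].lower() != "wscript.exe" or dropped[pid] < min_dropped:
            continue
        children = [c for c in procs.values()
                    if c["ppid"] == pid and c["image"].lower() == "wscript.exe"]
        if any(c["pid"] in net_pids for c in children):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print(detect_script_dropper_chain(EVENTS))  # [200]
```

The benign logon script (PID 400) is not flagged because it neither drops VBS files nor spawns a networking child, which is the distinction that keeps this rule from firing on ordinary WScript use.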

Cyber Attack: Computer Systems of Lakehead University Remains Offline


Lakehead University (LU), based in Ontario, Canada, is currently dealing with a cyber-attack that hit the institution on Tuesday; consequently, its computer systems remain offline. Soon after the attack, the university shut down the computers at its Thunder Bay and Orillia campuses as a precautionary measure.

In an update on the investigation, Lakehead stated that the attack was directed at the university's file share servers. Technology Services Centre staff responded quickly and removed all access to the services directly linked to the file share servers.

However, the notice sent by the university to students and staff does not explain how the threat actors gained access to the university's information systems: “Lakehead University’s Technology Services Centre (TSC) team is currently managing a cyber attack that is affecting our campuses’ server. In order to protect our systems and data as much as possible, TSC has removed all access to our servers which affects both our campuses.”

University staff are working to determine specifically which servers and data were affected by the attack. The university has engaged security experts to identify the source of the attack and help staff resolve the issue. Later on Thursday, Lakehead released another update stating that it had postponed two virtual campus tours because of the cyber-attack. The attack has also disrupted the academic year, and the university is reviewing key dates.

The statement released by the university reads, “As course requirements and deadlines differ across programs, individual students may be impacted in multiple and varying ways. Faculties are currently reviewing the situation and students will be updated by program or individual instructors about how concerns relating to assignments, exams, and similar issues will be addressed.”