CISA Alerts on Ransomware Groups Targeting Vulnerabilities in Cleo and CyberPanel

Ransomware Gangs Exploit Newly Disclosed Vulnerabilities: A Call to Action for Organizations

In a troubling development for cybersecurity, two recently disclosed vulnerabilities are being actively exploited by ransomware gangs targeting organizations across the United States. The Cybersecurity and Infrastructure Security Agency (CISA), the nation’s leading cybersecurity authority, has issued urgent warnings and directives for government agencies to patch these vulnerabilities immediately.

The Vulnerabilities Unveiled

Over the past two weeks, CISA has taken the unprecedented step of confirming that ransomware actors are leveraging specific bugs to infiltrate systems. The agency has mandated that federal civilian agencies must patch these vulnerabilities by set deadlines to mitigate the risks associated with these exploits.

On December 1, CISA announced that federal agencies have until January 3 to address CVE-2024-50623, a vulnerability that has raised significant concerns among cybersecurity experts. This particular bug affects a widely used file-sharing product from Cleo, impacting three of its offerings: Cleo Harmony, VLTrader, and LexiCom. Cleo Harmony and VLTrader are designed for enterprise-level file sharing, while LexiCom serves smaller organizations with lighter file transfer needs.

The Impact of the Cleo Vulnerability

The urgency surrounding CVE-2024-50623 stems from reports indicating that dozens of organizations have already been breached through this vulnerability. Although Cleo initially released a patch for the bug in October, researchers discovered last week that the fix was ineffective. Consequently, hackers, including members of the notorious Termite ransomware gang, have been exploiting this vulnerability since December 7.

The ramifications of this vulnerability are particularly severe for sectors such as consumer products, shipping, and retail supply chains, where the compromised file-sharing systems are integral to operations. The emergence of a new family of malware associated with these attacks has further alarmed cybersecurity professionals.

Another Vulnerability in the Crosshairs

Just nine days prior to the announcement regarding the Cleo vulnerability, CISA added another bug to its catalog of exploited vulnerabilities. CVE-2024-51378, which affects products from CyberPanel, was flagged for urgent attention, with a deadline for patching set for Christmas Day. CyberPanel is widely used for managing web hosting, domains, email, and other hosting features on Linux servers.

Experts have warned that malicious actors have successfully infected several CyberPanel instances following the public release of a technical write-up detailing the vulnerability in late October. This has led to the discovery of at least three ransomware variants, including Babuk, Cerber, and PSAUX, on compromised CyberPanel systems.

The Scale of the Threat

Reports indicate that the PSAUX ransomware has targeted over 22,000 CyberPanel instances, effectively shutting down nearly all of them. Mike Walters, co-founder of cybersecurity firm Action1, emphasized the importance of updating to the latest version of CyberPanel to protect against these vulnerabilities, as the PSAUX ransomware actors have been exploiting weaknesses in web servers since their emergence in June.

CISA’s Proactive Approach

In an effort to enhance the cybersecurity posture of federal agencies and other organizations, CISA has begun to include information about ransomware exploitation in its catalog of known exploited vulnerabilities. This initiative, which started in October 2023, aims to encourage proactive measures in patching vulnerabilities.

Despite this effort, the information regarding ransomware exploitation has been sparse, with the “Known To Be Used in Ransomware Campaigns?” tab often marked as “unknown.” The recent acknowledgment of two vulnerabilities exploited by ransomware actors marks a significant shift in CISA’s approach and highlights the growing threat landscape.
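Because the catalog carries the ransomware flag and a patch deadline for every entry, a defender can triage it programmatically instead of reading it by hand. The script below is an added example, not code from CISA or from the article: it parses a feed body shaped like the KEV JSON (the field names `vulnerabilities`, `cveID`, `vendorProject`, `dueDate` and `knownRansomwareCampaignUse` follow the published feed format; the three records are constructed sample data, with the two CVEs and deadlines from the article plus one placeholder entry), keeps the entries that match the vendors an organization actually runs, and orders them so ransomware-exploited bugs with the nearest deadline come first. The `inventory` argument is an assumed, caller-supplied set of lowercase vendor names.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV JSON feed. Dates follow the article
# (Cleo added December 1 with a January 3 deadline; CyberPanel nine days
# earlier with a Christmas Day deadline). The third record is a placeholder.
SAMPLE_KEV_JSON = """
{
  "title": "Sample KEV feed (constructed for this example)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-50623", "vendorProject": "Cleo",
     "product": "Harmony, VLTrader, LexiCom",
     "dateAdded": "2024-12-01", "dueDate": "2025-01-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-51378", "vendorProject": "CyberPanel",
     "product": "CyberPanel",
     "dateAdded": "2024-11-22", "dueDate": "2024-12-25",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
     "product": "PlaceholderProduct",
     "dateAdded": "2024-11-01", "dueDate": "2024-11-22",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def load_kev(text: str) -> list[dict]:
    """Parse a KEV feed body and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def ransomware_known(entries: list[dict]) -> list[dict]:
    """Keep only entries CISA marks as known to be used in ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def triage(entries: list[dict], inventory: set[str], today: date) -> list[dict]:
    """Return the entries whose vendor appears in `inventory` (lowercase vendor
    names the organization runs), annotated with days until the CISA deadline,
    sorted so ransomware-exploited bugs with the nearest deadline come first."""
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        days_left = (due - today).days
        rows.append({
            "cveID": e["cveID"],
            "vendorProject": e["vendorProject"],
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    # False sorts before True, so negate the flag to put ransomware entries first.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    # Assumed inventory: the organization runs both products named in the article.
    for row in triage(entries, {"cleo", "cyberpanel"}, date(2024, 12, 20)):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        tag = "ransomware" if row["ransomware"] else "no ransomware use recorded"
        print(f"{row['cveID']:16} {row['vendorProject']:12} due {row['dueDate']}  {status}  [{tag}]")
```

Swapping the embedded sample for the live feed body and the assumed inventory for the organization's asset list turns this into a daily check; the ordering means the two entries the article describes surface at the top as soon as they carry the "Known" flag.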

Conclusion: A Call to Action

The recent disclosures of vulnerabilities CVE-2024-50623 and CVE-2024-51378 serve as a stark reminder of the persistent and evolving threats posed by ransomware gangs. Organizations must prioritize patching these vulnerabilities to safeguard their systems and data. As ransomware actors continue to exploit weaknesses in widely used software, the onus is on organizations to remain vigilant, proactive, and prepared to respond to these threats.

In an era where cyber threats are increasingly sophisticated, the importance of timely updates and security measures cannot be overstated. Organizations are urged to take immediate action to protect themselves from the looming threat of ransomware attacks.
