Full Report
For the latest discoveries in cyber research for the week of 30th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours […]

The post 30th December – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Compilation of Recent Cyber Incidents and Vulnerabilities
## Executive Summary
This report summarizes several distinct security incidents that occurred around the last week of December, including major ransomware attacks (Clop targeting Cleo), operational disruption (PRT ransomware), data exposure (Cariad/VW), and supply chain compromises (ZAGG/FreshClick, ESA shop). Significant vulnerabilities were also disclosed, notably critical flaws in Apache Traffic Control (SQLi) and Apache MINA (RCE).
## Incident Details
- **Discovery Date:** Varied (Report published week of December 30th, 2024)
- **Incident Date:** Varied (Occurred in weeks prior/ongoing)
- **Affected Organization:** Cleo, Pittsburgh Regional Transit (PRT), Cyberhaven, Cariad (VW subsidiary), Japan Airlines, ZAGG Inc., European Space Agency (ESA) Merchandise Store.
- **Sector:** File Transfer/Software, Public Transit, Cybersecurity, Automotive, Aviation, E-commerce/Retail, Government/Space Retail.
- **Geography:** Global (implied; specific locations are mentioned only for PRT and Japan Airlines).
## Timeline of Events
**Note:** Specific dates are often unavailable; progression is based on reporting context.
### Initial Access
- **Date/Time:** Varies.
- **Vector:**
* **Clop:** Zero-day vulnerability in Cleo Secure File Transfer products (CVE-2024-50623, Arbitrary File Upload).
* **PRT:** Undisclosed ransomware attack.
* **Cyberhaven:** Compromise of the Chrome browser extension infrastructure.
* **Cariad/VW:** Misconfiguration of IT applications/cloud storage.
* **Japan Airlines:** Sudden surge in network traffic (DDoS).
* **ZAGG/ESA:** Malicious code injection via third-party/e-commerce platform (FreshClick app, fake payment page).
### Lateral Movement
- **Clop:** Implied file transfer/data manipulation leading to theft.
- **PRT:** Ransomware deployment leading to service disruption.
- **Cyberhaven:** Implied ability to move from extension compromise to session/cookie exfiltration.
### Data Exfiltration/Impact
- **Clop (66 victims):** Alleged theft of data from Cleo customers.
- **Cyberhaven:** Exfiltration of users’ sensitive information, including authenticated sessions and cookies.
- **Cariad/VW:** Exposure of 800,000 electric car owners' data, including precise geo-location data (460,000 cars).
- **ZAGG:** Exposure of customer payment card information (Oct-Nov 2024).
- **ESA Shop:** Attempted theft of customer payment card details via a fake payment page.
### Detection & Response
- **PRT:** Service disruptions noted for rail and customer service; law enforcement and cybersecurity experts engaged. Transit services resumed, but ConnectCard processing remains affected.
- **Japan Airlines:** Attacks led to domestic/international flight delays; systems resumed normal activity.
- **Clop:** Victims given 48 hours to negotiate before public disclosure.
- **Cariad:** Chaos Computer Club identified the misconfiguration.
## Attack Methodology
| Category | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Zero-day exploitation (CVE-2024-50623 in Cleo MFT), Ransomware deployment, Malicious software update/injection (Cyberhaven extension, ZAGG FreshClick), Misconfiguration (Cariad/AWS S3), DDoS attack (JAL), Compromised retail payment page (ESA). |
| **Persistence** | Not explicitly detailed for most, but implied by Clop's file transfer mechanism. |
| **Privilege Escalation** | Not explicitly detailed for the data-centric breaches; Clop has historically operated with high privileges on MFT appliances. |
| **Defense Evasion** | N/A (Often bypasses defense via zero-day or misconfiguration). |
| **Credential Access** | The Cyberhaven extension compromise led to exfiltration of victims' sessions and cookies. |
| **Discovery** | Geo-location data exposure implies access to GPS/routing information in the Cariad breach. |
| **Lateral Movement** | Implied within PRT ransomware incident. |
| **Collection** | Clop collected client data; Cyberhaven collected session tokens/cookies. |
| **Exfiltration** | Clop used file transfer vulnerabilities/mechanisms for data extraction. |
| **Impact** | Service disruption (PRT), Data theft (Clop, ZAGG), Data exposure (Cariad), DDoS disruption (JAL). |
## Impact Assessment
- **Financial:** PRT services (ConnectCards) remain affected; Clop is demanding ransom. ZAGG exposed payment data.
- **Data Breach:** Sensitive customer geo-location data (800k records), raw session tokens/cookies, customer payment details (ZAGG).
- **Operational:** Rail service disruption (PRT); Flight delays (JAL).
- **Reputational:** Negative publicity for PRT, Clop victims, Cariad/VW, and ZAGG.
## Indicators of Compromise
*Data provided is for protection against the disclosed vulnerabilities, not confirmed IOCs from all incidents.*
- **Network indicators (Defanged):**
  * Protection signatures for the Clop ransomware: *Ransomware.Win.Clop; Ransomware.Wins.Clop.ta.\**
  * Protection signature for CVE-2024-50623: *Cleo Arbitrary File Upload (CVE-2024-50623)*
- **File indicators:** N/A (Specific hashes not provided for the week's incidents).
- **Behavioral indicators:** Sudden surge in network traffic (Indicative of JAL DDoS).
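The only behavioral indicator above, a sudden surge in network traffic, is easy to state and less easy to turn into a rule that does not fire on every busy minute. The script below is an added illustration, not Check Point's detection logic or anything from the JAL incident: it buckets access-log lines into fixed windows, compares each window against the median of the preceding windows, and flags windows that exceed both a multiple of that baseline and an absolute floor. The log format, addresses, paths, thresholds and the request volumes are all constructed for the example.

```python
"""Flag sudden request-rate surges in a web access log (constructed data).

Added example for the "sudden surge in network traffic" indicator; the
log line format "<ISO-8601 UTC timestamp> <client IP> <path>", the
thresholds and the traffic shape below are assumptions made for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

LOG_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one constructed log line into (aware UTC datetime, ip, path)."""
    ts, ip, path = line.split()
    when = datetime.strptime(ts, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)
    return when, ip, path


def requests_per_window(lines, window_seconds=60):
    """Count requests per fixed window, filling empty windows with zero so a
    quiet gap before a burst does not vanish from the baseline."""
    counts = Counter()
    for line in lines:
        when, _, _ = parse_line(line)
        counts[int(when.timestamp()) // window_seconds * window_seconds] += 1
    if not counts:
        return {}
    first, last = min(counts), max(counts)
    return {start: counts.get(start, 0)
            for start in range(first, last + window_seconds, window_seconds)}


def detect_surges(lines, window_seconds=60, baseline_windows=5,
                  factor=5.0, min_requests=20):
    """Return [(window_start_iso, count, baseline_median)] for windows whose
    request count is both above `min_requests` and more than `factor` times
    the median of the preceding `baseline_windows` windows.  The absolute
    floor stops a near-idle service from alerting on a handful of requests."""
    counts = requests_per_window(lines, window_seconds)
    starts = list(counts)
    surges = []
    for i, start in enumerate(starts):
        history = [counts[s] for s in starts[max(0, i - baseline_windows):i]]
        if len(history) < 2:
            continue  # not enough history to call anything a surge
        baseline = median(history)
        if counts[start] >= min_requests and counts[start] > factor * baseline:
            label = datetime.fromtimestamp(start, timezone.utc).strftime(LOG_TS_FORMAT)
            surges.append((label, counts[start], baseline))
    return surges


def top_sources(lines, window_start_iso, window_seconds=60, limit=3):
    """Most frequent client addresses inside one flagged window; useful for
    deciding whether a surge is a few sources (rate-limit them) or a flood."""
    start = datetime.strptime(window_start_iso, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)
    end = start + timedelta(seconds=window_seconds)
    sources = Counter(ip for when, ip, _ in map(parse_line, lines) if start <= when < end)
    return sources.most_common(limit)


def build_sample_log():
    """Constructed log: 3 requests/min for six minutes, then a one-minute
    burst of 60 requests from four addresses, then back to 3 requests/min."""
    base = datetime(2024, 12, 26, 6, 0, tzinfo=timezone.utc)
    lines = []
    for minute in (0, 1, 2, 3, 4, 5, 7):
        for k in range(3):
            when = base + timedelta(minutes=minute, seconds=17 * k)
            lines.append(f"{when:{LOG_TS_FORMAT}} 203.0.113.{10 + k} /flights/status")
    for k in range(60):
        when = base + timedelta(minutes=6, seconds=k)
        lines.append(f"{when:{LOG_TS_FORMAT}} 198.51.100.{k % 4} /checkin")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for window, count, baseline in detect_surges(sample):
        print(f"surge at {window}: {count} requests (baseline median {baseline})")
        print("  top sources:", top_sources(sample, window))
```

The median rather than the mean is used for the baseline so that one earlier burst does not raise the bar for the next one; in production the window length and thresholds would be tuned per service from historical traffic.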
## Response Actions
- **Containment:** (Implied for live incidents) Patching of known zero-days (if applicable post-discovery), firewall rule adjustments (if DDoS related), termination of malicious updates (Cyberhaven).
- **Eradication:** (Ongoing for PRT ransomware).
- **Recovery:** JAL systems resumed normal activity; PRT rail services resumed operations.
## Lessons Learned
- **Supply Chain Risk:** File transfer platforms (Cleo, MOVEit) and third-party e-commerce apps (FreshClick for ZAGG) remain prime targets for major threat groups (Clop).
- **Configuration Security:** Misconfigurations in cloud storage remain a persistent and high-impact threat (Cariad/VW exposing sensitive location data).
- **Zero-Day Exploitation:** Threat actors are actively weaponizing newly discovered zero-days immediately upon discovery (CVE-2024-50623).
- **Vulnerability Management:** Extremely critical, high-CVSS vulnerabilities (e.g., Apache MINA RCE 10.0, Apache Traffic Control SQLi 9.9) require immediate patching to prevent unauthenticated remote code execution.
## Recommendations
1. **Vendor Vetting:** Increase scrutiny and continuous auditing of third-party applications and software used in e-commerce/data handling pipelines (e.g., review FreshClick/BigCommerce security posture).
2. **Zero-Trust for MFT:** Implement rigorous monitoring and segmentation around Managed File Transfer (MFT) platforms, as they are repeatedly targeted by APTs/ransomware groups.
3. **Cloud Posture Management:** Mandate automated configuration auditing tools (CSPM) to continuously scan public-facing assets, especially cloud storage buckets, for exposure of PII/location data.
4. **Patch Critical Flaws Immediately:** Prioritize patching for critical vulnerabilities (CVSS $\ge 9.0$), especially those involving RCE or SQL Injection in widely deployed frameworks (like Apache products).
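Recommendation 3 and the Cariad/VW lesson both come down to one check a CSPM tool has to get right: does any path (bucket ACL, bucket policy, or a missing public-access block) let anonymous or all-authenticated principals read the data? The following is an added example, not Cariad's, VW's or Check Point's tooling. It evaluates configuration dictionaries shaped like the AWS S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses, and it accounts for the interaction between the layers (a public ACL is harmless when IgnorePublicAcls is on; a public policy statement is neutralised by RestrictPublicBuckets). Bucket names, owner IDs and the two sample configurations are constructed for the example.

```python
"""Flag public exposure in object-storage bucket configuration (constructed).

Added example for the "Cloud Posture Management" recommendation.  The input
shapes mirror AWS S3 API responses; the bucket names, owner ID and sample
configurations are assumptions made for this demo, not real resources.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for the wildcard principal in either of its policy spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_acl_grants(acl):
    """Grants to the AllUsers/AuthenticatedUsers groups as (group, permission)."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def public_policy_statements(policy):
    """Allow statements with a wildcard principal as (sid, actions, has_condition)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        # A Condition (source VPC, source IP, ...) narrows the grant; report it
        # for manual review instead of assuming it is fully public.
        found.append((stmt.get("Sid", "<no Sid>"), actions, bool(stmt.get("Condition"))))
    return found


def assess_bucket(name, public_access_block, acl, policy):
    """Return a list of human-readable findings; an empty list means no
    exposure path was found at the bucket level (object ACLs not covered)."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls", False):
        for group, permission in public_acl_grants(acl):
            findings.append(f"{name}: ACL grants {permission} to {group} "
                            f"and public ACLs are not ignored")
    if not pab.get("RestrictPublicBuckets", False):
        for sid, actions, conditioned in public_policy_statements(policy):
            note = " (narrowed by a Condition, review manually)" if conditioned else ""
            findings.append(f"{name}: policy statement {sid} allows "
                            f"{', '.join(actions)} to everyone{note}")
    missing = [key for key in PAB_KEYS if not pab.get(key, False)]
    if missing:
        findings.append(f"{name}: public access block incomplete (missing {', '.join(missing)})")
    return findings


# --- constructed sample configurations ------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::vehicle-telemetry-example/*",
}]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {key: True for key in PAB_KEYS}


def assess_examples():
    """Run the check over the constructed exposed and hardened buckets."""
    return {
        "vehicle-telemetry-example": assess_bucket(
            "vehicle-telemetry-example", None, EXPOSED_ACL, EXPOSED_POLICY),
        "vehicle-telemetry-hardened": assess_bucket(
            "vehicle-telemetry-hardened", HARDENED_PAB, PRIVATE_ACL, {}),
    }


if __name__ == "__main__":
    for bucket, findings in assess_examples().items():
        print(bucket, "->", findings or "no bucket-level exposure found")
```

The check is deliberately layered: a scanner that only looks at the ACL would miss the policy grant, and one that only looks at the policy would report a false positive on a bucket where RestrictPublicBuckets already blocks it. Wired to the real API it would iterate over every bucket in every account and run on a schedule, which is the "continuous" part of the recommendation.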