Cloudflare Tunnels Exploited to Deliver Malware & Avoid Detection
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of the “lr-utils-lib” PyPI malware targeting macOS for Google Cloud credential theft, a critical ACI vulnerability exploited in the wild, ransomware groups exploiting VMware ESXi for elevated access via a critical vulnerability, the emergence of the BingoMod Android RAT, and the abuse of Cloudflare’s TryCloudflare service for malware delivery. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Malware Targets macOS Systems for Google Cloud Credential Theft
Cybersecurity researchers discovered a malicious PyPI package, “lr-utils-lib,” targeting macOS systems to steal Google Cloud credentials. Uploaded in June 2024, it was downloaded 59 times before removal. The malware identifies specific macOS machines using UUIDs, then accesses Google Cloud authentication files and sends the data to a remote server.
Researchers also uncovered a fake LinkedIn profile linked to the attacker. This follows a similar attack with the “requests-darwin-lite” package, suggesting targeted knowledge of specific macOS systems. Developers are advised to verify package authenticity, implement security scanning, monitor system behavior, and use best practices for package management.
2. Critical ACI Vulnerability Exploited: Urgent Patching Recommended
Researchers have discovered a critical vulnerability (CVE-2023-45249) in Acronis Cyber Infrastructure (ACI) that allows unauthenticated attackers to bypass authentication using default credentials. This flaw, which affects multiple versions and enables remote code execution, was patched nine months ago but has been exploited in the wild. Users must promptly update their installations to secure their systems.
Recommendations include regularly checking for updates, verifying whether a server is vulnerable via the Help -> About dialog, and installing the latest build from the Acronis account.
3. VMware ESXi Authentication Bypass Exploited for Elevated Access
A critical vulnerability (CVE-2024-37085) in VMware ESXi hypervisors, allowing attackers to bypass authentication and gain administrative access through Active Directory (AD) integration, is being actively exploited by ransomware groups. This flaw lets attackers manipulate the ‘ESX Admins’ group to gain full control over ESXi hosts, leading to ransomware deployment, data theft, and lateral network movement.
Attacks have included the use of Qakbot, Cobalt Strike, and Pypykatz for privilege escalation. Users must promptly apply patches, review and secure AD groups, check for unauthorized changes, and enhance AD security to mitigate these risks.
4. New Android Malware Exploits Banking Apps and Wipes Devices Clean
Cybersecurity researchers have discovered BingoMod, a new Android remote access trojan (RAT) designed for fraudulent money transfers and device wiping to eliminate traces. Identified in May 2024, BingoMod is distributed via smishing campaigns and disguises itself as legitimate security tools. It requests Accessibility Services permissions to gain extensive control, enabling remote operators to steal credentials, take screenshots, and intercept SMS messages.
The malware also uses advanced evasion techniques and can remove security apps or wipe devices. Believed to be developed by a Romanian-speaking threat actor, BingoMod is still under active development. Users are advised to avoid suspicious links, verify app sources, and scrutinize app permissions.
5. Threat Actors Exploit Cloudflare Tunnels to Avoid Detection and Distribute Malware
Cybersecurity researchers report a rise in the abuse of Cloudflare’s TryCloudflare service for malware delivery. Attackers use this service to create one-time tunnels from attacker-controlled servers to local machines, with the infection chain typically initiated by phishing emails containing malicious ZIP archives. These emails lead to TryCloudflare-proxied WebDAV servers hosting malicious Windows shortcut (LNK) files. Once executed, the shortcuts run batch scripts that download additional payloads and display decoy PDFs to evade detection.
This method has been used to deliver various malware families, including AsyncRAT and Venom RAT, targeting organizations globally with emails in multiple languages. Recommendations include modifying script file settings, restricting access to external file-sharing services, implementing email filtering, using behavioral analysis tools, and deploying EDR solutions.
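Detection logic for the delivery chain described above, as an added example that is not part of the SISA advisory: it scans constructed web-proxy log lines for WebDAV methods or shortcut/archive downloads from `*.trycloudflare.com` quick-tunnel hosts. The log format, host names and client addresses are assumptions made for the demo.

```python
# Added example (not from the SISA advisory): flag web-proxy log lines that match
# the TryCloudflare-proxied WebDAV delivery chain: a *.trycloudflare.com host
# receiving WebDAV requests or serving Windows shortcut / archive files.
# The log format, host names and client IPs are constructed for this demo.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed proxy log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}
SUSPICIOUS_EXT = (".lnk", ".zip", ".bat", ".url")

def classify(line: str) -> Optional[str]:
    """Return a reason string if the line matches the delivery chain, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignore rather than guess
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    if not host.endswith(".trycloudflare.com"):
        return None  # only quick-tunnel hosts are in scope for this check
    path = parts.path.lower()
    if m["method"] in WEBDAV_METHODS:
        return f"webdav {m['method']} to quick tunnel {host}"
    if path.endswith(SUSPICIOUS_EXT):
        return f"fetch of {path.rsplit('/', 1)[-1]} from quick tunnel {host}"
    return None

def scan(lines) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((LOG_RE.match(line.strip())["client"], reason))
    return hits

# Constructed sample log: one benign browse, then a WebDAV listing and an LNK
# download from a quick-tunnel host, a decoy PDF, and another benign request.
SAMPLE_LOG = """\
2024-08-01T09:12:01Z 10.1.4.22 GET https://www.example.com/index.html 200
2024-08-01T09:12:44Z 10.1.4.22 PROPFIND https://quiet-river-demo.trycloudflare.com/share/ 207
2024-08-01T09:12:45Z 10.1.4.22 GET https://quiet-river-demo.trycloudflare.com/share/Invoice.lnk 200
2024-08-01T09:13:02Z 10.1.4.22 GET https://quiet-river-demo.trycloudflare.com/share/decoy.pdf 200
2024-08-01T09:13:30Z 10.1.4.31 GET https://docs.example.com/manual.pdf 200
"""

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG.splitlines()):
        print(client, reason)
```

The decoy PDF request is deliberately not flagged on its own; it is the WebDAV listing and the shortcut fetch that mark the chain.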
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.