Windows Systems Compromised by Backdoored Linux VMs

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. The EMERALDWHALE Campaign exploits exposed Git and Laravel configuration files, compromising over 10,000 Git repositories to steal credentials, including cloud and database access keys. The Microsoft SharePoint RCE Exploit (CVE-2024-38094), a critical vulnerability, is being actively exploited for remote code execution (RCE), allowing attackers to deploy web shells for persistent access and disable defenses. CISA’s Alert on Palo Alto Networks Expedition Vulnerability warns of the active exploitation of CVE-2024-5910, a severe authentication vulnerability in the Expedition tool. The CRON#TRAP Phishing Campaign is a sophisticated phishing attack that uses a Linux virtual machine (VM) on Windows systems, masquerading as a OneAmerica survey. Finally, the VEILDrive Attack Using Microsoft Services targets organizations by exploiting Microsoft cloud services, such as Teams, SharePoint, Quick Assist, and OneDrive, to gain access and evade detection. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Exposed Git Configurations Exploited to Steal Credentials and Cloud Access

The “EMERALDWHALE” campaign has compromised over 10,000 Git repositories by exploiting exposed Git and Laravel configuration files to steal credentials, such as cloud and database access keys. These credentials were used to clone private repositories and sold in underground markets. Attackers employed automated tools to identify vulnerabilities, highlighting the critical need for improved source code and credential management practices. Cybersecurity researchers reported the use of specialized toolkits to scan IP ranges, leveraging data from sources like Google Dorks and Shodan. Recommendations to mitigate these threats include implementing multi-factor authentication (MFA), enforcing least privilege access controls, regularly rotating and expiring secrets, segregating sensitive data, and employing a zero-trust architecture. These measures, along with user training on phishing awareness and conducting security audits, can significantly reduce the risk posed by such large-scale credential theft campaigns.

2. Microsoft SharePoint RCE Exploit Enables Lateral Movement and Compromise 

A critical Microsoft SharePoint vulnerability, CVE-2024-38094, is actively exploited to gain unauthorized network access. This high-severity flaw allows remote code execution (RCE) and lets attackers install web shells for persistent access, often disabling defenses to expand control. Despite Microsoft’s July 2024 patch, unpatched systems remain at risk. Cybersecurity researchers observed attackers using this vulnerability to disable legitimate security tools, harvest credentials, scan networks, and attempt backup deletion, commonly linked to ransomware. To mitigate risk, organizations should update SharePoint, enforce MFA, segment networks, monitor for unauthorized applications, use intrusion detection, ensure secure backups, and configure EDR tools to detect known attack behaviors. Educating users on compromise signs and phishing tactics is also recommended.

3. Exploitation of Authentication Vulnerability in Palo Alto Networks Expedition

CISA has issued a warning regarding active exploitation of CVE-2024-5910, a severe authentication vulnerability in Palo Alto Networks’ Expedition tool, which allows attackers to reset admin credentials on exposed servers and access sensitive data. Rated 9.3 in severity, this flaw can expose configuration details and credentials on internet-facing servers. Cybersecurity researchers revealed an exploit that combines CVE-2024-5910 with a command injection flaw (CVE-2024-9464), enabling unauthorized control over PAN-OS firewalls. CISA has mandated that U.S. federal agencies secure affected servers by November 28. Organizations are urged to patch affected systems, restrict network access, rotate credentials, and monitor for suspicious activity on Expedition servers and firewalls.

4. Windows Systems Compromised by Backdoored Linux VMs

The CRON#TRAP phishing campaign is a sophisticated attack that uses a backdoored Linux virtual machine (VM) on Windows systems, disguising itself as a OneAmerica survey. Leveraging QEMU and PowerShell, the campaign installs a TinyCore Linux VM called ‘PivotBox’, containing a backdoor for covert access and network tunneling, allowing attackers to bypass firewalls and evade detection. The backdoor persists by setting auto-start configurations and generating SSH keys for re-access. Attackers gain control through commands that escalate privileges and evade security measures.

To mitigate this, organizations should educate employees on phishing risks, restrict virtualization software, monitor for unusual PowerShell and tunneling activity, and log SSH key generation. Implementing EDR solutions, network segmentation, and monitoring automated reboots for boot modifications can further enhance protection against this stealthy threat. network.

5. A Sophisticated Attack Using Microsoft Services for Stealthy Malware Distribution

The VEILDrive threat campaign targets organizations by exploiting Microsoft cloud services like Teams, SharePoint, Quick Assist, and OneDrive, making detection challenging. First observed in September 2024, it targeted a U.S. critical infrastructure organization (“Org C”) with spear-phishing tactics, using compromised accounts from other organizations (Org A and Org B) for phishing and malware distribution. The attack involved Java-based malware with dual command-and-control (C2) channels and multiple persistence techniques.

Attackers impersonated IT support via Quick Assist and shared malicious ZIP files on SharePoint to install LiteManager and Java-based malware. The C2 used OneDrive and an HTTPS connection to maintain control. VEILDrive evades detection by utilizing Microsoft services and layered persistence tactics.

Recommendations include disabling Microsoft Teams’ external access if unnecessary, restricting remote tools like Quick Assist, monitoring OneDrive and Microsoft Graph API traffic, tracking scheduled tasks for persistence signs, and training employees on phishing risks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider