May/June ‘24 Cybersecurity News Roundup: RAT Malware & Vulnerabilities Target Network Security 

Summer isn’t the only thing that’s heating up. So far in 2024, there have been at least 20 major cyber attacks, according to Tech Radar, with at least six of those happening in May alone. 

From late April through early June, threat actors have exploited vulnerabilities in VPN products as well as server software and hardware and have deployed malware under the guise of VPN installers. Below, we’ve compiled everything you need to know about these recent attacks, including our recommendations if you are in one of the affected groups.  

Malware disguised as OpenVPN Installer

Earlier in May, security researchers became aware of a remote access Trojan (RAT) named Nestdoor that gives attackers remote access to and control of infected systems, including file transfer, shell access, and command execution. The attackers are suspected to be part of the Lazarus Group, which has historically used proxy tools and open-source Socks5 tools. However, Nestdoor has also been linked to the Andariel group, and it is unknown which group is responsible for this attack.

In this instance, the attackers distribute the malware disguised as legitimate software: it is hidden within a compressed file named “OpenVPN Installer.exe” and uses a DLL file to launch, which then executes a copy of Nestdoor named “openvpnsvc.exe”. The primary targets of this attack appear to be South Korean domestic companies in the manufacturing, construction, and education sectors.
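The lure and payload names described above make a simple endpoint triage check possible. The script below is an added example, not code from the original post or from OpenVPN; it assumes an inventory of file paths with each file's first bytes (as an EDR or Sysmon export would give you) and that legitimate OpenVPN binaries are installed under `C:\Program Files\OpenVPN\bin`:

```python
from pathlib import PureWindowsPath

# Assumption: legitimate OpenVPN binaries live only under this directory.
EXPECTED_OPENVPN_DIR = r"C:\Program Files\OpenVPN\bin"
ZIP_MAGIC = b"PK\x03\x04"  # start of a ZIP archive; a real EXE starts with b"MZ"

def classify_service_binary(image_path: str):
    """Return a finding for any image named openvpnsvc.exe, else None."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "openvpnsvc.exe":
        return None
    if str(p.parent).lower() == EXPECTED_OPENVPN_DIR.lower():
        return "openvpnsvc.exe inside OpenVPN dir: verify publisher signature"
    return "openvpnsvc.exe outside OpenVPN dir: possible Nestdoor copy"

def is_lure_archive(path: str, head: bytes) -> bool:
    """True if a file carrying the lure's name is really a ZIP archive."""
    name = PureWindowsPath(path).name.lower()
    return name == "openvpn installer.exe" and head.startswith(ZIP_MAGIC)

def triage(inventory):
    """Return (host, path, finding) for every suspicious inventory record."""
    findings = []
    for rec in inventory:
        finding = classify_service_binary(rec["path"])
        if finding:
            findings.append((rec["host"], rec["path"], finding))
        if is_lure_archive(rec["path"], rec.get("head", b"")):
            findings.append((rec["host"], rec["path"], "ZIP disguised as OpenVPN installer"))
    return findings

# Constructed sample inventory (path plus first bytes of each file), not real telemetry.
SAMPLE_INVENTORY = [
    {"host": "ws01", "path": r"C:\Program Files\OpenVPN\bin\openvpn.exe", "head": b"MZ\x90\x00"},
    {"host": "ws02", "path": r"C:\Users\kim\Downloads\OpenVPN Installer.exe", "head": b"PK\x03\x04"},
    {"host": "ws02", "path": r"C:\Users\kim\AppData\Roaming\openvpnsvc.exe", "head": b"MZ\x90\x00"},
    {"host": "ws03", "path": r"C:\Program Files\OpenVPN\bin\openvpnsvc.exe", "head": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for host, path, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {path} -> {finding}")
```

A hit inside the install directory is still worth a look: the file name alone does not prove anything, so confirm the publisher signature before closing it out.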

Security recommendations

It’s important to patch and update software regularly. Encourage your team to ask IT or the security team to review any update before they open or install it. Additionally, ensure that multi-factor authentication (MFA) or single sign-on (SSO) is in place to verify that users are who they claim to be, even if their passwords become compromised.

We also advise that IT admins and security professionals review every available log stream to identify potential breaches or changes in your network security.

Zero day attacks on Check Point VPN gateway products

In late May, Check Point discovered and reported a zero-day vulnerability (CVE-2024-24919) in its Security Gateways with IPsec VPN enabled in the Remote Access VPN community and in the Mobile Access software blade. Exploiting this vulnerability can expose sensitive information on the Security Gateway, which in certain scenarios can allow the attacker to move laterally and gain domain admin privileges.

CVE-2024-24919 (CVSS score: 7.5) impacts Check Point’s VPN products including their CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

According to information provided by Check Point: "By May 24, 2024, we identified a small number of login attempts using old VPN local-accounts relying on [an] unrecommended password-only authentication method. This has now been traced back to a new high-severity zero-day discovered in Security Gateways with IPSec VPN, Remote Access VPN and the Mobile Access software blade. The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled."

Security recommendations

Check Point has released a hotfix and recommends that all users update their Check Point software. It also recommends that users update passwords and contact its support team for further assistance.

We also advise that any Check Point users and admins monitor for suspicious network activity. 
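Check Point's own description of what it saw (logins to old local accounts using password-only authentication) is a concrete pattern VPN admins can look for in their gateway logs. The script below is an added example, not Check Point's code or the original post's; its key=value log format and field names are constructed for the example, so map them to whatever your gateway actually exports:

```python
import re
from collections import defaultdict

# Constructed log format (not Check Point's): one auth event per line.
LINE_RE = re.compile(
    r'(?P<ts>\S+) vpn-auth user="(?P<user>[^"]+)" src=(?P<src>\S+) '
    r'account_type=(?P<atype>\w+) auth=(?P<auth>[\w+]+) result=(?P<result>\w+)'
)

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def password_only_local_logins(lines):
    """Return events where a local account authenticated with a password alone."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["atype"] == "local" and rec["auth"] == "password":
            hits.append(rec)
    return hits

def summarize(hits):
    """Per account: distinct source addresses seen and number of successful logins."""
    by_user = defaultdict(lambda: {"sources": set(), "successes": 0})
    for r in hits:
        by_user[r["user"]]["sources"].add(r["src"])
        if r["result"] == "success":
            by_user[r["user"]]["successes"] += 1
    return dict(by_user)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2024-05-24T03:12:07Z vpn-auth user="alice" src=198.51.100.7 account_type=directory auth=password+otp result=success
2024-05-24T03:14:41Z vpn-auth user="vpn-legacy" src=203.0.113.9 account_type=local auth=password result=failure
2024-05-24T03:14:52Z vpn-auth user="vpn-legacy" src=203.0.113.9 account_type=local auth=password result=success
2024-05-24T03:20:10Z vpn-auth user="vpn-legacy" src=203.0.113.77 account_type=local auth=password result=success
2024-05-24T03:25:00Z vpn-auth user="bob" src=198.51.100.8 account_type=local auth=certificate result=success
"""

if __name__ == "__main__":
    for user, info in summarize(password_only_local_logins(SAMPLE_LOG.splitlines())).items():
        print(f"{user}: {info['successes']} successful password-only logins from {sorted(info['sources'])}")
```

Any local account that shows up here is a candidate for the password reset and the move to stronger authentication that Check Point recommends, regardless of whether the logins succeeded.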

Oracle WebLogic Server OS Command Injection Vulnerability

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2017-3506 Oracle WebLogic Server OS Command Injection Vulnerability. 

According to CISA: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” 

This vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. A successful attack can give the attacker unauthorized access to critical data or to all data accessible to the WebLogic Server, along with the ability to create, delete, or modify that data.

If you use Oracle WebLogic Server to host your VPN or other network security services, an exploited instance poses additional risk. CISA has observed China-based attackers exploiting this vulnerability to deploy cryptocurrency mining tools, with the attacks carried out through customized HTTP requests.

Security recommendations

CISA has advised all Oracle users to apply fixes as they are released. Additionally, we advise all Oracle users to review their security measures and activity logs for any suspicious activity, and to ensure that all security protocols are up to date and in place.

Steps to improve your security before and after an attack

Regardless of whether your security provider has been compromised or your business has been attacked, we encourage you to take the following steps to improve your network security and prevent possible breaches or attacks: 

How OpenVPN can help 

If your VPN provider or security solutions have been breached or compromised, it's a great time to reevaluate your strategy. OpenVPN can help. Download OpenVPN’s award-winning CloudConnexa or Access Server for free, and improve your security posture in under 20 minutes. Get started with free connections today.

Want to check out our platform without downloading a trial? We’ve got you covered. Try our interactive product demo today.
