Argo Cyber Talk – December 2024 Report

In this review, we discuss the InfoCert data breach, the shutdown of Bitcoin.DMM.com following a cyberattack, and explore the cybersecurity vulnerabilities identified in the last month of 2024.

News from Italy

Linate and Malpensa: DDoS attack

Among the most significant news, a cyberattack claimed by the pro-Russian group Noname057(16) targeted several critical Italian infrastructures, including the website of the Ministry of Foreign Affairs and the airports of Linate and Malpensa. The attack, carried out as a Distributed Denial of Service (DDoS) operation, was allegedly motivated by Italy’s so-called “Russophobic” policies. While the affected websites were temporarily taken offline, the National Cybersecurity Agency (ACN) swiftly intervened, restoring services within two hours and mitigating the impact, which did not disrupt airport operations.

InfoCert data breach

Equally noteworthy is the cyberattack against InfoCert, one of Italy’s leading providers of SPID (digital identity services).

This breach led to the exfiltration of approximately 5.5 million personal data records, including 1.1 million phone numbers and 2.5 million email addresses. The attackers later put this information up for sale on BreachForums, a dark web marketplace, pricing the stolen data at $1,500. However, InfoCert assured that “no credentials or passwords for InfoCert services were compromised in this attack.”

Given this data theft, a notable increase in phishing campaigns is highly likely in the coming months.

News from the world

Cyberattack by TraderTraitor: Bitcoin.DMM.com shuts down

The Japanese cryptocurrency platform Bitcoin.DMM.com has fallen victim to a cyberattack orchestrated by the North Korean TraderTraitor group, which stole $308 million in cryptocurrency.

To execute the heist, the hackers leveraged social engineering techniques (e.g., phishing) to deceive an employee at Ginco, a company developing enterprise wallet software. The employee was tricked into executing malware disguised as a job interview test.

This malicious software compromised the system, enabling the attackers to redirect a legitimate transaction worth 4,502.9 bitcoins to wallets under their control.

Japanese and international authorities have launched an investigation, while Bitcoin.DMM.com has announced its closure in 2025.

New botnet: TP-Link, DigiEver and Teltonika

A new botnet has been discovered, built on Mirai code and designed to exploit vulnerabilities in TP-Link, DigiEver, and Teltonika RUT9XX devices. The attackers utilize a combination of remote code execution (RCE) exploits to run malicious commands. Once compromised, infected devices become part of the botnet, executing DDoS attacks and recruiting additional machines. A distinctive feature of this campaign is its use of advanced obfuscation techniques, such as XOR and ChaCha20 encryption, which enhance its resistance to detection. Additionally, the malware employs methods to maintain persistent control over infected devices.

The campaign, reportedly active since October 2024, has infected devices across x86, ARM, and MIPS architectures, demonstrating remarkable adaptability.

Cyber attacks and vulnerabilities

In December 2024, significant cyber vulnerabilities were identified, highlighting gaps in enterprise and security software, with targeted attacks on the Public Administration, Technology, and corporate networks and infrastructure sectors. We note the low number of threats, totaling 17; however, the majority of these (12) were assigned a high or critical risk level.

The Public Administration sector was attacked through malicious smishing and phishing campaigns, exploiting themes related to Poste Italiane and the Ministry of Defense. The healthcare and corporate sectors faced significant vulnerabilities in management systems and software. The last affected sector was media and entertainment, with two vulnerabilities, one of which was classified as high risk.

The situation is summarized in the following chart:

Distribution by sector of the cybersecurity vulnerabilities detected in December

The detected vulnerabilities affected both enterprise software and security solutions, highlighting gaps in digital infrastructures that could be exploited for various types of attacks.

Among the affected software, notable cases include SolarWinds and GitLab CE/EE, which are essential for infrastructure management and monitoring, as well as Zyxel firewalls and applications such as VMware Spring, Adobe ColdFusion, and Sophos. When exploited, these weaknesses could enable unauthorized access, data exfiltration, or service disruptions. In fact, many of these vulnerabilities were actively targeted by malicious actors. At the same time, targeted attacks also took place in the form of smishing, an SMS-based variant of phishing. These campaigns targeted Poste Italiane users, attempting to deceive them with seemingly legitimate messages related to postal correspondence. Additionally, a second phishing campaign, also highly sophisticated, exploited the branding of the Carabinieri and the Ministry of Defense to lure users into providing personal or financial information.

The technology and corporate network sectors also faced particular challenges, with vulnerabilities that could compromise network integrity and data security. While the healthcare and financial sectors were less affected in terms of volume, they remained key targets due to their high exposure to unauthorized access risks involving sensitive data. Finally, the media and entertainment sector encountered critical issues in production software, including Adobe ColdFusion and Premiere Pro.

Among the observed attack methods, the exploitation of vulnerabilities such as those in Zyxel firewalls (CVE-2024-11667) or Apache Struts (CVE-2024-53677) poses a significant threat to infrastructures. These exploits allow attackers to gain unauthorized access, execute malicious code, or even compromise entire systems.

CVE Monitoring – New Threats

Below are some examples of recently detected high- and critical-risk vulnerabilities:

CVE-2024-53677
Source: https://www.cve.org/CVERecord?id=CVE-2024-53677
This vulnerability in Apache Struts, for which a public Proof of Concept (PoC) exploit is available, allows attackers to execute arbitrary code on the affected system. Its danger lies in the potential for attackers to gain full control of the server hosting the vulnerable web application, leading to data theft, service disruption, or the use of the server for illicit purposes, such as distributing malware. Fortunately, it has been patched.

CVE-2024-8785
Source: https://www.cve.org/CVERecord?id=CVE-2024-8785
A critical flaw identified in versions of WhatsUp Gold prior to 24.0.1, a network monitoring software developed by Progress Software Corporation. This vulnerability allows an unauthenticated remote attacker to exploit the NmAPI.exe component to create or modify registry values in Windows. This can lead to arbitrary code execution on the target system, potentially allowing the attacker to gain full control of the compromised system. This issue has also been resolved.
