Malware Activity
Emerging Cyber Threats: Mirai Botnet, Apple Silicon Vulnerabilities, and ChatGPT Exploit
A Mirai botnet variant called Aquabot has been observed exploiting a medium-severity security flaw (CVE-2024-41710) in Mitel phones to recruit them into a network capable of launching distributed denial-of-service (DDoS) attacks. The vulnerability allows an authenticated attacker to execute arbitrary commands due to insufficient parameter sanitization. Aquabot uses a proof-of-concept (PoC) exploit to target the vulnerability; because exploitation requires authentication, initial access depends on brute-forcing, after which the malware downloads and installs an Aquabot payload, sets up persistence, and connects to its command-and-control (C2) server to receive instructions. The goal of Aquabot is to enlist devices in a DDoS swarm, which is advertised on Telegram as a testing tool for DDoS mitigation measures but is suspected to be offered as a DDoS service. The botnet has also been spotted spreading through other vulnerabilities, including those in Hadoop YARN, Linksys, Teltonika, Dasan GPON, and LB-LINK routers, highlighting the ongoing issue of Mirai-based botnets targeting internet-connected devices with poor security features. Separately, two (2) new side-channel attacks, SLAP and FLOP, have been discovered that target Apple silicon and could be used to leak sensitive information from web browsers such as Safari and Google Chrome by exploiting weaknesses in Apple's speculative execution mechanism and other CPU performance-improving features. A vulnerability in ChatGPT, dubbed "Time Bandit," has also been identified that allows users to bypass the AI model's safety guidelines and obtain detailed instructions on sensitive topics, including the creation of weapons, nuclear information, and malware, by exploiting weaknesses related to ChatGPT's timeline confusion and procedural ambiguity, further emphasizing the need for continued research and vigilance in the face of evolving cyber threats.
CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: New Aquabot Botnet Exploits article
- BleepingComputer: New Aquabotv3 Botnet Malware article
- SecurityWeek: Aquabot Botnet Targeting Vulnerable Mitel Phones article
- TheHackerNews: New Slap Flop Attacks article
- SecurityWeek: New Slap and Flop CPU Attacks article
- BleepingComputer: Time Bandit ChatGPT Jailbreak Bypass article
- TheRegister: DDOS Attacks Aquabot article
Threat Actor Activity
Operation Talent Leads to Arrests and Seizure of Cracked and Nulled Cybercrime Forums
An international law enforcement operation, named Operation Talent, has successfully dismantled major cybercrime forums Cracked and Nulled. These platforms, which collectively had over 10 million users, served as marketplaces for illegal goods and services, including stolen data, malware, and hacking tools. Cracked and Nulled were known for facilitating cybercriminal activities, hosting tools like AI-based scripts to scan for vulnerabilities and optimize attacks. The forums generated significant revenue, with Cracked making approximately $4 million and impacting 17 million victims in the U.S., while Nulled generated around $1 million annually from over 43 million posts advertising cybercrime tools. During the operation, law enforcement seized twelve (12) domains, seventeen (17) servers, and over fifty (50) electronic devices, along with approximately €300,000 in cash and cryptocurrency. Two (2) suspects were arrested in Valencia, Spain, and charges were unsealed against Lucas Sohn, an Argentinian national and administrator for Nulled, for his involvement in trafficking stolen passwords and identity theft. The crackdown also led to the shutdown of Sellix, a financial processor used by Cracked, and StarkRDP, a hosting service promoted on both forums. The seized data, including email and IP addresses of the 10 million registered users, will be used for further international investigations against criminal sellers and users of these platforms. The FBI changed the domains' name servers to indicate the seizure, and Cracked's staff confirmed the domain's seizure on Telegram, expressing their dismay. This operation follows recent law enforcement actions against other cybercrime operations, such as the takedown of PopeyeTools market and the disruption of MATRIX, an encrypted chat service used by criminals.
- Bleeping Computer: Operation Talent Article
- The Record: Operation Talent Article
- The Hacker News: Operation Talent Article
Vulnerabilities
Multiple PHP Voyager Flaws Can Be Exploited to Achieve RCE
The open-source PHP package Voyager, widely used for managing Laravel applications, has been found to contain three (3) critical security vulnerabilities that could be exploited to achieve one-click remote code execution (RCE) on affected instances. The three (3) flaws are CVE-2024-55417 (arbitrary file write), CVE-2024-55416 (reflected XSS), and CVE-2024-55415 (file leak/deletion). Attackers can leverage Voyager's media upload features to bypass MIME-type verification and upload malicious polyglot files that appear as images or videos but contain executable PHP code. Additionally, the reflected XSS flaw allows attackers to inject JavaScript into administrative popups, enabling them to execute arbitrary actions if an authenticated user clicks on a malicious link. The file management vulnerability further exposes servers to unauthorized file deletion or extraction of sensitive information. Despite responsible disclosure attempts by SonarSource researchers since September 2024, Voyager maintainers have not responded, leaving the flaws unpatched. Given the package's widespread use among Laravel developers, including startups, freelance developers, and small to medium-sized businesses, users are advised to restrict access, limit file upload permissions, enforce strict MIME-type validation, disable PHP execution for uploaded files, and monitor logs for unusual activity. Until official patches are released, CTIX analysts recommend avoiding Voyager in production environments or migrating to alternative Laravel admin panels.
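As an added illustration of the mitigations listed above (validate by content rather than by client-supplied MIME type, and never let an uploaded file reach the server as executable PHP), and not code from Voyager or from the SonarSource research, the following PHP helper checks an uploaded image by its actual bytes and re-encodes it so that an appended or embedded PHP payload cannot survive; it assumes PHP 8 with the fileinfo and GD extensions, and the function and path names are hypothetical.

```php
<?php
// Added example (not Voyager's code): strict image-upload validation that defeats
// polyglot files (bytes that parse as an image but also contain PHP code).
// $tmpPath is the uploaded temp file; $destDir is a directory the web server must
// never execute PHP from. Returns the stored path, or false when rejected.
function storeValidatedImage(string $tmpPath, string $destDir): string|false
{
    // 1. Type is decided from file content, never from the filename or the
    //    Content-Type header the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return false;
    }

    // 2. The file must decode as an image with plausible dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] * $info[1] > 25_000_000) {
        return false;
    }

    // 3. A PHP open tag anywhere in an "image" is a polyglot signature; reject and log it.
    //    (Only <?php and <?= are matched: legitimate JPEGs may carry "<?xpacket" XMP data.)
    $raw = file_get_contents($tmpPath);
    if ($raw === false || preg_match('/<\?php\b|<\?=/i', $raw)) {
        error_log("rejected upload: embedded PHP tag found in $tmpPath");
        return false;
    }

    // 4. Re-encode through GD. The output contains only pixel data, so metadata
    //    segments, comment blocks and trailing bytes used to hide code are dropped.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        return false;
    }
    // Server-chosen random name with a fixed extension; the original name is discarded.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $dest : false;
}
```

Pair this with a web-server rule that refuses to run PHP under the upload directory, so that even a file that slips past validation is served as static content rather than executed.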
- The Hacker News: PHP Voyager Vulnerabilities Article
- Bleeping Computer: PHP Voyager Vulnerabilities Article
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.