$ today-brief --date 2026-06-06
[VERDICT: ELEVATED]

Active SolarWinds Serv-U Attacks Threaten Server Stability

CISA has issued a critical warning: threat actors are now actively exploiting a high-severity vulnerability in SolarWinds Serv-U to crash servers. This CVE-2024-38112 exploitation represents an immediate operational risk, as successful attacks can cause denial-of-service conditions, disrupting critical file transfer services. Organizations must patch immediately to Serv-U 15.5.1 Hotfix 1 or later versions. Additionally, blocking inbound traffic to Serv-U management ports (default TCP 22 for SSH, TCP 3389 for RDP) from untrusted networks at the perimeter firewall is essential. Security teams should review Serv-U server logs for unexpected crashes, service restarts, or connections from suspicious IPs, with particular focus on the Serv-U process and Windows System event logs.

Iranian APTs Target US Critical Infrastructure via PLCs

Iranian-affiliated advanced persistent threat (APT) actors are actively exploiting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure. These attacks target Rockwell Automation/Allen-Bradley PLCs including ControlLogix and CompactLogix models, potentially enabling disruptive physical effects. The advisory emphasizes that these devices were never designed for direct internet exposure. Immediate isolation of these PLCs using firewalls or OT DMZs is non-negotiable. Organizations must change default credentials on all PLC and HMI interfaces, enforcing strong passwords per Rockwell Automation’s security guidelines (Publication 10713). Network monitoring should be deployed to detect anomalous CIP (Common Industrial Protocol) traffic on TCP/44818 and UDP/2222.

Weaponized Exploits Emerge for Apache ActiveMQ and Gogs

The latest Metasploit framework update includes weaponized modules for two significant remote code execution vulnerabilities, increasing their threat level. The Apache ActiveMQ module exploits CVE-2023-46604, which allows unauthenticated attackers to execute arbitrary shell commands. The Gogs module targets CVE-2022-30781, enabling command execution through malicious branch names during rebase operations. Organizations running these services must patch immediately—Apache ActiveMQ to fixed versions and Gogs to version 0.13.0 or later. Network segmentation should restrict access to ActiveMQ ports (61616, 61613) and Gogs web/SSH ports from non-admin networks.

Supply Chain Threats Multiply in npm and AI-Powered CI/CD

Multiple fronts in the software supply chain are under attack. In the npm ecosystem, threat actors have distributed malicious and poisoned versions of over 50 legitimate packages, including 'node-hide-console-windows' and 'tiktok-signature', to spread the IronWorm information stealer and a new Miasma worm variant. Simultaneously, AI-powered CI/CD pipelines face novel risks, with Microsoft identifying a prompt injection vulnerability in the Claude Code GitHub Action that could expose workflow secrets. For npm, scan developer environments and CI/CD pipelines using JFrog's advisory and enforce 'npm audit --audit-level=high'. For AI CI/CD, update the 'anthropic-actions/claude-code-review' action to version v2.1.1 or later and restrict GitHub Actions permissions to least privilege.
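Added example, not from the brief or from JFrog: a small Python check that flags dependencies named in an advisory inside a project's package-lock.json, meant to run beside npm audit in CI. The block list holds only the two package names quoted above and is an assumed stand-in for the full advisory list; the lockfile content is constructed.

```python
"""Scan an npm package-lock.json for packages named in a supply-chain advisory.
Handles lockfileVersion 2/3 (flat "packages" map) and lockfileVersion 1
(nested "dependencies" tree), including transitive installs."""
import json
import sys

# Only the two names quoted in the brief; extend from the vendor advisory (assumption).
KNOWN_POISONED = {"node-hide-console-windows", "tiktok-signature"}


def find_poisoned(lock_json, blocklist=KNOWN_POISONED):
    """Return sorted (name, version, install path) triples for each hit."""
    lock = json.loads(lock_json)
    hits = set()
    if "packages" in lock:  # lockfileVersion 2/3
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Path ends in node_modules/<name>; scoped names keep their @scope/ prefix
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in blocklist:
                hits.add((name, meta.get("version", "?"), path))
    else:  # lockfileVersion 1: walk the nested dependency tree
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name in blocklist:
                    hits.add((name, meta.get("version", "?"), path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed sample lockfile with one direct and one transitive poisoned package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/tiktok-signature": {"version": "1.4.0"},
        "node_modules/some-cli/node_modules/node-hide-console-windows": {"version": "1.2.0"},
    },
})

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    found = find_poisoned(data)
    for name, version, path in found:
        print(f"POISONED {name}@{version} at {path}")
    sys.exit(1 if found else 0)  # non-zero exit fails the CI job
```

Run it as a pipeline step with the real lockfile path as its argument; it exits non-zero on any hit so the job fails before installation.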

Credential Harvesting and Mobile Spyware Target End Users

Two distinct campaigns are targeting end-user credentials and data. Suspicious polyfill login prompts have appeared on major websites including Toshiba and Muji, potentially harvesting user credentials through compromised third-party JavaScript. Meanwhile, the Asin Android spyware targets Arabic-speaking users through fake news, PDF, and war map applications, capable of harvesting contacts, messages, and device information. Website administrators must audit third-party JavaScript dependencies and implement strict Content Security Policy (CSP) headers. For mobile defense, deploy mobile threat defense solutions to detect Asin and block traffic to its C2 domains like govlens[.]net.

Organizations must prioritize patching SolarWinds Serv-U against CVE-2024-38112 above all else today. Immediately isolate internet-exposed Rockwell Automation PLCs and change default credentials—these critical infrastructure components are actively being hunted. Finally, audit npm dependencies and GitHub Actions workflows, removing malicious packages and updating the Claude Code action to v2.1.1 to secure development pipelines from these parallel supply chain threats.