FortiNDR Cloud
SaaS-based NDR solution providing 365 days of data retention, along with a Technical Success Manager
kcheung (Staff)
Article Id 396664
Description

FortiGuard Labs has observed a high level of attack activity exploiting vulnerabilities associated with Earth Lamia APT activity.

 

Earth Lamia APT is a hacking group that targets a range of sectors such as finance, government, IT, logistics, retail, and education. Earth Lamia APT primarily exploits known vulnerabilities in public-facing systems and web applications to gain access.

 

The following software vulnerabilities have been observed in use during Earth Lamia APT campaigns:

 

JetBrains TeamCity
JetBrains TeamCity is a CI/CD tool for automated code building, testing and deployment.

 

CVE-2024-27198 is an authentication bypass vulnerability in JetBrains TeamCity which could lead to remote code execution (RCE) by an unauthorized attacker.
CVE-2024-27199 is a path traversal vulnerability in JetBrains TeamCity which could lead to admin actions by an unauthorized attacker.

 

The following versions of JetBrains TeamCity are vulnerable to CVE-2024-27198 & CVE-2024-27199:

  • Version < 2023.11.4

 

CyberPanel
CyberPanel is a web hosting control panel for managing websites, email, and servers.

 

CVE-2024-51378 & CVE-2024-51567 are authentication bypass vulnerabilities in CyberPanel which allowed unauthenticated attackers to execute arbitrary code.

 

The following versions of CyberPanel are vulnerable to CVE-2024-51378 & CVE-2024-51567:

  • Version < 2.3.8

 

Apache Struts

Apache Struts is an open-source framework for developing Java-based web applications.

 

CVE-2017-9805 is a remote code execution (RCE) vulnerability in Apache Struts which allowed unauthenticated attackers to execute arbitrary code.

 

The following versions of Apache Struts are vulnerable to CVE-2017-9805:

  • 2.1.2 ≤ Version < 2.3.34
  • 2.5.0 ≤ Version < 2.5.13

 

WordPress File Upload Plugin
WordPress is a free, open-source content management system (CMS) that lets you easily create and manage websites or blogs.

 

CVE-2024-9047 is a path traversal vulnerability in the WordPress file upload plugin which allows unauthenticated attackers to read or delete files outside the intended directory.

 

The following versions of WordPress file upload plugin are vulnerable to CVE-2024-9047:

  • Version < 4.24.12

 

GitLab
GitLab is a collaborative software development platform that combines source code management, issue tracking, and automated deployment in a single application.

 

CVE-2021-22205 is a remote code execution (RCE) vulnerability in GitLab which allowed unauthenticated attackers to execute arbitrary code.

 

The following versions of GitLab are vulnerable to CVE-2021-22205:

  • GitLab Community:
    • 11.9.0 ≤ Version < 13.8.8
    • 13.9.0 ≤ Version < 13.9.6
    • 13.10.0 ≤ Version < 13.10.3
  • GitLab Enterprise:
    • 11.9.0 ≤ Version < 13.8.8
    • 13.9.0 ≤ Version < 13.9.6
    • 13.10.0 ≤ Version < 13.10.3

 

CraftCMS
CraftCMS is a content management system (CMS) used to build custom websites and digital experiences.

 

CVE-2024-56145 is a remote code execution (RCE) vulnerability in CraftCMS which allowed unauthenticated attackers to execute arbitrary code.

 

The following versions of CraftCMS are vulnerable to CVE-2024-56145:

  • 3.0.0 ≤ Version < 3.9.14
  • 4.0.0 ≤ Version < 4.13.2
  • 5.0.0 ≤ Version < 5.5.2

 

SimpleHelp
SimpleHelp is a remote support and access software that allows technicians to securely control and manage computers over the internet.

 

CVE-2024-57727 is a path traversal vulnerability which allowed unauthenticated attackers to download arbitrary files from the SimpleHelp host via specially crafted HTTP requests.

 

The following versions of SimpleHelp are vulnerable to CVE-2024-57727:

  • Version < 5.5.8

CVE ID

  • CVE-2024-27198 (https://nvd.nist.gov/vuln/detail/CVE-2024-27198)
  • CVE-2024-27199 (https://nvd.nist.gov/vuln/detail/CVE-2024-27199)
  • CVE-2024-51378 (https://nvd.nist.gov/vuln/detail/CVE-2024-51378)
  • CVE-2024-51567 (https://nvd.nist.gov/vuln/detail/CVE-2024-51567)
  • CVE-2017-9805 (https://nvd.nist.gov/vuln/detail/CVE-2017-9805)
  • CVE-2024-9047 (https://nvd.nist.gov/vuln/detail/CVE-2024-9047)
  • CVE-2021-22205 (https://nvd.nist.gov/vuln/detail/CVE-2021-22205)
  • CVE-2024-56145 (https://nvd.nist.gov/vuln/detail/CVE-2024-56145)
  • CVE-2024-57727 (https://nvd.nist.gov/vuln/detail/CVE-2024-57727)
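For asset-inventory triage, the version ranges listed above can be turned into a lookup that reports which of these CVEs apply to a given product version. This is an added example, not code from the Fortinet article; the product names used as keys and the numeric version-comparison rules are assumptions, and range bounds follow the article (lower bound inclusive, upper bound exclusive).

```python
# Added example (not part of the Fortinet article): flag which of the CVEs
# above apply to an inventoried product version, using the version ranges the
# article lists. Bounds follow the article: lower bound inclusive (None = no
# lower bound), upper bound exclusive (the first version outside the range).
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[Optional[str], str]  # (lower_inclusive, upper_exclusive)

# Product names are assumed keys; CVE IDs and ranges are those stated in the article.
VULNERABLE: Dict[str, List[Tuple[str, List[Range]]]] = {
    "JetBrains TeamCity": [("CVE-2024-27198", [(None, "2023.11.4")]),
                           ("CVE-2024-27199", [(None, "2023.11.4")])],
    "CyberPanel": [("CVE-2024-51378", [(None, "2.3.8")]),
                   ("CVE-2024-51567", [(None, "2.3.8")])],
    "Apache Struts": [("CVE-2017-9805", [("2.1.2", "2.3.34"), ("2.5.0", "2.5.13")])],
    "WordPress File Upload Plugin": [("CVE-2024-9047", [(None, "4.24.12")])],
    "GitLab": [("CVE-2021-22205", [("11.9.0", "13.8.8"), ("13.9.0", "13.9.6"),
                                   ("13.10.0", "13.10.3")])],  # Community and Enterprise
    "CraftCMS": [("CVE-2024-56145", [("3.0.0", "3.9.14"), ("4.0.0", "4.13.2"),
                                     ("5.0.0", "5.5.2")])],
    "SimpleHelp": [("CVE-2024-57727", [(None, "5.5.8")])],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.34' -> (2, 3, 34); a leading 'v' and suffixes such as '-rc1' are dropped."""
    parts = []
    for part in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric 'a < b'; shorter versions are padded with zeros,
    so '2.3' equals '2.3.0' rather than sorting before it."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))

def affected_cves(product: str, version: str) -> List[str]:
    """CVE IDs from the article whose vulnerable ranges contain this version."""
    hits = []
    for cve, ranges in VULNERABLE.get(product, []):
        for lower, upper in ranges:
            if (lower is None or not version_lt(version, lower)) and version_lt(version, upper):
                hits.append(cve)
                break  # one matching range is enough for this CVE
    return hits
```

Note that a version in a gap between two listed ranges (for example Apache Struts 2.4.x) is reported as not affected, because the article lists no range covering it; a numeric comparison is used so that 13.10.x sorts after 13.8.x.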
NDR Cloud Detection Rule

FortiNDR Cloud v25.2.b+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: JetBrains TeamCity Authentication Bypass - CVE-2024-27198/CVE-2024-27199 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: CyberPanel Remote Command Injection - CVE-2024-51567 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: CyberPanel Remote Command Injection - CVE-2024-51378 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: WordPress WP File Upload Plugin Path Traversal - CVE-2024-9047 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: GitLab Remote Command Injection CVE-2021-22205 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Craft CMS Remote Code Injection - CVE-2024-56145 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: SimpleHelp Remote Support Path Traversal - CVE-2024-57727 | Attack: Exploitation | T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting: FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Earth Lamia APT Attack" related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=earth%20lamia%20apt%20attack
All IOCs relating to "Earth Lamia APT Attack" have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations or detections using the Suricata signatures (listed by SID) below:
2051505 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
2051506 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
2051507 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
2051508 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
2051509 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
2051510 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
2051511 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
2051512 -> ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
2059721 -> ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)
2057154 -> ET WEB_SPECIFIC_APPS Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)
2027516 -> ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)
2034455 -> ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)
2044201 -> ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)
2058436 -> ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)
2059843 -> ET WEB_SPECIFIC_APPS SimpleHelp Support Server Unauthenticated Path Traversal (serverconfig.xml) (CVE-2024-57727)

Other Fortinet Products: For more details on mitigating these vulnerabilities with Fortinet products, refer to:
https://www.fortiguard.com/outbreak-alert/earth-lamia-apt-attack