Cyware Monthly Threat Intelligence, April

The Good

• The Five Eyes agencies have published a joint cybersecurity information sheet that offers guidance and recommendations on deploying and operating externally developed AI systems. The document, titled "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems," provides methodologies for protecting data and AI systems, with a focus on securing the deployment environment, continuously protecting AI systems, and securing AI operation and maintenance.
• GSM Association’s Fraud and Security Group (FASG) issued the first version of the Mobile Threat Intelligence Framework (MoTIF) to delineate how adversaries attack and use mobile networks, based on their TTPs. MoTIF covers mobile network-related attacks not addressed by existing frameworks like MITRE ATT&CK and MITRE FiGHT, encompassing 2G, 3G, 4G, 5G, telecommunication service enablers, and future mobile technology evolutions.
• The CISA introduced a dedicated High-Risk Communities webpage aimed at providing cybersecurity resources for high-risk communities, including activists, journalists, and human rights defenders. The initiative offers tailored guidance and tools to mitigate cyber threats, recognizing the increased risk these groups face. Resources include Project Upskill, offering "how-to" guides for non-technical individuals, information on local cyber volunteer programs, and a repository of free or discounted cybersecurity tools.
• The Biden administration introduced new privacy regulations aimed at protecting abortion providers and patients from conservative legal threats. The rules by HHS prevent healthcare entities from sharing patient information with state officials investigating or prosecuting abortion-related cases. They safeguard individuals seeking abortions across state lines or facing state abortion bans due to circumstances like rape. Despite the controversy, officials stress the importance of privacy and patient rights.

The Bad

• A new cyber campaign dubbed Dev Popper was found tricking software developers with fake job interviews, leading them to download a Python RAT. Orchestrated by North Korean threat actors, the attack employs multi-stage social engineering tactics. Victims are instructed to run code from GitHub during the interview, unknowingly activating the RAT. Once installed, the trojan gathers system data and enables remote access.
• Months after Qlik disclosed security flaws, Cactus ransomware has been found abusing those to gain an initial foothold in target environments. The flaws, disclosed in August and September 2023, allow remote code execution. Despite prior warnings, thousands of Qlik Sense servers remain vulnerable, with over 3,000 exposed to Cactus group attacks. Fox-IT's scan revealed 122 likely compromised instances, emphasizing the urgency for remediation.
• A newly discovered RAT was observed targeting Android devices by masquerading as popular social media apps like Snapchat and Instagram. This malware, equipped with advanced capabilities, harvests credentials through phishing attacks facilitated by fraudulent HTML login pages. Upon installation, it gains intrusive permissions and communicates with a C2 server to execute commands.
• Cybersecurity researchers at F.A.C.C.T. took the wraps off of a new ransomware group dubbed Muliaka. Operating since at least December 2023, Muliaka targets Russian businesses, utilizing tactics like disguising ransomware as corporate antivirus software and exploiting VPN services for remote access. Unlike its predecessor, Muliaka's malware terminates processes and system services before encryption, marking a notable evolution in malicious tools post-Conti leak.
• Eric Daigle, a student at the University of British Columbia, disclosed vulnerabilities in the popular location-tracking app iSharing, allowing access to users' precise location data and personal information. The bugs, affecting over 35 million users, enabled unauthorized access to location data and exposed users' names, profile photos, email addresses, and phone numbers. Daigle's findings prompted iSharing to address the issue, acknowledging the oversight.
• AI security firm HiddenLayer uncovered a critical vulnerability in the R programming language's serialization process (CVE-2024-27322). This flaw allowed for arbitrary code execution when loading malicious RDS files, posing a significant risk to the associated software supply chain. Exploiting lazy evaluation and promise objects, attackers could inject code that executes upon referencing the symbol associated with the compromised file.
• The Blackjack hacker group reportedly unleashed the destructive Fuxnet malware to target one of Moscow's internet providers and military infrastructure, damaging emergency detection and response systems. This sophisticated malware aimed to disable 87,000 sensors and control systems. Fuxnet was deployed to lock devices, erase filesystems, disable services, and rewrite flash memory, rendering them inoperable. The malware's final objective was to disrupt sensors by flooding serial channels.
• Cyber espionage group Earth Freybug (aka APT41) launched a phishing campaign utilizing a new malware called UNAPIMON. The attack, reminiscent of previous campaigns, targeted multiple sectors across several countries. The UNAPIMON malware, detected in the attack flow, utilizes DLL hijacking and API unhooking techniques to evade detection. Deployed through batch files and service manipulation, the malware prevents child processes from being monitored, allowing malicious activity to go undetected.
• ??Red Hat issued a warning regarding a backdoor flaw discovered in the xz data compression software library, potentially impacting instances of Fedora Linux 40 and Fedora Rawhide. The backdoor, present in xz versions 5.6.0 and 5.6.1, allows for remote access via OpenSSH and System. Designated as CVE-2024-3094, the vulnerability is rated as critical.
• Apple sent alerts to iPhone users in 92 countries, warning them of potential targeting by mercenary spyware attacks. The notifications advise users to take the threat seriously as the company refrained from disclosing attacker identities or affected countries to prevent adaptive behavior. Similar past incidents were linked to NSO Group's Pegasus. The alert comes amid rising concerns about state-sponsored interference in elections within selective countries.
• Visa warned about a surge in detections of a new variant of JsOutProx malware targeting financial institutions in South and Southeast Asia, the Middle East, and Africa. The malware enabled attackers to execute various malicious activities, including command execution, payload downloads, and keyboard/mouse control. The phishing campaign associated with JsOutProx involved fake financial notifications sent via email, with malicious JavaScript files hosted on GitLab.
• Cybersecurity firm Wiz identified two critical vulnerabilities within Hugging Face's AI platform, potentially exposing millions of private AI models and apps. The risks involved a shared inference infrastructure takeover and a shared CI/CD takeover, allowing attackers to compromise the platform's integrity. Wiz recommended isolation and segmentation as crucial steps to mitigate such risks for AI-as-a-service providers.
• Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. Additionally, Paragon Active Assurance Control Center and Junos OS also received patches for high-severity flaws, such as information leaks and denial-of-service vulnerabilities.
• The TA558 hacking group launched a new campaign called SteganoAmor, with over 320 attacks impacting multiple sectors across different countries. The attackers exploited the CVE-2017-11882 flaw in Microsoft Office while deploying long chains of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, SnakeKeylogger, and XWorm. The attackers used compromised legitimate FTP servers for C2 and SMTP servers for C2 and phishing. The group also uses legitimate services to store malware strings and images with embedded malicious code.