Cyware Daily Threat Intelligence

Daily Threat Briefing • July 17, 2024
As major ransomware operations like LockBit and BlackCat have declined, threat actors are shifting to other ransomware families for their extortion activities. Such is the case with the Scattered Spider threat group, which has partnered with RansomHub and Qilin to sustain its extortion schemes.
The financially-driven FIN7 has taken to advertising a new tool, named AvNeutralizer, which has already been widely adopted by various ransomware groups. Moreover, the group has also enhanced this tool with anti-analysis capabilities, making it an even bigger threat.
Amidst this turbulent cyber landscape, the CISA issued an urgent directive to patch a critical vulnerability in the GeoServer software. This RCE bug (CVE-2024-36401) is being actively exploited.
Scattered Spider adopts Qilin and RansomHub
The cybercrime group Scattered Spider is now using the RansomHub and Qilin ransomware variants in its attacks. This shift demonstrates how newer ransomware families like RansomHub and Qilin are gaining prominence as ALPHV/BlackCat and LockBit decline. Microsoft has described Scattered Spider as one of the most threatening cybercrime groups currently in operation.
FIN7 advertises security-bypassing tool
The financially motivated threat actor FIN7 has been observed advertising a specialized tool called AvNeutralizer in underground forums; the tool has been used by multiple ransomware groups. The group has also been observed using specialized tools like Core Impact and POWERTRASH, as well as running phishing campaigns and employing typosquatting tactics. FIN7 has recently modified AvNeutralizer to include anti-analysis techniques and to abuse a built-in Windows driver to evade detection. The group has also updated its Checkmarks platform to include an automated SQL injection attack module.
Private HTS program spreads malware
Malicious actors are continuously distributing the Quasar RAT through a private HTS program called HPlus, similar to a previous case involving Quasar RAT. The initial distribution file has been changed from an NSIS installer to an MSI installer. The downloaded package contains StockProh.exe as the launcher and Socketmanager240714.exe as the Quasar RAT payload. The malware now includes a remote-assistance feature that launches the AnyDesk application when the "Remote Support" button is clicked.
Patch GeoServer bug, warns CISA
The CISA warned organizations to urgently patch a critical vulnerability in the GeoServer software that is being actively exploited in the wild. Tracked as CVE-2024-36401, it is a remote code execution flaw that lets unauthenticated attackers run code on a default GeoServer installation by sending crafted input. The root cause is the unsafe evaluation of property names as XPath expressions in the GeoTools library API used by GeoServer. The CISA has added this vulnerability to its KEV catalog.
Chrome 126 updates released
Google has released security updates for Chrome 126 to address 10 vulnerabilities, including eight high-severity bugs reported by external researchers. These vulnerabilities could lead to sandbox escape and remote code execution. The release is rolling out for Windows, macOS, and Linux, with an update for Chrome on Android as well. Although there is no indication that these vulnerabilities are being exploited in the wild, users are advised to update their browsers promptly.
Oracle patches 386 bugs
Oracle released 386 new security patches as part of its July 2024 Critical Patch Update, including over 260 for unauthenticated, remotely exploitable vulnerabilities across various Oracle products. Oracle identified and patched roughly 240 unique CVEs in this update. Over 25 of the patched vulnerabilities were rated as critical severity. Oracle Communications received the largest number of patches, with 84 fixes for remotely exploitable, unauthenticated vulnerabilities.