Cyware Daily Threat Intelligence, November 25, 2024
Daily Threat Briefing • Nov 25, 2024
Cyber attackers are rewriting the playbook, blending stealth with sophistication to breach global targets. Earth Estries is leveraging a new malware to infiltrate telecom and government networks worldwide, exploiting server vulnerabilities to achieve their objectives.
A novel twist in cyber tactics is turning physical proximity into an attack vector. Russian state-backed group Fancy Bear carried out what Volexity calls the Nearest Neighbor Attack: it compromised a neighboring organization's network and used it to reach the victim's enterprise Wi-Fi, which accepted valid credentials without MFA. The goal was to collect data on Ukraine-related work and projects.
In other news, a phishing campaign weaponized Google Docs and Weebly to create convincing login pages, targeting telecom and financial sectors. The attackers demonstrated adaptability and resourcefulness, highlighting the need for advanced security measures.
Chinese APT group deploys new backdoor
Earth Estries, a Chinese APT group, has been actively targeting key sectors such as telecommunications and government agencies since 2023, with operations spanning the U.S., Asia-Pacific, Middle East, and South Africa. Its toolset includes the new GHOSTSPIDER backdoor alongside SNAPPYBEE and MASOL RAT. The group gains initial access by exploiting vulnerabilities in public-facing servers, then relies on living-off-the-land techniques to move through networks, deploy its malware, and conduct espionage.
Mysterious Elephant delivers new Asyncshell
The threat actor Mysterious Elephant, aka APT-K-47, has been using an advanced malware called Asyncshell to target entities in South Asia, primarily Pakistan. The group has also run a spear-phishing campaign with Hajj-themed lures to deliver a backdoor called ORPCBackdoor. Asyncshell itself has gone through multiple versions, gaining capabilities such as a switch from TCP to HTTPS for C2 communications. The threat actor further uses disguised service requests to control the address of the final shell server, illustrating the group's evolving tactics.
GruesomeLarch launches Nearest Neighbor Attack
Volexity reported that a Russian state-backed group, tracked as GruesomeLarch and better known as Fancy Bear, broke into a victim organization by abusing nearby Wi-Fi networks and exploiting a known software vulnerability, with the goal of collecting information about Ukraine. In this Nearest Neighbor Attack, the attackers first compromised the networks of organizations located near the victim and used them to reach the victim's Wi-Fi, which did not require MFA. GruesomeLarch began with password spray attacks that yielded valid credentials for three employees; because the victim's internet-facing services required MFA, those credentials were useless there, so the group instead used a dual-homed system in a neighboring organization (wired into that organization's network and with a Wi-Fi adapter in range of the victim's access points) to join the victim's enterprise Wi-Fi with the sprayed credentials. After being evicted, they regained access through the victim's guest Wi-Fi network, which was not fully isolated from the corporate network.
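The password-spray stage described above is the point where a defender has the most telemetry: many accounts, each failing once or twice from the same source, followed by a success. The following script is an added example (not Volexity's tooling or anything from the original briefing) that runs spray-detection logic over constructed authentication log lines. The log format, the field names, the sample IP addresses and user names, and the thresholds are all assumptions made for illustration.

```python
"""Password-spray detection over authentication log lines.

Added example; not part of the Volexity report or the Cyware briefing.
The log format, thresholds and every sample entry below are constructed
for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  203.0.113.7 sprays one guess across many accounts
# and then succeeds against "frank"; 198.51.100.9 hammers a single account
# (brute force, not spray); 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
2024-11-20T08:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-11-20T08:00:05Z auth src=203.0.113.7 user=bob result=FAIL
2024-11-20T08:00:09Z auth src=203.0.113.7 user=carol result=FAIL
2024-11-20T08:00:14Z auth src=203.0.113.7 user=dave result=FAIL
2024-11-20T08:00:20Z auth src=203.0.113.7 user=erin result=FAIL
2024-11-20T08:00:25Z auth src=203.0.113.7 user=frank result=SUCCESS
2024-11-20T08:01:00Z auth src=198.51.100.9 user=alice result=FAIL
2024-11-20T08:01:02Z auth src=198.51.100.9 user=alice result=FAIL
2024-11-20T08:01:04Z auth src=198.51.100.9 user=alice result=FAIL
2024-11-20T08:01:06Z auth src=198.51.100.9 user=alice result=FAIL
2024-11-20T08:01:08Z auth src=198.51.100.9 user=alice result=FAIL
2024-11-20T08:02:00Z auth src=192.0.2.44 user=grace result=SUCCESS
2024-11-20T08:30:00Z auth src=192.0.2.44 user=grace result=FAIL
"""

# Assumed line layout: "<ISO timestamp> auth src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, user, result) tuples; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag sources whose failures within `window` touch at least `min_accounts`
    distinct users with no more than `max_per_account` failures each (the spray
    signature: breadth over depth).  A single account being hit many times is
    brute force and is deliberately not matched.  For each flagged source the
    result also lists accounts that logged in successfully inside the window,
    since a success after a spray is the credential the attacker will reuse.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        # Slide a window starting at each failure and count distinct users in it.
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start[0] > window:
                    break
                per_user[e[2]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                window_end = start[0] + window
                successes = sorted({
                    e[2] for e in evs
                    if e[3] == "SUCCESS" and start[0] <= e[0] <= window_end
                })
                findings[src] = {
                    "accounts_targeted": len(per_user),
                    "success_after_spray": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info['accounts_targeted']} accounts, "
              f"successful logins: {info['success_after_spray'] or 'none'}")
```

The rule keys on breadth rather than volume, which is what distinguishes a spray from a lockout-triggering brute force; in the Volexity case the sprayed credentials only became dangerous on a service that did not enforce MFA, so the "success_after_spray" accounts are the ones to reset and to check for Wi-Fi or VPN logins from unexpected locations.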
Critical flaw in FluentSMTP plugin
A critical-severity vulnerability, CVE-2024-9511, has been found in the FluentSMTP WordPress plugin, potentially allowing attackers to execute arbitrary code. Successful exploitation could lead to file deletion, data retrieval, and complete takeover of the site. A partial fix has been released in version 2.2.83; website administrators are strongly advised to update to that version or higher immediately. Additional mitigations include keeping plugins and WordPress core current, enforcing strong passwords, monitoring for unexpected changes, and considering a web application firewall.
7-Zip bug enables RCE
A high-severity vulnerability (CVE-2024-11477) has been found in 7-Zip: an integer underflow can lead to a memory-safety error that allows attackers to execute malicious code when a crafted archive is processed. Users are advised to update to version 24.07 or later. Note that 7-Zip has no built-in auto-update mechanism, so the new version must be downloaded and installed manually, and bundled copies inside other software will need their own updates.
Phishing scheme weaponizes Weebly
A recent phishing campaign targeted the telecommunications and financial sectors using Google Docs and Weebly to deliver fake login pages. Attackers embedded malicious links in Google Docs presentations, relying on the trusted Google domain to get past email filters and endpoint defenses. The phishing sites hosted on Weebly mimicked well-known brands such as AT&T to trick victims into entering credentials. The attackers used tracking tools to refine their lures and followed up with SIM swapping attacks to bypass SMS-based MFA.
Sapphire Sleet, AI-driven scams, and crypto theft
Microsoft revealed that a North Korea-linked group called Sapphire Sleet has stolen over $10 million in cryptocurrency through social engineering schemes. The group creates fake LinkedIn profiles posing as recruiters or job seekers, and impersonates recruiters for financial firms such as Goldman Sachs to persuade targets to download malware disguised as skills assessments. Microsoft also described North Korean IT workers who rely on facilitators to create fake profiles and portfolios on platforms like GitHub and LinkedIn, and who use AI tools to alter stolen documents for job applications.