Cyware Daily Threat Intelligence

Daily Threat Briefing • October 11, 2022
Cybercriminals associated with the IcedID malware have developed new delivery techniques and tactics. Researchers observed several phishing campaigns in September in which the infection behavior changed and the malware more proficiently evaded detection and established persistence on hosts. Meanwhile, experts at Mandiant uncovered a new Phishing-as-a-Service (PhaaS) platform, Caffeine, aimed at amateur attackers: it aspires to help any beginner enter the phishing landscape through an entirely open registration process.
Flyers are expected to experience disruption in airport services after a Russian cybercrime group overwhelmed the websites of several U.S. airports. Killnet has claimed responsibility for flooding the sites with garbage requests.
Killnet takes down U.S. airports
Russian threat actor group KillNet targeted the websites of several major airports in the U.S. Travelers appear to have faced difficulty connecting to the sites, receiving updates about their scheduled flights, or using other airport services. While the websites of ATL and LAX were nearly inaccessible, other airports' sites returned database connection errors.
New ‘Creep’ malware series
According to ESET, the POLONIUM espionage group has been using four new, never-before-seen backdoors: TechnoCreep, FlipCreep, MegaCreep, and PapaCreep. Some of the ‘Creep’ backdoors abuse cloud services, including Dropbox, OneDrive, and Mega, as C2 servers, while others use standard TCP connections to remote C2 servers or retrieve commands to run from files hosted on FTP servers. PapaCreep is the most recent one, spotted in September, and the first written in C++ by the group.
New tactics by IcedID malware
IcedID malware has been observed evolving its distribution and delivery methods. The changes likely reflect the operators testing what works best against a variety of targets. In its latest development, the malware communicates with its C2 through a proxy over HTTPS and downloads additional payloads as directed by its operators. IcedID began as a modular banking trojan in 2017 but has since evolved into a malware dropper.
Mandiant discovers Caffeine service
Caffeine, a shared PhaaS platform, was observed being used by threat actors against customers of Mandiant Managed Defense in an attempt to steal their Office 365 account credentials. The platform enables novices to launch their own phishing campaigns. Unlike other PhaaS platforms, which focus on Western targets, Caffeine also provides phishing templates targeting Russian and Chinese platforms.
Hidden DNS resolvers are risky
Application security firm SEC Consult highlighted that hidden (closed) DNS resolvers could be exploited to perform email redirection and account takeover attacks. An outsider can abuse the functionality of web applications that trigger lookups on those resolvers to reach them even though they are not directly exposed. Name resolution on closed DNS resolvers can then be manipulated using a variant of cache poisoning attacks.
Seven high-severity RCE flaws
Horner Automation’s Cscape product was found to contain seven critical vulnerabilities, which the vendor has addressed in two stages. The bugs are described as out-of-bounds read/write, heap-based buffer overflow, and uninitialized pointer issues stemming from improper validation of user-supplied data when the application parses fonts.
Android’s security update patches 50 bugs
Google released the Android October 2022 security updates, which addressed about 50 flaws. Among them is a high-severity vulnerability in the Framework component identified as CVE-2022-20419. It is an information disclosure bug that could allow an unauthenticated user to escalate privileges, with no additional execution privileges needed.