The Good

Recent developments showcase a proactive stance in bolstering cybersecurity across critical sectors. The collaboration between the U.K’s National Crime Agency (NCA) and the FBI to dismantle the Qilin ransomware gang highlights international efforts to combat cybercrime affecting healthcare providers globally. Meanwhile, the release of Supply Chain Cybersecurity Principles by the U.S. Department of Energy and the establishment of a G7 cybersecurity framework for operational technologies underscored a collective commitment to fortifying cybersecurity in global energy supply chains. On the other hand,**** the CISA Cybersecurity Advisory Committee's recommendations to optimize the Joint Cyber Defense Collaborative (JCDC) emphasized a strategic focus on operational cyber defense. This initiative enhances public-private partnerships in sharing cybersecurity data and coordinating defense operations, strengthening national cyber resilience.

• The U.K's National Crime Agency (NCA) and the FBI have joined forces to track down and disrupt the activities of the Qilin ransomware gang. The agencies are trying to identify and apprehend the criminals behind Qilin, which has been operating with the apparent approval of the Russian government. The Qilin ransomware gang has targeted global healthcare providers, causing widespread disruption and leaking sensitive patient data.
• The U.S. Department of Energy released Supply Chain Cybersecurity Principles, backed by prominent suppliers and manufacturers, to strengthen cybersecurity in global energy supply chains. The principles create a framework to strengthen key technologies used to manage and operate electricity, oil, and natural gas systems around the world. The principles were developed for manufacturers and end users alike to improve the cybersecurity of energy supply chains.
• The Group of Seven (G7) countries agreed to establish a collective cybersecurity framework for operational technologies in the energy sector. This framework aims to address the vulnerability of energy systems to cyberattacks and ensure the cyber security of new digital clean energy technologies. The leaders also discussed various cybersecurity issues, including ransomware and cyberattacks by adversarial countries, and announced the creation of a G7 Cybersecurity Working Group.
• The FCC has approved a $200 million pilot program to enhance cybersecurity in schools and libraries, aiming to prevent cyberattacks against these institutions. This decision comes in response to a rise in cyberattacks on schools and libraries, with the FCC aiming to address the issue by allocating funds from the Universal Service Fund. The proposal also includes a requirement for major broadband providers to submit plans to improve the cybersecurity of the Border Gateway Protocol, a crucial data transmission algorithm.
• The CISA Cybersecurity Advisory Committee (CSAC) has adopted recommendations to optimize the Joint Cyber Defense Collaborative (JCDC), a public-private partnership focused on sharing cybersecurity data and coordinating cyber defense operations. The key recommendations suggest JCDC should focus on “operational cyber defense.”

The Bad

The ongoing cyber incidents underscore the evolving and diverse threats faced globally. The Unfurling Hemlock group’s use of the cluster bomb technique highlighted their advanced tactics in delivering multiple malware types, posing significant challenges for detection and mitigation across targeted countries. Some persistent state-sponsored operations were seen. State-linked threat actors like UAC-0184 and Midnight Blizzard were observed conducting cyber-espionage campaigns against Ukraine and France respectively, leveraging sophisticated malware and social engineering tactics to compromise sensitive networks. Scammers were seen using fake job ads to lure victims into cryptocurrency scams highlighting ongoing efforts to exploit economic uncertainties and remote work trends, posing financial risks to unsuspecting job seekers.

• The Unfurling Hemlock threat actor is using a malware cluster bomb technique to deliver multiple types of malware to compromised systems, providing high levels of redundancy and persistence. Over 50,000 cluster bomb files linked to the threat group have been identified, with the attacks targeting systems primarily in the U.S., as well as in Germany, Russia, Turkey, India, and Canada. The attacks begin with the execution of a file named 'WEXTRACT.EXE', which contains nested compressed cabinet files, each containing a malware sample. The final stage executes the extracted files in reverse order.
• Cyble identified the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm RAT. The campaign begins with a malicious LNK shortcut file disguised as an Excel document, which executes a PowerShell script to download and execute malicious files. The attackers use DLL sideloading and a tool called Shadowloader to inject the XWorm RAT into a running process. The XWorm RAT has various capabilities, including data theft, DDoS attacks, and cryptocurrency manipulation.
• The polyfill[.]io domain, previously used for JavaScript polyfills, has been compromised and is now serving malicious code to over 100,000 websites. The domain was bought by a Chinese organization, leading to a supply chain attack that infected visitors' browsers with malware. The malicious code is dynamically generated based on the website's HTTP headers, making it difficult to detect and block. Google has started blocking Google Ads for affected websites to reduce traffic and potential victims.
• SpyMax, an Android RAT, has been spotted targeting Telegram users. It does not require rooted devices, making it easier for threat actors to gather private information and control victims' devices. The malware pretends to be the Telegram app and requests Accessibility Service permission, acting as a trojan with keylogger capabilities. It collects location information and communicates with a C2 server to send compressed data and receive system commands and APK payload.
• North Korean hackers are actively using the HappyDoor malware in spear-phishing email attacks to steal sensitive information and gain remote access. HappyDoor is a malware used by the Kimsuky group, a North Korean hacking group, since 2021 and is still active as of 2024. The evolving HappyDoor malware operates via regsvr32.exe in three stages and has functions such as screen capture, key logging, file leakage, and communication with C&C servers using HTTP
• ANSSI warned that a Russian state-sponsored hacking group, Midnight Blizzard (aka Cozy Bear and APT29), targeted the French Ministry of Foreign Affairs using compromised emails of government staffers from the Foreign Ministry of Culture and the National Agency for Territorial Cohesion. The group attempted to infiltrate the networks using phishing campaigns, but ANSSI concluded that the hackers were unable to move laterally into government systems.
• The Void Arachne threat group has been targeting Chinese-speaking users with malicious Windows Installer (MSI) files. These files contain legitimate software but are bundled with malicious payloads. The campaign uses SEO poisoning, social media, and messaging platforms to distribute malware. They exploit public interest in AI technologies and promote nudifiers, deepfake pornography-generating software, and AI voice and facial technologies. The malware installs a backdoor, potentially compromising entire systems.
• The Chinese cyberespionage group Velvet Ant used custom malware to target F5 BIG-IP appliances to breach target networks and gain persistent access for espionage purposes. The threat actor exploited vulnerabilities in the appliances, established multiple footholds within the target organization's network, and deployed malware such as PlugX RAT. The group demonstrated agility and deep understanding of the target's network infrastructure, evading detection from traditional log monitoring solutions.
• A newly identified North Korean threat actor, Moonstone Sleet, is targeting the software supply chain by spreading malicious npm packages in public open source repositories. The group has targeted developers by spreading malicious npm packages and is differentiating itself from other North Korean actors by using new techniques such as single-package approaches. In Q2 2024, the Moonstone Sleet packages increased in complexity, with the addition of obfuscation and targeting of Linux systems.
• Broadcom discovered that Signal Messenger is being exploited to deliver DarkCrystal RAT malware to high-profile targets. The targets include government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins with the victim receiving a message containing an archive file, a password, and instructions on how to open it. When the user runs these files, their computer becomes infected with the DarkCrystal RAT malware, granting attackers unauthorized access to the system.
• The FBI has issued a warning about scammers posing as recruiters for legitimate companies, using fake remote job ads to steal cryptocurrency from job seekers. These work-from-home scams entice victims with easy tasks and a confusing compensation structure that requires cryptocurrency payments. Victims of such fraudulent activities are advised to report to the FBI IC3 and provide transaction details associated with the scam.

New Threats

The cybersecurity landscape continues to evolve with the emergence of sophisticated threats and critical vulnerabilities. InnoLoader was found disguising itself as cracks and commercial tools, dynamically creating unique malware instances with varying hash values but consistent malicious functionalities via InnoSetup. In other news,**** Snowblind was seen targeting banking customers in Southeast Asia, bypassing detection mechanisms of Android banking apps using accessibility services. A critical authentication bypass vulnerability in MOVEit Transfer versions was identified exposing systems to unauthorized access. Other critical flaws in the vCenter Server could enable remote code execution via the DCE/RPC protocol, impacting virtual machine management.

• A new type of malware disguised as cracks and commercial tools is being distributed, where a unique malware is created upon each download attempt with different hash values but the same malicious functions. The malware is created using InnoSetup and is dubbed InnoLoader. It displays an installer UI and executes malicious behaviors when the user clicks the "Next" button during installation. The malware can download and execute various payloads from the C2 server, including infostealers, proxy tools, and adware.
• A new malware called Snowblind is targeting banking customers in Southeast Asia, resulting in financial losses and fraud. Snowblind uses a unique technique that disables Android banking apps' ability to detect malicious modifications, making it difficult to detect the malware. It exploits accessibility services on apps, which are designed to help users with disabilities use their devices effectively.
• A critical security vulnerability, CVE-2024-5806, has been identified in MOVEit Transfer, which can allow attackers to bypass authentication and gain unauthorized access to the system. The vulnerability is caused by improper validation of user-supplied input during the authentication process. The affected versions include MOVEit Transfer 2023.0.0 to 2023.0.10, 2023.1.0 to 2023.1.5, and 2024.0.0 to 2024.0.1. Progress strongly urges all MOVEit Transfer customers to immediately upgrade to the latest patched versions: 2023.0.11, 2023.1.6, and 2024.0.2.
• AT&T LevelBlue Labs discovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. It uses various techniques to avoid detection and analysis while fetching second-stage shellcode payloads. Techniques include encrypted code segments, pointless unused code, Control Flow Graph obfuscation, debugger detection, and direct syscalls instead of Windows NT APIs.
• Fortinet spotted a new Rust-based malware called Fickle Stealer, targeting Microsoft Windows users. The attack chain consists of three stages: Delivery, Preparatory Work, and Packer and Stealer Payload. The delivery is done through a VBA dropper, VBA downloader, link downloader, and executable downloader. The preparatory work involves scripts that bypass User Account Control, create new tasks, and send messages to a Telegram bot. The Packer disguises Fickle Stealer as a legal executable to avoid static analysis.
• VMware by Broadcom disclosed critical-rated flaws, CVE-2024-37079 and CVE-2024-37080, in the vCenter Server, which could allow remote code execution by malicious actors. The flaws are related to the DCE/RPC protocol and impact the management of virtual machines. A patched version of vCenter Server and Cloud Foundation is available, but older versions of vSphere may be affected and remain unfixed. Additionally, a local privilege escalation vulnerability, CVE-2024-37081, has been identified.
• A long-running malware campaign by Pakistan-linked threat group Cosmic Leopard has evolved to target Windows, Android, and macOS devices, using a suite of malware tools. The malware campaign, dubbed Operation Celestial Force, has been active since at least 2018. The malware tools include GravityRAT (for Windows, Android, and macOS), HeavyLift (an Electron-based malware loader for Windows and macOS), and GravityAdmin (a command-and-control tool).
• A new Agent Tesla RAT variant is targeting Spanish-speaking individuals through phishing emails posing as SWIFT transfer notifications from financial institutions. The malware can exploit MS Office vulnerabilities, steal sensitive information from various applications, and evade detection using fileless modules and the FTP protocol for data submission. It also employs a fileless module downloaded by a malicious JavaScript code, making it difficult to detect.
• Cisco Talos has discovered a new banking trojan called CarnavalHeist targeting Brazilian users. CarnavalHeist begins with financial-themed spam emails that redirect users to malicious websites hosting the first-stage payload. The payload uses a combination of LNK files, batch scripts, and Python loaders to download and execute the final banking trojan DLL. The DLL uses overlay attacks to present fake login screens for Brazilian financial institutions and capture user credentials.
• Aqua Security discovered a new Muhstik malware campaign exploiting a known remote code execution vulnerability (CVE-2023-33246) in Apache RocketMQ versions 5.1.0 and below to gain initial access to vulnerable instances. The Muhstik malware is then downloaded and executed on the compromised instances, allowing the attackers to establish persistence, evade detection, and perform various malicious activities like cryptocurrency mining and DDoS attacks. Analysis shows that there are over 5,200 vulnerable RocketMQ instances exposed on the internet.