Cyware Monthly Threat Intelligence
Monthly Threat Briefing • Sep 30, 2024
The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and territorial governments enhance their ability to detect and respond to cyber threats. Meanwhile, German authorities dismantled the infrastructure of a ransomware group using Vanir Locker malware, seizing a leak site and 47 cryptocurrency exchanges linked to illegal money laundering. The FCC also introduced a voluntary cybersecurity labeling program, the U.S. Cyber Trust Mark, to help consumers identify IoT products that meet cybersecurity standards. In addition, the White House released a roadmap to enhance the security of the Border Gateway Protocol (BGP), encouraging the use of secure routing technologies and better monitoring to prevent BGP hijacking and safeguard critical networks.
The DHS announced $279.9 million in grant funding for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to increase resilience and better secure critical infrastructure. Established by the State and Local Cybersecurity Improvement Act, and part of the Bipartisan Infrastructure Law, the SLCGP allocates around $1 billion in funding over four years to support SLT governments in building their capacity to detect, defend against, and respond to cyber threats.
German law enforcement has taken down infrastructure used by a ransomware group that deployed the Vanir Locker malware in a small number of attacks. They seized control of a leak site used by the hackers, preventing data stolen from affected companies from being published. Simultaneously, they also seized 47 cryptocurrency exchange services in the country that cybercriminals used for illegal money laundering. These platforms allowed anonymous cryptocurrency transactions, creating a low-risk environment for criminals. Visitors to the seized services are now redirected to an Operation Final Exchange warning page informing them of the deception by the exchange operators. The exchanges with the most users and transactions have been listed.
A global law enforcement operation called Operation Kaerb dismantled a criminal network that used the iServer platform to carry out automated phishing attacks, targeting 483,000 victims worldwide. The operation involved authorities from several countries and resulted in the arrest of 17 suspects, including the administrator of the phishing platform.
The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called Raptor Train that targeted critical infrastructure in the US and other countries. The botnet infected over 260,000 networking devices, including routers, modems, IP cameras, and NVR devices, and was used to target entities in military, government, education, and IT sectors. It operated as a complex, multi-tiered network with an enterprise-grade control system and was linked to state-sponsored Chinese hackers. The FBI executed operations to take control of the botnet infrastructure. Steps to protect against Raptor Train include checking for large outbound data transfers and regularly updating and replacing vulnerable devices.
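The briefing's protective step for Raptor Train-style compromises is to watch for large outbound data transfers from devices that normally send very little, such as routers, modems, IP cameras and NVRs. The following is an added example, not code from Cyware or from the FBI advisory: it aggregates egress bytes per source device over hourly windows from a set of constructed flow records and flags any device whose total exceeds a per-asset-class threshold. The asset inventory, thresholds and flow records are all assumptions for illustration.

```python
"""Flag devices with unusually large outbound transfers in hourly windows.

Added example for the Raptor Train mitigation described above; the flow
records, asset classes and thresholds are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

MIB = 2 ** 20


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture (constructed)
    src: str         # internal source address
    dst: str         # external destination address
    bytes_out: int   # bytes sent from src to dst in this flow


# Constructed asset inventory: embedded network gear vs. a workstation.
ASSET_CLASS = {
    "10.0.0.5": "router",
    "10.0.0.9": "ip-camera",
    "10.0.1.20": "workstation",
}

# Constructed per-class egress thresholds per hourly window. Embedded devices
# should rarely push bulk data, so their thresholds are low.
EGRESS_THRESHOLD_BYTES = {
    "router": 50 * MIB,
    "ip-camera": 50 * MIB,
    "nvr": 50 * MIB,
    "workstation": 1024 * MIB,
}
DEFAULT_THRESHOLD_BYTES = 50 * MIB  # unknown devices are treated like embedded gear

# Constructed sample flows: the camera pushes 90 MiB in one hour, which is far
# outside what a camera should send; the router and workstation stay normal.
SAMPLE_FLOWS = [
    Flow(0, "10.0.0.9", "203.0.113.7", 30 * MIB),
    Flow(600, "10.0.0.9", "203.0.113.7", 30 * MIB),
    Flow(1200, "10.0.0.9", "203.0.113.7", 30 * MIB),
    Flow(300, "10.0.0.5", "198.51.100.2", 1 * MIB),
    Flow(900, "10.0.1.20", "198.51.100.9", 200 * MIB),
]


def egress_per_window(flows, window_s=3600):
    """Sum bytes_out per (src, window_start) bucket."""
    totals = defaultdict(int)
    for f in flows:
        window_start = (f.ts // window_s) * window_s
        totals[(f.src, window_start)] += f.bytes_out
    return dict(totals)


def flag_large_egress(flows, window_s=3600):
    """Return (src, window_start, total_bytes, asset_class) for every bucket
    whose egress exceeds the threshold for that device's asset class."""
    hits = []
    for (src, window_start), total in egress_per_window(flows, window_s).items():
        asset_class = ASSET_CLASS.get(src, "unknown")
        limit = EGRESS_THRESHOLD_BYTES.get(asset_class, DEFAULT_THRESHOLD_BYTES)
        if total > limit:
            hits.append((src, window_start, total, asset_class))
    return sorted(hits)


if __name__ == "__main__":
    for src, start, total, cls in flag_large_egress(SAMPLE_FLOWS):
        print(f"ALERT {src} ({cls}) sent {total // MIB} MiB in window starting t={start}s")
```

In practice the thresholds would be derived from a per-device baseline rather than fixed constants, and the alert would be enriched with the destination addresses so an analyst can see whether the traffic goes to an expected service or to an unfamiliar host.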
The U.K. government designated the data center sector as part of the country's critical national infrastructure, recognizing its importance in safeguarding vital data from cyber attacks and disasters. This designation aims to prioritize engagement with the sector and ensure continuity of operations during crises. It signals greater government support for physical data centers and cloud operators, providing access to security agencies and emergency services in case of incidents.
The FCC is launching a voluntary cybersecurity labeling program to help consumers make informed decisions about purchasing technology products. The program will use a U.S. Cyber Trust Mark to indicate products that meet cybersecurity standards, similar to the ENERGY STAR label for energy efficiency. The label will be displayed on Internet of Things (IoT) products, providing information on security features and compliance with cybersecurity standards.
The White House released a roadmap to enhance the cybersecurity of the Border Gateway Protocol (BGP), which routes data across networks. The plan calls for contractors to provide secure internet routing technologies to validate the legitimacy of data entering government networks and prevent BGP hijack attacks. The roadmap recommends using Resource Public Key Infrastructure (RPKI) to confirm a network's right to originate specific IP address ranges and to enforce specialized filtering techniques. It also urges network service providers to monitor data entering their networks and develop cybersecurity risk management plans.
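The mechanism the roadmap leans on is Route Origin Validation (ROV): a router compares each received BGP announcement against the Route Origin Authorizations (ROAs) published in the RPKI and classifies it as valid, invalid or not-found (RFC 6811). The following is an added example that is not part of the briefing or of any vendor's implementation; it implements that classification and a "drop invalids" filter over a constructed ROA set built from documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and private-use AS numbers, which are assumptions for illustration rather than real registry data.

```python
"""RFC 6811 Route Origin Validation against a constructed ROA table.

Added example; the ROAs and announcements below are sample data, not the
state of any real prefix or AS.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin AS may announce
    origin_asn: int   # AS authorized to originate the prefix


# Constructed ROA set (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("2001:db8::/32", 48, 64496),
]


def validate_route(announced_prefix: str, origin_asn: int, roas) -> str:
    """Classify an announcement per RFC 6811.

    A ROA 'covers' the announcement when the announced prefix lies within
    the ROA prefix. It 'matches' when it also satisfies maxLength and the
    origin AS. Any match -> 'valid'; covered but no match -> 'invalid';
    nothing covering -> 'not-found'.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa.max_length and roa.origin_asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas):
    """Apply the common 'drop invalids' policy: keep valid and not-found
    routes, reject invalid ones. Returns (accepted, rejected) lists of
    (prefix, origin_asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: the second one originates a covered prefix
    # from an unauthorized AS, which is the shape an origin hijack takes.
    sample = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64511),
        ("198.51.100.0/27", 64497),
        ("203.0.113.0/24", 64496),
    ]
    ok, bad = filter_announcements(sample, SAMPLE_ROAS)
    for entry in ok:
        print("accept", entry)
    for entry in bad:
        print("reject", entry)
```

Note that "not-found" routes are accepted under this policy because most of the routing table still has no ROA; ROV only rejects announcements that contradict a published authorization, which is why the roadmap also urges providers to publish ROAs for their own address space.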
In the ever-evolving landscape of cyber threats, attackers continue to leverage new vulnerabilities, deceptive tactics, and sophisticated malware to infiltrate systems and compromise sensitive data. Cybercriminals have been distributing AsyncRAT through fake versions of popular software like AnyDesk and CCleaner, tricking users into downloading malware that grants attackers remote access. In parallel, two critical vulnerabilities, CVE-2024-22303 and CVE-2024-21743, in the WordPress theme Houzez and its companion plugin Houzez Login Register, could allow unauthorized users to escalate privileges and take control of sites. Meanwhile, a phishing campaign has been delivering Excel files exploiting CVE-2017-0199 to execute a fileless version of the Remcos RAT via OLE objects and PowerShell commands, targeting various sectors globally. Additionally, Sophos uncovered a cyberespionage attack by Crimson Palace, a Chinese-linked threat actor, which targeted Southeast Asian government organizations using a new malware called Tattletale to steal sensitive data and compromise networks.
In recent developments, a new RomCom malware variant called SnipBot surfaced, incorporating advanced evasion techniques to execute commands and deliver additional payloads. Meanwhile, Earth Baxia has been actively targeting government organizations in Taiwan and potentially other APAC countries through spear-phishing emails exploiting the GeoServer vulnerability (CVE-2024-36401). Additionally, Cisco Talos identified a new threat actor named DragonRank, targeting countries in Asia and Europe with the use of PlugX and BadIIS for SEO manipulation. Moreover, Microsoft addressed 79 vulnerabilities in its September 2024 Patch Tuesday update, including seven critical flaws and actively exploited vulnerabilities such as CVE-2024-38014, CVE-2024-38217, and CVE-2024-38226. The updates also patched 26 flaws in the Chromium-based Edge browser, urging users to install the latest security patches to mitigate the risks.