
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Sep 30, 2024

The Good

The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and territorial governments enhance their ability to detect and respond to cyber threats. Meanwhile, German authorities dismantled the infrastructure of a ransomware group using Vanir Locker malware, seizing a leak site and 47 cryptocurrency exchanges linked to illegal money laundering. The FCC also introduced a voluntary cybersecurity labeling program, the U.S. Cyber Trust Mark, to help consumers identify IoT products that meet cybersecurity standards. In addition, the White House released a roadmap to enhance the security of the Border Gateway Protocol (BGP), encouraging the use of secure routing technologies and better monitoring to prevent BGP hijacking and safeguard critical networks.

  • The DHS announced $279.9 million in grant funding for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to increase resilience and better secure critical infrastructure. Established by the State and Local Cybersecurity Improvement Act, and part of the Bipartisan Infrastructure Law, the SLCGP allocates around $1 billion in funding over four years to support SLT governments in building their capacity to detect, defend against, and respond to cyber threats.

  • German law enforcement has taken down infrastructure used by a ransomware group deploying the Vanir Locker malware in a small number of attacks. They seized control of a leak site used by the hackers, preventing data stolen from affected companies from being published. In a parallel action, they also seized 47 cryptocurrency exchange services in the country used for illegal money laundering by cybercriminals. These platforms allowed anonymous cryptocurrency transactions, creating a low-risk environment for criminals. The seized exchange domains now show an Operation Final Exchange warning page informing visitors that the exchange operators deceived them. The exchanges with the most users and transactions have been listed.

  • A global law enforcement operation called Operation Kaerb dismantled a criminal network that used the iServer platform to carry out automated phishing attacks, targeting 483,000 victims worldwide. The operation involved authorities from several countries and resulted in the arrest of 17 suspects, including the administrator of the phishing platform.

  • The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called Raptor Train that targeted critical infrastructure in the US and other countries. The botnet infected over 260,000 networking devices, including routers, modems, IP cameras, and NVR devices, and was used to target entities in military, government, education, and IT sectors. It operated as a complex, multi-tiered network with an enterprise-grade control system and was linked to state-sponsored Chinese hackers. The FBI executed operations to take control of the botnet infrastructure. Steps to protect against Raptor Train include checking for large outbound data transfers and regularly updating and replacing vulnerable devices.

  • The U.K. government designated the data center sector as part of the country's critical national infrastructure, recognizing its importance in safeguarding vital data from cyber attacks and disasters. This designation aims to prioritize engagement with the sector and ensure continuity of operations during crises. It signals greater government support for physical data centers and cloud operators, providing access to security agencies and emergency services in case of incidents.

  • The FCC is launching a voluntary cybersecurity labeling program to help consumers make informed decisions about purchasing technology products. The program will use a U.S. Cyber Trust Mark to indicate products that meet cybersecurity standards, similar to the ENERGY STAR label for energy efficiency. The label will be displayed on internet of things products, providing information on security features and compliance with cybersecurity standards.

  • The White House released a roadmap to enhance the cybersecurity of the Border Gateway Protocol (BGP), which routes data across networks. The plan calls for contractors to provide secure internet routing technologies to validate the legitimacy of data entering government networks and prevent BGP hijack attacks. The roadmap recommends using Resource Public Key Infrastructure (RPKI) to confirm network rights to specific internet protocol addresses and enforce specialized filtering techniques. It also urges network service providers to monitor data entering their networks and develop cybersecurity risk management plans.
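The RPKI check the roadmap recommends, shown as an added example that is not part of the briefing: route origin validation (RFC 6811) of a BGP announcement against a set of Route Origin Authorizations, including the maxLength and AS0 cases that catch more-specific hijacks. The ROAs, prefixes and AS numbers are constructed sample data, not real routing records.

```python
"""Route Origin Validation against a constructed set of ROAs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and the authorized origin AS."""
    prefix: str
    max_length: int
    asn: int  # AS 0 means no AS may originate this prefix (RFC 6483)


# Constructed sample ROAs using documentation prefixes and private-use ASNs.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64500),    # only the exact /24 from AS64500
    ROA("203.0.113.0/24", 26, 64501),  # AS64501 may announce /24 through /26
    ROA("2001:db8::/32", 32, 0),       # AS0 ROA: nobody may originate this space
)


def validate_origin(announced_prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement.

    NotFound: no ROA covers the prefix (unsigned space).
    Valid:    a covering ROA names this origin AS and the announced prefix
              length does not exceed that ROA's maxLength.
    Invalid:  ROAs cover the prefix but none matches: wrong origin AS, a
              more-specific announcement than maxLength allows, or an AS0 ROA.
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises TypeError across address families, so compare versions first.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def apply_rov_policy(announcements, roas=SAMPLE_ROAS):
    """Common operator policy: drop Invalid announcements, keep Valid and NotFound.

    announcements is an iterable of (prefix, origin_asn) pairs; returns the accepted ones.
    """
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) != "Invalid"]
```

A /25 announced out of the /24 covered by the first ROA is rejected even with the right origin AS, which is the more-specific hijack pattern maxLength is meant to stop.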

The Bad

In the ever-evolving landscape of cyber threats, attackers continue to leverage new vulnerabilities, deceptive tactics, and sophisticated malware to infiltrate systems and compromise sensitive data. Cybercriminals have been distributing AsyncRAT through fake versions of popular software like AnyDesk and CCleaner, tricking users into downloading malware that grants attackers remote access. In parallel, two critical vulnerabilities, CVE-2024-22303 and CVE-2024-21743, in the WordPress theme Houzez and its companion plugin Houzez Login Register, could allow unauthorized users to escalate privileges and take control of sites. Meanwhile, a phishing campaign has been delivering Excel files exploiting CVE-2017-0199 to execute a fileless version of the Remcos RAT via OLE objects and PowerShell commands, targeting various sectors globally. Additionally, Sophos uncovered a cyberespionage attack by Crimson Palace, a Chinese-linked threat actor, which targeted Southeast Asian government organizations using a new malware called Tattletale to steal sensitive data and compromise networks.

  • Cybercriminals are using fake versions of popular software to distribute AsyncRAT, which can infiltrate systems and grant attackers remote access. The malware disguises itself as legitimate software like AnyDesk and CCleaner, tricking users into downloading and running it. Once executed, AsyncRAT remains undetected by exploiting system settings and using obfuscation techniques. It aims to establish a remote connection with the infected machine, allowing cybercriminals to carry out data theft and command execution. The malware's payload is designed to evade detection, and communicate with a C2 server, giving attackers control over compromised systems.
  • Two critical vulnerabilities in the WordPress theme Houzez and its companion plugin Houzez Login Register have been uncovered. These vulnerabilities could enable unauthorized users to take control of WordPress sites running the theme, posing a significant risk to businesses and clients. CVE-2024-22303 is a privilege escalation flaw that allows unauthenticated users to elevate their privileges and potentially take over a site. The theme lacks proper authorization checks, enabling users with Subscriber roles to obtain nonce tokens and reset passwords, including administrator accounts. CVE-2024-21743 affects the Houzez Login Register plugin, allowing users to change email addresses and hijack accounts. Users must update to version 3.3.0 or higher to mitigate these risks.
  • Microsoft has identified Vanilla Tempest, a ransomware affiliate, targeting U.S. healthcare organizations in INC ransomware attacks. Vanilla Tempest used INC ransomware in an attack on the U.S. healthcare sector, gaining access through the Storm-0494 threat actor and deploying malware like Gootloader and Supper. While the specific victim was not named, a similar attack affected Michigan's McLaren Health Care hospitals last month, causing disruptions to patient information databases and services. The threat actor conducts lateral movement through RDP and leverages the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
  • The Russian ransomware group Key Group has been spotted using the .NET-based Chaos ransomware to encrypt files, steal data, and demand ransom via Telegram. Once on a system, the ransomware encrypts files, appending a random extension, and disables system recovery, while sparing certain files. A ransom message is displayed upon completion of encryption, directing victims to two URLs for payment. Victims are cautioned not to engage with the attackers, as data recovery is unreliable and paying still carries a risk of permanent data loss.
  • North Korean hackers are targeting cryptocurrency users on LinkedIn using the RustDoor malware. The attacks involve pretending to be recruiters for legitimate decentralized cryptocurrency exchanges like STON.fi, aiming to infiltrate networks under the guise of interviews or coding assignments. RustDoor is a macOS malware designed to steal information and operate as a backdoor with two different command-and-control servers.
  • Cyble uncovered a sophisticated cyber campaign targeting attendees of the U.S.-Taiwan Defense Industry Conference. The attack involves a deceptive ZIP archive disguised as a conference registration form, which, when opened, executes covert actions to establish persistence and download additional malicious content. The attackers use advanced in-memory execution techniques to evade traditional detection methods and exfiltrate sensitive data.
  • A recent phishing campaign delivered a harmless-looking Excel file that utilizes CVE-2017-0199 to embed malicious code through OLE objects in Microsoft Office. The file employs encryption and obfuscation techniques to hide the malicious payload, which, when opened, executes a fileless version of the Remcos RAT, providing attackers with remote access. This campaign has been targeting various sectors in different countries and involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process. Remcos RAT establishes persistence by injecting itself into legitimate processes, evading traditional security measures.
  • Sophos detailed an ongoing cyberespionage attack by Crimson Palace, targeting government organizations in Southeast Asia. Crimson Palace comprises three Chinese-linked activity clusters: Cluster Alpha, Cluster Bravo, and Cluster Charlie. The hackers have adapted, using a new malware, Tattletale, to gather information and infiltrate networks. Cluster Charlie targeted government organizations, stealing sensitive data and authentication keys. The attackers focused on evading security tools and gaining deeper access within victim networks. They compromised at least 11 other organizations in the region, delivering malware under the guise of trusted access points.
  • The RansomHub ransomware gang has been using the legitimate TDSSKiller tool from Kaspersky to disable EDR services on target systems. Once the defenses are down, the attackers use the LaZagne credential-harvesting tool to extract logins from application databases. Through these tools, attackers can move laterally and access sensitive data. Notably, TDSSKiller was observed using the -dcsvc flag to target specific services, like MBAMService.

New Threats

In recent developments, a new RomCom malware variant called SnipBot surfaced, incorporating advanced evasion techniques to execute commands and deliver additional payloads. Meanwhile, Earth Baxia has been actively targeting government organizations in Taiwan and potentially other APAC countries through spear-phishing emails exploiting the GeoServer vulnerability (CVE-2024-36401). Additionally, Cisco Talos identified a new threat actor named DragonRank, targeting countries in Asia and Europe with the use of PlugX and BadIIS for SEO manipulation. Moreover, Microsoft addressed 79 vulnerabilities in its September 2024 Patch Tuesday update, including seven critical flaws and actively exploited vulnerabilities such as CVE-2024-38014, CVE-2024-38217, and CVE-2024-38226. The updates also patched 26 flaws in the Chromium-based Edge browser, urging users to install the latest security patches to mitigate the risks.

  • A new RomCom malware variant called SnipBot has been identified. It employs new tricks and evasion techniques to execute commands and run additional payloads. SnipBot is a new version of the RomCom malware that is mainly based on RomCom 3.0. However, it also contains techniques seen in its offshoot PEAPOD called RomCom 4.0.
  • Earth Baxia targeted a government organization in Taiwan and potentially other countries in the APAC region, using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. The threat actor utilized GrimResource and AppDomainManager injection to deploy additional payloads, including customized Cobalt Strike components and a new backdoor named EAGLEDOOR. The threat actor's activities were primarily targeted at government agencies, telecommunication businesses, and the energy industry in countries such as the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
  • A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical infrastructure verticals. The attackers posed as job openings from prominent companies in the energy and aerospace industries. They delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor was capable of downloading and executing PE files and communicated with Microsoft Graph URLs.
  • Varonis Threat Labs discovered a vulnerability in Salesforce's public link feature, which could be exploited by threat actors to access sensitive data. The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing for a blind SOQL injection attack to retrieve customer information, including PII. Salesforce patched the vulnerability in February. The vulnerability affected virtually any public link generated by Salesforce, posing a widespread risk to data exposure.
  • Microsoft recently patched a Windows MSHTML spoofing vulnerability, identified as CVE-2024-43461, which had been exploited by the Void Banshee APT hacking group. Void Banshee utilized the flaw in zero-day attacks to deploy information-stealing malware. The vulnerability allowed attackers to hide the .hta file extension as a PDF, making it more likely to be opened by users. Despite a security update, the file may still confuse users into opening it as a PDF.
  • Threat actors infected over 1.3 million Android TV streaming boxes with Vo1d backdoor, giving them full control over the devices. The malware targets Android firmware versions such as Android 7.1.2 and Android 10.1, modifying system files for persistence. Dr. Web researchers found infected devices in over 200 countries, with the most cases in Brazil, Morocco, and Pakistan. While the exact method of compromise is unknown, researchers suspect vulnerabilities in outdated software. Google clarified that the infected devices are not running Android TV but the Android Open Source Project (AOSP).
  • GitLab released security updates for 17 vulnerabilities, including a critical flaw (CVE-2024-6678) that allows attackers to run pipeline jobs as arbitrary users. The update also addresses three high-severity, 11 medium-severity, and two low-severity bugs. These fixes are available in versions 17.3.2, 17.2.5, and 17.1.7 for GitLab CE and EE. While there is no evidence of active exploitation, users are advised to apply the patches promptly to reduce potential risks.
  • Cisco Talos discovered a new threat actor named DragonRank that targets countries in Asia and some in Europe using PlugX and BadIIS for SEO manipulation. DragonRank infiltrates web applications to deploy web shells, gather system information, and launch malware, along with credential-harvesting tools. The group has compromised over 35 IIS servers in countries including Thailand, India, Korea, Belgium, the Netherlands, and China. DragonRank is linked to a Simplified Chinese-speaking actor through their commercial website and messaging accounts.
  • Microsoft announced three new security vulnerabilities affecting Windows, which are being actively exploited, as part of the September 2024 Patch Tuesday update. This release addressed a total of 79 vulnerabilities, with seven rated critical, 71 important, and one moderate. Additionally, 26 flaws in the Chromium-based Edge browser were also fixed. The exploited vulnerabilities include CVE-2024-38014, CVE-2024-38217, and CVE-2024-38226, along with CVE-2024-43491. These flaws can lead to security feature bypasses and remote code execution. Microsoft recommended installing the September 2024 Servicing stack update and the Windows security update to mitigate the risks.
  • ESET researchers observed the CosmicBeetle, aka NoName, threat actor using its new ScRansom ransomware, replacing its previous Scarab ransomware, with a focus on small and medium-sized businesses. The threat actor has also been using the leaked LockBit builder to mimic the well-known ransomware gang in an attempt to boost its credibility. It is believed that CosmicBeetle may have connections to the RansomHub gang.
  • ManticoraLoader is a new MaaS observed on the XSS cybercrime forum distributed by a user with the alias DarkBLUP. The malware, available on Telegram since August 8, features stealth and obfuscation tactics, compatible with Windows 7 and above. It collects detailed information from infected devices, covertly sending data to a central control panel for profiling victims and customization of attacks. The actors limit clients to 10, offering services for $500 per month, aiming to monetize the tool.
  • Cisco patched a command injection vulnerability in its Identity Services Engine (ISE) solution, allowing attackers to gain root privileges on vulnerable systems. The flaw, tracked as CVE-2024-20469, stems from insufficient validation of user input. Attackers with administrator privileges can execute malicious commands without user interaction. Cisco has released fixes for affected versions of ISE, including 3.2P7 and 3.3P4. Additionally, Cisco removed a backdoor account in its Smart Licensing Utility software and addressed other vulnerabilities such as CVE-2024-20295 and CVE-2024-20401.
