Cyware Weekly Threat Intelligence, December 02–06, 2024
The Good
NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria.
The NIST released two updates to help organizations evaluate their cybersecurity programs. The guidance is divided into two volumes. Volume 1 discusses technical issues in measuring information security, comparing qualitative assessments with data analysis and introducing various assessment types. Volume 2 involves leadership in applying the qualitative findings and stresses the importance of strong management support. The updates aim to broaden the audience to all organizations concerned with cybersecurity.
The FCC presented draft regulations that would require telecom companies to upgrade cyber defenses under federal wiretapping law or face fines, in response to breaches by Chinese government hackers known as Salt Typhoon. The rules aim to secure communications critical infrastructure and prevent future cyberattacks. The proposal includes creating a legal obligation for telecom carriers to secure their networks and implementing an annual cybersecurity risk management plan certification process.
Europol and international law enforcement successfully took down the Manson Market cybercrime platform, disrupting phishing networks and seized a large amount of stolen data. In total, over 50 servers were seized, and more than 200TB of evidence collected during this operation, which took place in several countries including Germany and Austria. Two suspects have been arrested, and the operation showcases the importance of global collaboration in tackling complex cybercrime networks to protect citizens.
The U.K's National Crime Agency uncovered and disrupted two major Russian criminal networks, Smart and TGR, involved in money laundering. The operation, called Operation Destabilise, focused on exposing a scheme where TGR and Smart collected cash in one country and made the equivalent available in another, mainly using cryptocurrency. The NCA has made 84 arrests and seized £20 million in cash and cryptocurrency.
The Bad
Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024.
BlueAlpha, a Russian state-sponsored APT group, has updated its malware delivery methods to exploit Cloudflare Tunnels, aiming to infect victims with GammaDrop malware. BlueAlpha uses Cloudflare Tunnels to hide its malware staging infrastructure from detection. Its method involves HTML smuggling attacks that bypass email security and DNS fast-fluxing to maintain control communications. BlueAlpha has targeted Ukrainian organizations and has used GammaLoad malware since October 2023.
The Earth Minotaur threat group has been using the MOONSHINE exploit kit to target vulnerabilities in Android messaging apps and compromise the devices of Tibetan and Uyghur communities. The kit has over 55 identified servers and has been updated to include newer exploits. Earth Minotaur uses it to install the DarkNimbus backdoor for surveillance on both Android and Windows devices. The backdoor is used to steal a wide range of data, and the group uses social engineering tactics to entice victims to click on malicious links. MOONSHINE has also been used to compromise WeChat.
Cybercriminals are increasingly exploiting Cloudflare's pages[.]dev and workers[.]dev domains for phishing and malicious activities. Fortra observed a 198% rise in phishing attacks on Cloudflare Pages, increasing from 460 incidents in 2023 to 1,370 by mid-October 2024, with expectations to exceed 1,600 incidents by year-end. The report also noted a 104% increase in phishing attacks using this platform, climbing from 2,447 incidents in 2023 to nearly 6,000 expected by year-end.
Developers of decentralized applications downloaded compromised versions of the Solana Web3.js library after an attacker hacked a GitHub account with publishing rights. The backdoored library versions, 1.95.6 and 1.95.7, allowed attackers to steal private key material and drain funds from dapps. The compromised versions were available for download for about five hours on December 2, but have since been removed and replaced with a clean version, 1.95.8. While major cryptocurrency wallets were not hacked, third-party tools related to private keys may have been compromised.
A zero-day arbitrary file read vulnerability in Mitel MiCollab, can be combined with a now-patched critical bug to access sensitive files. Mitel MiCollab is an enterprise collaboration tool with over 16,000 instances, making it an appealing target for cybercriminals. In addition to the now-fixed critical bug, an authentication bypass vulnerability was also reported and fixed. However, a third flaw, an arbitrary file read vulnerability, remains unpatched despite promises from Mitel. watchTowr has published a proof-of-concept after waiting over 100 days for a fix from the vendor.
The National Tax Service (NTS) is facing a significant increase in phishing emails, with threat actors impersonating the NTS to distribute malware. These phishing emails use various file formats, such as DLL and CHM, to execute malicious behaviors. The DLL files distribute a legitimate file with a changed name, ultimately performing malicious functions. The CHM files contain a malicious script and access specific URLs to execute various functions. Threat actors are continuously exploiting topics like tax payments to trick users.
The North Korea-aligned group Kimsuky has been linked to a series of phishing attacks aimed at stealing credentials. These attacks started with emails from Japan and Korea but shifted in mid-September to disguise themselves as Russian senders. They used the VK Mail[.]ru service and its various alias domains. Kimsuky impersonated financial institutions and internet services like Naver, targeting users with fake alerts about their MYBOX cloud storage accounts. These phishing emails were sent through a compromised server at Evangelia University using a PHP mailer called Star.
Researchers found that APT-C-01, also known as Poison Ivy, has resurged and is actively targeting defense, government, technology, and education sectors. It is using advanced phishing methods like watering hole and spear-phishing. Recent findings show an increase in its activities, including creating fake websites that trick victims into downloading Sliver RAT. The malware allows attackers to gain unauthorized access, steal sensitive information, and conduct remote operations.
New Threats
DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.
A new Android banking malware called DroidBot targets over 77 cryptocurrency exchanges and banking apps. Despite its lack of unique features, DroidBot's botnets show 776 unique infections across the U.K, Italy, France, Spain, and Portugal. The malware has been active since June 2024 and operates as a MaaS platform, with affiliates customizing the tool for specific targets. DroidBot uses keylogging, overlaying, SMS interception, and VNC capabilities to steal sensitive information. It also abuses Android's Accessibility Services. Cleafy has identified at least 17 groups using this malware to customize attacks for specific targets.
A new PhaaS platform called Rockstar 2FA has appeared, enabling large-scale attacks that steal Microsoft 365 login details by bypassing MFA. Attackers create fake login pages resembling Microsoft 365 to trick users into entering their credentials. Rockstar 2FA is an updated version of earlier phishing kits and has gained popularity in the cybercrime world since August. Its service is offered for $200 for two weeks or $180 for API access renewal, and it is advertised on platforms like Telegram. The platform has launched over 5,000 phishing domains and employs various methods to bait users into clicking malicious links.
Threat actors are exploiting misconfigured Docker servers to spread the Gafgyt malware, traditionally used for targeting IoT devices. However, the malware is now being used to attack Docker Remote API servers, indicating a change in behavior. The attackers aim for publicly exposed, misconfigured Docker remote API servers to deploy the Gafgyt malware by creating a Docker container using a legitimate “alpine” Docker image. This process allows them to infect the victim via the Gafgyt botnet malware, which then enables the attacker to carry out DDoS attacks.
ThreatLabz discovered two new malware families, RevC2 and Venom Loader, active from August to October 2024. These are part of campaigns using the MaaS platform from a threat actor named Venom Spider. The campaigns employed tools like VenomLNK to deliver malware through phishing. RevC2 communicates with its command server using WebSockets and can steal cookies and passwords, execute commands, take screenshots, and proxy traffic. The second campaign introduced Venom Loader, which set up a JavaScript backdoor called More_eggs lite. This backdoor executes remote commands and uses unique encoding for each victim.
A new group of 15 SpyLoan Android malware apps with over eight million installs was found on Google Play, mainly affecting users in South America, Southeast Asia, and Africa. McAfee reported these apps to Google, which informed developers that their apps broke Google Play policies and required fixes. Some apps were removed while others were updated. From Q2 to Q3 2024, the number of malicious SpyLoan applications and unique infected devices rose by over 75%.
A new phishing attack has been discovered that uses corrupted Word documents as email attachments to evade security software. The documents prompt the recipient to scan a QR code, leading to a phishing site that impersonates a Microsoft login page to steal credentials. Despite their corrupt state, the documents remain recoverable by the application and have been successful in avoiding detection by most security solutions.