Cyware Weekly Threat Intelligence - January 29–02

Weekly Threat Briefing • February 2, 2024
Weekly Threat Briefing • February 2, 2024
In a global crackdown against cybercrime, Interpol dismantled malicious servers that served as a channel for phishing and malware attacks in great measure. Meanwhile, authorities from the U.S. and Brazil wiped out the KV botnet and Grandoreiro trojan, respectively.
Ransomware attack woes escalated as Schneider Electric's Sustainability Business division and a U.S. military-linked IT provider, Technica, fell victim to separate ransomware attacks. Additionally, Keenan & Associates disclosed a ransomware attack that impacted the sensitive data of over 1.5 million individuals.
Several malware campaigns abusing recently disclosed vulnerabilities were discovered in the wild. While Akamai reported Log4Shell vulnerability and Polkit Linux component flaws being exploited to distribute new variants of the FritzFrog botnet, InfectedSlurs botnet was observed exploiting six zero-day vulnerabilities impacting Hitron DVR device models. In a separate instance, the Trigona group targeted MS-SQL servers to install Mimic ransomware.
Akamai Security Intelligence Group (SIG) uncovered several new variants of the FritzFrog botnet, one of which includes the capability to exploit the 2021 Log4Shell vulnerability. The botnet has also been upgraded with a module to exploit a privilege escalation vulnerability (CVE-2021-4034) in the Polkit Linux component. So far, the botnet has infected over 1500 victims worldwide.
The Patchwork APT group was found to have created at least 12 malicious Android apps, including MeetMe, Let’s Chat, Quick Chat, and Rafaqat, and distributed them through Google Play Store and other platforms to exfiltrate data from Pakistani users. As part of the attack, the attackers used romance scams to trick the victims into installing the apps that eventually downloaded the VajraSpy RAT onto their Android phones.
The CERT-UA warned about a PurpleFox malware campaign that infected at least 2,000 computers in Ukraine. As part of the activity, CERT-UA leveraged IOCs associated with the malware to monitor infected hosts between January 20 and 31, and detected 486 intermediate control server IP addresses, most of which were located in China.
Mandiant researchers discovered new malware attacks targeting Ivanti Connect Secure VPN and Policy Secure devices. Attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 to execute arbitrary commands on the unpatched Ivanti devices. Some of the malware employed in these attacks include a custom web shell tracked as BUSHWALK, a new variant of the LIGHTWIRE web shell, a Python-based CHAINLINE web shell, the FRAMESTING web shell, and KrustyLoader. Meanwhile, the CISA issued a fresh directive, demanding all federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
Security researchers identified approximately 45,000 Jenkins instances that are vulnerable to a critical RCE bug CVE-2024-23897. The security issue can be abused in several ways, including manipulating Resource Root URLs, "Remember me" cookies, or CSRF protection bypass. Depending on permissions, attackers can exploit the flaw to access sensitive information, potentially leading to the decryption of stored secrets and other malicious activities.
AT&T researchers came across a phishing attack that leveraged the Microsoft Teams chat group to push DarkGate malware onto victims’ systems. The attackers used a domain named .onmicrosoft.com to send phishing messages, tricking users into downloading a deceptive file. Researchers noted that the attack succeeded because users had enabled External Access in Microsoft Teams users to message users in other tenants by default.
Researchers at Unit 42 identified a large-scale campaign named ApateWeb that employed over 130,000 domains to distribute scareware, PUPs, and other scam pages. The campaign involved adware programs, a rogue browser, and various browser extensions. These served as potential initial access points for cybercriminals, putting victims at risk of more severe threats.
The Trigona ransomware threat actor expanded its activities by installing Mimic malware targeting MS-SQL servers. The actor abused the Bulk Copy Program (BCP) feature in MS-SQL servers, utilizing the bcp.exe command-line tool during the malware installation process. The threat actor also used the Everything file search tool to speed up file encryption and imitate aspects of the Conti ransomware. The installed files contained tools for deactivating Windows Defender and port forwarding.
Akamai issued an InfectedSlurs botnet advisory following the discovery of active exploitation of multiple DVR device models from Hitron Systems. The botnet exploited six zero-day vulnerabilities (CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) to launch attacks. These vulnerabilities, categorized as improper input validation issues, allowed attackers to inject OS commands and achieve remote code execution.
A new ransomware group, named Alpha, was observed on the landscape along with its leak site on the dark web. It displayed data from industries impacted across the U.K, U.S., and Israel. The ransomware appends a random 8-character alphanumeric extension to encrypted files, and its DLS, titled "MYDATA," is considered unstable and frequently offline.
Cado researchers recently encountered a novel malware campaign, dubbed “Commando Cat”, targeting exposed Docker API endpoints. It is unclear who the threat actor behind Commando Cat is or where they're from, though there is an overlap in scripts and IP addresses to other groups like Team TNT, indicating a potential connection.
Mandiant reported that the UNC4990 threat group has shifted from its traditional method of using USB devices to distribute payloads. It is now abusing legitimate services such as Ars Technica, GitHub, GitLab, and Vimeo to host the EMPTYSPACE downloader. It can execute QUIETBOARD backdoor or any payload from the command and control (C2) server.
Russia-based Star Blizzard APT impersonated Russian researchers and academics in a new campaign to gain access to their colleagues’ email accounts. The emails contained a document that included blurring content and a fake button to Google Drive.