Cyware Weekly Threat Intelligence - May 13–17

Weekly Threat Briefing • May 17, 2024
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • May 17, 2024
In a major win, the FBI, DOJ, and global law enforcement once again shut down BreachForums, arresting its alleged administrators and seizing its infrastructure. Across the pond, the NCSC-U.K launched the Share and Defend system, empowering ISPs to block malicious domains. Meanwhile, MITRE released the EMB3D threat model, enhancing security for embedded devices by aligning with and expanding on existing frameworks.
The FBI, DOJ, and international law enforcement agencies have taken down the BreachForums hacker website, leading to the arrest of alleged administrators and the seizure of infrastructure. BreachForums was the successor to the previously taken down RaidForums, and had been operating since June 2023 as a marketplace for stolen data, hacking tools, and other illegal services.
The NCSC-U.K launched a new Share and Defend system that will provide ISPs with the same protections against malicious domains as government networks, helping to disrupt cybercrime and online fraud across the country. It works by sharing threat intelligence data with industry partners, such as Internet Service Providers, who can then take action to block access to malicious content for their customers.
MITRE released the EMB3D threat model to address the evolving challenges in embedded device security. The model provides a common understanding of cyber threats to embedded devices and the security mechanisms needed to mitigate them. EMB3D aligns with and expands on existing models like Common Weakness Enumeration, MITRE ATT&CK, and Common Vulnerabilities and Exposures.
The Singapore government has updated its Cybersecurity Act, giving its primary cybersecurity agency more power to regulate critical infrastructure and third-party providers, and requiring the reporting of cyber incidents, in response to the growing threat landscape and the increasing reliance on cloud services and third-party providers by critical infrastructure operators.
The FCC is proposing a new requirement for ISPs to file regular updates on their efforts to secure BGP, a key internet routing protocol. The proposal would mandate that providers develop BGP security plans and document their use of the Resource Public Key Infrastructure (RPKI) security framework.
When shadows move in cyberspace, danger follows. Researchers have uncovered espionage by the Turla group using new backdoors LunarWeb and LunarMail. Additionally, the Ebury botnet has been found to have compromised over 400,000 Linux servers since 2009, with over 100,000 still affected. Microsoft's latest Patch Tuesday addresses 61 security vulnerabilities.
An unnamed European Ministry of Foreign Affairs and its diplomatic missions in the Middle East fell victim to espionage operations orchestrated by the Turla group. ESET researchers discovered two previously undocumented backdoors, LunarWeb and LunarMail, deployed in the attacks. LunarWeb operates on servers using HTTP(S) for command-and-control communications, while LunarMail, persisting as an Outlook add-in on workstations, communicates via email.
ESET divulged the extensive infiltration of the Ebury botnet into over 400,000 Linux servers since 2009, with over 100,000 servers still compromised as of late 2023. The sophisticated campaign involved various monetization activities, including spam distribution, web traffic redirection, and credential theft, with actors also engaged in cryptocurrency heists and credit card theft. The attackers employ diverse delivery methods, including SSH credential theft and exploitation of web panel vulnerabilities.
Microsoft released its Patch Tuesday updates, addressing a total of 61 security vulnerabilities which includes two zero-day issues being actively exploited in the wild. These are a critical flaw in the Windows MSHTML Platform and an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. These flaws could allow attackers to execute arbitrary code and gain SYSTEM privileges.
A cybercriminal going by the moniker ‘salfetka’ has been spotted selling the source code of the INC Ransom RaaS operation. The sale offers Windows and Linux/ESXi versions of the ransomware. Meanwhile, the ransomware group is allegedly transitioning to a new data leak extortion platform, hinting at internal changes or a rebranding effort. Some experts say the sale could potentially be a scam.
DanaBot malware operators are exploiting documents containing external links to evade detection, unveiled ASEC. Attackers send spam emails disguised as a job application form to deceive recipients. The analysis revealed the malware's propagation - from Word attachment execution to DanaBot installation via PowerShell. The malware can steal a variety of data, including screenshots and credentials.
The Kimsuky APT group, linked to North Korea, has been using rogue Facebook accounts to target victims through Messenger and deliver malware. They impersonated a South Korean public official to connect with key individuals in North Korean and security-related fields. The attack involved sending decoy documents via Messenger, which linked to a malicious file hosted on OneDrive. Upon opening the file, a multi-stage attack chain was initiated, allowing the malware to gather and exfiltrate information to a C2 server.
Security experts at New Jersey’s Cybersecurity and Communications Integration Cell warned of a LockBit Black ransomware campaign orchestrated by the re-emerged Phorpiex botnet group. Since April, millions of phishing emails with ZIP attachments have been sent. The new botnet version, dubbed Twizt, operates peer-to-peer, evading traditional detection methods. With over 1,500 unique sending IP addresses, the campaign spans multiple countries.
Numerous security issues in Apple products have been found to pose significant risks to users, with the most severe flaw allowing arbitrary code execution. Tracked as CVE-2024-23296, the bug threatens government and business entities. Criminals are using techniques like Exploitation for Client Execution (T1203) wherein they potentially gain kernel privileges or bypass security measures. These vulnerabilities span macOS, iOS, iPadOS, watchOS, and tvOS.
Malicious actors were found leveraging GoTo Meeting, a legitimate software, to execute Remcos RAT via deceptive tactics. Using a chain of LNK file executions, they trigger the malicious payloads, disguised as PDFs. The malware uses DLL sideloading to execute the malware DLL. The shellcode further obfuscates the process and assists in decrypting and executing the payload. A JS infection chain targeting diverse demographics with fake setups and documents was also identified.
The North Korean hacker group Kimsuy has unleashed a new Linux malware dubbed Gomir, spread through trojanized software installers. Google issued an emergency security update for Chrome to address a high-severity zero-day vulnerability (CVE-2024-4947) in the V8 JavaScript engine, marking the third zero-day patch in a week. A newly discovered WiFi vulnerability (CVE-2023-52424) allows attackers to execute SSID Confusion attacks, potentially leading to traffic interception and manipulation.