
Cyware Weekly Threat Intelligence - November 11–15


Weekly Threat Briefing Nov 15, 2024

The Good

As cyber threats to critical infrastructure surge, the TSA has proposed formal rules for pipeline and railroad operators, while the World Economic Forum introduced a new framework to enhance public-private collaboration against cybercrime. These efforts highlight the urgency of uniting resources and governance to fortify cybersecurity resilience on all fronts.

  • The Transportation Security Administration (TSA) has proposed new rules to formalize existing security directives for pipeline and railroad operators in response to cyber threats. The rules would require operators to report cyber incidents, create cyber risk management plans overseen by TSA, and incur an estimated $2.1 billion in costs over 10 years. TSA aims to increase cybersecurity resilience due to the increasing cyber threats to critical transportation infrastructure, which have been attributed to nation-state actors. The proposed rules are open for industry input until February 5, reflecting TSA's efforts to balance flexibility for operators while addressing the evolving cyber threats.
  • Italy conducted the annual Blueprint Operational Level Exercise (Blue OLEx) to test EU institutions' readiness for cyber-attacks. The exercise involved senior cybersecurity officials from EU member states and the Commission, focusing on improving responses to incidents and crises. Blue OLEx emphasized executive-level cooperation through the Cyber Crisis Liaison Organization Network (EU-CyCLONe), established by the NIS2 Directive. The event was hosted by the Italian Cybersecurity Agency (ACN), emphasizing the importance of sharing ideas and strengthening ties among crisis management leaders.
  • The World Economic Forum's Partnership against Cybercrime released a framework to enhance collaboration between the cybersecurity industry and the public sector. The framework emphasizes the need for incentives, good governance, and resources to support operational collaborations. It highlights the importance of clear missions, impact, peer-to-peer learning, and public recognition as incentives for organizations to collaborate. Additionally, it emphasizes the need for flexible governance frameworks, membership capability assessments, and data normalization to ensure a cohesive response to cyber threats.

The Bad

From Microsoft’s patching of critical flaws to nation-state campaigns, the week reveals no respite in cybersecurity. The WIRTE group expanded disruptive attacks across the Middle East, whereas TA455 targeted aerospace firms with fake job lures. Microsoft’s November 2024 Patch Tuesday updates addressed 89 vulnerabilities, including two actively exploited zero-days, underscoring escalating threats to global IT systems. 

  • CYFIRMA analyzed SpyNote, an Android malware that poses a significant threat by allowing extensive control over infected devices. The malware disguises itself as a fake antivirus named Avast Mobile Security for Android to deceive users. It targets cryptocurrencies, steals data from other apps, and collects user credentials. It monitors network traffic and connects to a C2 server for data theft. There are over 10,000 identified samples of SpyNote, with recent infections linked to the threat actor EVLF distributing it through platforms like Telegram.
  • The Iranian Dream Job campaign conducted by TA455 targeted the aerospace industry by offering fake jobs and distributing the SnailResin malware. The campaign has been active since at least September 2023 and uses fake recruiting websites and LinkedIn profiles to distribute malicious files. The attackers use a detailed PDF guide to encourage victims to download a ZIP file containing the malware. The campaign is suspected to be involved in espionage targeting aerospace, aviation, and defense industries in Middle Eastern countries.
  • Microsoft released fixes for 89 CVE-listed security flaws in its products, with two zero-day vulnerabilities actively under attack. One flaw, CVE-2024-49039, allows privilege escalation through Windows Task Scheduler, while the second flaw, CVE-2024-43451, impacts NTLM hashes. Azure CycleCloud users should be aware of CVE-2024-43602, which permits remote code execution. Additionally, a serious flaw, CVE-2024-43498, affects .NET and Visual Studio, and another critical vulnerability, CVE-2024-43639, involves a cryptographic protocol vulnerability in Windows Kerberos.
  • The Google Chrome team has released Chrome 131, now available for Windows, Mac, and Linux. Among the changes are 12 security fixes, including ones reported by external researchers. These fixes address issues like inappropriate implementation in Blink, Autofill, Media, Accessibility, Views, Navigation, Paint, and FileSystem. Additionally, internal security work has led to a range of fixes.
  • The WIRTE APT group, associated with the Hamas-affiliated group Gaza Cybergang, has continued its attacks in the Middle East. It has expanded its focus from espionage to disruptive attacks while targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. Researchers uncovered a connection between the malware used by WIRTE and SameCoin, a wiper malware that attacked Israeli targets in 2024. The APT group has also included hack-and-leak operations and is using cyber capabilities to shape narratives.
  • CISA issued a warning about two new vulnerabilities in the Palo Alto Networks Expedition software, which are being actively exploited, and added them to the KEV catalog. The vulnerabilities are an OS command injection (CVE-2024-9463) and a SQL injection (CVE-2024-9465), which can allow unauthorized attackers to run commands as root or expose database contents, potentially revealing sensitive information like usernames, passwords, configurations, and keys. Palo Alto Networks addressed these in an update on October 9.

New Threats

This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer bypasses browser encryption to pilfer cookies and crypto wallets, whereas the Lazarus group’s RustyAttr trojan targets macOS users using the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers via 4,695 fake domains, impersonating popular brands to steal credit card details from Black Friday bargain hunters.

  • Researchers have discovered a tool, GoIssue, that can steal developer credentials in bulk and conduct malicious activities, including supply chain attacks. GoIssue gathers email addresses from public GitHub profiles by using automated processes and GitHub tokens, allowing attackers to send bulk emails directly to user inboxes. The tool is being marketed to potential attackers for $700 for a custom build or $3,000 for full source code access. It combines bulk email capabilities with data collection features and hides the attacker's identity through proxy networks.
  • The new Glove Stealer malware was found to bypass Google Chrome's Application-Bound encryption to steal browser cookies. The malware is simple and lacks protection mechanisms, suggesting it is in the early stages of development. The threat actors behind the malware use social engineering tactics to trick victims into installing it. The malware can extract cookies from Firefox and Chromium-based browsers, as well as steal cryptocurrency wallets, 2FA tokens, passwords, and emails. 
  • APT41, a threat group from China, is using a sophisticated Windows-based surveillance toolkit in a cyberespionage campaign targeting organizations in South Asia. The toolkit, called DeepData Framework, consists of 12 separate plugins optimized for malicious functions. These plugins steal communications from various messaging apps, system information, browsing history, cookies, passwords, audio files, and more.
  • Threat actors are using a new method on macOS to spread a malware called RustyAttr, which is linked to the Lazarus Group from North Korea. The malware is built using the Tauri framework and includes an extended attribute that runs a shell script. When executed, a decoy is displayed to distract the user. The shell script executes a Rust backend via malicious JavaScript loaded on a fake webpage.
  • Unit 42 researchers discovered a group of North Korean IT workers, referred to as CL-STA-0237, involved in phishing attacks using malware-infected video conference apps, operating primarily from Laos. This group exploited a U.S.-based IT services company to apply for jobs and succeeded in getting hired by a major tech company in 2022. The team found newly registered domains linked to a known IP address associated with the MiroTalk fake job campaign, revealing that CL-STA-0237 exploited information from, and controlled multiple accounts belonging to, the U.S.-based IT company.
  • A Chinese threat actor named SilkSpecter is running a scam using fake online stores to steal credit card information from shoppers in the U.S. and Europe. SilkSpecter operates 4,695 fake domains impersonating popular brands like North Face, Lidl, and Ikea. The scam uses domain names containing "Black Friday" to target bargain hunters. Sites adjust language based on location using Google Translate. They use legitimate payment processor Stripe to appear trustworthy while stealing card details. SilkSpecter tracks visitors' behavior with tools like OpenReplay and uses phishing kits to steal card information. The scam may use stolen phone numbers for two-factor authentication in future attacks.

Related Threat Briefings

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.