Cyware Daily Threat Intelligence, April 23, 2024

Microsoft disclosed a multi-year campaign by Russia-based threat actors targeting the government and transportation sectors. Since 2019 they have been using the GooseEgg tool to exploit a Windows Print Spooler bug for privilege escalation and credential theft. In another headline, a global malicious cyber campaign was observed distributing a trio of malware families: Cryptbot, LummaC2, and Rhadamanthys. It employed a new PowerShell bypass technique delivered via LNK files and hosted its payloads on CDN cache domains.

Separately, a new email phishing campaign impersonated Bank of America and sent victims to a legitimate but compromised Nespresso URL. That URL redirected them to a fake Microsoft login page built to steal credentials. Also, learn about a sophisticated malware campaign that abuses the eScan antivirus update mechanism to distribute backdoors and cryptominers.

Top Malware Reported in the Last 24 Hours


CoralRaider launches multi-malware campaign
Cisco Talos uncovered an ongoing attack campaign by the threat actor CoralRaider, which has been distributing Cryptbot, LummaC2, and Rhadamanthys malware since February 2024. The campaign uses a new PowerShell command-line argument in LNK files to evade antivirus detection. Using a Content Delivery Network cache domain as its download server, the campaign impacts victims globally, including in the U.S., Nigeria, and Japan, with targets across various sectors.

Microsoft dissects Forest Blizzard’s custom tool
Microsoft Threat Intelligence revealed that the Russia-based threat actor Forest Blizzard has been using its custom tool GooseEgg to escalate privileges and steal credentials in compromised networks. Exploiting the CVE-2022-38028 vulnerability in the Windows Print Spooler service, Forest Blizzard has targeted the government, education, and transportation sectors in Ukraine, Western Europe, and North America since June 2020. Microsoft has advised applying the security updates.

GuptiMiner exploits antivirus update mechanism
Avast uncovered the sophisticated GuptiMiner malware campaign, which abuses the eScan antivirus update mechanism to distribute backdoors and coinminers. The threat, possibly linked to the North Korean APT group Kimsuky, employs advanced techniques including DNS requests to attacker-controlled servers, DLL sideloading, and payload extraction from innocuous-looking images. GuptiMiner targets large corporate networks with two distinct backdoor variants that facilitate lateral movement and reconnaissance for private keys and crypto wallets.

Top Vulnerabilities Reported in the Last 24 Hours


Flaws in Microsoft Defender and Kaspersky products
Researchers at SafeBreach identified security vulnerabilities in Microsoft Defender and Kaspersky's EDR software that allow remote file deletion even after patching attempts. By implanting malware signatures into legitimate files, attackers could trick the EDR products into classifying those files, databases included, as infected, leading to their deletion. Even after patches were released, further bypasses were discovered, highlighting the difficulty of fully addressing the issue.

Siemens affected by Palo Alto’s firewall issue
Siemens disclosed that its Ruggedcom APE1808 devices, when equipped with Palo Alto Networks virtual NGFWs, are affected by the recently exploited firewall vulnerability CVE-2024-3400. Although Siemens has not observed attacks specifically targeting its product, it is preparing updates and has provided mitigations. The vulnerability, exploited by a state-sponsored threat actor, allows arbitrary command execution with elevated privileges. The Shadowserver Foundation reports roughly 6,000 exposed devices.

Top Scams Reported in the Last 24 Hours


Nespresso bug abused to steal credentials
A phishing campaign exploited an open redirect vulnerability in Nespresso's website: victims were sent to a legitimate but compromised Nespresso URL, which bypassed security warnings and then forwarded them to a doctored Microsoft login page that captured their credentials. The campaign used various sender domains but consistently sent phishing emails impersonating Bank of America employees.

Tags

gooseegg
rhadamanthys stealer
palo alto networks
guptiminer
nespresso
microsoft defender
cryptbot
lummac2 stealer
siemens ruggedcom ape1808

Posted on: April 23, 2024