Cyware Daily Threat Intelligence

Daily Threat Briefing Aug 8, 2024

State-sponsored cyber spies and cybercriminals are increasingly exploiting legitimate cloud services to launch stealthy attacks, making their malicious activity harder to detect. Researchers identified three such operations that use cloud platforms such as Google Drive and Microsoft cloud services to run their campaigns, and uncovered new data theft and malware tools still in development.

In a parallel development, a security researcher has disclosed two zero-day vulnerabilities that enable downgrade attacks, effectively unpatching fully updated Windows 10, 11, and Windows Server systems. These vulnerabilities allow threat actors to revert the operating system to an older version, thereby reintroducing previously patched vulnerabilities and compromising the system's security.

Additionally, a new phishing campaign has emerged, employing Google Drawings and WhatsApp-generated shortened links to deceive users into clicking on fraudulent links. The attackers craft these campaigns to mimic Amazon account verification processes, leading unsuspecting users to fake Amazon login pages to steal their credentials and personal information.

Top Malware Reported in the Last 24 Hours

New threat group Actor240524

NSFOCUS Security Labs identified a new APT group, Actor240524, targeting Azerbaijan and Israel through a spear-phishing attack. The attackers used a Word document with malicious macros to execute the ABCloader and ABCsync trojans. The malware employs several techniques to evade analysis and detection, including string encryption, PEB detection, hardware-breakpoint detection, screen-resolution detection, process-count detection, and checks for specific permissions.

Malware dissemination via cloud storage lockers

State-sponsored cyber spies and criminals are increasingly using legitimate cloud services to launch attacks, making their activity harder to detect. Symantec identified three such operations, along with new data theft and malware tools in development. The attackers favor cloud platforms such as Google Drive and Microsoft cloud services because they are easy to use and hard to detect. The recent campaigns involve backdoors named Grager and Moon_Tag, tentatively linked to a group suspected of ties to the Chinese government. Another backdoor, Onedrivetools, targeted IT services firms in the U.S. and Europe.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Roundcube XSS flaw

Sonar discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube webmail software. When a victim views a malicious email in Roundcube, the attacker can execute arbitrary JavaScript in the victim's browser. This can lead to the theft of emails, contacts, and email passwords, as well as the sending of unauthorized emails from the victim's account. Roundcube administrators are advised to update immediately to the patched versions, 1.6.8 or 1.5.8. The vulnerabilities are tracked as CVE-2024-42008, CVE-2024-42009, and CVE-2024-42010.

Windows Update downgrade attack

A security researcher revealed two zero-day vulnerabilities that can be exploited in downgrade attacks to "unpatch" fully updated Windows 10, 11, and Windows Server systems. These vulnerabilities allow threat actors to roll back the software version, reintroducing old vulnerabilities and compromising the system. By exploiting the zero-days, attackers could bypass virtualization-based security and make fully patched Windows machines susceptible to past vulnerabilities. The bugs are Windows Update Stack Elevation of Privilege (CVE-2024-38202) and Windows Secure Kernel Mode Elevation of Privilege (CVE-2024-21302).

Active abuse of WhatsUp RCE bug

Threat actors are actively exploiting a critical remote code execution vulnerability, CVE-2024-4885, in Progress WhatsUp Gold 23.1.2 and older versions. Proof-of-concept exploits targeting the '/NmAPI/RecurringReport' endpoint are being used to execute arbitrary commands. The vulnerability allows unauthenticated attackers to execute commands with elevated privileges. The vendor recommends upgrading to version 23.1.3 or implementing firewall rules to restrict access to the vulnerable endpoint.
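The vendor's mitigation above, restricting access to the endpoint, is easier to verify and monitor if requests to it can be picked out of web-server logs. The following is an added example, not code from Progress or from the briefing: it parses constructed access-log lines (a W3C-style layout assumed for illustration, not WhatsUp Gold's own log format), flags every request whose path starts with /NmAPI/RecurringReport, reports those from sources outside an allowlist, and checks an installed version string against the 23.1.3 fix threshold.

```python
"""Added example (not code from Progress or from the briefing): triage helpers
for the WhatsUp Gold CVE-2024-4885 mitigation described above. The log lines
are constructed, and their W3C-style layout is an assumption, not WhatsUp
Gold's own log format."""
import re
from dataclasses import dataclass

# Endpoint named in the briefing and the first fixed version.
VULNERABLE_ENDPOINT = "/NmAPI/RecurringReport"
FIXED_VERSION = (23, 1, 3)

# Constructed sample access-log lines: date time client method path query port status
SAMPLE_LOG = """\
2024-08-08 10:01:22 203.0.113.7 POST /NmAPI/RecurringReport - 9640 200
2024-08-08 10:01:25 198.51.100.4 GET /NmConsole/ - 9640 200
2024-08-08 10:02:01 203.0.113.7 POST /nmapi/recurringreport - 9640 200
2024-08-08 10:03:17 192.0.2.9 GET /NmAPI/RecurringReport/Status - 9640 404
malformed line that the parser should skip
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) \S+ \d+ (\d+)$")


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    path: str
    status: int


def parse_version(version: str) -> tuple:
    """'23.1.2' -> (23, 1, 2); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for 23.1.2 and older, the range the briefing lists as affected."""
    return parse_version(version) < FIXED_VERSION


def find_endpoint_hits(log_text: str) -> list:
    """Return every parsed request whose path starts with the vulnerable endpoint.

    Matching is case-insensitive because IIS path matching is, so a request
    with varied casing must not slip past the check."""
    hits = []
    prefix = VULNERABLE_ENDPOINT.lower()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, ip, method, path, status = m.groups()
        if path.lower().startswith(prefix):
            hits.append(Hit(ts, ip, method, path, int(status)))
    return hits


def unexpected_sources(hits: list, allowed_ips: set) -> list:
    """Hits from clients outside the allowlist that the firewall rule should enforce."""
    return [h for h in hits if h.client_ip not in allowed_ips]


if __name__ == "__main__":
    for h in unexpected_sources(find_endpoint_hits(SAMPLE_LOG), {"192.0.2.9"}):
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.path} -> {h.status}")
    print("23.1.2 vulnerable:", is_vulnerable_version("23.1.2"))
```

The prefix match deliberately catches sub-paths and mixed-case variants of the endpoint, and a 404 on a sub-path is still reported, since the point is to see who is probing the endpoint at all, not only who succeeded.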

Top Scams Reported in the Last 24 Hours

New phishing scam spotted

A new phishing campaign has been using Google Drawings and WhatsApp-generated shortened links to trick users into clicking on fraudulent links. The attackers mimic an Amazon account verification link, leading users to a fake Amazon login page that steals credentials and personal information. The method also exploits a loophole in Microsoft 365's anti-phishing mechanisms: the attackers use CSS trickery to hide safety tips in phishing emails.
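A mail gateway or triage script can flag the CSS trick mentioned above by looking for text that inline styles render invisible. The following is an added example, not from the briefing or from Microsoft: it walks an HTML email body with the standard-library parser and records any text whose enclosing element carries a hiding declaration (display:none, visibility:hidden, zero font size, zero opacity, zero height). The message it scans is constructed, and the real markup of a Microsoft 365 safety tip is not on the page, so the scanner assumes nothing about it.

```python
"""Added example, not from the briefing: find text in an HTML email body that
inline CSS renders invisible, the kind of trick the briefing says is used to
hide warning banners. The message below is constructed; the markup that a
real safety tip uses is not on the page, so nothing here assumes it."""
import re
from html.parser import HTMLParser

# Inline declarations that make an element or its text invisible to the reader.
# Negative lookaheads keep values like opacity:0.5 or font-size:0.8em from matching,
# and the lookbehind keeps line-height:0 / min-height:0 from counting as height:0.
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(px|pt|em|%)?(?![\d.])", re.I),
    re.compile(r"opacity\s*:\s*0(\.0+)?(?![\d.])", re.I),
    re.compile(r"(?<![\w-])(max-)?height\s*:\s*0(px|pt|em)?(?![\d.])", re.I),
]

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never have a closing tag


class HiddenTextScanner(HTMLParser):
    """Tracks open elements and records text whose ancestor carries a hiding style."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, matched declaration, hidden text)
        self._open = []      # (tag, matched declaration or None) for open elements

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        matches = (p.search(style) for p in HIDING_PATTERNS)
        hit = next((m.group(0) for m in matches if m), None)
        self._open.append((tag, hit))

    def handle_endtag(self, tag):
        # Pop back to the matching start tag; tolerate unclosed inner elements.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        # The nearest hidden ancestor wins; text under only visible elements is ignored.
        for tag, hit in reversed(self._open):
            if hit:
                self.findings.append((tag, hit, text))
                break


def find_hidden_text(html: str) -> list:
    """Return (tag, declaration, text) for every run of text hidden by inline CSS."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one hidden banner, one visible body, one zero-size span.
SAMPLE_EMAIL = """\
<html><body>
<div style="display:none; max-height:0px;">You don't often get email from this sender.</div>
<p>Your account needs verification. <a href="https://example.invalid/verify">Verify now</a></p>
<span style="font-size:0">safety notice</span>
<p style="color:#333">Thanks,<br>The team</p>
</body></html>
"""

if __name__ == "__main__":
    for tag, hit, text in find_hidden_text(SAMPLE_EMAIL):
        print(f"<{tag} style='{hit}'> hides: {text!r}")
```

Hidden text is not proof of phishing on its own (preheader text in marketing mail is routinely hidden the same way), so this belongs in scoring or triage rather than as a hard block; the value is in surfacing a hidden element that contains a warning-style phrase for a human or a later rule to judge.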
