
Cyware Daily Threat Intelligence, December 06, 2024


Daily Threat Briefing Dec 6, 2024

BlueAlpha sharpened its arsenal by exploiting Cloudflare Tunnels to obscure its malware staging infrastructure. The Russian-backed group deployed GammaDrop malware against Ukrainian organizations, using advanced techniques like HTML smuggling to bypass email filters and DNS fast-fluxing for stealthy command-and-control. 

Mitel MiCollab’s unresolved vulnerability exposed enterprises to potential cyber risks despite earlier patches. While two critical flaws, including an authentication bypass, were fixed, a lingering arbitrary file read vulnerability remains open after over 100 days without a vendor-provided solution. 

Manufacturing firms have become the latest victims of a multi-stage malware campaign. Threat actors disguised malicious LNK files as PDFs, leveraging LOLBins and PowerShell commands to bypass security. The attack deploys tools like Lumma stealer and Amadey bot to siphon sensitive data.

Top Malware Reported in the Last 24 Hours

BlueAlpha hides in Cloudflare Tunnels, drops GammaDrop

BlueAlpha, a Russian state-sponsored APT group, has updated its malware delivery methods to exploit Cloudflare Tunnels, aiming to infect victims with GammaDrop malware. BlueAlpha uses Cloudflare Tunnels to hide its malware staging infrastructure from detection. Its method involves HTML smuggling attacks that bypass email security and DNS fast-fluxing to maintain command-and-control communications. BlueAlpha has targeted Ukrainian organizations and has used GammaLoad malware since October 2023.

Campaign leverages Lumma stealer and Amadey bot

A sophisticated campaign has been found targeting the manufacturing industry. It involves a multi-stage attack using deceptive LNK files disguised as PDFs. The attackers use Living-off-the-Land Binaries (LOLBins) to bypass security measures, inject malicious payloads, and deploy the Lumma stealer and Amadey bot to exfiltrate sensitive information and maintain control over compromised systems. The attack also involves URL abuse, PowerShell commands, DLL sideloading, and file injection techniques.

Top Vulnerabilities Reported in the Last 24 Hours

Mitel MiCollab 0-day unpatched 100 days later

A zero-day arbitrary file read vulnerability in Mitel MiCollab can be combined with a now-patched critical bug to access sensitive files. Mitel MiCollab is an enterprise collaboration tool with over 16,000 instances, making it an appealing target for cybercriminals. In addition to the now-fixed critical bug, an authentication bypass vulnerability was also reported and fixed. However, a third flaw, the arbitrary file read vulnerability, remains unpatched despite promises from Mitel. watchTowr has published a proof-of-concept after waiting over 100 days for a fix from the vendor.

Critical bug in SailPoint IdentityIQ

SailPoint issued a warning about a critical vulnerability in its IdentityIQ platform, which could allow unauthorized access to restricted files. The vulnerability, tracked as CVE-2024-10905 with a severity score of 10/10, is an improper access control flaw affecting multiple versions of IdentityIQ. SailPoint has released e-fixes for the affected versions and advises users to update their instances as soon as possible to prevent potential exploitation by threat actors. 

0-day in Windows exposes NTLM credentials

A newly found zero-day vulnerability affects all supported and legacy versions of Microsoft Windows, allowing attackers to capture user NTLM credentials by simply viewing a malicious file in Windows Explorer. The vulnerability impacts all Windows versions from Windows 7 to Windows 11 and requires immediate mitigation to safeguard sensitive information. 0patch has released free micropatches for various Windows versions, including unsupported legacy systems.
