
Cyware Daily Threat Intelligence, December 16, 2024


Daily Threat Briefing Dec 16, 2024

The ever-evolving threat landscape continues to target unsuspecting users across industries and platforms. A SocGholish malware campaign recently set its sights on Kaiser Permanente employees, leveraging fraudulent Google Search Ads masquerading as an HR portal. Meanwhile, the Chinese hacking group Winnti has unleashed a new modular backdoor named Glutton, targeting industries in both China and the U.S. This advanced ELF-based backdoor not only enables tailored cyberattacks but also infiltrates other threat actors’ systems by embedding itself in software packages. 

Ruijie Networks faced scrutiny as researchers uncovered 10 vulnerabilities in its Reyee cloud management platform and OS devices. Among these flaws is Open Sesame, allowing attackers near a Ruijie access point to exploit its cloud connection and infiltrate internal networks. Though Ruijie has patched these vulnerabilities at the cloud level, the findings emphasize the growing risks associated with cloud-enabled devices.

Even content creators are under siege, as over 200,000 YouTubers have been targeted in a phishing campaign that mimics major brands. Cybercriminals lure victims with fake collaboration emails containing malware-laden attachments designed to steal credentials and grant remote system access.

Top Malware Reported in the Last 24 Hours

Malicious ad propagates SocGholish

A SocGholish malware campaign has been found targeting Kaiser Permanente employees through fraudulent Google Search Ads. The fraudulent ad, named Heather Black, pretended to be the company's HR portal for accessing benefits and paystubs. The attackers aimed to steal KP employees' login information: when victims clicked the ad, they were redirected to a compromised website that asked them to update their browser.

Winnti uses new Glutton backdoor

The Chinese hacking group Winnti has been found using a new PHP backdoor called Glutton to target organizations in China and the U.S. Glutton is an ELF-based modular backdoor that allows for tailored attacks, targeting specific industries and organizations. It can also be used to target other cybercriminals by embedding itself in software packages and deploying a tool called 'HackBrowserData' to extract sensitive information from their systems. This comprehensive attack framework has been active for over a year, but the initial access vector remains unknown.

New Yokai backdoor targets Thai officials

Thai government officials are being targeted by a new campaign using DLL side-loading to deliver a backdoor called Yokai. The attack starts with a RAR archive containing Windows shortcut files disguised as U.S. government documents. When opened, these files drop a malicious executable and a DLL that helps deploy the backdoor. Yokai sets up persistence and connects to a C2 server.

NodeLoader campaign evades detection

Zscaler ThreatLabz found a NodeLoader malware campaign using Node.js apps for Windows to spread cryptocurrency miners and information stealers. This malware is hard to detect because Node.js is usually used for web services, and there are few antivirus signatures for it. The attackers rely on NPM to create Windows executables for malicious use, combining social engineering with evasion techniques. They promote the malware through YouTube and Discord, directing users to fake gaming sites that lead to malware downloads. NodeLoader downloads a PowerShell script to execute further malware, such as XMRig, Lumma, and Phemedrone Stealer.

Top Vulnerabilities Reported in the Last 24 Hours

PoC exploit released for Spring Framework bug

A critical vulnerability (CVE-2024-38819) in the Spring Framework has been publicly disclosed, allowing attackers to conduct path traversal attacks and potentially access sensitive files on affected servers. The vulnerability affects versions 5.3.0 to 6.1.13 of the framework, and a PoC exploit has been published. The Spring Framework team has issued patches, and users are strongly urged to upgrade to fixed versions (5.3.4, 6.0.25, 6.1.14) to mitigate the risk.

About this new Open Sesame attack

Team82 conducted research on Ruijie Networks' devices and uncovered 10 vulnerabilities in its Reyee cloud management platform, affecting both the platform and Reyee OS network devices. These vulnerabilities could enable attackers to execute code on cloud-enabled devices, potentially controlling thousands of devices. One attack, called Open Sesame, allows attackers in close physical proximity to a Ruijie Reyee OS access point to exploit the device through the cloud, gaining access to its internal network. Ruijie has addressed the vulnerabilities in the cloud, and users are not required to take any action.

Top Scams Reported in the Last 24 Hours

FTC warns of online task job scams

The FTC issued a warning about a steep increase in task scams, online job scams that resemble gambling. These scams lure victims with promises of making money through repetitive tasks, such as liking videos or rating products, and then ask for deposits in order to access earnings. The FTC received 20,000 reports of these scams in the first half of 2024, and reported financial losses tripled from 2020 to 2023. The scammers use cryptocurrency and impersonate well-known companies to make the scams appear legitimate.

Phishing campaign targets YouTube creators

Over 200,000 YouTube creators have been targeted by cybercriminals posing as well-known brands in a new phishing campaign. The scammers send harmful emails with subject lines like Collaboration Proposal to trick victims into opening malware-filled attachments. These attachments contain malicious files that steal sensitive information and allow remote access to victims' computers. CloudSEK reported that over 340 SMTP servers and 46 RDP systems are part of this campaign, which also involves 26 SOCKS5 proxies to hide the attackers' activities.
