The Good

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos.

• The National Cyber Incident Response Plan (NCIRP) draft update was released, outlining the government's response to large-scale cyberattacks affecting the national economy. The plan emphasizes coordination between government agencies and the private sector, aiming for agile and effective incident response. It incorporates feedback from experts and public listening sessions. The updated plan addresses the evolving threat environment and lessons learned from past incidents.
• The CISA issued a binding operational directive (BOD 25-01) requiring federal civilian agencies to secure their cloud environments. This includes deploying assessment tools, integrating with CISA's monitoring infrastructure, and implementing secure configuration baselines for cloud services. The directive initially focuses on Microsoft 365 and will later expand to include other platforms like Google Workspace. Federal agencies must comply with specific deadlines for identifying cloud tenants, deploying assessment tools, and implementing secure configuration baselines. 
• Global law enforcement agencies seized 27 platforms used for launching DDoS attacks, leading to the arrest of three administrators in France and Germany and the identification of over 300 users. The operation, known as PowerOFF, aimed to disrupt cybercriminals' attempts to create chaos during the festive season. The platforms disrupted were used for illegal traffic flooding, causing financial loss and reputational damage.
• The NIST released two updates to help organizations evaluate their cybersecurity programs. The guidance is divided into two volumes. Volume 1 discusses technical issues in measuring information security, comparing qualitative assessments with data analysis and introducing various assessment types. Volume 2 involves leadership in applying the qualitative findings and stresses the importance of strong management support. The updates aim to broaden the audience to all organizations concerned with cybersecurity.
• The HHS announced updates to the to enhance protections for electronic health information (PHI). The proposed changes will include new technical measures such as network segmentation, multi-factor authentication, and encryption to address increasing cybersecurity threats faced by healthcare organizations. Key requirements include documenting all policies and procedures in writing, developing a detailed incident response plan, and creating an up-to-date inventory and network map for tracking PHI. Healthcare organizations will also need to improve their risk analysis processes.

The Bad

The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data.

• BlueAlpha, a Russian state-sponsored APT group, has updated its malware delivery methods to exploit Cloudflare Tunnels, aiming to infect victims with GammaDrop malware. BlueAlpha uses Cloudflare Tunnels to hide its malware staging infrastructure from detection. Its method involves HTML smuggling attacks that bypass email security and DNS fast-fluxing to maintain control communications. BlueAlpha has targeted Ukrainian organizations and has used GammaLoad malware since October 2023.
• Researchers observed suspicious domains impersonating brands like Etsy in a widespread phishing and pig-butchering network targeting retail brands and a crypto phishing campaign. The retail phishing campaign, dubbed "Aggressive Inventory Zombies (AIZ)," targets major retailers and marketplaces, like Amazon, BestBuy, eBay, Wayfair, Costco, Rakuten, etc, and also targets crypto audiences from Binance, Kraken, etc. The operators behind this campaign have been creating phishing sites using a popular website template and integrating chat services for phishing activities. It's believed that the threat actor has some financial ties to India.
• Malicious VSCode extensions targeting developers and cryptocurrency projects were discovered on the VSCode marketplace and NPM. These extensions, disguised as productivity tools and targeting cryptocurrency investors, contained downloader functionality to download heavily obfuscated PowerShell payloads. The threat actors used fake reviews and installation numbers to appear legitimate. The second-stage payloads were designed to execute hidden PowerShell commands to drop further malicious payloads on the compromised system.
• The BADBOX botnet, previously believed to have been dismantled, has re-emerged and expanded to compromise over 192,000 Android-based devices globally. It now infects high-end smart TVs and smartphones at the supply chain level, making detection difficult for consumers and enterprises. The malware performs malicious activities, including ad fraud and account abuse, and communicates with command-and-control servers to download and execute new payloads.
• CYFIRMA found a complex cyberattack aimed at valuable individuals in Southern Asia. An unknown attacker used the SpyNote RAT to create a malicious Android payload to target the targeted systems. The malware was delivered through WhatsApp with four apps disguised under names like “Best Friend.” These apps connected to a single C2 server and operated secretly. The malware could access sensitive permissions, like location tracking and reading text messages, and directed victims to enable accessibility settings, which allowed deeper control over their devices.
• Cybercriminals are increasingly exploiting Cloudflare's pages[.]dev and workers[.]dev domains for phishing and malicious activities. Fortra observed a 198% rise in phishing attacks on Cloudflare Pages, increasing from 460 incidents in 2023 to 1,370 by mid-October 2024, with expectations to exceed 1,600 incidents by year-end. The report also noted a 104% increase in phishing attacks using this platform, climbing from 2,447 incidents in 2023 to nearly 6,000 expected by year-end.
• Criminals are spoofing Google Calendar emails in a phishing scheme affecting about 300 organizations, with over 4,000 emails sent in four weeks. They alter sender email headers to make it seem like legitimate Google Calendar invites from known contacts. The phishing emails usually include a .ics calendar file with links to Google Forms or Google Drawings. Clicking these links leads to sites that mimic cryptocurrency mining or Bitcoin support, aimed at stealing personal and payment details. 
• The North Korea-aligned group Kimsuky has been linked to a series of phishing attacks aimed at stealing credentials. These attacks started with emails from Japan and Korea but shifted in mid-September to disguise themselves as Russian senders. They used the VK Mail[.]ru service and its various alias domains. Kimsuky impersonated financial institutions and internet services like Naver, targeting users with fake alerts about their MYBOX cloud storage accounts. These phishing emails were sent through a compromised server at Evangelia University using a PHP mailer called Star. 
• Researchers found that APT-C-01, also known as Poison Ivy, has resurged and is actively targeting defense, government, technology, and education sectors. It is using advanced phishing methods like watering hole and spear-phishing. Recent findings show an increase in its activities, including creating fake websites that trick victims into downloading Sliver RAT. The malware allows attackers to gain unauthorized access, steal sensitive information, and conduct remote operations.

New Threats

This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in  South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces.

• Iranian threat actors are using a new malware called IOCONTROL to target IoT devices and OT/SCADA systems in Israel and the U.S. This malware targets various devices, including routers and fuel management systems. IOCONTROL can disrupt key infrastructure by controlling devices like pumps and payment terminals. The malware avoids detection through various measures and can execute commands like sending system information, running commands, and deleting itself. It operates via standard protocols used by IoT devices and has been reported to compromise gas stations.
• A new malware technique uses a Windows accessibility system called UI Automation (UIA) to perform rogue actions without being detected by security software. Users can be tricked into running a UIA program, which can execute commands, access sensitive data, and redirect browsers to phishing sites. This method can also affect messaging apps and manipulate UI elements over a network. It can be abused to read messages, steal data, and execute harmful redirects.
• A new Android banking malware called DroidBot targets over 77 cryptocurrency exchanges and banking apps. Despite its lack of unique features, DroidBot's botnets show 776 unique infections across the U.K, Italy, France, Spain, and Portugal. The malware has been active since June 2024 and operates as a MaaS platform, with affiliates customizing the tool for specific targets. DroidBot uses keylogging, overlaying, SMS interception, and VNC capabilities to steal sensitive information. It also abuses Android's Accessibility Services. Cleafy has identified at least 17 groups using this malware to customize attacks for specific targets. 
• ThreatLabz discovered two new malware families, RevC2 and Venom Loader, active from August to October 2024. These are part of campaigns using the MaaS platform from a threat actor named Venom Spider. The campaigns employed tools like VenomLNK to deliver malware through phishing. RevC2 communicates with its command server using WebSockets and can steal cookies and passwords, execute commands, take screenshots, and proxy traffic. The second campaign introduced Venom Loader, which set up a JavaScript backdoor called More_eggs lite. This backdoor executes remote commands and uses unique encoding for each victim.
• A new series of cyberattacks on Chinese scientific organizations have been linked to the Patchwork APT group. This latest attack targets intellectual property related to scientific research. The method begins with a spear-phishing email that contains a harmful LNK file disguised as a document. When opened, it launches a multi-stage malware process while showing a harmless PDF. The main malware used in this campaign is BadNews, which communicates with a C2 server to steal data and receive instructions. Additionally, fake domains mimicking legitimate websites were identified to distribute more malware and steal data. 
• A new group of 15 SpyLoan Android malware apps with over eight million installs was found on Google Play, mainly affecting users in South America, Southeast Asia, and Africa. McAfee reported these apps to Google, which informed developers that their apps broke Google Play policies and required fixes. Some apps were removed while others were updated. From Q2 to Q3 2024, the number of malicious SpyLoan applications and unique infected devices rose by over 75%.
• Two Android spyware families, BoneSpy and PlainGnome, linked to the Russian group Gamaredon, were designed for extensive surveillance, including tracking GPS, collecting data, and capturing audio. Gamaredon employs them for espionage purposes. BoneSpy has been active since 2021, while PlainGnome was identified in 2024. Both target Russian-speaking victims in former Soviet states. BoneSpy mimics legitimate apps, and PlainGnome uses a two-stage deployment to avoid detection.
• A new phishing campaign has been discovered, distributing a malware variant known as AppLite Banker. This campaign mainly targets Android devices, using advanced social engineering techniques to steal personal and corporate credentials. The current attacks exploit mobile vulnerabilities through fake job application pages and banking trojans. The attackers impersonate recruiters from reputable companies, sending phishing emails that lead users to fake websites. These sites trick users into downloading a fake CRM app, which then installs the AppLite malware.