
Cyware Monthly Threat Intelligence

Monthly Threat Briefing Aug 1, 2024

The Good

The collaborative efforts and enhanced protocols by different government bodies represent significant steps forward in strengthening cybersecurity on a global scale. French authorities, in collaboration with Europol, have launched a "disinfection operation" to eradicate the PlugX malware from infected systems. Meanwhile, the U.K.'s NCA, in partnership with the FBI and PSNI, successfully disrupted the DDoS-for-hire service DigitalStress as part of Operation Power Off. In another significant move, the White House is mandating federal research agencies to implement stricter cybersecurity protocols. This includes ensuring that R&D institutions have adequate security measures in place, a response to increasing threats from adversaries like China.

  • French authorities have launched an operation in collaboration with Europol to remove the PlugX malware from infected systems. The initiative, known as a "disinfection operation," started on July 18 and is expected to last for several months. So far, around a hundred victims in various countries have benefited from the cleanup efforts. The PlugX malware, also known as Korplug, is a remote access trojan widely used by China-nexus threat actors since 2008.
  • The NCA, in collaboration with the FBI and PSNI, disrupted the DDoS-for-hire service DigitalStress. The authorities seized the service's domain and arrested one of its suspected administrators. The NCA has warned users that their data has been collected and will be analyzed to identify them. This action was part of Operation Power Off, an international effort to disrupt DDoS-for-hire services.
  • Europol led a coordinated cross-border investigation codenamed Operation Morpheus to shut down nearly 600 IP addresses supporting illegal Cobalt Strike copies. The takedown targeted 690 IP addresses in 27 countries hosting illegal instances of Cobalt Strike, which has been used by cybercriminals and nation-state actors for deploying ransomware and conducting cyber espionage campaigns. The enforcement actions involved server takedowns and warnings to internet service providers hosting malware. The NCA emphasized that while the software itself is legitimate, criminals have exploited it for illicit purposes, making it easier for them to conduct damaging cyberattacks.
  • Law enforcement from 61 countries conducted an operation called First Light, dismantling online scam networks and arresting over 3,900 suspects. They seized $257 million in assets obtained illegally and identified over 14,600 potential cybercriminals. The operation targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams.
  • The White House is requiring federal research agencies to implement increased cybersecurity protocols, including certifying that institutions conducting R&D have proper security measures in place, in response to growing threats from adversaries like China. Higher education institutions must implement cybersecurity programs consistent with the CHIPS and Science Act's cybersecurity resource for research-focused entities. Other covered institutions must implement cybersecurity programs consistent with resources maintained by NIST or other federal research agencies.
  • Law enforcement agencies and crypto exchanges from six countries are collaborating in an effort called Operation Spincaster to combat cryptocurrency approval phishing scams. This initiative, led by blockchain intelligence firm Chainalysis, has identified 7,000 leads related to compromised wallets and $162 million in losses. The operation has resulted in the closure of attacker-controlled accounts, recovery of funds, and preventative actions against future scams.

The Bad

The cybersecurity landscape is facing significant threats from various sources, with the sale of the Trik Loader (aka Phorpiex) botnet's source code in antivirus circles raising alarm. Simultaneously, small and medium-sized businesses in Poland, Italy, and Romania are under attack from cybercriminals utilizing phishing campaigns loaded with malware like Agent Tesla, Formbook, and Remcos RAT. Adding to the growing list of cyber threats, the threat actor known as Stargazer Goblin has launched a malware Distribution-as-a-Service (DaaS) operation on GitHub.

  • The source code for the Trik Loader (aka Phorpiex) botnet is being sold in antivirus circles, raising concerns among cybersecurity experts. The botnet includes a crypto clipper, a USB emitter, and a PE infector targeting cryptocurrency wallets. Its ability to protect itself from detection (FUD) and the absence of a control panel make it a serious threat. Modules like the VNC bruteforcer and USB emitter further enhance its capabilities, posing risks to individuals and organizations by gaining unauthorized access to systems and spreading through USB drives.
  • Cybercriminals are targeting small and medium-sized businesses in Poland, Italy, and Romania with phishing campaigns using malware like Agent Tesla, Formbook, and Remcos RAT. ESET researchers reported that the attackers used compromised email accounts and servers to spread malicious emails and host malware. These campaigns, consisting of nine waves, are using a malware loader known as DBatLoader to deliver the final payloads.
  • UNC4393, the group known for deploying the Black Basta ransomware, has been changing tactics since mid-2022. As per the latest research, UNC4393 initially relied on QAKBOT for access but adapted to using custom malware and different techniques after the takedown of the Qakbot botnet. UNC4393 has transitioned from using readily available tools to custom malware like Black Basta, SystemBC, KnotWrap, DawnCry, and PortYard. They have diversified access methods through DARKGATE and SILENTNIGHT, along with open-source and custom tools for reconnaissance.
  • Microsoft issued a warning about ransomware gangs exploiting a VMware ESXi authentication bypass vulnerability in their attacks. The security flaw, identified as CVE-2024-37085, allows attackers to add a new user with full administrative privileges on the ESXi hypervisor. This bug was fixed with the release of ESXi 8.0 U3. The vulnerability has been used in attacks by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to deploy Akira and Black Basta ransomware.
  • Researchers at Salt Labs uncovered critical cross-site scripting (XSS) vulnerabilities in the Hotjar web analytics platform and Business Insider. Exploiting XSS combined with OAuth, a commonly used authentication protocol, could lead to severe breaches. Attackers could gain control of accounts by tricking users into clicking malicious links. Major brands like Adobe, Microsoft, T-Mobile, and Nintendo, serving over a million websites, were at risk of data breaches.
  • Proofpoint's email protection service was exploited in a phishing campaign called "EchoSpoofing" to send millions of spoofed emails daily impersonating major companies like Disney, Nike, IBM, and Coca-Cola to target Fortune 100 companies. The campaign began in January 2024 and peaked in June with 14 million spoofed emails per day. Guardio Labs discovered the campaign and the security vulnerability in Proofpoint's servers, which allowed threat actors to send emails through compromised Office 365 accounts.
  • A targeted Python package, ‘lr-utils-lib,’ was uploaded to PyPI to steal Google Cloud Platform credentials from a specific set of 64 macOS systems. The malicious code is hidden in the setup file, allowing it to execute immediately upon installation. Successful infection leads to the exfiltration of Google Cloud credentials to a remote server, potentially enabling further attacks on cloud assets. The campaign also involves social engineering, with the package owner posing as the CEO of a legitimate company on LinkedIn.
  • A critical local privilege escalation vulnerability has been found in RaspAP, used to turn Raspberry Pi devices into access points. The flaw is tracked as CVE-2024-41637 and has a severity score of 9.9. The vulnerability affects RaspAP versions before 3.1.5. It arises from improper access controls, letting the www-data user write to restapi.service, executing critical commands with sudo privileges without a password. A PoC exploit has also been released by the researcher who discovered the flaw.
  • The Mekotio banking trojan is a sophisticated malware targeting Latin American countries, particularly Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often delivered through phishing emails that appear to be from tax agencies, containing malicious links or attachments. Upon execution, Mekotio gathers system information and establishes a connection with a C2 server. It displays fake pop-ups that mimic legitimate banking sites, tricking users into entering their login details. Mekotio can also capture screenshots, log keystrokes, and steal clipboard data.
  • Smishing Triad has been registering multiple domain names impersonating the India Post to carry out large-scale smishing campaigns to steal PII and payment data. The group uses compromised and registered iCloud accounts to send fraudulent iMessages with smishing URLs, directing victims to provide personal and payment details under the pretext of a failed package delivery. This threat has been observed targeting a wide range of individuals in India, including consumers, businesses, and government entities.
  • The cybercriminal gang Revolver Rabbit has registered over 500,000 domain names using Registered Domain Generation Algorithms (RDGAs) to conduct infostealer campaigns targeting Windows and macOS systems. The threat actor is distributing the XLoader info-stealing malware, controlling more than 500,000 domains under the .bond top-level domain to create decoy and live C2 servers for the malware. This massive domain registration campaign has cost the gang over $1 million in registration fees.
  • The threat actor known as Stargazer Goblin developed a malware Distribution-as-a-Service (DaaS) on GitHub, using over 3,000 fake accounts to push information-stealing malware. This service, called Stargazers Ghost Network, distributes password-protected archives containing malware through GitHub repositories and compromised WordPress sites. The operation targets specific interests like cryptocurrency and gaming, using phishing templates to lure victims. The malware set includes RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.
  • Threat actors are exploiting the hype around the upcoming Grand Theft Auto VI release by creating malicious Facebook ads promising a GTA VI beta version for download. These ads are designed to lure unsuspecting gamers into downloading malware instead of a legitimate game. The malicious ads lead users to download a fake GTA VI installer, which is actually a form of FakeBat loader malware. FakeBat can, in turn, deploy next-stage malware like info-stealers and RATs.
  • The cybercrime group Scattered Spider is now using the RansomHub and Qilin ransomware variants in its attacks. This shift demonstrates how newer ransomware families like RansomHub and Qilin are gaining prominence as ALPHV/BlackCat and LockBit decline. Microsoft has described Scattered Spider as one of the most threatening cybercrime groups currently in operation.

New Threats

A series of new and concerning threats have emerged in the threat landscape. Since February 2022, a malicious campaign has been using over 100,000 Android malware apps to steal OTP codes from SMS messages, targeting victims across 113 countries, with India and Russia being the most affected. In another development, Walmart’s Cyber Intelligence Team has discovered a new PowerShell backdoor along with a variant of the Zloader malware that utilizes advanced obfuscation techniques. Additionally, the Iranian threat group MuddyWater has been deploying a new backdoor called BugSleep, using phishing emails to distribute legitimate remote management tools.

  • A new malicious campaign using over 100,000 Android malware apps to steal OTP codes from SMS messages has been detected since February 2022. These apps intercept OTPs to commit identity fraud from over 600 global brands with millions of users. The victims are in 113 countries, with India and Russia being the most targeted. The attack starts with tricking victims into downloading a malicious app from fake ads or Telegram bots, which then steals SMS messages and transmits them to command-and-control servers.
  • Walmart’s Cyber Intelligence Team discovered a new PowerShell backdoor alongside a variant of the Zloader/SilentNight malware. The backdoor enables threat actors to gain further access and deploy malware, using advanced obfuscation techniques. Zloader, originally a banking Trojan, has evolved into a multifunctional malware linked to ransomware groups like Ryuk and DarkSide. The PowerShell backdoor shares similarities with another malware called PowerDash, both utilizing obfuscation to hide their functions and communicate with command and control servers.
  • A new phishing scam targeting Microsoft OneDrive users tricks them into running a malicious PowerShell script. Known as OneDrive Pastejacking, the attack begins with an email containing an HTML file simulating a OneDrive page and urging the recipient to update their DNS cache. Clicking on "How to fix" leads users to run a PowerShell command that creates a folder, downloads files, and executes a script. The campaign has been observed in various countries, including the U.S. and the U.K. This tactic, also known as ClickFix, is on the rise according to cybersecurity researchers from ReliaQuest, Proofpoint, and McAfee Labs.
  • The new PKFail vulnerability allows attackers to bypass the Secure Boot process on millions of Intel and ARM microprocessor-based systems from multiple vendors, including Lenovo, HP, Asus, and SuperMicro, among others. The Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database.
  • Researchers disclosed a privilege escalation vulnerability, named ConfusedFunction, in Google Cloud Platform's Cloud Functions service. This vulnerability allows an attacker to access other services and sensitive data by exploiting the Default Cloud Build Service Account's excessive permissions. Google has updated the default behavior to prevent misuse, but the change does not apply to existing instances. This issue highlights the potential risks of software complexity and inter-service communication in cloud providers' services.
  • Check Point warned that the Iranian threat group MuddyWater has increased its cyber activities against Israel, deploying a new backdoor called BugSleep. The group has been using phishing emails to deploy legitimate remote management tools and has now introduced BugSleep to target organizations in Israel. BugSleep is designed to execute the threat actors' commands and transfer files between the compromised machine and the C2 server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs.
  • Wiz warned about an ongoing campaign that exploits internet-exposed Selenium Grid services for illicit cryptocurrency mining. The campaign, called SeleniumGreed, has been active since at least April 2023 and targets older versions of Selenium (3.141.59 and prior). The attack involves the threat actor targeting publicly exposed instances of Selenium Grid and making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner. Researchers identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.
  • A new campaign by the Turla malware group has been spotted using malicious LNK files to deploy a fileless backdoor. The malware campaign starts with a malicious package downloaded from a compromised website, potentially distributed through phishing emails. The malicious LNK file masquerades as a normal PDF document and executes a PowerShell script that deploys a fileless backdoor using Microsoft's msbuild.exe. The backdoor disables Event Tracing for Windows (ETW), performs memory patching on system modules, and bypasses the Windows Antimalware Scan Interface (AMSI) to evade detection.
  • Microsoft discovered and disclosed two vulnerabilities in Rockwell Automation's PanelView Plus devices, which could allow RCE and DoS attacks by unauthenticated attackers. The RCE vulnerability (CVE-2023-2071) involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS bug (CVE-2023-29464) takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, leading to a DoS.
  • Transparent Tribe has developed a new variant of its Android spyware called CapraRAT that targets gamers, weapons enthusiasts, and TikTok fans by embedding it into curated video browsing applications. SentinelLabs has identified four new CapraRAT APKs, including Crazy Game signed.apk, Sexy Videos signed.apk, TikTok signed.apk, and Weapons signed.apk.
  • The Chinese government-backed cyber espionage group APT41 has added a new loader called DodgeBox and a backdoor named MoonWalk to its arsenal of malware tools, according to research by Zscaler ThreatLabz. DodgeBox, similar to APT41's StealthVector, is a shellcode loader with advanced features such as encryption, environment checks, and evasion techniques. It also drops the MoonWalk backdoor, which utilizes Google Drive for command-and-control communication.
  • The Play ransomware group has developed a new Linux variant targeting VMware ESXi environments, with most attacks concentrated in the U.S. This variant evades security measures and encrypts files in ESXi environments. The ransomware encrypts VM files, powers off VMs, and drops a ransom note. The group appears to be using infrastructure from the Prolific Puma group, and the researchers found a possible connection between the two.
  • A new variant of the HTTP request smuggling attack called TE.0 affected thousands of Google Cloud-hosted websites, compromising services like Identity-Aware Proxy. HTTP request smuggling is a web security flaw where attackers exploit inconsistencies in handling HTTP request sequences by servers and intermediaries. The technique, similar to the CL.0 variant, uses the Transfer-Encoding header to enable mass zero-click account takeovers on susceptible systems.
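The condition every request smuggling variant depends on is a request whose body length can be read two ways by the front end and the back end. The following check, added here as an example (it is not code from the briefing or from any vendor named in it), is the kind of framing validation an edge proxy can apply before forwarding a request: it rejects messages that carry both Content-Length and Transfer-Encoding, conflicting Content-Length values, a Transfer-Encoding that does not end in chunked, or header names with invalid characters. The rules follow RFC 7230 section 3.3.3; the sample requests are constructed for illustration.

```python
"""Reject HTTP requests with ambiguous message framing (added example, not from the briefing)."""

from typing import List, Tuple

Headers = List[Tuple[str, str]]

# RFC 7230 "token" characters allowed in a header field name.
TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request into its request line and (name, value) header pairs.

    Header names are kept exactly as sent (not stripped) so that variants such as
    'Transfer-Encoding : chunked', which parsers disagree on, can be flagged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Headers = []
    for line in lines[1:]:
        if line == b"":
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return request_line, headers


def framing_issues(headers: Headers) -> List[str]:
    """Return a list of reasons the body length of this request is ambiguous (empty if none)."""
    issues: List[str] = []
    content_lengths: List[str] = []
    transfer_encodings: List[str] = []
    for name, value in headers:
        if any(ch not in TOKEN_CHARS for ch in name):
            issues.append(f"invalid characters in header name {name!r}")
        lname = name.strip().lower()
        if lname == "content-length":
            content_lengths.append(value)
        elif lname == "transfer-encoding":
            transfer_encodings.append(value)

    if len(set(content_lengths)) > 1:
        issues.append("conflicting Content-Length values")
    for v in content_lengths:
        if not v.isdigit():
            issues.append(f"non-numeric Content-Length {v!r}")
    # RFC 7230 3.3.3: a message with both headers ought to be treated as an error.
    if content_lengths and transfer_encodings:
        issues.append("Transfer-Encoding and Content-Length both present")
    if transfer_encodings:
        codings = [c.strip().lower() for v in transfer_encodings for c in v.split(",")]
        if codings[-1] != "chunked":
            issues.append("Transfer-Encoding does not end in 'chunked'")
        if codings.count("chunked") > 1:
            issues.append("'chunked' applied more than once")
    return issues


def should_reject(raw: bytes) -> bool:
    """True when the request must not be forwarded: two hops could disagree on where it ends."""
    try:
        _, headers = parse_request_head(raw)
    except ValueError:
        return True
    return bool(framing_issues(headers))


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
BOTH_HEADERS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
NON_CHUNKED_TE = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                  b"Transfer-Encoding: identity\r\n\r\nhello")
SPACED_NAME = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
DUPLICATE_CL = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 4\r\nContent-Length: 9\r\n\r\nabcd")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("both", BOTH_HEADERS), ("identity", NON_CHUNKED_TE),
                       ("spaced", SPACED_NAME), ("dup-cl", DUPLICATE_CL)]:
        _, hdrs = parse_request_head(req)
        print(f"{label:9s} reject={should_reject(req)} {framing_issues(hdrs)}")
```

The check is deliberately strict: a request that a browser or a well-behaved client would never send is dropped rather than normalised, since rewriting headers at the edge is itself a source of front-end/back-end disagreement.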
