Cyware Weekly Threat Intelligence, April 22–26, 2024

The Good

• As part of efforts to enhance U.S. cyber defenses, the CISA announced to provide federal agencies with a list of critical software products by September 30. These EO-critical software products meet specific criteria and are crucial for managing system privileges and network protections. The initiative follows a Government Accountability Office report highlighting the need for agencies to address cybersecurity requirements, especially in procuring IoT devices.
• The Biden administration introduced new privacy regulations aimed at protecting abortion providers and patients from conservative legal threats. The rules, issued by the HHS, prevent healthcare entities from sharing patient information with state officials investigating or prosecuting abortion-related cases. They safeguard individuals seeking abortions across state lines or facing state abortion bans due to circumstances like rape. Despite the controversy, officials stress the importance of privacy and patient rights.

The Bad

• A new malware campaign named ArcaneDoor, attributed to the sophisticated state-sponsored actor UAT4356, leveraged two zero-day bugs in Cisco networking gear to deploy custom malware and extract sensitive data. The campaign targeted Cisco Adaptive Security Appliance and Firepower Threat Defense Software. The implants deployed, Line Runner and Line Dancer, allow for malicious actions such as configuration modification and network traffic exfiltration.
• Sekoia researchers successfully inspected a C2 server for a variant of the PlugX malware, capturing over 2.5 million connections from unique IP addresses across 170 countries in six months. The sinkhole operation enabled analysis of traffic patterns, mapping of infections, and formulation of disinfection strategies. Although predominantly observed in 15 countries, the infections span globally, with notable concentrations in countries associated with China's Belt and Road Initiative.
• Unpublished GitHub and GitLab comments become hotbeds for cybercriminals to deploy phishing links and leave them as it is. This security issue allowed anyone to upload malware, such as the Redline Stealer Trojan, to repositories without the owners' knowledge. Even if discovered, owners can't remove the uploaded files. The method involves leaving unpublished comments with malware files, ensuring the links remain active.
• Lazarus was spotted employing fake job offers to distribute Kaolin RAT and FudModule rootkit in Asia under Operation Dream Job. The campaign delivers malware through social media and instant messaging platforms. Payload fetches shellcode from the C2 domain and initiates a multi-stage infection process. Kaolin RAT facilitates FudModule rootkit deployment, evading detection with file manipulation and C2 communication.
• Security researcher Pierre Barre has identified 18 vulnerabilities in the Brocade SANnav storage area network management application. These flaws, including unauthenticated remote login issues, exposed the appliance and Fibre Channel switches to multiple cyber threats. Three of nine CVE-assigned bugs allowed attackers to intercept credentials and compromise the entire Fibre Channel infrastructure.
• Experts at ASEC unearthed a malicious info-stealer developed with Electron, a framework for JavaScript-based applications such as Discord and Microsoft VSCode. The malware, distributed via Nullsoft Scriptable Install System installer format, exhibited two distinct cases of malicious behavior. In Case #1, the malware utilized node.js scripts packaged inside the Electron application to execute malicious actions. Case #2 involved the malware strain masquerading as a TeamViewer-related file, which uploaded collected user information to a file-sharing service.
• The Godfather mobile banking trojan, discovered in 2022, now boasts over 1,000 samples targeting 237 banking apps across 57 countries, revealed a Zimperium report. Godfather’s developers have automated sample creation to evade detection. According to experts, mobile malware, including other families like Nexus and Saderat, are rapidly multiplying, with some families amassing over 100,000 unique samples.
• Researchers uncovered sensitive security bugs in popular keyboard apps from tech giants Samsung, OPPO, Vivo, and Xiaomi, among others. These could enable attackers to intercept and decipher users' keystrokes, potentially exposing sensitive personal and financial information. The vulnerabilities affect up to one billion users worldwide, highlighting significant concerns regarding data security. 
• WPScan issued an alert regarding a critical security vulnerability, CVE-2024-27956, in the WP-Automatic plugin for WordPress. The flaw allows attackers to execute arbitrary SQL queries, potentially leading to site takeovers. Exploitation involves circumventing the plugin's user authentication mechanism, enabling unauthorized access to database and creation of admin accounts. Some attackers have also been observed in the wild.
• Eric Daigle, a student at the University of British Columbia, disclosed vulnerabilities in the popular location-tracking app iSharing, allowing access to users' precise location data and personal information. The bugs, affecting over 35 million users, enabled unauthorized access to location data and exposed users' names, profile photos, email addresses, and phone numbers. Daigle's findings prompted iSharing to address the issue, acknowledging the oversight.
• Cisco Talos uncovered an ongoing attack campaign by threat actor CoralRaider, distributing Cryptbot, LummaC2, and Rhadamanthys malware since February 2024. The campaign deploys a new PowerShell command-line argument in LNK files to evade antivirus. Utilizing a Content Delivery Network cache domain as a server, the campaign impacts victims globally, including the U.S., Nigeria, and Japan, with targets in various sectors.
• Avast uncovered the sophisticated GuptiMiner malware campaign, exploiting eScan antivirus update mechanisms to distribute backdoors and coinminers. The threat, possibly linked to North Korean APT group Kimsuky, employs advanced techniques including DNS requests to attacker-controlled servers, sideloading, and payload extraction from innocuous images. GuptiMiner targets large corporate networks with two distinct backdoor variants.
• A zero-day flaw discovered in the CrushFTP file transfer server is being actively exploited in the wild. The flaw, which has no CVE assigned, can allow threat actors to escape the virtual file system present in the CrushFTP application and download system files. According to reports, there have been several exploitation attempts against CrushFTP instances owned by multiple U.S. entities to gather politically motivated intelligence.
• A new vulnerability unearthed in the Windows systems can allow attackers to gain rootkit-like privileges without requiring administrative privileges. The flaw, dubbed MagicDot, exists in the DOS-to-NT path conversion process within the OS. It can be exploited by sending specially crafted files and processes and manipulating archive files.