
Cyware Weekly Threat Intelligence, April 29–May 03, 2024


The Good


In a significant step towards bolstering cyber defenses, the NCSC-U.K. launched the Advanced Mobile Solutions (AMS) risk model to protect high-threat organizations from espionage conducted through consumer-grade devices. Concurrently, the U.K. brought the new PSTI Act into force, setting stringent cybersecurity standards for IoT manufacturers, with severe penalties for non-compliance. Together, these initiatives aim to fortify digital landscapes against evolving threats.

  • The NCSC-U.K. introduced the Advanced Mobile Solutions risk model to enhance cyber resilience for high-threat organizations targeted by nation-states. This initiative aims to protect against consumer-grade devices being compromised by spyware, which could be used as a gateway to corporate systems. Key principles include treating mobile devices as untrusted, robust network protection, and secure data handling. The AMS architecture involves mobile device management tools, data protection measures, VPN terminators, continuous monitoring, and data inspection.
  • The CISA released guidelines for critical infrastructure owners and operators to address both the opportunities and risks posed by AI. The guidelines instruct operators to govern, map, measure, and manage their use of AI, incorporating NIST's AI risk management framework. The guidelines emphasize steps such as understanding dependencies on AI vendors, inventorying AI use cases, creating procedures for reporting AI security risks, and continually testing AI systems for vulnerabilities.
  • The Product Security and Telecommunications Infrastructure (PSTI) Act came into effect in the U.K., mandating that manufacturers of IoT products stop using guessable default passwords and maintain a vulnerability disclosure policy. The law covers a wide range of internet-connected products and imposes hefty fines for non-compliance. It also requires manufacturers to provide information on how to report security issues, security update timelines, and more. Enforcement will be handled by the Office for Product Safety and Standards.
  • The DHS formed a new board to guide the use of AI across 16 critical infrastructure sectors within the U.S. The board includes representatives from tech companies, academia, government agencies, civil rights and civil liberties organizations, and leaders in the AI industry. It aims to create guidelines for responsible AI use and defense against its risks. The board is part of broader efforts by the U.S. government to oversee AI deployment, including hiring AI experts and issuing executive orders related to AI safety standards and protection of critical infrastructure.
  • Europol's Operation Pandora successfully shut down a network of phone scam centers operating in Albania, Bosnia-Herzegovina, Kosovo, and Lebanon. The operation led to the arrest of 21 suspects and prevented criminals from defrauding victims of over €10 million ($11 million). German investigators played a crucial role in uncovering the scam, leading to the interception of millions of fraudulent calls. The authorities also identified different types of scams operated by call centers in each country.

The Bad


A tri-agency cybersecurity advisory from the U.S. government has flagged the North Korean Kimsuky group for spear-phishing campaigns targeting foreign policy experts with seemingly legitimate emails. In a related vein, cybercriminals and state actors are exploiting compromised routers, like the Ubiquiti EdgeRouter, for anonymity and espionage activities. This botnet also involves Raspberry Pi devices and VPS servers and uses sophisticated malware like Ngioweb. Adding to the concerns, researchers have identified an Android trojan named Wpeeper, which leverages compromised WordPress sites for its C2 infrastructure.

  • The NSA, the FBI, and the Department of State issued a joint cybersecurity advisory warning about the North Korean Kimsuky group using spear-phishing campaigns to send spoofed emails appearing legitimate. The attackers exploit weak DMARC policies to deceive targets, particularly foreign policy experts, into sharing sensitive information. The hacking group engages in prolonged conversations to build trust and obtain opinions without immediately deploying malware. Organizations are advised to update their DMARC policies to better detect and mitigate such phishing attempts.
  • Cybercriminals and nation-state actors are exploiting compromised routers for anonymity, renting them out for malicious activities. According to Trend Micro, the Pawn Storm APT gained access to the Ubiquiti EdgeRouter botnet and used it for espionage. The botnet, dating back to 2016, also includes Raspberry Pi devices and VPS servers. A separate threat, the Ngioweb malware, operates discreetly on EdgeRouters. Using a range of implants such as SSHDoor, attackers persistently maintain their hold on compromised routers.
  • Chinese cybersecurity firm QAX XLab uncovered the Android trojan Wpeeper, which uses compromised WordPress sites as a multi-level C&C infrastructure. Wpeeper, distributed via repackaged apps on the Uptodown store, employs HTTPS, elliptic-curve signatures, encryption, and session differentiation to conceal its activities. Despite an abrupt self-deletion command and subsequent disappearance, likely intended to evade detection, Wpeeper has infected thousands of devices.
  • Zloader resurfaced with enhanced anti-analysis measures, reminiscent of ZeuS's original design. In versions 2.4.1.0 and 2.5.1.0, Zloader implements registry checks and MZ header validations to thwart execution on different systems. It reintroduces an anti-analysis feature akin to the original ZeuS 2.x code, restricting binary execution to the infected machine.
  • A sophisticated phishing campaign has been found using RTF attachments in personalized emails mimicking reputable brands, like Epson and HP, to trick recipients into revealing Microsoft credentials. The RTF files harbor deceptive links redirecting victims to malicious sites designed to request users’ login credentials. The scam was detected over 1,000 times in two days.
  • APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor targets Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists, often posing as journalists, event organizers, or legitimate services to build trust with victims. Some of the news outlets it impersonated include The Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and more.

New Threats


The digital security terrain is under threat with critical vulnerabilities across major platforms. GitLab's CVE-2023-7028 flaw enables account hijacks bypassing MFA, while Microsoft's Dirty Stream flaw in Android apps allows unauthorized code execution. Additionally, a new variant of Adload adware is evading Apple's XProtect on macOS, prompting calls for enhanced security measures.

  • A critical vulnerability (CVE-2023-7028) in GitLab is being actively exploited, allowing hackers to hijack accounts without user interaction, even if MFA is enabled. The vulnerability stems from a feature introduced in May 2023, which allowed users to initiate password resets through links sent to secondary email addresses. Attackers can exploit this to send reset emails and take over accounts by clicking on the embedded link.
  • Microsoft identified a new attack, named Dirty Stream, that affects Android apps. This flaw allows malicious apps to overwrite files in another app's directory, potentially leading to unauthorized code execution and data theft. The vulnerability arises from improper use of Android's content provider system, enabling custom intents to bypass security measures and manipulate data streams between apps. Microsoft found vulnerable apps with over four billion installations, including Xiaomi's File Manager and WPS Office.
  • Despite a significant update to Apple's XProtect antivirus targeting Adload adware, a new variant of Adload was spotted bypassing detection by XProtect and other antivirus engines. This variant, including the Adload Go variant, demonstrates sophisticated evasion techniques, posing a serious threat to macOS security. Minor tweaks in the malware's code allow it to evade XProtect's signature rules. Users are urged to consider additional security measures beyond built-in antivirus solutions.
  • FortiGuard Labs identified a new botnet named Goldoon that targets a decade-old D-Link router vulnerability. Goldoon's propagation involves downloading a file named "dropper" from a specified URL, which then executes and cleans up potentially malicious files across various Linux system architectures. Then, the dropper downloads the botnet payload, establishing a persistent connection with a C2 server.
  • A new cyber campaign dubbed "Dev Popper" tricks software developers with fake job interviews, leading them to download a Python RAT. Orchestrated by North Korean threat actors, the attack employs multi-stage social engineering tactics. Victims are instructed to run code from GitHub during the interview, unknowingly activating the RAT. Once installed, the trojan gathers system data and enables remote access.
  • KageNoHitobito, a newly discovered ransomware, has surfaced to target Windows users worldwide. Believed to spread via file-sharing services, disguised as legitimate software or game cheats, it deliberately avoids encrypting critical system files so that the system keeps running. Victims are directed to a Tor site for negotiation, which uses the AbleOnion chat platform.

Tags

advanced mobile solutions ams
kimsuky group
ubiquiti edgerouter
wpeeper
raspberry pi devices
gitlab bug
psti act
ngioweb
apt42
zloader
adload trojan
cve 2023 7028
dirty stream

Posted on: May 03, 2024

