We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence - August 05–09

Cyware Weekly Threat Intelligence - August 05–09 - Featured Image

Weekly Threat Briefing Aug 9, 2024

The Good

In a significant international crackdown, authorities from the U.S. and Germany have seized the domain of the online cryptocurrency wallet service, Cryptonator, after it was found to be facilitating illicit activities and failing to implement adequate anti-money laundering measures. In a positive move towards bolstering cybersecurity, the NHS has partnered with the North East Business Resilience Center to offer funding and support for small and medium businesses in the social care sector. This initiative focuses on providing free cyber services and training specifically tailored to social care businesses in the North East of England and Yorkshire.

  • Authorities from the U.S. and Germany seized the domain of the online crypto wallet Cryptonator for facilitating illicit activity and failing to implement proper anti-money laundering measures. The founder was charged with operating an unlicensed money service business and money laundering. The platform processed over $1.4 billion, with transactions involving darknet markets, fraud, ransomware, hacks, and sanctions evasion.

  • The NHS partnered with the North East Business Resilience Center to provide funding and support for small and medium businesses in the social care sector to protect themselves against cyber threats. The funding includes free cyber services and training specifically for social care businesses in the North East of England and Yorkshire. The initiative aims to combat the growing and complex cyber threats that can disrupt social care services.

  • A Singaporean commodity firm fell victim to a BEC scam, losing $42.3 million to fraudsters. Fortunately, the Singapore Police Force, with the help of Interpol, managed to recover $39 million and arrested seven individuals in Timor Leste in connection to the scam. The remaining $2 million has also been recovered, and the funds are being returned to the firm. Interpol's Global Rapid Intervention of Payments (I-GRIP) has been crucial in these efforts and has seen success in freezing bank accounts and intercepting funds from such scams.

  • The White House announced that the cybersecurity certification organization, EC-Council, has pledged $15 million in scholarships to support over 50,000 students in pursuing cybersecurity programs. The scholarships will cover various certifications and training programs, aiming to build a skilled cyber workforce. The initiative is part of President Biden's National Cyber Workforce and Education Strategy, which addresses the shortage of cybersecurity workers in the U.S.

  • The CISA released new guidance calling on private sector organizations to assess software manufacturers' cybersecurity measures. The guidance aims to shift security responsibilities from end users to developers, urging software suppliers to implement secure-by-default practices and provide transparency into their security processes. While the administration has pushed for voluntary pledges from developers, there are calls for further protections and benefits for the private sector.

The Bad

Earth Baku has broadened its operations beyond its traditional stronghold in the Indo-Pacific, extending its reach into Europe, the Middle East, and Africa. Countries such as Italy, Germany, the UAE, and Qatar have emerged as key targets, with additional suspicious activities noted in Georgia and Romania. Meanwhile, Cyble researchers have uncovered a phishing website masquerading as the Google Safety Centre, distributing two distinct types of malware—Latrodectus and ACR Stealer. In parallel, the South Korean NCSC sounded the alarm on state-sponsored North Korean hackers who are exploiting vulnerabilities in VPN software updates to infiltrate and compromise networks.

  • Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, Middle East, and Africa. Countries like Italy, Germany, the UAE, and Qatar are targeted, with suspected activity in Georgia and Romania. The attackers use IIS servers as entry points, deploying advanced tools like Godzilla webshell, StealthVector, StealthReacher, and SneakCross. The latest backdoor, SneakCross, utilizes Google services for command-and-control. Post-exploitation, Earth Baku uses tools like iox, Rakshasa, Tailscale, and MEGAcmd for persistence and data exfiltration.
  • Cyble discovered a phishing website posing as Google Safety Centre, distributing two types of malware - Latrodectus and ACR Stealer. The ACR Stealer uses Dead Drop Resolver to hide its Command and Control server details within legitimate platforms, while Latrodectus shows signs of continuous development. The phishing site tricks users into downloading a file disguised as Google Authenticator, which installs the malicious software.
  • The South Korean NCSC issued a warning about state-backed North Korean hackers exploiting vulnerabilities in VPN software updates to deploy malware and breach networks. The activity is linked to a nationwide industrial modernization project announced by North Korean President Kim Jong-un. Two threat groups, Kimsuky and Andariel, are identified as being involved in the attacks. The hackers used trojanized software to capture sensitive data from South Korean organizations, including construction companies and government institutions.
  • The StormBamboo threat group successfully compromised an ISP to conduct DNS poisoning attacks on target organizations. The attackers exploited insecure software update mechanisms to install new variants of the MACMA malware on victim machines running macOS and Windows. Additionally, they deployed the malicious browser extension RELOADEXT to exfiltrate victims’ email data.
  • A Russian threat actor called Fighting Ursa (APT28) used a car advertisement as a lure to distribute the HeadLace backdoor malware, targeting diplomats. The attack involved hosting malicious content on legitimate services like Webhook.site and ImgBB. The malware was delivered in a ZIP file disguised as an image, and it used tactics to evade detection. The malware campaign relied on free online services to host various stages of the attack.
  • The FBI issued a warning about scammers posing as cryptocurrency exchange employees to steal funds. These scammers create a sense of urgency and trick victims into providing login credentials or clicking on malicious links. They drain the victim's account once they have the information. Recovery service scams and imposter websites are also common in the crypto space. The FBI advises verifying communications, not rushing into decisions, researching crypto services, using multi-factor authentication, and being cautious with personal information.
  • The Chameleon Android banking trojan has been targeting users in Canada by posing as a CRM app. The campaign expanded its victimology footprint to Canada and Europe, mirroring previous attacks in Australia, Italy, Poland, and the U.K. The trojan uses CRM-related themes to target customers in the hospitality sector and B2C employees. It bypasses Google's Restricted Settings to deploy its payload, which can conduct on-device fraud and transfer funds illegally. By masquerading as a CRM tool, Chameleon aims to access corporate banking and poses a significant risk to organizations.

New Threats

Researchers uncovered a new APT group, Actor240524, targeting Azerbaijan and Israel through spear-phishing attacks. The attackers use malicious Word documents with macros to deploy the ABCloader and ABCsync trojans. Sonar identified a critical XSS vulnerability in Roundcube webmail. Researchers have also discovered a new RAT called SharpRhino during a ransomware incident linked to Hunters International.

  • The NSFOCUS Security Labs identified a new APT group, Actor240524, targeting Azerbaijan and Israel through a spear-phishing attack. The attackers used a Word document with malicious macros to execute ABCloader and ABCsync trojan programs. These malware employed various techniques to evade detection, including string encryption, PEB detection, hardware breakpoint detection, screen resolution detection, process count detection, and specific permission detection.

  • Sonar discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube webmail software. When a victim views a malicious email in Roundcube, the attacker can execute arbitrary JavaScript in the victim's browser. This can lead to the theft of emails, contacts, and email passwords, as well as sending unauthorized emails from the victim's account. Roundcube administrators are advised to update to patched versions 1.6.8 or 1.5.8 immediately. The vulnerabilities are tracked as CVE-2024-42008, CVE-2024-42009, CVE-2024-42010.

  • Researchers identified a new RAT named SharpRhino during a recent ransomware incident. This malware was used by the Hunters International threat group to gain remote access to devices and progress the attack. SharpRhino is delivered through a typosquatting domain impersonating a legitimate tool, Angry IP Scanner, and uses the C# programming language. The malware can obtain high levels of permissions on devices to ensure minimal disruption during the attack.

  • Cisco has issued a warning about five critical remote code execution vulnerabilities in the web-based management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have reached their end of life. The vulnerabilities allow attackers to execute arbitrary commands and cause denial of service. Cisco has not provided fixes or mitigation tips, so users are urged to transition to newer and supported models. The flaws are tracked as CVE-2024-20450, CVE-2024-20452, CVE-2024-20454, CVE-2024-20451, and CVE-2024-20453.

  • A new ransomware called CryptoKat has surfaced on the dark web, featuring state-of-the-art encryption using AES, fast encryption speed, unique executable files, and operates silently without Windows pop-ups. It also utilizes Fear, Uncertainty, and Doubt tactics on Windows 11 to maximize impact. Of particular concern is that the decryption key is not stored on the victim's machine. This forces victims to pay the ransom in hopes of recovering their data.

  • Researchers from the Graz University of Technology have discovered a new Linux Kernel cross-cache attack called SLUBStick, with a 99% success rate in exploiting heap vulnerabilities to gain arbitrary memory read-and-write capabilities. The attack works on both 32-bit and 64-bit systems, bypassing modern kernel defenses. The attack demonstrated high versatility by working on Linux kernel versions 5.9 and 6.2, and it bypassed modern kernel defenses like SMEP, SMAP, and KASLR.

Related Threat Briefings

Sep 20, 2024

Cyware Weekly Threat Intelligence - September 16–20

The Good German law enforcement has dealt a double blow to cybercriminals, first by dismantling infrastructure used by the Vanir Locker ransomware group. In a separate operation, they took down 47 cryptocurrency exchanges used for illegal money

Sep 13, 2024

Cyware Weekly Threat Intelligence - September 09–13

The Good The U.K government has elevated data centers to a new level of importance, officially designating them as critical national infrastructure - ensuring these digital fortresses get the protection and support they need during crises. Choo

Sep 6, 2024

Cyware Weekly Threat Intelligence - September 02–06

The Good As cyber threats loom larger than ever, the White House released a comprehensive roadmap to secure the Border Gateway Protocol (BGP), a key component of internet routing. The initiative focuses on implementing Resource Public Key Infra

Aug 30, 2024

Cyware Weekly Threat Intelligence - August 26–30

The Good In response to the rising tide of cyber threats, organizations and governments are stepping up their efforts to protect critical infrastructure and personal data. NASA's Katherine Johnson IV&V Facility expanded its mission to include c

Aug 23, 2024

Cyware Weekly Threat Intelligence - August 19–23

The Good With global cyber threats on the rise, over a dozen cyber authorities have endorsed new guidance to set baseline standards for logging and threat detection. This guidance aims to enhance cybersecurity monitoring, helping to prevent inc

Aug 16, 2024

Cyware Weekly Threat Intelligence - August 12–16

The Good In a landmark move, the UN has unanimously passed its first-ever cybercrime treaty, laying the groundwork for a unified global response to cyber threats. This historic treaty, now headed to the General Assembly for final approval, empo

Aug 5, 2024

Cyware Weekly Threat Intelligence, July 29 - August 02, 2024

The Good In recent cybersecurity developments, significant strides have been made in combating cyber threats and enhancing defenses. The UK’s NCA has successfully dismantled Russian Coms, a major caller ID spoofing platform used by scammers to make

Jul 26, 2024

Cyware Weekly Threat Intelligence - July 22–26

The Good In a decisive strike against cybercrime, Meta has eradicated 63,000 Instagram accounts connected to the Nigerian cybercrime group known as Yahoo Boys. Furthermore, it has purged 1,300 Facebook accounts, 200 Pages, and 5,700 Groups that

Jul 19, 2024

Cyware Weekly Threat Intelligence - July 15–19

The Good In a concerted blitz against the shadowy underworld of cryptocurrency phishing scams, law enforcement agencies and crypto exchanges from six nations united under the banner of Operation Spincaster. This initiative has unearthed a stagg

Jul 12, 2024

Cyware Weekly Threat Intelligence - July 08–12

The Good In a remarkable turn of events, Avast's cryptographic savants unearthed a pivotal vulnerability within the DoNex ransomware and its prior iterations. This discovery has paved the way for a decryptor, disseminated to victims. Concurrent

Jul 5, 2024

Cyware Weekly Threat Intelligence - July 01–05

The Good In a labyrinthine orchestration of international cyber-justice, Europol spearheaded an intricate, multifaceted probe dubbed Operation Morpheus, meticulously dismantling the subterranean networks of nearly 600 IP addresses that clandest

Jun 28, 2024

Cyware Weekly Threat Intelligence - June 24–28

The Good In a bold alliance, the NCA and the FBI embark on a relentless pursuit to dismantle the Qilin ransomware gang. This elusive group, seemingly shielded by Russian government approval, has wreaked havoc on global healthcare providers. Mea