Cyware Weekly Threat Intelligence - August 05–09
Weekly Threat Briefing • Aug 9, 2024
We use cookies to improve your experience. Do you accept?
Weekly Threat Briefing • Aug 9, 2024
In a significant international crackdown, authorities from the U.S. and Germany have seized the domain of the online cryptocurrency wallet service, Cryptonator, after it was found to be facilitating illicit activities and failing to implement adequate anti-money laundering measures. In a positive move towards bolstering cybersecurity, the NHS has partnered with the North East Business Resilience Center to offer funding and support for small and medium businesses in the social care sector. This initiative focuses on providing free cyber services and training specifically tailored to social care businesses in the North East of England and Yorkshire.
Authorities from the U.S. and Germany seized the domain of the online crypto wallet Cryptonator for facilitating illicit activity and failing to implement proper anti-money laundering measures. The founder was charged with operating an unlicensed money service business and money laundering. The platform processed over $1.4 billion, with transactions involving darknet markets, fraud, ransomware, hacks, and sanctions evasion.
The NHS partnered with the North East Business Resilience Center to provide funding and support for small and medium businesses in the social care sector to protect themselves against cyber threats. The funding includes free cyber services and training specifically for social care businesses in the North East of England and Yorkshire. The initiative aims to combat the growing and complex cyber threats that can disrupt social care services.
A Singaporean commodity firm fell victim to a BEC scam, losing $42.3 million to fraudsters. Fortunately, the Singapore Police Force, with the help of Interpol, managed to recover $39 million and arrested seven individuals in Timor Leste in connection to the scam. The remaining $2 million has also been recovered, and the funds are being returned to the firm. Interpol's Global Rapid Intervention of Payments (I-GRIP) has been crucial in these efforts and has seen success in freezing bank accounts and intercepting funds from such scams.
The White House announced that the cybersecurity certification organization, EC-Council, has pledged $15 million in scholarships to support over 50,000 students in pursuing cybersecurity programs. The scholarships will cover various certifications and training programs, aiming to build a skilled cyber workforce. The initiative is part of President Biden's National Cyber Workforce and Education Strategy, which addresses the shortage of cybersecurity workers in the U.S.
The CISA released new guidance calling on private sector organizations to assess software manufacturers' cybersecurity measures. The guidance aims to shift security responsibilities from end users to developers, urging software suppliers to implement secure-by-default practices and provide transparency into their security processes. While the administration has pushed for voluntary pledges from developers, there are calls for further protections and benefits for the private sector.
Earth Baku has broadened its operations beyond its traditional stronghold in the Indo-Pacific, extending its reach into Europe, the Middle East, and Africa. Countries such as Italy, Germany, the UAE, and Qatar have emerged as key targets, with additional suspicious activities noted in Georgia and Romania. Meanwhile, Cyble researchers have uncovered a phishing website masquerading as the Google Safety Centre, distributing two distinct types of malware—Latrodectus and ACR Stealer. In parallel, the South Korean NCSC sounded the alarm on state-sponsored North Korean hackers who are exploiting vulnerabilities in VPN software updates to infiltrate and compromise networks.
Researchers uncovered a new APT group, Actor240524, targeting Azerbaijan and Israel through spear-phishing attacks. The attackers use malicious Word documents with macros to deploy the ABCloader and ABCsync trojans. Sonar identified a critical XSS vulnerability in Roundcube webmail. Researchers have also discovered a new RAT called SharpRhino during a ransomware incident linked to Hunters International.
The NSFOCUS Security Labs identified a new APT group, Actor240524, targeting Azerbaijan and Israel through a spear-phishing attack. The attackers used a Word document with malicious macros to execute ABCloader and ABCsync trojan programs. These malware employed various techniques to evade detection, including string encryption, PEB detection, hardware breakpoint detection, screen resolution detection, process count detection, and specific permission detection.
Sonar discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube webmail software. When a victim views a malicious email in Roundcube, the attacker can execute arbitrary JavaScript in the victim's browser. This can lead to the theft of emails, contacts, and email passwords, as well as sending unauthorized emails from the victim's account. Roundcube administrators are advised to update to patched versions 1.6.8 or 1.5.8 immediately. The vulnerabilities are tracked as CVE-2024-42008, CVE-2024-42009, CVE-2024-42010.
Researchers identified a new RAT named SharpRhino during a recent ransomware incident. This malware was used by the Hunters International threat group to gain remote access to devices and progress the attack. SharpRhino is delivered through a typosquatting domain impersonating a legitimate tool, Angry IP Scanner, and uses the C# programming language. The malware can obtain high levels of permissions on devices to ensure minimal disruption during the attack.
Cisco has issued a warning about five critical remote code execution vulnerabilities in the web-based management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have reached their end of life. The vulnerabilities allow attackers to execute arbitrary commands and cause denial of service. Cisco has not provided fixes or mitigation tips, so users are urged to transition to newer and supported models. The flaws are tracked as CVE-2024-20450, CVE-2024-20452, CVE-2024-20454, CVE-2024-20451, and CVE-2024-20453.
A new ransomware called CryptoKat has surfaced on the dark web, featuring state-of-the-art encryption using AES, fast encryption speed, unique executable files, and operates silently without Windows pop-ups. It also utilizes Fear, Uncertainty, and Doubt tactics on Windows 11 to maximize impact. Of particular concern is that the decryption key is not stored on the victim's machine. This forces victims to pay the ransom in hopes of recovering their data.
Researchers from the Graz University of Technology have discovered a new Linux Kernel cross-cache attack called SLUBStick, with a 99% success rate in exploiting heap vulnerabilities to gain arbitrary memory read-and-write capabilities. The attack works on both 32-bit and 64-bit systems, bypassing modern kernel defenses. The attack demonstrated high versatility by working on Linux kernel versions 5.9 and 6.2, and it bypassed modern kernel defenses like SMEP, SMAP, and KASLR.