We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence - August 19–23

Cyware Weekly Threat Intelligence - August 19–23 - Featured Image

Weekly Threat Briefing Aug 23, 2024

The Good

With global cyber threats on the rise, over a dozen cyber authorities have endorsed new guidance to set baseline standards for logging and threat detection. This guidance aims to enhance cybersecurity monitoring, helping to prevent incidents like the SolarWinds attack. Additionally, the NCSC has introduced a Cyber Resilience Audit to assist organizations in assessing and improving their defenses against cyber threats, further strengthening overall resilience in the face of evolving risks.

  • Over a dozen global cyber authorities endorsed new guidance to establish baseline standards for logging and threat detection, addressing the rising threat from adversaries using living off the land techniques. The guidance emphasizes enhanced cybersecurity monitoring to detect critical software changes, potentially mitigating incidents like the SolarWinds attack and Colonial Pipeline hack. Released by organizations including the ACSC and the CISA, it urges logging of all control plane operations and recommends capturing administrative changes and authentication events.

  • The NCSC launched a new Cyber Resilience Audit aimed at helping organizations assess their resilience against cyber threats. This audit will provide organizations with a structured approach to evaluate their cybersecurity practices and identify areas for improvement. The initiative is part of the NCSC's ongoing efforts to enhance the UK's overall cyber resilience and support businesses in safeguarding their operations against increasing cyber risks.

  • Funding has been announced for a new cybersecurity pilot project aimed at social care providers in the North East and Yorkshire. The project, a collaboration between the North East Business Resilience Centre and NHS England, will provide free cyber services and training to help tackle cyber threats in the social care sector. The initiative is crucial in light of the high incidence of cyber security breaches reported by businesses and charities.

  • The Federal Aviation Administration (FAA) is proposing updates to its cybersecurity standards for future airplanes and critical equipment, in response to the increasing connectivity of flight equipment to data networks. The proposed regulations would require design approval applicants to conduct security risk analyses and mitigate any identified vulnerabilities. The FAA aims to standardize criteria for addressing cybersecurity threats while reducing certification costs and time. The FAA is seeking public comment on the new rule until October 21.

The Bad

A wave of sophisticated cyber campaigns emerged, each with its own unique methods of targeting victims. ESET researchers uncovered an Android malware, NGate, used in a criminal scheme against Czech bank clients to clone payment cards and facilitate unauthorized withdrawals. Meanwhile, a pro-Russian group is spreading malware under the guise of false information about Ukraine, deploying tools like Spectr spyware and Firmachagent. Additionally, North Korea's Lazarus group has evolved its BeaverTail malware to target job seekers, expanding to both macOS and Windows platforms to steal sensitive information.

  • ESET researchers discovered a sophisticated criminal campaign that targeted clients of Czech banks, using a unique Android malware called NGate. The malware relays data from victims' payment cards to the attacker's device, allowing them to clone the card and make unauthorized ATM withdrawals. The attackers initially used phishing and malicious apps to steal banking credentials before deploying NGate. The malware prompts victims to input sensitive information and enable NFC on their devices, subsequently relaying the NFC data to the attacker.
  • A pro-Russian hacker group called Vermin is using fake information about Ukraine's offensive in Kursk to spread malware. The hackers are believed to be linked to the Luhansk People’s Republic and are suspected of acting on behalf of the Kremlin. CERT-UA reported that the group has deployed two types of malware, including Spectr spyware and a new strain called Firmachagent. Spectr can capture screenshots of a victim's screen every 10 seconds, copy files with specific extensions, and extract data from messengers and web browsers. The stolen data is then uploaded to the hackers' server using Firmachagent malware.
  • The BeaverTail malware campaign, originating from North Korea, has evolved to target job seekers and now includes a native macOS version disguised as legitimate software. The malware is designed to steal confidential information, including browser data and cryptocurrency wallets, and has expanded its reach to Windows users through weaponized games. The Lazarus group has shown adaptability by developing different versions of BeaverTail for various operating systems and using sophisticated techniques to target victims.
  • Malicious actors are using a cloud attack tool called Xeon Sender to carry out SMS phishing and spam campaigns on a large scale using legitimate services. The tool exploits valid credentials for various SaaS providers to send messages. Some of the services utilized include Amazon SNS, Nexmo, Twilio, and more. The tool is distributed via Telegram and hacking forums, with the most recent version attributed to a Telegram channel named Orion Toolxhub. The tool allows users to conduct bulk SMS spam attacks through the command-line interface, utilizing backend APIs of service providers.
  • The Qilin ransomware group targeted a network's endpoints, stealing credentials stored in Google Chrome browsers. They gained access through compromised credentials and used a logon GPO to execute scripts that harvested credentials on user devices. The stolen credentials were exfiltrated, event logs were cleared, and files were encrypted with a ransom note left behind. The attack exploited the widespread use of Chrome and required defenders to change all Active Directory passwords.

New Threats

A trio of evolving cyber threats highlights the ever-changing landscape of digital security. A new macOS malware, Cthulhu Stealer, has emerged, posing as legitimate software to steal sensitive information like cryptocurrency wallets and game account details. Meanwhile, Cisco Talos has uncovered a North Korean-developed RAT, MoonPeak, which is rapidly evolving to avoid detection. In parallel, Google has patched a critical zero-day vulnerability in Chrome, addressing a high-severity flaw that was actively being exploited by attackers.

  • Researchers observed the emergence of a new threat called Cthulhu Stealer. This malware targets macOS users by disguising itself as legitimate software, prompting users to enter their passwords and MetaMask credentials, and then stealing sensitive information such as cryptocurrency wallets and game account details. The functionality of Cthulhu Stealer is similar to another macOS malware called Atomic Stealer, indicating that the code may have been modified from the latter.
  • Cisco Talos identified a new RAT family called MoonPeak, which is based on the XenoRAT malware and is actively being developed by a North Korean threat actor known as UAT-5394. The MoonPeak malware has been evolving gradually, with each new variant introducing changes to make detection more difficult and prevent unauthorized connections to the C2 server. The threat actors have made modifications to the source code of XenoRAT, upon which MoonPeak is based, to ensure compatibility with their infrastructure and prevent rogue implants from connecting.
  • Google patched a new zero-day vulnerability (CVE-2024-7971) in Chrome, which was being exploited by attackers. The vulnerability is a high-severity issue caused by a type confusion weakness in the V8 JavaScript engine used by Chrome and other Chromium-based browsers. This type confusion can lead to out-of-bounds memory access in languages like C and C++. Google has released a fix in Chrome version 128.0.6613.84/.85 for Windows and Mac, and 128.0.6613.84 for Linux.
  • Symantec's Threat Hunter Team revealed a new stealthy backdoor called Msupedge that was recently used in a cyberattack against a university in Taiwan. The backdoor exploits a critical flaw in PHP (CVE-2024-4577) to achieve remote code execution (RCE). Msupedge is a dynamic-link library installed in specific paths on the system. It uses DNS tunneling for communication with the C&C server, receiving commands via DNS traffic. The backdoor supports various commands such as creating a process, downloading files, sleeping for a set time, and creating temporary files with unknown purposes.
  • Mandiant warned of a new threat known as "WireServing" enabling attackers to launch TLP bootstrap attacks against Azure Kubernetes Services (AKS). By exploiting weaknesses in how AKS clusters handled TLS bootstrap tokens, attackers could download configuration files containing credentials to escalate privileges and access sensitive information. Microsoft promptly addressed the issue by updating AKS clusters to prevent unauthorized access to TLS bootstrap tokens.
  • Threat actors are using a new malware called UULoader to distribute remote access tools like Gh0st RAT and Mimikatz. The malware is distributed through malicious software installers targeting Korean and Chinese speakers and is believed to be the work of a Chinese speaker. Additionally, phishing attacks are targeting cryptocurrency users using fake government entities to collect sensitive information.
  • The GiveWP plugin for WordPress recently addressed a critical security flaw involving PHP Object Injection that could lead to RCE. The vulnerability, tracked as CVE-2024-5932, affects all versions up to 3.14.1. Exploiting this flaw could allow unauthorized users to execute arbitrary code and delete files on affected sites. The severity of the exploit led to a CVSS score of 10.0. Technical details reveal that the flaw stems from inadequate validation of user-provided data during donation processing, leading to the injection of malicious PHP objects.

Related Threat Briefings