Cyware Weekly Threat Intelligence - July 01–05

Weekly Threat Briefing Jul 5, 2024

The Good

In a coordinated international action, Europol led a multi-agency investigation dubbed Operation Morpheus that dismantled the infrastructure behind nearly 600 IP addresses hosting unlicensed copies of Cobalt Strike; the crackdown reached 690 IP addresses across 27 countries. In the same week, the U.S. federal government released a framework to streamline the evaluation and approval of emerging technologies under FedRAMP. The framework is meant to speed federal adoption of new, secure technology, with a pronounced emphasis on cloud-relevant emerging technologies.

  • Europol led a coordinated cross-border investigation codenamed Operation Morpheus to shut down nearly 600 IP addresses supporting illegal Cobalt Strike copies. The takedown targeted 690 IP addresses in 27 countries hosting illegal instances of Cobalt Strike, which has been used by cybercriminals and nation-state actors for deploying ransomware and conducting cyber espionage campaigns. The enforcement actions involved server takedowns and warnings to internet service providers hosting malware. The U.K.'s National Crime Agency (NCA) emphasized that while the software itself is legitimate, criminals have exploited it for illicit purposes, making it easier for them to conduct damaging cyberattacks.
  • The U.S. federal government has introduced a framework to prioritize emerging technologies for approval by the Federal Risk and Authorization Management Program (FedRAMP). This framework aims to enable federal agencies to adopt new and secure tech solutions, with a focus on cloud-relevant emerging technologies. The initial priorities include generative AI capabilities such as chat interfaces, code generation and debugging tools, and prompt-based image generators. The framework will allow cloud service providers to expedite the authorization review process for their offerings with AI-based capabilities.
  • Law enforcement from 61 countries conducted an operation called First Light, dismantling online scam networks and arresting over 3,900 suspects. They seized $257 million in assets obtained illegally and identified over 14,600 potential cybercriminals. The operation targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams.

The Bad

The Mekotio banking trojan, a sophisticated piece of malware, has cast its net primarily over Latin America. Delivered through phishing emails posing as communications from tax agencies, Mekotio ensnares victims with malicious links or attachments. In a parallel development, a seemingly benign QR code reader app on Google Play was unmasked as a carrier for the notorious Anatsa banking malware. Meanwhile, attackers have turned their attention to outdated versions of Rejetto's HFS software, exploiting the critical-severity vulnerability CVE-2024-23692.

  • The Mekotio banking trojan is a sophisticated malware targeting Latin American countries, particularly Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often delivered through phishing emails that appear to be from tax agencies, containing malicious links or attachments. Upon execution, Mekotio gathers system information and establishes a connection with a C2 server. It displays fake pop-ups that mimic legitimate banking sites, tricking users into entering their login details. Mekotio can also capture screenshots, log keystrokes, and steal clipboard data.

  • A malicious QR code reader app on Google Play has been discovered to be delivering the notorious Anatsa banking malware. The app has already been downloaded thousands of times, potentially compromising a significant number of users' financial data. Anatsa is a sophisticated piece of malware designed to steal sensitive banking information. It has advanced capabilities, including keylogging, overlay attacks, and remote access, making it a formidable threat to users' banking security.

  • Hackers are targeting older versions of the HTTP File Server (HFS) software from Rejetto to drop malware and cryptocurrency mining software. They are exploiting CVE-2024-23692, a critical-severity vulnerability in HFS versions up to and including 2.3m, which allows unauthenticated remote attackers to execute arbitrary commands on the affected system. The attackers use the vulnerability to gather information about the compromised system, install backdoors, and deploy various types of malware, including XMRig for Monero mining, XenoRAT, Gh0stRAT, and PlugX for remote access and control, and the GoThief information stealer.

  • ASEC uncovered a case where an unidentified threat actor exploited a Korean ERP solution to attack the defense and manufacturing industries. The attack involved inserting a malicious routine into the ERP update program to distribute the Xctdoor backdoor, which is designed to steal system information and execute commands. The attack also targeted web servers, installing the XcLoader malware to inject Xctdoor into processes. The malware communicates with a C&C server using HTTP and employs encryption.

New Threats

The notorious Turla group has been observed using malicious LNK files to deploy a fileless backdoor: the LNK file masquerades as an innocuous PDF document and triggers a PowerShell script. Microsoft disclosed two critical vulnerabilities in Rockwell Automation's PanelView Plus devices that open the door to remote code execution and denial-of-service attacks. A new ransomware operator, Volcano Demon, has been deploying a ransomware variant dubbed LukaLocker.

  • A new campaign by the Turla malware group has been spotted using malicious LNK files to deploy a fileless backdoor. The malware campaign starts with a malicious package downloaded from a compromised website, potentially distributed through phishing emails. The malicious LNK file masquerades as a normal PDF document and executes a PowerShell script that deploys a fileless backdoor using Microsoft's msbuild.exe. The backdoor disables Event Tracing for Windows (ETW), performs memory patching on system modules, and bypasses the Windows Antimalware Scan Interface (AMSI) to evade detection.
  • Microsoft discovered and disclosed two vulnerabilities in Rockwell Automation's PanelView Plus devices, which could allow RCE and DoS attacks by unauthenticated attackers. The RCE vulnerability (CVE-2023-2071) involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS bug (CVE-2023-29464) takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, leading to a DoS.
  • Halcyon identified a new ransomware operator called Volcano Demon that is using a ransomware variant called LukaLocker. The ransomware encrypts victim files with the .nba file extension and uses common administrative credentials to lock Windows workstations and servers. The attackers cleared logs and exfiltrated data for double extortion before demanding payment through threatening phone calls. The ransomware also employs evasion tactics to stop various services and processes and uses the ChaCha8 cipher for file encryption.
  • Over 40 vulnerabilities have been discovered in Toshiba's e-STUDIO Multi-Function Printers (MFPs), affecting 103 different models used by businesses and organizations worldwide. The vulnerabilities include RCE, XML external entity injection, privilege escalation, authentication credential leak, DOM-based XSS, insecure permissions, Time-of-Check to Time-of-Use (TOCTOU) conditions, and others. Affected MFPs run on Linux and can be leveraged by attackers to move laterally within infrastructures.
  • Transparent Tribe has developed a new variant of its Android spyware called CapraRAT that targets gamers, weapons enthusiasts, and TikTok fans by embedding it into curated video browsing applications. SentinelLabs has identified four new CapraRAT APKs, including Crazy Game signed.apk, Sexy Videos signed.apk, TikTok signed.apk, and Weapons signed.apk.
  • A trio of security flaws were uncovered in the CocoaPods dependency manager that could be exploited to stage software supply chain attacks. One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3) and allows an attacker to exploit the ‘Claim Your Pods’ process. The other two are tracked as CVE-2024-38366 (CVSS score: 10) and CVE-2024-38367 (CVSS score: 8.2).
  • The North Korea-linked threat actor Kimsuky has been using a new malicious Google Chrome extension called TRANSLATEXT to steal sensitive information from South Korean academia focused on North Korean political affairs. This extension gathers email addresses, usernames, passwords, cookies, and browser screenshots. The attack starts with a ZIP archive that claims to be about Korean military history, containing a Hangul Word Processor document and an executable.
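The Turla item above describes a chain of a shortcut posing as a PDF, then PowerShell, then msbuild.exe loading a fileless backdoor. As an added example (not from the briefing or the underlying report), the following heuristic runs over constructed process-creation records and flags that parent/child pattern; the record fields, the user-writable path list and the sample events are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """Constructed record loosely modelled on Sysmon/EDR process-creation events."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str

# Directories an unprivileged user can write to; a project file here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def find_msbuild_chain(events: List[ProcEvent]) -> List[Dict]:
    """Flag msbuild.exe started by PowerShell. An explorer.exe grandparent is how a
    double-clicked shortcut appears in the tree (the LNK lure in the briefing); a
    project file in a user-writable path fits running code without dropping an EXE."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _base(ev.image) != "msbuild.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if not parent or _base(parent.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = ["msbuild.exe spawned by PowerShell"]
        grand = by_pid.get(parent.ppid)
        if grand and _base(grand.image) == "explorer.exe":
            reasons.append("interactive launch via explorer.exe (shortcut-style)")
        if any(d in ev.cmdline.lower() for d in USER_WRITABLE):
            reasons.append("project file in user-writable path")
        findings.append({"pid": ev.pid, "reasons": reasons})
    return findings

# Constructed sample: one lure-style chain (pids 100-300) and one ordinary CI build.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -f C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcEvent(300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.proj"),
    ProcEvent(400, 50, r"C:\Agent\agent.exe", "agent.exe"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\build\app.sln"),
]
```

Only the PowerShell-launched msbuild.exe (pid 300) is reported; the build-agent invocation (pid 500) is left alone, which is the point of checking the parent rather than the image name alone.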