Cyware Weekly Threat Intelligence, July 29 - August 02, 2024
Weekly Threat Briefing • Aug 5, 2024
In recent cybersecurity developments, significant strides have been made in combating cyber threats and enhancing defenses. The UK’s NCA has successfully dismantled Russian Coms, a major caller ID spoofing platform used by scammers to make over 1.8 million fraudulent calls, resulting in substantial financial losses for victims worldwide. Meanwhile, the NSA has unveiled an AI-powered Autonomous Penetration Testing platform to advance cyber defense for intelligence community contractors. The Center for Federal Civilian Executive Branch Resilience is bolstering U.S. federal cybersecurity with a new initiative focused on strengthening defenses against cybercriminals and nation-state attackers. This initiative includes education, technology solutions, and a push towards zero trust architecture.
Recent cybersecurity incidents highlight the evolving nature of cyber threats. APT41, a threat actor group believed to consist of Chinese nationals, has launched a sophisticated cyber-espionage campaign targeting a Taiwanese government-affiliated research institute. In another alarming development, fake Google Authenticator sites promoted through Google ads are leading users to malicious landing pages that mimic legitimate sites. Additionally, a new phishing campaign employing the Tycoon 2FA phishing kit has been identified. This campaign uses Amazon SES to deliver emails disguised as documents from Docusign, despite potential SPF and DKIM failures.
A malicious cyber-espionage campaign targeted a Taiwanese government-affiliated research institute, carried out by a group identified as APT41, alleged to be comprised of Chinese nationals. The attackers used malware such as ShadowPad and Cobalt Strike, along with various techniques to compromise the institute's environment, exfiltrate documents, and gather information. The attackers also leveraged Chinese-language tools and techniques, indicating a Chinese-speaking threat actor.
Google ads are being used to promote fake Google Authenticator sites that install malware on users' devices. The fake Google Authenticator ads lead users to a series of redirections to the malicious landing page at chromeweb-authenticators[.]com, which imitates a legitimate Google portal. The executable file is signed by legitimate companies, potentially bypassing security solutions on Windows systems to deploy the DeerStealer malware, which steals sensitive information from web browsers.
A North Korea-linked malware campaign, known as DEV#POPPER, is targeting software developers on Windows, Linux, and macOS systems. The campaign has targeted victims in South Korea, North America, Europe, and the Middle East. The attackers use social engineering tactics to trick developers into downloading malicious software disguised as job interview materials. The malware, named BeaverTail, is designed to steal sensitive information by establishing contact with a remote server and downloading additional payloads, such as a Python backdoor called InvisibleFerret.
An online fraud operation known as "ERIAKOS" is promoting over 600 fake online stores through Facebook ads in an attempt to steal personal and financial information from visitors. These sites, which offer products from popular brands like Nike and Apple at highly discounted prices, are accessible only through mobile devices to evade security scans and utilize fake user testimonials to lure in potential buyers. Recorded Future uncovered the ERIAKOS operation and suspects its origin in China based on the domain registrar and payment providers used. While many of the sites have been taken down, the campaign continues to generate new ads for freshly created sites.
Apple has rolled out security updates for iOS, macOS, tvOS, visionOS, watchOS, and Safari to address numerous vulnerabilities. The updates include fixes for 35 security flaws in iOS 17.6 and iPadOS 17.6, as well as patches for nearly 70 vulnerabilities in macOS Sonoma 14.6. Third-party components such as libtiff and ANGLE engine were also fixed in the updates. Safari 17.6 was released with patches for nine bugs. The fixes are also available for older devices with iOS 16.7.9 and iPadOS 16.7.9 updates.
A sophisticated phishing campaign with Tycoon 2FA phishing kit has been identified, exploiting Amazon SES to steal user credentials. The attack involves emails with valid signatures and attachments posing as documents from Docusign, despite potential SPF and DKIM failures. Upon clicking links in the emails, victims are redirected through multiple URLs to obscure the final phishing domain. The phishing engine utilizes various services to store scripts and resources, while communication with the C2 server is encrypted using AES in CBC mode. Stolen user data is sent to the attackers' C2 server, managed by a custom communication protocol.
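The Tycoon 2FA messages described above combine a DocuSign lure with mail sent through a third-party bulk sender, so the message can carry a valid DKIM signature while SPF, DKIM alignment, or DMARC fail for the brand it claims. As an added example (not part of the Cyware briefing or any vendor's code), here is a small Python header-triage check that flags messages claiming a brand in the From header when the authenticated domains do not line up with that brand. The sample headers, domains, and the DocuSign domain allowlist are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Assumption for this example: genuine DocuSign notifications authenticate
# for one of these domains. Replace with your own verified allowlist.
LEGIT_BRAND_DOMAINS = ("docusign.com", "docusign.net")
BRAND_KEYWORD = "docusign"

# Constructed sample: brand name in the From header, relayed through a bulk
# sender, DKIM valid but for the relay's domain, SPF and DMARC failing.
SUSPECT_MSG = """From: "DocuSign via Secure Docs" <notify@docusign-review.example>
Return-Path: <bounce@amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=amazonses.com; dkim=pass header.d=amazonses.com; dmarc=fail header.from=docusign-review.example
Subject: Completed: Please review and sign your document

Body omitted.
"""

# Constructed sample of a message that authenticates for the claimed brand.
CLEAN_MSG = """From: "DocuSign" <dse@docusign.net>
Return-Path: <dse@docusign.net>
DKIM-Signature: v=1; a=rsa-sha256; d=docusign.net; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=docusign.net; dkim=pass header.d=docusign.net; dmarc=pass header.from=docusign.net
Subject: Completed: Please review and sign your document

Body omitted.
"""


def _domain_of(addr_header: str) -> str:
    """Return the lower-cased domain part of an address-bearing header."""
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""


def _aligned(child: str, parent: str) -> bool:
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    return bool(child) and (child == parent or child.endswith("." + parent))


def parse_auth_results(msg: Message) -> dict:
    """Collect the first spf/dkim/dmarc verdict from Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage(raw: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    from_dom = _domain_of(from_hdr)
    findings = []

    # Brand name used in From while the domain is not one we trust for it.
    claims_brand = BRAND_KEYWORD in from_hdr.lower()
    if claims_brand and not any(_aligned(from_dom, d) for d in LEGIT_BRAND_DOMAINS):
        findings.append(f"brand claim '{BRAND_KEYWORD}' from non-brand domain {from_dom}")

    # Any mechanism that did not pass is worth surfacing to the analyst.
    auth = parse_auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}")

    # A valid DKIM signature only vouches for d=; check it matches the From domain.
    m = re.search(r"\bd=([\w.-]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1).lower() if m else ""
    if dkim_dom and not _aligned(dkim_dom, from_dom):
        findings.append(f"DKIM d={dkim_dom} not aligned with From domain {from_dom}")

    # SPF authenticates the bounce domain, so check that one aligns too.
    rp_dom = _domain_of(msg.get("Return-Path", ""))
    if rp_dom and not _aligned(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} not aligned with From domain {from_dom}")
    return findings


def is_suspicious(raw: str) -> bool:
    return bool(triage(raw))


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_MSG), ("clean", CLEAN_MSG)):
        print(label, "->", triage(sample) or "no findings")
```

The point of the alignment checks is that "dkim=pass" on its own says nothing about the brand in the From header; a bulk sender can sign validly for its own domain. Feeding a gateway's Authentication-Results header to this kind of check, and treating an unaligned DKIM `d=` or Return-Path on a brand-lure message as a quarantine signal, is a cheap way to catch relayed lookalikes before a user clicks the redirect chain.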
Cybercriminals are targeting small and medium-sized businesses in Poland, Italy, and Romania with phishing campaigns using malware like Agent Tesla, Formbook, and Remcos RAT. ESET researchers reported that the attackers used compromised email accounts and servers to spread malicious emails and host malware. These campaigns, consisting of nine waves, are using a malware loader known as DBatLoader to deliver the final payloads.
Proofpoint's email protection service was exploited in a phishing campaign called "EchoSpoofing" to send millions of spoofed emails daily impersonating major companies like Disney, Nike, IBM, and Coca-Cola to target Fortune 100 companies. The campaign began in January 2024 and peaked in June with 14 million spoofed emails per day. Guardio Labs discovered the campaign and the security vulnerability in Proofpoint's servers, which allowed threat actors to send emails through compromised Office 365 accounts.
New threats are constantly emerging, highlighting the dynamic and ever-changing nature of the cybersecurity landscape. Researchers have uncovered a new DNS attack vector, named Sitting Ducks, exploited by over a dozen Russian threat actors to hijack more than 30,000 domains. This vulnerability arises from inadequate domain ownership verification by DNS providers, leading to widespread malware delivery, phishing, and brand impersonation. In mobile security, a new Android malware called BingoMod has been identified that not only siphons money from victims' bank accounts but also wipes devices clean. Additionally, a rising phishing scam known as OneDrive Pastejacking targets Microsoft OneDrive users by tricking them into running a malicious PowerShell script.