We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence, July 29 - August 02, 2024

Cyware Weekly Threat Intelligence, July 29 - August 02, 2024 - Featured Image

Weekly Threat Briefing Aug 5, 2024

The Good

In recent cybersecurity developments, significant strides have been made in combating cyber threats and enhancing defenses. The UK’s NCA has successfully dismantled Russian Coms, a major caller ID spoofing platform used by scammers to make over 1.8 million fraudulent calls, resulting in substantial financial losses for victims worldwide. Meanwhile, the NSA has unveiled an AI-powered Autonomous Penetration Testing platform to advance cyber defense for intelligence community contractors. The Center for Federal Civilian Executive Branch Resilience is bolstering U.S. federal cybersecurity with a new initiative focused on strengthening defenses against cybercriminals and nation-state attackers. This initiative includes education, technology solutions, and a push towards zero trust architecture.

  • The U.K's NCA shut down Russian Coms, a major caller ID spoofing platform used by hundreds of criminals to make over 1.8 million scam calls, resulting in significant financial losses to victims across multiple countries. Scammers used Russian Coms to impersonate legitimate companies and financial institutions, tricking victims into transferring money or providing access to their bank accounts. The NCA's action, part of ‘Operation Henhouse,’ demonstrates a commitment to pursuing both the criminals and the technology they exploit, with 290 arrests made in a crackdown on fraud across the UK.
  • The NSA has developed an AI-powered Autonomous Penetration Testing platform to enhance cyber defense testing for intelligence community industry providers. The tool aims to streamline the identification and mitigation of vulnerabilities within Defense Industrial Base systems, ultimately improving overall cyber posture. AI-backed penetration testing can better assess and monitor network vulnerabilities, helping to safeguard sensitive and classified data from cyber threats.
  • The Center for Federal Civilian Executive Branch Resilience aims to enhance the cybersecurity defenses of federal agencies, recognizing the vulnerability of government workers to cyberattacks. The initiative aims to enhance defense against cybercriminals and nation-state hackers, especially after incidents like the SolarWinds breach and attacks from Russia, China, North Korea, and Iran. The center will provide education, technology solutions, and policy recommendations to strengthen the digital security of federal agencies. There is a deadline for agencies to adopt zero trust architecture, and the initiative will prioritize identifying and addressing pressing cyber issues facing federal workers.

The Bad

Recent cybersecurity incidents highlight the evolving nature of cyber threats. APT41, a threat actor group believed to consist of Chinese nationals, has launched a sophisticated cyber-espionage campaign targeting a Taiwanese government-affiliated research institute. In another alarming development, fake Google Authenticator sites promoted through Google ads are leading users to malicious landing pages that mimic legitimate sites. Additionally, a new phishing campaign employing the Tycoon 2FA phishing kit has been identified. This campaign uses Amazon SES to deliver emails disguised as documents from Docusign, despite potential SPF and DKIM failures.

  • A malicious cyber-espionage campaign targeted a Taiwanese government-affiliated research institute, carried out by a group identified as APT41, alleged to be comprised of Chinese nationals. The attackers used malware such as ShadowPad and Cobalt Strike, along with various techniques to compromise the institute's environment, exfiltrate documents, and gather information. The attackers also leveraged Chinese-language tools and techniques, indicating a Chinese-speaking threat actor.

  • Google ads are being used to promote fake Google Authenticator sites that install malware on users' devices. The fake Google Authenticator ads lead users to a series of redirections to the malicious landing page at chromeweb-authenticators[.]com, which imitates a legitimate Google portal. The executable file is signed by legitimate companies, potentially bypassing security solutions on Windows systems to deploy the DeerStealer malware, which steals sensitive information from web browsers.

  • North Korea-linked malware campaign, known as DEV#POPPER, is targeting software developers on Windows, Linux, and macOS systems. The campaign has targeted victims in South Korea, North America, Europe, and the Middle East. The attackers use social engineering tactics to trick developers into downloading malicious software disguised as job interview materials. The malware, named BeaverTail, is designed to steal sensitive information by establishing contact with a remote server and downloading additional payloads, such as a Python backdoor called InvisibleFerret.

  • An online fraud operation known as "ERIAKOS" is promoting over 600 fake online stores through Facebook ads in an attempt to steal personal and financial information from visitors. These sites, which offer products from popular brands like Nike and Apple at highly discounted prices, are accessible only through mobile devices to evade security scans and utilize fake user testimonials to lure in potential buyers. Recorded Future uncovered the ERIAKOS operation and suspects its origin in China based on the domain registrar and payment providers used. While many of the sites have been taken down, the campaign continues to generate new ads for freshly created sites.

  • Apple has rolled out security updates for iOS, macOS, tvOS, visionOS, watchOS, and Safari to address numerous vulnerabilities. The updates include fixes for 35 security flaws in iOS 17.6 and iPadOS 17.6, as well as patches for nearly 70 vulnerabilities in macOS Sonoma 14.6. Third-party components such as libtiff and ANGLE engine were also fixed in the updates. Safari 17.6 was released with patches for nine bugs. The fixes are also available for older devices with iOS 16.7.9 and iPadOS 16.7.9 updates.

  • A sophisticated phishing campaign with Tycoon 2FA phishing kit has been identified, exploiting Amazon SES to steal user credentials. The attack involves emails with valid signatures and attachments posing as documents from Docusign, despite potential SPF and DKIM failures. Upon clicking links in the emails, victims are redirected through multiple URLs to obscure the final phishing domain. The phishing engine utilizes various services to store scripts and resources, while communication with the C2 server is encrypted using AES in CBC mode. Stolen user data is sent to the attackers' C2 server, managed by a custom communication protocol.

  • Cybercriminals are targeting small and medium-sized businesses in Poland, Italy, and Romania with phishing campaigns using malware like Agent Tesla, Formbook, and Remcos RAT. ESET researchers reported that the attackers used compromised email accounts and servers to spread malicious emails and host malware. These campaigns, consisting of nine waves, are using a malware loader known as DBatLoader to deliver the final payloads.

  • Proofpoint's email protection service was exploited in a phishing campaign called "EchoSpoofing" to send millions of spoofed emails daily impersonating major companies like Disney, Nike, IBM, and Coca-Cola to target Fortune 100 companies. The campaign began in January 2024 and peaked in June with 14 million spoofed emails per day. Guardio Labs discovered the campaign and the security vulnerability in Proofpoint's servers, which allowed threat actors to send emails through compromised Office 365 accounts.

New Threats

New threats are constantly emerging, highlighting the dynamic and ever-changing nature of the cybersecurity landscape. Researchers have uncovered a new DNS attack vector, named Sitting Ducks, exploited by over a dozen Russian threat actors to hijack more than 30,000 domains. This vulnerability arises from inadequate domain ownership verification by DNS providers, leading to widespread malware delivery, phishing, and brand impersonation. In mobile security, a new Android malware called BingoMod has been identified that not only siphons money from victims' bank accounts but also wipes devices clean. Additionally, a rising phishing scam known as OneDrive Pastejacking targets Microsoft OneDrive users by tricking them into running a malicious PowerShell script.

  • Researchers have identified a DNS attack vector, dubbed Sitting Ducks, which has been exploited by over a dozen Russian threat actors to hijack more than a million domains. This exploit takes advantage of weak or nonexistent domain ownership verification by DNS providers, resulting in malware delivery, phishing, and brand impersonation. The issue has been exploited since 2019, with an estimated 1 million exploitable domains and 30,000+ hijacked domains confirmed.
  • A new Android malware named BingoMod has been discovered by researchers, which not only steals money from victims' bank accounts using on-device fraud but also wipes devices clean. The malware is distributed through text messages, posing as a legitimate mobile security tool, and can steal up to 15,000 EUR (~$16,200) per transaction. The malware, under active development, is distributed in SMS phishing campaigns under various names related to mobile security tools.
  • A new malicious campaign using over 100,000 Android malware apps to steal OTP codes from SMS messages has been detected since February 2022. These apps intercept OTPs to commit identity fraud from over 600 global brands with millions of users. The victims are in 113 countries, with India and Russia being the most targeted. The attack starts with tricking victims into downloading a malicious app from fake ads or Telegram bots, which then steals SMS messages and transmits them to command-and-control servers.
  • Walmart’s Cyber Intelligence Team discovered a new PowerShell backdoor alongside a variant of the Zloader/SilentNight malware. The backdoor enables threat actors to gain further access and deploy malware, using advanced obfuscation techniques. Zloader, originally a banking Trojan, has evolved into a multifunctional malware linked to ransomware groups like Ryuk and DarkSide. The PowerShell backdoor shares similarities with another malware called PowerDash, both utilizing obfuscation to hide their functions and communicate with command and control servers.
  • A new phishing scam targeting Microsoft OneDrive users tricks them into running a malicious PowerShell script. Known as OneDrive Pastejacking, the attack begins with an email containing an HTML file simulating a OneDrive page and urging the recipient to update their DNS cache. Clicking on "How to fix" leads users to run a PowerShell command that creates a folder, downloads files, and executes a script. The campaign has been observed in various countries, including the U.S. and the U.K. This tactic, also known as ClickFix, is on the rise according to cybersecurity researchers from ReliaQuest, Proofpoint, and McAfee Labs.
  • The new PKFail vulnerability allows attackers to bypass the Secure Boot process on millions of Intel and ARM microprocessor-based systems from multiple vendors, including Lenovo, HP, Asus, and SuperMicro, among others. The Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database.

Related Threat Briefings