We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence - September 02–06

Cyware Weekly Threat Intelligence - September 02–06 - Featured Image

Weekly Threat Briefing Sep 6, 2024

The Good

As cyber threats loom larger than ever, the White House released a comprehensive roadmap to secure the Border Gateway Protocol (BGP), a key component of internet routing. The initiative focuses on implementing Resource Public Key Infrastructure (RPKI) and advanced filtering techniques to defend against BGP hijacks and ensure the integrity of government network traffic. At the same time, the DOJ has seized 32 web domains tied to a Russian disinformation campaign aimed at influencing the American public, with multiple Russian entities facing legal action for orchestrating the operation.

  • The White House released a roadmap to enhance the cybersecurity of the Border Gateway Protocol (BGP), which routes data across networks. The plan calls for contractors to provide secure internet routing technologies to validate the legitimacy of data entering government networks and prevent BGP hijack attacks. The roadmap recommends using Resource Public Key Infrastructure (RPKI) to confirm network rights to specific internet protocol addresses and enforce specialized filtering techniques. It also urges network service providers to monitor data entering their networks and develop cybersecurity risk management plans.

  • The DOJ announced the seizure of 32 web domains linked to a Russian disinformation campaign targeting the American public ahead of the upcoming presidential election. The operation, known as Doppelgänger, is believed to be connected to Russian companies and agencies controlled by the Russian Presidential Administration. Russian companies and individuals, including RT executives, were indicted and sanctioned for orchestrating a $10 million scheme.

  • The ONCD launched a hiring sprint called Service to America to fill nearly half a million cyber jobs across the United States. The initiative aims to raise awareness about cyber job opportunities, remove barriers to entry, and engage both public and private sector employers. The government is collaborating with various agencies to recruit and hire individuals, including military spouses, and is advocating for the removal of degree requirements for cyber jobs.

The Bad

In the ever-changing world of cybercrime, no sector or individual is safe from increasingly sophisticated attacks. The Fog ransomware group has shifted its focus to financial services, leveraging a multi-pronged approach of data theft and file encryption to pressure victims into paying hefty ransoms. At the same time, political figures in Malaysia are under siege as the Babylon RAT spreads through malicious ISO files, allowing attackers to gain control of systems and steal sensitive data. Meanwhile, hackers themselves are being targeted by the Lummac Stealer malware, which disguises itself as an OnlyFans Checker tool to swipe credentials, financial info, and cryptocurrency wallets.

  • The Fog ransomware group, previously known for targeting education and recreational sectors, has now shifted focus to the financial services sector. The ransomware, a variant of STOP/DJVU, targets both Windows and Linux endpoints and demands a ransom via a Tor site. The attackers are highly skilled and utilize a multi-pronged approach, combining data theft with encryption to pressure victims into paying the ransom. They employ various tools and commands to traverse networks, gather information, exfiltrate data, and hinder file recovery from backups.
  • A cyberattack campaign in Malaysia is using malicious ISO files to spread the Babylon RAT, targeting political figures and officials. The ISO files contain deceptive components like shortcuts and scripts to trick users. The threat actor previously used the Quasar RAT against Malaysian entities, showing a trend of targeting high-profile individuals. Babylon RAT gives the attacker control over infected systems, allowing for activities like keylogging and data theft. This highlights the importance of enhancing security measures to prevent unauthorized access to sensitive data.
  • Cybersecurity experts uncovered the Lummac Stealer malware, posing as an OnlyFans Checker tool, which targets hackers. The malware also targets Disney+ and Instagram hackers. The malware is capable of stealing passwords, financial information, browsing history, and cryptocurrency wallets. It has been found to spread through cracked software and uses tactics to detect human users. The malware's architecture suggests global influences from East Asia, Africa, Latin America, and Celtic mythology.
  • The CISA added two flaws in DrayTek VigorConnect routers to its KEV catalog. These flaws, known as CVE-2021-20123 and CVE-2021-20124, are path traversal issues that allow attackers to download arbitrary files with root privileges. The vulnerabilities were patched in October 2021. While there are no reports of in-the-wild attacks, Fortinet noted CVE-2021-20123 being exploited in a global campaign across industries. Exploitation attempts spiked in August, leading CISA to include the vulnerabilities in its catalog.
  • Cisco Talos recently discovered a series of Microsoft Office documents created by the MacroPack payload generator framework and uploaded to VirusTotal between May and July. These documents contained various malicious payloads like the Havoc and Brute Ratel post-exploitation frameworks, as well as a new PhantomCore RAT variant. The MacroPack framework allows for the quick generation of different payloads with a single command, posing a challenge for detection. These documents originated from different countries, each featuring unique payloads and themes.

New Threats

Cyber adversaries are ramping up attacks across platforms, with no one safe from mobile, web, or ransomware exploits. The new SpyAgent malware is after cryptocurrency wallets, disguising itself as innocent Android apps to steal sensitive data from users in Korea, with signs it may soon target iOS. At the same time, DarkCracks is infecting GLPI and WordPress websites, using multi-layered attacks to evade antivirus detection and seize control of servers for long-term exploitation. Meanwhile, the RaaS group Cicada3301 is making waves with its Rust-based ransomware, targeting both Windows and Linux/ESXi systems and recruiting affiliates for widespread attacks.

  • A new mobile malware called SpyAgent is targeting mnemonic keys for cryptocurrency wallets. This Android malware disguises itself as legitimate apps and steals sensitive data such as text messages, contacts, and images. It spreads through phishing campaigns and infects devices by tricking users into downloading fake apps. The malware can also receive and execute commands from a remote server. The malware has been targeting users in Korea and has shown signs of spreading to the U.K. The researchers also found evidence suggesting a potential shift to targeting iOS users in the future.
  • QiAnXin identified a sophisticated malware campaign known as DarkCracks that targets GLPI and WordPress websites to distribute malicious loaders and maintain control over compromised systems. This stealthy threat evades detection by most antivirus software. DarkCracks employs a complex delivery system utilizing public websites to distribute malicious payloads and compromise devices for long-term exploitation. The malware initiates a multi-stage attack upon gaining access to a server, enabling attackers to establish persistent control over networks. The campaign's use of a three-tier URL verification system and targeted phishing tactics, including a decoy resume file in Korean, adds layers of difficulty for defenders.
  • A new RaaS operation called Cicada3301 has emerged and already listed 23 victims on its extortion portal since mid-June. The ransomware is written in Rust and targets both Windows and Linux/ESXi hosts. The group behind Cicada3301 has recruited affiliates and shares similarities with the now-defunct BlackCat/ALPHV group. The ransomware supports configurable parameters for its operation and generates a symmetric key for encryption. After encrypting files, it creates a ransom note and targets specific file extensions.
  • ManticoraLoader is a new MaaS observed on the XSS cybercrime forum distributed by a user with the alias DarkBLUP. The malware, available on Telegram since August 8, features stealth and obfuscation tactics, compatible with Windows 7 and above. It collects detailed information from infected devices, covertly sending data to a central control panel for profiling victims and customization of attacks. The actors limit clients to 10, offering services for $500 per month, aiming to monetize the tool.
  • Security researchers uncovered a new threat called Revival Hijack that enables attackers to spread malicious payloads via PyPI. By re-registering a formerly legitimate package name with a malicious one, attackers can trick users into inadvertently downloading harmful packages. Attackers are utilizing tactics like cloning repositories and typosquatting to distribute malware. The researchers demonstrated the threat by replacing legitimate packages with empty ones, leading to nearly 200,000 downloads in three months.
  • Cisco patched a command injection vulnerability in its Identity Services Engine (ISE) solution, allowing attackers to gain root privileges on vulnerable systems. The flaw, tracked as CVE-2024-20469, stems from insufficient validation of user input. Attackers with administrator privileges can execute malicious commands without user interaction. Cisco has released fixes for affected versions of ISE, including 3.2P7 and 3.3P4. Additionally, Cisco removed a backdoor account in its Smart Licensing Utility software and addressed other vulnerabilities such as CVE-2024-20295 and CVE-2024-20401.
  • A new multi-platform backdoor called KTLVdoor, developed in Golang, was found to be associated with the Chinese threat actor Earth Lusca. This malware, available for Windows and Linux, disguises itself as system utilities to perform tasks like file manipulation, command execution, and port scanning. It uses sophisticated encryption and obfuscation methods to avoid detection. The attack utilizes more than 50 C&C servers in China, but it is uncertain if they are exclusively for Earth Lusca or shared with other threat actors.
  • FortiGuard Labs found Emansrepo, a Python info-stealer spreading through fake emails with purchase orders and invoices. The malware compresses victim data into zip files and sends them to the attacker. Initially spread via phishing emails with Emansrepo download links, it's now packed using PyInstaller for systems without Python. The attack has become more complex, with multiple stages and data theft from different sources. Emansrepo collects user data from browsers and sends them to the attacker. The malware has evolved to steal PDF files, extensions, and cookies.

Related Threat Briefings