
Cyware Weekly Threat Intelligence - September 16–20


Weekly Threat Briefing Sep 20, 2024

The Good

German law enforcement has dealt a double blow to cybercriminals, first by dismantling infrastructure used by the Vanir Locker ransomware group. In a separate operation, they took down 47 cryptocurrency exchanges used for illegal money laundering, redirecting users to an Operation Final Exchange page that exposes the platforms’ deceptive activities. The CISA and the FBI are calling on software manufacturers to rethink their approach, issuing a Secure by Design Alert to tackle the widespread occurrence of cross-site scripting (XSS) vulnerabilities.

  • German law enforcement has taken down infrastructure used by a ransomware group that deployed the Vanir Locker malware in a small number of attacks. Officers seized control of the leak site used by the hackers, preventing data stolen from affected companies from being published. In a parallel action, they seized 47 cryptocurrency exchange services in the country that cybercriminals used for illegal money laundering. These platforms allowed anonymous cryptocurrency transactions, creating a low-risk environment for criminals. Visitors to the seized exchanges are now redirected to an Operation Final Exchange warning page that informs them of the deception by the exchange operators. The exchanges with the most users and transactions have been listed.
  • A global law enforcement operation called Operation Kaerb dismantled a criminal network that used the iServer platform to carry out automated phishing attacks, targeting 483,000 victims worldwide. The operation involved authorities from several countries and resulted in the arrest of 17 suspects, including the administrator of the phishing platform.
  • The CISA and the FBI issued a Secure by Design Alert to address the prevalence of cross-site scripting (XSS) vulnerabilities in software. They emphasize the need for manufacturers to prioritize customer security, embrace transparency, and build organizational structures to prevent XSS vulnerabilities. The alert provides principles and action items for software manufacturers to eliminate entire classes of vulnerabilities during the design and development phases. It also encourages manufacturers to take the Secure by Design Pledge and stay informed on best practices.
  • The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called Raptor Train that targeted critical infrastructure in the US and other countries. The botnet infected over 260,000 networking devices, including routers, modems, IP cameras, and NVR devices, and was used to target entities in military, government, education, and IT sectors. It operated as a complex, multi-tiered network with an enterprise-grade control system and was linked to state-sponsored Chinese hackers. The FBI executed operations to take control of the botnet infrastructure. Steps to protect against Raptor Train include checking for large outbound data transfers and regularly updating and replacing vulnerable devices.
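The Secure by Design alert above asks manufacturers to remove cross-site scripting as a class rather than patch it one finding at a time. The following is an added example (written for this briefing, not code from CISA, the FBI, or any vendor named on the page) that contrasts a renderer which concatenates user input into HTML with a small template renderer that escapes every substitution by default and only lets a value through unescaped when a developer explicitly marks it with an assumed `SafeHTML` type. The function names, the `{name}` placeholder syntax and the sample input are all constructed for the demonstration.

```python
# Added example (not from the Cyware briefing or from CISA): a renderer that
# concatenates user input into HTML versus one that escapes by default, the
# "secure by design" pattern that removes XSS as a class. All names and the
# sample input below are constructed assumptions for this demo.
import html
import re

# Constructed attacker-controlled input, e.g. a user-chosen display name.
SAMPLE_NAME = '<img src=x onerror="alert(1)">'


def render_vulnerable(display_name: str) -> str:
    """Legacy pattern: raw string formatting drops user data into HTML unescaped."""
    return f"<p>Welcome, {display_name}!</p>"


class SafeHTML(str):
    """Marker type for a fragment a developer has explicitly declared safe.

    Only values of this type bypass escaping, so every opt-out is visible in
    code review instead of being the silent default.
    """


def escape_value(value) -> str:
    """Escape anything not marked SafeHTML for an HTML body/attribute context."""
    if isinstance(value, SafeHTML):
        return str(value)
    return html.escape(str(value), quote=True)


def render_secure(template: str, **values) -> str:
    """Render a developer-authored template, escaping every {placeholder} value.

    A missing value raises instead of rendering an empty or partial page.
    """
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in values:
            raise KeyError(f"missing template value: {key}")
        return escape_value(values[key])
    return re.sub(r"\{(\w+)\}", substitute, template)


def payload_survives(rendered: str, payload: str) -> bool:
    """True when the raw payload reaches the output intact (i.e. would execute)."""
    return payload in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_NAME))
    print("secure:    ", render_secure("<p>Welcome, {name}!</p>", name=SAMPLE_NAME))
```

The design point is in `escape_value`: the default path is the safe one, and the unsafe path requires a distinct type that a reviewer or static check can search for. Frameworks with auto-escaping templates implement the same idea at scale.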
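One of the protective steps listed for Raptor Train is checking for large outbound data transfers from networking devices. As an added example (not from the briefing or from the FBI), here is a small flow-record check that sums bytes sent from internal devices to external addresses and flags any device above a threshold. The `Flow` record layout, the internal address ranges, the threshold and the sample flows are all constructed assumptions; a real deployment would feed it from NetFlow/IPFIX or firewall logs.

```python
# Added example (not from the Cyware briefing or the FBI advisory): flag devices
# with unusually large outbound transfers, one of the checks recommended against
# Raptor Train-style compromise. Record layout, ranges, threshold and sample
# flows are constructed assumptions for this demo.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # source address as seen by the flow collector
    dst: str        # destination address
    bytes_out: int  # bytes sent from src to dst in this flow


# Assumed internal ranges (RFC 1918); adjust to the environment being monitored.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flows: 10.0.0.20 (say, an IP camera) pushes 120 MB to two external
# hosts in documentation address space, while the others look ordinary.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.1", 5_000_000),       # internal to internal, ignored
    Flow("10.0.0.20", "203.0.113.7", 60_000_000),
    Flow("10.0.0.20", "203.0.113.9", 60_000_000),
    Flow("10.0.0.30", "198.51.100.4", 2_000_000),   # small, normal egress
]


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_bytes_by_device(flows) -> dict:
    """Sum egress bytes per internal source, counting only internal->external flows."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def flag_large_egress(flows, threshold_bytes: int = 100_000_000) -> list:
    """Return internal devices whose total egress meets or exceeds the threshold."""
    totals = outbound_bytes_by_device(flows)
    return sorted(dev for dev, total in totals.items() if total >= threshold_bytes)


if __name__ == "__main__":
    for dev, total in sorted(outbound_bytes_by_device(SAMPLE_FLOWS).items()):
        print(f"{dev}: {total / 1_000_000:.1f} MB out")
    print("flagged:", flag_large_egress(SAMPLE_FLOWS))
```

A fixed byte threshold is the simplest form of this check; in practice the threshold is set per device class, since a camera or modem that normally sends a few megabytes a day stands out at a much lower level than a file server.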

The Bad

Microsoft flagged Vanilla Tempest as the latest ransomware affiliate preying on the U.S. healthcare sector. In a recent attack, the Storm-0494 group used the INC ransomware, along with malware like Gootloader and Supper, to breach networks. GitHub users are under fire as cybercriminals weaponize the platform, spreading Lumma Stealer through fake vulnerability issues and phishing email alerts. The Russian Key Group is deploying Chaos ransomware to encrypt files and steal data, leaving victims with little hope of recovery. The group disables system recovery, leaves files scrambled, and uses Telegram channels to demand ransom payments.

  • Microsoft has identified Vanilla Tempest, a ransomware affiliate, targeting U.S. healthcare organizations in INC ransomware attacks. In one such attack on the U.S. healthcare sector, Vanilla Tempest gained access through the Storm-0494 threat actor and deployed malware like Gootloader and Supper. While the specific victim was not named, a similar attack affected Michigan's McLaren Health Care hospitals last month, disrupting patient information databases and services. The threat actor moves laterally through RDP and leverages the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
  • A threat campaign has been found using GitHub to distribute Lumma Stealer. Malicious actors create fake security vulnerability issues on open source repositories, prompting users to visit a fake GitHub Scanner domain that distributes Windows malware. The campaign also sends convincing email alerts from legitimate GitHub servers, tricking users into accessing the malicious domain. The malware steals sensitive information and targets GitHub users, potentially aiming to compromise source code and conduct supply chain attacks.
  • The Russian ransomware group Key Group has been spotted using the .NET-based Chaos ransomware to encrypt files, steal data, and demand ransom via Telegram. Once it infects a system, the ransomware encrypts files, appending a random extension, and disables system recovery, while sparing certain files. A ransom message is displayed once encryption completes, directing victims to two URLs for payment. Victims are cautioned not to engage with the attackers, as data recovery is unreliable and the risk of permanent data loss remains even after payment.
  • North Korean hackers are targeting cryptocurrency users on LinkedIn using the RustDoor malware. The attacks involve pretending to be recruiters for legitimate decentralized cryptocurrency exchanges like STON.fi, aiming to infiltrate networks under the guise of interviews or coding assignments. RustDoor is a macOS malware designed to steal information and operate as a backdoor with two different command-and-control servers.
  • Cryptocurrency exchange Binance alerted users to a surge in clipper malware attacks targeting cryptocurrency holders. This malware, known as ClipBankers, can intercept clipboard data and replace cryptocurrency wallet addresses with those controlled by attackers. Binance issued a warning on September 13, after noticing a significant rise in malicious activity, causing financial losses for affected individuals.
  • Cyble uncovered a sophisticated cyber campaign targeting attendees of the U.S.-Taiwan Defense Industry Conference. The attack involves a deceptive ZIP archive disguised as a conference registration form, which, when opened, executes covert actions to establish persistence and download additional malicious content. The attackers use advanced in-memory execution techniques to evade traditional detection methods and exfiltrate sensitive data.
  • A malware campaign was found locking users in their browser's kiosk mode to trick them into entering their Google credentials. This information-stealing malware, called StealC, then captures and sends the stolen credentials back to the attacker. The attack technique, discovered by OALABS researchers, has been observed since at least August 22, 2024, and is primarily associated with Amadey malware.

New Threats

Earth Baxia exploited a GeoServer vulnerability in spear-phishing attacks, targeting government networks in Taiwan and the APAC region. Using tools like GrimResource and EAGLEDOOR, they compromised energy and telecom sector firms across South Korea, Vietnam, and Thailand. UNC2970 used fake job offers in energy and aerospace to deliver the MISTPEN backdoor through a trojanized SumatraPDF, gaining access to critical infrastructure with phishing lures. The CISA urged immediate patching of an Apache HugeGraph-Server flaw after reports of active exploitation.

  • Earth Baxia targeted a government organization in Taiwan and potentially other countries in the APAC region, using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. The threat actor utilized GrimResource and AppDomainManager injection to deploy additional payloads, including customized Cobalt Strike components and a new backdoor named EAGLEDOOR. The threat actor's activities were primarily targeted at government agencies, telecommunication businesses, and the energy industry in countries such as the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
  • A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical infrastructure verticals. The lures posed as job openings from prominent companies in the energy and aerospace industries. The attackers delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor was capable of downloading and executing PE files and communicated with Microsoft Graph URLs.
  • The CISA added a critical remote code execution flaw (CVE-2024-27348) in Apache HugeGraph-Server to its KEV catalog. Apache released a fix in version 1.3.0, urging users to upgrade, use Java 11, enable the Auth system, and activate the "Whitelist-IP/port" function for RESTful API security. Active exploitation of CVE-2024-27348 has been reported, and federal agencies and critical infrastructure operators are required to apply mitigations before October 9. The CISA also added other flaws to the KEV catalog, including vulnerabilities in Microsoft SQL Server (CVE-2020-0618), Windows Task Scheduler (CVE-2019-1069), Oracle JDeveloper (CVE-2022-21445), and Oracle WebLogic Server (CVE-2020-14644).
  • Varonis Threat Labs discovered a vulnerability in Salesforce's public link feature, which could be exploited by threat actors to access sensitive data. The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing for a blind SOQL injection attack to retrieve customer information, including PII. Salesforce patched the vulnerability in February. The vulnerability affected virtually any public link generated by Salesforce, posing a widespread risk to data exposure.
  • Apple's Vision Pro headset was affected by a security flaw named GAZEploit, allowing attackers to infer virtual keyboard inputs. The vulnerability, CVE-2024-40865, was patched in visionOS 1.3. Researchers found that analyzing eye movements on a virtual avatar could reveal text entered on the keyboard, compromising user privacy. Threat actors could exploit this to extract sensitive information like passwords, using supervised learning models to differentiate typing sessions from other VR activities.
  • Microsoft recently patched a Windows MSHTML spoofing vulnerability, identified as CVE-2024-43461, which had been exploited by the Void Banshee APT hacking group. Void Banshee utilized the flaw in zero-day attacks to deploy information-stealing malware. The vulnerability allowed attackers to hide the .hta file extension as a PDF, making it more likely to be opened by users. Despite a security update, the file may still confuse users into opening it as a PDF.
