X
NEXT
Forgot password?

DigitalXRAID

Threat Pulse – December 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Eight-legged Phreaks: New Scattered Spider phishing infrastructure discovered 

A leading threat hunting organisation has highlighted an increase in the number of domains created by Scattered Spider targeting organisations in the financial, insurance, investment, retail, and entertainment sectors.  

The group is known for launching sophisticated social engineering attacks designed to obtain login credentials and MFA tokens from employees. 

MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF 

A sophisticated phishing campaign deploying MrAnon Stealer via a fake booking PDF has been uncovered.  

The threat actor sends phishing emails with fake room booking details, aiming at specific regions. The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts.  

The attacker also uses tricks like false error messages to hide successful infections. The malware downloads and extracts files from a specific domain to run a harmful Python script. 

Malvertisers zoom in on cryptocurrencies and initial access

Over the past month, there’s been an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software.  

Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators. 

Chinese Hackers Deliver Malware to Barracuda Email Security Appliances via New Zero-Day 

Chinese-affiliated hackers persist in targeting Barracuda Email Security Gateway (ESG) appliances, with recent incidents involving the exploitation of a new zero-day vulnerability. 

In May 2023, it was revealed that a zero-day in Barracuda ESG, identified as CVE-2023-2868, had been actively exploited since at least October 2022. This exploitation aimed to deliver malware and acquire data from a select number of organisations utilising the email security product. 

In June, Mandiant confidently attributed these attacks to UNC4841, a cyberespionage group believed to be backed by the Chinese government. 

On Christmas Eve, Barracuda issued a new alert, disclosing that the same China-linked UNC4841 group had uncovered another zero-day vulnerability affecting ESG appliances. The fresh flaw, designated as CVE-2023-7102 and characterised as an arbitrary code execution vulnerability, impacts ‘Spreadsheet::ParseExcel,’ an open source library utilised by the Amavis virus scanner present in ESG devices. 

Barracuda announced in a blog post on December 22, 2023, that a patch has been implemented to address compromised ESG appliances displaying indicators of compromise associated with the recently discovered malware variants.  

Customers are not required to take any immediate action, and the investigation is still ongoing. 

Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts 

Cybercriminals are exploiting a hidden Google login feature to break into accounts, even after passwords are changed. They’re using malware to target a little-known Google login process called “MultiLogin.” It’s designed to let people log in to multiple accounts at once, but the malware is twisting it to revive expired login cookies. 

These cookies are like temporary keys that keep you logged in to websites. Normally, they expire after a while, but the malware is tricking Google into giving them a new lease on life. This means even if you change your password, the hackers can still sneak in using the old cookie. 

Sophisticated JaskaGO info stealer targets macOS and Windows

A new Go-based information stealer malware called JaskaGO has emerged targeting both Windows and Apple macOS systems. Detected variants of the malware have masqueraded as legitimate software packages including CapCut, AnyConnect and various security tools. 

In an effort to fly under the radar, JaskaGO runs checks to determine if it is executing within a virtual environment.  If it isn’t, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating running processes, and downloading additional payloads. 

Vulnerabilities found in pfsense firewall software 

Multiple security vulnerabilities have been discovered in the pfSense firewall solution; two cross-site scripting (XSS) bugs and one command injection flaw. This vulnerability can be used to execute arbitrary commands on susceptible appliances. 

This impacts pfSense version CE 2.7.0 and below as well as pfSense Plus 23.05.1 and below and has been given separate CVEs per vulnerability: 

CVE-2023-42325 (CVSS score: 5.4)  

CVE-2023-42327 (CVSS score: 5.4)  

CVE-2023-42326 (CVSS score: 8.8) 

This flaw can be weaponised by tricking an authenticated pfSense user, such as admins into clicking on a specially crafted URL vis phishing, which contains an XSS payload that activates command injection upon clicking.  

With pfSense process running as root due to its need to change network settings, a breach to this service would result in hostile actors having root access.  

We recommend anyone that’s uses the affected version of pfSense to update to pfSense CE 2.7.1 and pfSense Plus 23.09. 

GCTI Cobalt Strike 

Google Cloud has released a set of open source YARA rules to help flag and identify versions of Cobalt Strike components. These are designed to detect potential instances of Cobalt Strike activity.  

Each Cobalt Strike version contains around 10 to 100 attack template binaries, of which a total of 275 unique JAR files have been found by GCTI. These serve as key indicators for recognising the tool being used. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 

Cyber Security Experts

Accredited and regulated, we're in the top 1% of cyber security agencies globally

Crown Commercial Service Supplier Cyber Essentials Plus ISO 27001 BSI ISO 9001 CHECK NCSC Cyber Incident Response CREST

We’re trusted by the UK Government as Crown Commercial Service providers as well as being accredited by two of the leading cyber security governing bodies. Our ISO9001 certification means you can rest assured our processes and approach are market leading.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert

x

Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]