
Threat Pulse – July 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Attackers Exploit Unpatched Windows Zero-Day Vulnerability 

An unpatched zero-day vulnerability (CVE-2023-36884) is currently being abused in the wild. This vulnerability impacts Windows and Office products and could lead to remote code execution if exploited.  

Exploitation requires specially crafted Microsoft Office documents which, when opened, would allow an attacker to achieve remote code execution in the context of the victim user.

Currently, one phishing campaign by threat actor group ‘Storm-0978’ has been observed attempting to exploit this vulnerability. The threat group have mainly been targeting defence and government entities in Europe and North America.  

The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.  

New Vulnerabilities Disclosed in SonicWall Products 

Fifteen security flaws have been discovered which impact on-premises versions of SonicWall GMS 9.3.2-SP1 and earlier and Analytics 2.5.0.4-R7 and earlier.

It is recommended to upgrade to GMS 9.3.3 and Analytics 2.5.2.  

“The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve,” SonicWall said. “This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behaviour.” 

Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware 

A Rust-based file-encrypting ransomware dubbed ‘SophosEncrypt’ was found by security researchers this week. The malware impersonates the cybersecurity firm Sophos.

When executed using the Windows command line, it appends the ‘.sophos’ extension to the encrypted files and drops a ransom note into each affected directory, in the form of an HTML Application (.hta) file. The ransomware also has the capability to change the Windows desktop wallpaper, with the current wallpaper boldly displaying the ‘Sophos’ brand that it is impersonating.  

‘Big Head’ Ransomware Displays Fake Windows Update Alert 

Researchers have analysed malware which could be spreading through fake Windows updates and Microsoft Word installers. The ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another handles Telegram bot communication, and the third encrypts the data. While encryption is in progress, a fake Windows update screen is displayed.

Although its encryption methods are standard, and its evasion techniques are not sophisticated, this could be especially effective on end users who may think it is a legitimate update. 

Bug Exposing CF API Admin Credentials Fixed By VMware

VMware Tanzu Application Service for VMs (TAS for VMs) has been patched for CVE-2023-20891, a vulnerability which would allow remote attackers with low privileges to access Cloud Foundry API admin credentials on unpatched systems.  

The vulnerability arises because hex-encoded CF API admin credentials are written to the platform system audit logs. Anyone who can read those logs can recover the credentials and use them to push malicious versions of apps. Non-admin users do not have access to the system audit logs in standard deployment configurations.
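As an added detection example (not DigitalXRAID's or VMware's code; the audit-log line format is a constructed assumption), the following scans log lines for long hex runs that decode to credential-like key=value text, reporting the key names found but never the values:

```python
import re
from typing import Dict, List, Optional

# Minimum hex length worth decoding; short hex tokens (IDs, hashes) are common and noisy.
MIN_HEX_CHARS = 32
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{%d,})(?![0-9a-fA-F])" % MIN_HEX_CHARS)
# Key-name fragments that mark decoded text as credential material rather than an opaque ID.
CREDENTIAL_KEYS = ("client_secret", "password", "passwd", "secret", "token", "api_key")
USER_FIELD = re.compile(r"\buser=(\S+)")

# Constructed sample audit-log lines (assumed format, not real TAS for VMs output).
# Line 3 carries a hex-encoded credential string, modelled on the bulletin's description.
_SECRET_BLOB = "client_id=admin&client_secret=S3cr3tPass".encode().hex()
SAMPLE_LOG = "\n".join([
    "2023-07-20T10:01:02Z audit user=dev-1 action=app.push app=billing status=ok",
    "2023-07-20T10:01:05Z audit user=dev-1 action=space.list status=ok",
    "2023-07-20T10:01:09Z audit user=system action=cf.api.bootstrap payload=" + _SECRET_BLOB,
    "2023-07-20T10:01:12Z audit user=dev-2 action=route.map route=a1b2c3d4e5f60718293a4b5c6d7e8f90 status=ok",
])


def decode_hex_if_text(hex_run: str) -> Optional[str]:
    """Return the decoded string if the hex run decodes to printable ASCII, else None."""
    if len(hex_run) % 2:
        return None
    raw = bytes.fromhex(hex_run)
    if not all(32 <= b < 127 for b in raw):
        return None  # binary data (e.g. a GUID or hash), not an encoded credential string
    return raw.decode("ascii")


def credential_keys_in(text: str) -> List[str]:
    """Names of credential-like keys in key=value text; values are deliberately withheld."""
    keys = [kv.split("=", 1)[0] for kv in re.split(r"[&;,\s]", text) if "=" in kv]
    return [k for k in keys if any(marker in k.lower() for marker in CREDENTIAL_KEYS)]


def find_leaked_credentials(log_text: str) -> List[Dict[str, object]]:
    """Flag lines whose hex runs decode to text containing credential-like keys."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for run in HEX_RUN.findall(line):
            decoded = decode_hex_if_text(run)
            if decoded is None:
                continue
            keys = credential_keys_in(decoded)
            if keys:
                user = USER_FIELD.search(line)
                findings.append({"line": lineno, "user": user.group(1) if user else None, "keys": keys})
    return findings
```

Line 4's 32-character route ID is a deliberate decoy: it is long enough to match but decodes to non-printable bytes, so it is not reported.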

Realst Malware Steals Your Cryptocurrency Wallets 

A new Mac malware named “Realst” is being used in a massive campaign targeting Apple computers, with some of its latest variants including support for macOS 14 Sonoma, which is still in development.  

The malware, first discovered by security researcher iamdeadlyz, is distributed to both Windows and macOS users in the form of fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.  

These games are promoted on social media, with the threat actors using direct messages to share access codes required to download the fake game client from associated websites. 

CherryBlos and FakeTrade Malware Targeting Android Users 

Researchers issued a warning about two connected malware campaigns called CherryBlos and FakeTrade that prey on Android users and engage in cryptocurrency theft and other financially motivated scams. The campaign’s operators are dispersing the malware through phishing websites, fake Android apps on Google Play, and social media networks. 

The research claims that the threat actor behind these efforts used sophisticated ways to avoid detection, including software packing, obfuscation, and manipulating Android’s Accessibility Service. 

One peculiar—and potentially dangerous—feature of CherryBlos is the ability to read any mnemonic phrases that may be present in images on a compromised host device using optical character recognition (OCR) and transfer that data to its command-and-control server. 

Dark Web Profile: 8Base Ransomware 

A new ransomware group, 8Base Ransomware, is targeting small and medium-sized businesses across various sectors, including finance and information technology, and is known for its double-extortion tactics. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
