Threat Pulse – March 2023
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
A Noteworthy Threat: How Cybercriminals are Abusing OneNote
Threat actors are taking advantage of Microsoft OneNote's ability to embed files, combined with social engineering techniques such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.
Once the embedded file is clicked, the attacker's code runs and can be used for various malicious purposes, such as stealing data or installing ransomware on victims' systems.
New HiatusRAT Router Malware Covertly Spies On Victims
A never-before-seen complex malware dubbed Hiatus is targeting business-grade routers to covertly spy on victims.
It has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packets on the target device. The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications.
The threat cluster primarily singles out end-of-life (EoL) DrayTek Vigor router models 2960 and 3900.
The exact initial access vector used in the attacks is unknown, but a successful breach is followed by the deployment of a bash script that downloads and executes HiatusRAT.
Emotet Malware Now Distributed in Microsoft OneNote Files to Evade Defenses
Emotet malware is now being distributed using Microsoft OneNote email attachments with the aim of bypassing Microsoft security restrictions and infecting more targets.
Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros.
Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.
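Both the OneNote lure technique above and the Emotet campaign rely on the same primitive: a file object embedded inside a .one section. As an added example (not code from the DigitalXRAID bulletin or from any malware analysis), the Python below locates embedded file objects in a OneNote section and classifies their payloads, so a mail gateway or triage script can flag attachments carrying executables or script text. It assumes the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification as I understand it (header GUID, 8-byte little-endian length, 12 unused/reserved bytes, payload, padding to 8 bytes, footer GUID); the section blob it scans is constructed inline and contains a harmless batch stub, not a real sample.

```python
import re
import struct
import uuid
from dataclasses import dataclass

# guidHeader / guidFooter of a FileDataStoreObject (MS-ONESTORE), stored little-endian.
# Assumed layout: guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) |
#                 FileData(cbLength) | pad to 8-byte boundary | guidFooter(16)
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8

# Text a legitimate "double-click to view" attachment should never contain.
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell",
                  b"cmd.exe", b"cmd /c", b"<script", b"mshta")


@dataclass
class EmbeddedFile:
    offset: int        # byte offset of the object header in the section
    size: int          # cbLength as declared by the object
    kind: str          # what the payload looks like
    suspicious: bool   # True if a defender should hold the attachment


def classify(payload: bytes) -> tuple[str, bool]:
    """Identify a payload by magic bytes; executables and scripts are suspicious."""
    if payload[:2] == b"MZ":
        return "PE executable (.exe/.dll)", True
    if payload[:4] == b"L\x00\x00\x00":
        return "Windows shortcut (.lnk)", True
    if payload[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG image", False
    if payload[:2] == b"\xff\xd8":
        return "JPEG image", False
    if payload[:4] == b"%PDF":
        return "PDF document", False
    head = payload[:4096].lower()
    for marker in SCRIPT_MARKERS:
        if marker in head:
            return f"script text (contains {marker.decode()!r})", True
    return "unknown/other", False


def extract_embedded_files(data: bytes) -> list[EmbeddedFile]:
    """Find every FileDataStoreObject by its header GUID and classify its payload."""
    found = []
    for m in re.finditer(re.escape(FILE_DATA_HEADER), data):
        start = m.start()
        if start + HEADER_LEN > len(data):
            break
        (size,) = struct.unpack_from("<Q", data, start + 16)
        payload = data[start + HEADER_LEN: start + HEADER_LEN + size]
        if len(payload) != size:
            # Declared length runs past end of file: malformed, treat as hostile.
            kind, suspicious = "truncated object (cbLength exceeds file)", True
        else:
            kind, suspicious = classify(payload)
        found.append(EmbeddedFile(start, size, kind, suspicious))
    return found


def verdict(data: bytes) -> str:
    """'suspicious' if any embedded object warrants quarantine, else 'clean'."""
    return "suspicious" if any(f.suspicious for f in extract_embedded_files(data)) else "clean"


def build_one_section(payloads: list[bytes]) -> bytes:
    """Constructed test fixture: a fake section prefix followed by one object per payload."""
    out = bytearray(b"\x00" * 64)  # stand-in for the real section header
    for p in payloads:
        out += FILE_DATA_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12
        out += p + b"\x00" * ((-len(p)) % 8) + FILE_DATA_FOOTER
    return bytes(out)


# Constructed sample: a tiny PNG-like blob plus a harmless batch stub (no real malware).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
BATCH_STUB = b'@echo off\r\npowershell -NoProfile -Command "Write-Host stub"\r\n'
SAMPLE = build_one_section([PNG_STUB, BATCH_STUB])

if __name__ == "__main__":
    for f in extract_embedded_files(SAMPLE):
        print(f"offset={f.offset:#06x} size={f.size:<6} {f.kind:<45} suspicious={f.suspicious}")
    print("verdict:", verdict(SAMPLE))
```

The GUID search is deliberately independent of the rest of the OneNote object model, so it still works on partially corrupt or padded files, which is what an attachment filter needs; pair it with an allow-list of payload types rather than a block-list if you want to fail closed.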
Microsoft Outlook Elevation of Privilege Vulnerability
CVE-2023-23397 is a critical elevation-of-privilege/authentication-bypass vulnerability in Outlook. It affects all versions of Outlook for Windows, was given a 9.8 CVSS rating and is one of two zero-day exploits disclosed on March 14.
WordPress Elementor Pro Plugin Vulnerability
A researcher at NinTechNet has discovered a high-severity vulnerability in the popular Elementor Pro WordPress plugin, which is used by over eleven million websites. The flaw, which affects v3.11.6 and all versions prior to it, enables authenticated users, such as site members or customers of online stores, to alter the settings of the website and potentially take full control of it.
According to the WordPress security company PatchStack, hackers are currently actively taking advantage of this Elementor Pro plugin vulnerability to redirect users to hackers’ sites (“away[.]trackersline[.]com”) or upload backdoors to the compromised site.
Elementor Pro users must immediately update to version 3.11.7 or later (the most recent version is 3.12.0), since hackers are still focusing on unpatched websites.
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services
A new toolset called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials, API keys and authentication secrets from popular cloud service providers.
The toolset targets common misconfigurations in web hosting frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop and WordPress in order to gather credentials for AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, SendGrid, Twilio, Zimbra and Zoho.
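The practical defence against a harvester like this is to find the framework configuration files on your own servers that hold cloud or mail credentials and make sure they are neither world-readable nor left in a web-served directory. As an added example (not from the bulletin and not AlienFox code), the Python below audits a web root for such files, checks their permission bits and looks for credential-shaped values. The file names per framework are my assumptions about where each listed framework keeps its settings; the demo web root is constructed in a temporary directory and uses AWS's published placeholder keys, not real secrets.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed config file name -> framework (my mapping, not from the bulletin).
CONFIG_FILES = {
    ".env": "Laravel",
    "wp-config.php": "WordPress",
    "configuration.php": "Joomla",
    "settings.php": "Drupal",
    "env.php": "Magento",
    "config.php": "OpenCart",
    "parameters.php": "PrestaShop",
}

# Credential-shaped content; kept simple and readable rather than exhaustive.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "SendGrid API key": re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b"),
    "generic secret assignment": re.compile(
        r"(?i)(password|passwd|secret|key|token)\W{1,5}([^\s'\",;)]{8,})"),
}


@dataclass
class Finding:
    path: str               # relative to the audited root
    framework: str
    world_readable: bool    # 'other' read bit set on the file
    secret_kinds: list[str]  # which patterns matched inside the file


def audit_webroot(root: str) -> list[Finding]:
    """Walk the tree, report every known config file with its exposure details."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()
        for name in sorted(filenames):
            if name not in CONFIG_FILES:
                continue
            path = Path(dirpath) / name
            mode = path.stat().st_mode
            text = path.read_text(errors="replace")
            kinds = [k for k, rx in SECRET_PATTERNS.items() if rx.search(text)]
            findings.append(Finding(
                path=path.relative_to(root_path).as_posix(),
                framework=CONFIG_FILES[name],
                world_readable=bool(mode & stat.S_IROTH),
                secret_kinds=kinds,
            ))
    return findings


def priority_findings(findings: list[Finding]) -> list[Finding]:
    """Files that both hold secrets and are readable by any local account."""
    return [f for f in findings if f.world_readable and f.secret_kinds]


def build_demo_webroot() -> str:
    """Constructed fixture: two framework installs, one exposed, one locked down."""
    root = tempfile.mkdtemp(prefix="webroot-")
    laravel = Path(root, "laravel"); laravel.mkdir()
    env = laravel / ".env"
    env.write_text(
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"            # AWS docs placeholder
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    os.chmod(env, 0o644)                                      # world-readable: the problem
    wp = Path(root, "blog"); wp.mkdir()
    cfg = wp / "wp-config.php"
    cfg.write_text("<?php\ndefine( 'DB_PASSWORD', 'hunter2-hunter2' );\n")
    os.chmod(cfg, 0o600)                                      # owner-only: acceptable
    Path(root, "static").mkdir()
    Path(root, "static", "index.html").write_text("<html></html>\n")
    return root


if __name__ == "__main__":
    results = audit_webroot(build_demo_webroot())
    for f in results:
        print(f"{f.path:<22} {f.framework:<10} world_readable={f.world_readable!s:<5} {f.secret_kinds}")
    print("act on:", [f.path for f in priority_findings(results)])
```

Run it against each document root as the same unprivileged user the web server uses; anything in the priority list is a credential that a single exposed file read hands to a harvester, so rotate the key as well as fixing the permissions.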
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.