DigitalXRAID

Threat Pulse – September 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available. 

CISA Adds Synacor, Microsoft, and Qualcomm Vulnerabilities to Exploited List 

Four critical vulnerabilities, including one with the highest severity rating, were added to CISA's Known Exploited Vulnerabilities catalogue.

The CVEs are:

- CVE-2024-43047
- CVE-2024-43572
- CVE-2024-43573
- CVE-2024-45519

These flaws threaten widely used platforms like Zimbra, Microsoft Windows, and Qualcomm chipsets, exposing them to code execution and data theft.  

With phishing attacks and commercial spyware actively exploiting these weaknesses, immediate patching is essential to prevent widespread damage to critical communication and device management systems.  

LemonDuck Malware Exploiting SMB Vulnerabilities 

LemonDuck malware has evolved into a versatile threat, targeting both Windows and Linux systems.  

It exploits SMB vulnerabilities, particularly EternalBlue, to gain network access.  

The malware uses brute-force attacks, creates hidden administrative shares, and executes malicious actions via batch files and PowerShell scripts. It ensures persistence through scheduled tasks, disables Windows Defender, and employs anti-detection mechanisms.  

The attack includes cryptomining, system compromise, and lateral movement. LemonDuck disguises itself as legitimate system services, manipulates firewall settings, and uses base64 encoding for obfuscation. It also utilises Mimikatz for credential theft and employs multiple techniques for stealth and repeated execution.  
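A defender-side illustration of the behaviours listed above, added here as an example and not DigitalXRAID's or any vendor's detection content: it tags constructed process-creation command lines for the scheduled-task persistence, Defender tampering, hidden administrative shares, firewall changes and base64-encoded PowerShell described, and decodes the encoded payload so the obfuscation does not hide the underlying action. Host names, command lines and rule patterns are all constructed for the example.

```python
import base64
import re

# One rule per behaviour described above; the patterns are constructed for this
# example and are a starting point, not DigitalXRAID's own detection content.
RULES = {
    "persistence_scheduled_task": re.compile(r"\bschtasks(?:\.exe)?\b.*?/create", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion", re.I),
    "hidden_admin_share": re.compile(r"\bnet(?:\.exe)?\s+share\s+\S+\$=", re.I),
    "firewall_manipulation": re.compile(r"\bnetsh(?:\.exe)?\b.*?\badvfirewall\b", re.I),
    "encoded_powershell": re.compile(r"\s-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{16,}", re.I),
}
ENC_ARG = re.compile(r"\s-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Plaintext behind a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(cmdline):
    """Sorted behaviours one command line exhibits; the decoded payload is scanned
    too, so base64 obfuscation does not hide the underlying action."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return sorted({name for name, rx in RULES.items() if any(rx.search(t) for t in texts)})

def scan(events):
    """Hosts showing two or more distinct behaviours: any single one also occurs
    in legitimate admin work, so the combination is what merits escalation."""
    per_host = {}
    for host, cmdline in events:
        for tag in classify_event(cmdline):
            per_host.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= 2}

# Constructed sample telemetry (host, command line); the encoded task action decodes to a Defender exclusion.
_ENC = base64.b64encode("Add-MpPreference -ExclusionPath C:\\ProgramData".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("ws01", f'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "powershell -enc {_ENC}"'),
    ("ws01", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws02", r"net.exe share admin$=C:\Windows"),
    ("ws03", r"notepad.exe C:\Users\bob\notes.txt"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only ws01, where the persistence, obfuscation and Defender-tampering behaviours coincide.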

Yoda Crypter 

A miscellaneous VirusTotal attack has been uncovered by security researchers. VirusTotal is a popular service that analyses suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners.

The malicious hash was found while researching a malicious Twitter template.  

Researchers found BorpaToken, a next-gen memecoin, attacking X Vercel servers. The attack has been seen to impact Azure, X.com, Google.com, YouTube, Android, Apple ID, and requests without a header, plus every version of any related link, such as a malicious x.com link that 'remotely' redirects to malicious Twitter templates with recognised names.

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 

A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca.  

This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors.  

KTLVdoor uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware’s capabilities include file operations, command execution, port scanning, and proxy functionality. 

Understanding Akira Ransomware 

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. Today it remains an active threat to businesses.

It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and operator overlaps.  

The ransomware uses various techniques for initial access, including compromised credentials and vulnerability exploitation. It performs reconnaissance and lateral movement, and employs tools for credential dumping and defence evasion. Akira exfiltrates data before encryption and destroys system backups. The ransomware uses the ChaCha algorithm for file encryption and creates a log file of its execution. It accepts command-line arguments to define its behaviour and uses the Windows Restart Manager APIs to terminate processes that hold files open.

Beware Of Fake Google Chrome Update That Delivers Malware 

Security researchers have observed an ongoing fake browser update campaign, mostly targeting France, that impersonates Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates. The fake update spreads WarmCookie malware via compromised websites. WarmCookie is Windows malware used to obtain system access through phishing operations.

Please warn staff, especially in France, to be more vigilant when update prompts appear. Consider an awareness communication reminding staff that manually downloading and executing an updater package is never part of a genuine update process and should be treated as a warning sign.

Mallox Ransomware Expands Targeting to Linux Systems 

A new variant of the Mallox ransomware, also known as TargetCompany or FARGO, has been developed to target both Windows and Linux systems, particularly MS-SQL servers and virtualised/cloud infrastructure, according to a security report published in the Guardian in September 2024. This is the first time the group has targeted Linux.

The ransomware is delivered through unsecured MS-SQL servers (Windows) and weak SSH configurations (Linux). 

To mitigate this new variant, organisations must ensure that staff training and awareness are up to date, especially around phishing and secure passwords. Keep systems, especially MS-SQL and Linux servers, updated with the latest security patches. 2FA/MFA and strong email security should be in place, and it is strongly recommended that an EDR/XDR solution is deployed to detect any attempted attacks.

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.
