SOS Intelligence Weekly News Round Up

Weekly News Round-up

16 – 22 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

  • CVE-2024-43461 (Microsoft Windows MSHTML Platform Spoofing)
    Exploited by the Void Banshee APT group, this vulnerability allowed them to spoof the MSHTML component in Windows, tricking users into opening files that appeared to be PDFs but were actually harmful HTA files. This exploit was used in a campaign to deploy the Atlantida infostealer, which targets sensitive information like passwords and cryptocurrency wallets.
  • CVE-2024-43491 (Microsoft Windows Update Remote Code Execution)
    This flaw in Windows Update was actively exploited by UNC2452, also known as Nobelium, the group behind the SolarWinds attack. The group used this vulnerability to roll back patched security updates, targeting legacy systems to gain access to compromised environments.
  • CVE-2024-29847 (Ivanti Endpoint Manager Remote Code Execution)
    This critical vulnerability (CVSS 10.0) was leveraged by FIN11, a financially motivated group known for ransomware campaigns. By exploiting this unauthenticated RCE flaw, attackers gained complete control over enterprise networks, deploying ransomware in corporate and government systems.
  • CVE-2024-38217 (Windows Mark of the Web Security Feature Bypass)
    Exploited by APT29 (also known as Cozy Bear), this vulnerability allowed attackers to bypass security measures by tricking users into opening specially crafted files. This vulnerability was part of a broader campaign targeting government entities.

Ransomware Activity

Over the past week, we’ve captured 73 ransomware incidents, affecting victims in 22 countries across 16 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

  • Ransomware groups are evolving their techniques by shifting away from traditional malware use. Instead, attackers now focus on exploiting known vulnerabilities in publicly accessible applications. Many of these attacks rely on legitimate software tools, such as PowerShell and Windows Management Instrumentation (WMI), as part of a “living off the land” strategy. This allows them to avoid detection by using tools already present in the target’s environment. Moreover, encryption-free attacks are becoming more prevalent, where attackers steal data to extort companies without encrypting files, simplifying their operations and reducing the chance of detection. Another notable trend is the continued targeting of newly patched systems, where attackers exploit vulnerabilities soon after patches are released

Emerging Threat Actors:

  • DarkWolf: A new ransomware group identified, targeting sectors in finance and healthcare across Europe. Early analysis suggests they have adopted similar strategies to BlackCat with a focus on data exfiltration and precise targeting of vulnerable networks.
  • StellarCrypt: This group has been observed leveraging a combination of phishing and social engineering to breach systems. Active primarily in the education sector, their operational maturity appears to be increasing, showing signs of evolving into a more structured threat.
  • VoidSpider: A splinter group of LockBit affiliates has emerged, conducting high-speed encryption attacks with modified tools. Their attacks appear opportunistic but have shown strong preference for remote desktop protocol (RDP) vulnerabilities.

Key Ransomware Incidents:

  • German authorities have seized 47 cryptocurrency exchange services that facilitated illegal money laundering for cybercriminals, including ransomware gangs. These platforms allowed users to exchange cryptocurrencies anonymously by bypassing “Know Your Customer” regulations, creating a safe environment for laundering criminal proceeds. The Federal Criminal Police Office (BKA) highlighted that such services are crucial to cybercrime operations, aiding groups like ransomware operators and darknet dealers. Following the operation, titled “Final Exchange,” visitors to the seized sites are redirected to a warning page revealing that the authorities now possess their transaction and user data. Although no arrests have yet been made, future investigations are expected to lead to the prosecution of cybercriminals, while the operators of the exchanges face charges under German law that could result in lengthy prison sentences.
  • Microsoft has reported that the ransomware group Vanilla Tempest, previously known as Vice Society, is now targeting U.S. healthcare organizations with INC ransomware attacks. Active since 2021, Vanilla Tempest has previously attacked sectors like education and IT, using various ransomware strains. Their recent attack on the U.S. healthcare sector involved gaining access via the Gootloader malware, then deploying INC ransomware across the victim’s network. This follows a similar ransomware attack on Michigan’s McLaren Health Care, which disrupted IT systems and patient databases. In May 2024, INC ransomware’s source code was advertised for sale on hacking forums, increasing concerns about its spread.
  • Ransomware groups like BianLian and Rhysida are increasingly using Microsoft’s Azure Storage Explorer and AzCopy tools to exfiltrate data from compromised networks and store it in Azure Blob storage. These tools, designed for managing and transferring large-scale data in Azure, allow cybercriminals to upload stolen data to the cloud, which they can later transfer to their own storage. Azure’s trusted enterprise status and scalability make it less likely to be blocked by corporate firewalls, enabling smoother data theft. Researchers from modePUSH observed attackers using multiple instances of Storage Explorer to speed up the process, with log files providing crucial evidence for incident responders. Security measures to mitigate such attacks include monitoring for AzCopy execution, unusual network traffic to Azure endpoints, and enforcing logout protocols to prevent active session misuse.
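The two behaviours singled out above, "living off the land" with PowerShell and WMI, and exfiltration with AzCopy or Azure Storage Explorer to blob storage, both leave traces in process-creation telemetry. The following is an added example (not SOS Intelligence's or modePUSH's tooling) of a small rule set run over constructed Sysmon-style process-creation events; hostnames, user names, paths and the storage account name are all made up, and the rule thresholds are assumptions.

```python
"""Rule-based triage of process-creation events for living-off-the-land
activity and AzCopy / Storage Explorer exfiltration to Azure Blob storage.
Example code added to this round-up; the events below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str
    dest_host: str = ""  # from a correlated network-connection event (constructed)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


# Constructed sample events; hosts, users and the storage account are illustrative.
SAMPLE_EVENTS = [
    Event("ws-17", r"CORP\jdoe", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event("ws-17", r"CORP\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic process call create "cmd.exe /c whoami"'),
    Event("srv-files", r"CORP\svc-backup", r"C:\Windows\System32\cmd.exe", r"C:\Tools\azcopy.exe",
          r'azcopy.exe copy "D:\Shares\Finance" "https://examplestorage.blob.core.windows.net/drop?sv=2022-11-02&sig=REDACTED" --recursive',
          "examplestorage.blob.core.windows.net"),
    Event("srv-files", r"CORP\svc-backup", r"C:\Windows\explorer.exe",
          r"C:\Users\svc-backup\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe",
          "StorageExplorer.exe", "examplestorage.blob.core.windows.net"),
    Event("ws-02", r"CORP\asmith", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
          "notepad.exe notes.txt"),
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LOLBINS = ("powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "rundll32.exe")
AZURE_TOOLS = ("azcopy.exe", "storageexplorer.exe")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
# Storage account names are lowercase letters and digits only
BLOB_HOST = re.compile(r"([a-z0-9]+)\.blob\.core\.windows\.net", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events, approved_storage_accounts=frozenset()):
    """Return one Alert per rule that fires on each event, in event order."""
    alerts = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: a script or WMI host launched directly by an Office application
        if image in LOLBINS and parent in OFFICE_PARENTS:
            alerts.append(Alert("office_spawns_lolbin", ev.host, f"{parent} -> {image}: {ev.command_line}"))
        # Rule 2: encoded or execution-policy-bypassing PowerShell
        if image in ("powershell.exe", "pwsh.exe") and (
                ENCODED_PS.search(ev.command_line) or "bypass" in ev.command_line.lower()):
            alerts.append(Alert("suspicious_powershell", ev.host, ev.command_line))
        # Rule 3: Azure bulk-transfer tooling executed at all (rare on most endpoints)
        if image in AZURE_TOOLS:
            alerts.append(Alert("azure_transfer_tool", ev.host, f"{ev.user} ran {image}"))
        # Rule 4: traffic to a blob storage account that is not on the approved list
        match = BLOB_HOST.search(ev.dest_host or ev.command_line)
        if match and match.group(1).lower() not in approved_storage_accounts:
            alerts.append(Alert("unapproved_blob_endpoint", ev.host, match.group(0)))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Rule 4 is the one that carries the most weight in practice: an organisation that legitimately backs up to its own storage accounts passes those names in `approved_storage_accounts`, and anything else going to `*.blob.core.windows.net` becomes a candidate for the exfiltration pattern described above.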

News Roundup

Microsoft Patches 79 Vulnerabilities, Including Four Zero-Days

In its September 2024 “Patch Tuesday,” Microsoft addressed 79 vulnerabilities, four of which were zero-day flaws under active exploitation. Notable among them is CVE-2024-38226, impacting Microsoft Publisher, allowing attackers to bypass macro security in untrusted files. Another critical vulnerability, CVE-2024-43491, targets Microsoft Windows Update, posing a remote code execution risk by exploiting previously mitigated vulnerabilities in Windows 10. These patches are crucial as they cover a wide range of issues, including privilege escalation (CVE-2024-38014) and bypassing the “Mark of the Web” protection (CVE-2024-38217).

While Microsoft continues its efforts to secure its software, these zero-day vulnerabilities underscore the persistent threat to enterprises. Security experts emphasize that timely application of these patches is critical to prevent exploitation by cybercriminals. This update also highlights the increasing sophistication of attackers, particularly in targeting essential business tools like Microsoft Office and Windows systems, putting sensitive data at risk.

PIXHELL: Data Exfiltration via LCD Screens

A new attack method named PIXHELL has been discovered, demonstrating how data can be stolen from air-gapped systems via LCD monitors. Researchers at Ben-Gurion University of the Negev devised a technique where malware modulates pixel patterns on LCD screens, generating sound frequencies that can be captured by nearby devices, such as smartphones. Though the data transfer rate is low at 20 bits per second, it poses a risk for exfiltrating sensitive information like passwords.

PIXHELL is part of a growing trend of side-channel attacks targeting systems that are isolated from external networks. Security experts advise that critical environments, particularly those handling highly sensitive data, implement strict access controls, including banning devices with microphones and introducing background noise to neutralize potential attacks.

Commercial Spyware Evades Global Sanctions

Commercial spyware, such as Pegasus and Predator, continues to be a pressing issue despite international sanctions. These tools are reportedly evolving to be harder to detect, enabling authoritarian regimes to deploy them against journalists and activists. Developers are circumventing regulations by renaming their companies and altering spyware to obscure the countries using them. Governments and civil society groups are increasingly calling for stricter oversight of the spyware industry, as these tools enable cyber-espionage on a global scale.

Avis Car Rental Cyberattack Affects 299,000 Customers

Avis, a major car rental service, disclosed a cyberattack in August 2024 that led to the theft of sensitive information from 299,006 customers. The stolen data includes names, contact details, credit card numbers, and driver’s license information. Avis has begun notifying affected individuals and is offering free credit monitoring for a year. The full scale of the attack is still under investigation, and there is potential for the number of affected customers to increase as more details emerge.

MC2 Data Leak Exposes Over 100 Million U.S. Citizens

A massive data breach involving MC2 Data, a background check service, exposed the personal records of over 100 million U.S. citizens. The unprotected database, discovered in September 2024, included names, Social Security numbers, and other personal details. This breach highlights the ongoing vulnerability of personal data held by third-party services, raising concerns about inadequate cybersecurity practices in sectors that handle sensitive information.


Weekly News Round Up

09 – 15 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

  1. Cisco ASA SSL VPN Vulnerability (CVE-2024-40200): This RCE vulnerability is being exploited by Chinese and Russian state-sponsored APTs to gain unauthorized access to sensitive data transmitted over SSL VPNs. Targets include government agencies and critical infrastructure, particularly in APAC, making it a priority for patching.
  2. Citrix Gateway RCE Vulnerability (CVE-2024-40321): Exploited by APT29 (Cozy Bear), this flaw allows unauthenticated remote code execution. The group has used it to gain persistent access to enterprise networks in attacks against multinational corporations and financial institutions, underscoring its rapid adoption by espionage actors.
  3. Sophos XG Firewall Vulnerability (CVE-2024-41107): Iranian-linked threat actors have exploited this to bypass security controls and gain footholds in MENA-region networks. This is part of broader espionage activities targeting government and defense organizations.
  4. Zimbra Collaboration Suite Vulnerability (CVE-2024-40998): APT28 (Fancy Bear) is actively exploiting this flaw to steal sensitive emails and credentials. Zimbra is widely used by universities and government agencies, making this CVE highly dangerous for academic and public sector institutions.

Key Takeaways:

  • Cisco ASA SSL VPN and Citrix Gateway vulnerabilities are seeing heavy exploitation in cyber-espionage campaigns, with state-sponsored actors using these flaws to target critical infrastructure and government agencies.
  • Sophos XG Firewalls and Zimbra Collaboration Suite vulnerabilities are being actively exploited by APT groups, focusing on data theft and long-term persistence within sensitive networks, particularly in the Middle East and academic sectors.

Ransomware Activity

Over the past week, we’ve captured 82 ransomware incidents, affecting victims in 23 countries across 24 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

  • Advanced EDR Evasion Techniques: Ransomware operators, particularly RansomHub, have been deploying sophisticated tools like Kaspersky’s TDSSKiller to bypass endpoint detection and response (EDR) systems. This reflects the growing use of Bring Your Own Vulnerable Driver (BYOVD) strategies, which are increasingly being employed to disable security measures before deploying ransomware.
  • Targeting Virtualized Infrastructures: Groups such as Storm-0506 and Manatee Tempest have turned their attention toward VMware ESXi hypervisors, exploiting vulnerabilities like CVE-2024-37085. This allows them to rapidly encrypt multiple virtual machines, expanding their attack surface by compromising critical server environments.

Emerging Threat Actors:

  • Helldown: A newly surfaced group, Helldown, made its mark by listing 17 victims on its leak site in a short period, indicating it may quickly become a more prominent player. Their focus has been on exploiting unpatched vulnerabilities to target a broad array of victims.
  • Manatee Tempest: This relatively new group has been gaining attention for its focused exploitation of ESXi vulnerabilities, joining the ranks of emerging ransomware gangs that prioritize attacks on virtualization technologies.

Key Ransomware Incidents:

  • Storm-0506 (Black Basta) Attack on Engineering Firm: Storm-0506 conducted a high-profile attack against a North American engineering firm, exploiting CVE-2023-28252 (a Windows CLFS vulnerability). The group leveraged advanced credential-stealing tools like Cobalt Strike and Pypykatz to compromise administrative accounts and encrypt virtual machines, causing widespread operational disruption.
  • Meow Ransomware Group Resurgence: The Meow ransomware group has shifted its focus from Russian targets to U.S. entities, marking a resurgence in its activity. Using Conti’s leaked ransomware code, Meow has been increasingly active, showing adaptability in its targeting strategy and operational methods.

News Roundup

Payment Provider Breach Exposes Credit Card Data

On September 10th, 2024, payment provider Slim CD disclosed a significant data breach affecting 1.7 million users. The breach resulted in the exposure of sensitive credit card information, raising concerns about customer financial security. Slim CD reported the breach promptly, triggering investigations into how the attackers were able to bypass existing defences. The company is urging affected customers to monitor their financial statements closely for any suspicious activity and is working with cybersecurity experts to fortify its systems.

Meta Scrapes User Data to Train AI

On September 12th, 2024, Meta (formerly Facebook) admitted to scraping user data, including images and posts, from Australian profiles to train its AI models. Worryingly, this data collection also included content from minors featured on adult profiles, prompting privacy concerns. Australian regulators and privacy advocates have voiced concerns about the scope of Meta’s data-gathering efforts and the lack of transparency. The incident has reignited debates on data privacy and the ethical use of personal information in AI training.

RansomHub: A New Threat in Ransomware

US authorities issued a joint advisory on the growing threat of RansomHub, a ransomware-as-a-service group that has gained prominence throughout 2024. Formerly known as Cyclops and Knight, the group has attacked over 200 organisations since February 2024, targeting critical sectors such as water, manufacturing, and government services. Authorities recommend organisations implement multi-factor authentication and enhance phishing detection to defend against this rapidly evolving threat.

Zero-Day Vulnerabilities in Ivanti EPM

On September 11th, 2024, researchers revealed that critical vulnerabilities in Ivanti Endpoint Manager (EPM) were being actively exploited in the wild. These zero-day flaws, rated CVSS 10, allow remote attackers to take full control of affected systems. Ivanti has urged organisations to apply patches immediately to mitigate the risk of exploitation. The vulnerabilities have been leveraged by both criminal groups and nation-state actors, targeting critical industries such as healthcare, government, and energy.

AppleCare+ Scam Exposed

A new scam surfaced on September 13th, 2024, where attackers used GitHub repositories to create fake AppleCare+ websites, tricking users into providing personal and financial information. The scam involved impersonating legitimate Apple services, offering fraudulent tech support and extended warranties. Security experts warn that this technique, leveraging trusted platforms like GitHub, represents an evolution in phishing tactics. Users are advised to verify the legitimacy of any unsolicited AppleCare+ communications and avoid clicking on suspicious links.


Weekly News Roundup

02 – 08 September 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

New Malware Exploits Google Sheets for Data Theft and Control

In August 2024, cybersecurity researchers at Proofpoint discovered a novel malware campaign, nicknamed “Voldemort,” that exploits Google Sheets for storing and transmitting stolen data. This backdoor malware takes advantage of Google Sheets’ trusted status to mask its malicious activities, including issuing commands and exfiltrating data. The threat actor also used various common techniques, such as Cobalt Strike payloads and Windows LNK files, to deploy additional malicious scripts, particularly targeting systems using the C programming language.

The attack began intensifying on 5 August 2024, affecting over 70 organisations with more than 20,000 malicious messages. Users were redirected to malicious URLs and download pages, where files disguised as PDFs would activate the malware. Once deployed, Voldemort would gather system information and download additional malware from Google Sheets, further spreading within the compromised network. The malware’s sophisticated use of Google’s APIs allowed it to covertly interact with infected machines, creating unique pages within Google Sheets for each victim, which stored stolen data.

Researchers noted that while the malware’s impact was significant, many of the infections occurred within sandbox environments or were targeted at security researchers. Despite this, the actor behind Voldemort remains unidentified, though they are suspected to be an Advanced Persistent Threat (APT) group focused on intelligence gathering. The use of Google Sheets for command and control highlights the increasing complexity of cyberattacks, as cybercriminals find new ways to exploit trusted platforms to bypass detection.

Hacktivist Group Head Mare Exploits WinRAR Vulnerability in Targeted Cyber Attacks

The hacktivist group “Head Mare” has been exploiting a vulnerability in WinRAR, a popular file compression utility, to launch attacks on both Windows and Linux systems. Known as CVE-2023-38831, this flaw allows the group to execute arbitrary code through malicious archive files, enabling them to infiltrate systems and encrypt files. Active since the Russo-Ukrainian conflict, Head Mare primarily targets organizations in Russia and Belarus, aiming to cause significant disruption through sophisticated malware and ransomware attacks.

Head Mare’s toolkit includes a mix of widely available software and custom-developed malware, such as LockBit and Babuk ransomware for encryption, and PhantomDL and PhantomCore for system access and exploitation. Their methods involve phishing campaigns that distribute malicious archives, exploiting the WinRAR vulnerability to gain initial access. Once inside, the group maintains persistence by modifying the Windows registry and creating scheduled tasks. They also demand ransoms for data decryption, adding a financial motive to their politically driven attacks.

The group’s infrastructure is highly advanced, using VPS servers and tools like ngrok for network pivoting and command-and-control (C2) communication. Head Mare employs various evasion techniques, including obfuscating their malware and disguising it as legitimate software. Their activities, which exploit the CVE-2023-38831 vulnerability, emphasise the growing complexity of cyber threats linked to geopolitical conflicts. Organisations in affected regions are urged to patch vulnerabilities and strengthen defences against phishing attacks to mitigate these risks.

Electric Vehicle Owners Targeted by Quishing Attacks via Charging Stations

Electric vehicle (EV) owners are being warned about the rise of “quishing” attacks at charging stations. These attacks involve cybercriminals using fraudulent QR codes to deceive drivers into visiting malicious websites or providing sensitive information. As QR codes become increasingly common for payment and activation at public charging stations, scammers exploit this trust by placing fake QR code stickers over legitimate ones. When unsuspecting users scan these codes, they are redirected to fake payment portals, where their personal data or payment details may be stolen.

The consequences of these attacks can be severe, including financial losses and the installation of malware on users’ devices. Cybersecurity experts warn that as vehicles become more connected, quishing attacks may also evolve to target cars themselves. To protect against these scams, EV owners are advised to inspect charging stations for tampering, use official charging apps, avoid entering payment information on unfamiliar websites, and keep their devices up to date with the latest security software.

Charging station operators are responding to the threat by enhancing security measures, such as using tamper-evident QR codes and increasing inspections. Experts stress the importance of staying informed about these emerging threats, as the expanding EV market presents new opportunities for cybercriminals. With awareness and caution, drivers can enjoy the benefits of electric mobility while protecting themselves from evolving scams like quishing.

Cisco Meraki Systems Manager for Windows Vulnerability Allows Privilege Escalation

Cisco has issued a critical security advisory regarding a vulnerability in the Cisco Meraki Systems Manager (SM) Agent for Windows, identified as CVE-2024-20430. This flaw allows authenticated local attackers to execute arbitrary code with elevated privileges, potentially gaining SYSTEM-level access. With a CVSS score of 7.3, this high-severity vulnerability presents a significant risk to affected systems and requires immediate action. The vulnerability stems from improper handling of directory search paths at runtime, enabling attackers to exploit the system by placing malicious configuration and DLL files.

There are no workarounds for this vulnerability, but Cisco has released software updates that address the issue. Users are strongly advised to upgrade to Cisco Meraki SM Agent for Windows Release 4.2.0 or later. The Cisco Meraki SM Agent for Mac is not affected. Customers can download the updates through the Meraki Dashboard, provided they have a valid license. Systems configured to automatically update will receive the patch to mitigate the risk.

While there have been no reported public exploitations of the vulnerability, Cisco urges users to stay vigilant by consulting the Cisco Security Advisories page for updates and ensuring that their systems are running the latest software versions. Cisco’s proactive approach in addressing this issue underscores the importance of maintaining strong security practices to safeguard against emerging cyber threats.


Weekly News Round Up

26 August – 01 September 2024

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Iran State-Sponsored Hackers Using Fake Job Offers

Mandiant recently uncovered a sophisticated cyber espionage campaign led by Iranian state-sponsored hackers, targeting potential recruits from foreign intelligence services, particularly in Israel. Running from 2017 until March 2024, the operation involved over 35 fake recruitment websites in Farsi, designed to attract individuals with expertise in cybersecurity and intelligence.

These sites systematically collected personal, professional, and educational information, aiming to identify and recruit individuals for human intelligence (HUMINT) purposes. The campaign, associated with APT42, an Iranian group linked to the IRGC, also extended its focus to Arabic-speaking intelligence communities in Syria and Lebanon.

The fake websites, which mimicked legitimate HR agencies, used social engineering tactics to lure targets by presenting job opportunities related to Israel. The sites featured Israeli-related imagery and branding, with links disseminated via social media platforms like Twitter and Telegram. Mandiant’s investigation also revealed connections to Iranian software developers and exposed the use of command and control structures within the fraudulent recruitment platforms.

This campaign highlights Iran’s ongoing efforts to bolster its intelligence capabilities by targeting skilled individuals, using deceptive online methods to gather critical information.

Repeated Use of iOS and Chrome Exploits by State-Sponsored Hackers

Google’s Threat Analysis Group (TAG) has uncovered multiple sophisticated cyber campaigns targeting Mongolian government websites between November 2023 and July 2024. These campaigns involved watering hole attacks, where the compromised websites, such as cabinet.gov.mn and mfa.gov.mn, delivered malicious payloads to unsuspecting visitors. Initially, the attacks focused on iOS devices by exploiting a WebKit vulnerability in versions older than 16.6.1, before shifting to Android users with a Chrome exploit chain targeting versions m121 to m123.

Despite available patches, these n-day vulnerabilities remained unaddressed on some devices, leaving them exposed to these attacks.

TAG attributes these campaigns to APT29, a Russian government-backed group, known for using tactics similar to those employed by commercial surveillance vendors like Intellexa and NSO Group. The attacks primarily aimed to steal authentication cookies from targeted websites, using advanced techniques such as creating websockets linked to attacker-controlled IPs and bypassing Chrome’s Site Isolation feature.

Google has informed the relevant tech companies and the Mongolian CERT about the breaches, adding the malicious domains to Safe Browsing to protect users. This incident underscores the ongoing threat of watering hole attacks and highlights the critical need for timely application of security patches to defend against such exploits.

RansomHub Exploiting RDP Services for Large-Scale Data Exfiltration

RansomHub, a Ransomware-as-a-Service (RaaS) group, has been exploiting Remote Desktop Protocol (RDP) services to exfiltrate significant volumes of data from targeted organisations. Operating with a double extortion model, RansomHub encrypts files and steals sensitive data, primarily targeting entities in the United States, United Kingdom, Spain, France, and Italy, with a focus on sectors such as healthcare, finance, and government.

Despite not being highly advanced, the group effectively uses dual-use tools for network propagation and command-and-control through remote monitoring and management, demanding substantial ransoms—reportedly up to $50 million in some cases.

RansomHub’s operations began in February 2024, emerging on the dark web forum ‘RAMP’ under the alias “Koley.” They offer affiliates a 90-10 profit share and utilise a sophisticated ransomware written in Golang, capable of running on Windows, Linux, and ESXi systems. The group’s attack strategy often involves compromising domain admin accounts via tools like LummaC2, followed by network discovery and lateral movement using tools such as Netscan and PsExec. Before encrypting files, data is typically exfiltrated to cloud storage services like Mega.

Researchers have urged organisations to enhance their security measures, particularly around access controls and incident response, to mitigate the risks posed by such sophisticated RaaS operations.

Hackers Exploit GitHub to Spread Lumma Stealer Malware

Cybersecurity analysts at Gen Digital have uncovered a concerning trend where threat actors are using GitHub to distribute the Lumma Stealer, a sophisticated information-stealing malware. Lumma is designed to exfiltrate sensitive data such as login credentials, financial information, and cryptocurrency wallets from compromised systems. As a Malware-as-a-Service (MaaS) tool, it is actively promoted through GitHub repositories, making it accessible to a wide range of cybercriminals.

Lumma Stealer’s developers are employing new tactics, such as abusing session cookies during Google account logins, and continuously updating comments on GitHub to include links to malicious files hosted on platforms like Mediafire. These comments, often difficult to remove in time, lead to encrypted archives containing the malware.

Cybercriminals are also using platforms like YouTube and Dropbox to distribute Lumma Stealer under the guise of fake tutorials or cracked software, targeting users seeking free alternatives. The increasing sophistication of these attacks, including the potential use of generative AI for crafting convincing messages, poses a significant challenge for cybersecurity efforts.

Critical Dell BIOS Flaw Could Allow Hackers to Execute Arbitrary Code

A critical vulnerability, identified as CVE-2024-39584, has been discovered in the Dell Client Platform BIOS, posing a significant security risk to affected systems. This flaw, classified as a “Use of Default Cryptographic Key” vulnerability, has a CVSS base score of 8.2, reflecting its high potential impact. If exploited, a high-privileged attacker with local access could bypass Secure Boot and execute arbitrary code, leading to a complete system compromise, affecting the system’s confidentiality, integrity, and availability.

Dell has responded by releasing BIOS updates for several affected products, including various Alienware models. Users are strongly urged to update their BIOS to the remediated versions, released on August 27 and 28, 2024, to protect against potential exploitation.

No alternative workarounds are currently available, making these updates crucial for maintaining system security. Dell has credited the BINARLY Research team for identifying this vulnerability and advises users to regularly check for and apply security patches to safeguard their systems.


Weekly News Round Up

19 – 25 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Emergence of New Stealer Malware: QWERTY & Styx

A new strain of malware, named “QWERTY Info Stealer,” has been identified as a significant threat to Windows systems, utilising advanced anti-debugging techniques and data exfiltration capabilities. Hosted on the domain mailservicess[.]com, the malware is designed to evade detection, making it particularly dangerous for both individuals and organisations. Discovered on a Linux-based server in Frankfurt, Germany, the malware is distributed via the URL hxxps://mailservicess[.]com/res/data/i.exe.

QWERTY Info Stealer employs multiple anti-debugging strategies, such as using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(), and the lesser-known __CheckForDebuggerJustMyCode function. These techniques enable the malware to terminate if it detects a debugging environment, complicating efforts by security researchers to analyse its behaviour. After bypassing these checks, the malware begins collecting data, including system information and browser data, which it stores in specific directories on the infected system. It then communicates with Command and Control (C2) servers, downloading additional payloads and exfiltrating data using HTTP POST requests, underlining its sophistication and the ongoing threat it poses to cybersecurity.
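The write-up quotes its indicators in defanged form (hxxps://, [.]) so they cannot be clicked by accident, which means they have to be refanged before they can be matched against logs, and defanged again before they go back into a report. The following added example (not SOS Intelligence's or the original researchers' code) does both, then scans constructed proxy log lines for the QWERTY distribution URL and domain, treating POST requests to the C2 host separately because the report describes exfiltration over HTTP POST. The proxy log format and client addresses are made up.

```python
"""Refang/defang indicators and match them against proxy log lines.
Example code added to this round-up; the log lines are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators exactly as printed in the report above (defanged).
DEFANGED_IOCS = [
    "hxxps://mailservicess[.]com/res/data/i.exe",
    "mailservicess[.]com",
]

# Constructed Squid-style log: timestamp client method url status bytes
SAMPLE_PROXY_LOG = """\
1724770001.123 10.20.3.41 GET https://www.example.org/index.html 200 5120
1724770002.456 10.20.3.41 GET https://mailservicess.com/res/data/i.exe 200 418304
1724770031.789 10.20.3.41 POST https://mailservicess.com/api/upload 200 91234
1724770044.012 10.20.7.9 GET https://cdn.mailservicess.com/x 200 120
1724770050.333 10.20.5.2 GET https://notmailservicess.com/ 200 88
"""

_REFANG_RULES = [
    (re.compile(r"\bhxxps?(?=://)", re.IGNORECASE), lambda m: m.group(0).lower().replace("xx", "tt")),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]|\(:\)"), ":"),
    (re.compile(r"\[@\]|\(@\)"), "@"),
]


def refang(ioc: str) -> str:
    """Turn a defanged URL or domain back into its real form."""
    out = ioc.strip()
    for pattern, repl in _REFANG_RULES:
        out = pattern.sub(repl, out)
    return out


def defang(value: str) -> str:
    """Inverse of refang for safe reporting: scheme http -> hxxp, host dots -> [.]."""
    parts = urlsplit(value if "://" in value else "//" + value)
    host = parts.hostname or ""
    rebuilt = re.sub(re.escape(host), host.replace(".", "[.]"), value, count=1, flags=re.IGNORECASE)
    return re.sub(r"^https?", lambda m: m.group(0).replace("tt", "xx"), rebuilt, flags=re.IGNORECASE)


@dataclass
class Indicator:
    raw: str    # as printed in the report
    value: str  # refanged
    kind: str   # "url" or "domain"
    host: str


@dataclass
class Hit:
    client: str
    method: str
    url: str
    indicator: str
    match: str  # "exact_url" or "domain"


def load_indicators(defanged):
    """Classify each refanged indicator as a full URL or a bare domain."""
    out = []
    for raw in defanged:
        value = refang(raw)
        if "://" in value:
            out.append(Indicator(raw, value, "url", (urlsplit(value).hostname or "").lower()))
        else:
            out.append(Indicator(raw, value.lower(), "domain", value.lower()))
    return out


def scan(log_text: str, indicators):
    """Match each log line against every indicator; a domain indicator also covers subdomains."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip rather than crash
        _ts, client, method, url, _status, _size = fields[:6]
        host = (urlsplit(url).hostname or "").lower()
        for ind in indicators:
            if ind.kind == "url" and url == ind.value:
                hits.append(Hit(client, method, url, ind.raw, "exact_url"))
            elif ind.kind == "domain" and (host == ind.host or host.endswith("." + ind.host)):
                hits.append(Hit(client, method, url, ind.raw, "domain"))
    return hits


def exfil_candidates(hits):
    """Clients that POSTed to an indicator host: the HTTP POST exfiltration pattern."""
    return sorted({h.client for h in hits if h.method == "POST"})


if __name__ == "__main__":
    found = scan(SAMPLE_PROXY_LOG, load_indicators(DEFANGED_IOCS))
    for h in found:
        print(f"{h.client} {h.method} {defang(h.url)}  <- {h.indicator} ({h.match})")
    print("possible exfil from:", exfil_candidates(found))
```

Note that `notmailservicess.com` is deliberately not matched: the domain rule requires either an exact host match or a `.`-separated subdomain, which avoids the substring false positives a naive `in` check would produce.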

Cybersecurity researchers at Check Point have uncovered a new malware strain called “Styx Stealer,” designed to steal browser and instant messenger data. Emerging in April 2024 and based on the Phemedrone Stealer, Styx Stealer enhances its predecessor’s capabilities with features like crypto-clipping, real-time clipboard monitoring, and auto-start functionality. It targets Chromium and Gecko-based browsers to extract sensitive information such as passwords, cookies, and cryptocurrency wallet data, while also compromising Telegram and Discord sessions. The malware resists analysis by antivirus programs and sandboxes, making it a formidable tool for cybercriminals.

Styx Stealer was developed by a Turkish hacker known as “Sty1x,” who marketed it via Telegram, charging between $75 per month and $350 for unlimited access. An operational security lapse exposed the developer’s identity and connections with a Nigerian cybercriminal linked to an Agent Tesla campaign. This revelation highlighted the broader network of cybercriminals involved in various illicit activities, including targeting Chinese firms. Despite Sty1x’s efforts, there are no confirmed victims beyond the developer’s own systems and a few security sandboxes, suggesting that attempts to distribute Styx Stealer widely were largely unsuccessful.

New Phishing Attack Targets Android & iOS Users

A new phishing attack targeting both Android and iOS users has been discovered, combining traditional social engineering techniques with the use of Progressive Web Applications (PWAs) and WebAPKs. First identified in November 2023, the attack primarily targets clients of Czech banks, though cases have also been reported in Hungary and Georgia, indicating a wider spread. The attackers employ various delivery methods, such as automated voice calls, SMS messages, and social media ads, which often use official bank mascots and logos to lure victims to a phishing link mimicking a Google Play page. If accessed via a mobile device, the page prompts the installation of a phishing app disguised as a legitimate banking application.

This phishing app, installed as a PWA or WebAPK, is almost indistinguishable from the real banking app and leads victims to a fake login page that captures their banking credentials. The stolen information is then transmitted to the attackers’ Command and Control (C&C) servers, which are operated by two distinct groups: one uses a Telegram bot for real-time logging, the other a traditional C&C server. The attackers have evaded detection by frequently changing domains and launching new campaigns. To mitigate the risk, users should install banking apps only from the official store reached through the store app itself rather than through a link or an in-browser install prompt, verify the authenticity of downloads, and keep their devices updated with the latest security patches.

Linux Kernel Vulnerability

Researchers have identified a vulnerability in the Linux kernel’s dmam_free_coherent() function, the managed (devres) wrapper that frees a coherent DMA (Direct Memory Access) allocation and removes its tracking entry. DMA lets hardware devices transfer data directly to and from system memory without CPU involvement, so the buffers involved are shared with devices. The flaw is a race condition caused by an incorrect order of operations inside the function: the DMA allocation was released before its tracking entry was removed, which can result in the wrong entry being freed, incorrect memory access, data corruption, or a kernel crash.

The race window lies between the two calls. If a concurrent task allocates DMA memory and is handed the same virtual address before the original entry has been removed from the tracking list, the devres_destroy call that follows can match the wrong entry: the dmam_match comparison finds a matching address but a different size or DMA handle, trips its WARN_ON assertion, and the wrong tracking entry is freed. An attacker would have to time their operations to coincide with this freeing and reallocation, which is why the practical impact is mostly instability rather than a clean primitive.

To address the issue, tracked as CVE-2024-43856, Greg Kroah-Hartman committed a patch authored by Lance Richardson from Google that modifies dmam_free_coherent(). The patch swaps the order of the two calls so that the tracking entry is destroyed before the DMA allocation is freed, closing the window in which a new allocation could reuse the address. The patch was tested on Google’s internal network encryption project and has been approved for inclusion in the mainline Linux kernel. Exploiting this bug for arbitrary code execution would be complex and would likely require additional vulnerabilities or precise control over the target system.

Zero-day Vulnerability in Google Chrome

Google recently patched a high-severity zero-day vulnerability in its Chrome browser, CVE-2024-7971. The flaw, a type confusion issue in the V8 JavaScript engine, can be exploited to execute arbitrary code inside the renderer process; reaching the operating system from there normally requires chaining a separate sandbox escape. The vulnerability was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024, and was being exploited in the wild at the time. In response, Google quickly released updates to mitigate the risk, urging users to update their browsers to the latest version.

The latest Chrome update, version 128.0.6613.84/.85, addresses a total of 38 security vulnerabilities, including several high-severity issues. Among these are CVE-2024-7964, a use-after-free vulnerability in the Passwords component; CVE-2024-7965, an inappropriate implementation in the V8 engine; and CVE-2024-7966, an out-of-bounds memory access flaw in the Skia graphics library. Each of these vulnerabilities could allow attackers to execute arbitrary code, leading to serious security breaches or system compromises.

Users are strongly advised to update to the latest version of Google Chrome to ensure protection against these vulnerabilities. While Chrome generally updates automatically, users can manually check for updates via Settings > About Chrome. Additionally, those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest security updates as they become available. This patch highlights the need for vigilance and prompt action in the face of zero-day exploits in widely used software.

Chinese Hackers Exploiting Cisco Zero-day

A cyber espionage group known as Velvet Ant, linked to China, has been found exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches. The vulnerability, identified as CVE-2024-20399, was discovered by cybersecurity firm Sygnia during a forensic investigation and promptly reported to Cisco. The flaw, with a CVSS score of 6.0, allows an authenticated local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating system, because arguments passed to specific CLI commands are insufficiently validated. The modest score reflects the precondition: the attacker must already hold administrator credentials, so credential theft comes first, and the bug then lets them escape the restricted NX-OS CLI into a root shell whose activity the CLI’s own logging does not capture.

Velvet Ant exploited this vulnerability to install a custom malware, dubbed VELVETSHELL, on compromised Cisco Nexus devices. The malware, which combines elements of the TinyShell Unix backdoor and the 3proxy tool, enables attackers to execute arbitrary commands, upload and download files, and create tunnels to proxy network traffic. Sygnia’s investigation revealed that Velvet Ant has been operating for approximately three years, targeting inadequately protected network appliances like outdated F5 BIG-IP systems to maintain long-term access and steal sensitive information.

Cisco has released software updates to patch the vulnerability and strongly advises customers to apply them immediately. Experts warn that network appliances, especially switches, are often under-monitored, with logs rarely forwarded to centralised logging systems, making it difficult to detect and investigate such activity. To mitigate this threat, organisations are urged to apply Cisco’s updates, forward appliance logs and monitor them, rotate administrator credentials regularly, and adopt stringent access controls to prevent unauthorised administrative logins in the first place.

""/
SOS Intelligence Weekly News Round Up

Weekly News Round Up

12 – 18 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Hackers’ Toolkit Exposed

Cybersecurity researchers have uncovered an extensive hacker toolkit, revealing a sophisticated set of tools designed for various stages of cyberattacks. The toolkit, discovered in an open directory in December 2023, comprises a range of batch scripts and malware targeting both Windows and Linux systems. These tools illustrate the hackers’ ability to execute a variety of malicious activities, from initial system compromise to long-term control and data exfiltration.

Among the most significant tools found were PoshC2 and Sliver, two command and control (C2) frameworks commonly used by penetration testers but repurposed for malicious purposes. The toolkit also included custom scripts designed for defence evasion and system manipulation, such as those for removing remote management agents, deleting system backups, and erasing event logs. These components reflect the attackers’ intent to maintain persistent access while covering their tracks.

The discovery of this toolkit highlights the advanced methods used by modern cybercriminals and emphasises the need for robust cybersecurity measures. Experts recommend that organisations adopt comprehensive security strategies, including regular updates, employee training, and advanced threat detection, to protect against these sophisticated attacks. The presence of tools aimed at stopping services, deleting backups, and disabling antivirus software suggests that the toolkit was likely used in ransomware activities.

Critical Vulnerabilities in AWS Identified

Researchers from Aqua identified critical vulnerabilities in six Amazon Web Services (AWS) offerings: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. These vulnerabilities, varying in severity, posed significant risks such as remote code execution, service user takeover, AI module manipulation, data exposure, exfiltration, and denial of service (DoS) attacks, potentially affecting any organisation globally that utilised these services. Aqua introduced two key attack vectors, “Shadow Resource” and “Bucket Monopoly,” which exploit automatically generated AWS resources, like S3 buckets, created without explicit user commands. These techniques could allow attackers to execute code, steal data, or take over user accounts.

The vulnerabilities were reported to AWS between February and March 2024, with AWS confirming fixes for most by June 2024. However, a subsequent report indicated that the CloudFormation fix left users vulnerable to a DoS attack, prompting AWS to announce further work on this issue. By August 2024, the vulnerabilities and fixes were publicly discussed at prominent cybersecurity conferences, Black Hat USA and DEF CON 32. AWS’s response included adding random sequences to bucket names if a name conflict arose and planning the deprecation of CodeStar, which had been vulnerable but would no longer allow new projects.

One of the most critical vulnerabilities was in AWS Glue, where attackers could exploit predictable S3 bucket naming to inject malicious code into Glue jobs, leading to remote code execution. The attack works because an S3 bucket name is global across accounts: if a service has not yet created its bucket in a given region, an attacker can create a bucket of the expected name in their own account, and the service, or any policy that names the bucket without naming its owner, will use it. To mitigate these risks, organisations should scope policies to their own account (for example with the aws:ResourceAccount condition key), verify bucket ownership on access (for example with the ExpectedBucketOwner parameter on S3 API calls), and avoid predictable bucket names. While AWS has addressed these specific vulnerabilities, similar risks may exist in other services, underscoring the importance of following these practices wherever a service creates resources on your behalf.
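The account-scoping check described above, as an added example rather than code from Aqua or AWS. It statically audits IAM policy documents for S3 grants that lack the aws:ResourceAccount condition (a real IAM global condition key) and produces the corrected policy; the account id, bucket name and policies are constructed for illustration. Note that S3 bucket ARNs carry no account id, which is exactly why a Resource that names the bucket is not enough on its own.

```python
"""Static check for S3 grants that are not pinned to the owning account.
Added example, not Aqua's or AWS's code.  aws:ResourceAccount is a real
IAM condition key; ACCOUNT_ID, GLUE_BUCKET_ARN and WEAK_POLICY are
constructed for illustration."""

import json

ACCOUNT_ID = "111122223333"                                          # constructed
GLUE_BUCKET_ARN = "arn:aws:s3:::aws-glue-assets-111122223333-us-east-1"  # constructed name


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def grants_s3(stmt):
    """True if an Allow statement's Action covers any S3 call."""
    return stmt.get("Effect") == "Allow" and any(
        a == "*" or a.lower().startswith("s3:") for a in _as_list(stmt.get("Action"))
    )


def pinned_to_account(stmt, account_id):
    """True if the statement only applies to resources owned by account_id,
    i.e. it carries Condition.StringEquals.aws:ResourceAccount == account_id."""
    owners = _as_list(stmt.get("Condition", {}).get("StringEquals", {})
                      .get("aws:ResourceAccount"))
    return bool(owners) and all(o == account_id for o in owners)


def unpinned_s3_statements(policy, account_id):
    """Return the Sids (or positions) of S3 grants that lack the ownership
    condition; an empty list means the policy passes the check."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if grants_s3(stmt) and not pinned_to_account(stmt, account_id):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def pin_s3_statements(policy, account_id):
    """Return a deep copy of the policy with the ownership condition added
    to every S3 grant that lacks it (the corrected form of WEAK_POLICY)."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        if grants_s3(stmt) and not pinned_to_account(stmt, account_id):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:ResourceAccount"] = account_id
    return fixed


# Constructed policy of the weak kind.  The Resource names the bucket, but an
# S3 bucket ARN has no account component, so it matches a bucket of that
# name whoever owns it, including one an attacker pre-created in a region
# where the Glue assets bucket does not exist yet.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GlueAssets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": GLUE_BUCKET_ARN + "/*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": "logs:PutLogEvents", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("unpinned:", unpinned_s3_statements(WEAK_POLICY, ACCOUNT_ID))
    print(json.dumps(pin_s3_statements(WEAK_POLICY, ACCOUNT_ID), indent=2))
```

The static check catches the policy side; at runtime the same intent is expressed by passing ExpectedBucketOwner on each S3 call, so a request that lands on a bucket owned by another account fails instead of silently reading the attacker’s content.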

0-Click Vulnerability leading to RCE found in Outlook

Morphisec researchers have identified a critical vulnerability in Microsoft Outlook, labelled as CVE-2024-30103, which allows remote code execution when a malicious email is opened. This flaw builds on a previously discovered vulnerability, CVE-2024-21378, that exposed Outlook to remote code execution via synchronized form objects. The new vulnerability exploits weaknesses in the allow-listing mechanism, which fails to properly validate form server properties, enabling attackers to instantiate unauthorized custom forms.

The vulnerability hinges on how the Windows API function RegCreateKeyExA handles registry paths: it silently drops trailing backslashes, so a subkey name written with a trailing backslash opens the same key as the name without it. Outlook’s check compared the subkey name as written, which let an attacker register a form server under a spelling that slipped past the check while the registry resolved it to the key Outlook would later load. When a specially crafted email is opened, the form loads the attacker’s executable, giving arbitrary code execution within the Outlook process, with the data theft and unauthorised access that implies.

In response, Microsoft has issued a security update that revises the allow-listing matching algorithm: subkey names are now normalised by removing trailing backslashes before the exact match is performed, so the check and the registry agree on which key is meant. Microsoft has also strengthened its denylist to block remote code execution attempts that rely on subkey manipulation. The underlying lesson is general: a security check must operate on the same canonical form of a name that the system will actually use. Organisations should apply the update and keep auditing their systems, since further variants of this pattern are likely.
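The check-versus-canonicalisation mismatch described above, reduced to a runnable model. This is an added example, not Morphisec’s research code or Microsoft’s implementation: the in-memory registry stands in for RegCreateKeyExA’s trailing-backslash behaviour, and the deny-listed class name and DLL names are constructed for illustration.

```python
"""Canonicalise-before-check, modelled on the behaviour described for
CVE-2024-30103.  Added example, not Microsoft's or Morphisec's code; the
registry stand-in, the deny-list entry and the DLL names are constructed."""

# Constructed policy: form classes whose form servers must never be loaded.
DENYLIST = {"IPM.Note.Evil"}


class FakeRegistry:
    """Tiny stand-in for the registry.  Keys live under their canonical
    name, so a trailing backslash is dropped on create and on lookup, just
    as RegCreateKeyExA does."""

    def __init__(self):
        self.keys = {}

    @staticmethod
    def canonical(subkey: str) -> str:
        return subkey.rstrip("\\")

    def create_key(self, subkey: str, value: str) -> str:
        name = self.canonical(subkey)
        self.keys[name] = value
        return name

    def get(self, subkey: str):
        return self.keys.get(self.canonical(subkey))


def register_form_vulnerable(reg: FakeRegistry, subkey: str, dll: str) -> bool:
    """Check the name as written, then create the key.  A name with a
    trailing backslash is not in the deny-list as a string, so it is
    accepted, yet the registry lands it on the denied key."""
    if subkey in DENYLIST:
        return False
    reg.create_key(subkey, dll)
    return True


def register_form_fixed(reg: FakeRegistry, subkey: str, dll: str) -> bool:
    """Canonicalise the same way the registry does, then exact-match, so
    every spelling of a denied key is refused."""
    name = FakeRegistry.canonical(subkey)
    if name in DENYLIST:
        return False
    reg.create_key(name, dll)
    return True


if __name__ == "__main__":
    reg = FakeRegistry()
    print("plain name refused:", not register_form_vulnerable(reg, "IPM.Note.Evil", "evil.dll"))
    print("backslash variant accepted:", register_form_vulnerable(reg, "IPM.Note.Evil\\", "evil.dll"))
    print("registry now holds:", reg.get("IPM.Note.Evil"))
    print("fixed check refuses variant:", not register_form_fixed(FakeRegistry(), "IPM.Note.Evil\\", "evil.dll"))
```

The same pattern applies to any allow-list or deny-list keyed on a path or name: the comparison has to run on the string the underlying system will resolve, not on the string the caller supplied.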

APT42 targeting US Presidential Election

The Iranian government-backed cyber group APT42 has launched a phishing campaign targeting high-profile individuals connected to the U.S. presidential election, according to Google’s Threat Analysis Group (TAG). This sophisticated threat actor, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been focusing on individuals affiliated with both the Biden and Trump campaigns. The campaign is part of APT42’s broader efforts to support Iran’s political and military objectives through cyber espionage, with a notable focus on the U.S. and Israel, which together represent 60% of the group’s known targets.

APT42 employs a range of tactics in its phishing campaigns, including malware, phishing pages and malicious redirects, often hosted on popular services like Google Drive and OneDrive. The group is known for registering fake domains that closely resemble those of legitimate organisations, a tactic called typosquatting, to deceive its targets. Its phishing emails are designed to look credible and steer recipients to fake landing pages that harvest credentials; because the pages relay what the victim types, including one-time codes, in real time, they can defeat multi-factor authentication, which makes them particularly dangerous.

In response to these activities, Google has taken measures to secure compromised accounts and issued warnings to targeted individuals. They have also reported the malicious activities to law enforcement and are working with authorities to mitigate the threat. As the U.S. presidential election nears, the actions of APT42 highlight the ongoing risk of foreign interference, emphasizing the need for robust cybersecurity measures to protect democratic processes. High-risk individuals are advised to enhance their security, including enrolling in Google’s Advanced Protection Program.

Phishing Campaign masquerading as Google Safety Center

A sophisticated phishing campaign has been identified, where cybercriminals impersonate the Google Safety Centre to trick users into downloading a malicious file disguised as the Google Authenticator app. This attack threatens personal data by installing two types of malware, Latrodectus and ACR Stealer, on victims’ devices. Latrodectus allows attackers to remotely control the infected device, while ACR Stealer uses advanced techniques to obscure its command and control server, making it difficult for cybersecurity experts to trace and neutralize the threat.

What makes this campaign particularly concerning is the attackers’ use of advanced evasion techniques, which indicate a high level of sophistication and ongoing refinement of their methods. As cybercriminals continue to evolve, cybersecurity experts urge users to be cautious when receiving unsolicited emails or messages, especially those prompting software downloads. Verifying the authenticity of such communications and keeping software and security systems up to date are crucial steps in protecting against these increasingly sophisticated threats.


"SOS
SOS Intelligence Weekly News Round Up

Weekly News Round Up

5 – 11 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs.

News Roundup

Critical Vulnerabilities Found in OpenVPN

Microsoft researchers have identified several medium-severity vulnerabilities in OpenVPN, a widely used open-source VPN software across various industries, including IT, finance, and telecommunications. These vulnerabilities, present in versions before OpenVPN 2.6.10 and 2.5.10, can be exploited to achieve remote code execution (RCE) and local privilege escalation (LPE). This could allow attackers to gain full control over targeted devices, leading to potential data breaches, system compromises, and unauthorised access to sensitive information.

The vulnerabilities are specifically found in OpenVPN’s client-side architecture, involving the communication between the openvpn.exe process and the openvpnserv.exe service on Windows systems. Key vulnerabilities include:

  • CVE-2024-27459, a stack overflow vulnerability causing denial-of-service (DoS) and LPE;
  • CVE-2024-24974, an unauthorised access vulnerability;
  • CVE-2024-27903, a flaw in the plugin mechanism allowing RCE and LPE;
  • CVE-2024-1305, a memory overflow vulnerability in the Windows TAP driver causing DoS.

These vulnerabilities require user authentication and a deep understanding of OpenVPN’s operations to be exploited, potentially allowing attackers to chain them together for more sophisticated attacks.

In response, Microsoft reported these issues to OpenVPN in March 2024, leading to the release of patches in versions 2.6.10 and 2.5.10. OpenVPN users are strongly advised to apply updates to mitigate the risks. Additionally, users should implement security measures such as segregating OpenVPN clients from unauthorised users, enforcing strong authentication, limiting user access, and monitoring for unusual activity.

Record-breaking DDoS Attack

Akamai Technologies successfully mitigated one of its most extensive and sophisticated distributed denial-of-service (DDoS) attacks, which targeted a major financial services company in Israel. The attack, lasting nearly 24 hours from July 15, involved a globally distributed botnet that simultaneously targeted over 278 IP addresses using multiple methods, including UDP flood, DNS reflection, and PSH+ACK. During the peak of the attack, traffic ranged between 300 and 798 Gbps, with Akamai blocking approximately 419 terabytes of malicious traffic. This attack ranks as the sixth-largest DDoS peak traffic ever mitigated by Akamai Prolexic and underscores the growing trend of high-volume, sustained DDoS threats in the EMEA region.

The attack’s sophistication and intensity suggest a potentially state-backed threat actor, particularly given the geopolitical context and focus on Israel’s financial sector. The targeted institution had recently adopted Akamai’s Prolexic platform, which played a critical role in neutralising the threat, emphasising the need for robust, cloud-based DDoS protection solutions. Akamai cautions that organisations relying solely on on-premises mitigation or shared hosting provider defences may be vulnerable to such large-scale attacks. As DDoS threats continue to evolve, businesses must reassess their defences and invest in advanced, scalable security measures to safeguard against increasingly sophisticated attacks.

Kibana Vulnerability Leading to Remote Code Execution

Kibana, a widely used open-source data visualisation tool, has identified a critical security flaw, tracked as CVE-2024-37287, that could allow attackers to execute arbitrary code. This vulnerability has a CVSSv3 severity rating of 9.9, highlighting its critical nature. The flaw arises from a prototype pollution vulnerability, which can be exploited by attackers with access to Machine Learning (ML) and Alerting connector features, as well as write access to internal ML indices, posing significant security risks.

The vulnerability affects self-managed installations, Kibana instances running on Docker, Elastic Cloud, Elastic Cloud Enterprise (ECE) and Elastic Cloud on Kubernetes (ECK). In the containerised deployments (Docker, Elastic Cloud, ECE and ECK) the resulting Remote Code Execution (RCE) is confined to the Kibana container, with seccomp-bpf and AppArmor profiles in place to hinder further steps such as a container escape. A self-managed installation running directly on a host has no such boundary, and an attacker gains whatever the Kibana process itself can reach. Either way the flaw is rated critical, and immediate action is necessary to mitigate the risk.

To address this vulnerability, users are strongly advised to upgrade to Kibana versions 8.14.2 or 7.17.23, which include the necessary patches. This situation underscores the importance of timely software updates and robust security practices to protect systems from potential exploitation. Organisations using Kibana should prioritise upgrading to the latest versions and refer to official Kibana documentation and security advisories for detailed guidance.

Emerging Ransomware Variant Discovered Targeting Linux Machines

Symantec researchers have discovered a new Linux ransomware variant associated with a bilingual double-extortion ransomware group. This variant poses a significant threat by not only encrypting sensitive data but also exfiltrating it, allowing cybercriminals to demand ransom payments for both decryption and the protection of the stolen data. This double-extortion tactic greatly increases the potential damage to organisations, as the attackers gain additional leverage by threatening to leak the stolen information, making the attacks particularly dangerous across all industries.

The ransomware operates by depositing ransom notes in critical system directories and forcibly halting essential processes like PostgreSQL, MongoDB, MySQL, Apache2, Nginx, and PHP-FPM to ensure the attack’s success. The ransom note, written in both English and Spanish, warns victims that their files have been encrypted and exfiltrated, with decryption possible only through the attackers’ software. It further threatens to leak company data, including employee emails and customer databases, unless the victim contacts the attackers via the privacy-focused messaging app, ‘Session.’ Symantec has categorised this threat under Ransom.Gen and advises organisations to deploy comprehensive security solutions, maintain regular backups, train employees on cybersecurity awareness, and segment networks to mitigate the impact of such attacks.

New AMOS Mac Stealer Targets Apple Users via Fake Apps

A new variant of the AMOS Mac stealer is being distributed via a fake Loom website promoted through Google Ads, potentially linked to the Crazy Evil threat group. The malware targets Apple users by masquerading as trusted applications like Ledger Live, Figma and TunnelBlick, allowing it to steal sensitive data such as browser information, credentials, cryptocurrency, NFTs and DeFi assets. Because it is delivered outside the App Store under the names of legitimate apps, the store’s review offers no protection, and its ability to clone those apps poses a significant threat to users who rely on them.

Cybercriminals are increasingly targeting gamers, especially younger individuals, by using social engineering tactics like fraudulent job postings or fake rewards on gaming platforms. A recent discovery of a .dmg file linked to the popular MMORPG Black Desert Online highlights this trend, with the Crazy Evil group distributing a modified AMOS stealer capable of targeting macOS Ledger wallets. The group, linked to a recent campaign via darknet analysis, remains largely anonymous but may have ties to a Russian government-associated network.

The investigation into this campaign uncovered an IP address with strong malware ties, flagged by VirusTotal as malicious and linked to the Russian ISP Gesnet.ru, raising concerns about network-wide compromise. To protect against such threats, users are advised to exercise caution when downloading software, adhere strictly to official app stores, and remain vigilant, especially within online gaming communities. Continuous awareness and proactive security measures are crucial to safeguarding against the evolving threat of AMOS malware.

"Compromised
SOS Intelligence Weekly News Round Up

Weekly News Round-up

29 July – 4 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

News Roundup

Linux Servers Exposed to Data Exfiltration from TgRat

The TgRat trojan, first discovered in 2022, is now targeting Linux servers to steal data. Controlled via a private Telegram group, it can download files, take screenshots, execute commands remotely, and upload files. TgRat verifies the computer name’s hash upon startup and establishes a network connection if it matches, using Telegram to communicate with its control server.

Due to Telegram’s popularity and the anonymity it provides, TgRat’s use of it as a control mechanism makes detection difficult. Commands arrive through Telegram in RSA-encrypted form and are executed via the bash interpreter, and the trojan manages multiple bots using unique IDs.

This control mechanism complicates detection, since traffic to Telegram’s servers is common and can mask malicious activity. Installing antivirus software on all local network nodes is recommended to prevent infection. A server that has no business reason to talk to Telegram should also never resolve or connect to its API hosts, so outbound Telegram traffic from server subnets is a useful detection point in its own right.

Threat Actors Using Fake Authenticator Sites to Deliver Malware

Researchers from ANY RUN identified a malware campaign called DeerStealer, which uses fake websites mimicking legitimate Google Authenticator download pages to deceive users. The primary site, “authentificcatorgoolglte[.]com,” looks similar to the genuine Google page to trick users into downloading malware. Clicking the download button on this fake site transmits the visitor’s IP address and country to a Telegram bot and redirects users to a malicious file on GitHub, likely containing DeerStealer, which can steal sensitive data once executed.

The Delphi-based DeerStealer malware employs obfuscation techniques to hide its activities and runs directly in memory without leaving a persistent file. It initiates communication with a Command and Control (C2) server by sending a POST request with the device’s hardware ID to “paradiso4[.]fun.” Subsequent POST requests suggest data exfiltration.

Analysis revealed the use of single-byte XOR encryption for transmitted data, uncovering PKZip archives containing system information. Researchers also linked DeerStealer to the XFiles malware family, noting that both use fake software sites for distribution but differ in their communication methods.
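The decoding step described above, written out as an added example (not ANY.RUN’s tooling): a single-byte XOR key is recovered from a captured upload by looking for the PKZip local-file-header magic the decoded data should start with, and the archive is then unpacked. The captured blob is constructed here by zipping a fake system-information file and XORing it with a key the analyst is assumed not to know.

```python
"""Recover a single-byte XOR key from a DeerStealer-style upload by
searching for the PKZip magic, then unpack the archive.  Added example,
not ANY.RUN's code; the capture is constructed in build_sample_capture()."""

import io
import zipfile

PK_MAGIC = b"PK\x03\x04"   # PKZip local file header


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample_capture(key: int = 0x5A) -> bytes:
    """Constructed 'exfiltrated' payload: a zip holding one fake system
    information file, XORed with a single byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sysinfo.txt", "hostname=WIN-ANALYST\nuser=lab\n")
    return xor_bytes(buf.getvalue(), key)


def recover_key(blob: bytes):
    """XOR is symmetric, so decoding is the same operation as encoding.
    The first plaintext byte ('P') fixes the only possible key; the next
    three bytes of the magic confirm it.  Returns None if no single-byte
    key yields a PKZip header, i.e. the capture is something else."""
    head = blob[:4]
    for key in range(256):
        if xor_bytes(head, key) == PK_MAGIC:
            return key
    return None


def decode_capture(blob: bytes) -> dict:
    """Return {name: content} for every file in the recovered archive."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PKZip header")
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    capture = build_sample_capture()
    print("key: 0x%02x" % recover_key(capture))
    for name, content in decode_capture(capture).items():
        print(name, content.decode())
```

Anchoring on a known plaintext header is the standard trick for this obfuscation; the same loop with a different magic (MZ, PNG, gzip) recovers keys for other single-byte XOR exfiltration formats.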

Threat Actors Abusing TryCloudflare to Deliver Malware

Cybercriminals are increasingly using TryCloudflare Tunnel to deliver Remote Access Trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos in financially motivated attacks. TryCloudflare allows developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, which attackers exploit to create temporary infrastructures that bypass traditional security controls.

This tactic, first observed in February 2024, has intensified and poses a significant threat because of its rapid deployment and evasion capabilities. Recent campaigns typically deliver a URL or attachment that fetches malicious files, which in turn execute scripts to install RATs and other malware.

Campaigns frequently target global organisations, using high-volume email campaigns with lures in multiple languages, often exceeding the volume of other malware campaigns. Attackers dynamically adapt their attack chains and obfuscate scripts to evade defences, demonstrating a sophisticated and persistent threat.

By abusing TryCloudflare tunnels, attackers generate random subdomains on trycloudflare.com, routing traffic through Cloudflare to avoid detection. For example, on May 28, 2024, and July 11, 2024, targeted campaigns used tax-themed lures and order invoice themes, respectively, to deliver AsyncRAT and Xworm via malicious email attachments and PowerShell scripts, providing remote system access and data exfiltration capabilities.
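A detection pass over DNS resolver logs for the two channels described in this round-up, the random *.trycloudflare.com quick-tunnel hostnames above and the Telegram Bot API used by TgRat and DeerStealer (see the TgRat item earlier in this post). This is an added example, not Proofpoint’s or Dr.Web’s detection content: the log format (timestamp, client IP, queried name), the server subnet and the log lines are constructed. Tunnel hostnames are flagged from any client; Telegram is flagged only from server subnets, where a bot client is unexpected, so that workstations with a legitimate Telegram user do not drown the alert.

```python
"""Flag TryCloudflare quick-tunnel lookups and server-side Telegram API
lookups in DNS logs.  Added example; the log lines, the subnet and the
hostnames are constructed."""

import ipaddress

TRYCLOUDFLARE_SUFFIX = ".trycloudflare.com"
TELEGRAM_API = "api.telegram.org"

# Constructed: subnet holding Linux servers that have no business with Telegram.
SERVER_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed DNS resolver log: '<timestamp> <client-ip> <queried-name>'.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z 10.0.5.12 api.telegram.org
2024-08-01T10:00:03Z 10.0.20.44 api.telegram.org
2024-08-01T10:00:05Z 10.0.20.44 quiet-river-ab12cd.trycloudflare.com
2024-08-01T10:00:06Z 10.0.20.44 trycloudflare.com
2024-08-01T10:00:07Z 10.0.5.12 updates.example.com
"""


def parse_line(line: str):
    """Split one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    return ts, client, qname.rstrip(".").lower()


def is_server(client_ip: str, subnets=SERVER_SUBNETS) -> bool:
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in subnets)


def classify(client: str, qname: str, subnets=SERVER_SUBNETS):
    """Return a reason string if the query should be flagged, else None."""
    if qname.endswith(TRYCLOUDFLARE_SUFFIX):
        # Only the random subdomains carry tunnels; the bare apex is
        # Cloudflare's own landing page and is deliberately not matched.
        return "quick-tunnel hostname (TryCloudflare abuse)"
    if qname == TELEGRAM_API and is_server(client, subnets):
        return "Telegram Bot API contacted from a server"
    return None


def scan(log_text: str, subnets=SERVER_SUBNETS) -> list:
    """Return one finding per flagged query, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        reason = classify(client, qname, subnets)
        if reason:
            hits.append({"time": ts, "client": client, "qname": qname, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In production the suffix match belongs in the resolver or proxy policy as well as in the SIEM: quick-tunnel hostnames are disposable, so blocking the suffix costs nothing for a network that does not develop against Cloudflare Tunnel.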

Ransomware Threat Actors Exploiting VMWare ESXi

Microsoft researchers have identified a critical vulnerability in VMware’s ESXi hypervisors, CVE-2024-37085, which allows ransomware operators to gain full administrative permissions on domain-joined ESXi hypervisors. By default, ESXi grants full administrative access to members of an Active Directory group named “ESX Admins”, without verifying that such a group exists or was created legitimately. Any domain user who can create a group, or rename an existing one, can therefore create “ESX Admins”, add themselves to it, and take full control of the hypervisor. Exploiting this can result in encryption of the hypervisor’s file system, access to the virtual machines it hosts, data exfiltration, and lateral movement within the network.

Ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been observed exploiting this vulnerability, deploying ransomware like Akira and Black Basta to encrypt ESXi file systems.

A notable attack by Storm-0506 involved using Qakbot and exploiting a Windows vulnerability to elevate privileges, followed by deployment of Black Basta ransomware. In response, VMware has released a security update to address CVE-2024-37085. Microsoft urges organisations to apply this update; where patching is delayed, to validate and harden the “ESX Admins” group (create it yourself as a tightly controlled group, or point the ESXi advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a different, protected group name); to deny group creation and renaming to accounts that do not need it; to use multifactor authentication for privileged accounts; and to secure critical assets with the latest security updates and monitoring of group creation and membership changes in the domain.
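Detection logic for the first step of the attack path above, the creation of a domain group named “ESX Admins” or the renaming of an existing group to that name. This is an added example, not Microsoft’s or VMware’s detection content. The records are constructed to carry the fields of Windows Security events 4727, 4731 and 4754 (security-enabled group created) and 4781 (account name changed); the same fields from a SIEM export of domain-controller logs can be fed to it directly. Matching is case-insensitive as a conservative choice.

```python
"""Alert on any group created as, or renamed to, "ESX Admins".  Added
example; SAMPLE_EVENTS are constructed domain-controller records."""

GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal security group created
GROUP_RENAMED = 4781                 # account name changed
ESX_ADMINS = "esx admins"            # compared case-insensitively

# Constructed events, shaped like the relevant Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "Computer": "DC01", "SubjectUserName": "jdoe",
     "OldTargetUserName": "HelpDesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "admin-ops",
     "TargetUserName": "Finance-RO"},
    {"EventID": 4731, "Computer": "DC01", "SubjectUserName": "vsphere-admin",
     "TargetUserName": "ESX Admins"},
]


def resulting_group_name(event: dict):
    """Name the group carries after the event, or None if the event is
    neither a group creation nor a rename."""
    eid = event.get("EventID")
    if eid in GROUP_CREATED:
        return event.get("TargetUserName")
    if eid == GROUP_RENAMED:
        return event.get("NewTargetUserName")
    return None


def find_esx_admins_changes(events, approved_actors=()) -> list:
    """One alert per event that creates or renames a group to "ESX Admins".
    Changes by approved accounts are still reported, at low severity: the
    advice is to validate the group, not to trust it blindly."""
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for ev in events:
        name = resulting_group_name(ev)
        if name is None or name.strip().lower() != ESX_ADMINS:
            continue
        actor = ev.get("SubjectUserName", "?")
        alerts.append({
            "event_id": ev["EventID"],
            "actor": actor,
            "host": ev.get("Computer"),
            "group": name,
            "severity": "low" if actor.lower() in approved else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_changes(SAMPLE_EVENTS, approved_actors={"vsphere-admin"}):
        print(alert)
```

Pair this with an alert on membership changes (events 4728, 4732 and 4756) for the same group once it exists, since adding an account to an existing “ESX Admins” group is the second step of the same path.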


"Crowdstrike
SOS Intelligence Weekly News Round Up

Weekly News Round-up

15 – 21 July 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs.

News Roundup

Ransom paid by AT&T

AT&T recently paid about $370,000 to a hacker affiliated with the ShinyHunters group to delete stolen customer data, including call and text metadata covering May 2022 to January 2023. The data was taken between April 14 and April 25, 2024, through unauthorised access to AT&T’s workspace on a third-party cloud platform. The records include phone numbers, communication dates and call durations, but not the content of calls or text messages.

The payment was made in Bitcoin, and the hacker confirmed the deletion with a demonstration video. A video is not proof that every copy is gone, however, and there is concern that some of the data may still be in circulation, posing an ongoing risk to AT&T’s customers.

Compromise of Squarespace domain names

Squarespace customer accounts were compromised by hackers, leading to unauthorised access to sensitive information such as email addresses and account details. The breach was attributed to a third-party vendor, highlighting concerns about the security measures in place for customer data. In response, Squarespace has notified affected users and is working to enhance their security protocols.

To protect their accounts, customers are urged to change their passwords and enable two-factor authentication. This incident underscores the persistent risks associated with third-party integrations in the digital environment and the importance of robust security measures.

22 minutes to exploit

Cloudflare’s Q1 2024 Application Security Report reveals that it takes hackers an average of just 22 minutes to exploit newly disclosed vulnerabilities, highlighting a concerning trend in cybersecurity. The report indicates that Distributed Denial-of-Service (DDoS) attacks remain a significant threat, constituting 37.1% of mitigated traffic, while automated traffic makes up one-third of all internet activities, a substantial portion of which is malicious.

Additionally, API traffic has increased to 60%, with many organisations regularly missing a large number of their public-facing API endpoints. The report also underscores the growing use of zero-day exploits and the challenges posed by third-party integrations in web applications, emphasising the constantly evolving cybersecurity threat landscape.

Exploiting the Crowdstrike Issue

On July 19, 2024, a faulty content update for the CrowdStrike Falcon sensor caused widespread crashes of Windows systems. The outage itself was not a vulnerability or an attack, but threat actors quickly took advantage of the confusion, targeting CrowdStrike customers with phishing campaigns, social engineering and malicious files dressed up as fixes. The attackers impersonated CrowdStrike support and offered supposed remediation tools and guidance, playing on the fact that CrowdStrike had attributed the crashes to a content update error rather than a security problem.

This incident underscores the need for companies to authenticate communication channels and adhere to official guidance on modern threats. Additionally, it highlights the importance of educating employees about behaviours that could compromise security, helping to strengthen defences against such opportunistic attacks.

