19 April 2024

Cyber Security Week in Review: April 19, 2024



International police operation takes down massive PhaaS platform LabHost

An international police operation, involving law enforcement agencies from 19 countries, led by the UK's Metropolitan Police Service, has dismantled LabHost, one of the largest Phishing-as-a-Service (PhaaS) providers. As part of the effort dubbed ‘Operation Stargrew’, 37 suspects were arrested worldwide, of which four individuals were apprehended in the United Kingdom, including the developer behind the platform, and five people in Australia.

Since its creation, LabHost has received just under £1 million ($1,173,000) in payments from criminal users.

Palo Alto PAN-OS zero-day flaw exploited to deploy a Python backdoor

Threat actors have been exploiting a recently disclosed vulnerability in Palo Alto Networks' PAN-OS software as a zero-day to deploy a Python backdoor since at least March 2024. Tracked as CVE-2024-3400, the issue is a command injection flaw in the GlobalProtect feature, which may enable a remote attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

Russian military hackers targeted US water utilities and hydroelectric facilities in Europe

The group of hackers known as “CyberArmyofRussia_Reborn,” associated with Russian military hackers, the Sandworm APT, has in recent months targeted a hydroelectric power station in France and water supply facilities in the United States and Poland, according to Mandiant.

Since the beginning of the year, “CyberArmyofRussia_Reborn” has claimed responsibility at least three times for hacking operations directed against American and European water supply and hydroenergy enterprises: the dams of the Courlon-sur-Yonne hydroelectric power station in France, several water supply enterprises in Texas (USA), and a wastewater treatment plant in Poland.

This week, Finnish cybersecurity firm WithSecure (formerly known as F-Secure) said it discovered a new Sandworm-linked backdoor, dubbed ‘Kapeka,’ which has been used in attacks against Eastern European targets since at least the middle of the year 2022.

Ukrainian military personnel targeted via messaging apps and dating sites

The Ukrainian CERT-UA (Computer Emergency Response Team) has identified a surge in activity from a threat actor it tracks as UAC-0184 involving attacks targeting the Ukrainian military with malware delivered through popular messaging apps and dating sites. The attacks typically involve social engineering techniques, such as enticing messages with themes like opening executive proceedings or criminal cases, videos of combat actions, or requests for acquaintance via popular platforms.

The threat actor employs a range of commercial programs and open-source tools in their malicious activities, including IDAT (HijackLoader, Shadowladder, Ghostpulse), RemcosRAT, ViottoKeylogger, Xworm, Sigtop, and Tusc.

Some Ukrainian networks have been infected with OfflRouter malware since 2015

Select Ukrainian networks have been found to remain infected with VBA macro virus OfflRouter since 2015, according to new findings from Cisco Talos.

The threat research team uncovered over 100 compromised documents containing potentially confidential information about government and police activities in Ukraine uploaded to VirusTotal since 2018, suggesting the malware remains active, with more than 20 uploads detected since 2022. While its activity is centered in Ukraine, there's no evidence linking its origin to the region.

The malware targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions, Cisco said.

Russia steps up its influence operations targeting US election

Over the past two months, Russian influence operations (IO) have intensified, with the Microsoft Threat Analysis Center (MTAC) identifying at least 70 Russian actors involved in disseminating Ukraine-focused disinformation. These operations utilize both traditional and social media platforms, employing a combination of covert and overt campaigns.

One notable example is the group tracked by Microsoft as Storm-1516, which has effectively spread anti-Ukraine narratives to US audiences. This group typically follows a three-stage process:

  • An individual presents themselves as a whistleblower or citizen journalist, initiating a narrative on a purpose-built video channel.

  • The video content is then picked up by a seemingly unaffiliated global network of covertly managed websites, giving the illusion of independent coverage.

  • Russian expats, officials, and sympathetic individuals then amplify this coverage, further spreading the disinformation.

This process ultimately results in US audiences unknowingly echoing and sharing the disinformation without awareness of its original source.

Cisco warns of large-scale brute-force attacks targeting VPNs, SSH services

Cisco’s threat intelligence unit is warning of a surge in brute-force attacks targeting various services, including Virtual Private Networks (VPNs), web application authentication interfaces, and SSH services. The malicious activity has been on the rise since at least March 18, 2024. According to Cisco Talos, the attacks come from TOR exit nodes and other anonymizing tunnels and proxies.

According to the advisory, the affected services include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, and SonicWall VPN. Additionally, web services like RD Web Services, Mikrotik, Draytek, and Ubiquiti have also been targeted by the observed brute-force attempts.

China-linked LightSpy iOS implant re-emerges, targets South Asia

A new cyber espionage campaign using the sophisticated iOS spyware implant known as LightSpy has been detected, according to a recent BlackBerry report. The campaign is focused on South Asia, primarily India. Dubbed 'F_Warehouse,' the latest iteration of LightSpy comes with a modular framework with extensive spying capabilities.

OpenJS Foundation reports attempted supply-chain attacks on JavaScript projects

The OpenJS Foundation said it uncovered three attempted supply-chain attacks similar to the recent incident involving the popular compression library XZ Utils. In each instance, unknown individuals attempted to introduce suspicious updates or asked to be made maintainers of the targeted software. The OpenJS Foundation received emails urging the organization to update one of its popular JavaScript projects to “address any critical vulnerabilities,” without providing any details regarding the said flaws.

Despite the attackers' persistence, none were granted privileged access to the projects hosted by the OpenJS Foundation.

Multiple botnets are hunting for vulnerable TP-Link routers

Multiple malware variants are targeting a security vulnerability (CVE-2023-1389) affecting TP-Link Archer routers to ensnare them in DDoS botnets. According to FortiGuard Labs, multiple botnets, including Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt variant (aka Bashlite), have been actively exploiting the vulnerability to compromise TP-Link Archer AX21 routers. The exploitation of this vulnerability enables attackers to take control of the devices, utilizing them for distributed denial-of-service (DDoS) attacks.

Cybercrime outfit FIN7 targets US automotive industry with Carbanak backdoor

BlackBerry analysts uncovered a spear-phishing campaign orchestrated by the threat group FIN7, aimed at a major US-based automotive manufacturer. The attackers specifically targeted IT department employees with elevated administrative privileges, enticing them with a free IP scanning tool. Once engaged, FIN7 deployed their Anunak (Carbanak) backdoor, leveraging living off the land binaries, scripts, and libraries (LOLBAS) for initial access. This incident appears to be part of a broader offensive by FIN7.

Additionally, BlackBerry analyzed the XAgent spyware targeting iOS devices in Western Europe. This mobile implant has been linked to the Russian nation-state threat actor APT28 (aka Fancy Bear). The XAgent iOS implant exhibits advanced functionalities for comprehensive data collection, exfiltration and potential remote control.

High-risk Atlassian flaw exploited to deploy Linux variant of Cerber ransomware

Cado Security Labs spotted ransomware attacks involving a Linux variant of the Cerber ransomware, exploiting the CVE-2023-22518 Confluence vulnerability.

Using this bug, attackers create administrator accounts to execute malicious code. They upload the Effluence web shell plugin via the admin panel, providing a gateway for executing commands on the host. Through this web shell, attackers download and activate the Cerber ransomware payload. As Confluence typically operates with limited privileges under the “confluence” user, the encryption is limited to files owned by this user.

Malvertising campaign uses fake IP scanner software to distribute MadMxShell backdoor

Zscaler ThreatLabz has published a report on a new malvertising campaign that utilizes fake IP scanner software to distribute a previously unknown backdoor dubbed ‘MadMxShell.’ The backdoor employs multiple layers of DLL sideloading, uses the DNS protocol to communicate with its command-and-control server, and employs tactics to evade memory forensics security measures.

Connect:fun campaign targets Fortinet bug to deploy malware and RMTs

Security researchers spotted an exploitation campaign that targets organizations using an SQL injection vulnerability (CVE-2023-48788) in Fortinet's FortiClient Enterprise Management Server (EMS) software.

Dubbed “Connect:fun” by Forescout Research’s Vedere Labs, the campaign has been attributed to a threat actor believed to be in operation since at least 2022. Evidence suggests that the threat actor targets Fortinet appliances and employs a combination of Vietnamese and German languages within their infrastructure.

Ivanti fixes multiple flaws in its Avalanche MDM solution

IT software company Ivanti addressed 27 vulnerabilities in its Avalanche enterprise mobile device management (MDM) product, including a number of high-severity flaws that could potentially lead to remote code execution.

CryptoChameleon phishing kit targets LastPass users

LastPass is warning about a new malicious campaign aimed at its users, utilizing the CryptoChameleon phishing kit used for cryptocurrency theft. This sophisticated kit, previously linked to targeting FCC employees with customized Okta single sign-on pages, employs a blend of social engineering tactics. Perpetrators employ voice phishing, posing as LastPass staff, to deceive victims into believing their accounts have been compromised to gain unauthorized access.

Cisco Duo issues warning after third-party data breach exposes MFA logs

Cisco Duo, a multi-factor authentication (MFA) and Single Sign-On service provider, has warned its customers about a third-party data breach, which exposed SMS and VoIP MFA message logs. The data breach, which occurred on April 1, 2024, was a result of a cyberattack on one of Cisco Duo's telephony providers.

The threat actors are said to have obtained employee credentials through a phishing attack and gained unauthorized access to the systems of the telephony provider responsible for handling Cisco Duo's SMS and VoIP MFA messages.

Cryptojacker indicted for defrauding cloud service providers of $3.5M

The US Department of Justice unsealed an indictment charging Charles O. Parks III, known as “CP3O,” with orchestrating an illegal “cryptojacking” operation. Parks is accused of defrauding two major cloud computing service providers of over $3.5 million in computing resources to mine cryptocurrency valued at nearly $1 million.

Firebird RAT developers and sellers arrested in the US and Australia

Law enforcement authorities in the US and Australia have apprehended two men allegedly involved in the development and sale of the Firebird remote access trojan (RAT), later rebranded as Hive.

Former Amazon engineer sentenced for hacking and crypto theft

Shakeeb Ahmed, a former security engineer at Amazon, has been sentenced to three years in prison for his involvement in hacking two decentralized cryptocurrency exchanges, leading to the theft of digital assets worth over $12 million.

According to court documents, Ahmed took advantage of vulnerabilities in blockchain contracts to carry out theft. He used sophisticated schemes to manipulate pricing data and exploit flaws in smart contracts. Specifically, he targeted Cream Finance and Nirvana Finance, making away with $9 million and $3.6 million, respectively.

Moldovan hacker charged with running a massive botnet

A Moldovan national, Alexander Lefterov, has been indicted by US authorities for orchestrating a botnet operation that compromised thousands of computers. Lefterov (aka Alipako, Uptime, and Alipatime) utilized malware to infiltrate systems, gathering login details to siphon funds from victims' online accounts. Additionally, he profited by vending access to these compromised systems to other cybercriminals, including ransomware syndicates. Currently, Lefterov remains at large and has been added to the FBI's Cyber Most Wanted list.
