Google, Microsoft, Apple fix zero-days in their software products
Google issued two separate Chrome security updates this week to patch two zero-day vulnerabilities exploited in the wild. The first, CVE-2024-4947, is a type confusion issue in Chrome's V8 JavaScript engine that can be exploited for remote code execution.
The second, CVE-2024-4761, is an out-of-bounds write stemming from a boundary error when V8 processes untrusted HTML content. A remote attacker can craft a web page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system. All in all, the tech giant patched three Chrome zero-day vulnerabilities in two weeks, and a total of seven Chrome zero-days since the start of the year.
Additionally, Microsoft issued a fresh batch of security updates as part of its May 2024 Patch Tuesday release that address around 60 security vulnerabilities across various software products, including a couple of zero-days exploited in the wild.
The first zero-day vulnerability, CVE-2024-30051, is a heap-based buffer overflow issue, which exists due to a boundary error within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow and execute arbitrary code with SYSTEM privileges. This vulnerability was previously linked to the QakBot botnet dismantled as part of a global police operation in August 2023.
The second zero-day flaw, CVE-2024-30040, is a Windows MSHTML platform security feature bypass issue, which can lead to remote code execution via a specially crafted file bypassing OLE mitigations in Microsoft 365 and Microsoft Office.
Last, but not least, Apple rolled out security updates for its mobile and desktop operating systems to address a slew of security flaws, including a memory corruption bug (CVE-2024-23296) in RTKit that the company says “may have been exploited” in the wild. The update covers older Apple devices such as iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation. In March, Apple fixed the flaw on newer iPhone, iPad, and Mac models; the vendor has now backported the fix to older devices.
BreachForums seized in law enforcement op, admin reportedly arrested
An international law enforcement operation has shut down the notorious BreachForums hacker forum known for leaking and selling stolen data. This marks the second time in just over a year that authorities have taken down the illicit platform. As part of the operation, BreachForums’ Telegram channel and a Telegram channel of Baphomet, the current administrator of the platform, were seized. The ShinyHunters cybercrime gang, the alleged owners of BreachForums, reported that BreachForums’ admin Baphomet was allegedly arrested.
Russian cyber spies Turla target European MFA with new backdoors
ESET released a report on two previously unknown backdoors used by the Russian cyberespionage group Turla in attacks against European diplomatic entities. Dubbed ‘LunarWeb’ and ‘LunarMail,’ the two backdoors are believed to have been in operation since at least 2020. LunarWeb, deployed on servers, uses HTTP(S) for its command-and-control (C2) communications, disguising its traffic as legitimate requests. LunarMail, deployed on workstations, operates as an Outlook add-in and uses email messages for C2 communications. Both backdoors employ steganography, concealing commands within images to evade detection.
North Korean hackers steal sensitive data from South Korean court computer network
North Korean hackers infiltrated a South Korean court's computer network over a span of two years, stealing highly sensitive data, including individuals' financial records. According to South Korean national police, the hackers stole 1,014 GB of data from the court's computer system between January 2021 and February 2023. The threat actor had been breaking into the court's computer network since at least January 7, 2021, the police said. The hackers used malware to siphon off data, including crucial personal information such as marriage records and individuals' debt profiles. The stolen data was then transmitted to “four domestic and four overseas servers” before being flagged by antivirus software.
Additionally, Symantec observed the North Korean state-backed hacking outfit Kimsuky (aka Springtail) using a new Linux malware called Gomir (a Linux version of the GoBear backdoor) delivered via trojanized software installers.
US takes action against cyber schemes aiding North Korean weapons program
US prosecutors announced the arrests of Christina Marie Chapman, an American, and Oleksandr Didenko, a Ukrainian, for aiding North Korean IT workers in obtaining remote jobs at over 300 US companies by posing as Americans. This scheme aimed to generate revenue for North Korea in violation of international sanctions, and involved the theft of identities of more than 60 Americans. The IT workers also tried, but largely failed, to gain employment at two US government agencies. The scheme reportedly generated at least $6.8 million for North Korea, benefiting its Munitions Industry Department. Chapman was arrested in Arizona, and Didenko was arrested in Poland, pending extradition. The US is offering a $5 million reward for information on additional co-conspirators.
In addition, the US authorities seized 12 website domains used by North Korean IT workers to mimic western IT services firms to support the bona fides of their attempts to secure remote work contracts for US and other businesses worldwide. The authorities also arrested an individual named as Minh Phuong Vong for his alleged participation in a scheme to assist overseas IT workers.
Ebury botnet infects 400K Linux servers for cryptocurrency theft
ESET researchers published details on Ebury, a decade-long botnet operation that has infected nearly 400,000 Linux servers since its inception in 2009. Ebury leverages its access to hosting provider infrastructure, where it installs itself across rented servers within days. The malware employs sophisticated tactics, such as intercepting SSH traffic within data centers and using compromised servers for ARP spoofing, to propagate itself and steal credentials.
FIN7 exploits trusted brands and Google ads to spread malware
The financially motivated threat group FIN7 has been using malicious Google ads spoofing legitimate brands to deliver MSIX installers that lead to the deployment of the NetSupport remote access trojan (RAT). The group, believed to be Russia-based, has been in operation since at least 2013, using spearphishing as its primary method of infiltrating target networks and systems.
FIN7 has been leveraging fake websites disguised as well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet, as the primary entry point for its malware campaigns.
Black Basta-linked social engineering campaign bombards orgs with spam emails
Cybersecurity researchers have identified a sophisticated social engineering campaign, suspected to be orchestrated by the Black Basta cybercriminal group and aimed at enterprises, that is designed to infiltrate their systems through a combination of spam emails and manipulative phone calls.
The campaign, which began in late April 2024, involves mass-sending spam emails, primarily consisting of seemingly innocuous newsletter sign-up confirmation messages from legitimate organizations. This tactic is aimed at overwhelming email protection systems, making it easier for the threat actors to breach the target environment.
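The email-flooding stage described above is easy to miss if you only look at individual messages, because each one really is a benign confirmation from a legitimate sender; the signal is the burst per recipient. The following is an added example (not code from the researchers or the original article) of a sliding-window detector run over a constructed sample of mail-gateway log lines. The log format, the subject keyword list, and the thresholds (8 confirmation-style messages from at least 5 distinct sender domains within 10 minutes) are all assumptions for illustration and should be tuned to your own mail volume.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inbound mail-gateway log (not real data), one event per line:
# "<utc time> <recipient> <sender-domain> <subject>"
SAMPLE_MAIL_LOG = """\
2024-05-06T14:00:05Z bob@corp.example partner.example Q2 invoice attached
2024-05-06T14:00:10Z alice@corp.example news.site-a.test Confirm your subscription
2024-05-06T14:00:20Z alice@corp.example mail.site-b.test Please confirm your email address
2024-05-06T14:00:31Z alice@corp.example list.site-c.test Welcome! Verify your newsletter signup
2024-05-06T14:00:45Z alice@corp.example news.site-a.test Confirm your subscription
2024-05-06T14:01:02Z alice@corp.example updates.site-d.test Subscription confirmation required
2024-05-06T14:01:15Z alice@corp.example hello.site-e.test Verify your email to start receiving updates
2024-05-06T14:01:40Z alice@corp.example mail.site-b.test Please confirm your email address
2024-05-06T14:02:03Z alice@corp.example digest.site-f.test Confirm subscription to our digest
2024-05-06T14:02:30Z alice@corp.example news.site-g.test Welcome - please confirm your signup
2024-05-06T14:02:55Z alice@corp.example promo.site-h.test Confirm your subscription
2024-05-06T14:05:00Z bob@corp.example hr.corp.example Welcome to the onboarding portal
"""

# Assumed keyword list for "newsletter sign-up confirmation" style subjects.
CONFIRMATION_SUBJECT = re.compile(
    r"\b(confirm\w*|subscription|verify|sign-?up|welcome)\b", re.IGNORECASE
)


def parse_mail_log(text):
    """Parse the constructed log into (timestamp, recipient, sender_domain, subject)."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, rcpt, sender, subject = parts
        events.append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), rcpt.lower(), sender.lower(), subject)
        )
    events.sort(key=lambda e: e[0])
    return events


def find_email_bombs(events, window=timedelta(minutes=10), min_messages=8, min_senders=5):
    """Flag recipients who receive a burst of confirmation-style mail from many senders.

    Keeps a per-recipient sliding window of recent confirmation-like messages and
    records the peak burst seen for each flagged recipient.
    """
    recent = defaultdict(deque)  # recipient -> deque of (ts, sender_domain) inside the window
    flagged = {}
    for ts, rcpt, sender, subject in events:
        if not CONFIRMATION_SUBJECT.search(subject):
            continue  # ordinary mail never enters the window
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:
            q.popleft()  # expire messages older than the window
        senders = {s for _, s in q}
        if len(q) >= min_messages and len(senders) >= min_senders:
            prev = flagged.get(rcpt)
            if prev is None or len(q) > prev["messages"]:
                flagged[rcpt] = {
                    "messages": len(q),
                    "distinct_senders": len(senders),
                    "window_start": q[0][0].isoformat(),
                    "window_end": ts.isoformat(),
                }
    return flagged


if __name__ == "__main__":
    for rcpt, info in find_email_bombs(parse_mail_log(SAMPLE_MAIL_LOG)).items():
        print(f"possible email bomb against {rcpt}: {info}")
```

A hit here is a prompt to warn the user before the follow-up "IT helpdesk" phone call lands, not a reason to block the confirmations themselves, which are legitimate mail from real senders.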
The US cybersecurity agencies released an advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) associated with the Black Basta ransomware activity.
Threat actors abuse Windows Quick Assist in ransomware attacks
Microsoft’s threat intelligence team discovered a series of ransomware attacks by the cybercriminal group Storm-1811 involving abuse of the Windows Quick Assist tool, which lets a user share their Windows or macOS device with another person over a remote connection.
This financially motivated group is known for deploying the Black Basta ransomware. The attack begins with social engineering through voice phishing (vishing), leading to the delivery of malicious tools such as remote monitoring and management (RMM) applications like ScreenConnect and NetSupport Manager. Additionally, the threat actor uses malware, including Qakbot and Cobalt Strike, before ultimately deploying the Black Basta ransomware.
Malicious Android apps mimic popular platforms to steal credentials
A wave of Android applications has been uncovered, posing as popular platforms like Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter). These seemingly innocuous apps serve as tools for credential theft, according to the SonicWall Capture Labs threat research team. Once installed, the malicious app coerces users into granting two critical permissions: Accessibility Service and Device Admin Permission. These permissions allow the malware to seize control over the victim's device and perform a series of malicious actions without the user's knowledge or consent.
Threat actors are using DNS tunneling for scanning and tracking
Palo Alto Networks' Unit 42 security research team has uncovered cyber campaigns employing DNS tunneling for activities beyond conventional command-and-control (C2) and Virtual Private Network (VPN) purposes. These campaigns, dubbed “TrkCdn” and “SecShow,” showcase how malicious actors evolve their tactics to bypass traditional network security measures.
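Both uses described above, tracking whether a victim opened a message and scanning a network, share the same wire-level fingerprint: the attacker encodes data in the leftmost labels of a query under a domain they control, so each query carries a unique, high-entropy subdomain that a resolver has never seen before. The block below is an added example (not Unit 42's code or the original article's) of those heuristics run over a constructed resolver log. The log format, the "last two labels are the zone" shortcut (a real tool would use the Public Suffix List), and the thresholds are assumptions; the second hex label in the sample tunnel queries is the constructed client's IPv4 address, the kind of encoding a scanning campaign would use.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query log (not real traffic): "<time> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-05-13T09:00:01Z 10.0.0.5 www.example.com A
2024-05-13T09:00:02Z 10.0.0.5 mail.example.com MX
2024-05-13T09:00:03Z 10.0.0.5 cdn.example.com A
2024-05-13T09:00:04Z 10.0.0.6 www.example.com A
2024-05-13T09:00:05Z 10.0.0.7 www.example.com A
2024-05-13T09:00:10Z 10.0.0.7 4e6f6e2d5365637265.0a000007.trk.tunnel-example.test A
2024-05-13T09:00:11Z 10.0.0.8 a3f9c12b7e4d0f1a.0a000008.trk.tunnel-example.test A
2024-05-13T09:00:12Z 10.0.0.9 9b1d0e7f3c5a2468.0a000009.trk.tunnel-example.test A
2024-05-13T09:00:13Z 10.0.0.10 c0ffee1234abcd98.0a00000a.trk.tunnel-example.test A
2024-05-13T09:00:14Z 10.0.0.11 7d8e9f0a1b2c3d4e.0a00000b.trk.tunnel-example.test A
2024-05-13T09:00:15Z 10.0.0.12 5f6e7d8c9b0a1122.0a00000c.trk.tunnel-example.test A
"""

# A label of 12+ hex characters is a strong hint of encoded payload (assumed threshold).
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'aaaa', 1.0 for 'ab', close to 4 for random hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log into dicts with ts, client, qname, qtype."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def split_name(qname):
    """Return (subdomain labels, zone). Assumption: the zone is the last two labels."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_features(qname):
    subs, zone = split_name(qname)
    prefix = "".join(subs)
    return {
        "zone": zone,
        "prefix_len": len(prefix),
        "entropy": shannon_entropy(prefix),
        "has_hex_label": any(HEX_LABEL.match(label) for label in subs),
    }


def find_tunneling(records, min_queries=5, min_unique_ratio=0.8,
                   min_entropy=3.0, min_hex_ratio=0.5):
    """Flag zones whose queries are almost all unique and look encoded.

    A zone is flagged when it has enough queries, nearly every query name is
    distinct (tracking and scanning both need one-shot subdomains), and either
    the average subdomain entropy is high or most queries carry a hex-like label.
    """
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                    "entropy_sum": 0.0, "hex_hits": 0})
    for r in records:
        f = query_features(r["qname"])
        z = per_zone[f["zone"]]
        z["queries"] += 1
        z["names"].add(r["qname"])
        z["clients"].add(r["client"])
        z["entropy_sum"] += f["entropy"]
        z["hex_hits"] += int(f["has_hex_label"])

    flagged = {}
    for zone, z in per_zone.items():
        if z["queries"] < min_queries:
            continue
        unique_ratio = len(z["names"]) / z["queries"]
        mean_entropy = z["entropy_sum"] / z["queries"]
        hex_ratio = z["hex_hits"] / z["queries"]
        if unique_ratio >= min_unique_ratio and (mean_entropy >= min_entropy or hex_ratio >= min_hex_ratio):
            flagged[zone] = {"queries": z["queries"], "unique_ratio": unique_ratio,
                             "mean_entropy": round(mean_entropy, 2),
                             "hex_ratio": hex_ratio, "unique_clients": len(z["clients"])}
    return flagged


if __name__ == "__main__":
    for zone, info in find_tunneling(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"suspected DNS tunneling via {zone}: {info}")
```

The unique-subdomain ratio is the heuristic that catches the tracking and scanning uses specifically: a classic C2 tunnel tends to be chatty from one client, whereas these campaigns produce a single novel name per victim or per probed address, so the per-zone client count is worth keeping in the output.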
Threat actors pose as 1Password, Bartender 5, and Pixelmator Pro to deliver malware
Russian-speaking threat actors are abusing trusted internet services like GitHub to disseminate various types of credential-stealing malware. The campaign, dubbed ‘GitCaught,’ used GitHub profiles posing as legitimate software such as 1Password, Bartender 5, and Pixelmator Pro to deploy a variety of malware, including Atomic macOS Stealer (AMOS) and Vidar, designed to breach users’ systems and steal sensitive data.
SugarGh0st RAT targets American AI experts
Proofpoint discovered a SugarGh0st RAT campaign targeting US organizations involved in artificial intelligence, including academia, private industry, and government. The campaign, attributed to a group called UNK_SweetSpecter, involved using a customized variant of Gh0stRAT, a trojan commonly associated with Chinese-speaking threat actors. Historically used in Central and East Asia, SugarGh0st RAT was employed in this campaign through AI-themed phishing emails, encouraging recipients to open a malicious zip archive.
Norway advises organizations to ditch SSL VPNs
Norway's cybersecurity agency has issued new guidance, advising companies to replace SSL and web VPN solutions with more secure alternatives. This recommendation comes in response to the numerous critical vulnerabilities identified in these products over recent years. The agency specifically recommends transitioning to solutions utilizing the IPsec and IKEv2 protocols. While companies should complete the transition away from SSL VPNs by the end of 2025, organizations governed by the country's Safety Act must make the switch by the end of this year.
China-linked hackers Earth Hundun update tactics
Trend Micro released a report highlighting tactics of Earth Hundun, a China-linked threat actor known for its operations in the Asia-Pacific region. The report analyses the operational methods of two malware variants, Waterbear and Deuterbear, detailing their infection stages, command-and-control (C&C) interactions, and behaviors.
Deuterbear, while similar to Waterbear, exhibits advanced features such as support for shellcode plugins, bypassing handshakes for remote access tool (RAT) operations, and using HTTPS for C&C communication. Unlike Waterbear, Deuterbear employs a shellcode format, has anti-memory scanning capabilities, and shares a traffic key with its downloader. The transition from Waterbear to Deuterbear highlights Earth Hundun's efforts to enhance anti-analysis and detection evasion techniques.
Key dev behind the Tornado Cash crypto mixer sentenced to 64 months in prison
Alexey Pertsev, a key developer of the Tornado Cash cryptocurrency mixer, has been sentenced to 64 months in prison for his role in laundering over $2 billion in cryptocurrency. The 31-year-old Russian national was arrested in Amsterdam in August 2022 on charges related to concealing financial flows from criminal activities and facilitating money laundering. Pertsev, one of the three main creators of Tornado Cash, was actively involved in the project from July 2019 to August 2022. Tornado Cash is an open-source, decentralized platform designed to provide anonymity to cryptocurrency holders by mixing deposits through multiple nodes before withdrawal to different wallet addresses.
Two former MIT students indicted over “first-of-its-kind” $25 million crypto theft
The US Department of Justice has indicted Anton Peraire-Bueno and James Peraire-Bueno, two former MIT students, for allegedly executing a “first-of-its-kind” scheme to manipulate the Ethereum blockchain and steal $25 million in cryptocurrency within 12 seconds. Arrested in Boston and New York, the brothers face charges of wire fraud and conspiracy to commit wire fraud and money laundering, each count carrying a maximum penalty of 20 years in prison. The scheme involved accessing and altering pending private transactions on the blockchain, stealing cryptocurrency, and rejecting return requests, while taking steps to conceal their actions.