8 November 2024

Cyber Security Week in Review: November 8, 2024


Cyber Security Week in Review: November 8, 2024

PAN Expedition auth bypass bug exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating its exploitation in real-world attacks. One of the flaws is a high-risk vulnerability in Palo Alto Networks' Expedition tool (CVE-2024-5910).  Initially patched in July 2024, this flaw involves a missing authentication mechanism, allowing attackers with network access to potentially gain admin control of the affected system.

The updated list of actively exploited bugs also includes Nostromo nhttpd directory traversal flaw (CVE-2019-16278), CyberPanel incorrect default permissions vulnerability (CVE-2024-51567), and CVE-2024-43093 Android framework privilege escalation vulnerability (CVE-2024-43093). The flaw allows unauthorized access to sensitive directories, including “Android/data,” “Android/obb,” and “Android/sandbox,” along with their sub-directories.  Google has confirmed that another vulnerability, CVE-2024-43047, is also being actively exploited.

In the meantime, Hewlett Packard Enterprise (HPE) has released updates for Aruba's Instant AOS-8 and AOS-10 software to fix two critical vulnerabilities (CVE-2024-42509 and CVE-2024-47460) affecting Aruba Networking Access Points. These flaws, located in the CLI service and exploitable via Aruba's PAPI protocol over UDP port 8211, could allow remote, unauthenticated attackers to execute commands through specially crafted packets. Cisco has also issued a patch for a critical vulnerability (CVE-2024-20418) in its Ultra-Reliable Wireless Backhaul (URWB) Access Points, caused by insufficient input validation in the web management interface, potentially enabling attackers to execute commands with elevated privileges.

Currently, there’s no indication that the vulnerabilities have been exploited by hackers.

Hackers abuse Microsoft SharePoint bug to breach corporate networks

A remote code execution (RCE) vulnerability in the Microsoft SharePoint document management platform, is being exploited by threat actors seeking to compromise corporate networks. Tracked as CVE-2024-38094, the flaw affects Microsoft SharePoint’s on-premise installations and is related to insecure input validation when processing serialized data. The issue was fixed as part of Microsoft’s July 2024 Patch Tuesday release.

China-linked Volt Typhoon reportedly breached Singapore’s largest mobile carrier Singtel

Singapore’s largest mobile operator Singapore Telecommunications (Singtel) reportedly suffered a major cyber breach this summer, allegedly orchestrated by Chinese state-sponsored hackers. The attack, uncovered in June, was reportedly executed by Volt Typhoon, a hacking group associated with Chinese interests. It is believed that the Singtel breach may have served as a trial for further incursions into US telecommunications networks. The hackers reportedly employed a web shell tool, allowing them to intercept and steal login credentials and gain unauthorized access by masquerading as legitimate users.

ESET APT activity report

ESET released its APT Activity Report for Q2–Q3 2024 highlighting the operations of various APT groups and the latest tactics observed by ESET researchers. During this period, China-aligned groups like MirrorFace expanded their focus beyond Japan to include targets in the European Union, with groups increasingly using SoftEther VPN for covert access. Iran-aligned groups emphasized espionage in geopolitically significant regions, notably targeting financial sectors in Africa and diplomatic entities in France, Iraq, and Azerbaijan.

North Korea-linked actors continued targeting cryptocurrency and defense sectors, deploying new methods such as using Microsoft Management Console files and misusing popular cloud services. Russia-aligned groups remained highly active, especially targeting Ukrainian entities and exploiting XSS vulnerabilities in webmail servers; new tools and malware such as WrongSens, LOADGRIP, and BIASBOAT were also detected. Other significant incidents included Operation Texonto's psychological operations against Ukraine and Russia’s opposition, as well as a hack-and-leak campaign involving the Polish Anti-Doping Agency, linked to Belarus-aligned disinformation efforts.

UK cybersecurity agency details China-linked Pygmy Goat backdoor discovered on Sophos XG firewalls

The UK’s cybersecurity agency released a report describing a sophisticated new backdoor dubbed “Pygmy Goat” found on Sophos XG firewall devices. The malware is said to be the work of Chinese state-sponsored hackers and includes capabilities that grant attackers control over compromised systems.

Pakistan-linked APT36 intensifies cyber espionage on Indian entities

A Pakistan-affiliated cyber espionage group tracked as Transparent Tribe and APT36 has orchestrated a series of cyber espionage campaigns targeting high-profile Indian entities throughout 2024. A new report from researchers at Check Point Research highlights new tactics and malware employed by the group, with particular focus on an advanced tool called ElizaRAT, which has evolved significantly in recent months.

North Korean hackers target crypto firms with new macOS malware in Hidden Risk campaign

A threat actor linked to North Korea has been observed deploying advanced malware designed to compromise cryptocurrency-related businesses in a targeted attack campaign dubbed ‘Hidden Risk’. The campaign, detected and analyzed by the SentinelLabs cybersecurity team, involves a multi-stage malware that infects Apple macOS devices. The malicious activity has been attributed to BlueNoroff, a threat actor with a history of conducting financially motivated cyberattacks.

New Rhadamanthys phishing campaign exploits copyright baits

A phishing campaign that began in July 2024 is using copyright infringement themes to deceive victims into downloading the latest version of the Rhadamanthys information stealer. Dubbed "CopyRh(ight)adamantys," the operation targets regions including the United States, Europe, East Asia, and South America.

In other news, the UK’s National Cyber Security Centre (NCSC) has released guidance to help organizations defend against malvertising threats. Key recommendations include enforcing strong “know your customer” (KYC) checks and adopting robust cybersecurity practices. The guidance advises sourcing data from reputable providers, implementing industry standards, and utilizing reliable detection and removal tools for malvertising. Organizations are also encouraged to share threat intelligence, maintain transparent operations, and establish reliable reporting mechanisms.

Threat actors abuse DocuSign’s Envelopes API to mass-distribute fake invoices

Malicious actors have begun misusing DocuSign’s Envelopes API to distribute fraudulent invoices that mimic well-known brands, including Norton and PayPal. The invoices typically request an e-signature, which, once provided, gives attackers the authorization to demand payment directly from a company’s finance team or an organization’s banking department. Some invoices even include direct wire instructions or purchase orders, which, if executed, transfer funds directly to the attacker’s bank accounts.

VEILDrive threat actors exploit Microsoft services in novel C2 campaign

Security firm Hunters has uncovered a sophisticated phishing campaign, dubbed “VEILDrive,” which leverages multiple Microsoft services such as Teams, SharePoint, Quick Assist, OneDrive, and Azure AD as command-and-control (C2) infrastructure. The campaign, suspected to be of Russian origin, has been active since early August 2024 and remains ongoing. 

Five-year-long fraud ring Phish 'n' Ships infected over 1K legitimate websites

A sophisticated eCommerce fraud ring has been siphoning millions of dollars from unsuspecting consumers for over five years. The operation, dubbed “Phish 'n' Ships,” allegedly infected over 1,000 legitimate websites, creating fake product listings that lured victims with unrealistically low prices. The fraud ring exploited known website vulnerabilities to insert fake product listings, which appeared authentic in design and placement.

22,000+ malicious servers and IPs disrupted in cybercrime crackdown

More than 22,000 malicious IP addresses and servers linked to a range of cyber threats, including phishing, ransomware, and information-stealing malware have been taken down as part of an Interpol-led crackdown dubbed “Operation Synergia II” aimed at counteracting phishing, info-stealing, and ransomware threats. During the operation, which ran from April 1 to August 31, 2024, authorities identified nearly 30,000 suspicious IP addresses, of which 76% were neutralized. Additionally, 59 servers directly associated with cybercriminal activity were seized, and 41 arrests have been made.

Canadian authorities arrest suspected Snowflake hacker linked to the major corporate data breaches

Canadian law enforcement has apprehended Alexander “Connor” Moucka, aka ‘Judische’ and ‘Waifu,’ who is suspected of conducting a series of hacks tied to a high-profile breach of the data management platform Snowflake earlier this year. The arrest took place on October 30, 2024, under a provisional warrant issued at the request of US authorities. The charges against Moucka have yet to be disclosed.

Canadian authorities order TikTok to close its Canadian operations

The Canadian government has ordered TikTok to close its Canadian operations following a national security review, though the app itself is not blocked and remains accessible to Canadians. TikTok, operated by ByteDance, maintains offices in Toronto and Vancouver. The government cautions Canadians about potential data collection and misuse by the app's ties to an adversarial nation, emphasizing concerns about national security. The decision, based on advice from Canada’s security and intelligence agencies, aims to address specific risks related to TikTok’s operations in Canada through its local subsidiary, TikTok Technology Canada.

Ukrainian cyberpolice dismantle pro-Russian bot farm spreading anti-Ukrainian narratives

Cyberpolice officers working in conjunction with the Security Service of Ukraine (SBU), have dismantled a pro-Russian bot farm allegedly operated by two local residents. According to authorities, the individuals created and sold fake social media accounts to agents of the Russian Federation, who used the accounts to spread anti-Ukrainian propaganda and discourage Ukrainian citizens from military mobilization.

Germany proposes new law to protect security researchers and toughen penalties for cybercrime

The German Federal Ministry of Justice has released a draft law designed to offer legal protection to IT security researchers who identify and responsibly report cybersecurity vulnerabilities. The new legislation seeks to clarify that specific actions taken by security researchers, IT security companies, and ethical hackers, when aimed at detecting and closing security gaps, will not be punishable under existing computer criminal law.

Winos4.0 malware framework targets gamers

Criminals are exploiting game-related apps to spread Winos4.0, a malicious software framework for Windows that provides full control over infected machines. The malware, reportedly a reworked version of Gh0strat, includes multiple modules for specific functions. Fortinet found that Winos4.0 has been concealed within game installation tools, speed boosters, and optimization utilities, and shares similarities with known red-teaming tools like Cobalt Strike and Sliver, often misused by cybercriminals for ransomware deployment and espionage. Winos4.0 has been used in several campaigns, including Silver Fox, a group potentially linked to the Chinese government.

New ToxicPanda banking trojan hits Europe and LATAM

Cleafy's Threat Intelligence team uncovered a new Android banking Trojan campaign, initially linked to the TgToxic Trojan observed in Southeast Asia. ToxicPanda executes account takeovers by initiating fraudulent money transfers from compromised devices, employing an On-Device Fraud (ODF) technique to bypass banking security measures.

Although ToxicPanda appears to be in an early development stage, Cleafy said it discovered a botnet with over 1,500 infected devices across Italy, Portugal, Spain, and Latin America, targeting 16 banks. The threat actors behind the campaign appear to be Chinese speakers.

Additionally, Securonix researchers discovered a new malware campaign, dubbed CRON#TRAP, that targets Windows systems by deploying a Linux virtual machine with a pre-configured backdoor. The attack begins with a malicious LNK file, likely delivered via a ZIP attachment in a phishing email. Once activated, the malware sets up a virtual Linux environment on the Windows host, which includes a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server, allowing remote access to the compromised machine.

New Interlock ransomware linked to Rhysida developers

The Cisco Talos incident response team observed a ‘big-game hunting’ and double extortion campaign involving the Interlock ransomware, a relatively new strain. The attacker employed a sophisticated delivery chain, including a Remote Access Tool (RAT) disguised as a fake browser update, PowerShell scripts, a credential stealer, and a keylogger, before finally deploying the ransomware encryptor. Lateral movement within the network was achieved via RDP, along with tools like AnyDesk and PuTTY. Data was exfiltrated using Azure Storage Explorer with AZCopy to an attacker-controlled Azure blob. The threat actor remained undetected in the victim’s environment for approximately 17 days. Talos speculates that the Interlock ransomware group may be connected to the Rhysida ransomware group, given overlapping tactics and similarities in the ransomware encryptor.

Mozi returns as Androxgh0st botnet

A new report from CloudSEK’s Threat Research team looks into a new iteration of the infamous Mozi botnet dubbed “Androxgh0st.” Active since January 2024, Androxgh0st borrows payloads and tactics from Mozi, targeting systems like Cisco ASA, Atlassian JIRA, and PHP frameworks. The botnet uses remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to breach critical infrastructures.

US authorities establish website linked to the 2016 Bitfinex hack

The US Department of Justice has set up a website for individuals who may be victims of the 2016 Bitfinex hack, where approximately 120,000 bitcoin were stolen by Ilya Lichtenstein, a perpetrator behind the breach. Following the hack, Lichtenstein developed a complex scheme to launder the stolen funds, using tactics like layering transactions, cryptocurrency mixers, and using both US and overseas bank accounts. He was assisted by his wife, Heather Rhiannon Morgan, until their arrest in February 2022. Both pleaded guilty to money laundering conspiracy charges on August 3, 2023. Lichtenstein’s sentencing is set for November 14, 2024, and Morgan’s for November 15, 2024.


Back to the list

Latest Posts

Cyber Security Week in Review: December 6, 2024

Cyber Security Week in Review: December 6, 2024

In brief: Zero-day vulnerabilities in I-O data routers, Russian Turla hijacks C2 infrastructure of Pakistani hackers, and more.
6 December 2024
Russian Turla hijacks C2 infrastructure of Pakistani hackers in espionage campaign

Russian Turla hijacks C2 infrastructure of Pakistani hackers in espionage campaign

The group has infiltrated the C2 infrastructure of the Pakistani-based actor Storm-0156, as part of the “spy-on-spy” tactics.
5 December 2024
Japan’s CERT warns of zero-day vulnerabilities in I-O data routers

Japan’s CERT warns of zero-day vulnerabilities in I-O data routers

If exploited, the flaws allow attackers to alter device settings, execute arbitrary commands, and disable the firewall.
5 December 2024