
Weekly Cyber Round-up

Intelligence Report

October 17, 2024

Earth Simnavaz targets UAE and Gulf region with STEALHOOK backdoor

Trend Micro researchers observed an ongoing campaign by the Iranian state-sponsored hacking group Earth Simnavaz, actively targeting governmental entities in the UAE and the wider Gulf region. The group is using a new backdoor, dubbed STEALHOOK, which leverages Microsoft Exchange servers for credential theft. Earth Simnavaz is expected to use the stolen credentials for further attacks. STEALHOOK can retrieve email data, send emails and gather user credentials, and has code similarities to the Karkoff backdoor used in previous Earth Simnavaz campaigns. Initial access is gained via a web shell uploaded to a vulnerable server. Once inside, Earth Simnavaz employs custom .NET tools, PowerShell scripts, IIS-based malware, and remote monitoring tools such as Ngrok.


Telekopye targets tourists via hotel booking scams

ESET researchers observed an expansion in the operations of Telekopye, a Telegram bot used to scam users on online marketplaces. Scammers using Telekopye have now started targeting popular accommodation booking platforms like Booking[.]com and Airbnb to maximise their financial gains. The hotel booking scams started gaining traction in 2024 and have been especially prevalent in the summer holiday season. The new activity ultimately leads to victims being asked for card details for payment, which the scammers harvest to steal money. The researchers also observed improvements being made to the tools and operations used by Telekopye scammers.

Fraudulent North Korean IT workers steal intellectual property for extortion

Secureworks researchers analysed the tactics employed by NICKEL TAPESTRY, which conducts remote IT worker schemes linked to the North Korean government. In some of the schemes, fraudulent workers were observed demanding ransom payments from former employers after gaining insider access. This activity suggests that NICKEL TAPESTRY has expanded its operations to include theft of intellectual property, with the potential for monetary gain through extortion, rather than aiming to maintain consistent employment.

SideWinder APT targets Middle East and Africa with StealerBot implant

Kaspersky researchers identified the SideWinder advanced persistent threat (APT) group expanding its attack operations to target the Middle East and Africa. Targeted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. SideWinder was also observed employing a new espionage toolkit, dubbed StealerBot, which is currently assessed to be its main post-exploitation tool. As an initial infection vector, SideWinder typically leverages spear phishing emails with attached documents that contain information obtained from public websites. Some of the documents were observed using the remote template injection technique to download an RTF file designed to exploit CVE-2017-11882 in Microsoft Office, while others used ZIP files containing a malicious LNK file. StealerBot’s identified plugins enable it to install additional malware, take screenshots, log keystrokes, steal passwords, intercept RDP credentials, steal files, start a reverse shell, phish Windows credentials, and escalate privileges by bypassing UAC.

Iranian threat actors use brute force attacks to compromise critical infrastructure organisations

On October 16th, 2024, United States, Canadian, and Australian authorities released a joint advisory warning that Iranian threat actors are using brute force attacks and other techniques to compromise organisations across multiple critical infrastructure sectors. The threat actors likely aim to obtain credentials and information that can be sold to other actors as a means of gaining initial access or conducting additional malicious activity. Targeted sectors include healthcare and public healthcare, government, information technology, engineering, and energy. The threat actors begin with reconnaissance operations to gather victim identity information and later gain persistent access to victim networks via brute force attacks such as password spraying or multifactor authentication push bombing. After gaining access, the actors use open-source tools and methodologies, such as living off the land techniques, to gather more credentials, escalate privileges, and gain information about the target’s systems and network.

Ransomware

Volume of blog posts by operators during the last week.

- Volkswagen monitoring data dump threat from 8Base ransomware crew – TheRegister.com – Oct 16 2024
- Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data – Trend Micro – Oct 16 2024
- Gryphon Healthcare, Tri-City Medical Center Disclose Significant Data Breaches – SecurityWeek RSS Feed – Oct 14 2024
- Casio Confirms Ransomware Outage and Data Breach – Infosecurity Today – Oct 14 2024
- Ransomware Landscape in H1 2024: Statistics and Key Issues – S2W Blog – Oct 14 2024
- Rhysida Leaks Nursing Home Data, Demands $1.5M From Axis – Health Care Info Security – Oct 11 2024
- Lynx Ransomware: A Rebranding of INC Ransomware – Unit42 Palo Alto – Oct 10 2024

High Priority Vulnerabilities

Name | Software | Base Score | Temp Score
CVE-2024-38178 | Windows | 7.5 | 7.2
  Related: TA-RedAnt exploits Microsoft Internet Explorer zero-day to deliver RokRAT
CVE-2024-40711 | Backup & Replication | 9.8 | 8.8
  Related: Akira and Fog ransomware now exploit critical Veeam RCE flaw
CVE-2023-42793 | TeamCity | 9.8 | 7.0
  Related: APT29 exploits multiple unpatched vulnerabilities in ongoing global campaign
CVE-2024-28987 | Web Help Desk | 9.1 | 7.3
  Related: CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability
CVE-2024-9380 | Cloud Services Appliance | 7.2 | 6.9
  Related: Ivanti CSA zero-days exploited in attempt to deploy rootkit
