Get a demo

Weekly Cyber Round-up

Intelligence Report

June 20, 2024

UNC3944 shifts focus to data theft from SaaS applications

Mandiant researchers observed UNC3944 adapting its techniques to include data theft from software-as-a-service (SaaS) applications. Following extensive reconnaissance, UNC3944 exfiltrates data from SaaS applications via cloud synchronization utilities. UNC3944 leverages social engineering techniques to target help desks for initial access, with the group already in possession of victims’ personally identifiable information to help bypass user identity verification. The group uses Okta permissions abuse techniques to pivot from on-premises infrastructure to cloud and SaaS applications. UNC3944 has been active since at least May 2022 and previously focused on credential harvesting and SIM swapping attacks, before moving to ransomware, and ultimately data theft extortion attacks without ransomware. This change in objectives has resulted in an expansion in targeted industries and organisations.

Get the alert delivered directly to your inbox

UTA0137 targets Indian government with DISGOMOJI malware 

In 2024, Volexity researchers discovered a cyberespionage campaign attributed to a suspected Pakistan-based threat actor, dubbed UTA0137. The campaign targets government entities in India that use the Linux distribution BOSS with a new Golang malware, dubbed DISGOMOJI. UTA0137 was observed exploiting the DirtyPipe privilege escalation flaw, while also leveraging the Zenity utility to display malicious dialog boxes as part of social engineering efforts to obtain user passwords. DISGOMOJI was previously seen in a campaign by APT36 that targeted the aerospace sector. Volexity researchers also noted weak infrastructure links to SideCopy. 

Cosmic Leopard targets Indian entities with GravityRAT and HeavyLift

Cisco Talos researchers discovered a new espionage campaign, dubbed Operation Celestial Force, that has been active since at least 2018 and targets Indian entities likely belonging to defence, government, and related technology spaces. The campaign involves the use of a Windows-based loader, dubbed HeavyLift, as well as Windows and Android versions of GravityRAT. The infections of both malware are administered by a standalone tool, dubbed GravityAdmin, that is designed to manage multiple campaigns. The campaign is attributed with high confidence to a Pakistani nexus of threat actors, dubbed Cosmic Leopard, that focuses on espionage and surveillance.

Threat actors exploit hotel booking systems to conduct travel scams

Abnormal Security researchers observed threat actors using a ‘cash-out’ method that involves converting credit cards stolen from hotel booking systems into cash. The threat actors typically target hotels that do not have multi-factor authentication or two-factor authentication processes. Fake advertisements offering a discount on hotel room bookings are used as a lure. Victims then send payments, often in the form of cryptocurrency, to the threat actors to reserve their stay. The payments made to the threat actors are untraceable and allows them to convert the stolen credit card information into cash.

AridSpy spread via trojanised apps in suspected Arid Viper campaign

Since 2022, ESET researchers observed five campaigns targeting Android users in Egypt and Palestine with trojanised apps designed to deploy the Android malware, AridSpy. The malware was observed being distributed through dedicated websites for the malicious NortirChat, LapizaChat, and ReblyChat messaging apps, as well as a job opportunity app and a Palestinian Civil Registry app. Three of the campaigns are currently still ongoing. AridSpy is capable of deactivating itself and has multiple functionalities for data collection and exfiltration, including keylogging focusing on Facebook Messenger and WhatsApp. The malware is attributed with medium confidence to the advanced persistent threat actor, Arid Viper.


Volume of blog posts by operators during the last week.

DarkVault: A Rising Menace in the Ransomware UnderworldMedium Cybersecurity – Jun 19 2024Beware of Nevermore Actor Promoting Ransomware BuilderGBHackers On Security – Jun 19 2024More than 1500 Cancellations Following NHS RansomwareSC Magazine UK – Jun 17 2024Keytronic confirms data breach after ransomware gang leaks stolen filesBleeping Computer – Jun 14 2024Ransomware Roundup – Shinra and Limpopo RansomwareFortinet – Jun 14 2024Grand Traverse County Faces Cyberattack: FBI and State Police InvestigateThe Cyber Express – Jun 13 2024

High Priority Vulnerabilities

Name Software Base
CVE-2024-30078 Windows 8.8 7.7
Related: Threat actor claims to sell exploit for Windows RCE flaw
CVE-2024-32896 7.8
Related: Google Pixel Vulnerability Under Active Exploitation Now Has a Fix
CVE-2019-6268 SecFlow-2 3.5 3.4
Related: CISA Warns of PoC Exploit for Vulnerability in RAD SecFlow-2 Industrial Switch
CVE-2024-29824 Endpoint Manager 7.3 7.0
Related: PoC released for Ivanti EPM SQL injection flaw that leads to remote code execution
CVE-2017-11882 Office 7.8 6.0
Related: Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

Get the full report
delivered to your inbox​

By filling out and submitting this request you give us your consent to use and store the information  you have provided for the purpose set out above or in connection with it. For more information, see our Privacy Policy.