
Weekly Cyber Round-up

Intelligence Report

July 25, 2024

Threat actors exploit CrowdStrike update incident with malware and phishing attempts

Security researchers have observed numerous threat actors exploiting the disruption caused by the recent CrowdStrike update incident to target companies with data wipers, remote access tools, and typosquatted domains. CrowdStrike researchers observed the distribution of a malicious ZIP archive containing a HijackLoader payload that leads to execution of the Remcos remote access trojan (RAT), as well as the distribution of Daolpu Stealer and Lumma Stealer. The data-wiper campaign was claimed by the Handala hacker group, which stated that it is specifically targeting Israeli companies. Cyble researchers also identified numerous malicious domains registered to target individuals and organisations following the incident.
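As an added example (not CrowdStrike's, Cyble's or the report's code), this is the kind of check a defender can run over newly registered domains or proxy logs to flag CrowdStrike-incident lookalikes: it allowlists the vendor's real domain, then scores the registrable label by brand-token containment alongside incident-themed words, and by edit distance to the brand. The brand tokens, theme words, allowlist and sample domains are assumptions constructed for illustration, not the domains Cyble identified.

```python
"""Score candidate domains for CrowdStrike-incident typosquats.

Added example, not code from CrowdStrike, Cyble or the report. Every list
below is a constructed assumption; SAMPLE_DOMAINS is NOT Cyble's indicator list.
"""
import re
from typing import Dict, List, Optional

BRAND_TOKENS = ("crowdstrike", "falcon")                       # assumed brand/product names
THEME_TOKENS = ("bsod", "bluescreen", "fix", "hotfix", "outage",
                "update", "recovery", "claim")                 # assumed incident-themed words
ALLOWLIST = {"crowdstrike.com"}                                # assumed: the vendor's real domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'crowdstrike-bsod.com' -> 'crowdstrike-bsod'.
    Assumes a single-label public suffix; production code should use the PSL."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Optional[str]:
    """Return a reason if the domain looks like an incident-themed lookalike, else None."""
    domain = domain.lower()
    if domain in ALLOWLIST or domain.endswith(tuple("." + a for a in ALLOWLIST)):
        return None
    label = registrable_label(domain)
    # Rule 1: the brand embedded in a non-vendor domain, worse if paired with a theme word.
    for brand in BRAND_TOKENS:
        if brand in label:
            themed = [t for t in THEME_TOKENS if t in label]
            if themed:
                return f"brand '{brand}' combined with theme {themed}"
            return f"brand '{brand}' in non-vendor domain"
    # Rule 2: a near-miss spelling of the brand in any hyphen/underscore-separated chunk.
    for chunk in re.split(r"[-_]", label):
        for brand in BRAND_TOKENS:
            d = levenshtein(chunk, brand)
            if 0 < d <= 2 and len(chunk) >= len(brand) - 2:
                return f"'{chunk}' is within edit distance {d} of '{brand}'"
    return None


SAMPLE_DOMAINS: List[str] = [        # constructed sample input, not real indicators
    "crowdstrike.com",
    "support.crowdstrike.com",
    "crowdstrike-bsod.com",
    "crowdstrikefix.net",
    "crowstrike.com",
    "crowdstrlke-outage.info",
    "example.org",
]


def scan(domains: List[str]) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}


if __name__ == "__main__":
    for dom, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:28} {reason}")
```

The allowlist must be checked before any scoring, otherwise the vendor's own subdomains fire Rule 1; in a real pipeline the public-suffix list replaces the single-label assumption in registrable_label.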


UAV lures used to deploy GLUEGG and DROPCLUE in attacks on Ukrainian defence sector  

The Computer Emergency Response Team of Ukraine warned of new cyberattacks on Ukrainian defence enterprises by UAC-0180. The attacks use lures about unmanned aerial vehicle (UAV) purchases to deploy malware such as GLUEGG and DROPCLUE, with the end goal of installing the legitimate Atera remote management software for unauthorised remote access. The attackers may also impersonate employees of government agencies to add credibility. The initial infection vector is a ZIP attachment containing a PDF document with an embedded link. The link downloads GLUEGG, which decrypts and runs the DROPCLUE downloader; DROPCLUE fetches a decoy PDF alongside an EXE file, and the EXE downloads and installs Atera.
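The initial vector above is a ZIP attachment carrying a PDF whose link starts the chain. The following added example (not CERT-UA's or the report's code) is a mail-gateway style triage check that opens such an attachment, sniffs for PDF content regardless of the file extension, and pulls the target URLs out of the PDF's link annotations. The ZIP, the PDF and the URL in it are constructed in memory and are not indicators from the advisory.

```python
"""Triage a ZIP attachment for PDFs that carry clickable external links.

Added example, not code from CERT-UA or the report. The ZIP and PDF are built
in memory as constructed sample input; the URL is a placeholder, not a real
UAC-0180 indicator.
"""
import io
import re
import zipfile
from typing import Dict, List

# A /URI action whose target is a PDF literal string "( ... )", allowing escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_lure_pdf(url: bytes) -> bytes:
    """Minimal single-page PDF with one link annotation pointing at `url`.
    Constructed sample input; it has no xref table, which readers tolerate."""
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]",
        b"   /A << /S /URI /URI (" + url + b") >> >> endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


def pdf_links(data: bytes) -> List[str]:
    """Extract /URI targets from raw PDF bytes.
    Caveat: only uncompressed objects are seen. Real lures often put annotations
    inside FlateDecode object streams, so inflate those before scanning."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def triage_zip(zip_bytes: bytes) -> List[Dict]:
    """One finding per archive member; PDFs with http(s) links are marked suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            is_pdf = data.startswith(b"%PDF")          # sniff content, do not trust the name
            links = pdf_links(data) if is_pdf else []
            findings.append({
                "member": info.filename,
                "is_pdf": is_pdf,
                "extension_mismatch": is_pdf != info.filename.lower().endswith(".pdf"),
                "links": links,
                "suspicious": is_pdf and any(
                    l.lower().startswith(("http://", "https://")) for l in links),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a lure-like PDF plus an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UAV_purchase_request.pdf",
                    build_lure_pdf(b"https://example.invalid/download"))   # placeholder URL
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Content sniffing rather than extension matching matters because the chain later drops an EXE next to a decoy PDF; the same member loop can be extended to flag PE headers (`MZ`) under any extension.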

APT41 campaign targets multiple industries on a global scale

Mandiant researchers detailed an ongoing campaign, attributed to the threat group APT41, targeting organisations in the global shipping and logistics, media and entertainment, technology, and automotive sectors. APT41 has infiltrated and maintained access to multiple victim networks since 2023, with the campaign primarily targeting organisations in Italy, Spain, Taiwan, Thailand, Turkey, and the UK. The campaign involves the use of ANTSWORD and BLUEBEAM web shells for persistence, while the DUSTPAN dropper is used to execute the BEACON backdoor for C2 communication. APT41 also leveraged DUSTTRAP for hands-on keyboard activity, SQLULDR2 to export data from Oracle databases, and PINEGROVE to exfiltrate data to Microsoft OneDrive.
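Two of the behaviours above are visible in ordinary endpoint telemetry: a web shell such as ANTSWORD or BLUEBEAM shows up as the web server process spawning a command interpreter, and SQLULDR2 shows up as a process-creation event. The following added example (not Mandiant's or the report's code) runs those two rules over constructed Sysmon-style events; the process-name lists are assumptions chosen for illustration, and the sample events are not indicators from the report.

```python
"""Hunt process-creation events for web-shell spawns and SQLULDR2 execution.

Added example, not Mandiant's or the report's code. Events are constructed,
Sysmon-style records (Image, ParentImage, CommandLine, OriginalFileName); the
WEB_SERVERS and SHELLS sets are assumptions, not indicators from the report.
"""
import re
from typing import Dict, List, Tuple

# Assumed: common web server worker processes (Windows and Linux) ...
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe", "php-cgi.exe",
               "httpd", "apache2", "nginx", "java", "php-fpm"}
# ... and the interpreters a web shell typically spawns.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "sh", "bash", "dash"}


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty if nothing fired)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if parent in WEB_SERVERS and child in SHELLS:
        hits.append("webshell_spawn")
    # Check the on-disk name, the PE OriginalFileName (survives renaming) and the
    # command line (catches a renamed copy invoked by its original name).
    if any(n.startswith("sqluldr2") for n in (child, original)) or "sqluldr2" in cmdline:
        hits.append("sqluldr2_export")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Evaluate every event; return (EventId, rules) for the ones that fired."""
    results = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            results.append((ev["EventId"], hits))
    return results


# Constructed sample telemetry; values are illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventId": "2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventId": "3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Temp\svc.exe", "OriginalFileName": "sqluldr2.exe",      # renamed binary
     "CommandLine": 'svc.exe user=app/pw@orcl query="select * from customers" file=c:\\temp\\c.csv'},
    {"EventId": "4", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Apache24\bin\httpd.exe", "CommandLine": "httpd.exe -k runservice"},
    {"EventId": "5", "ParentImage": "/usr/sbin/httpd",
     "Image": "/bin/sh", "CommandLine": "sh -c id"},
]


if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS):
        print(event_id, rules)
```

Both rules need baselining: SQLULDR2 is a legitimate DBA tool, and some CGI deployments spawn shells by design, so scope the alerts to hosts where neither is expected. The OneDrive exfiltration via PINEGROVE is not visible in process events alone and needs proxy or cloud-app telemetry.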

Vigorish Viper develops technology supply chain for Chinese organised crime

Infoblox researchers identified a threat actor, dubbed Vigorish Viper, that is responsible for designing, developing, and operating a supply chain which facilitates Chinese organised crime, money laundering, and human trafficking throughout Southeast Asia. The technology suite is composed of software, Domain Name System configurations, website hosting, payment mechanisms, mobile applications, and more. The technology is employed by tens of seemingly unrelated gambling brands that are promoted via sponsorship deals with European sports teams, including English Premier League teams. The researchers assess with high confidence that Vigorish Viper’s technology suite was developed by the Yabo Group, who are believed to be the biggest illegal gambling operation targeting Greater China.

Daggerfly uses updated backdoors to target organisations in China and Taiwan 

Symantec researchers identified new tools linked to the Daggerfly espionage group that have been used in attacks against organisations in Taiwan and a United States non-governmental organisation based in China. Among them are the previously unattributed macOS backdoor Macma and the new Windows backdoor Suzafk. Daggerfly also exploited a vulnerability in Apache HTTP Server to deliver its Mgbot malware. Macma is a modular backdoor in use since at least 2019; it was distributed via watering-hole attacks on Hong Kong websites that exploited the CVE-2021-30869 privilege escalation vulnerability. Suzafk is a multi-stage backdoor first observed in March 2024, used alongside Mgbot.

Ransomware

Chart (not reproduced here): volume of blog posts by ransomware operators during the last week.

Ransomware Groups Fragment Amid Rising Cybercrime Threats – Infosecurity Today – Jul 22 2024
From RA Group to RA World: Evolution of a Ransomware Group – Unit42 Palo Alto – Jul 22 2024
Ransomware Has Outsized Impact on Gas, Energy & Utility Firms – Dark Reading – Jul 19 2024
Two Russian Nationals Plead Guilty in LockBit Ransomware Attacks – The Hacker News – Jul 19 2024
Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma – Trend Micro Simply Security – Jul 19 2024

High Priority Vulnerabilities

Name             Software             Base Score   Temp Score
CVE-2024-21412   Windows              8.1          6.0
  Related: Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
CVE-2024-39891   Authy                5.3          5.1
  Related: Organizations Warned of Exploited Twilio Authy Vulnerability
CVE-2024-37998   SICORE Base system   9.8          6.2
  Related: Siemens Patches Power Grid Product Flaw Allowing Backdoor Deployment
CVE-2024-23897   Jenkins              7.5          3.2
  Related: BORN Group Supply Chain Breach: In-Depth Analysis of Intelbroker’s Jenkins Exploitation
CVE-2024-23692   HTTP File Server     9.8          9.8
  Related: Spear Phishing Campaigns Target Institutions in Ukraine with HATVIBE and CHERRYSPY Malware
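The report does not say how its Temp Score is derived. As an added check (example code, not the report's own scoring), the CVSS v3.1 temporal equation applied to the Base Score column shows that for three of the five rows the listed Temp Score cannot be reached from the listed base by any choice of v3.1 temporal metrics (a base of 8.1, for instance, can fall no lower than 6.5), so the column should be read as the report's own prioritisation metric rather than as a CVSS temporal score. Base and temp values below are copied from the table above; the equation and weights are those of the CVSS v3.1 specification.

```python
"""CVSS v3.1 temporal score calculator, used as a check on the table above.

Added example; not the report's scoring code. Implements
    Temporal = Roundup(Base x ExploitCodeMaturity x RemediationLevel x ReportConfidence)
with the metric weights from the CVSS v3.1 specification.
"""
from itertools import product
from typing import Dict, Tuple

# Temporal metric weights (X = Not Defined).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, computed on
    integers to avoid floating-point drift, as the spec's reference code does."""
    i = round(value * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def temporal(base: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """Temporal score for one choice of temporal metrics."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def temporal_range(base: float) -> Tuple[float, float]:
    """Lowest and highest temporal score any metric combination can produce."""
    scores = [temporal(base, e, rl, rc) for e, rl, rc in
              product(EXPLOIT_CODE_MATURITY, REMEDIATION_LEVEL, REPORT_CONFIDENCE)]
    return min(scores), max(scores)


# (Base Score, Temp Score) as listed in the table above.
TABLE: Dict[str, Tuple[float, float]] = {
    "CVE-2024-21412": (8.1, 6.0),
    "CVE-2024-39891": (5.3, 5.1),
    "CVE-2024-37998": (9.8, 6.2),
    "CVE-2024-23897": (7.5, 3.2),
    "CVE-2024-23692": (9.8, 9.8),
}


def reachable_by_v31(table: Dict[str, Tuple[float, float]]) -> Dict[str, bool]:
    """True where the listed Temp Score lies inside the v3.1 temporal range of the Base Score."""
    result = {}
    for cve, (base, temp) in table.items():
        lo, hi = temporal_range(base)
        result[cve] = lo <= temp <= hi
    return result


if __name__ == "__main__":
    verdicts = reachable_by_v31(TABLE)
    for cve, (base, temp) in TABLE.items():
        lo, hi = temporal_range(base)
        print(f"{cve}: base {base}, v3.1 temporal range [{lo}, {hi}], listed {temp}: "
              f"{'reachable' if verdicts[cve] else 'NOT reachable'}")
```

The integer-based roundup is not cosmetic: the spec's earlier floating-point Roundup produced off-by-0.1 results on some inputs, which is why v3.1 defines it this way.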
