26 April 2024

Cyber Security Week in Review: April 26, 2024


ArcaneDoor state-backed cyberespionage campaign exploits Cisco zero-days

A threat actor tracked as UAT4356 (aka Storm-1849) has been observed exploiting two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices to plant backdoors on the affected perimeter devices.

Dubbed “ArcaneDoor” by Cisco Talos, the campaign deployed two distinct implants: “Line Dancer,” an in-memory implant, and “Line Runner,” a persistent backdoor that survives reboots. The implants were used for configuration manipulation, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement within compromised networks.

CrushFTP patches actively exploited zero-day

Developers behind the CrushFTP enterprise file transfer software have urged users to update to the latest version following the discovery of a vulnerability (CVE-2024-4040) that lets an unauthenticated remote attacker escape the virtual file system (VFS) sandbox and read files outside it, which can be escalated to full compromise of the server. The flaw is said to have been actively exploited in the wild: according to cybersecurity firm CrowdStrike, it is being used in attacks on CrushFTP servers at multiple US entities by a possibly politically motivated cyberespionage group.

Data from the Shadowserver threat monitoring platform shows that currently there are at least 1,400 CrushFTP servers exposed on the internet, with the majority of them located in the United States, followed by Germany, Canada and the UK.

Palo Alto Networks releases a remediation guide related to CVE-2024-3400 exploitation

Palo Alto Networks has released a knowledge base advisory with remediation instructions for customers depending on the level of exploitation of a recently disclosed PAN-OS zero-day flaw.

Tracked as CVE-2024-3400, the issue is a command injection flaw in the GlobalProtect feature that may enable an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. It affects PAN-OS 10.2, 11.0 and 11.1 firewalls with a GlobalProtect gateway or portal configured; Cloud NGFW, Panorama appliances, Prisma Access and other PAN-OS versions are not impacted. Threat actors have been exploiting the vulnerability as a zero-day to deploy a Python backdoor since at least March 2024.

Russian Sandworm hackers planned over 20 attacks on Ukraine’s critical infrastructure

Ukraine’s computer emergency response team (CERT-UA) said it detected and disrupted a malicious campaign in March 2024 aimed at disrupting the stable operation of the information and communication systems (which CERT-UA abbreviates as ICS) of around twenty entities in the energy, water and heat supply sectors in ten regions of Ukraine.

The compromised computers were used to automate technological processes (SCADA) with domestically developed specialized software. CERT-UA’s analysis of the infected Linux hosts found a new set of tools: ‘BiasBoat,’ a Linux variant of the well-known backdoor Queueseed (aka Knuckletouch, Icywell, Wrongsens, Kapeka), and a loader called ‘LoadGrip.’ On Windows systems, the threat actor deployed the Queueseed backdoor and the GossipFlow malware.

Russia’s Fancy Bear exploits Windows Print Spooler flaw to deploy GooseEgg malware

The Russian nation-state threat actor APT28 (Fancy Bear) has been observed exploiting a vulnerability in the Microsoft Windows Print Spooler service (CVE-2022-38028) to deploy the GooseEgg malware in attacks targeting government, non-governmental, education and transportation sector organizations in Ukraine, Western Europe and North America. GooseEgg is a post-exploitation tool that executes commands with elevated permissions, allowing the threat actor to pursue follow-on objectives such as remote code execution, installing a backdoor and moving laterally through compromised networks.

MITRE discloses a security breach via Ivanti zero-days

The MITRE Corporation said its R&D system was hacked by a nation-state threat actor via one of the organization’s Virtual Private Networks (VPNs). The attackers exploited two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) and bypassed multi-factor authentication using session hijacking. The threat actor then moved laterally and accessed the network’s VMware infrastructure via a compromised administrator account. The attackers employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

Threat actor uses Signal spearphishing to infect Ukrainian military personnel with malware

CERT-UA detailed two malicious campaigns targeting the Ukrainian government and military. The first campaign, linked to a threat actor tracked as UAC-0149, has been targeting the Ukrainian Defense Forces with the CookBox malware disseminated through the Signal messaging app. To get the malware running on targeted systems, the attackers send crafted archives that exploit a critical WinRAR vulnerability (CVE-2023-38831).
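CVE-2023-38831 is triggered by archive layout rather than by a malformed file: the archive holds a harmless-looking decoy (say, `invoice.pdf`) next to a folder of the same name, and that folder contains a script whose name is the decoy’s name followed by a space and an executable extension (`invoice.pdf .cmd`). When the victim opens the decoy in a vulnerable WinRAR build, the script is executed instead. That structure can be checked on the mail gateway or sandbox before anything is opened. The following Python script is an added example written for this review, not code from CERT-UA or from the campaign; the archive contents, entry names and the `find_cve_2023_38831_collisions` function are constructed for illustration, and the sample archive is built in memory so nothing touches disk.

```python
import io
import posixpath
import zipfile


def parent_dirs(name):
    """Yield every directory prefix of a ZIP entry path, with a trailing slash.

    ZIP archives do not have to carry explicit directory entries, so the
    directory set is derived from the entry paths themselves.
    """
    parts = name.rstrip("/").split("/")
    for i in range(1, len(parts)):
        yield "/".join(parts[:i]) + "/"


def find_cve_2023_38831_collisions(zip_bytes):
    """Return (decoy, payload) pairs whose layout matches CVE-2023-38831.

    A hit requires a file entry X and a directory X/ that holds a direct child
    named "<basename of X> <anything>" (note the space). Detection is purely
    structural; no entry is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    dirs = {n for n in names if n.endswith("/")}
    for n in names:
        dirs.update(parent_dirs(n))

    for decoy in files:
        if decoy + "/" not in dirs:
            continue  # no same-named folder, so no collision
        decoy_base = posixpath.basename(decoy)
        for candidate in files:
            if not candidate.startswith(decoy + "/"):
                continue
            inner = candidate[len(decoy) + 1:]
            if "/" in inner:
                continue  # the exploit places the script directly in the folder
            if inner.startswith(decoy_base + " "):
                findings.append((decoy, candidate))
    return findings


def build_sample_archive(decoy="invoice.pdf"):
    """Constructed sample mimicking the malicious layout with harmless contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4 decoy document")
        zf.writestr(f"{decoy}/{decoy} .cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed sample with a normal layout that must not trigger a hit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 real document")
        zf.writestr("attachments/readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        print(label, find_cve_2023_38831_collisions(blob))
```

The check deliberately keys on the trailing space in the inner file name, since that is what makes WinRAR pick the script when the decoy is opened; a folder that merely shares a name with a file is unusual but not on its own a sign of this exploit. Run it over every ZIP attachment at ingestion time and quarantine anything that returns a non-empty list.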

The second campaign attempts to hijack victims’ WhatsApp accounts via a fake electronic petition for the conferment of the title “Hero of Ukraine.”

Chinese hackers reportedly breach Volkswagen Group, steal proprietary technology

A Chinese state-backed hacking group reportedly breached the Volkswagen Group, stealing nearly 19,000 sensitive documents related to the company's proprietary technology. The breach, which occurred between 2010 and 2014, targeted various aspects of Volkswagen's innovation, including gas engines, transmission systems, and electric and hydrogen car technologies.

North Korean hackers target South Korean defense contractors

South Korea's police have disclosed that North Korean hacking groups have been carrying out extensive cyber attacks against South Korean defense companies for over a year, resulting in the breach of internal networks and theft of technical data. The hacking teams, believed to be affiliated with North Korea's intelligence apparatus, including groups known as Lazarus, Kimsuky, and Andariel, have been identified as the perpetrators behind these cyber intrusions described as “all-out” by authorities. According to police reports, the attackers deployed malware into the data systems of defense companies, either directly or through contractors associated with them.

Additionally, Lazarus has been observed deploying a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. Security researchers also noticed that the North Korean hackers have resumed uploading malicious packages on npm.

Russia and Iran pose the biggest risk to elections, Mandiant says

Google’s Mandiant published a lengthy report on the 2024 election cybersecurity landscape, including a list of nation-state actors likely to attack election-related targets.

Iranian hackers abuse RMM tools to deliver malware

The Iran-affiliated state-backed threat actor tracked as MuddyWater (aka Mango Sandstorm, Seedworm or TA450) has been linked to a malware campaign involving a legitimate remote monitoring and management (RMM) tool called Atera Agent. The targeted sectors include airlines, IT companies, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel and tourism, employment/immigration agencies, and small businesses across Israel, India, Algeria, Turkey, Italy, and Egypt.

The US charges four Iranian hackers for cyber intrusions

The US authorities have charged four Iranian nationals for their alleged involvement in a sophisticated multi-year cyber campaign targeting both government and private entities, including the US Department of Treasury and State systems, defense contractors, and various New York-based companies.

GuptiMiner campaign hijacks antivirus updates to distribute backdoors

A sophisticated malware campaign, dubbed GuptiMiner, has been hijacking the update mechanism of eScan antivirus software to distribute backdoors and coinminers. The attackers intercept the updater’s traffic in a man-in-the-middle position and swap legitimate update packages for malicious ones. The campaign, attributed to a threat actor potentially linked to the North Korean state-backed Kimsuky group, targets large corporate networks, and its primary objective is to plant backdoors inside them. GuptiMiner also drops the XMRig cryptocurrency miner on infected devices through its final-stage malware, called ‘Puppeteer.’

An ongoing malware campaign targets multiple industries, distributes infostealers

Cisco Talos threat intelligence research group has uncovered a sophisticated and ongoing cyber campaign, targeting victims across multiple countries since at least February 2024 with three infostealer malware variants: Cryptbot, LummaC2, and Rhadamanthys.

This malware is designed to harvest sensitive information from victims, including system and browser data, credentials, cryptocurrency wallets, and financial information.

Security researchers sinkholed C&C server used by PlugX malware

Researchers at cybersecurity firm Sekoia have successfully sinkholed a command-and-control (C&C) server used by the PlugX USB worm. Sekoia says that nearly 100,000 compromised devices continue to reach out to the server for instructions each day, and over the span of six months the researchers observed more than 2.5 million unique devices contacting it. Sekoia also notes that the malware includes a remote uninstallation feature, and has offered assistance to national Computer Emergency Response Teams (CERTs) for conducting disinfection campaigns across their countries’ IP spaces.

Frozen#Shadow campaign uses SSLoad malware and RMMs for domain takeover

The Securonix Threat Research team (STR) detailed a campaign involving SSLoad malware and Cobalt Strike implants used for network domain takeover.

SSLoad malware (not to be confused with SLoader) was the primary loader deployed by the threat actors during the Frozen#Shadow campaign, alongside Cobalt Strike and the ScreenConnect RMM (remote monitoring and management) software. SSLoad is designed to stealthily infiltrate systems, gather sensitive information and send it back to its operators. Once inside a system, SSLoad deploys multiple backdoors and payloads to maintain persistence and evade detection.

New Brokewell banking malware spreads via fake browser updates

A new Android malware called Brokewell has been discovered being spread through fake browser update pages. The trojan combines data-stealing and remote-control features and is actively evolving, with recent updates enabling it to capture touch events, on-screen text and launched applications. Like other recent Android malware, it bypasses the restriction that blocks sideloaded apps from being granted accessibility service permissions, which it then abuses for its overlay and remote-control capabilities.

US charges Samourai cryptomixer founders with laundering $100 million

The US Department of Justice has charged Keonne Rodriguez and William Lonergan Hill, the founders of Samourai, a cryptocurrency mixing service, for allegedly laundering over $100 million from various criminal enterprises over almost a decade. According to the DoJ, since 2015, Samourai Wallet has been used by cybercriminals as a means to launder illicit funds, masquerading as a legitimate privacy-oriented service.

Following Samourai’s takedown, the FBI released an alert warning against using unlicensed cryptocurrency money transmitting services, because people, who use such services “may encounter financial disruptions during law enforcement actions, especially if their cryptocurrency is intermingled with funds obtained through illegal means.”

The US imposes visa restrictions on individuals linked to commercial spyware

The US Department of State said it imposed visa restrictions on 13 individuals allegedly involved in the development and sale of commercial spyware.

The Department of State stated that the targeted individuals, whose names it didn’t disclose, have either facilitated or gained financial benefit from the misuse of commercial spyware, which has been used to surveil and intimidate individuals deemed critical of certain governments or ideologies.
