2 August 2024

Cyber Security Week in Review: August 2, 2024

Cybercriminals exploit recently patched VMware ESXi flaw to deploy ransomware

A recently patched vulnerability in VMware ESXi hypervisors is being actively exploited by threat actors to gain access to target networks and deploy ransomware. The flaw (CVE-2024-37085) allows attackers to obtain full administrative permissions on domain-joined ESXi hypervisors.

Attackers utilize specific commands to create a group named “ESX Admins” in the domain and add a user to it. The ESXi hypervisors, when joined to an Active Directory domain, recognize any member of the “ESX Admins” group as having full administrative rights by default. This group is not built-in and does not exist by default, and ESXi hypervisors do not validate its existence. Consequently, any member of a group named “ESX Admins” gains full administrative access, irrespective of its origin or security identifier (SID).

According to the recent data from the Shadowserver Foundation, there are more than 20,000 internet-accessible ESXi instances potentially vulnerable to CVE-2024-37085.
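As an added example that is not part of the original article, the following Python check runs over domain controller Security events and flags exactly the behaviour described above: a group named "ESX Admins" being created, an existing group being renamed to that name, or a member being added to it. The event IDs are the standard Windows group-management events; the sample events are constructed.

```python
import re
from typing import Iterable

# Windows Security event IDs a domain controller logs for AD group creation,
# membership changes and account renames (global, local and universal groups).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}

# ESXi matches the group purely by name (not by SID), so the check is
# case-insensitive and ignores surrounding whitespace.
TARGET = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def esx_admins_alerts(events: Iterable[dict]) -> list[str]:
    """Return one alert line per event that creates, renames to, or adds a
    member to a group named 'ESX Admins'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        who = ev.get("SubjectUserName")
        if eid in GROUP_CREATED and TARGET.match(ev.get("TargetUserName", "")):
            alerts.append(f"{eid}: group '{ev['TargetUserName']}' created by {who}")
        elif eid in ACCOUNT_RENAMED and TARGET.match(ev.get("NewTargetUserName", "")):
            alerts.append(f"{eid}: '{ev.get('OldTargetUserName')}' renamed to "
                          f"'{ev['NewTargetUserName']}' by {who}")
        elif eid in MEMBER_ADDED and TARGET.match(ev.get("TargetUserName", "")):
            alerts.append(f"{eid}: {ev.get('MemberName')} added to "
                          f"'{ev['TargetUserName']}' by {who}")
    return alerts


# Constructed sample events; field names follow the Windows Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4727, "TargetUserName": "Helpdesk", "SubjectUserName": "admin"},
    {"EventID": 4781, "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins", "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for line in esx_admins_alerts(SAMPLE_EVENTS):
        print(line)
```

The rename case matters because the hypervisor does not care how the group came to carry that name, so a created-group rule alone misses it.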

Germany blames China for cyberattack on BKG

Germany’s authorities have attributed a 2021 cyberattack on the Federal Office of Cartography and Geodesy (BKG) to China-linked state-sponsored hackers that infiltrated the BKG's network for espionage purposes.

The attackers utilized compromised end devices from private individuals and companies, forming obfuscation networks to mask their activities. Officials said that the threat actor had managed to partially compromise the network and that no additional malware was found on BKG systems.

UK’s Electoral Commission reprimanded for August 2021 breach

The United Kingdom's Information Commissioner's Office (ICO) said that the Electoral Commission was compromised in August 2021 due to its failure to patch its on-premise Microsoft Exchange Server against the ProxyShell vulnerabilities. The breach has been attributed to a Chinese state-backed threat actor tracked as APT31 by the UK National Cyber Security Centre (NCSC).

The vulnerabilities exploited in the attack are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The flaws were chained together to infiltrate the commission's Exchange Server 2016, deploying web shells that provided the attackers with persistent access. During the intrusion, the Chinese hackers accessed the personal information of approximately 40 million people, including names, home addresses, email addresses, and phone numbers. Officials said that there is no evidence suggesting any misuse of the personal information since it was accessed in 2021. The ICO has found no indication that the breach has directly harmed the affected voters.

China-linked Cuckoo Spear threat actor targets Japanese orgs

A Chinese nation-state threat actor dubbed Cuckoo Spear has been observed leveraging the LODEINFO and NOOPDOOR malware families to steal sensitive information from Japanese organizations. The analysis indicates Cuckoo Spear remained undetected within victim networks for an extended period, often between two and three years.

The threat actor has been linked to a known Chinese state-backed hacker group APT10. Active since 2006, APT10 is known for targeting critical infrastructure sectors such as communications, manufacturing, and various public sectors. The group's primary objective is to support Chinese national security goals through intelligence gathering.

DigiCert revokes customer SSL/TLS certificates due to domain verification bug

Certificate authority (CA) DigiCert has announced the revocation of approximately 0.4% of its customer base's SSL/TLS certificates following the discovery of a flaw in its domain control verification process. The issue specifically affects certificates verified through CNAME DNS entries, where a bug led to the omission of a mandatory underscore character in the random verification string, thereby violating industry standards.

The affected certificates were issued between August 2019 and June 2024. DigiCert has urged impacted customers to reissue their certificates within 24 hours to avoid any disruptions.

The company has also said that it is working with customers operating critical infrastructure who have applied for a delayed revocation, but it is no longer accepting any applications for delayed revocation.

North Korean hackers target devs on Windows, Linux, and macOS

A North Korea-linked malware campaign, dubbed DEV#POPPER, is targeting software developers across Windows, Linux, and macOS systems. The threat actors behind the campaign have expanded their tactics and introduced new malware variants. They have targeted victims in South Korea, North America, Europe, and the Middle East by tricking developers into downloading malicious software from GitHub, presented as part of a job interview process.

SideWinder cyber spies shift focus to ports and maritime facilities in the Mediterranean Sea

The nation-state threat actor known as SideWinder has shifted its focus towards targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean. The new campaign employs spear-phishing tactics to infiltrate systems in countries such as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

The group employs a variety of sophisticated techniques to evade detection and deliver targeted implants. The threat actor’s primary method involves email spear-phishing, document exploitation, and DLL side-loading.

‘Sitting Ducks’ domain hijacking attack puts at risk over a million domains

Over a million domains are vulnerable to takeover by malicious actors through a method called the ‘Sitting Ducks’ attack. The technique exploits weaknesses in the domain name system (DNS) and has been used by over a dozen Russian-nexus cybercriminal groups to stealthily hijack domains, according to a joint analysis by Infoblox and Eclypsium.

In a Sitting Ducks attack, the attacker hijacks a registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account. For a successful attack, four conditions must be met:

  • A registered domain uses authoritative DNS services from a different provider than the domain registrar, known as name server delegation.

  • The domain or a subdomain is configured to use a different DNS provider for authoritative name service.

  • The name server delegation is lame, meaning the authoritative name server lacks information about the domain and cannot resolve queries or subdomains.

  • The DNS provider is exploitable, allowing the attacker to claim ownership of the domain at the delegated authoritative DNS provider without accessing the valid owner’s account at the domain registrar.
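As an added example that is not from the original article, this Python function checks the delegation-related conditions above for a domain you operate: whether the parent delegates to name servers outside the registrar's own provider, and whether those servers are lame (they cannot answer an SOA query for the zone). The resolver is injected so the code runs offline against constructed zone data; the fourth condition (whether the provider lets someone else claim the zone) is a property of the provider and is not testable this way.

```python
from typing import Callable


class NoZone(Exception):
    """Raised when a name server refuses or cannot answer for a zone."""


# resolve(server, qname, rtype) -> list of answer strings; raises NoZone when
# the server does not host the zone (a live version maps REFUSED/SERVFAIL here).
Resolver = Callable[[str, str, str], list[str]]


def delegation_report(domain: str, parent_ns: str, registrar_ns_suffix: str,
                      resolve: Resolver) -> dict:
    """Report third-party delegation and lame name servers for one domain."""
    delegated = resolve(parent_ns, domain, "NS")
    external = [ns for ns in delegated
                if not ns.lower().endswith(registrar_ns_suffix.lower())]
    lame = []
    for ns in delegated:
        try:
            resolve(ns, domain, "SOA")  # a server hosting the zone answers this
        except NoZone:
            lame.append(ns)
    return {
        "delegated_ns": delegated,
        "third_party_delegation": bool(external),
        "lame_ns": lame,
        "review_needed": bool(external) and bool(lame),
    }


# Constructed stand-in for the live DNS tree; none of these names are real.
FAKE_DNS = {
    "parent.example": {
        ("victim.example", "NS"): ["ns1.otherdns.example", "ns2.otherdns.example"],
        ("safe.example", "NS"): ["ns1.registrar.example"],
    },
    "ns1.otherdns.example": {},  # provider never set the zone up: lame
    "ns2.otherdns.example": {},
    "ns1.registrar.example": {("safe.example", "SOA"): ["ns1.registrar.example 1"]},
}


def fake_resolve(server: str, qname: str, rtype: str) -> list[str]:
    answers = FAKE_DNS.get(server, {}).get((qname, rtype))
    if answers is None:
        raise NoZone(f"{server} has no data for {qname} {rtype}")
    return answers


if __name__ == "__main__":
    for d in ("victim.example", "safe.example"):
        print(d, delegation_report(d, "parent.example", "registrar.example", fake_resolve))
```

A live resolver can be built on dnspython's dns.message.make_query and dns.query.udp, raising NoZone when the response rcode is REFUSED or SERVFAIL.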

New malicious campaign targets Android users to steal SMS messages

A new malicious campaign has been observed using malicious Android apps to steal users' SMS messages since at least February 2022, as part of a large-scale operation. The malicious apps, totaling over 107,000 unique samples, are specifically designed to intercept one-time passwords (OTPs) used for online account verification, thereby facilitating identity fraud.

Victims of the campaign have been observed in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the US, Ukraine, Spain, and Turkey.

In a separate report, the Cleafy TIR team detailed a new Android Remote Access Trojan (RAT) named ‘BingoMod’ capable of executing money transfers from compromised devices through Account Takeover (ATO) via On Device Fraud (ODF). It circumvents banks' security measures, including identity verification, authentication, and behavioral detection systems that monitor for suspicious transactions.

Upon installation, BingoMod exploits various permissions, notably Accessibility Services, to covertly harvest sensitive data such as credentials, SMS messages, and account balances. Additionally, it features capabilities for conducting overlay attacks and remotely accessing the compromised device using VNC-like functionality.

Threat actors target Polish businesses with Agent Tesla and Formbook malware

Threat actors are targeting small and medium-sized businesses (SMBs) in Poland with phishing campaigns delivering a number of malware families such as Agent Tesla, Formbook, and Remcos RAT.

ESET said that nine significant ModiLoader phishing campaigns were detected in May 2024, affecting businesses in Poland, Italy, and Romania.

The attackers utilized previously compromised email accounts and corporate servers to disseminate malicious emails and host malware, as well as steal data. The attacks were executed in nine waves, each employing the DBatLoader malware loader, also known as ModiLoader or NatsoLoader, to deliver the malicious payloads.

A massive phishing campaign is exploiting Proofpoint’s email protections

An unknown threat actor has been linked to a massive scam campaign exploiting an email routing misconfiguration in Proofpoint's defenses. Dubbed EchoSpoofing, the campaign began in January 2024 and involved sending millions of spoofed phishing emails impersonating companies like Best Buy, IBM, Nike, and Walt Disney. The attackers sent up to three million emails per day on average, peaking at 14 million in early June.

Hive0137 email spammer is now using AI to bolster its phishing campaigns

The Hive0137 threat actor has been observed leveraging Large Language Models (LLMs) to generate phishing emails that look more authentic and are harder to detect using traditional signature-based methods. The new behavior was seen by the IBM X-Force threat intelligence team in an Italian campaign distributing Dave-crypted X-Worm. Additionally, Hive0137 appears to use generative AI for creating its tooling, the team noted.

ERIAKOS spam campaign is targeting Facebook users

Recorded Future’s Payment Fraud Intelligence detailed the “ERIAKOS” campaign, a scam e-commerce network targeting Facebook users. Detected on April 17, 2024, the campaign involves 608 fraudulent websites that use brand impersonation and malvertising tactics to steal personal and financial data from unsuspecting victims.

OneDrive phishing scam tricks users into running malicious PowerShell script

The Trellix Advanced Research Center has observed a sophisticated phishing and downloader campaign targeting Microsoft OneDrive users. The campaign relies on social engineering tactics to deceive users into executing a malicious PowerShell script, compromising their systems.

The attack begins by enticing users to click on a button that ostensibly explains how to fix a DNS issue, which appears necessary to grant access to a file on Microsoft OneDrive. This approach exploits the user's sense of urgency and their hope that resolving the DNS issue will enable access to the desired document.

Hackers bypass Google Workspace authentication, exposing thousands of accounts

A security weakness in the Google Workspace platform allowed hackers to bypass the email verification required to create accounts. The flaw was exploited to impersonate domain holders across various third-party services utilizing the “Sign in with Google” feature.

The vulnerability was discovered in the email verification process for new Google Workspace accounts. Hackers managed to circumvent this feature, enabling unauthorized access to third-party services through Google’s single sign-on system.

Gemini crypto exchange discloses data breach involving banking info

Cryptocurrency exchange Gemini has disclosed a security breach resulting in the compromise of personal and banking information of thousands of its customers. The breach occurred between June 3 and June 7, 2024, when an unauthorized actor gained access to an internal collaboration tool on a banking partner's system.

The company said that other sensitive information, such as date of birth, home or email address, social security number, phone number, username, or password, was not compromised. Additionally, Gemini confirmed that no account information or systems belonging to the exchange were impacted by this third-party incident.

Major US blood center OneBlood is facing a ransomware attack

OneBlood, a US-based non-profit blood bank serving over 300 hospitals in Florida, Georgia, and the Carolinas, has been hit by a ransomware attack. The cyber attack has disrupted its software systems, significantly slowing down its operations. Despite the breach, OneBlood continues to collect, test, and distribute blood, but at a much-reduced capacity. According to media reports, the attack took place over the weekend and the ransomware gang encrypted the organization's VMware hypervisor infrastructure.

In other news, a ransomware attack on C-Edge Technologies, a major banking technology provider in India, has led to the temporary shutdown of payment systems at nearly 300 small local banks. The National Payment Corporation of India (NPCI) has isolated C-Edge Technologies from accessing the retail payments system to contain the threat. NPCI is conducting a thorough audit to prevent the attack from spreading further.

UK shuts down Russian Coms fraud platform responsible for 1.8 million scam calls

The UK's National Crime Agency (NCA) has dismantled Russian Coms, a major caller ID spoofing platform responsible for over 1.8 million scam calls. This platform, used by criminals in over 107 countries including the UK, US, and France, allowed scammers to disguise their identity by mimicking phone numbers from financial institutions, telecom companies, and law enforcement. Between 2021 and 2024, Russian Coms facilitated over 1.3 million calls to 500,000 unique UK numbers. Three individuals linked to the platform's creation and development have been arrested and released on conditional bail. Joint actions against users of the platform are planned with support from Europol. Russian Coms, marketed via Snapchat, Instagram, and Telegram, offered services like “unlimited minutes,” “encrypted phone calls,” and voice changing.
