1 November 2024

Cyber Security Week in Review: November 1, 2024


China-linked threat actors are increasingly targeting networking devices

Sophos published a series of reports detailing five years of encounters with Chinese threat actors increasingly targeting networking devices globally, including Sophos' own products. Since 2018, Sophos has defended against escalating attacks, including a breach of its Cyberoam office in India, where attackers exploited a wall-mounted display for initial access. Sophos described the attackers as adaptable and capable of escalating their tactics.

In addition to stealing VPN credentials and tampering with firmware for persistence, the threat actors employed sophisticated tools, such as a custom rootkit, TERMITE in-memory dropper, Trojanized Java files, and a UEFI bootkit. Sophos linked these attacks to groups such as Volt Typhoon, APT31, and APT41/Winnti, suggesting that Chinese researchers might develop and share zero-day vulnerabilities with both vendors and Chinese government-aligned entities.

In its recent national threat assessment report, the Canadian Centre for Cyber Security (Cyber Centre) revealed that Chinese state-sponsored hackers have breached at least 20 Canadian government networks over the past four years, stealing data valuable to China’s strategic, economic, and diplomatic interests. The cyber espionage attacks have targeted Canadian government institutions, the private sector, academia, and supply chains. In addition to government networks, Chinese threat actors have also targeted politicians, activists, journalists, and diaspora communities, using tactics like spear phishing and spyware to monitor and harass these individuals. Alongside threats from China, Russia, Iran, and North Korea, the Cyber Centre has also identified India as a rising cyber threat, with growing geopolitical tensions expected to drive Indian-sponsored attacks on Canadian networks.

CyberPanel flaws are being exploited in ransomware attacks

Threat actors have begun exploiting critical vulnerabilities in CyberPanel, a popular free web hosting control panel. Tracked as CVE-2024-51567 and CVE-2024-51378, the two bugs are described as improper authentication issues that could lead to arbitrary OS command execution. CyberPanel developers addressed the flaws on October 23, and mass-exploitation attempts were observed several days later, following the release of proof-of-concept (PoC) code.

LeakIX, which monitors vulnerable systems, reported around 22,000 CyberPanel instances online as of October 28, but that number sharply dropped as compromised servers became inaccessible. Attackers deployed Psaux ransomware, targeting roughly 200,000 hosted websites and demanding ransom for encrypted files. Researchers said that at least three ransomware groups have been exploiting these bugs.

Hackers are abusing critical zero-day flaws in PTZ cameras

Hackers are targeting two zero-day vulnerabilities, CVE-2024-8956 and CVE-2024-8957, in PTZOptics pan-tilt-zoom (PTZ) cameras, commonly used in industrial, healthcare, conference, government, and courtroom environments, GreyNoise warns. The vulnerabilities allow exploitation via the camera’s CGI-based API and 'ntp_client,' enabling command injection. Successful exploitation could result in complete camera control, infection with botnets, network pivoting to other devices, or disruption of video feeds.

Akira and Fog ransomware exploit a SonicWall VPN bug to breach corporate networks

Akira and Fog ransomware operations are increasingly exploiting a high-risk vulnerability affecting SonicWall VPN accounts to access corporate networks. Tracked as CVE-2024-40766, the flaw is an improper access control issue that allows attackers to bypass access restrictions. SonicWall released a patch for this SonicOS flaw in late August 2024.

Russian APT28 targets government entities in Ukraine in a new phishing campaign

The Government Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign targeting local government entities. The campaign, attributed to the Russian military hacking unit APT28 (aka Fancy Bear and UAC-0001), uses emails with the subject line "Table Replacement" and links resembling a Google Sheets document. Upon clicking the link, users are redirected to a page mimicking a reCAPTCHA verification that attempts to trick them into executing a malicious PowerShell command.

A separate CERT-UA report details another widespread phishing campaign involving emails with tax-related subjects, containing attachments disguised as official requests from the State Tax Service of Ukraine. This campaign is financially motivated and is attributed to a threat group tracked as UAC-0050, targeting enterprise accountants who handle remote banking systems.

Google and Microsoft also released reports this week detailing suspected Russian cyber activities. Google’s Threat Analysis Group (TAG) and cybersecurity firm Mandiant observed a Russian-aligned group named UNC5812 delivering a blend of Windows and Android malware, targeting the Ukrainian military.

According to Microsoft’s findings, the Russian threat actor APT29, also known as Midnight Blizzard, UNC2452 and Cozy Bear, has been targeting organizations across critical sectors, including government agencies, higher education, defense, and non-governmental organizations (NGOs) since October 22, 2024. The threat actor targeted more than 100 organizations via phishing emails designed to trick users into opening a Remote Desktop Protocol (RDP) configuration file to gain access to a victim system. The emails were crafted to appear as if they originate from legitimate sources such as Microsoft and Amazon Web Services (AWS) and incorporated themes around Zero Trust.

In other news, the United Kingdom sanctioned three Russian organizations and three individuals, including the Social Design Agency (SDA) and its partner company Structura, for orchestrating a disinformation campaign meant to weaken international support for Ukraine. The British government’s sanctions target entities and individuals responsible for the “Doppelgänger” operation, an extensive online network that disseminates false information through spoofed websites and manipulated social media content.

China-linked Evasive Panda targets Taiwan and cloud services

Researchers at ESET detailed a previously unknown toolset, dubbed ‘CloudScout’, linked to China-aligned threat actor Evasive Panda. The group, also known as Bronze Highland, Daggerfly, or StormBamboo, has reportedly used this toolset to infiltrate and extract sensitive data from Taiwanese organizations. CloudScout has been deployed to target both a government entity and a religious institution in Taiwan from 2022 to 2023.

On the same note, the FBI and CISA confirmed that they are “investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” The agencies said the FBI initially detected suspicious activity targeting telecom companies and promptly notified and provided assistance to affected organizations. The probe follows reports that devices used by prominent political figures, including Vice President Kamala Harris, former President Donald Trump, and Republican vice-presidential candidate JD Vance, may have been compromised.

North Korean hackers caught collaborating with Play ransomware

The state-sponsored Andariel hacking group linked to North Korea has been associated with the infamous Play ransomware operation, according to a recent report from Palo Alto Networks’ Unit 42 researchers. The group, believed to be a part of North Korea’s Reconnaissance General Bureau, is possibly using the ransomware-as-a-service (RaaS) platform to conceal its activity and bypass international sanctions.

The US and Israel accused Iranian hackers of targeting the 2024 Summer Olympics

The FBI, US Department of Treasury, and Israel National Cyber Directorate have issued a Cybersecurity Advisory detailing new tactics used by the Iranian cyber group Emennet Pasargad. Operating under the alias Aria Sepehr Ayandehsazan (ASA) and known to the private sector as Cotton Sandstorm, Marnanbridge, and Haywire Kitten, the group has demonstrated advanced methods for cyber-enabled information operations through mid-2024. The tactics involved using numerous cover personas and included cyber activities aimed at the 2024 Summer Olympics, where they compromised a French dynamic display provider.

Chinese threat actor Storm-0940 uses credentials from password spray attacks

A Chinese threat actor tracked as Storm-0940 has been leveraging the Quad7 (or CovertNetwork-1658) botnet to conduct password spray attacks via a network of compromised devices.

The botnet has infected multiple SOHO routers and VPN appliances from brands like TP-Link, Zyxel, and NETGEAR, facilitating follow-on activities such as lateral movement, remote access trojans, and data exfiltration. Microsoft assesses that multiple China-based actors are involved in operating Quad7 for these purposes.

New LightSpy spyware version comes with destructive capabilities

A report from ThreatFabric analyses a new version of LightSpy spyware targeting Apple iOS devices. The upgraded variant not only extends surveillance functions but also introduces a destructive feature designed to render compromised devices unbootable.

Xiū Gǒu phishing kit includes over 2K phishing websites, targets the US, UK, Spain, Australia and Japan

A new phishing kit, known as Xiu Gou, has emerged targeting users in the US, UK, Spain, Australia, and Japan since September 2024. Xiu Gou uses a unique "doggo" mascot to brand its attacks. The kit comprises over 2,000 phishing websites aimed at individuals in sectors like public services, postal services, digital platforms, and banking.

Lottie-Player supply chain attack drains crypto wallets

LottieFiles has confirmed a supply chain attack on its Lottie-Player software, aimed at stealing cryptocurrency from users. The compromised versions (2.0.5, 2.0.6, and 2.0.7) were distributed to users who loaded the library through third-party CDNs without a pinned version, meaning they automatically received the malicious update. The malicious versions prompted users to connect their cryptocurrency wallets, likely intending to drain funds. Users are urged to update to version 2.0.8 to secure their systems.
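The unpinned-CDN pattern that let the malicious Lottie-Player builds reach sites automatically is easy to audit for. The following is an added example, not code from the original post or from LottieFiles: it scans page HTML for `<script>` tags that load an npm package from unpkg or jsDelivr and flags references with no version, a floating version such as `latest`, or no Subresource Integrity attribute. The URL layout, the package name `@lottiefiles/lottie-player`, the sample HTML and the integrity hash are all constructed assumptions.

```javascript
// Matches "https://unpkg.com/<pkg>[@spec]/..." and
// "https://cdn.jsdelivr.net/npm/<pkg>[@spec]/..." (assumed CDN layout).
const CDN_RE = /^https?:\/\/(?:unpkg\.com|cdn\.jsdelivr\.net\/npm)\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?/;

// A specifier is pinned only if it is an exact semver version;
// ranges ("^2.0.0"), tags ("latest") and empty specs all float.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec || "");
}

// Return one finding per <script> tag whose src points at an npm CDN;
// local or non-CDN scripts are skipped.
function auditScripts(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue;
    const cdn = src.match(CDN_RE);
    if (!cdn) continue;
    const [, pkg, spec] = cdn;
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    const problems = [];
    if (!spec) problems.push("no version (CDN serves whatever is newest)");
    else if (!isPinned(spec)) problems.push(`floating version "${spec}"`);
    if (!hasIntegrity) problems.push("missing integrity (SRI) attribute");
    findings.push({ pkg, spec: spec || null, pinned: isPinned(spec), hasIntegrity, problems });
  }
  return findings;
}

// Constructed sample page: three CDN references to the same package plus one
// local script; only the last CDN reference is pinned and integrity-protected.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
`;

for (const f of auditScripts(SAMPLE_HTML)) {
  console.log(`${f.pkg}@${f.spec ?? "(none)"}: ${f.problems.join("; ") || "ok"}`);
}
```

A pinned version plus a real `integrity` hash means a CDN-side swap of the file fails to load instead of executing silently.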

Emeraldwhale campaign targets exposed Git configs to siphon sensitive data

The global operation dubbed ‘Emeraldwhale’ has exploited misconfigured Git configurations, resulting in the theft of over 15,000 cloud service credentials. According to the Sysdig Threat Research Team (TRT), attackers used custom tools (MZR V2 and Seyzo-v2) to target and exploit misconfigured web services. This allowed them to gain unauthorized access to cloud credentials, clone private repositories, and extract sensitive data.

An ongoing malvertising campaign hijacks Facebook accounts to distribute SYS01Stealer malware

Cybersecurity researchers have uncovered a sophisticated malvertising campaign leveraging Meta’s advertising platform and hijacked Facebook accounts to spread malware known as SYS01Stealer. The campaign, targeting a broad range of Facebook users, has been active for at least a month.

Major French ISP Free confirms data breach after dark web leak

Free, one of France's leading internet service providers (ISPs) and a subsidiary of the Iliad Group, confirmed a data breach following reports that hackers accessed and leaked sensitive customer information. The breach came to light after data surfaced on a dark web marketplace, exposing the personal information of some of Free’s 22.9 million mobile and fixed broadband customers. Free said that certain sensitive data types, such as customer passwords, bank card information, and communications (emails, SMS, and voice messages), were not accessed during the breach. The company also said that its core services remain unaffected.

An international police effort disrupts RedLine and Meta info-stealers’ operations

A joint effort dubbed ‘Operation Magnus’ involving law enforcement from the Netherlands, the US, the UK, Belgium, Portugal, Australia, Europol, and Eurojust, dismantled the infrastructure of the RedLine and Meta data-stealing malware families. The Dutch National Police reported gaining full access to the servers used by the malware operations, resulting in the shutdown of three servers and the seizure of two domains in the Netherlands. In Belgium, two suspects were arrested, and over 1,200 servers associated with the info-stealers were identified across various countries. Additionally, authorities recovered a database with the identities of RedLine and Meta clients. Concurrently, the US authorities charged Maxim Rudometov, a key developer of the RedLine info-stealer, with multiple offenses, including access device fraud and money laundering, potentially facing up to 35 years in prison if convicted.

ByteDance fires intern for allegedly sabotaging internal AI model

ByteDance, the parent company of TikTok, has fired a doctoral student intern following allegations of tampering with the company’s internal artificial intelligence (AI) model. The intern allegedly exploited a vulnerability on the AI development platform Hugging Face to access the model, which they reportedly used to disrupt training processes over nearly two months.

Former Disney worker hacks food menu software, alters allergen warnings

Michael Scheuer, a former Disney employee, was arrested for hacking into the company's restaurant software after being fired for misconduct. Over a three-month period, he allegedly altered menu items to remove critical allergy warnings, jeopardizing the safety of Disney resort guests. In addition to manipulating the menu software, Scheuer conducted denial-of-service attacks on the accounts of former colleagues and reportedly stalked one employee.

Dstat.cc DDoS service disrupted by law enforcement, three suspects arrested

The Dstat.cc DDoS review platform has been seized by law enforcement, leading to the arrest of three suspects. This action was part of ‘Operation PowerOFF,’ an international initiative aimed at dismantling DDoS-for-hire services, commonly known as ‘booters’ or ‘stressers.’ At present, Dstat.cc displays a seizure notice; more information about the takedown is expected to be disclosed in the coming days.
