
Weekly Cyber Round-up

Intelligence Report

November 21, 2024

Earth Kasha deploys LODEINFO and NOOPDOOR to target technology and government agencies

From early 2023 to early 2024, Trend Micro researchers observed Earth Kasha expanding its targets to advanced technology and government agencies in Japan, Taiwan, and India as part of a new spear phishing campaign. Earth Kasha was observed exploiting public-facing applications such as SSL-VPN and file storage services as an initial access vector, as well as abusing vulnerabilities in enterprise products, such as CVE-2023-28461, CVE-2023-45727, and CVE-2023-27997. After gaining access, the threat actor deployed several backdoors to achieve persistence, including Cobalt Strike, LODEINFO, and NOOPDOOR. Earth Kasha primarily aimed to exfiltrate victim information and credentials, including by using legitimate Windows tools and its custom credential dumper, MirrorStealer. The researchers noted overlaps with another campaign attributed to Earth Tengshe, with both groups suspected to be related to APT10 and potentially sharing tactics and tools with one another.


SilkSpecter phishing campaign targets Black Friday shoppers

In early October 2024, EclecticIQ researchers discovered a phishing campaign targeting e-commerce shoppers in Europe and the United States. The campaign uses fake Black Friday discounts as phishing lures to deceive victims into providing their cardholder data (CHD), sensitive authentication data, and personally identifiable information. Based on infrastructure and language indicators, the researchers attribute the campaign with high confidence to the Chinese financially motivated threat actor SilkSpecter.

PXA Stealer targets education and government sectors in Europe and Asia

Cisco Talos researchers identified a campaign delivering a new infostealer, dubbed PXA Stealer, to the education sector in India and government organisations in Europe, including Sweden and Denmark. PXA Stealer targets credentials for online accounts, VPN and FTP clients, browser cookies, and data from gaming software. It also has the capability of decrypting a victim’s browser master password and using it to steal the stored credentials of online accounts. The attacker gains initial access by sending a phishing email with a ZIP file attachment that contains a malicious Rust loader executable and a hidden folder. The researchers assess that the attacker responsible for the attacks is of Vietnamese origin. The attacker was observed selling credentials and tools in a Telegram channel named ‘Mua Bán Scan MINI’, which is also where the CoralRaider threat actor operates.

Threat actors impersonate government agencies in latest Docusign phishing attacks

SlashNext researchers warned of a new wave of Docusign phishing attacks targeting businesses that interact with state, municipal, and licensing authorities. The latest campaign impersonates various government agencies in the United States. The attack begins with a general contractor being sent a supposed Docusign request from their state licensing board. The attacks use legitimate Docusign infrastructure to appear authentic, include accurate pricing and terminology familiar to the industry, and target businesses during predictable licensing cycles. The messages additionally bypass email security filters since they come from actual Docusign accounts. Between November 8th and November 14th, 2024, the researchers observed a 98% increase in the use of Docusign phishing URLs compared to all of September and October 2024.

LIMINAL PANDA targets telecommunications sector for espionage purposes

CrowdStrike researchers detailed the suspected China-nexus state-sponsored threat actor, LIMINAL PANDA, which has targeted telecommunications entities since at least 2020. LIMINAL PANDA demonstrates deep knowledge of telecommunications networks, including understanding interconnections between providers, and has used compromised servers to launch intrusions into providers in other regions. The threat actor has primarily targeted Asia and Africa and highly likely engages in targeted intrusions to support intelligence collection. The threat actor combines custom malware, publicly available tools, and proxy software to route C2 communications through different network segments. Similarities between LIMINAL PANDA and the LightBasin activity cluster, active since at least 2016, were identified.

High Priority Vulnerabilities

Name             Software           Base Score   Temp Score

CVE-2024-0012    PAN-OS             9.8          9.4
  Related: Palo Alto Networks patches two firewall zero-days used in attacks

CVE-2024-44308   visionOS           8.8          6.0
  Related: Apple addressed two actively exploited zero-day vulnerabilities

CVE-2024-11120   GVLX 4 V3          9.8          9.6
  Related: Botnet exploits GeoVision zero-day to install Mirai malware

CVE-2024-38812   Cloud Foundation   9.8          9.4
  Related: VMware vCenter RCE Vulnerability Actively Exploited After Patch Error

CVE-2024-1212    LoadMaster         9.8          7.0
  Related: CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
