US election day sees technical issues, bomb threats, and warnings of foreign influence operations
On November 4th, 2024, the United States Cybersecurity and Infrastructure Agency released a joint statement warning of Iranian and Russian influence operations targeting the US presidential election. Russia’s operations are focused on fake content targeting swing states, while Iranian actors may also seek to create fake content intended to suppress voting or stoke violence. Separately, the Fulton County Police Department reported that it responded to multiple bomb threats at polling places, resulting in temporary closings of at least two polling locations in Union City, Georgia. The Federal Bureau of Investigation additionally stated that many of the bomb threats, which were made to polling locations in several states, appear to originate from Russian email domains. Voting in Cambria County, Pennsylvania was also extended after reported technical issues prevented voters from scanning their ballots once the polls opened.
LastPass is warning of an ongoing campaign in which scammers write Chrome extension reviews that promote a fake LastPass customer support phone number. Users who call the number are directed to a site where they are asked to enter a code to download a ConnectWise ScreenConnect agent. This enables the attacker full remote access to a victim’s device, enabling them to steal data. BleepingComputer also found that the phone number is linked to a much larger campaign that promotes support for various other companies, including Amazon, Adobe, Facebook, Hulu, and more. In addition to Chrome extension reviews, the phone number is posted to company forums and Reddit.
Emulated Linux environment used to backdoor Windows systems
Securonix researchers observed a new phishing campaign, dubbed CRON#TRAP, that uses malicious shortcut files to deliver a custom Linux environment emulated through QEMU. The emulated Linux instance, identified as Tiny Core Linux, comes pre-configured with a backdoor that automatically connects to the attacker’s C2 server via websockets. The initial infection is likely via a phishing email using a survey lure that contains a link to download a large ZIP file. A PowerShell command is used to start the infection chain that leads to the emulated Linux environment, enabling the attackers to evade antivirus solutions. The backdoor, a Chisel binary, is a tunneling tool commonly used for passing data covertly through firewalls.
Storm-0940 targets Microsoft customers with password spraying attacks
Since August 2023, Microsoft researchers have observed the Chinese threat actor Storm-0940 stealing credentials from Microsoft customers via highly evasive password spraying attacks. The source of the attacks has been linked to a network of compromised small office and home office routers, primarily TP-Link routers, tracked as ‘CovertNetwork-1658’. Storm-0940 has been active since at least 2021 and is known for targeting organisations in North America and Europe, including think tanks, government organisations, non-governmental organisations, defence industrial base, and more. The threat actors are believed to initially exploit a vulnerability in targeted routers to gain remote code execution capability, though the specific exploit is currently unknown. Upon gaining access to the vulnerable routers, a custom malware is deployed that allows remote access to the devices over Telnet.
Rhadamanthys delivered via copyright infringement lures in ongoing phishing campaign
Check Point researchers observed a new large-scale spear phishing campaign, dubbed CopyRh(ight)adamantys, that is delivering the latest version of Rhadamanthys stealer. The campaign targets users in various regions, including the United States, Europe, East Asia, and South America, claiming copyright infringement on their Facebook pages. The campaign has been ongoing since at least July 2024. The phishing emails are typically sent from Gmail accounts and impersonate dozens of companies, adapting the impersonated company and language depending on the target. Almost 70% of the impersonated companies are from the technology or entertainment sectors. The emails contain an archive file that triggers the infection via DLL sideloading, while also displaying a decoy Adobe ESPS or PDF file.
Ransomware
Volume of blog posts by operators during the last week.
Unwrapping the emerging Interlock ransomware attackTalos Intelligence Blog – Nov 07 2024Memorial Hospital and Manor suffered a ransomware attackSecurity Affairs – Nov 06 2024Schneider Electric ransomware crew demands $125k paid in baguettesTheRegister.com – Nov 05 2024GoZone Ransomware Adopts Coercive Tactics to Extract PaymentSonicWALL – Nov 04 2024German Pharma Wholesaler AEP Targeted in Ransomware AttackDataBreachToday.eu – Nov 01 2024LA housing authority confirms breach claimed by Cactus ransomwareBleeping Computer – Nov 01 2024
Financial Services
GodFather Malware Targets 500 Banking & Crypto Apps WorldwideCyble Blog – Nov 06 2024 Crooks bank on Microsoft’s search engine to phish customers Malwarebytes Labs Blog – Nov 04 2024G700 : The Next Generation of Craxs RAT CYFIRMA – Nov 04 2024Satori Threat Intelligence Alert: Phish ’n’ Ships Fakes Online Shops to Steal Money and Credit Card InformationHumanSecurity.com – Oct 31 2024ToxicPanda: a new banking trojan from Asia hit Europe and LATAMCleafy Labs – Apr 11 2024
Geopolitics
LameDuck: A Threat Actor Mixing Politics and Profit with Over 35,000 DDoS AttacksSecurityonline.info – Nov 06 2024Singtel detected and ‘eradicated’ malware said to be from Chinese hacking groupChannel NewsAsia – Nov 05 2024Pro-Russia hackers claim council cyber attacksBBC – Oct 31 2024Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaignsSophos – Oct 31 2024New Tradecraft of Iranian Cyber Group Aria Sepehr Ayandehsazan aka Emennet PasargadThreat Reports – IC3 – Oct 30 2024
High Priority Vulnerabilities
| Name | Software | Base Score |
Temp Score |
|
|---|---|---|---|---|
| CVE-2024-8956 | PT30X-NDI | 9.1 | 7.0 | |
| Related: Hackers target critical zero-day vulnerability in PTZ cameras | ||||
| CVE-2024-43047 | Snapdragon Wearables | 7.8 | 7.5 | |
| Related: November 2024 Android Security Update Fixes Actively Exploited Vulnerabilities CVE-2024-43093, CVE-2024-43047 | ||||
| CVE-2024-36401 | GeoServer | 9.8 | 9.4 | |
| Related: Androxgh0st integrates Mozi botnet functionalities and exploits new vulnerabilities | ||||
| CVE-2019-7256 | Linear eMerge E3 | 9.8 | 10.0 | |
| Related: Ngioweb sells infected victims as residential proxies via Nsocks | ||||
| CVE-2017-0199 | Office | 7.8 | 6.0 | |
| Related: SideWinder APT targets Sri Lanka via spear phishing campaigns | ||||