GruesomeLarch uses Nearest Neighbor Attack and zero-day flaw to target Ukraine
In early 2022, Volexity researchers identified the Russian advanced persistent threat actor GruesomeLarch deploying a new attack technique, dubbed the Nearest Neighbor Attack. The attack begins with the compromise of Wi-Fi networks belonging to organisations physically close to the intended target and lets the attacker daisy-chain access from organisation to organisation using nothing more than valid user credentials. The targeting focused on Ukraine-related work and projects, just ahead of the Russian invasion of Ukraine. The attackers first breached an organisation whose office was within Wi-Fi range of the target, then moved laterally inside it until they found dual-homed systems, that is, hosts with both a wired connection and a wireless adapter. From such a host they connected to the SSID of the target's Enterprise Wi-Fi and authenticated to it with the credentials they already held, which gave them a foothold on the target's network. The security-relevant point is that the Wi-Fi required only a valid username and password and was not protected by multi-factor authentication, so credentials that MFA had rendered useless against the target's internet-facing services still worked over the air.
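Two checks that follow from the attack chain described above, as an added example that is not Volexity's tooling or code from the report. Both run over constructed 802.1X/RADIUS-style authentication records (timestamp, account, medium, host, client MAC); the record format, the KNOWN_CLIENTS inventory and the 30-minute window are assumptions. The first check looks for dual-homed hosts on your own network (the pivot the attackers needed at the neighbouring organisation); the second looks for Wi-Fi authentications from a client device the account has never used (what the target would have seen).

```python
"""Detections motivated by the Nearest Neighbor Attack (added example).

Input: constructed RADIUS/802.1X accept records, one per line:
    <ISO timestamp> <account> <wired|wifi> <host name> <client MAC>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not data from the report.
SAMPLE_EVENTS = """\
2022-02-04T08:55:10 jdoe wired LAPTOP-JDOE 00:11:22:33:44:55
2022-02-04T09:01:42 jdoe wifi LAPTOP-JDOE aa:bb:cc:dd:ee:01
2022-02-04T09:03:00 asmith wifi LAPTOP-ASMITH aa:bb:cc:dd:ee:02
2022-02-04T13:20:05 asmith wifi LAPTOP-ASMITH aa:bb:cc:dd:ee:02
2022-02-04T17:15:00 jdoe wired LAPTOP-JDOE 00:11:22:33:44:55
2022-02-04T22:47:31 asmith wifi DESKTOP-9Q2 aa:bb:cc:dd:ee:77
"""

# Assumed device inventory: the client MACs each account is expected to use.
KNOWN_CLIENTS = {
    "jdoe": {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"},
    "asmith": {"aa:bb:cc:dd:ee:02"},
}


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, medium, host, mac = line.split()
        if medium not in ("wired", "wifi"):
            raise ValueError(f"unknown medium {medium!r} in line: {line}")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "medium": medium,
            "host": host,
            "mac": mac.lower(),
        })
    return events


def find_dual_homed(events, window=timedelta(minutes=30)):
    """Return host names that authenticated over both wired and Wi-Fi
    within `window` of each other, i.e. hosts bridging the two networks."""
    by_host = defaultdict(lambda: {"wired": [], "wifi": []})
    for e in events:
        by_host[e["host"]][e["medium"]].append(e["ts"])
    flagged = set()
    for host, media in by_host.items():
        for t_wired in media["wired"]:
            if any(abs(t_wired - t_wifi) <= window for t_wifi in media["wifi"]):
                flagged.add(host)
                break
    return flagged


def new_wifi_clients(events, known=KNOWN_CLIENTS):
    """Return Wi-Fi authentications where the account's client MAC is not in
    its inventory: valid credentials arriving from a device nobody issued."""
    return [
        e for e in events
        if e["medium"] == "wifi" and e["mac"] not in known.get(e["account"], set())
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("dual-homed hosts:", sorted(find_dual_homed(evs)))
    for hit in new_wifi_clients(evs):
        print("unknown Wi-Fi client:", hit["ts"], hit["account"], hit["host"], hit["mac"])
```

On the sample, LAPTOP-JDOE is reported as dual-homed (wired at 08:55, Wi-Fi at 09:01) and the 22:47 Wi-Fi login by asmith from DESKTOP-9Q2 is reported as an unknown client. Both checks are noisy on their own (docked laptops routinely keep Wi-Fi up, and inventories drift); they are a starting point for triage, not a substitute for requiring MFA or certificate-based authentication on the Wi-Fi and keeping it on a separate segment from the wired network.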
Phishing campaign leverages Google Docs to target telecommunications and financial sectors
In late October 2024, EclecticIQ researchers discovered a phishing campaign targeting the telecommunications and financial sectors. The campaign uses Google Docs to deliver phishing links that redirect victims to fake login pages hosted on Weebly and impersonating the targeted brands, such as AT&T. It also appears to target security professionals through PICUS-themed pages hosted on Google Docs. To defeat multi-factor authentication (MFA), the operators present fake MFA prompts that mimic the legitimate workflow and capture the one-time code, or fall back to SIM swapping to intercept SMS-delivered codes. The phishing pages embed legitimate tracking tools, such as Snowplow Analytics and Google Analytics, to monitor victim engagement.
Earth Estries targets critical industries with new MASOL RAT and GHOSTSPIDER backdoors
Since 2023, Trend Micro researchers have observed the Chinese advanced persistent threat (APT) actor Earth Estries targeting critical industries, including telecommunications and government agencies, in the United States, the Asia-Pacific region, the Middle East, and South Africa. For initial access, the group exploits n-day vulnerabilities in public-facing servers. Once inside, it relies on living-off-the-land binaries for lateral movement and deploys malware such as SNAPPYBEE and DEMODEX, as well as two new backdoors, dubbed MASOL RAT and GHOSTSPIDER. Earth Estries' operations often overlap with those of other known Chinese APT groups, suggesting the use of shared tooling from malware-as-a-service providers.
Threat actor Matrix targets IoT devices to create DDoS botnet
Aqua Security researchers identified an ongoing, widespread distributed denial-of-service (DDoS) campaign that is attributed to the threat actor, Matrix. The threat actor targets a range of internet-connected devices, including internet of things (IoT) devices, cameras, routers, DVRs, and enterprise systems, primarily gaining initial access through brute-force attacks and the exploitation of known vulnerabilities. Once compromised, the devices are incorporated into a larger botnet. Matrix relies on a range of publicly available scripts and tools, ultimately deploying the Mirai botnet alongside other DDoS-related programs on compromised devices, including PyBot, PYnet, DiscordGo, and The Homo Network. The threat actor has also set up a Telegram bot, named Kraken Autobuy, which sells DDoS attack services targeting Layer 4 and Layer 7.
Malware abuses Avast Anti-Rootkit driver to terminate security processes
Trellix researchers identified a malicious campaign in which malware drops a legitimate, signed Avast Anti-Rootkit driver and abuses it to terminate security processes, disable protective software, and take control of infected devices, a technique known as bring-your-own-vulnerable-driver (BYOVD). After dropping the driver, the malware registers it through the Service Control Manager by creating a kernel-driver service, then starts that service to load the driver. Because the driver carries a valid signature, the operating system loads it without complaint; the malware then uses the driver's own process-termination capability to kill security products from kernel mode, something its user-mode code could not do against protected processes, leaving the host without defences. The practical detection points are the creation of a new kernel-driver service (recorded in the Windows System log as event ID 7045) and the loading of a driver image from an unusual location or under an unusual file name.
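A triage check for the service-creation step, as an added example that is not Trellix's tooling or code from the report. It walks constructed Windows System log 7045 records (the fields mirror what the event carries: ServiceName, ImagePath, ServiceType, StartType) and flags kernel-driver services whose image lives outside System32\drivers, lacks a .sys extension, or whose file or service name matches an assumed list of abused drivers. The page does not name the Avast driver file; aswArPot.sys appears in ABUSED_DRIVER_NAMES as an assumed entry, and the sample records are constructed.

```python
"""Flag suspicious kernel-driver service installs from Windows event ID 7045
records (added example; records and the abused-driver list are assumptions)."""
import ntpath

# Assumed name list. Names are trivially changed by an attacker, so a
# production check should match SHA-256 hashes of known vulnerable drivers.
ABUSED_DRIVER_NAMES = {"aswarpot.sys"}
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed 7045 records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "vmci",
     "ImagePath": "System32\\drivers\\vmci.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": "\"C:\\Program Files\\Vendor\\update.exe\"",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "aswArPot.sys",
     "ImagePath": "\\??\\C:\\Users\\Public\\svc.bin",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]


def normalize_image_path(image_path):
    """Turn a raw 7045 ImagePath into a lower-case absolute Win32 path.

    Handles the NT '\\??\\' prefix, the '\\SystemRoot\\...' form and the
    relative 'System32\\drivers\\x.sys' form that driver services use.
    Assumes the system drive is C:."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\SystemRoot\\"):
        p = "C:\\Windows\\" + p[len("\\SystemRoot\\"):]
    elif len(p) < 2 or p[1] != ":":
        p = "C:\\Windows\\" + p.lstrip("\\")
    return p.lower()


def flag_driver_installs(events):
    """Return a list of (service_name, reasons) for kernel-driver installs
    that deserve a look. User-mode services and other event IDs are ignored."""
    findings = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        if e.get("ServiceType", "").lower() != "kernel mode driver":
            continue
        path = normalize_image_path(e["ImagePath"])
        base = ntpath.basename(path)
        reasons = []
        if base in ABUSED_DRIVER_NAMES or e["ServiceName"].lower() in ABUSED_DRIVER_NAMES:
            reasons.append("known-abused driver name")
        if not path.startswith(EXPECTED_DRIVER_DIR):
            reasons.append("driver image outside System32\\drivers")
        if not base.endswith(".sys"):
            reasons.append("driver image without .sys extension")
        if reasons:
            findings.append((e["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_driver_installs(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

On the sample, only the aswArPot.sys service is reported, for all three reasons; the vmci driver installed from System32\drivers is clean and the user-mode service is skipped. A driver dropped under its original name into System32\drivers would only trip the name check, which is why hash matching against a vulnerable-driver list, together with Microsoft's vulnerable driver blocklist, is the stronger control.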
Ransomware
Volume of blog posts by operators during the last week.
VPN vulnerabilities, weak credentials fuel ransomware attacks (Help Net Security, Nov 28 2024)
Ransomware-driven data exfiltration: techniques and implications (Sekoia Blog, Nov 27 2024)
Investigation into Helldown Ransomware (CYFIRMA, Nov 26 2024)
Blue Yonder's Ransomware Incident Impacts Supply Chain (SC Magazine UK, Nov 26 2024)
Analysis of Elpaco: a Mimic variant (Kaspersky Lab, Nov 26 2024)
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks (SentinelLabs, Nov 25 2024)
Financial Services
PixPirate Resurfaces: Spreading via WhatsApp and Expanding Beyond Brazil (Securityonline.info, Nov 28 2024)
Credit Card Skimmer Malware Targeting Magento Checkout Pages (Sucuri Blog, Nov 27 2024)
Notorious Ursnif Banking Trojan Uses Stealthy Memory Execution To Avoid Detection (Cyble Blog, Nov 25 2024)
SpyLoan: A Global Threat Exploiting Social Engineering (McAfee, Nov 25 2024)
Massive Credit Card Leak, Database of 1,221,551 Cards Circulating on Dark Web (GBHackers On Security, Nov 25 2024)
Geopolitics
Guess Who's Back – The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 (Trend Micro, Nov 26 2024)
APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware (The Hacker News, Nov 22 2024)
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON (Microsoft Security Blog, Nov 22 2024)
Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations (Google Cloud, Nov 22 2024)
DPRK IT Workers | A Network of Active Front Companies and Their Links to China (SentinelLabs, Nov 21 2024)
High Priority Vulnerabilities
| CVE | Software | CVSS Base Score | Temporal Score | Related coverage |
|---|---|---|---|---|
| CVE-2024-9680 | Firefox | 9.8 | 6.0 | Firefox and Windows zero days chained to deliver the RomCom backdoor |
| CVE-2024-11680 | ProjectSend | 9.8 | 9.4 | Malicious Actors Exploit ProjectSend Critical Vulnerability |
| CVE-2024-49035 | Microsoft Partner Center | 8.8 | 8.4 | Microsoft patches actively exploited privilege escalation flaw |
| CVE-2024-42057 | Zyxel USG20(W)-VPN | 8.1 | 8.1 | Zyxel firewalls targeted in recent ransomware attacks |
| CVE-2024-52940 | AnyDesk | 3.5 | 3.4 | PoC exploit released for AnyDesk zero-day flaw |