
Weekly Cyber Round-up

Intelligence Report

November 7, 2024

US election day sees technical issues, bomb threats, and warnings of foreign influence operations

On November 4th, 2024, the United States Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement warning of Iranian and Russian influence operations targeting the US presidential election. Russia's operations focus on fake content aimed at swing states, while Iranian actors may also create fake content intended to suppress voting or stoke violence. Separately, the Fulton County Police Department reported that it responded to multiple bomb threats at polling places, resulting in the temporary closure of at least two polling locations in Union City, Georgia. The Federal Bureau of Investigation additionally stated that many of the bomb threats, which were made to polling locations in several states, appear to originate from Russian email domains. Voting hours in Cambria County, Pennsylvania were also extended after technical issues prevented voters from scanning their ballots when the polls opened.

LastPass warns of fake support number planted in Chrome extension reviews

LastPass is warning of an ongoing campaign in which scammers post reviews on its Chrome extension that promote a fake LastPass customer support phone number. Users who call the number are directed to a site where they are asked to enter a code to download a ConnectWise ScreenConnect agent, a legitimate remote support tool, which gives the attacker full remote access to the victim's device and the ability to steal data. BleepingComputer also found that the phone number is linked to a much larger campaign advertising fake support for various other companies, including Amazon, Adobe, Facebook and Hulu. In addition to Chrome extension reviews, the number is posted on company forums and Reddit.

Emulated Linux environment used to backdoor Windows systems

Securonix researchers observed a new phishing campaign, dubbed CRON#TRAP, that uses malicious shortcut files to deliver a custom Linux environment emulated with QEMU. The emulated instance, identified as Tiny Core Linux, comes pre-configured with a backdoor that automatically connects to the attacker's C2 server over websockets. Initial infection is likely via a phishing email with a survey lure that links to a large ZIP file download. A PowerShell command starts the infection chain that launches the emulated Linux environment; because the malicious activity runs inside the guest under a legitimate, signed emulator, it evades antivirus solutions on the Windows host. The backdoor is a Chisel binary, a tunnelling tool commonly used to pass traffic covertly through firewalls.
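The chain above (script host launching an emulator from a user-writable location, headless, with a disk image it brought along) is something a hunter can look for in process-creation telemetry such as Sysmon Event ID 1 or Windows 4688. The following is an added example and not Securonix's own detection content or code; it scores constructed process-creation records and matches on QEMU's command-line switches rather than the binary name, on the assumption (mine, not a detail from the report) that an attacker may rename the emulator.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (fields as found in Sysmon EID 1 / Windows 4688)."""
    parent_image: str
    image: str
    command_line: str


# Switches present on almost every qemu-system-* command line. Requiring two of them
# keeps generic flags such as "-m" from firing on unrelated programs.
QEMU_SWITCHES = {"-m", "-hda", "-hdb", "-drive", "-cdrom", "-netdev", "-device",
                 "-nographic", "-display", "-smp", "-kernel", "-initrd", "-monitor"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations a phishing payload can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.I,
)


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def looks_like_emulator(ev: ProcEvent) -> bool:
    """True if the image is qemu-system-* or the command line carries >= 2 QEMU switches."""
    tokens = ev.command_line.split()
    hits = sum(1 for t in tokens if t in QEMU_SWITCHES)
    return hits >= 2 or _basename(ev.image).startswith("qemu-system")


def context_signals(ev: ProcEvent) -> list:
    """Why an emulator launch is suspicious in this context (empty list means benign-looking)."""
    tokens = ev.command_line.split()
    out = []
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        out.append("spawned by script host")
    if USER_WRITABLE.search(ev.image):
        out.append("runs from user-writable path")
    if "-nographic" in tokens or "-display none" in ev.command_line:
        out.append("headless guest")
    return out


def hunt(events):
    """Return (event, reasons) for every emulator launch with at least one context signal."""
    flagged = []
    for ev in events:
        if not looks_like_emulator(ev):
            continue
        reasons = context_signals(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample records (paths, names and arguments are invented for the example).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\survey\pivot.exe",
              "pivot.exe -m 256M -drive file=core.qcow2,format=qcow2 "
              "-netdev user,id=n0 -device e1000,netdev=n0 -display none"),
    # A developer's QEMU started from Explorer in Program Files: emulator, but no context signal.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              "qemu-system-x86_64.exe -m 4G -hda dev.img -smp 2"),
    # PowerShell launching a non-emulator with a single coincidental "-m".
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe -m C:\\notes.txt"),
]

if __name__ == "__main__":
    for ev, why in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", ", ".join(why))
```

Treat the output as hunting leads rather than alerts: a single context signal (say, QEMU started from cmd.exe) is enough to surface an event here, and an environment with a lot of legitimate virtualisation will want the threshold raised or the developer hosts excluded.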

Storm-0940 targets Microsoft customers with password spraying attacks

Since August 2023, Microsoft researchers have observed the Chinese threat actor Storm-0940 stealing credentials from Microsoft customers via highly evasive password spraying attacks. The attacks have been traced to a network of compromised small office and home office (SOHO) routers, primarily TP-Link devices, tracked as 'CovertNetwork-1658'. Storm-0940 has been active since at least 2021 and is known for targeting organisations in North America and Europe, including think tanks, government organisations, non-governmental organisations and the defence industrial base. The threat actors are believed to first exploit a vulnerability in the targeted routers to gain remote code execution, though the specific exploit is currently unknown. Once a router is compromised, custom malware is deployed that allows remote access to the device over Telnet.
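A spray routed through a pool of compromised residential routers does not look like the classic one-IP-many-accounts pattern, so the sign-in log needs two views: per source address, and across all addresses that have never signed anyone in. The following is an added example and not Microsoft's detection logic or code; it runs both checks over constructed sign-in events and assumes that a "trusted" source is one with a prior or in-window successful sign-in, with thresholds (10 accounts, at most 2 failures per account) chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One authentication event; `success` False means a failed credential check."""
    ts: datetime
    user: str
    src_ip: str
    success: bool


@dataclass
class Finding:
    kind: str            # "single-source" or "distributed"
    accounts: list
    source_ips: list
    first_seen: datetime
    last_seen: datetime


def single_source_spray(events, min_accounts=10, max_per_account=2):
    """Classic spray: one source IP failing against many accounts, few tries each."""
    attempts = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    span = {}                                          # ip -> (first, last) failure time
    for e in events:
        if e.success:
            continue
        attempts[e.src_ip][e.user] += 1
        lo, hi = span.get(e.src_ip, (e.ts, e.ts))
        span[e.src_ip] = (min(lo, e.ts), max(hi, e.ts))
    findings = []
    for ip, users in attempts.items():
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            findings.append(Finding("single-source", sorted(users), [ip], *span[ip]))
    return findings


def distributed_spray(events, known_ips=(), min_accounts=10, max_per_account=2):
    """Proxy-network spray: many accounts each hit a few times, from addresses that have
    never produced a successful sign-in (neither in the baseline nor in this window)."""
    trusted = set(known_ips) | {e.src_ip for e in events if e.success}
    per_user = defaultdict(list)                       # user -> failures from untrusted IPs
    for e in events:
        if not e.success and e.src_ip not in trusted:
            per_user[e.user].append(e)
    sprayed = {u: evs for u, evs in per_user.items() if len(evs) <= max_per_account}
    if len(sprayed) < min_accounts:
        return None
    hits = [e for evs in sprayed.values() for e in evs]
    return Finding("distributed", sorted(sprayed), sorted({e.src_ip for e in hits}),
                   min(e.ts for e in hits), max(e.ts for e in hits))


# Constructed sample window (all names, addresses and times are invented for the example).
T0 = datetime(2024, 11, 5, 2, 0)


def _ev(minutes, user, ip, ok):
    return SignIn(T0 + timedelta(minutes=minutes), user, ip, ok)


KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}   # baseline: addresses with past successful sign-ins
SAMPLE_EVENTS = [
    _ev(1, "alice", "203.0.113.10", False), _ev(2, "alice", "203.0.113.10", False),
    _ev(3, "alice", "203.0.113.10", True),               # a user mistyping, then getting in
    _ev(5, "bob", "203.0.113.11", True),
    _ev(9, "dave", "198.51.100.50", False), _ev(10, "dave", "198.51.100.50", True),  # new but legitimate IP
    # twelve accounts, one failure each, every one from a different never-seen address
    *[_ev(15 + 5 * i, f"user{i:02d}", f"198.51.100.{i + 1}", False) for i in range(12)],
]
SINGLE_SOURCE_EVENTS = [_ev(i, f"user{i:02d}", "192.0.2.7", False) for i in range(10)]

if __name__ == "__main__":
    print(single_source_spray(SAMPLE_EVENTS))          # [] : no single address stands out
    print(distributed_spray(SAMPLE_EVENTS, KNOWN_IPS))  # the twelve-account spray
```

The per-IP check finds nothing in the sample window, which is the point: each router in the pool is used once. The distributed check ignores alice (trusted address) and dave (his failure came from an address that then signed him in) and surfaces the twelve accounts and twelve addresses, which is the set to feed into blocking or conditional-access decisions.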

Rhadamanthys delivered via copyright infringement lures in ongoing phishing campaign

Check Point researchers observed a new large-scale spear phishing campaign, dubbed CopyRh(ight)adamantys, that delivers the latest version of the Rhadamanthys stealer. The campaign targets users in various regions, including the United States, Europe, East Asia and South America, with emails claiming copyright infringement on the recipients' Facebook pages. It has been ongoing since at least July 2024. The phishing emails are typically sent from Gmail accounts and impersonate dozens of companies, adapting the impersonated company and the language to the target; almost 70% of the impersonated companies are from the technology or entertainment sectors. The emails contain an archive file that triggers the infection via DLL sideloading while displaying a decoy Adobe ESPS or PDF file.

Ransomware

Volume of blog posts by operators during the last week.

Unwrapping the emerging Interlock ransomware attack (Talos Intelligence Blog – Nov 07 2024)
Memorial Hospital and Manor suffered a ransomware attack (Security Affairs – Nov 06 2024)
Schneider Electric ransomware crew demands $125k paid in baguettes (TheRegister.com – Nov 05 2024)
GoZone Ransomware Adopts Coercive Tactics to Extract Payment (SonicWALL – Nov 04 2024)
German Pharma Wholesaler AEP Targeted in Ransomware Attack (DataBreachToday.eu – Nov 01 2024)
LA housing authority confirms breach claimed by Cactus ransomware (Bleeping Computer – Nov 01 2024)

High Priority Vulnerabilities

Name             Software               Base Score   Temporal Score
CVE-2024-8956    PT30X-NDI              9.1          7.0
  Related: Hackers target critical zero-day vulnerability in PTZ cameras
CVE-2024-43047   Snapdragon Wearables   7.8          7.5
  Related: November 2024 Android Security Update Fixes Actively Exploited Vulnerabilities CVE-2024-43093, CVE-2024-43047
CVE-2024-36401   GeoServer              9.8          9.4
  Related: Androxgh0st integrates Mozi botnet functionalities and exploits new vulnerabilities
CVE-2019-7256    Linear eMerge E3       9.8          10.0
  Related: Ngioweb sells infected victims as residential proxies via Nsocks
CVE-2017-0199    Office                 7.8          6.0
  Related: SideWinder APT targets Sri Lanka via spear phishing campaigns
