Winnti employs Glutton backdoor to target organisations and other cybercriminals
Qi An Xin researchers identified the Winnti threat actor employing a new PHP backdoor, dubbed Glutton, to target IT services, social security agencies, and web application developers in China and the United States since December 2023. The malware has also been used to target other cybercriminals, with Winnti embedding it inside software packages sold on cybercrime forums, impersonating gambling and gaming systems, cryptocurrency exchanges, and click-farming platforms. Glutton is an ELF-based modular backdoor that is capable of data exfiltration, code injection targeting popular PHP frameworks, and installing further backdoors. Backdoors deployed by Glutton include a PHP backdoor and the Winnti backdoor. The Glutton backdoor has weaknesses in stealth and encryption, indicating that it may be in an early development phase.
Suspected Chinese espionage campaign targets organisations in Southeast Asia
Symantec researchers observed an ongoing espionage campaign, active since October 2023, targeting high-profile organisations across Southeast Asia. The attackers leverage both open-source and living-off-the-land tools for the purpose of intelligence gathering. Between June and August 2024, the attackers compromised four machines on an organisation’s network. The attack began with a malicious PowerShell command altering the registry, then used an Impacket-based remote access tool to execute additional malicious commands. The threat actors also employed keyloggers, password protectors, and reverse proxy tools, including Rakshasa, Stowaway, and ReverseSSH to maintain persistence, along with DLL sideloading to intercept login credentials. Multiple tools used in the campaign have links to several China-based threat actors, such as Earth Baku.
Gamaredon uses BoneSpy and PlainGnome spyware to target former Soviet states
Lookout researchers identified two Android spyware families, dubbed BoneSpy and PlainGnome, that target former Soviet states, focusing on Russian-speaking victims. Both spyware families are attributed to the Russian threat actor Gamaredon and are designed to collect sensitive data such as SMS messages, call logs, and more. PlainGnome functions as a dropper for a surveillance payload, whereas BoneSpy is deployed as a standalone application. BoneSpy showed evidence of continuous development between January and October 2022, after which samples started using a consistent code structure and lure theming. The malware is primarily distributed through trojanised, functional Telegram applications labelled as ‘Beta’ versions. PlainGnome was first active in 2024 and is distributed using Telegram lures similar to those used for BoneSpy.
Suspected Earth Koshchei rogue RDP campaign targets multiple sectors
In October 2024, Trend Micro researchers observed a large-scale rogue RDP campaign targeting high-profile sectors. The attack used an RDP relay, a rogue RDP server, and a malicious RDP configuration file, risking potential data leakage and malware installation. Preparations for the campaign took place from August to October 2024, culminating in 200 spear phishing emails sent on October 22nd, 2024, to governments, armed forces, think tanks, academic researchers, and Ukrainian targets. The emails lured recipients into opening a rogue RDP configuration file, which connected their systems to a foreign RDP server. The attackers also employed anonymisation layers to evade detection, and used red team tools such as PyRDP for espionage and data exfiltration. The campaign is attributed to Earth Koshchei with medium confidence.
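A defender-side check for the vector described above: an added example (not code from the Trend Micro report) that parses an .rdp configuration file attached to an email and flags the settings that make such a file dangerous, namely a connection to a host outside the organisation's own RDP endpoints and redirection of local drives, clipboard or printers to the remote server. The allowlist, the sample file and the flagged keys are assumptions for illustration.

```python
"""Triage an .rdp configuration file received as an email attachment.

Added example, not from the original report. The risky-setting rules
and the allowlist of corporate RDP hosts are assumptions for illustration.
"""

# Constructed sample: the kind of settings a lure .rdp attachment could carry.
SAMPLE_RDP = """\
full address:s:rdp.example-lure.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
prompt for credentials:i:0
"""

# Hypothetical allowlist of the organisation's own RDP endpoints.
ALLOWED_HOSTS = {"rdp.corp.internal"}


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) == 3:
            key, _typ, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings


def triage_rdp(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0]
    if host and host not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host}")
    # Resource redirection exposes local drives and clipboard to the remote server.
    if s.get("drivestoredirect"):
        findings.append("local drives redirected: " + s["drivestoredirect"])
    for key in ("redirectclipboard", "redirectprinters", "redirectsmartcards"):
        if s.get(key) == "1":
            findings.append(f"{key} enabled")
    return findings


if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("WARN:", finding)
```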
Phishing campaign abuses HubSpot to target Microsoft Azure accounts of European organisations
In June 2024, Palo Alto Networks Unit 42 researchers identified a phishing campaign targeting at least 20,000 users across European automotive, chemical, and industrial compound manufacturing companies. The campaign abuses HubSpot to redirect victims to credential-harvesting pages, with the ultimate aim of taking over a target’s Microsoft Azure cloud infrastructure. It was still active as of September 2024. The campaign involves supposed Docusign PDFs sent via phishing emails containing HubSpot Free Form Builder links. At least 17 working Free Forms were identified, which were used to redirect victims to different actor-controlled domains. Each of the Free Forms contained a similar Microsoft Outlook Web App landing page. HubSpot’s own infrastructure was not compromised, nor were the links sent via HubSpot infrastructure.
Ransomware
Volume of blog posts by operators during the last week.
NotLockBit: A Deep Dive Into the New Ransomware Threat – Qualys Blog – Dec 18 2024
1.4M records stolen in Texas Tech University Health Sciences Center ransomware attack – SiliconANGLE – Dec 17 2024
Dragos Industrial Ransomware Analysis: Q3 2024 – Dragos Blog – Dec 17 2024
Namibia ransomware: Sensitive data leaked after telecoms firm hacked – BBC – Dec 17 2024
Inside the Business of Ransomware: Insights from Reddit AMA with Ransomware Negotiators – Socket – Dec 17 2024
Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs – SecurityWeek RSS Feed – Dec 16 2024
Ransomware Attack on Brazilian Gov’t Exposes ‘Fog’ Cyber-Gang – OCCRP – Dec 12 2024
Financial Services
5 million payment card details stolen in painful reminder to monitor Christmas spending – Malwarebytes Labs Blog – Dec 17 2024
Download a banker to track your parcel – Kaspersky Lab – Dec 17 2024
SRP Federal Credit Union Ransomware Attack Impacts 240,000 – SecurityWeek RSS Feed – Dec 16 2024
A New Android Banking Trojan Masquerades as Utility and Banking Apps in India – McAfee Labs – Other Blogs – Dec 12 2024
Spain busts voice phishing ring for defrauding 10,000 bank customers – Bleeping Computer – Dec 12 2024
Geopolitics
Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations – Kaspersky Lab – Dec 18 2024
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs – Proofpoint US Blog – Dec 17 2024
Serbia: “A Digital Prison”: Surveillance and the suppression of civil society in Serbia – Amnesty International – Publications – Dec 16 2024
New Yokai Side-loaded Backdoor Targets Thai Officials – Netskope – Threat Labs – Dec 13 2024
Hacktivist Alliances Target France Amidst Political Crisis – Cyble – Dec 12 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-53677 | Struts | 6.3 | 6.0 | Critical security hole in Apache Struts under exploit
CVE-2024-55956 | LexiCom | 9.8 | 6.0 | CVE Assigned to Cleo Vulnerability as Cl0p Ransomware Group Takes Credit for Exploitation
CVE-2024-35250 | Windows | 7.8 | 7.5 | CISA adds high-severity Microsoft and Adobe flaws to KEV catalog
CVE-2024-38819 | Spring Framework | 5.3 | 5.1 | PoC developed for Spring Framework path traversal flaw
CVE-2017-11882 | Office | 7.8 | 6.0 | Distinct infection chains used to deliver Remcos RAT variants