Star Blizzard spear phishing campaign targets WhatsApp accounts
In mid-November 2024, Microsoft researchers observed the Russian threat actor Star Blizzard changing its initial access vector to target WhatsApp accounts. The campaign used spear phishing emails that invited the target to join a WhatsApp group for supposed non-governmental initiatives supporting NGOs in Ukraine. The email impersonated a US government official and contained a QR code that was deliberately broken, so that the target would reply. Star Blizzard then sent a second email offering a Safe Links-wrapped shortened link as an alternative; it redirected the victim to a webpage displaying a further QR code to join the group. That QR code was in fact a WhatsApp device-linking code: scanning it linked the victim’s account to an additional device, which gave the threat actor access to the account’s messages and allowed data to be exfiltrated using browser plugins.
New multi-stage loader PNGPlug used to deliver ValleyRAT to Chinese-speaking organisations
Intezer researchers identified a series of attacks against organisations in Chinese-speaking regions, including Hong Kong, Taiwan, and China. The campaign involves a new multi-stage loader, dubbed PNGPlug, which is used to deliver ValleyRAT. The attacks typically begin with a phishing site that encourages the victim to download a malicious MSI package disguised as legitimate software. Upon execution, a benign application is deployed, while an encrypted archive containing a DLL loader and malicious PNG image files is extracted. The PNG files contain PE executables that are loaded and injected into a newly created process, which executes ValleyRAT.
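The loader described above hides PE executables inside PNG files, which is a useful thing to check for on a mail gateway or in a sandbox. The script below is an added example written for this digest, not Intezer’s tooling and not derived from PNGPlug samples: it walks the PNG chunk structure, verifies chunk CRCs, and flags any chunk payload or post-IEND trailing data that contains a DOS header whose e_lfanew field points at a valid PE signature. The PNG and the PE header stub it scans are constructed inline for demonstration; the stub is not an executable.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_png_chunks(data: bytes):
    """Walk the chunk list of a PNG. Returns (chunks, trailing): chunks is a list of
    (type, payload, crc_ok) tuples, trailing is whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset = len(PNG_SIGNATURE)
    chunks = []
    while offset + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, offset)
        payload = data[offset + 8:offset + 8 + length]
        crc_field = data[offset + 8 + length:offset + 12 + length]
        if len(payload) != length or len(crc_field) != 4:
            break  # truncated chunk: stop here and treat the rest as trailing data
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc_field)[0]
        chunks.append((ctype.decode("latin-1"), payload, crc_ok))
        offset += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[offset:]


def find_embedded_pe(blob: bytes):
    """Offsets of every 'MZ' DOS header whose e_lfanew (at +0x3C) points at a 'PE\\0\\0' signature."""
    hits = []
    start = 0
    while True:
        idx = blob.find(b"MZ", start)
        if idx == -1 or idx + 0x40 > len(blob):
            break  # no further candidate, or not enough room for a full DOS header
        e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
        pe_off = idx + e_lfanew
        # A DOS header is 0x40 bytes, so e_lfanew below that is not a real PE; the upper
        # bound is a sanity limit for the DOS stub size.
        if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\0\0":
            hits.append(idx)
        start = idx + 1
    return hits


def assess_png(data: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"chunk {ctype}: CRC mismatch")
        for off in find_embedded_pe(payload):
            findings.append(f"chunk {ctype}: PE header at payload offset {off}")
    for off in find_embedded_pe(trailing):
        findings.append(f"trailing data after IEND: PE header at offset {off}")
    if trailing and not any(f.startswith("trailing") for f in findings):
        findings.append(f"trailing data after IEND: {len(trailing)} unexpected bytes")
    return findings


# Constructed sample (not a real executable): just "MZ", an e_lfanew of 0x40 at
# offset 0x3C, and "PE\0\0" at offset 0x40, which is all the check above looks for.
FAKE_PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 4


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, with optional extra chunks before IDAT and bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        png += make_chunk(ctype, payload)
    png += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return png + trailing


if __name__ == "__main__":
    samples = [
        ("clean image", build_png()),
        ("PE appended after IEND", build_png(trailing=FAKE_PE_STUB)),
        ("PE inside a private chunk", build_png(extra_chunks=[(b"prIv", FAKE_PE_STUB)])),
    ]
    for label, sample in samples:
        print(f"{label}: {assess_png(sample) or ['no findings']}")
```

The check is deliberately structural rather than a plain string search: requiring e_lfanew to resolve to a `PE\0\0` signature keeps false positives from the two bytes `MZ` appearing by chance in compressed image data. Encrypted or XOR-obfuscated payloads will not be caught by this test, so in practice pair it with a second signal such as unusually large ancillary chunks or data after IEND, both of which the script also reports.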
Threat actors impersonate CERT-UA using fake AnyDesk connection requests
CERT-UA warned of ongoing attempts by unknown threat actors to impersonate the agency by sending fake AnyDesk connection requests. The requests claim to be for conducting security audits and use social engineering techniques to exploit user trust. For the attack to succeed, AnyDesk must be installed and operational on the target’s computer. The attack also requires the attacker to be in possession of the target’s AnyDesk identifier.
Fake FortiGate config leaks used to target researchers with SmartLoader malware
Security researcher Chris Partridge warned of threat actors abusing the current news about Belsen Group’s leak of Fortinet FortiGate configurations to deliver malware. A newly created GitHub repository, called ‘Fortigate Belsen Leak Tracker’, contains a link to a ZIP file that supposedly contains all affected IPs. Instead, the file delivers the SmartLoader Lua malware, which is often used to install infostealers like Lumma.
PlushDaemon uses trojanised IPany VPN to deliver SlowStepper backdoor
ESET researchers identified a supply chain attack that targeted the South Korean VPN provider IPany in 2023 and 2024. The attack has been attributed to a new China-aligned advanced persistent threat group, dubbed PlushDaemon. The threat actor replaced the legitimate IPany installer with a trojanised version that bundled a new custom backdoor, dubbed SlowStepper, which has at least 30 modules. PlushDaemon has been active since at least 2019, engaging in espionage operations against users in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
Ransomware
Volume of blog posts by operators during the last week.
- Report: Healthcare ransomware targets are shifting (Security Magazine – Jan 23 2025)
- Trustwave SpiderLabs: Ransomware Attacks Against the Energy and Utilities Sector Up 80% (Trustwave – Blog – Jan 22 2025)
- The New Face of Ransomware: Key Players and Emerging Tactics of 2024 (SpiderLabs Blog – Jan 21 2025)
- Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” (Sophos – Jan 21 2025)
- Detecting Teams Chat Phishing Attacks (Black Basta) (NVISO Labs – Jan 16 2025)
Financial Services
- Bashe Ransomware strikes ICICI Bank (Cybersecurity Insiders – Jan 23 2025)
- TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware (The Hacker News – Jan 23 2025)
- Several Swiss municipalities and banks hit by cyberattack (Swiss Info – Jan 21 2025)
- Hackers exploit Tet season vulnerabilities to target bank accounts (VietNamNet News – Jan 20 2025)
- Sterling Bank Begins 2025 On Bad Note, As Hackers Steal Billions From Bank’s Platform (The Octopus News – Jan 19 2025)
Geopolitics
- Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations (Seqrite Blog – Jan 21 2025)
- Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses… (Knownsec 404 team – Jan 21 2025)
- Russian disinformation targets German election campaign, says think-tank (Reuters – Jan 20 2025)
- Sliver Implant Targets German Entities With DLL Sideloading And Proxying Techniques (Cyble Blog – Jan 17 2025)
- Cyber Threats Amid Disaster: California Fires Spark New Phishing Scams (Veriti – Jan 15 2025)
High Priority Vulnerabilities
CVE | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-7029 | AVM1203 | 9.8 | 9.8 | Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai
CVE-2024-8963 | CSA | 9.1 | 7.0 | CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
CVE-2024-32555 | Easy Real Estate Plugin | 9.8 | 7.1 | Critical zero-days impact premium WordPress real estate plugins
CVE-2024-49138 | Windows | 7.8 | 7.5 | Zero-Day Vulnerability in Windows Exploited: CVE-2024-49138 PoC Code Released
CVE-2024-55591 | FortiProxy | 9.8 | 9.8 | Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day