APT35 employs fake recruitment sites to target aerospace and semiconductor companies
ThreatBook researchers identified the threat actor APT35 using forged recruitment and corporate sites in attacks primarily targeting aerospace and semiconductor companies in the United States, Thailand, the United Arab Emirates, and Israel. The attacks have been ongoing since September 2023 and aim to deliver malicious "white and black" samples (a legitimate signed executable paired with a malicious side-loaded DLL) under the guise of access programs offered by the sites. In a likely attempt to lure targets, the fake sites often advertise salaries significantly higher than those of comparable positions. The researchers also identified one fake site, targeting a semiconductor company, where the attacker used access restrictions to trick victims into downloading and installing a VPN program carrying a malicious payload.
TaxOff group targets Russian government agencies with Trinper backdoor
In Q3 2024, Positive Technologies researchers discovered a new threat actor, dubbed TaxOff, targeting Russian government agencies. The group used legal- and finance-themed phishing emails as the initial infection vector, leading to the deployment of a C++ backdoor dubbed Trinper. The main goal was espionage and gaining a foothold for further attacks. One of the observed emails linked to a Yandex Disk download containing a shortcut used to launch the Trinper backdoor, the backdoor itself, a merged encrypted RAR archive with trimmed headers, and a phishing form. The attackers also used the Spravki BK software to distribute Trinper; the same software was previously used to spread the Konni backdoor.
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT to targets in Russia
Kaspersky researchers identified a new campaign, dubbed Horns&Hooves, which aims to deliver the NetSupport remote access trojan (RAT) and BurnsRAT to private users, retailers, and service businesses primarily located in Russia. The delivery of the trojans is assessed to be an intermediate link in the overall attack chain, with NetSupport RAT observed delivering further infostealer payloads such as Rhadamanthys and Meduza. The campaign has been active since March 2023 and has impacted more than 1,000 victims. The attacks employ phishing emails to deliver a ZIP archive containing malicious JavaScript. The script files are disguised as requests and bids from potential customers and partners, and in some cases the attackers also add various archived documents related to the organisation or individual being impersonated. The researchers assess with high certainty that the threat actor TA569 is responsible for the campaign.
SmokeLoader deployed in attacks targeting multiple sectors in Taiwan
In September 2024, Fortinet researchers observed a campaign delivering SmokeLoader to companies in Taiwan, with targeted sectors including manufacturing, healthcare, information technology, and more. Phishing emails written in the targets' native language are used as the initial infection vector. The emails contain an attached Microsoft Excel file that exploits CVE-2017-0199 and CVE-2017-11882 to drop AndeLoader, which in turn deploys SmokeLoader. SmokeLoader consists of a stager and a main module; the stager's main purpose is to decrypt, decompress, and inject the main module into the explorer.exe process. Rather than delivering a further payload, SmokeLoader carries out the attack itself by downloading several plugins that allow it to steal login and FTP credentials, email addresses, cookies, and more from web browsers, Microsoft Outlook, Mozilla Thunderbird, FileZilla, and WinSCP.
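As an added detection illustration (not code from the Fortinet report), the following pass over constructed process-creation events flags the Office-exploit stage of this chain: the Equation Editor (the component patched by CVE-2017-11882) spawning any child, and an Office application spawning a script or command host. The key=value log format, paths and field names are assumed for the example.

```python
"""Flag process-creation events matching the Office-exploit stage of the
SmokeLoader chain: Equation Editor spawning a child process (CVE-2017-11882
exploitation pattern) or an Office app spawning a script/command host.
Log lines are constructed for this example in an assumed key=value format."""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Equation Editor is launched via COM when a document holds an equation and has
# no legitimate reason to start child processes.
EQUATION_EDITOR = "eqnedt32.exe"
# Hosts that Office applications should not spawn in normal document use.
SUSPICIOUS_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                       "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict string for a suspicious parent/child pair, else None."""
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    child = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if parent == EQUATION_EDITOR:
        return "high: Equation Editor spawned a child (CVE-2017-11882 pattern)"
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return "medium: Office application spawned a script/command host"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (pid, image, verdict) for every event that matches a pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            alerts.append((ev.get("pid", ""), ev.get("image", ""), verdict))
    return alerts


# Constructed sample events: benign Excel launch, Equation Editor started via
# DCOM (benign on its own), then two events that should raise alerts.
SAMPLE_LOG = [
    r'ts=2024-09-12T08:41:02Z pid=4120 image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" parent="C:\Windows\explorer.exe"',
    r'ts=2024-09-12T08:41:09Z pid=4188 image="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" parent="C:\Windows\System32\svchost.exe"',
    r'ts=2024-09-12T08:41:10Z pid=4210 image="C:\Windows\System32\cmd.exe" parent="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"',
    r'ts=2024-09-12T08:41:12Z pid=4231 image="C:\Windows\System32\mshta.exe" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```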
Secret Blizzard hijacks Storm-0156 infrastructure to attack compromised networks
Lumen and Microsoft researchers identified the Russian threat actor Secret Blizzard hijacking infrastructure belonging to the Pakistani threat actor Storm-0156 to launch attacks on already compromised networks, including Afghan and Indian government organisations. Since December 2022, Secret Blizzard has successfully infiltrated 33 separate C2 nodes used by Storm-0156, and has used the tools and infrastructure of at least six other threat actors since 2017. Secret Blizzard leveraged the pre-existing access to deploy a TinyTurla backdoor variant, as well as new malware dubbed TwoDash, MiniPocket, and Statuezy. By mid-2024, Secret Blizzard had also expanded its activities to include the use of Wainscot and CrimsonRAT, which it appropriated from the workstations of Pakistan-based operators. In the attacks targeting India, Secret Blizzard appeared to avoid direct deployment via Storm-0156 backdoors, unlike in the attacks targeting Afghanistan.
Ransomware
Volume of blog posts by operators during the last week.
Security
- Deloitte UK suffers alleged cyber incident, over 1TB stolen (Cyber Daily – Dec 04 2024)
- BT unit took servers offline after Black Basta ransomware breach (Bleeping Computer – Dec 04 2024)
- Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware (Rapid7 – Dec 04 2024)
- US government, energy sector contractor hit by ransomware (Help Net Security – Dec 03 2024)
- Threat Assessment: Howling Scorpius (Akira Ransomware) (Unit42 Palo Alto – Dec 02 2024)
- Storm-1811 exploits RMM tools to drop Black Basta ransomware (Red Canary – Dec 02 2024)
Financial Services
- Payroll Pirates: Unveiling the Sophisticated Payroll Redirection Phishing Campaign (Securityonline.info – Dec 05 2024)
- New DroidBot Android malware targets 77 banking, crypto apps (Bleeping Computer – Dec 04 2024)
- AI Bypasses Biometric Security In $138.5 Million Financial Fraud Risk (Forbes.com – Dec 04 2024)
- Republic Bank Warns Customers Of New Phishing Scam (St.Lucia Times – Dec 03 2024)
- Hackers steal $17 mln from Uganda central bank – state paper (Reuters – Nov 28 2024)
Geopolitics
- MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks (Trend Micro Simply Security – Dec 05 2024)
- U.S. government says Salt Typhoon is still in telecom networks (Cyberscoop – News – Dec 03 2024)
- France Accuses Azerbaijan of Online Manipulation Campaigns (Infosecurity Today – Dec 02 2024)
- Cyber-Attacks Could Impact Romanian Presidential Race, Officials Claim (Infosecurity Today – Nov 29 2024)
- Decoding Cyberattacks on Morocco (CYFIRMA – Nov 28 2024)
High Priority Vulnerabilities
| CVE | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2014-2120 | ASA | 6.1 | 4.1 | Cisco warns of continued exploitation of 10-year-old ASA bug |
| CVE-2024-11667 | USG20(W)-VPN | 7.5 | 5.3 | German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment |
| CVE-2023-40238 | InsydeH2O | 5.5 | 5.5 | Code found online exploits LogoFAIL to install Bootkitty Linux backdoor |
| CVE-2024-52564 | UD-LT1 EX | 5.3 | 5.3 | Japan warns of IO-Data zero-day router flaws exploited in attacks |
| CVE-2024-53375 | Tapo | 8.0 | 6.1 | PoC Confirms Root Privilege Exploit in TP-Link Archer AXE75 Vulnerability (CVE-2024-53375) |