The Good
The FCC has approved a notice of proposed rulemaking that focuses on Border Gateway Protocol (BGP) security. At its core, it would require the nine largest U.S. broadband providers to create and maintain confidential BGP security risk management plans. Separately, U.S. federal agents have seized 70 domains tied to a cryptocurrency investment scam. The scheme specifically targeted the Russian diaspora in New York and produced about $5 million in victim losses nationwide.
- The FCC approved a notice of proposed rulemaking targeting Border Gateway Protocol (BGP) security, requiring the nine largest U.S. broadband providers to establish confidential BGP security risk management plans. This comes after recent BGP hijacking incidents, including one linked to Russian troops invading Ukraine. The proposed rules also require smaller providers to prepare and maintain BGP plans.
- NIST published a draft OT cybersecurity guide for the water sector, seeking public feedback to help water and wastewater utilities secure their systems and remote access capabilities against emerging cyber threats. The draft guide offers solutions for a range of water and wastewater systems, as well as cloud-based remote access solutions, to help mitigate cybersecurity risks. The project explores the application of existing commercially available products to improve asset management, enhance data integrity, and expand network segmentation capabilities while allowing for remote access to OT assets.
- Microsoft and Google are offering free or highly discounted cybersecurity services to rural and critical-access hospitals in the U.S. as part of the government’s initiative to bolster cybersecurity in the healthcare sector. Congress has also focused on the cybersecurity needs of rural hospitals, with the Senate approving the Rural Hospital Cybersecurity Enhancement Act. The administration has also published voluntary "cybersecurity performance goals" for the healthcare sector, with plans to tie them to financial incentives.
- The U.S. federal authorities have seized 70 domains linked to a cryptocurrency investment scam that targeted the Russian diaspora in New York, resulting in over $5 million in losses for victims across the country. The scam lured victims through Facebook ads featuring a deepfake video of Elon Musk encouraging cryptocurrency investments. After investing for weeks or months, victims were locked out of their accounts or told to pay additional fees and taxes to withdraw their funds.
The Bad
ESET researchers have uncovered five campaigns targeting Android users with trojanized apps, likely the work of the Arid Viper APT group. These operations deploy a three-stage Android spyware dubbed AridSpy against users in Egypt and Palestine. On another front, a newly surfaced North Korean threat actor, Moonstone Sleet, has turned its attention to the software supply chain, spreading malicious npm packages through public open-source repositories. Meanwhile, the Kimsuky threat group is exploiting a vulnerability in the Microsoft Office Equation Editor. The attack begins when an unwitting user opens a compromised Office document, which triggers the equation editor to run a malicious script.
- ESET researchers identified five campaigns targeting Android users with trojanized apps, most likely orchestrated by the Arid Viper APT group. These campaigns involve the distribution of a three-stage Android spyware named AridSpy through dedicated websites. The malware is distributed through websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app.
- A newly identified North Korean threat actor, Moonstone Sleet, is targeting the software supply chain by publishing malicious npm packages to public open source repositories. The group targets developers directly and distinguishes itself from other North Korean actors by using new techniques such as single-package approaches. In Q2 2024, the Moonstone Sleet packages increased in complexity, adding obfuscation and targeting of Linux systems.
- The Kimsuky threat group has been carrying out a sophisticated cyberattack by exploiting a known vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor, according to ASEC. The attack begins when a user opens a compromised Office document, triggering the equation editor to execute a malicious script. The script downloads additional malware, including a keylogger that records users' keystrokes and clipboard data.
- CISA warned that criminals are impersonating its employees in phone calls and trying to trick victims into sending money. This is part of a broader trend in which fraudsters use government employees' titles and names to make their scams appear more legitimate. The agency reminded the public that its staff will never contact anyone to request wire transfers, cash, cryptocurrency, or gift cards, nor will they instruct people to keep discussions secret.
- More_eggs is a modular backdoor capable of stealing sensitive data, believed to be the work of the threat actor group Golden Chickens (aka Venom Spider). Phishing attacks using the More_eggs malware are resurfacing, this time disguised as a job applicant's resume. A recent attack uncovered by eSentire targeted an unnamed industrial services company in May. The attackers responded to LinkedIn job postings with a link to a fake resume download site, leading to the download of a malicious Windows Shortcut file.
New Threats
The Pakistan-linked threat group Cosmic Leopard has been running a long-term malware campaign known as Operation Celestial Force, targeting Windows, Android, and macOS devices. The campaign, active since at least 2018, uses several malware tools: GravityRAT, HeavyLift, and GravityAdmin. Separately, a significant XSS vulnerability has been identified in the Summernote 0.8.18 WYSIWYG editor; it allows attackers to embed harmful scripts into trusted applications or websites. Additionally, a new Agent Tesla RAT variant is targeting Spanish-speaking individuals via phishing emails posing as SWIFT transfer notifications from financial institutions.
- A long-running malware campaign by Pakistan-linked threat group Cosmic Leopard has evolved to target Windows, Android, and macOS devices, using a suite of malware tools. The malware campaign, dubbed Operation Celestial Force, has been active since at least 2018. The malware tools include GravityRAT (for Windows, Android, and macOS), HeavyLift (an Electron-based malware loader for Windows and macOS), and GravityAdmin (a command-and-control tool).
- A significant XSS vulnerability (CVE-2024-37629) has been found in the Summernote 0.8.18 WYSIWYG editor. The flaw allows attackers to insert harmful executable scripts into trusted applications or websites. A security researcher discovered it while testing the Code View function and successfully executed a malicious XSS payload. Over 10,000 web apps may be affected, leaving their users susceptible to persistent (stored) XSS.
- A new Agent Tesla RAT variant is targeting Spanish-speaking individuals through phishing emails posing as SWIFT transfer notifications from financial institutions. The malware can exploit MS Office vulnerabilities, steal sensitive information from various applications, and evade detection using fileless modules and the FTP protocol for data submission. It also employs a fileless module downloaded by a malicious JavaScript code, making it difficult to detect.
- A new phishing toolkit allows cybercriminals to create Progressive Web Apps (PWAs) that display convincing corporate login forms to steal user credentials. PWAs integrate with the operating system and can have their own app icons, making them appear more legitimate to users. The toolkit includes a fake address bar showing the legitimate corporate login URL to make the phishing page look more convincing.
- A critical security flaw (CVE-2024-27801) in Apple platforms allows threat actors to gain unauthorized access, posing a serious risk to user and business data security. The vulnerability in the low-level implementation of NSXPC could enable attackers to compromise security features and gain extensive control over impacted devices. The potential consequences include data exfiltration, weakened privacy and security assurances, and risks for users and businesses.
- A new Windows malware called Warmcookie is being distributed through fake job offer phishing campaigns to infiltrate corporate networks. The malware is capable of extensive machine fingerprinting, capturing screenshots, and deploying additional payloads. The phishing emails contain links to fake job platforms that redirect to malicious landing pages. Once executed, the malware establishes communication with a C2 server, collects victim information, captures screenshots, executes commands, and evades analysis environments.
- The TellYouThePass ransomware group exploited a critical flaw in PHP on Windows servers after a proof-of-concept script was released. The attackers used the flaw to execute arbitrary code, deploying ransomware through webshell uploads and launching attacks using mshta.exe. The ransomware sends details about infected machines to a command-and-control server and then publishes a ransom message in the web directory.
- Zscaler ThreatLabz recently identified a new campaign delivering the latest version of ValleyRAT, which involves multiple stages. The campaign utilizes an HTTP File Server as the initial stage downloader to download the files required for subsequent attack stages. The downloader and loader employed in the campaign use various techniques, including anti-virus checks, DLL sideloading, and process injection. The ValleyRAT sample delivered includes modifications compared to a previously documented version, particularly in device fingerprinting, bot ID generation, and supported commands.
Posted on: June 14, 2024