Cyware Weekly Threat Intelligence, May 13–17, 2024

The Good

• The FBI, DOJ, and international law enforcement agencies have taken down the BreachForums hacker website, leading to the arrest of alleged administrators and the seizure of infrastructure. BreachForums was the successor to the previously taken down RaidForums, and had been operating since June 2023 as a marketplace for stolen data, hacking tools, and other illegal services.
• The NCSC-U.K launched a new Share and Defend system that will provide ISPs with the same protections against malicious domains as government networks, helping to disrupt cybercrime and online fraud across the country. It works by sharing threat intelligence data with industry partners, such as Internet Service Providers, who can then take action to block access to malicious content for their customers.
• MITRE released the EMB3D threat model to address the evolving challenges in embedded device security. The model provides a common understanding of cyber threats to embedded devices and the security mechanisms needed to mitigate them. EMB3D aligns with and expands on existing models like Common Weakness Enumeration, MITRE ATT&CK, and Common Vulnerabilities and Exposures.
• The Singapore government has updated its Cybersecurity Act, giving its primary cybersecurity agency more power to regulate critical infrastructure and third-party providers, and requiring the reporting of cyber incidents, in response to the growing threat landscape and the increasing reliance on cloud services and third-party providers by critical infrastructure operators.
• The FCC is proposing a new requirement for ISPs to file regular updates on their efforts to secure BGP, a key internet routing protocol. The proposal would mandate that providers develop BGP security plans and document their use of the Resource Public Key Infrastructure (RPKI) security framework.

The Bad

• An unnamed European Ministry of Foreign Affairs and its diplomatic missions in the Middle East fell victim to espionage operations orchestrated by the Turla group. ESET researchers discovered two previously undocumented backdoors, LunarWeb and LunarMail, deployed in the attacks. LunarWeb operates on servers using HTTP(S) for command-and-control communications, while LunarMail, persisting as an Outlook add-in on workstations, communicates via email.
• ESET divulged the extensive infiltration of the Ebury botnet into over 400,000 Linux servers since 2009, with over 100,000 servers still compromised as of late 2023. The sophisticated campaign involved various monetization activities, including spam distribution, web traffic redirection, and credential theft, with actors also engaged in cryptocurrency heists and credit card theft. The attackers employ diverse delivery methods, including SSH credential theft and exploitation of web panel vulnerabilities.
• Microsoft released its Patch Tuesday updates, addressing a total of 61 security vulnerabilities which includes two zero-day issues being actively exploited in the wild. These are a critical flaw in the Windows MSHTML Platform and an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. These flaws could allow attackers to execute arbitrary code and gain SYSTEM privileges.
• A cybercriminal going by the moniker ‘salfetka’ has been spotted selling the source code of the INC Ransom RaaS operation. The sale offers Windows and Linux/ESXi versions of the ransomware. Meanwhile, the ransomware group is allegedly transitioning to a new data leak extortion platform, hinting at internal changes or a rebranding effort. Some experts say the sale could potentially be a scam.
• DanaBot malware operators are exploiting documents containing external links to evade detection, unveiled ASEC. Attackers send spam emails disguised as a job application form to deceive recipients. The analysis revealed the malware's propagation - from Word attachment execution to DanaBot installation via PowerShell. The malware can steal a variety of data, including screenshots and credentials.
• The Kimsuky APT group, linked to North Korea, has been using rogue Facebook accounts to target victims through Messenger and deliver malware. They impersonated a South Korean public official to connect with key individuals in North Korean and security-related fields. The attack involved sending decoy documents via Messenger, which linked to a malicious file hosted on OneDrive. Upon opening the file, a multi-stage attack chain was initiated, allowing the malware to gather and exfiltrate information to a C2 server.
• Security experts at New Jersey’s Cybersecurity and Communications Integration Cell warned of a LockBit Black ransomware campaign orchestrated by the re-emerged Phorpiex botnet group. Since April, millions of phishing emails with ZIP attachments have been sent. The new botnet version, dubbed Twizt, operates peer-to-peer, evading traditional detection methods. With over 1,500 unique sending IP addresses, the campaign spans multiple countries.
• Numerous security issues in Apple products have been found to pose significant risks to users, with the most severe flaw allowing arbitrary code execution. Tracked as CVE-2024-23296, the bug threatens government and business entities. Criminals are using techniques like Exploitation for Client Execution (T1203) wherein they potentially gain kernel privileges or bypass security measures. These vulnerabilities span macOS, iOS, iPadOS, watchOS, and tvOS.
• Malicious actors were found leveraging GoTo Meeting, a legitimate software, to execute Remcos RAT via deceptive tactics. Using a chain of LNK file executions, they trigger the malicious payloads, disguised as PDFs. The malware uses DLL sideloading to execute the malware DLL. The shellcode further obfuscates the process and assists in decrypting and executing the payload. A JS infection chain targeting diverse demographics with fake setups and documents was also identified.

New Threats

• North Korean state-sponsored hacker group Kimsuy was identified using a new Linux malware dubbed Gomir, a variant of the GoBear backdoor. The malware is distributed through trojanized software installers and shares similarities with GoBear, including direct C2 and support for various operations. Gomir targets South Korean government organizations and utilizes supply-chain attacks to maximize its impact.
• Google issued an emergency security update for Chrome to address a high-severity zero-day vulnerability (CVE-2024-4947) actively exploited in attacks. The flaw stemmed from a type confusion issue in the Chrome V8 JavaScript engine. This marks the third zero-day patch within a week. Alongside, Google urged users to update their browsers to the latest version (125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux) to mitigate the risk of exploitation.
• A suspected Chinese threat actor is using a customized version of the Gh0st RAT malware to target AI experts in the US, indicating a potential effort to steal non-public information related to generative artificial intelligence. The SugarGh0st malware, a variant of Gh0st RAT, has new capabilities including reconnaissance and data exfiltration, making it more advanced and dangerous than its predecessor. The campaign's use of AI-themed phishing lures and the recent US government efforts to restrict Chinese access to AI technologies suggest a possible motive for the cyberattacks: to harvest generative AI secrets for Chinese development goals.
• A newly discovered vulnerability in the WiFi standard, identified as CVE-2023-52424, enables attackers to execute an SSID Confusion attack on enterprise, mesh, and certain home WiFi networks. This flaw allows attackers to spoof network names and trick victims into connecting to less secure networks, potentially leading to traffic interception and manipulation.
• A concerning surge in phishing attacks posing as DocuSign documents threatens customer security. These attacks employ carefully crafted emails resembling authentic document signing requests, aiming to trick recipients into divulging sensitive information or clicking on malicious links. Factors such as DocuSign's widespread usage, trusted image, and cybercriminals' evolving tactics contribute to the spike.
• The U.K's NHS alerted organizations about the potential exploitation of vulnerabilities in Arcserve Unified Data Protection (UDP) software, disclosed in March. These include authentication bypass and path traversal flaws, with Tenable rating them ‘critical’ and the Centre for Cybersecurity Belgium emphasizing urgent action. Risks range from data theft to ransomware attacks, necessitating heightened monitoring alongside patching.
• The FCC alerted users regarding a group of robocall scammers known as Royal Tiger, marking them as the first Consumer Communications Information Services Threat (C-CIST). Led by Prince Jashvantlal Anand and Kaushal Bhavsar, Royal Tiger operates in multiple countries and has utilized various entities for illegal robocall campaigns targeting U.S. consumers. Despite previous warnings and cease-and-desist letters, the group continues to perpetuate imposter scams, including spoofed calls impersonating banks and government agencies.