CyberSecurity Newsletter December 9th, 2024
In this week’s news: Windows Explorer has a zero-day that lets attackers capture NTLM credentials, a $1 phone scanner finds Pegasus spyware, G20 business leaders rank economic risk above cyber risk, Brain Cipher claims to have breached Deloitte UK, the More_eggs malware-as-a-service operation is expanding, a large U.S. organization with a significant presence in China was reportedly breached by China-based threat actors, a Nebraska man pleaded guilty to operating a large-scale cryptojacking operation, and a Texas teen was arrested for the Scattered Spider telecom hacks.
A new zero-day vulnerability allows attackers to capture NTLM credentials simply by tricking the target into viewing a malicious file in Windows Explorer: opening a folder, shared directory or USB drive that contains the file is enough to make Windows authenticate to an attacker-controlled share. The flaw was discovered by researchers at 0patch, a service that ships unofficial micropatches for Windows, including end-of-life versions, and was reported to Microsoft. No official fix has been released yet, although 0patch has issued an unofficial patch. A captured NTLM hash can be cracked offline or relayed to other services, so until Microsoft ships a fix the standard mitigations are blocking outbound SMB at the perimeter and restricting outgoing NTLM traffic to remote servers:
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch/
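The immediate operational question for this bug is whether any workstation has already been coerced into an outbound SMB connection. The following is an added example, not code from 0patch or from the article, that flags outbound SMB to external addresses in a firewall or netflow export. The CSV layout, the internal address ranges and the sample rows are constructed for illustration and should be swapped for your own export format and address space.

```python
import csv
import io
import ipaddress

# Ports a credential-leaking file can coerce a Windows client into using:
# 445 (SMB direct host) and 139 (SMB over NetBIOS). The WebDAV fallback on
# 80/443 is not matched here; at this layer it looks like ordinary browsing.
NTLM_EGRESS_PORTS = {445, 139}

# Our own address space (assumed RFC 1918 plus loopback and IPv6 local ranges).
# An explicit list is used instead of ipaddress.is_global because the stdlib
# classifies documentation ranges such as 203.0.113.0/24, used in the sample
# below, as non-global, which would hide the hits.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed firewall export for illustration; not real traffic.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,proto,action
2024-12-09T10:01:02Z,10.20.30.41,10.20.30.5,445,tcp,allow
2024-12-09T10:01:07Z,10.20.30.41,203.0.113.77,445,tcp,allow
2024-12-09T10:01:09Z,10.20.30.41,203.0.113.77,139,tcp,deny
2024-12-09T10:02:15Z,10.20.30.52,198.51.100.9,443,tcp,allow
2024-12-09T10:02:40Z,10.20.30.41,2001:db8::1,445,tcp,allow
"""


def is_internal(ip):
    """True when the address falls inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_ntlm_egress(log_text):
    """Return the rows where an internal host tried to reach an SMB port on an
    external address. Denied attempts are kept on purpose: a blocked connection
    still shows the host was coerced into authenticating outward, which is the
    lead an analyst wants to trace back to a file or share."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dst_port"]) not in NTLM_EGRESS_PORTS:
            continue
        if not is_internal(row["src_ip"]) or is_internal(row["dst_ip"]):
            continue
        hits.append({
            "time": row["timestamp"],
            "src": row["src_ip"],
            "dst": f'{row["dst_ip"]}:{row["dst_port"]}',
            "action": row["action"],
        })
    return hits


def hosts_to_triage(hits):
    """Map each source host to the external SMB endpoints it contacted, so the
    responder knows which machines to check for the malicious file."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["src"], []).append(h["dst"])
    return by_host


if __name__ == "__main__":
    for h in find_ntlm_egress(SAMPLE_LOG):
        print(f'{h["time"]} {h["src"]} -> {h["dst"]} ({h["action"]})')
```

Every hit is a host whose recently browsed folders and shares deserve a look. The same rule expressed as prevention is to block TCP 445/139 egress at the perimeter and enable the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which this example only detects around rather than enforces.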
A $1 phone scanner has found seven Pegasus spyware infections. iVerify's detection tool, launched in May, is turning up victims:
https://arstechnica.com/security/2024/12/1-phone-scanner-finds-seven-pegasus-spyware-infections/
Business leaders in G20 countries are more concerned about economic risks than cyber risks, although many fear “adverse outcomes” stemming from AI use, according to new World Economic Forum (WEF) research. The data comes from WEF’s new Executive Opinion Survey, which is based on interviews with 11,000 business executives who reside in G20 member nations. They were asked to select the top five risks most likely to pose the biggest threat to their country in the next two years:
https://www.infosecurity-magazine.com/news/g20-leaders-fear-economic-cyber/
A US federal appeals court has rejected a challenge to the law that prevents popular apps that collect data on Americans from being controlled by a foreign adversary. The decision puts the ongoing operation of social media network TikTok, a subsidiary of China-based ByteDance, at risk:
https://www.theregister.com/2024/12/06/appeals_court_backs_tiktok_ban/
An Android remote access Trojan (RAT) dubbed "DroidBot" combines spyware features such as keylogging and screen monitoring with inbound and outbound data transmission to steal data from banks, cryptocurrency exchanges, and national organizations. But the real concern cybersecurity analysts have about DroidBot is its apparent expansion into a full malware-as-a-service operation:
https://www.darkreading.com/threat-intelligence/trojan-service-hits-euro-banks-crypto-exchanges
Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish the data it had stolen earlier this week. However, despite the claims, a Deloitte spokesperson told Infosecurity that its investigation indicates that the allegations relate to a single client's system which sits outside of the Deloitte network:
https://www.infosecurity-magazine.com/news/deloitte-denies-breach-claims/
The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation. This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads:
https://thehackernews.com/2024/12/moreeggs-maas-expands-operations-with.html
The FBI has warned that criminals are using generative AI to enhance financial fraud schemes, and the Bureau has issued new guidance for the public on protecting themselves from these tactics:
https://www.infosecurity-magazine.com/news/fbi-genai-financial-fraud/
A large U.S. organization with significant presence in China has been reportedly breached by China-based threat actors who persisted on its networks from April to August 2024. According to Symantec’s threat researchers, the operation appeared to focus on intelligence gathering, involving multiple compromised machines and targeting Exchange Servers, likely for email and data exfiltration. The researchers did not explicitly name the breached U.S. organization but mentioned that the same entity was targeted by the China-based ‘Daggerfly’ threat group in 2023:
https://www.bleepingcomputer.com/news/security/us-org-suffered-four-month-intrusion-by-chinese-hackers/
A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China:
https://www.darkreading.com/cyberattacks-data-breaches/earth-minotaur-exploits-wechat-bugs-spyware-uyghurs
More on DroidBot, the Android remote access trojan (RAT) sold as a service for $3,000: as many as 77 banking institutions, cryptocurrency exchanges, and national organizations have been targeted by the newly discovered malware:
https://thehackernews.com/2024/12/this-3000-android-trojan-targeting.html
A Nebraska man pleaded guilty on Thursday to operating a large-scale cryptojacking operation after being arrested and charged in April. Charles O. Parks III (also known as "CP3O") admitted that he didn't pay a $3.5 million bill after renting cloud computing time from two providers to mine approximately $970,000 worth of cryptocurrency:
https://www.bleepingcomputer.com/news/security/nebraska-man-pleads-guilty-to-35-million-cryptojacking-scheme/
A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year. The findings come as part of a collaborative investigation by First Department and the University of Toronto's Citizen Lab:
https://thehackernews.com/2024/12/fsb-uses-trojan-app-to-monitor-russian.html
A Texas teen has been arrested for the Scattered Spider telecom hacks. An FBI operation nabbed a member of the infamous cybercrime group, who is reportedly informing on "key Scattered Spider members" and their tactics:
https://www.darkreading.com/cyberattacks-data-breaches/texas-teen-arrested-scattered-spider-telecom-hacks
Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings:
https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html
A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances. watchTowr, which spotted both flaws and disclosed them to Mitel, has published a proof-of-concept (PoC) exploit that strings the two together:
https://www.theregister.com/2024/12/06/mitel_micollab_0day/
The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop. The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that's designed to drop the Visual Basic Script malware, Recorded Future's Insikt Group said in a new analysis:
https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html
Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher. The advisory, covering CVE-2024-54134 (CVSS base score 8.3, High), explains that a hijacked @solana account with permission to publish the library was used to add malicious code:
https://www.theregister.com/2024/12/05/solana_javascript_sdk_compromised/
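The practical question for anyone depending on this library is whether a compromised release is anywhere in the dependency tree, including nested copies that package.json never mentions. The following added example, not the Solana project's own tooling, walks an npm lockfile for every installed copy of @solana/web3.js and reports those matching the malicious releases. The lockfile contents are constructed; the version list (1.95.6 and 1.95.7, fixed in 1.95.8) is the one from the maintainers' advisory, which this page does not quote.

```python
import json

PACKAGE = "@solana/web3.js"
# Releases named as malicious in the CVE-2024-54134 advisory (not listed on
# this page); the clean follow-up release was 1.95.8.
MALICIOUS_VERSIONS = {"1.95.6", "1.95.7"}

# Constructed package-lock.json (lockfileVersion 3 layout) for illustration:
# the app pins a clean version directly, but a transitive dependency pulls in
# a nested copy of a compromised release.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-dapp",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@solana/web3.js": "^1.95.8", "some-wallet-adapter": "2.1.0"}},
    "node_modules/@solana/web3.js": {"version": "1.95.8"},
    "node_modules/some-wallet-adapter": {"version": "2.1.0", "dependencies": {"@solana/web3.js": "1.95.6"}},
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": {"version": "1.95.6"}
  }
}
""")

# Constructed lockfileVersion 1 layout, where copies nest inside "dependencies".
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "@solana/web3.js": {"version": "1.95.7"},
        "some-wallet-adapter": {
            "version": "2.1.0",
            "dependencies": {"@solana/web3.js": {"version": "1.95.8"}},
        },
    },
}


def installed_copies(lock, name):
    """Return (install_path, version) for every copy of `name` in the lockfile.
    Handles lockfileVersion 2/3 ("packages" keyed by install path) and the
    older v1 nested "dependencies" tree."""
    copies = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            # Match the full trailing segment so "@other/web3.js" is not a hit.
            if path.endswith("node_modules/" + name):
                copies.append((path, meta.get("version")))
        return copies

    def walk(deps, prefix):
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                copies.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return copies


def compromised_copies(lock, name=PACKAGE, bad=MALICIOUS_VERSIONS):
    """Installed copies of `name` whose exact version is on the bad list."""
    return [(p, v) for p, v in installed_copies(lock, name) if v in bad]


if __name__ == "__main__":
    for path, version in compromised_copies(SAMPLE_LOCK):
        print(f"COMPROMISED {version} at {path}")
```

For an already installed tree, `npm ls @solana/web3.js` answers the same question from a shell; the lockfile check is what belongs in CI, before anything is installed. A hit means any private key that passed through a build or service using that copy should be treated as exposed and rotated, since the injected code exfiltrated key material.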
Microsoft is now testing its AI-powered Recall feature on AMD and Intel-powered Copilot+ PCs enrolled in the Windows 11 Insider program. The company started rolling out the first preview of Recall to Snapdragon Copilot+ PCs last month after two delays in June and October. First introduced in May, Recall is a Windows feature that captures screenshots of active windows every few seconds, analyzes them, and allows Windows 11 users to search for specific snapshots using natural language:
https://www.bleepingcomputer.com/news/microsoft/microsoft-expands-recall-preview-to-intel-and-amd-copilot-plus-pcs/