Cyware Weekly Threat Intelligence, May 27–31, 2024 | Weekly Threat Briefing (2024)

The Good

In a bold stride towards AI accountability, NIST introduced the ARIA program to help evaluate AI technologies' real-world impacts, ensuring safety, security, and fairness. Meanwhile, OpenAI disrupted five international AI-powered disinformation campaigns, unmasking covert operations from China, Iran, Israel, and Russia that manipulated online discourse and political narratives.

• NIST launched a new program called Assessing Risks and Impacts of AI (ARIA) to help organizations and individuals evaluate and verify the capabilities and impacts of AI technologies in real-world scenarios. The program aims to help determine whether a given AI technology will be valid, reliable, safe, secure, private, and fair once deployed. ARIA expands on NIST's AI Risk Management Framework and will develop new methodologies and metrics to quantify how well an AI system maintains safe functionality within societal contexts.
• OpenAI disrupted five AI-powered disinformation campaigns originating from China, Iran, Israel, and Russia that sought to manipulate public discourse and political outcomes online while obscuring their true identities. The operations used OpenAI's models to generate text, debug code, translate and edit articles, and create the appearance of engagement across social media platforms.
• Europol coordinated an international effort, named Operation Endgame, to neutralize dropper botnet infrastructure for malware strains including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. This resulted in the takedown of over 100 servers and the arrest of four key suspects. The 911 S5 botnet-for-hire operation, suspected of hijacking millions of IP addresses for cybercrimes, was successfully shut down by the DOJ, leading to the arrest of its operator. The botnet was linked to 560,000 scam unemployment insurance claims, resulting in over $5.9 billion in losses, as well as other pandemic relief program scams

The Bad

In a cunning cyber scheme, cracked versions of popular software are spreading sophisticated malware co*cktails. Users unknowingly download malicious installers that fetch additional threats via Telegram and Mastodon. Concurrently, a zero-day vulnerability in Check Point VPNs is under active exploitation, compromising sensitive network data. Additionally, cybercriminals targeted the Arc browser’s launch with malicious Google Ads, leading users to trojanized installers and info-stealing malware.

• Cybercriminals are using cracked versions of Microsoft Office, Windows, and Hangul Word Processor to distribute a malware co*cktail to unsuspecting users. The malicious installer has a well-crafted interface that allows users to select the version and language, but in the background, it launches obfuscated .NET malware. The malware contacts Telegram or Mastodon channels to receive a valid download URL, often from Google Drive or GitHub, to fetch additional malware components such as Orcus RAT, XMRig, 3Proxy, PureCrypter, and AntiAV.
• Researchers recently discovered attempts to breach enterprise networks through Check Point VPNs affected by a zero-day vulnerability, CVE-2024-24919. The bug allowed threat actors to access sensitive information from network security gateways. Check Point initially released a hotfix to address password-only logins but later identified the underlying vulnerability. Mnemonic reported seeing attacks exploiting the flaw since April 30.
• Cybercriminals exploited the Arc browser's Windows launch by running malicious Google Ads that redirected users to typo-squatted domains mimicking the official site. These sites delivered trojanized installers from MEGA, downloading additional malware payloads like 'bootstrap.exe' and 'JRWeb.exe,' likely info-stealers. The malware uses Python executables to inject code into legitimate processes for command and control operations.
• Trellix researchers identified fake antivirus websites distributing info-stealers. These sites mimicked legitimate products from Avast, Bitdefender, and Malwarebytes. The malicious domains hosted APK, EXE, and Inno setup installer files. These files deployed the SpyNote trojan, Lumma information stealer, and StealC info-stealer, respectively, requesting elevated permissions like reading SMS messages, installing and deleting apps, taking screenshots, and more.
• Cloudflare disrupted a month-long phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine, using debt-themed lures to deliver PowerShell malware known as COOKBOX. The phishing campaign used Cloudflare Workers, GitHub, and exploited a WinRAR vulnerability to deliver the COOKBOX malware, primarily targeting Ukrainian military entities. Once installed, the COOKBOX variant will make requests to a DDNS domain for command-and-control, awaiting PowerShell cmdlets to be executed.
• The CatDDoS malware botnet reportedly abused over 80 known vulnerabilities in nearly 300 devices over the past three months, targeting routers, networking gear, and other devices from vendors such as Cisco, Apache, and Huawei. This botnet is a Mirai variant and conducts DDoS attacks primarily in China, the U.S., and other major countries. It uses the ChaCha20 algorithm for encrypted C2 communications and shares similarities with other botnets like hailBot and VapeBot.
• CERT-UA uncovered two attack campaigns by threat actor UAC-0006 infecting accountants in Ukraine with SmokeLoader to steal credentials and facilitate unauthorized fund transfers. Distributed via emails, SmokeLoader injects malicious code into explorer.exe and downloads additional malware like TALESHOT and RMS on affected systems. The attackers use ZIP archives containing IMG files to deploy the malware.

New Threats

In a striking evolution of ransomware, SpiderX emerges as a successor to Diablo, boasting faster encryption and other functionalities, making it a formidable threat to Windows systems. Vulnerabilities in popular WordPress plugins are being exploited to inject malicious scripts and create admin accounts, affecting numerous websites. Moreover, the RedTail cryptocurrency miner has evolved, exploiting a critical vulnerability in Palo Alto Networks firewalls.

• A new and advanced RaaS called SpiderX has been designed to be a successor to Diablo ransomware, featuring enhanced capabilities such as faster encryption, offline functionality, and a built-in info-stealer. SpiderX ransomware is designed for Windows systems and boasts features such as the ChaCha20-256 encryption algorithm, offline functionality, comprehensive targeting, built-in information stealer, and persistence, making it a highly effective and dangerous tool.
• Vulnerabilities in three popular WordPress plugins are being exploited to inject malicious scripts and backdoors, allowing attackers to create new administrator accounts and monitor infected websites. The exploited bugs include unauthenticated stored cross-site scripting (XSS) vulnerabilities in the WP Statistics(CVE-2024-2194), WP Meta SEO (CVE-2023-6961), and LiteSpeed Cache plugins (CVE-2023-40000), impacting a significant number of active installations.
• The RedTail cryptocurrency miner has evolved to exploit a critical vulnerability (CVE-2024-3400) in Palo Alto Networks firewalls, showcasing new anti-analysis techniques and the use of private crypto-mining pools. The malware spreads through multiple propagation mechanisms, targeting vulnerabilities in various systems such as TP-Link routers, ThinkPHP, and VMWare Workspace ONE Access and Identity Manager. The latest version of RedTail includes encrypted mining configurations to launch the embedded XMRig miner.
• A new ATM malware family, named EU ATM Malware, was advertised in the cybercrime underground. It reportedly threatens Europe's banking industry, claiming to compromise 99% of European ATMs and 60% globally. It purportedly targets machines from major vendors like Diebold Nixdorf and NCR. Experts shared the malware's full automation, simplifying deployment, offering various payment options, and more. The malware's manual operation mode adds to its versatility, heightening concerns.
• SingCERT issued a critical alert warning against nine plugins, including Copymatic, Pie Register, and Hash Form Drag & Drop Form Builder, which were found to be affected by critical flaws like arbitrary file uploads and SQL injection. Their exploitation could lead to unauthorized access and data compromise. SingCERT advises users to apply patches and adopt robust security measures promptly.
• A new North Korean threat actor, Moonstone Sleet, is targeting software, IT, education, and defense sectors with ransomware and custom malware. Using tactics like creating fake companies and job opportunities, Moonstone Sleet delivers malware through trojanized tools, fake games, and malicious npm packages. The group has been observed employing sophisticated phishing techniques and launching ransomware attacks, including a notable attack demanding $6.6 million in Bitcoin.
• Proofpoint identified a series of malicious email campaigns using piano-themed messages to conduct advance fee fraud scams. Experts spotted over 125,000 messages targeting primarily students and faculty at North American colleges, as well as healthcare and food and beverage sectors. The scam offers a free piano, asking victims to pay a fake shipping company for delivery. Payments are requested via Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency.

Tags