WEEKLY TOP TEN: June 17, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following ten stories were selected from the 40+ we reviewed as the most significant of the week, ranked by risk and drawing on multiple sources where available:
- CISA Adds Android Pixel, Microsoft Windows, Progress Telerik Report Server to its Known Exploited Vulnerabilities Catalog
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its catalog. Google Pixel has a framework vulnerability (CVE-2024-32896), a logic error in the code that allows local privilege escalation. Microsoft Windows has a privilege escalation vulnerability in its Error Reporting Service that can give an attacker system access (CVE-2024-26169).
Lastly, Progress Telerik Report Server has an authentication bypass via spoofing (CVE-2024-4358). Once an attacker bypasses authentication, they gain access to server-restricted functionality. All three vulnerabilities have since been patched, and CISA has ordered federal agencies to apply the patches by July 4th, 2024.
- Ransomware Attack Behind City Hall Cyber Problems, Cleveland Shares
Earlier this week, the City of Cleveland, Ohio, was hit by a cyberattack. On Friday, June 14th, the city confirmed the incident as being a ransomware attack after an investigation. The city’s essential services are still running, while the rest have been shut down to mitigate the damage. Although no threat actor has yet claimed responsibility for the attack, this continues the trend of ransomware attacks on governments. The city has also confirmed that taxpayer data is not affected.
- Scattered Spider Hackers Switch Focus to Cloud Apps for Data Theft
The Scattered Spider gang, known for their breach of MGM, has started to steal data from software-as-a-service applications. A report by Mandiant states that Scattered Spider has expanded their tactics, techniques, and procedures (TTPs) into cloud infrastructure and SaaS applications to steal data without encryption.
Once Scattered Spider gains initial access, they have been seen using Okta to reach cloud and SaaS applications; from there, they create new virtual machines and disable security controls. Mandiant also reports that they pivoted to EDR tools, creating API keys in CrowdStrike to test their access. Using CrowdStrike’s external console, Scattered Spider runs commands such as whoami and quser.
To defend against these TTPs, Mandiant suggests higher levels of monitoring on SaaS and cloud applications, as well as consistent auditing of VMs.
- Microsoft Delays Windows Recall Amid Privacy and Security Concerns
Microsoft had planned to release a public preview of Windows Recall on June 18th, but after loud public feedback from security professionals, it has delayed the launch to a future date. Windows Recall is Microsoft’s latest development in the AI space; it’s capable of capturing every active window on a machine every three seconds.
These screenshots are then sent to an Azure AI model, which extracts data and adds the image to a database, allowing users to search their history. Due to the criticism from security professionals, the feature will now be opt-in. Microsoft has also announced that it will build additional security features into the system before the public launch, but has not given specifics.
- Ascension Hacked After Employee Downloaded Malicious File
Ascension, a large healthcare organization, has announced an update to the cybersecurity incident that we reported on May 13th, 2024. An employee downloaded a malicious file onto a company device, which resulted in a ransomware attack against the organization. The incident forced Ascension to take devices offline, and employees lost access to electronic records. While the investigation is still ongoing, Ascension states that data has been stolen from seven of its servers. This data includes protected health information and personally identifiable information.
- Search & Spoof: Abuse of Windows Search to Redirect to Malware
Researchers from Trustwave SpiderLabs have detected an advanced malware campaign that abuses the Windows search functionality to deploy malware. The campaign starts with a phishing email that contains a malicious HTML document, usually compressed in a zip archive. Once the HTML document is opened in the browser, it immediately redirects to a URL using the Windows search protocol, which hands the query to Windows Explorer.
The search is crafted to return an LNK file named INVOICE from a remote web server. Once clicked, the LNK file launches a malicious batch script. The danger here is that the campaign uses built-in Windows features to appear benign to the end user while infecting the machine at the same time.
- Warmcookie Windows Backdoor Pushed via Fake Job Offers
An ongoing phishing campaign, dubbed “Warmcookie,” is being distributed through fake job offer emails. Security firm Elastic Security Labs has been tracking this campaign and has disclosed the killchain. Warmcookie starts with a spearphishing email targeting employees with a fake job offer.
Once an employee clicks the link, they are prompted to download the malware. The malware then loads malicious binaries onto the victim’s machine, creates scheduled tasks for persistence, calls out to its C2 server, and then fingerprints the machine.
- Malicious VSCode Extensions with Millions of Installs Discovered
A group of security researchers has discovered significant weaknesses in Visual Studio Code’s extension ecosystem, mainly the lack of oversight from Microsoft to protect users from malicious extensions. To test how dangerous an extension can be, the researchers created their own extension named “Dracula Official,” a dark-mode theme to reduce eye strain. They then added code that collects system information from the extension’s users and sends it to the researchers’ server.
The researchers note that their malicious extension passed Microsoft’s security checks and also went undetected by EDR tools, as EDR tools do not work well with VS Code extensions. The “Dracula Official” extension was downloaded millions of times across the world, showing how quickly an extension can gain traction once it becomes popular.
- Operation Celestial Force Employs Mobile and Desktop Malware to Target Indian Entities
Researchers at Cisco Talos have been tracking Operation Celestial Force since 2018, and note that the operation is still expanding its capabilities and tactics. One new tactic is the use of social media as an infection point. The first step is to make contact with a victim over social media to gain their trust.
Once a relationship has been established, malware is sent to the victim. Multiple components have been observed, such as GravityRAT, HeavyLift, and GravityAdmin. HeavyLift is a malware loader, while GravityAdmin is the administrative panel for controlling infected machines.
- New Attack Technique ‘Sleepy Pickle’ Targets Machine Learning Models
“Sleepy Pickle” is a new attack technique that exploits machine learning models by attacking the model file itself instead of the system running the model. Machine learning models commonly use a serialization format known as pickle for storing and retrieving trained models and data objects. The issue arises during deserialization: if the pickle file is malicious, arbitrary code execution is possible.
Sleepy Pickle works by inserting a payload into a pickle file; once the file is deserialized, the ML model is infected. Infection can range from backdoors in the model to corruption, allowing attackers to change the model’s output to harmful instructions or misinformation.
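The deserialization risk described above can be checked before a model file is ever loaded. The following is an added example, not code from the original digest or from the Sleepy Pickle research: it statically lists every global a pickle would import (using the standard library's pickletools, so nothing executes), then loads it through a restricted Unpickler that only resolves an allowlist. The allowlist contents, the `_Hook` class and the two sample pickles are constructed for the demo; `_Hook` names the harmless `platform.system` to stand in for an injected payload.

```python
import io
import pickle
import pickletools
import platform
from collections import OrderedDict

# Demo allowlist (an assumption): a real deployment lists its ML framework's types.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
def referenced_globals(data: bytes) -> set:
    """List every (module, name) the pickle would import, without running it.
    GLOBAL/INST carry both names in one argument; STACK_GLOBAL (protocol 4+)
    takes the two most recently pushed strings, as CPython's pickler emits it."""
    found, strings, memo = set(), [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "MEMOIZE":  # memo tracking is a heuristic for strings only
            memo[len(memo)] = strings[-1] if strings else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if strings else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            strings.append(memo.get(arg))
        elif op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.add((strings[-2], strings[-1]))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):  # runtime control: allowlist only
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(data: bytes):
    """Static scan first (nothing executes), then a restricted unpickle."""
    bad = referenced_globals(data) - ALLOWED
    if bad:
        raise pickle.UnpicklingError(f"disallowed globals: {sorted(bad)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

class _Hook:
    # Constructed sample standing in for an injected payload: whatever callable
    # is named here runs on load; platform.system() is harmless by design.
    def __reduce__(self):
        return (platform.system, ())
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "meta": OrderedDict(a=1)}, protocol=4)
TAMPERED = pickle.dumps({"weights": [0.1, 0.2], "hook": _Hook()}, protocol=4)
```

`referenced_globals(TAMPERED)` reports `{("platform", "system")}` and `safe_load(TAMPERED)` refuses the file before any opcode runs, while `BENIGN` loads normally; real model formats reference far more globals, so the allowlist is where the operational work lives.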