Weekly Top 10 — 7.22.2024 — Threat Actors Spread Password Stealers using Facebook Ads; 15M Trello User Email Addresses Leaked; Microsoft-Signed Chinese Kernel Level Malware Discovered, and More.

WEEKLY TOP TEN: July 22, 2024, 16:00 GMT

1. Threat Actors Spread Password Stealers using Facebook Ads
   
   Using Facebook to spread malware is not new; it is still a concern due to the reach the social media platform has. Threat actors are using Facebook business pages and advertisements promoting windows themes, free game downloads, and software activations and cracks for popular applications.
   
   These are used to spread the password-stealing malware SYS01. The threat actors have taken out thousands of ads for a variety of campaigns, with the most popular being blue-softs (8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and awesome-themes-desktop (1,100 ads).
2. New Speculative Execution Attack TIKTAG Impacts Google Chrome and Linux Kernal
   
   Korean researchers from Samsung, Seoul National University, and the Georgia Institute of Technology have discovered a brand-new speculative execution attack known as “TIKTAG.” This new attack targets ARM’s Memory Tagging Extension (MTE). This feature was added to the ARM v8.5-A architecture and later to help detect and prevent memory corruption.
   
   In the technical paper that these researchers released, they demonstrated the attack against Google Chrome’s V8 engine, and the Linux kernel. This attack leaks the memory tags that ensure the accessed memory space is correct and has not been corrupted. Although leaking these tags does not directly expose sensitive data, it is possible to make the protections provided by MTE ineffective.
3. 15 Million Trello User Email Addresses Leaked
   
   The threat actor ’emo’ released a list of about 15 million Trello profiles’ non-public email addresses to the popular hacking forum Breached. The actor explained that he gained this information by querying an unauthenticated REST API that maps an email address to a Trello account.
   
   Atlassian did confirm that the API used to get this information was changed so that only authenticated users can query public user information by email address.
4. New BugSleep Malware Implant Used by Iranian Hacking Group MuddyWater
   
   The Iranian hacking group ‘MuddyWater’ started using a new custom malware implant named ‘BugSleep’ to steal files and run commands. When examining phishing lures, analysts at Check Point Research discovered this backdoor malware that is still in active development.
   
   The phishing campaign disguises their emails as invitations to webinars or online courses, that will redirect the victims to download the malicious payloads hosted on Egnyte’s secure file-sharing platform.
5. New Ad Fraud Campaign Konfety
   
   A massive ad fraud campaign named ‘Konfety’ leverages hundreds of apps on Google Play Store to distribute harmless decoy apps, while directing users from ads to a malicious version of the same application. The threat actors can spread the malicious versions through an ad campaign by using a spoofed version of the legitimate decoy’s app ID and advertising publisher IDs in an effort to evade detection.
6. OSGeo GEOServer and GeoTools Critical Code Execution Vulnerabilities
   
   CISA recently added a new critical vulnerability impacting OSGeo GeoServer an open-source server that allows users to share and edit geospatial data, to its known exploited vulnerabilities database. This new vulnerability being tracked as CVE-2024-36401 is a remote code execution (RCE) by unauthenticated users that was reported by security researcher Steve Ikeoka.
   
   Code execution is made possible due to the default GeoServer installation not properly evaluating property names as XPath expressions. Additionally, some GeoServer addons named Geotools have code execution vulnerabilities, these are tracked as CVE-2024-36404, and CVE-2024-29510.
7. BeaverTail Stealer Malware Updated for MacOS
   
   Threat actors affiliated with the Democratic People’s Republic of Korea (DPRK) updated their JavaScript stealer malware BeaverTail that targets job seekers to now work on Apple’s macOS. The actors are using a malicious DMG file named ‘MiroTalk.dmg’ which is using the same name as a legitimate video call service. This group seems to rely on social engineering techniques to have their target install the malicious file that is hosted on ‘mirotalk[.]net’ instead of installing from the legitimate source from ‘mirotalk[.]com’.
8. Microsoft-Signed Chinese Kernel Level Malware Discovered
   
   Researchers from WeLiveSecurity discovered a fake ad blocker named ‘HotPage.exe’ that was approved and signed by Microsoft. This kernel-level malware is marketed towards internet cafés based in China. Instead of removing ads like it is marketed as it introduces more ads with-in the victim’s browser and drops a vulnerable system-level driver that allows code execution with system level privileges.
9. Critical Vulnerability Found in Cisco SEG Appliances
   
   A new critical severity arbitrary file write vulnerability impacting Cisco’s Security Email Gateway (SEG) was found and fixed by cisco and is tracked as CVE-2024-20401. This vulnerability is caused by improper handling of email attachments when file analysis and content filters are enabled. An attacker that successfully exploits this flaw can overwrite any file in the underlying file system.
10. Revolver Rabbit Cyber Gang Registers 500,000 Domains
    
    Researchers at Infoblox discovered a cybercriminal gang named Revolver Rabbit registered more than 500,000 domains to be used for infostealer campaigns. These threat actors used a registered domain generation algorithm (RDGA) to automatically register domains with the ‘.bond’ top-level domains at scale, to act as potential command and control servers for their Xloader malware that targets both Windows and MacOS.