WEEKLY TOP TEN: September 16, 2024, 16:00 GMT
- Phishing Pages Delivered Through Refresh HTTP Response Header
New phishing techniques have been observed that allow threat actors to trick victims into giving up their credentials. Unit42 has discovered a new phishing campaign that uses HTTP response headers to refresh a page without user interaction. The response header contains a refresh URL, which refreshes the page to the URL, effectively redirecting the victim to the attacker’s controlled page.
The victim will think they are clicking on a legitimate link, but the HTTP header unknowingly redirects them. These attacker pages are often pre-filled with the victim’s information, giving the site more credibility. Before entering your credentials, double-check the URL of the website you are accessing to mitigate this. - Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT
Researchers from Trellix have disclosed how Remcos RAT is delivered using multiple techniques and vulnerabilities. The initial access begins with a phishing attachment. An Excel document that contains OLE-embedded objects is sent in the initial email. To establish credibility and trust, the victim sees a fake image when they first open the sheet explaining how Microsoft has protected the document. If the victim executes the document, a lengthy and obfuscated kill-chain is launched. This involves downloading multiple files and scripts, along with images altered with stenography. This eventually results in Remcos RAT being installed on the victim’s machine. - Progress LoadMaster Vulnerable to 10/10 Severity RCE Flaw
CVE-2024-7591 is a maximum severity vulnerability impacting Progress Software’s LoadMaster products. This vulnerability allows an “unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request.” There was no input sanitization, which also allows attackers to execute arbitrary system commands. A security update for this vulnerability has been released. - GitLab Warns of Critical Pipeline Execution Vulnerability
Eighteen security vulnerabilities have recently been patched in GitLab. The vulnerability with the highest severity score of 9.9 (CVE-2024-7768) allows an attacker to trigger a pipeline as an arbitrary user. All GitLab versions from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2 are affected. - Fortinet Confirms Data Breach After Hacker Claims to Steal 440GB of Files
Fortinet has confirmed in a security notice that a hacker has gained unauthorized access to 440 GB of files. These files were stored on a third-party cloud-based share drive; the hacker stated it was from an Azure Sharepoint instance. Fortinet has publicly responded, stating that only 0.3% of its customers were impacted. Fortinet also said that there is no indication that the incident has resulted in malicious activity affecting customers. Investigations are still ongoing. - Fake Recruiter Coding Tests Target Devs with Malicious Python Packages
Lazarus Group, also known as APT38, has been observed continuing its campaign targeting developers. This is an update to our report from August 5th, when we reported on DEV#POPPER. Cybersecurity firm ReversingLabs has published new details of APT38’s campaign. The attackers have shifted from JavaScript to Python, asking developers to run malicious Python code “PasswordManager.py.” The developers are told they only have 30 minutes to complete the assessment, which puts pressure on them to forego security checks. ReversingLabs has concluded that this campaign is still ongoing with malicious GitHub repos recently observed on July 31st. - New RansomHub Attack Uses TDSSKiller and LaZagne, Disables EDR
Ransomware gang RansomHub has been seen using new TTPs, notably TDSSKiller and LaZagne. The Malwarebytes MDR team has reported on the details. Kaspersky’s TDSSKiller is reputable software for removing rootkits. In the hands of RansomHub, they are using it to disable EDR software instead. After disabling security software, RansomHub then used LaZagne to harvest credentials, specifically targeting database credentials. - Adobe Fixes Acrobat Reader Zero-Day With Public PoC Exploit
Security researcher Haifei Li detected a zero-day in Acrobat Reader back in June 2024. This zero-day (CVE-2024-41869) allows for a crafted PDF document to execute remote code, abusing a use-after-free bug. A proof of concept was released after Adobe’s first fix did not work. On September 10th, 2024, Adobe released a second patch that fixed the vulnerability. Li will release a full write-up on the detection and abuse of the vulnerability in a follow-up blog post. - Microsoft Fixes Windows Smart App Control Zero-Day Exploited Since 2018
Microsoft has released a security update, fixing a zero-day (CVE-2024-38217) that has been exploited since 2018. The vulnerability allowed an attacker to bypass Mark of the Web protections, which means a malicious file would not undergo Smart Screen checks. This involved crafting LNK files that contained a period at the end, e.g., “powershell.exe.”. When executed, Windows Explorer will update the path, removing the extra period while also removing the Mark of the Web. - New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers
A new paper from the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel reveals how air-gapped computers could still be attacked. The PIXHELL attack generates acoustic signals using the noise that LCD screen pixels produce.
LCD screens have capacitors and inductors that vibrate at an audible frequency. An attacker could exfiltrate this audible data, demodulate the packets, and extract the information that was on the screen. While this is still experimental, it shows how even being air-gapped does not mean your information is secure. The researchers recommend using an acoustic jammer to neutralize transmissions.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available: