WEEKLY TOP TEN: December 9, 2024, 16:00 GMT
- New Windows Zero-Day Exposes NTLM Credentials, Gets Unofficial Patch
0patch has disclosed a new zero-click zero-day vulnerability that lets an attacker steal NTLM credentials. The vulnerability currently has no CVE and affects all versions of Windows, including Server 2022. While details of the exploit are sparse, simply viewing a specially crafted file in Windows File Explorer triggers it. This forces an outbound NTLM connection to a remote share, allowing attackers to capture NTLM hashes. These hashes can then be cracked, giving the attacker the victim's login credentials.
- DroidBot: Insights From a New Turkish MaaS Fraud Operation
Researchers from Cleafy have discovered a new Android banking trojan called DroidBot. The malware combines VNC capabilities with overlay attacks to steal credentials and monitor user activity. DroidBot is unusual in its dual-channel communication: it uses MQTT for data exfiltration and HTTPS for receiving commands. DroidBot currently targets 77 financial institutions across Europe, and researchers are tracking 17 distinct affiliate groups using the malware-as-a-service platform.
Due to improper error handling in the 'check_login_and_get_user' function, an unauthenticated attacker can log in as any user when two-factor authentication is enabled.
- Supply Chain Attack Detected in Solana's web3.js Library
Malicious code has been pushed to Solana's web3.js npm library, affecting versions 1.95.6 and 1.95.7. The compromised library receives around 350,000 weekly downloads, and the malicious code steals private keys when the library is imported. So far, the attack has led to over $160,000 in stolen assets. Developers using these versions should immediately update to 1.95.8 and rotate any potentially compromised keys.
- South Korea Arrests CEO for Adding DDoS Feature to Satellite Receivers
Police in South Korea have arrested a CEO and five employees for manufacturing satellite receivers with DDoS capabilities. The manufacturer produced 240,000 devices between 2019 and 2024; 98,000 shipped with pre-installed DDoS modules, and the rest received the functionality through firmware updates. While the companies have not been named, the courts have authorized the seizure of company assets, including 4.5 million USD, the estimated profit the firm made selling the malicious receivers.
- Novel Phishing Campaign Uses Corrupted Word Documents to Evade Security
Researchers from Any.Run have discovered a novel phishing campaign that attaches corrupted Word documents to emails to bypass security software. When opened, these documents prompt Microsoft Word to recover the corrupted file, which then displays a scannable QR code linking to a fake Microsoft login page. Most of the kill chain is not novel; the use of corrupted Word documents to evade scanning is.
- Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
Threat actors' continued use of AI has produced a convincing crypto scam targeting Web3 professionals. Researchers at Cado have found fake companies operating under the names "Meetio," "Meeten," and "Clusee." These fake companies have professional-looking websites and social media presences created using AI. The scam itself is simple: trick users into downloading malware behind a professional-looking UI. The malware has both macOS and Windows variants and can steal credentials from browsers, wallets, and Telegram.
- Americans Urged to Use Encrypted Messaging After Large, Ongoing Cyberattack
Chinese state-sponsored APT Salt Typhoon has infiltrated eight major telecom companies, including AT&T and Verizon. The complete details of the attacks are not yet known, but US officials believe the group is targeting high-profile individuals and government officials. The attack is still ongoing as efforts continue to remove the attackers from the compromised networks. The FBI and CISA recommend using encrypted messaging apps to communicate and protect sensitive information.
- Snowblind: The Invisible Hand of Secret Blizzard
A report by Lumen reveals that Russian threat actor Secret Blizzard has hijacked the C2 servers of a Pakistani APT. Over the past two years, Secret Blizzard has infiltrated 33 C2 servers and deployed its malware into Afghan government networks. The Russian group was also able to compromise the workstations of the Pakistani operators and steal their tools and data, including RATs and malware. This approach lets a threat actor gather intelligence while making attribution much more difficult.
- Japan Warns of I-O Data Zero-Day Router Flaws Exploited in Attacks
Japan's CERT is warning of three critical vulnerabilities in I-O's UD-TL1 router series that are currently being exploited in the wild. The vulnerabilities allow attackers to access sensitive files, execute commands, and disable firewalls on affected devices. While I-O has released a patch, it only addresses the firewall vulnerability; the other two issues will not be fixed until December 18th, 2024.
- Bootkitty: Analyzing the First UEFI Bootkit for Linux
Bootkitty is the first UEFI bootkit to target Linux systems. Its capabilities include disabling kernel signature verification and preloading files during system startup. It patches the Linux kernel to bypass security checks and allows unsigned kernel modules to load. When loaded, the bootkit displays ASCII art and prints that "BlackCat" developed it; there is no connection to the ransomware group ALPHV/BlackCat, as this is a separate entity sharing the name. While it appears to be a proof of concept, it shows that UEFI bootkits are no longer Windows-exclusive.
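The Solana web3.js item above tells developers to check for versions 1.95.6 and 1.95.7 and move to 1.95.8. The following is an added example, not code from the digest or from the Solana project, of the kind of lockfile check a team would run across its repositories: it walks an npm `package-lock.json` (v1 nested `dependencies` or v2/v3 flat `packages` layouts) and reports every installed copy, including transitive ones nested under other packages, whose version appears in a small advisory map. The advisory map format, the helper names and the sample lockfile are constructed for this example; only the package name and version numbers come from the item.

```javascript
// Added example (not from the digest or the Solana project): scan an npm
// lockfile for packages installed at versions named in a supply-chain advisory.
// Package name and affected/fixed versions below are taken from the digest item;
// the map format and the sample lockfile are constructed for this demo.

const ADVISORY = {
  "@solana/web3.js": { bad: ["1.95.6", "1.95.7"], fixed: "1.95.8" },
};

// Constructed sample lockfile (npm lockfileVersion 3 layout). The copy nested
// under node_modules/some-wallet-sdk mimics a transitive install, which is where
// a compromised version can sit even when the top-level pin looks clean.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-sdk": { version: "2.0.1" },
    "node_modules/some-wallet-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
});

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk a lockfile v1 tree: { name: { version, dependencies: {...} } }.
function* walkV1(deps, chain) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = [...chain, name];
    yield { name, version: entry.version, where: where.join(" > ") };
    yield* walkV1(entry.dependencies, where);
  }
}

// Yield every installed { name, version, where } from a v1, v2 or v3 lockfile.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === "") continue; // the root project entry, not a dependency
      yield { name: packageNameFromPath(lockPath), version: entry.version, where: lockPath };
    }
  } else {
    yield* walkV1(lock.dependencies, []);
  }
}

// Return one finding per installed copy whose exact version is in the advisory.
function findAffected(lockfileText, advisory = ADVISORY) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const adv = advisory[pkg.name];
    if (adv && adv.bad.includes(pkg.version)) {
      findings.push({ ...pkg, fixed: adv.fixed });
    }
  }
  return findings;
}

// Stand-alone run against the constructed sample: prints the nested 1.95.7 copy.
const demoHits = findAffected(SAMPLE_LOCKFILE);
for (const h of demoHits) {
  console.log(`${h.where}: ${h.name}@${h.version} -> upgrade to ${h.fixed}`);
}
```

The check matches exact installed versions rather than the semver ranges in `package.json`, because a range such as `^1.95.0` says nothing about which version was actually resolved; only the lockfile does. In a CI job, a non-empty result from `findAffected` should fail the build, and the key-rotation step from the item still has to follow, since any environment that imported an affected version may already have leaked its keys.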
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we compiled over the course of the week as the most significant, ranked by highest risk and drawing on multiple sources when available.