Weekly Top 10 – 02.05.2024-  Homeland Security Employees Arrested, CISA Warns of iOS and macOS Actively Exploited Zero-Day Vulnerabilities, Brazilian Authorities Take Down Grandoreiro and more.

WEEKLY TOP TEN | February 5, 2024, 15:00 GMT

1. Homeland Security Employees Arrested for Stealing the Data of Government Employees
   
   Three former US Department of Homeland Security (DHS) employees have been arrested and sentenced to prison for the theft of proprietary government software and federal employee information. All three individuals plead guilty to Attempts to Defraud the United States and Theft of Government Property charges.
2. ZLoader Malware Resurfaces After Takedown by Microsoft
   
   In April of 2022, Microsoft dismantled the infrastructure of the ZLoader malware campaign. Recently, ZLoader has re-emerged with a new version, containing new features and defense-evasion methodology. The new version of ZLoader has been under development since September 2023 and has been modified to use RSA encryption and an updated randomized domain generation algorithm.
3. US Government Disrupts Volt Typhoon Botnet
   
   The Chinese government supports Volt Typhoon, an APT group. The FBI and DOJ have released a statement with limited information concerning a joint operation to disrupt a botnet linked to Volt Typhon, which has been targeting critical infrastructure. Researchers have revealed that the White House has asked private companies within the cybersecurity space to track the Volt Typhoon.
4. CISA Warns of Actively Exploited Zero-Day Vulnerabilities in iOS and macOS
   
   The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability impacting all Apple-developed operating systems to their Known Exploited Vulnerabilities (KEV) list. This vulnerability (CVE-2022-048618 CVSS score 7.8) is an arbitrary file read, allowing files to be read without authentication. Apple has released patches for all impacted operating systems.
5. Developer of Trickbot Sentenced to Five Years in Prison
   
   Apple has recently released patches for a new vulnerability impacting nearly all Apple devices, seemingly with the exclusion of only watchOS. The patched vulnerability (CVE-2024-23222) is a confusion issue in the WebKit browser engine that leads to remote code execution. Apple does state that it is aware of reports of potential in-the-wild exploitation of this specific vulnerability. Patches have been released for all impacted devices.
6. LockBit Ransoms a Non-Profit Children’s Hospital
   
   After renouncing their previous “honor among thieves” code, the LockBit ransomware gang stated they would no longer avoid targeting critical infrastructure or healthcare facilities; the impact of this has truly been felt as the gang ransomed a children’s hospital located in Boston. LockBit is asking for eight thousand dollars to decrypt the hospital’s files. The victim hospital has claimed that no patient data has been stolen and that there has been no lapse in patient care due to this attack.
7. Nitrogen Malware Distributed via Malicious Advertising
   
   JNitrogen is loader malware with various possible payloads, from infostealers to command-and-control frameworks. This malware has followed the booming trend of using malicious advertisements and compromised websites to deliver its executables to victim devices. These ads pose as legitimate software downloads, using sites compromised by threat actors and re-skinned to provide the appropriate look for the imitated software. Due to the use of ads, these websites frequently appear at the top of web searches and enjoy widespread user trust.
8. Brazilian Authorities Take Down Grandoreiro Banking Trojan
   
   Grandoreiro is a banking malware that has targeted Spanish-speaking countries for several years. The federal police of Brazil, with support from Interpol and the Spanish police, have arrested five individuals linked to Grandoreiro and conducted property seizures across several Brazilian cities. This malware was estimated to be responsible for $120,000,000 in theft and damages.
9. Russian-Backed APT Midnight Blizzard Breached Microsoft Corporate Emails
   
   Microsoft reported a cybersecurity incident in which they claimed that Russian-affiliated threat actors known as Midnight Blizzard had compromised Microsoft corporate emails. The account accessed had limited administrative privileges over some Microsoft email accounts, including those of senior leadership. Midnight Blizzard was able to exfiltrate data from these emails, including legal and cybersecurity information.
10. Vulnerabilities Discovered in Popular Security Driver
    
    The Panda Memory Access Driver is part of an EDR solution from Panda Security. Recently, several vulnerabilities have been discovered in this driver, allowing attackers to exploit several exploits, including registry modification, out-of-bounds reads, and arbitrary file reads. Patches have now been released in the latest versions of WatchGuard and Panda Dome.