WEEKLY TOP TEN | January 29, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we reviewed this week as the most significant, ranked by risk and corroborated across multiple sources where available:
- Research Shows a Large Increase in QR Code Phishing Attacks
Research from cybersecurity firm Check Point states that it observed twenty thousand attacks involving QR codes used for social engineering and phishing within the past two weeks. These attacks typically redirect to a phishing page posing as a popular service in an attempt to steal login credentials from victims. This tactic can bypass some phishing protection, as a URL encoded in an emailed QR code may not be scanned and flagged the way a plain-text URL in the message would be.
- LockBit Ransomware Affiliates Leverage TeamViewer for Ransomware Deployments
Researchers at Huntress have discovered a trend among recent deployments of LockBit ransomware in which threat actors use the legitimate remote access software TeamViewer to gain unauthorized access to networks and deploy the ransomware. While this is not a novel technique and has been seen frequently in the past, its use as an initial access method has been rapidly gaining popularity among threat actors.
- Akira Ransomware Attacks on Finnish Targets Disrupt Swedish Government Operations
The recent swarm of Akira ransomware attacks on Finnish targets included the IT service provider Tietoevry, which provides managed services and cloud hosting. These attacks brought down Tietoevry infrastructure that serves companies in Sweden and Finland, including some Swedish government agencies. As a result, these dependent organizations lost access to some critical systems, forcing temporary shutdowns.
- Coldriver APT Targets Government and Military Officials in Credential Theft Attacks
Google’s Threat Analysis Group (TAG) has discovered a new wave of attacks from the Russian-affiliated APT dubbed Coldriver. The primary targets of Coldriver are high-ranking individuals from NATO-affiliated countries. Until recently, Coldriver was mostly observed using phishing and social engineering attacks to steal credentials from its targets; however, TAG has recently observed an expansion in capabilities through the use of new malware. Specifically, the malware used is the SPICA backdoor, written in Rust, which provides information-stealing and C2 (command and control) functions. Infection is typically performed via a phishing email containing a malicious PDF document, which downloads the malware and infects the victim machine.
- Zero-Day in Apple Devices Patched
Apple has recently released patches for a new vulnerability impacting nearly all Apple devices, seemingly with the exclusion of only watchOS. The patched vulnerability (CVE-2024-23222) is a type confusion issue in the WebKit browser engine that leads to remote code execution. Apple states that it is aware of reports of potential in-the-wild exploitation of this specific vulnerability. Patches have been released for all impacted devices.
- BreachForums Admin Sentenced to 20 Years of Supervised Release
Cybercriminals used BreachForums, a well-known marketplace, to buy and sell data obtained illegally through breaches or other unauthorized methods. The founder and main administrator of the site, Connor Fitzpatrick, aka Pompompurin, was notorious for several high-profile incidents, including the breach of FBI email servers, which were then used to send spam from legitimate FBI email addresses. Following his arrest in March 2023, Fitzpatrick has now been sentenced to twenty years of supervised release with a one-year ban on access to the internet.
- Critical Vulnerability in Jenkins Allows for Remote Code Execution
Jenkins is a popular CI/CD (continuous integration and deployment) solution used by DevOps teams to move code from development environments to production. A new critical vulnerability has been found in Jenkins that allows for remote code execution via an arbitrary file read through its command-line interface (CLI). Patches have been released for the impacted versions.
- Vulnerability in Cisco Unified Communications Allows Attackers to Gain Root Access
A new vulnerability in Cisco Unified Communications has been identified and is currently being tracked as CVE-2024-20253 with a CVSS score of 9.9/10. The vulnerability is due to improper processing and sanitization of user-provided data. A crafted message sent to a listening port on a vulnerable device can bypass authentication and potentially yield root-level access.
- CherryLoader Malware Implements New Privilege Escalation Techniques
CherryLoader is a modular, multi-stage malware written in Golang that attempts to masquerade as the legitimate Cherrytree Notes application. Researchers at Arctic Wolf have released details on an attack in which CherryLoader dropped several tools used for privilege escalation, which is new to this particular malware family. Its modular design allows threat actors to quickly swap out the payload without recompiling the binary.
- Researchers Uncover Payload Delivery Tactics Used by SystemBC C2
SystemBC is a C2 (command and control) framework that allows attackers to remotely control infected devices. Researchers found that initial infection is typically carried out with either a Windows or a Linux binary that uses shellcode injection to spawn reverse shells, which is considerably stealthier than launching a reverse shell through cmd or PowerShell.