WEEKLY TOP TEN: February 19, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ stories we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- Bumblebee Malware Reappears After Four-Month Hibernation
Bumblebee is a malware dropper and initial access broker, meaning compromised devices are sold to other threat actors for post-exploitation activities such as identity theft, addition to botnets, or ransomware deployment. Bumblebee activity declined sharply in October 2023 and stayed low for the following four months. Recently, however, it has returned in phishing campaigns posing as voicemail notifications with links to OneDrive sites hosting the payload.
- Critical Microsoft Exchange Vulnerability
A new vulnerability in Microsoft Exchange has been disclosed and was reportedly exploited as a zero-day before patches were released. The vulnerability allows privilege escalation via an NTLM relay attack, which can lead to a complete server takeover. Patches have been released, and Exchange Extended Protection provides a workaround.
- Linux Command Not Found Feature Used to Distribute Malware
Ubuntu Linux has a feature that suggests packages to install when the user runs an unrecognized command. Researchers have discovered that this tool can be modified and abused to suggest the installation of malicious packages. An attacker would, however, need access to the target system or a way to poison its command-not-found database.
- MrAgent Ransomware Tool Automates VMware ESXi Infection
The RansomHouse cybercrime gang has developed a new tool, dubbed MrAgent, that automates the distribution of its ransomware to VMware ESXi hypervisors. These systems are often critical for organizations and run important internal services and even workstations, making them a valuable target for threat actors.
- New TicTacToe Dropper Delivers Several Types of Malware to Infected Devices
TicTacToe is a new strain of dropper malware used for initial infection. After a device has been compromised, TicTacToe Dropper can deliver a variety of payloads, depending on the attacker's intent. Observed payloads include well-known malware such as AgentTesla, Remcos RAT, and LokiBot.
- North Korean APT Breached South Korean Presidential Staff
The South Korean government has released a statement regarding a cybersecurity incident in which a member of the Presidential Office staff had their personal email compromised. The compromise reportedly occurred while the staff member was using that email account for official governmental duties. The incident was attributed to the North Korean government and its associated APTs.
- GoldPickaxe iOS Malware Captures Facial Recognition Data
Researchers have found a new iOS-specific trojan. Dubbed GoldPickaxe, this malware steals sensitive information such as banking details and facial recognition data. The stolen facial recognition data is likely used to create AI-generated deepfake videos of victims for social engineering or to gain access to bank transfers.
- Russian-Backed APT Targeting Polish Organizations with New Malware
Turla, also known as Group 88 or Uroburos, is an APT attributed to the Russian FSB. It has recently come to light that this group is targeting Polish NGOs (non-governmental organizations) with a brand-new malware strain known as TinyTurla-NG. This malware mainly serves as a backdoor into infected devices, with modular features selected according to the target or the attacker's intent.
- Critical Privilege Escalation Vulnerability in Zoom Has Been Patched
A new critical vulnerability was discovered in Zoom Windows clients, allowing unauthenticated privilege escalation. Zoom discovered the vulnerability internally, and it has since been patched, alongside a wave of other low- to medium-severity vulnerabilities fixed at the same time.
- US Government Dismantles Russian Botnet
The US government has stated that it has dismantled a Russian botnet built from home and small-business routers. This follows closely on the heels of the takedown of a similar Chinese botnet. The bot devices were infected with Mirai malware, and over one thousand devices were reportedly compromised.