WEEKLY TOP TEN: March 25, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- AI-Enhanced Cyber Attacks Rising
As AI and LLMs become more prominent and powerful tools, malicious use of them is rising. Threat actors are using LLMs to aid in the development of malware and even for social engineering via deepfakes. These deepfakes allow an attacker to copy the victim’s voice or appearance for use in phishing or identity theft.

- LockBit Releases New Encryptor After Law Enforcement Takedown
The very public and messy takedown of the highly notorious LockBit ransomware group has led to the group returning with new tactics and even a new version of their ransomware. LockBit has announced that they have changed their approach to ransom negotiations and will not allow discounts over 50% of the initial demand. The new version of their encryptor has been dubbed LockBit Green and contains code from the infamous Conti group, which was disbanded in 2022. They have not labeled this as a true 4.0 but rather as an intermediate stage between version three and version four.

- Microsoft Warns Taxpayers of Tax Return Phishing Scams
Microsoft recently released information about a new phishing campaign they have observed in the wild. This campaign tries to lure the victim with supposed tax information in order to gain access to the target’s financial information and online banking credentials via a crafted HTML page.

- Hundreds of Thousands of Systems Vulnerable to a New “Loop” DoS Attack
Researchers have discovered a new technique for Denial of Service (DoS) attacks. This attack has been dubbed “Loop DoS” and targets the application layer via UDP, creating a loop of communication between applications that consumes all available bandwidth and denies use of the targeted services.

- Law Enforcement Takedowns Lead to a Ransomware Recruiting Boom
The recent takedowns of several ransomware groups, such as LockBit and ALPHV, have led to an influx of ransomware gangs looking to recruit the developers from those disrupted groups for their own operations. With a sort of power vacuum left in the wake of these ransomware titans being taken down, several groups are now gunning for those top spots, looking for members to bolster their teams and offering pay incentives to experienced ransomware developers.

- “Fluffy Wolf” Stealer Malware Targets Corporate Environments
A new malware strain dubbed “Fluffy Wolf” has been observed for sale in a MaaS (Malware-as-a-Service) model, offering its stealer tools to fairly unsophisticated attackers for a monthly fee, an arrangement commonly seen in the stealer malware scene. Currently, Fluffy Wolf has been observed mainly targeting Russian corporate organizations; however, it seems likely that it will spread to other countries.

- Use of “Tiny-Turla” Backdoors Against European NGOs Increasing
The Russian threat actor Turla has released a new backdoor dubbed “Tiny-Turla.” This backdoor is deployed after initial compromise as a way of establishing persistence and performing Command & Control (C2) actions. This malware has been most commonly seen targeting European NGOs (Non-Governmental Organizations), mainly in Poland.

- Sign1 Malware Infects Nearly Forty Thousand WordPress Sites
A new malware campaign targeting WordPress sites is leveraging “Sign1” malware installed through trojanized WordPress plugins. This is an extremely common attack vector against sites using WordPress, the most popular CMS (Content Management System). The malware planted on the site serves visitors malicious ads, leading to fake downloads that contain further malware.

- Critical RCE Vulnerabilities Discovered in Fortinet EMS
Fortinet EMS (Enterprise Management Server) is the primary administrative management tool for Fortinet services. A new critical RCE vulnerability has been discovered in this application, which can allow attackers to gain full access to the management console. Exploitation is considered fairly trivial, even for low-skill attackers. This vulnerability was disclosed alongside several other Fortinet vulnerabilities, including an authentication bypass.

- “GoFetch” Attack Can Grab Cryptographic Keys from Apple Devices
A new cryptographic attack dubbed GoFetch targets Apple’s ARM-based M1, M2, and M3 chips and is able to obtain cryptographic keys stored in the CPU’s cache. The attack works because of Apple’s implementation of prefetch features, which are meant to speed up cryptographic operations. This feature is built directly into Apple’s CPU architecture, meaning there is no way to mitigate this attack on the earlier M1 and M2 chips. The M3 chip does allow users to disable this feature in software, closing this attack vector.