WEEKLY TOP TEN: May 6, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- Android Malware Uses Compromised WordPress Sites for C2
A new strain of Android malware dubbed Wpeeper has been observed using compromised WordPress sites for its command and control (C2) communications. This tactic hides the typical C2 traffic, masking it as ordinary HTTPS web traffic to what appear to be regular WordPress sites. The malware is delivered via a sideloaded APK file, as is typical of Android malware.
- ZLoader Returns with New Defense Evasion Tactics
The ZLoader trojan is a spinoff of the infamous Zeus banking trojan. In 2022, Microsoft dismantled the infrastructure behind ZLoader. However, the takedown did not stop ZLoader, and the malware has returned with new defense evasion techniques borrowed from Zeus. The new feature tries to prevent execution on a machine that does not match the original target, making dynamic analysis by malware researchers more difficult.
- Cuttlefish Malware Infects Routers to Grab Cloud Credentials
A new malware strain, dubbed Cuttlefish, has been observed targeting routers in an attempt to steal cloud credentials. The malware listens to HTTP GET and POST requests and attempts to capture login requests to known cloud infrastructure domains. It also has modular functionality, allowing a variety of added functions such as DNS and HTTP hijacking.
- Muddling Meerkat Tampers with the “Great Firewall of China”
A threat actor group known as Muddling Meerkat has been observed to be in control of the “Great Firewall of China” (GFW), the Chinese government’s internet censorship infrastructure that blocks access to many Western services. It seems that Muddling Meerkat can manipulate the GFW’s DNS configuration. At the time of this writing, the group’s motives are unknown; however, some speculate that Muddling Meerkat may be collecting devices for a massive DDoS attack.
- Russian Threat Actors Target North American Critical Infrastructure
CISA, in cooperation with several European and Canadian authorities, has released a set of recommendations for critical infrastructure organizations in the face of the looming threat of Russian cyberattacks. The advisory states that pro-Russian hacktivists have been targeting human-machine interface (HMI) devices, mainly leveraging weak or default credentials and outdated versions of VNC.
- Goldoon Botnet Targets D-Link Routers with a Ten-Year-Old Vulnerability
A new botnet dubbed Goldoon has been observed targeting D-Link routers using an exploit from 2015, nearly ten years ago. The vulnerability, CVE-2015-2051, has a CVSS score of 9.8/10 and allows arbitrary command execution via a crafted HTTP request. Exploitation can lead to a complete takeover of the device, allowing it to be added to a botnet and used in large DDoS attacks.
- GitLab Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog
CISA has added a GitLab vulnerability to its KEV list, a catalog of vulnerabilities that CISA has observed being exploited in the wild. The vulnerability in question is CVE-2023-7038, with a critical CVSS score of 10/10. It allows account takeover via a password reset and lets attackers add malicious code to valid repositories.
- Ukrainian Hacker Behind the Kaseya Ransomware Attack Sentenced to Thirteen Years in Prison
A Ukrainian national identified as part of the REvil ransomware group has been found guilty of charges related to the infamous Kaseya ransomware attack and sentenced to thirteen years in prison. The individual, who used the alias Rabotnik, was involved in over two and a half thousand ransomware attacks during their stint with REvil.
- Microsoft Warns of Dirty Stream Android Attack
Microsoft has released information on a new Android-based attack it dubbed Dirty Stream. The attack allows malicious apps to overwrite files in other applications, which can lead to arbitrary code execution in the targeted apps. It takes advantage of incorrect implementations of ‘custom intents,’ a feature that allows apps to communicate with each other. Where an app is vulnerable, the platform’s sandboxing is effectively bypassed, allowing the malicious application to modify the target app’s files.
- Bitcoin Blockchain AI Analysis Reveals Money Laundering Infrastructure
An MIT-IBM Watson AI Lab forensic analysis has uncovered bitcoin laundering ‘clusters.’ This provides a new technique for forensically tracing Bitcoin transactions involved in illegal activity such as cybercrime and narcotics distribution. The project identified forty-nine million node clusters and one hundred and ninety-six million transactions related to crypto laundering.
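The Dirty Stream item above turns on how a receiving app handles a file another app shares with it: the weakness Microsoft described is trusting the file name the sending app reports, so a name carrying "../" path traversal lands the write elsewhere in the receiver's private storage. The following is an added example, not Microsoft's code nor any named app's, showing a hypothetical Android share-target receiver (assumes API 26+ for java.nio.file) with the unsafe pattern beside a hardened one.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
// Hypothetical share-target receiver; added example, not Microsoft's or any app's code.
public final class SharedFileReceiver {
    // VULNERABLE pattern behind Dirty Stream: the display name is chosen by the sending
    // app, so a "../"-bearing name makes the receiver write outside its intended folder.
    static File unsafeDestination(Context ctx, String senderSuppliedName) {
        return new File(ctx.getFilesDir(), senderSuppliedName);
    }
    // HARDENED: treat the name as untrusted. Keep only the last path segment, reject
    // empty or dot names, and confirm the canonical path stays inside the import dir.
    static File safeDestination(File importDir, String senderSuppliedName) throws IOException {
        if (senderSuppliedName == null) throw new IOException("missing file name");
        String base = new File(senderSuppliedName).getName(); // drops any directory part
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected file name: " + senderSuppliedName);
        }
        File dest = new File(importDir, base);
        if (!dest.getCanonicalPath().startsWith(importDir.getCanonicalPath() + File.separator)) {
            throw new IOException("path escapes import directory");
        }
        return dest;
    }
    // Copies the shared stream into filesDir/imports/ using the hardened check; an
    // existing file is never overwritten (Files.copy without REPLACE_EXISTING throws).
    static File receive(Context ctx, Uri uri) throws IOException {
        ContentResolver cr = ctx.getContentResolver();
        String name = null;
        try (Cursor c = cr.query(uri, new String[] {OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                name = c.getString(c.getColumnIndexOrThrow(OpenableColumns.DISPLAY_NAME));
            }
        }
        File importDir = new File(ctx.getFilesDir(), "imports");
        if (!importDir.isDirectory() && !importDir.mkdirs()) throw new IOException("no import dir");
        File dest = safeDestination(importDir, name);
        try (InputStream in = cr.openInputStream(uri)) {
            if (in == null) throw new IOException("provider returned no stream");
            Files.copy(in, dest.toPath());
        }
        return dest;
    }
}
```

A code review or static check for the vulnerable shape (a `File` built from a provider-supplied display name without normalisation) is the practical way to find this pattern across an app portfolio.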