By security practitioners, for security practitioners

Weekly Top 10: 10.28.2024: Severe Flaws in E2EE Cloud Storage Platforms Used by Millions; ClickFix Tactic: The Phantom Meet; Firm Hacked After Accidentally Hiring North Korean Cyber Criminal, and More.

WEEKLY TOP TEN: October 28, 2024, 16:00 GMT

  1. Severe Flaws in E2EE Cloud Storage Platforms Used by Millions

    ETH Zurich researchers have discovered vulnerabilities in five end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These flaws allow malicious actors to inject files, tamper with data, or gain access to user files. The discovered issues include unauthenticated key material, lack of public key authentication, exposed passwords, and the ability to manipulate file metadata and content.

    Tresorit fared better than the other platforms, with issues that do not directly expose file contents or allow for easy data manipulation. The vendors’ responses to the findings varied, with some taking action to address the vulnerabilities while others have not yet responded or decided not to take action. Most vendors claim that these attacks are too hypothetical to have an effect on users or that user files will be safe even if a threat actor accesses them.
  2. Internet Archive Breached Again Through Stolen Access Tokens

    The Internet Archive was breached again through exposed GitLab authentication tokens, which gave threat actors access to its Zendesk email support platform. The attacker has been sending replies to old removal requests, warning that the Internet Archive failed to rotate the stolen tokens despite having known about the breach for weeks.

    The exposed tokens gave the attacker access to more than 800,000 support tickets from 2018 until now that possibly include personal information that users uploaded when requesting page removals.
  3. ClickFix Tactic: The Phantom Meet

    A new social engineering tactic called ClickFix was observed in May 2024, featuring fake error messages in web browsers to deceive users into executing malicious PowerShell code. Researchers from Sekoia investigated a ClickFix cluster using fake Google Meet pages to distribute infostealers to Windows and macOS users and associated it with two cybercrime groups: “Slavic Nation Empire (SNE)” and “Scamquerteo”, sub-teams of larger cryptocurrency scam operations. The ClickFix tactic allows attackers to bypass web browser security features and appear less suspicious to users.
  4. Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps

    Several popular mobile apps on Android and iOS have been found to contain hardcoded and unencrypted cloud service credentials, such as Amazon Web Services (AWS) and Microsoft Azure Blob Storage, directly within their codebases. This dangerous practice exposes sensitive user data and backend services to significant risk, as anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to security breaches. Some affected apps include Pic Stitch, Crumbl, Eureka, and more.
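The defensive counterpart to this finding is to scan an unpacked app bundle for credential shapes before it ships. The following is an added example, not code from the story or from any of the named vendors: it looks for the documented AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics) and for the `AccountKey=` field of an Azure Storage connection string, and masks every hit so the report does not re-leak the secret. The file contents are constructed samples, not real credentials, and the function and file names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Credential shapes for the two services the story names (AWS and Azure Blob Storage).
# The AWS access key ID format is documented by AWS; the Azure pattern matches the
# base64 AccountKey field of a storage connection string. Other providers would need
# their own patterns (constructed example, not an exhaustive scanner).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{40,})"),
}


@dataclass
class Finding:
    kind: str
    source: str
    line_no: int
    masked: str


def mask(secret: str) -> str:
    """Keep only the first and last 4 characters so findings can be triaged safely."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(source: str, text: str) -> list:
    """Run every pattern over each line of one file and collect masked findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, source, line_no, mask(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """files maps a path inside the unpacked app bundle to its raw bytes."""
    results = []
    for path, data in files.items():
        # Decode leniently: compiled resources and native libraries contain many
        # non-UTF-8 bytes, and we only care about the ASCII credential shapes.
        results.extend(scan_text(path, data.decode("utf-8", errors="ignore")))
    return results


# Constructed sample of an unpacked app (hypothetical paths, fake key material).
SAMPLE_FILES = {
    "assets/config.json": b'{\n  "bucket": "example-uploads",\n  "accessKey": "AKIA0123456789ABCDEF"\n}\n',
    "lib/storage.js": (
        b"const conn = 'DefaultEndpointsProtocol=https;AccountName=exampleacct;"
        b"AccountKey=" + b"A" * 86 + b"==;EndpointSuffix=core.windows.net';\n"
    ),
    "assets/strings.xml": b'<string name="app_name">Example</string>\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
```

In a build pipeline the same scan would run over the extracted APK or IPA contents, and any hit should fail the build and trigger rotation of the key, since the binary is effectively public once published.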
  5. ReliaQuest Uncovers New Black Basta Social Engineering Technique

    The Black Basta ransomware group has evolved its social engineering tactics, combining Microsoft Teams messages with malicious QR codes to gain initial access. The group starts by overwhelming users with spam emails, then follows up through Teams chats from domains like securityadminhelper.onmicrosoft[.]com while posing as help desk support.

    Once contact is established, the attackers convince victims to install remote monitoring tools such as AnyDesk, which are then used to deploy malicious executables masquerading as anti-spam software. One of these files, “AntispamAccount.exe,” targets LSASS for credential harvesting, while “AntispamConnectUS.exe” performs internal network scanning. The attack chain ends with Cobalt Strike beacons being deployed.
  6. Tricks and Treats: GHOSTPULSE’S New Pixel-Level Deception

    A significant evolution in the GHOSTPULSE malware family has been observed, shifting from its previous IDAT chunk exploitation to a new pixel-based algorithm for payload delivery. The malware now embeds its malicious configuration directly within the RGB values of PNG files instead of utilizing IDAT chunks. The infection begins when victims are socially engineered to execute Windows keyboard shortcuts during a fake CAPTCHA validation, which triggers a PowerShell script through malicious JavaScript. Unlike its previous multi-file package approach, GHOSTPULSE now operates as a single compromised executable containing an embedded PNG file in its resources section.
  7. Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

    Cisco has patched multiple critical vulnerabilities in its networking products, including an actively exploited flaw in its Adaptive Security Appliance. The vulnerability (CVE-2024-20481), with a CVSS score of 5.8, affects the Remote Access VPN service and allows unauthenticated attackers to cause a denial-of-service condition through resource exhaustion via mass VPN authentication requests. The patch release follows a March 2024 spike in brute-force attacks against VPN services, which used TOR exit nodes to target multiple vendors, including Cisco, Fortinet, and SonicWall. Three other patches were also released for other Cisco products.
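Because the condition is triggered by a flood of authentication requests, a sliding-window count of failed VPN logins is a practical early-warning signal while the patch is rolled out. The following is an added example, not Cisco's tooling or code from the advisory: it parses a constructed, simplified log format (not Cisco's real syslog schema) and raises one alert when a single source exceeds a per-source threshold and another when the aggregate rate exceeds a global threshold, which is what a distributed flood from many TOR exit nodes would look like. All addresses, thresholds and function names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example (not a real Cisco message):
#   <ISO-8601 timestamp> AUTH_FAIL src=<ip> user=<name>
LINE_RE = re.compile(r"^(\S+) AUTH_FAIL src=(\S+) user=(\S+)$")


def parse_line(line):
    """Return (timestamp, source_ip, user) for a failed-auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_auth_flood(lines, window_seconds=60, per_source_threshold=20, global_threshold=200):
    """Sliding-window counter over failed authentications.

    Emits ("per_source_flood", ip, ts) the first time one source crosses
    per_source_threshold failures inside the window, and ("global_flood", None, ts)
    the first time all sources together cross global_threshold. Lines are assumed
    to arrive in time order, as they would from a syslog stream.
    """
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(deque)   # source ip -> timestamps still inside the window
    all_events = deque()           # every failure still inside the window
    flagged_sources = set()
    global_flagged = False
    alerts = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _user = parsed

        q = per_src[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop events that aged out of the window
            q.popleft()
        all_events.append(ts)
        while all_events and ts - all_events[0] > window:
            all_events.popleft()

        if len(q) >= per_source_threshold and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append(("per_source_flood", src, ts))
        if len(all_events) >= global_threshold and not global_flagged:
            global_flagged = True
            alerts.append(("global_flood", None, ts))
    return alerts


def build_sample_lines():
    """Constructed sample stream: one noisy source, then a distributed burst, then noise."""
    base = datetime(2024, 10, 28, 12, 0, 0)
    lines = []
    # One source failing once per second for 25 seconds (crosses per-source threshold).
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} AUTH_FAIL src=198.51.100.7 user=admin")
    # 40 sources with 5 failures each inside ~20 seconds: each is below the
    # per-source threshold, but together they push the window past 200 events.
    for i in range(40):
        for j in range(5):
            ts = base + timedelta(seconds=25 + (i * 5 + j) * 0.1)
            lines.append(f"{ts.isoformat()} AUTH_FAIL src=203.0.113.{i + 1} user=user{j}")
    # A single unrelated failure that should not alert.
    ts = base + timedelta(seconds=50)
    lines.append(f"{ts.isoformat()} AUTH_FAIL src=192.0.2.9 user=alice")
    return lines


if __name__ == "__main__":
    for kind, src, ts in detect_auth_flood(build_sample_lines()):
        print(f"{ts.isoformat()} {kind} {src or '(all sources)'}")
```

The global counter is the one that matters for this CVE: per-source blocking alone misses a flood spread across many exit nodes, so the aggregate alert is what should drive rate limiting or geo/ASN filtering at the edge until the fixed software is in place.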
  8. TeamTNT’s Docker Gatling Gun Campaign

    The hacker group TeamTNT has launched a new campaign targeting cloud-native environments through exposed Docker daemons. The group uses a “Docker Gatling Gun” script to deploy containers from compromised Docker Hub accounts, initially executing a malicious shell script. This campaign shows several changes in their tactics, including the replacement of their traditional Tsunami backdoor with the more sophisticated Sliver malware framework and the novel approach of joining compromised Docker instances to a Docker Swarm.
  9. New Qilin Ransomware Encryptor Features Stronger Encryption, Evasion

    A new Rust-based variant of Qilin ransomware, dubbed Qilin.B, has been discovered, featuring significant upgrades to its encryption capabilities and evasion techniques. The ransomware now implements AES-256-CTR with AES-NI support on systems with compatible CPUs, falls back to ChaCha20 on older hardware, and uses RSA-4096 with OAEP padding for key protection. Upon execution, Qilin.B establishes persistence through Windows Registry autorun keys and terminates critical processes, including Veeam, Volume Shadow Copy Service, SQL services, Sophos, Acronis Agent, and SAP. The malware also clears Windows Event Logs, deletes its binary post-encryption, and enables network drive sharing between elevated and non-elevated processes.
  10. Firm Hacked After Accidentally Hiring North Korean Cybercriminal

    An anonymous company unknowingly hired a North Korean cybercriminal as a remote IT contractor, leading to a data theft and ransomware incident. The attacker, who worked for the unnamed company for four months while collecting a salary, exploited remote access to exfiltrate sensitive data before being terminated for poor performance. Following the termination, the company received ransom demands threatening to publish the stolen data unless a six-figure cryptocurrency payment was made. This incident follows a broader trend identified by Mandiant, which reported that dozens of Fortune 100 companies have inadvertently employed North Korean operatives.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ stories we judged most significant during the course of the week, ranked by highest risk and corroborated with multiple sources where available.
