WEEKLY TOP TEN: May 20, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we tracked during the week as the most significant, ranked by highest risk and drawing on multiple sources when available:
- Europol Confirms Web Portal Breached
Europol confirmed that its Europol Platform for Experts (EPE) was breached via a compromised user account and is investigating the claim that the threat actor IntelBroker stole “For Official Use Only” (FOUO) documents containing classified information. Although Europol is still investigating this claim, it has confirmed that no operational information was stolen, since the compromised system has no access to operational information.
According to IntelBroker, they have also obtained entry into EC3 SPACE (Secure Platform for Accredited Cybercrime Experts), a repository containing numerous cybercrime resources and used by more than 6,000 authorized cybercrime specialists worldwide. At this time, Europol has not made a statement confirming or denying this claimed breach.
- Black Basta Breached Over 500 Organizations
Black Basta ransomware affiliates have breached over 500 organizations over the past 2 years. This information was released in a joint report by the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The agencies did not say what prompted the threat advisory. It is suspected that the recent rise in ransomware attacks against health organizations, most recently the attack on healthcare giant Ascension, which was linked to Black Basta, is what triggered it.
- MITRE Revealed a New Threat-Modeling Framework for Embedded Devices
The MITRE Corporation officially unveiled its new embedded device threat-modeling framework, EMB3D, developed in collaboration with Niyo ‘Little Thunder’ Pearson, Red Balloon Security, and Narf Industries. Like the ATT&CK framework, it is expected to be a living framework, meaning it will be updated over time with new mitigations and techniques as new threat actors, vulnerabilities, and attack vectors emerge.
- Cyber Crime Forum Breach Forums Seized by FBI and DOJ
The FBI and DOJ seized the extremely popular hacker forum Breach Forums, including its clear-web and dark-web domains, as well as multiple Telegram accounts and group chats connected to it. As of now, the FBI and DOJ have disclosed no official arrests. However, the owners of Breach Forums, the hacking group ShinyHunters, have alleged that one of the forum’s admins, Baphomet, was arrested and shared their credentials for Breach Forums and the Telegram chats, allowing the seizure to happen.
- New Phishing Campaign Mimics DocuSign Templates
Researchers at Abnormal Security have tracked an increase in phishing attacks designed to mimic DocuSign. Because DocuSign’s email templates are generic and routinely seen by employees, they have become an easy, low-effort lure for threat actors looking to compromise a business or user. Abnormal Security recommends the usual phishing mitigations employees can apply to avoid falling victim, the most important being to go directly to the sending company’s website to find the document rather than clicking links in the email.
- Microsoft Patches Zero-Day Exploited by Qakbot
Microsoft patched CVE-2024-30051, a privilege escalation bug in the Windows Desktop Window Manager (DWM) service, on Patch Tuesday, May 14, 2024. The service allows the operating system to use hardware acceleration when rendering.
Security researchers at Kaspersky discovered the weakness, which has been exploited in the wild to deliver QakBot and other malware to affected systems.
- New Social Engineering Campaign Information Released by Rapid7
Cybersecurity researchers at Rapid7 released information about a social engineering campaign. The threat actors send a mass flood of spam and phishing emails to a user to overload both the user’s mailbox and the email filtering solution the company employs. While the email flood is under way, the actor calls the user posing as the company’s IT team and asks the user to download remote monitoring and management software such as AnyDesk, or to use Microsoft’s built-in Quick Assist feature, in hopes of gaining an initial foothold in the network.
- PoC Exploit Was Publicly Released for D-Link EXO AX4800 Routers
Researchers from SSD Secure Disclosure publicly released a proof-of-concept with instructions for gaining root access to D-Link EXO AX4800 routers after unsuccessful attempts to disclose the vulnerability to D-Link. To perform this exploit, an attacker first needs access to the Home Network Administration Protocol (HNAP) port, which is usually reachable over HTTP or HTTPS. Through this administration port, the attacker can gain full root access to the device by combining an authentication bypass with command execution.
- Kimsuky APT Group Attacking South Korea with New Linux Backdoor Gomir
The APT group Kimsuky (aka Springtail), which is linked to North Korea’s Reconnaissance General Bureau (RGB), has been seen using a new version of its GoBear backdoor, codenamed Gomir, that targets Linux machines in South Korea. The new Linux counterpart to GoBear supports 17 commands that it can receive from its C2 server, the most notable being the ability to run shell commands, pause C2 communications for a set amount of time, and start a reverse proxy on the affected machine.
- PyPI Package Targets macOS Devices with Backdoor
A new package named ‘requests-darwin-lite’, a fork of the popular ‘requests’ library, was uploaded to the Python Package Index (PyPI). The security company Phylum was alerted to this package through its automated risk detection platform. Phylum found that the package uses several layers of obfuscation to hide its end goal of installing the Sliver payload, an adversary emulation framework, carried inside a 17MB PNG image file. Not all versions of the package were malicious; only versions 2.27.1 and 2.27.2 were identified to contain the malicious modifications and installation hooks.
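The installation-hook pattern above (a custom setuptools command class that decodes and runs a payload hidden in a bundled image) can be flagged before a package is ever installed. The following triage script is an added example, not Phylum's tooling or code from the package itself; the `SAMPLE_SETUP_PY` it scans is a constructed stand-in for a malicious setup.py, not the real one.

```python
"""Static triage of a setup.py for install-time hooks. The sample setup.py is constructed."""
import ast

SUSPICIOUS_CALLS = {"b64decode", "exec", "eval", "urlopen", "system", "Popen"}
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}

def scan_setup_py(source: str) -> list[str]:
    """Return human-readable findings for code paths that run during `pip install`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # 1. setup(..., cmdclass={"install": X}) registers X to run at install time.
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for k in kw.value.keys:
                        if isinstance(k, ast.Constant) and k.value in HOOK_COMMANDS:
                            findings.append(f"cmdclass overrides '{k.value}' command")
        # 2. A class subclassing a setuptools command and redefining run().
        if isinstance(node, ast.ClassDef):
            bases = {getattr(b, "id", getattr(b, "attr", "")) for b in node.bases}
            if bases & HOOK_COMMANDS and any(
                isinstance(f, ast.FunctionDef) and f.name == "run" for f in node.body
            ):
                findings.append(f"class {node.name} overrides run() of a setuptools command")
        # 3. Decode/execute primitives and image files referenced from setup.py.
        if isinstance(node, ast.Call):
            name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"call to {name}() at line {node.lineno}")
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.lower().endswith(".png"):
            findings.append(f"references image file {node.value!r} at line {node.lineno}")
    return findings

# Constructed sample mimicking the hook shape described above (not the real package).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64

class CustomInstall(install):
    def run(self):
        blob = open("assets/logo.png", "rb").read()
        exec(base64.b64decode(blob[1024:]))
        install.run(self)

setup(name="example-lite", version="2.27.1", cmdclass={"install": CustomInstall})
'''
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="ok", version="1.0")\n'

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print("[!]", finding)
```

Run it against the setup.py of an unpacked sdist before installing; an empty result means no install-time hooks were found, not that the package is safe.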