WEEKLY TOP TEN: May 27, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- Google Discovers Fourth Zero-Day in Chrome This Month
Over the past two weeks, Google has patched four new zero-day vulnerabilities in Chrome, bringing the total to eight so far this year. The most recent of these, CVE-2024-5274, is a type confusion bug in the V8 JavaScript and WebAssembly engine.
- Popular Cloud Services Used to Masquerade Smishing Links
Popular cloud services from Amazon, Google, and IBM have recently been observed being used to disguise SMS phishing (smishing) links. The lure works because the message carries a seemingly trustworthy URL such as storage[.]googleapis[.]com, which then redirects the victim to the real malicious site.
- Supply Chain Attacks Target Courtroom Recording Software
Researchers at Rapid7 have discovered what appears to be a supply chain attack on Justice AV (Audio Video) Solutions, a software vendor focused on courtrooms and prisons. It is believed that a threat actor poisoned an installer for the JAVS Viewer, trojanizing all affected installs. Rapid7 recommends that organizations completely re-image any system that had JAVS Viewer v8.3.7 or lower installed.
- GitLab XSS Vulnerability Allows For Account Takeover
GitLab has discovered and patched a high-severity XSS (cross-site scripting) vulnerability in its platform that allowed account takeover. The vulnerability, CVE-2024-4835, lets attackers serve crafted pages that exfiltrate sensitive information. GitLab, like GitHub, is a code repository service providing storage and version control for code, so a compromised GitLab account could lead to supply chain attacks and mass malware distribution.
- Commercial Spyware Database Dumped
The pcTattletale application is commercial spyware marketed as employee and child monitoring software. It allows monitoring of the infected device, including real-time screenshots and other common spyware functionality. Recently, a security researcher discovered an IDOR (Insecure Direct Object Reference) vulnerability in the pcTattletale API. The vulnerability was reported to pcTattletale; however, no fix was published, and an attacker took it upon themselves to exploit it, dumping the entire pcTattletale database for public access and defacing the site.
- Virtual Machines Used for Defense Evasion in MITRE Cyber Attack
MITRE recently released information on a cyberattack against its systems that stemmed from exploitation of the Ivanti Connect Secure vulnerability. The threat actors used a JSP web shell to gain access to MITRE's vCenter web server, which gave them access to the ESXi hypervisor and allowed them to create rogue VMs that were then used to evade detection.
- ShrinkLocker Ransomware Leverages BitLocker for Encryption
A new strain of ransomware dubbed ShrinkLocker has been observed employing novel encryption techniques in its attacks against medical, manufacturing, and governmental targets. ShrinkLocker shrinks any available non-boot partitions and uses the freed space to create a new boot partition, which is then encrypted using Windows' built-in full disk encryption, BitLocker. The ransomware is written in Visual Basic, another Microsoft technology and an uncommon choice for this type of ransomware.
- The Hunt for Scattered Spider
Mandiant has recently stated that it has been tracking Scattered Spider, the name given to the threat actor group behind last summer's Las Vegas casino hacks. The group is thought to be made up of teenagers and young adults who use crude social engineering and SIM swapping techniques to gain access to their target environments. Their attack on MGM Resorts has placed a large target on their backs, and it is believed that FBI prosecutors are hot on their trail.
- VMware ESXi Vulnerabilities Exploited in Ransomware Attacks
VMware's ESXi has become an extremely popular target for ransomware actors due to the rise of virtual desktops in corporate environments. All the major ransomware players (LockBit, Akira, BlackCat, and others) have been observed using similar techniques in their attacks against ESXi infrastructure: initial access via phishing or exploitation of known vulnerabilities, ending with encryption of the "/vmfs/volumes" directory, which holds all virtual hard disks.
- Operation Diplomatic Specter: Chinese Cyber Espionage Group
Palo Alto Networks' Unit 42 has published information on Operation Diplomatic Specter, a Chinese-backed cyber-espionage campaign targeting governmental entities in the Middle East, Africa, and Asia. The group is closely linked to other Chinese APTs, using similar tools and techniques to carry out actions closely aligned with CCP interests.
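The smishing item above describes links that look like a major cloud provider's storage URL but redirect on to an unrelated site. The following is an added example, not code from the digest or any of the vendors it mentions, showing how a defender can follow such a redirect chain and flag one that starts on a trusted cloud host and lands elsewhere. The redirect table stands in for HTTP 30x Location headers and is constructed sample data, the final hostname is a placeholder, and the list of trusted suffixes is an assumption for the example rather than an authoritative allowlist.

```python
"""
Added example (not from the digest): flag a redirect chain that begins on a
trusted cloud-storage host and ends on an unrelated domain, the pattern the
smishing item describes. Everything here is offline: the redirect map below
is constructed sample data standing in for Location headers.
"""
from urllib.parse import urlparse

# Host suffixes a user would recognise as belonging to a major cloud provider.
# This list is an assumption for the example, not an authoritative allowlist.
TRUSTED_CLOUD_SUFFIXES = (
    ".googleapis.com",
    ".amazonaws.com",
    ".cloud.ibm.com",
)

# Constructed redirect map: URL -> value of the Location header it returns.
# The last hostname is a placeholder (.invalid), not a real site.
SAMPLE_REDIRECTS = {
    "https://storage.googleapis.com/bucket-example/track.html":
        "https://link-example.amazonaws.com/go",
    "https://link-example.amazonaws.com/go":
        "https://parcel-update.example.invalid/login",
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_cloud_host(host: str) -> bool:
    """True if host is a trusted suffix itself or a subdomain of one.
    Suffix matching includes the leading dot, so 'googleapis.com.evil.example'
    does not match."""
    return any(host == s.lstrip(".") or host.endswith(s)
               for s in TRUSTED_CLOUD_SUFFIXES)


def follow_chain(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return the URLs visited, following redirects until there is no further
    hop, a loop is detected, or the hop limit is reached."""
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in seen:
            break  # redirect loop; stop rather than spin
        chain.append(url)
        seen.add(url)
    return chain


def classify(url: str, redirects: dict) -> tuple:
    """Return (verdict, chain). 'suspicious' when the chain has at least one
    hop, starts on a trusted cloud host, and ends on a host that is not one.
    A direct link, or a chain that stays inside trusted hosts, is 'benign'."""
    chain = follow_chain(url, redirects)
    first, last = host_of(chain[0]), host_of(chain[-1])
    if len(chain) > 1 and is_trusted_cloud_host(first) and not is_trusted_cloud_host(last):
        return "suspicious", chain
    return "benign", chain


if __name__ == "__main__":
    for start in SAMPLE_REDIRECTS:
        verdict, chain = classify(start, SAMPLE_REDIRECTS)
        print(verdict, " -> ".join(chain))
```

In a real pipeline the redirect map would be populated by issuing HEAD requests from an isolated sandbox and recording each Location header; the classification logic stays the same. A benign verdict only means the chain did not leave the trusted hosts, so the final destination should still go through normal URL reputation checks.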
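The pcTattletale item above names an IDOR as the bug class behind the database dump. As an added example, not pcTattletale's code (the digest does not show their API), here is a minimal API handler with the IDOR beside the object-level authorization check that closes it. The record store, account names and function names are all constructed for the example.

```python
"""
Added example (not pcTattletale's code): an Insecure Direct Object Reference
in a record-fetching handler, and the hardened form. All data and names are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Screenshot:
    id: int
    owner: str    # account that enrolled the monitored device
    blob: bytes


# Constructed store: two accounts, one screenshot each.
SCREENSHOTS = {
    101: Screenshot(101, "alice", b"<png alice>"),
    102: Screenshot(102, "bob", b"<png bob>"),
}


class NotFound(Exception):
    """Raised for any id the caller may not see; same error for 'absent' and
    'not yours' so the response does not reveal which it was."""


def get_screenshot_vulnerable(caller: str, screenshot_id: int) -> bytes:
    """IDOR: the caller is authenticated (assumed done upstream) but the
    handler never checks that the record belongs to them, so any logged-in
    user can read every record by id."""
    rec = SCREENSHOTS.get(screenshot_id)   # `caller` is ignored: that is the bug
    if rec is None:
        raise NotFound
    return rec.blob


def get_screenshot_hardened(caller: str, screenshot_id: int) -> bytes:
    """Object-level authorization: the lookup is scoped to the caller, so a
    record owned by someone else behaves exactly like one that does not exist."""
    rec = SCREENSHOTS.get(screenshot_id)
    if rec is None or rec.owner != caller:
        raise NotFound
    return rec.blob


def accessible_ids(fetch, caller: str, id_range) -> list:
    """Authorization test helper: which ids in `id_range` does `fetch` return
    to `caller`? Run against both handlers it makes the difference visible."""
    readable = []
    for i in id_range:
        try:
            fetch(caller, i)
            readable.append(i)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", accessible_ids(get_screenshot_vulnerable, "alice", range(100, 105)))
    print("hardened:  ", accessible_ids(get_screenshot_hardened, "alice", range(100, 105)))
```

The fix is not input validation but an ownership predicate evaluated on every object access; an automated check like accessible_ids, run as a test with one account against ids known to belong to another, is a cheap way to keep that predicate from regressing.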