WEEKLY TOP TEN: June 24, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we tracked over the course of the week as the most significant, ranked by highest risk and corroborated across multiple sources where available:
- RCE Vulnerability Discovered in Mailcow
Mailcow is an open-source application for self-hosting email servers. Two vulnerabilities in this software were recently discovered and subsequently patched. The first is a directory traversal bug allowing for possible arbitrary command execution, and the second is an XSS (cross-site scripting) vulnerability. Chained together, these two flaws could lead to full administrative access to an impacted machine.
- Fake Virtual Meeting Software Spreads Infostealers
A malware campaign has recently been discovered using a fake virtual meeting application named Vortax. This app is advertised through its own fake social media accounts and website, giving it an air of legitimacy. Three separate infostealers have been spread using this application, namely Rhadamanthys, Stealc, and Atomic Stealer. This campaign appears to be heavily focused on cryptocurrency theft, searching for wallets and credentials on victims' machines.
- Critical Vulnerability in VMware vCenter Patched
A new set of critical vulnerabilities in VMware's vCenter product has been discovered and patched. The two critical flaws patched in this latest update are CVE-2024-37079 and CVE-2024-37080, both heap overflows that allow for remote code execution via crafted packets.
- LockBit Attacks Soar Following Law Enforcement Takedown
Following the very public and chaotic law enforcement actions against LockBit in February, the group saw a significant decline in attacks, with only 23 attacks being reported in April. However, as of May, LockBit has not only returned to normal status but increased its number of reported attacks by over six times. This massive increase in attacks indicates LockBit has made a full recovery from the takedown and likely has a newfound drive for revenge.
- New Infostealer Uses Several Infection Methods
A new infostealer written in Rust has been discovered and dubbed Fickle Stealer. It uses multiple tactics to spread and infect machines, covering many of the most common methods such as droppers and downloaders. To evade detection once on a machine, Fickle Stealer includes code from legitimate applications to disguise its true purpose from malware analysts, and it performs sandbox and debugger checks to hinder dynamic analysis.
- Russian APT Targets French Officials
The Russian-backed APT Nobelium has been observed targeting French diplomats in an assumed espionage campaign. The attack is carried out via a phishing campaign using lure documents that deliver malware to the target computers, followed by the use of common post-exploitation tools to perform actions on the infected device and steal sensitive information.
- Change Healthcare Reveals Data Impacted by Recent Ransomware Attack
In February, the massive health technologies organization Change Healthcare was hit by a ransomware attack at the hands of Black Cat, aka ALPHV. Change Healthcare has now revealed that the data impacted by this attack includes health insurance information, medical records, payment info, and other PII (personally identifiable information), with its CEO stating that "maybe a third" of all American citizens' data was taken. Notifications are expected to be mailed to impacted individuals starting in July.
- Android Trojan 'Ratel' Used to Deliver Ransomware to Mobile Phones
A new open-source trojan targeting Android devices, dubbed Ratel RAT, has been observed delivering ransomware to out-of-date Android phones. The ransomware demands payment over Telegram rather than the standard dark-web negotiation site or the ever-popular Tox messenger. Targeted devices are mostly phones running Android 11, which is severely outdated and no longer receives security updates.
- APT 'SneakyChef' Targets Governmental Organizations
SneakyChef is an assumed Chinese cyber espionage group that has been observed using SugarGh0st malware to target governments across Asia, the Middle East, and Africa. The malware is sent via a phishing message containing a customized lure, seemingly tailored on a per-organization basis.
- Oyster Malware Spreading in Trojanized Downloads
A new malvertising campaign has been observed spreading a new malware dubbed Oyster. This backdoor has been linked to the same group behind the infamous TrickBot trojan, which is itself a spin on the Zeus trojan. The malicious ads used in this campaign pose as popular free-software downloads, a common technique in these types of campaigns for spreading trojanized installers.