WEEKLY TOP TEN: July 15, 2024, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- Massive AT&T Data Breach Exposes Call Logs of 109 Million Customers
Threat actors have stolen the call logs from AT&T’s Snowflake account, impacting 109 million customers. These call logs contained telephone numbers, interaction counts, and call durations. Personal information and the contents of the calls and texts have not been stolen. AT&T is currently working with law enforcement and the FBI on incident response. - CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools
CRYSTALRAY is the name Sysdig has given to a new threat actor group that are rapidly expanding its operations. First identified in early 2024, CRYSTALRAY was observed using SSH-Snake, an open-source pen-testing tool. In addition, CRYSTALRAY has been utilizing a collection of methods from an OSS (Out-of-Specification) organization, ProjectDiscovery. Their attack chain starts with ASN, a recon/osint tool. After finding a target, CRYSTALRAY uses Nuclei, an open-source vulnerability scanner from ProjectDiscovery. Nuclei will reveal CVEs that a target host is vulnerable to. The end goal is to harvest and sell credentials, and mine cryptocurrency on a victim’s machine. - GitLab: Critical Bug Lets Attackers Run Pipelines as Other Users
GitLab has patched a fresh, serious flaw that is tracked as CVE-2024-6385. This vulnerability allows an attacker to trigger a new pipeline as an arbitrary user. GitLab has not disclosed a proof of concept, but they strongly recommend that all installations be patched as soon as possible. All GitLab versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2 are affected. - Attack Activities by Kimsuky Targeting Japanese Organizations
North Korean APT Kimsuky has been confirmed to be attacking Japanese organizations by JPCERT/CC. In its initial report in 2020, CISA shared that Kimsuky is an APT operating since 2012 and has been tasked with global intelligence-gathering missions. In the recent attack on the Japanese, the kill-chain starts with a spearphishing email containing malicious executables disguised as docx files. The executable will download a VBS script that downloads a PowerShell that operates as an Infostealer and keylogger. - Resurrecting Internet Explorer: Threat Actors Using Zero Day Tricks In Internet Shortcut File to Lure Victims
Check Point Research has identified a new zero-day that has been seen in the wild since January 2023. The trick involves a specifically crafted ‘.url’ file, which, when launched, will open Internet Explorer. The URL field contains a strange prefix, “mhtml,” which causes Windows to open Internet Explorer instead of a modern browser. This allows threat actors to get around the advanced security features that modern browsers contain, such as Mark of the Web, and file scanning. Once a user clicks on the ‘.url’ file; they are requested to allow the download of a ‘.pdf’ file, except this ‘.pdf’ file is a malicious ‘.hta’ file. Once this file is open, the user’s system is compromised. - Avast Releases a Decryptor for DoNex Ransomware and Its Predecessors
Researchers at Avast have discovered a cryptographic flaw in the DoNex ransomware. They have released a decryption key, allowing impacted victims to access their files. The key is freely available for download on Avast’s site. They recommend using the 64-bit version of the tool due to memory constraints. - ROCKYOU2024 Analysis: Mega Password List or Just Noise
Last week, a new password list known as Rockyou2024 made headlines for its bold claims. The uploader claims the list contains over 9.9 billion passwords, clocking in at 146 GB. Researchers at Specops have been digging through the billions of “passwords” on this list and have determined that the claims are false. While the file does contain 9.9 billion lines of text, the lines do not contain passwords. Contained in Rockyou2024 is a mix of Unicode, gibberish, and long strings, which are not passwords. This is another reminder to do your research and not believe everything you see at face value. - DarkGate: Dancing the Samba With Alluring Excel Files
DarkGate, a Malware-as-a-Service, is back with a new July campaign, mainly targeting North America and Europe. The campaign starts with Excel files, which prompt the user to enable editing and downloading of files from the cloud. Once the button is clicked, malicious ‘.vbs’ and ‘.js’ files will be downloaded.
These scripts will then load PowerShell, which infects the system with DarkGate’s malicious AutoHotKey package. DarkGate is known for its sophisticated malware, and this loader is no different. There are multiple checks for antivirus software; evasion techniques are used depending on which AV is installed on the system. - Hidden Between the Tags: Insights Into Spammers’ Evasion Techniques in HTML Smuggling
Researchers at Cisco Talos have identified several new malicious email campaigns that disguise JavaScript code within HTML email attachments. When an attachment is opened, the browser will decode and execute the hidden JavaScript automatically, delivering malware to the system.
Threat actors have been evading email detection by encoding, encrypting, and obfuscating the JavaScript. Another method of evasion is adding a “.” to the end of the HTML file, e.g. “HTML” which changes the Content-Type of the attachment from “HTML” to “octet-stream.” To aid in the detection and deobfuscation of these emails, Cisco Talos has created new CyberChef recipes that can decode and deobfuscate these email files. - Microsoft’s July 2024 Patch Tuesday Fixes 142 Flaws, 4 Zero-Days
Microsoft’s latest “Patch Tuesday” contained 142 security updates, including actively exploited vulnerabilities, and four zero-days. The zero-day patches covered a Hyper-V privilege escalation, a Visual Studio RCE, an MSHTML spoofing vulnerability, and a Systematic Identification and Characterization of Proprietary Prefetchers. These zero-days all have a Max Severity of “Important,” with CVEs ranging from 5.9 to 8.1. The full list of all the patches can be found in the linked report here.
