Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Ransomware Roundup – Black Basta
Source: FORTINET
Black Basta operates a Ransomware-as-a-Service (RaaS) model, in which the developers offer a service such as ransomware, an infrastructure for payment processing and ransom negotiation, and technical support to its affiliates. Read more.
Fortinet Reverses Flutter-based Android Malware “Fluhorse”
Source: FORTINET
What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. Read more.
Microsoft Azure AD flaw can lead to account takeover
Source: Malwarebytes LABS
Now, all the attacker has to do is open the site or service they wish to take over and choose the “Login with Microsoft” option. They will automatically get logged into the account associated with the provided email address. Which was the one that belongs to the victim and not to the actual operator. Read more.
Malware Delivered Through .inf File
Source: SANS Internet Storm Center
The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. Note that .inf files cannot be executed “as is”. Read more.
A TECHNICAL ANALYSIS OF THE SALTWATER BACKDOOR USED IN BARRACUDA 0-DAY VULNERABILITY (CVE-2023-2868) EXPLOITATION
Source: CYBER GEEKS
The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and upload files, proxy functionality, and tunneling functionality. Read more.
China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks
Source: Security Affairs
Crowdstrike reported that the group employed ManageEngine Self-service Plus exploits to gain initial access, then the attackers rely on custom webshells to achieve persistent access, and living-off-the-land (LOTL) techniques for lateral movement. Read more.
Grafana warns of critical auth bypass due to Azure AD integration
Source: BLEEPING COMPUTER
Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication. Read more.
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
Source: deep instinct
Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia. Read more.
New Research: 90% Of Portuguese Domains Are Vulnerable to Phishing and Spoofing
Source: MARTECH SERIES
New research has discovered that spoofing and phishing protection is lacking in Portugal. Only 9.1% of the researched sample for Portuguese domains had correctly implemented and configured security policies to flag, report, and remove outbound phishing emails. Read more.
MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans
Source: The Hacker News
A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. Read more.
IoT devices and Linux-based systems targeted by OpenSSH trojan campaign
Source: Microsoft
Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware. Read more.
Banking and Retail Top the List of Industries Targeted by Social Media Phishing Attacks
Source: KnowBe4
While phishing continues to be the leading initial attack vector, the use of social media presents attackers with a medium where the victim’s defenses are lowered, the content is less scrutinized, little to no security solutions stand in the way, and attackers can impersonate just about anyone they want. Read more.
Open-Source RATs Leveraged By APT Groups
Source: SOC Radar
Open-source RATs offer APT groups several advantages that make their work easier and increase their attack techniques. Read more.
Compromised Domains account for over 50% of Embedded URLs in Malware Phishing Campaigns
Source: COFENSE
Each of the three categories (Abused, Compromised, Created) has different tradeoffs that affect both the threat actor’s choice and the network defenders’ ability to detect and defend. The following sections will break down some statistics, what network defenders and reporters should look for, and some of the potential reasons that threat actors might choose each option. Read more.