Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
Multiple vulnerabilities in TP-Link Omada system could lead to root access by @TalosSecurity
- several vulnerabilities affecting a small subset of the available devices, including the EAP 115 and EAP 225 wireless access points and the ER7206 gigabit VPN router
https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omada-system/
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems by #FORTIGUARD LABS
- the vulnerability allows execution of malicious code via specially crafted documents
- MerkSpy is designed to clandestinely monitor user activity, capture sensitive info & establish persistence
The Growing Threat of Malware Concealed Behind Cloud Services by #FORTIGUARD LABS
- the UNSTABLE & Condi botnets leverage cloud storage & computing services to distribute malware payloads & updates
Kimsuky deploys TRANSLATEXT to target South Korean academia by @Threatlabz
- Mar 2024: the extension was uploaded to a GitHub repository
- can bypass security measures for Gmail, Kakao & Naver to steal email addresses, usernames, passwords & cookies, and to take browser screenshots
‘Poseidon’ Mac stealer distributed via Google ads by @Malwarebytes
- new campaign distributing the stealer via malicious ads for the Arc browser
- 2nd time in the past couple of months that Arc has been used as a lure
https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads
Malicious npm package targets AWS users by @ReversingLabs
- legacyreact-aws-s3-typescript mimics the popular legitimate npm package react-aws-s3-typescript, which is designed for uploading files directly to Amazon S3 buckets from a React TypeScript template
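Added example (not code from the ReversingLabs write-up): a small check that flags dependency names which are near-miss copies of packages a team actually uses, the pattern behind legacyreact-aws-s3-typescript. The allow-list of legitimate names and the package.json are constructed for the demonstration; in practice the allow-list would come from your SBOM or an internal registry mirror.

```python
"""Flag npm dependencies whose names look like near-miss copies of known packages.

Added example, not code from the ReversingLabs report. KNOWN_GOOD and
SAMPLE_PACKAGE_JSON are constructed; swap in your own allow-list.
"""
import json
from typing import Dict, Iterable, Optional

# Constructed allow-list of legitimate package names a team actually depends on.
KNOWN_GOOD = {
    "react-aws-s3-typescript",
    "aws-sdk",
    "lodash",
    "express",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; names are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known: Iterable[str]) -> Optional[str]:
    """Return the known package `name` most resembles, or None if it is known or unrelated.

    Two heuristics: (1) a known name embedded in a longer one with a short
    prefix/suffix bolted on ("legacy" + "react-aws-s3-typescript"), the pattern
    in the ReversingLabs case; (2) a small edit distance, which catches
    single-character typosquats such as "lodahs".
    """
    if name in known:
        return None
    for good in known:
        if good in name and len(name) - len(good) <= 8:
            return good
        if len(good) >= 6 and levenshtein(name, good) <= 2:
            return good
    return None


def audit_package_json(text: str, known: Iterable[str] = KNOWN_GOOD) -> Dict[str, str]:
    """Map each suspicious dependency name to the legitimate package it imitates."""
    pkg = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    findings = {}
    for name in deps:
        target = lookalike_of(name, known)
        if target:
            findings[name] = target
    return findings


# Constructed package.json standing in for a project that pulled the look-alike package.
SAMPLE_PACKAGE_JSON = """
{
  "name": "uploader-ui",
  "dependencies": {
    "react": "^18.2.0",
    "legacyreact-aws-s3-typescript": "^1.0.0",
    "lodahs": "^4.17.21",
    "express": "^4.19.2"
  }
}
"""

if __name__ == "__main__":
    for bad, good in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{bad!r} looks like {good!r}")
```

The heuristics are deliberately loose: an allow-list lookup plus containment and edit distance will produce some false positives on genuinely different packages with similar names, so treat a hit as a prompt to inspect the package's publisher, download counts and install scripts rather than as a verdict.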
Attackers Exploiting Public Cobalt Strike Profiles by #PaloAlto‘s #Unit42
- the post-exploitation payload Beacon uses text-based profiles (Malleable C2) to change the characteristics of its web traffic in an attempt to avoid detection; profiles that are public are therefore also usable as detection indicators
https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/
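Added example (not code from the Unit 42 report or from Cobalt Strike): since a public Malleable C2 profile fixes the URIs and User-Agent a Beacon will use, the same profile can be turned into indicators and swept across web logs. The profile fragment and the log lines below are constructed for the demonstration, not real indicators, and the parser handles only the fields the sweep needs (the global useragent and the uri lists of the http-get and http-post blocks).

```python
"""Extract HTTP indicators from a Malleable C2 profile and sweep sample web logs.

Added example, not code from Unit 42 or Cobalt Strike. SAMPLE_PROFILE and
SAMPLE_LOGS are constructed; only 'set useragent' and the 'set uri' lines
inside http-get/http-post blocks are parsed.
"""
import re
from typing import Dict, List, Set

# Constructed profile fragment in Malleable C2 syntax (not a published profile).
SAMPLE_PROFILE = r'''
set sleeptime "30000";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {
    set uri "/s/ref=nb_sb_noss_1/shop/field-keywords=books /cart/view";
    client {
        header "Accept" "*/*";
        header "Host" "www.example-store.com";
        metadata {
            base64;
            prepend "session-token=";
            header "Cookie";
        }
    }
}

http-post {
    set uri "/N4215/adj/track.us.aps";
    client {
        header "Accept" "*/*";
        id {
            parameter "sz";
        }
    }
}
'''

_SET_RE = re.compile(r'set\s+(\w+)\s+"([^"]*)"\s*;')
_BLOCK_RE = re.compile(r'(http-get|http-post)\s*\{')


def extract_indicators(profile: str) -> Dict[str, object]:
    """Return the user-agent and the per-verb URI sets declared in the profile.

    Block bodies are found by walking braces from the block's opening '{',
    because http-get/http-post contain nested client/metadata/id blocks.
    """
    ua = ""
    for key, val in _SET_RE.findall(profile):
        if key == "useragent":
            ua = val
    uris: Dict[str, Set[str]] = {"http-get": set(), "http-post": set()}
    for m in _BLOCK_RE.finditer(profile):
        depth, i = 1, m.end()
        while i < len(profile) and depth:
            depth += {"{": 1, "}": -1}.get(profile[i], 0)
            i += 1
        body = profile[m.end():i - 1]
        for key, val in _SET_RE.findall(body):
            if key == "uri":
                uris[m.group(1)].update(val.split())  # 'set uri' may list several
    return {"useragent": ua, "uris": uris}


# Constructed proxy log lines: timestamp, client, method, path, user-agent (tab separated).
SAMPLE_LOGS = """\
2024-06-28T10:01:02Z\t10.0.0.5\tGET\t/s/ref=nb_sb_noss_1/shop/field-keywords=books\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-06-28T10:01:32Z\t10.0.0.5\tGET\t/cart/view\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-06-28T10:02:05Z\t10.0.0.5\tPOST\t/N4215/adj/track.us.aps?sz=AAAA\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-06-28T10:02:07Z\t10.0.0.9\tGET\t/cart/view\tMozilla/5.0 (X11; Linux x86_64) Firefox/126.0
2024-06-28T10:03:00Z\t10.0.0.7\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0) Chrome/125.0
"""


def sweep_logs(log_text: str, indicators: Dict[str, object]) -> List[dict]:
    """Score each log line: profile URI plus profile User-Agent = strong, URI alone = weak."""
    ua = indicators["useragent"]
    uris = indicators["uris"]
    verb_for = {"GET": "http-get", "POST": "http-post"}
    hits = []
    for line in log_text.splitlines():
        ts, src, method, path, agent = line.split("\t")
        block = verb_for.get(method)
        if not block:
            continue
        if path.split("?", 1)[0] not in uris[block]:  # drop the id/query part
            continue
        hits.append({"ts": ts, "src": src, "block": block,
                     "confidence": "strong" if agent == ua else "weak"})
    return hits


if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_LOGS, extract_indicators(SAMPLE_PROFILE)):
        print(hit)
```

A URI-only hit is weak on purpose: public profiles imitate real sites, so legitimate traffic can share a path. The combination of the profile's exact User-Agent, its GET and POST URIs from one client, and the regular beacon interval visible in the timestamps is what separates a Beacon from a browser.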
Global Revival of Hacktivism Requires Increased Vigilance from Defenders by @Mandiant
- a new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics that different actors leverage for their specific objectives
https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism
Examining Water Sigbin’s Infection Routine Leading to an XMRig Cryptominer by @TrendMicro
- exploits CVE-2017-3506 & CVE-2023-21839 (Oracle WebLogic Server) to deploy crypto miners via PowerShell
- uses reflective DLL loading & process injection to run in memory & avoid disk-based detection
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
ICO Scams Leverage 2024 Olympics to Lure Victims, Use AI for Fake Sites by @TrendMicro
- uses AI-generated images for fake ICO websites
- more ICO scams with AI-generated content are expected, since the tools maximize cost- and time-efficiency in creating convincing lures
Attackers in Profile: menuPass and ALPHV/BlackCat by @TrendMicro
- the structural complexities of the menuPass/APT10 Umbrella point to one of the basic challenges of threat intelligence: threat actors are not always tidily defined or homogeneous
https://www.trendmicro.com/en_us/research/24/f/menupass-alphv-blackcat-threats.html
Lumma Stealer: Tactics, Impact, and Defense Strategies by @CyfirmaR
- operating as malware-as-a-service since Aug 2022
- written in C and targets a wide range of data, including personal and financial data and data from various applications
https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/
APT PROFILE – FANCY BEAR by @CyfirmaR
- exploits a security flaw in MS Outlook & vulnerabilities in the Windows Print Spooler service to gain elevated privileges on targeted systems
- uses Kubernetes clusters to run brute-force attacks that exploit weak passwords
https://www.cyfirma.com/research/apt-profile-fancy-bear/
Thanks a lot for reading.