Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. RESEARCH UPDATE: THREAT ACTORS BEHIND THE DEV#POPPER CAMPAIGN HAVE RETOOLED AND ARE CONTINUING TO TARGET SOFTWARE DEVELOPERS VIA SOCIAL ENGINEERING by @Securonix Threat Research
- the retooled campaign now includes support for Linux, Windows and macOS
2. Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer by @CyfirmaR
- functions as malware-as-a-service (MaaS) designed to covertly exfiltrate sensitive data
- targets web browsers, crypto wallets, gaming credentials, VPN clients, messaging apps and FTP client data
3. ServiceNow RCE (CVE-2024-4879) Vulnerability Analysis and Exploitation by @CyfirmaR
- allows remote code execution and data theft by unauthenticated attackers
- significant risk of data exposure and service disruption
4. Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft by @TrendMicro
- attackers use spam messages with phishing links to steal admin credentials
- the links lead to fake account protection pages that trick users into providing their login details
5. Phishing targeting Polish SMBs continues via ModiLoader by @ESETresearch
- attackers deployed 3 malware families via ModiLoader: Rescoms, Agent Tesla and Formbook
- they used previously compromised email accounts and company servers to spread the malicious emails
https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/
6. UNC4393 Goes Gently into the SILENTNIGHT by @Mandiant
- details the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown
https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight
7. Fighting Ursa Luring Targets With Car for Sale by #PaloAlto's #Unit42
- Russian threat actor Fighting Ursa advertised a car for sale as a lure to distribute the HeadLace backdoor malware; the campaign likely targeted diplomats and began as early as March 2024
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/
8. BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor by @elasticseclabs
- uses the built-in Microsoft feature BITS (Background Intelligent Transfer Service) for command-and-control communication
- has numerous command handlers used for discovery/enumeration, execution and collection purposes
https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth
9. Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer Leverage TryCloudflare by @esthreat
- initial access vector: a phishing email; the user received a ZIP containing a URL shortcut, which led to a .lnk file hosted on a TryCloudflare-proxied WebDAV server
10. APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike by @TalosSecurity
- the campaign exploited an outdated, vulnerable version of the MS Office IME binary as a loader for a customized second-stage loader

Thanks a lot for reading.