Cybersecurity Threats Affecting Businesses in May 2024 (2024)

The overall level of cyber threat continues to be elevated globally and the impact is being felt across organizations of all sizes and industry sectors.

Security researchers have recently uncovered an ongoing social engineering campaign that floods enterprise mailboxes with spam in order to obtain initial access to their environments for follow-on exploitation. The campaign began in late April 2024 and consists of newsletter sign-up confirmation emails from legitimate organizations, sent in volumes intended to overwhelm email protection solutions. The affected users are then contacted by phone by attackers masquerading as the company’s IT team and tricked into installing remote desktop software under the guise of resolving the email problem. The resulting remote access to the computer is subsequently used to download additional payloads that harvest credentials and maintain persistence on the hosts.
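As an added illustration (not part of the original report), the following Python detects the mail-flooding half of the campaign described above: it reads mail-gateway log lines and flags any recipient who receives a burst of subscription-confirmation messages from many distinct senders within a short window. The log layout, field names, thresholds and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-gateway log lines (not from the report). alice@ receives a burst of
# sign-up confirmations from many unrelated senders; bob@ receives ordinary mail.
SAMPLE_LOG = """\
2024-05-02T09:00:01 to=alice@example.com from=news@shop-a.test subject="Confirm your subscription"
2024-05-02T09:00:05 to=alice@example.com from=hello@blog-b.test subject="Please confirm your newsletter sign-up"
2024-05-02T09:00:09 to=alice@example.com from=no-reply@store-c.test subject="Verify your email address"
2024-05-02T09:00:14 to=alice@example.com from=digest@site-d.test subject="Confirm your subscription"
2024-05-02T09:00:20 to=alice@example.com from=list@forum-e.test subject="Subscription confirmation"
2024-05-02T09:00:31 to=bob@example.com from=hr@example.com subject="Q2 review schedule"
2024-05-02T09:05:00 to=bob@example.com from=news@shop-a.test subject="Confirm your subscription"
2024-05-02T11:30:00 to=alice@example.com from=news@shop-f.test subject="Confirm your subscription"
"""

# Hypothetical log layout: ISO timestamp, then key=value fields; the subject is double-quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)"$'
)
# Subject wording typical of newsletter sign-up confirmations.
CONFIRM_RE = re.compile(r"\b(confirm|verify|subscription)\b", re.IGNORECASE)


def find_bombed_recipients(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {recipient: peak distinct-sender count} for every recipient who received
    confirmation-style mail from at least `threshold` different senders inside any
    `window`-long span. Distinct senders matter: the campaign abuses many unrelated
    legitimate sign-up forms, whereas one chatty sender is usually just noise."""
    recent = defaultdict(deque)   # recipient -> (timestamp, sender) of recent confirmations
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CONFIRM_RE.search(m["subject"]):
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["to"]]
        q.append((ts, m["sender"]))
        while ts - q[0][0] > window:      # drop entries that fell out of the window
            q.popleft()
        senders = {sender for _, sender in q}
        if len(senders) >= threshold:
            flagged[m["to"]] = max(flagged.get(m["to"], 0), len(senders))
    return flagged


if __name__ == "__main__":
    for user, count in find_bombed_recipients(SAMPLE_LOG).items():
        print(f"possible mail bomb: {user} got confirmations from {count} senders in 10 min")
```

A flagged recipient is a good candidate for a proactive heads-up from the real IT team, since the phone call impersonating IT tends to follow the flood; the same list can feed a rule that blocks new remote-desktop tool installs on those users' hosts until the incident is reviewed.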

Below are some of the top threats that have emerged over the past month.

Chrome Zero-Day

Google released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said in a terse advisory without revealing additional specifics of how the flaw is being weaponized in real-world attacks or the identity of the threat actors behind them.

Fake DocuSign Templates

Phishing emails mimicking DocuSign are rising, thanks to a thriving underground marketplace for fake templates and login credentials. Over the past month, researchers claim to have tracked a significant increase in phishing attacks designed to mimic legitimate DocuSign requests. A quick trip down the rabbit hole took them to a Russian cybercrime forum, where sellers peddled a variety of templates resembling authentic emails and documents.

D-Link AX4800 Zero-Day Exploit

The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeover by attackers with access to the HNAP port. Researchers announced that they discovered flaws in DIR-X4860 devices running the latest firmware version, DIRX4860A1_FWV1.04B03, which enable unauthenticated remote command execution (RCE).

“Security vulnerabilities in DIR-X4860 allow remote unauthenticated attackers that can access the HNAP port to gain elevated privileges and run commands as root,” reads SSD’s disclosure.

By combining an authentication bypass with command execution, an attacker can completely compromise the device.

Trigona Ransomware

Trigona ransomware, discovered in late October 2022, targeted various industries including manufacturing, finance, construction, agriculture, marketing, and high technology. Researchers have uncovered compromises of at least 15 organizations across multiple countries, including the United States, Italy, France, Germany, Australia, and New Zealand since December 2022.

Its unconventional ransom notes are presented in HTML Application format and contain embedded JavaScript with unique computer and victim IDs. Trigona operators engage in typical ransomware tactics, including initial access, reconnaissance, malware transfer via remote management software, and ransomware deployment. The ransomware employs various malicious tools, including Mimikatz for credential extraction, manipulation, and injection. The use of password-protected executables adds an extra layer of evasion, making detection and analysis that much more difficult. Most of this information was exposed when Unit 42 observed a development leak site and identified Trigona’s infrastructure.

Trigona has some uncanny similarities to CryLock ransomware, potentially indicating a connection between threat actors. Both use the uncommon HTML App format for ransom notes, which contain some of the same phrases, such as “the price depends on how soon you will contact us.”

This threat campaign flew largely under the radar throughout its early years despite its scope of victims and impact. The attackers suffered a somewhat public defeat in October 2023 when the Ukrainian Cyber Alliance compromised the main Trigona leak site and wiped it, but this was quickly replaced with a secondary one. Despite its long-overdue increased cyber news coverage, Trigona remains active and seems to have only gained momentum recently.

Malicious Notepad++ Packages

A recent discovery by AhnLab Security Intelligence Center (ASEC) has shown that a basic Notepad++ plugin, mimeTools.dll, has been maliciously altered and included in Notepad++ installation packages disguised as normal package files. mimeTools, which provides encoding functions and is loaded automatically when Notepad++ runs, is an easy vector for a DLL hijacking attack. The file “certificate.pem” contains malicious code as well. mimeTools remains largely the same in terms of function; however, its DllEntryPoint has been altered. This way, the only action required to initiate the attack is that the user starts Notepad++, which loads the DLL and immediately executes the altered entry point.

The execution flow is simple and fast: as soon as the user runs Notepad++, mimeTools.dll is loaded, decrypts certificate.pem using the decryption code it carries, and runs the result. Next, “BingMaps.dll” has its “GetBingMapsFactory()” function overwritten with malicious code. A further thread injection, this time into explorer.exe, downloads more shellcode from the C2 server.

This downloaded payload can be anything, from ransomware to spyware. Once again, the main goal of this malware is to establish a beachhead and download more complex malware from an outside source. What is particularly dangerous about this malware is not only how common it is, but how its techniques allow it to execute immediately upon opening the file, likely without the user noticing or becoming suspicious at all, given that Notepad++ otherwise runs normally.

Given that Notepad++ is a common tool used by IT staff, sysadmins, developers, and other employees with access to extremely sensitive core IT infrastructure, this can easily pose an extreme danger to organizations that do not maintain strict hygiene and protocols regarding the use of personal or third-party software.

Having an approved list of sources for software will greatly reduce the risk of these events occurring. Maintaining an on-site image or repository for these pieces of software can be advisable; however, this can of course introduce its own risks should the on-site repository be compromised. These risks must be carefully weighed by companies, but any of these alternatives is better than allowing users to simply download software from the internet without oversight, which is one of the most common vectors for malware into environments.
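As an added example (not ASEC’s or the Notepad++ project’s code), the following Python audit applies the hygiene advice above to the plugin case just described: it walks a Notepad++ plugins directory, compares every DLL’s SHA-256 against an allowlist generated from an install obtained from the approved source, and flags unexpected files such as a stray certificate.pem sitting next to a plugin. The directory layout, file contents and hashes below are constructed stand-ins; no real Notepad++ hashes appear in the report.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (plugins can be large; don't read them whole)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed stand-ins for plugin bytes. The "good" bytes represent what the allowlist
# was built from; the "bad" bytes represent a tampered copy with an altered entry point.
GOOD_MIMETOOLS = b"MZ demo mimeTools.dll (benign stand-in)"
BAD_MIMETOOLS = b"MZ demo mimeTools.dll with altered DllEntryPoint (stand-in)"
GOOD_NPPEXPORT = b"MZ demo NppExport.dll (benign stand-in)"

# Allowlist keyed by path relative to the plugins folder. In practice this is produced
# once from an installer fetched from the approved source and stored read-only.
DEMO_ALLOWLIST = {
    "mimeTools/mimeTools.dll": hashlib.sha256(GOOD_MIMETOOLS).hexdigest(),
    "NppExport/NppExport.dll": hashlib.sha256(GOOD_NPPEXPORT).hexdigest(),
}

# Hypothetical: file types one expects inside a plugin folder. Anything else is reported.
EXPECTED_SUFFIXES = {".dll", ".ini", ".txt", ".xml"}


def build_demo_tree() -> Path:
    """Create a throwaway plugins directory mirroring the tampered package: the
    mimeTools DLL is modified and an extra certificate.pem sits beside it."""
    root = Path(tempfile.mkdtemp(prefix="npp_plugins_"))
    (root / "mimeTools").mkdir()
    (root / "mimeTools" / "mimeTools.dll").write_bytes(BAD_MIMETOOLS)
    (root / "mimeTools" / "certificate.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed\n")
    (root / "NppExport").mkdir()
    (root / "NppExport" / "NppExport.dll").write_bytes(GOOD_NPPEXPORT)
    return root


def audit_plugin_dir(root, allowlist):
    """Return a list of (finding, relative_path) for every file that is not accounted for:
    a DLL absent from the allowlist, a DLL whose hash differs, or a file of an unexpected type."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".dll":
            expected = allowlist.get(rel)
            if expected is None:
                findings.append(("unknown_dll", rel))
            elif sha256_file(path) != expected:
                findings.append(("hash_mismatch", rel))
        elif path.suffix.lower() not in EXPECTED_SUFFIXES:
            findings.append(("unexpected_file", rel))
    return findings


if __name__ == "__main__":
    for finding, rel in audit_plugin_dir(build_demo_tree(), DEMO_ALLOWLIST):
        print(f"{finding}: {rel}")
```

On a real Windows host the same hash check should be complemented by verifying the Authenticode signature of each DLL and by pointing the audit at the actual plugins folder of the installed copy; the hash list itself must come from the approved source, otherwise the audit only confirms that the tampered package matches itself.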

Malicious Discord PyPI Package

FortiGuard Labs, using an AI-driven OSS malware detection system, identified a malicious PyPI package named “discordpy_bypass-1.7,” published by the user “theaos” on March 10, 2024, and detected two days later. This package, along with its precursor “upgrade-colored_0.0.1” and seven different versions, executes sophisticated attacks designed to steal sensitive data from users by employing persistence, browser data extraction, and token harvesting techniques. The package is adept at evading detection, with mechanisms in place to identify and shut down in debugging or analytic environments. It includes checks against blocked processes, network-related, and system-related block lists, indicating a deliberate attempt to thwart any attempts at reverse engineering the package.

The malicious payload, comprising three layers of encoding and obfuscation, is ultimately compiled into an executable file that is retrieved and executed on the victim’s device. This intricate design underlines the complexity and ever-evolving nature of cyber threats. The malware also features command handling functions allowing remote system control and monitoring, thus enabling directory navigation, file manipulation, and command execution.

The core malicious intent lies in browser data extraction and token harvesting, with the latter focusing on Discord authentication tokens. The malware not only locates and extracts browser credentials, cookies, and history, but also decrypts and validates tokens before transmitting them to a remote server.

The discovery of “discordpy_bypass-1.7” exemplifies the persistent cybersecurity risks presented by seemingly benign software packages and the necessity of constant vigilance. It serves as a stern reminder of the importance of safe practices, such as using code only from verified sources and continuously monitoring for such potent threats. Understanding cyber threats, and collaborating on them, are crucial steps in protecting an organization, no matter how big or small it may be.
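As an added example (this is not FortiGuard’s detection system), the following Python applies a static triage check to package source code that looks for the traits described above: layered decode-then-execute chains, anti-analysis process-name lists, browser or Discord token store paths, and persistence locations. It parses the code with the standard ast module and never executes it. The two sample sources are constructed for this example and carry no real payload; the indicator patterns are this example’s own.

```python
import ast
import re

# Calls that turn bytes or text back into executable code.
EXEC_FUNCS = {"exec", "eval", "compile"}
# Decoding / decompression calls that typically make up an obfuscation layer.
DECODERS = {
    "base64.b64decode", "base64.b32decode", "base64.a85decode", "base64.b85decode",
    "zlib.decompress", "bz2.decompress", "lzma.decompress", "binascii.unhexlify",
    "codecs.decode", "b64decode", "b32decode", "decompress", "unhexlify",
}
# Text-level indicators (example patterns, not a complete signature set).
INDICATOR_PATTERNS = {
    "anti_analysis_names": re.compile(r"\b(wireshark|procmon|x64dbg|ida64|fiddler)\b", re.I),
    "token_store_path": re.compile(r"Local Storage[\\/]+leveldb|Login Data|\bCookies\b", re.I),
    "persistence_location": re.compile(r"CurrentVersion\\+Run|\bStartup\b|crontab|\.bashrc", re.I),
}


def _call_name(call: ast.Call):
    """Dotted name of a call target: 'zlib.decompress', 'b64decode', or the bare attribute."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        if isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"
        return f.attr
    return None


def _decode_depth(node) -> int:
    """Deepest chain of nested decoder calls found beneath `node`."""
    own = 1 if isinstance(node, ast.Call) and _call_name(node) in DECODERS else 0
    return own + max((_decode_depth(c) for c in ast.iter_child_nodes(node)), default=0)


def scan_source(src: str) -> dict:
    """Return {'exec_of_decoded': bool, 'max_decode_layers': int, 'indicators': set}."""
    tree = ast.parse(src)
    result = {"exec_of_decoded": False, "max_decode_layers": 0, "indicators": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_FUNCS:
            layers = max((_decode_depth(a) for a in node.args), default=0)
            if layers:
                result["exec_of_decoded"] = True
                result["max_decode_layers"] = max(result["max_decode_layers"], layers)
    for name, rx in INDICATOR_PATTERNS.items():
        if rx.search(src):
            result["indicators"].add(name)
    return result


# Constructed sample resembling the described traits: three decode layers feeding exec,
# a list of analysis-tool names, and a Discord token store path. It is never executed.
SUSPICIOUS = r'''
import base64, zlib, codecs
BLOB = "constructed placeholder, never executed"
exec(zlib.decompress(base64.b64decode(codecs.decode(BLOB, "rot13"))))
BLOCKED = ["wireshark", "procmon"]
TOKEN_DIR = r"C:\Users\x\AppData\Roaming\discord\Local Storage\leveldb"
'''

# Constructed benign sample: decodes configuration data but never executes it.
BENIGN = '''
import base64
def load(cfg):
    return base64.b64decode(cfg["blob"])
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_source(src))
```

Heuristics like these are a triage aid for an internal package mirror or a pre-install review, not proof of malice: a single decode layer is common in legitimate code, so the combination of a decode chain feeding exec with anti-analysis or credential-store indicators is what should raise the score.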

Sandworm APT44

Over the past two years, the Sandworm hacker group has significantly contributed to Russian military objectives in Ukraine while expanding its cyber threat operations globally. Google Cloud’s Mandiant security group, tracking Sandworm under the name APT44, discovered its involvement in nearly all disruptive and destructive cyberattacks in Ukraine since Russia’s 2022 invasion.

Analysis reveals Sandworm’s integration within Russia’s Main Intelligence Directorate (GRU) and its status as a primary cyberattack unit. Sandworm’s operations span various regions, reflecting Russia’s geopolitical interests. Despite ongoing conflict, Sandworm maintains global access and espionage operations, targeting North America, Europe, the Middle East, Central Asia, and Latin America.

Sandworm’s global reach was evident in attacks on water and hydroelectric facilities in the US and France, orchestrated by a group believed to be controlled by them. Additionally, Sandworm targeted logistics providers in Poland with ransomware in 2022, demonstrating a shift towards disruptive actions against NATO countries.

The group, known for previous high-profile attacks, focuses on government and critical infrastructure organizations, including defense, transportation, and energy sectors. Sandworm’s tactics involve exploiting vulnerabilities in routers, VPNs, and other edge infrastructure, often relying on legitimate tools to evade detection.

Organizations need to develop robust threat models and detection mechanisms against Sandworm’s tactics. Sandworm’s use of hacking fronts like CyberArmyofRussia_Reborn aims to draw attention to its campaigns and create a false sense of support for Russia’s military actions.

Given Sandworm’s elusive nature, organizations must prioritize network mapping, segmentation, and digital safety training to mitigate potential threats. Sandworm’s ability to pivot between espionage and disruptive goals underscores the need for proactive cybersecurity measures to counter its operations effectively.

The global cyber threat level has continued to increase as a function of general global political unrest around the Middle East, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to increase. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility in identifying potential risks to an organization.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.
