Skip to content
THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25

THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25

Dec 02, 2024Ravie LakshmananCyber Threats / Weekly Recap

Ever wonder what happens in the digital world every time you blink? Here’s something wild – hackers launch about 2,200 attacks every single day, which means someone’s trying to break into a system somewhere every 39 seconds.

And get this – while we’re all worried about regular hackers, there are now AI systems out there that can craft phishing emails so convincingly, that even cybersecurity experts have trouble spotting them. What’s even crazier? Some of the latest malware is like a digital chameleon – it literally watches how you try to catch it and changes its behavior to slip right past your defenses.

Pretty mind-bending stuff, right? This week’s roundup is packed with eye-opening developments that’ll make you see your laptop in a whole new light.

⚡ Threat of the Week

T-Mobile Spots Hackers Trying to Break In: U.S. telecom service provider T-Mobile caught some suspicious activity on their network recently – basically, someone was trying to sneak into their systems. The good news? They spotted it early and no customer data was stolen. While T-Mobile isn’t pointing fingers directly, cybersecurity experts think they know who’s behind it – a hacking group nicknamed ‘Salt Typhoon,’ which apparently has ties to China. What makes this really interesting is that these hackers have a brand new trick up their sleeve: they’re using a previously unknown backdoor tool called GHOSTSPIDER. Think of it as a skeleton key that no one knew existed until now. They’ve been using this same tool to target telecom companies across Southeast Asia.

Phish Kit Teardown

Webinar: Phish Kit Teardown — How AitM phish kits evade detection

Do your employees keep getting phished with adversary-in-the-middle (AitM) kits like Evilginx, Nakedpages, and Tycoon? You aren’t the only one… Ride along with Push Security as they tear down popular AitM phishing kits to demonstrate how attackers are finding ways through your detection controls.

Register Now

🔔 Top News

  • Prototype UEFI Bootkit Targeting Linux Detected: Bootkits refer to a type of malware that is designed to infect a computer’s boot loader or boot process. In doing so, the idea is to execute malicious code before even initializing the operating system and bypass security measures, effectively granting the attackers absolute control over the system. While bootkits discovered to date have only targeted Windows machines, the discovery of Bootkitty indicates that it’s no longer the case. That said, it’s assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks.
  • Avast Anti-Rootkit Driver Used to Disarm Security Software: A new malware campaign is leveraging a technique called Bring Your Own Vulnerable Driver (BYOVD) to obtain elevated privileges and terminate security-related processes by making use of the legitimate Avast Anti-Rootkit driver (aswArPot.sys). The exact initial access vector used to drop the malware is currently not clear. It’s also not known what the end goal of these attacks are, who are the targets, or how widespread they are.
  • RomCom Exploits Mozilla Fire and Windows 0-Days: The Russia-aligned threat actor known as RomCom chained two zero-day security flaws in Mozilla Firefox (CVE-2024-9680, CVSS score: 9.8) and Microsoft Windows (CVE-2024-49039, CVSS score: 8.8) as part of attacks designed to deliver the eponymous backdoor on victim systems without requiring any user interaction. The vulnerabilities were fixed by Mozilla and Microsoft in October and November 2024, respectively.
  • LockBit and Hive Ransomware Operator Arrested in Russia: Mikhail Pavlovich Matveev, a Russian national who is wanted in the U.S. in connection with LockBit and Hive ransomware operations, has been arrested and charged in the country for developing malicious programs that can encrypt files and for seeking ransom payments in exchange for a decryption key. While he is unlikely to be extradited to the U.S., the development comes a little over a month after four members of the now-defunct REvil ransomware operation were sentenced to several years in prison in Russia.
  • New Botnet Linked to DDoS Campaign: A script kiddie likely of Russian origin has been using publicly available malware tools from GitHub and exploits targeting weak credentials, configurations, and known security flaws to assemble a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale. The threat actor has established a store of sorts on Telegram, where customers can buy different DDoS plans and services in exchange for a cryptocurrency payment.

‎️‍🔥 Trending CVEs

We’ve spotted some big security issues in popular software this week. Whether you’re running a business or just managing a personal site, these could affect you. The fix? Keep your software updated. Most of these problems are solved with the latest security patches from the vendors.

The list includes:: CVE-2024-11680 (ProjectSend), CVE-2023-28461 (Array Networks AG and vxAG), CVE-2024-10542, CVE-2024-10781 (Spam protection, Anti-Spam, and FireWall plugin), CVE-2024-49035 (Microsoft Partner Center), CVE-2024-49806, CVE-2024-49803, CVE-2024-49805 (IBM Security Verify Access Appliance), CVE-2024-50357 (FutureNet NXR routers), CVE-2024-52338 (Apache Arrow R package), CVE-2024-52490 (Pathomation), CVE-2024-8672 (Widget Options – The #1 WordPress Widget & Block Control plugin), CVE-2024-11103 (Contest Gallery plugin), CVE-2024-42327 (Zabbix), and CVE-2024-53676 (Hewlett Packard Enterprise Insight Remote Support).

📰 Around the Cyber World

  • Five Unpatched NTLM Flaws Detailed: While Microsoft may have confirmed its plans to deprecate NTLM in favor of Kerberos, the technology continues to harbor security weaknesses that could enable attackers to obtain NTLM hashes and stage pass-the-hash attacks that allow them to authenticate themselves as a victim user. Cybersecurity firm Morphisec said it identified five significant NTLM vulnerabilities that could be exploited to leak the credentials via Malicious RTF Document Auto Link in Microsoft Word, Remote Image Tag in Microsoft Outlook, Remote Table Refresh in Microsoft Access, Legacy Player Files in Microsoft Media Player, and Remote Recipient List in Microsoft Publisher. Microsoft has acknowledged these flaws but noted that they are either by design or do not meet the bar for immediate servicing. It’s recommended to restrict NTLM usage, enable SMB signing and encryption, block outbound SMB connections to untrusted networks, and switch to Kerberos-only authentication.
  • Raspberry Robin’s Anti-Analysis Methods Revealed: Cybersecurity researchers have detailed the several binary-obfuscation and techniques Raspberry Robin, a malware downloader also known as Roshtyak, has incorporated to fly under the radar. “When Raspberry Robin detects an analysis environment, it responds by deploying a decoy payload to mislead researchers and security tools,” Zscaler ThreatLabz said. “Raspberry Robin is protected and unwrapped by several code layers. All code layers use a set of obfuscation techniques, such as control flow flattening and Mixed Boolean-Arithmetic (MBA) obfuscation.” Obfuscation and encryption have also been hallmarks of another malware family tracked as XWorm, highlighting the threat actor’s ability to adapt and bypass detection effects. The disclosure comes as Rapid7 detailed the technical similarities and differences between AsyncRAT and Venom RAT, two open-source trojans that have been widely adopted by several threat actors over the years. “While they indeed belong to the Quasar RAT family, they are still different RATs,” it noted. “Venom RAT presents more advanced evasion techniques, making it a more sophisticated threat.”
  • BianLian Ransomware Shifts to Pure Extortion: U.S. and Australian cybersecurity agencies have revealed that the developers of the BianLian ransomware are likely based in Russia and that they “shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.” The change follows the release of a free BianLian decryptor in early 2023. Besides using PowerShell scripts to conduct reconnaissance, the attacks are notable for printing ransom notes on printers connected to the compromised network and placing threatening calls to employees of the victim companies to apply pressure. According to data collected by Corvus, RansomHub, Play, LockBit 3.0, MEOW, and Hunters International have accounted for 40% of all attacks observed in Q3 2024. A total of 1,257 victims were posted on data leak sites, up from 1,248 in Q2 2024. “The number of active ransomware groups increased to 59, continuing the trend of new groups entering the landscape, with activity overall becoming more distributed across numerous smaller groups,” the company said.
  • VietCredCare and Ducktail Campaigns Compared: Both VietCredCare and Ducktail are information stealers that are specifically designed to target Facebook Business accounts. They are believed to be operated by threat actors within Vietnam. A law enforcement exercise undertaken by Vietnamese law enforcement agencies in May 2024 led to the arrest of more than 20 individuals likely involved in these activities, resulting in a substantial reduction in campaigns distributing VietCredCare. However, Ducktail-related campaigns appear to be ongoing. “While both target Facebook business accounts, they differ significantly in their code structures,” Group-IB said. “Threat actors use different methods of malware proliferation and approaches to monetizing stolen credentials. This makes us think that the operators behind both campaigns are not related to each other.” Despite these differences, it has been discovered that the threat actors behind the different malware families share the same Vietnamese-speaking communities to sell the stolen credentials for follow-on malvertising campaigns.
  • CyberVolk, a Pro-Russian Hacktivist Collective Originating from India: The threat actors behind CyberVolk (aka GLORIAMIST) have been observed launching ransomware and DDoS attacks against public and government entities that it perceives as opposed to Russian interests. It’s allegedly led by a threat actor, who goes by the online alias Hacker-K. But it’s unclear where the group is currently based or who its other members are. Since at least May 2024, the group has been found to quickly embrace and modify existing ransomware builders such as AzzaSec, Diamond, Doubleface (aka Invisible), LockBit, Chaos, and Babuk to launch its attacks. It’s worth noting that the source code of AzzaSec and Doubleface have suffered leaks of their own in recent months. “Additionally, CyberVolk has promoted other ransomware families like HexaLocker and Parano,” SentinelOne said, while distributing info stealer malware and webshells. “These groups and the tools they leverage are all closely intertwined.” As of early November 2024, CyberVolk has had its Telegram channel banned, prompting it to shift to X.

🎥 Expert Webinar

  • 🤖 Building Secure AI Apps—No More Guesswork — AI is taking the world by storm, but are your apps ready for the risks? Whether it’s guarding against data leaks or preventing costly operational chaos, we’ve got you covered. In this webinar, we’ll show you how to bake security right into your AI apps, protect your data, and dodge common pitfalls. You’ll walk away with practical tips and tools to keep your AI projects safe and sound. Ready to future-proof your development game? Save your spot today!
  • 🔑 Protect What Matters Most: Master Privileged Access Security — Privileged accounts are prime targets for cyberattacks, and traditional PAM solutions often leave critical gaps. Join our webinar to uncover blind spots, gain full visibility, enforce least privilege and Just-in-Time policies, and secure your organization against evolving threats. Strengthen your defenses—register now!

🔧 Cybersecurity Tools

  • Sigma Rule ConverterAn open-source tool that simplifies translating Sigma rules into query formats compatible with various SIEM systems like Splunk and Elastic. Ideal for threat hunting, incident response, and security operations, it streamlines integration, ensures rapid deployment of updated detection rules, and supports multiple backends via pySigma. With its user-friendly interface and regular updates, it enables security teams to adapt quickly to evolving threats.
  • CodeQL Vulnerability Detection Tool: CodeQL is a powerful tool that helps developers and security researchers find bugs in codebases like Chrome. It works by creating a database with detailed information about the code, allowing you to run advanced searches to spot vulnerabilities. Pre-built Chromium CodeQL databases make it easy to dive into Chrome’s massive codebase of over 85 million lines. With its ability to track data flow, explore code structures, and detect similar bugs, CodeQL is perfect for improving security. Google’s collaboration with the CodeQL team ensures continuous updates for better performance.

🔒 Tip of the Week

Your Screenshots Are Secretly Talking Behind Your Back — Every screenshot you share could reveal your device info, location, OS version, username, and even internal system paths without your knowledge. Last month, a tech company accidentally leaked their project codenames through screenshot metadata! Here’s your 30-second fix: On Windows, right-click → Properties → Details → Remove Properties before sharing. Mac users can use Preview’s export feature (uncheck “More Options”), while mobile users should use built-in editing tools before sharing. For automation, grab ImageOptim (free) – it strips metadata with a simple drag-and-drop. Quick verification: Upload any screenshot to exif.app and prepare to be surprised at how much hidden data you’ve been sharing. Pro tip: Create a designated ‘sanitized screenshots’ folder with automated metadata stripping for your sensitive work-related captures. Remember, in 2023, screenshot metadata became a primary reconnaissance tool for targeted attacks – don’t let your images do the attackers’ work for them.

Conclusion

So here’s the thing that keeps security folks up at night – some of today’s smartest malware can actually hide inside your computer’s memory without ever touching the hard drive (spooky, right?). It’s like a ghost in your machine.

But don’t worry, it’s not all doom and gloom. The good guys are cooking up some seriously cool defenses too. Think AI systems that can predict attacks before they happen (kind of like Minority Report, but for cyber crimes), and new ways to encrypt data that even quantum computers can’t crack. Wild stuff!

Before you head back to your digital life, remember this fun fact: your smartphone today has more computing power than all of NASA had when they first put humans on the moon – and yes, that means both the good guys and the bad guys have that same power at their fingertips. Stay safe out there, keep your updates running, and we’ll see you next week with more fascinating tales from the cyber frontier.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Source link