Weekly Cyber Reports

This Week in Cyber 09th August 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

8th August, 2024


Analyst Insight

Phishing is still the most common cyber attack, and new data suggests that the threat is becoming more sophisticated. With 62% of phishing emails passing DMARC verification checks, criminals are adapting to how companies protect against malicious emails. The only true safeguard against this kind of attack is the vigilance of employees and proper training to prevent them falling for phishing emails.

We also see the regular ransomware groups finding new ways to infect systems. This week saw a compromised ISP used to deliver malicious software updates to vulnerable systems, typosquatting used to trick unsuspecting IT professionals into downloading malware, and around 40 French museums falling victim to a ransomware attack.

French Museum Network Hit By Ransomware Attack

Around 40 French museums were hit by a ransomware attack last weekend on a system that centralises their financial data. The unnamed group behind the attack demanded payment in cryptocurrency, threatening to release the encrypted data within 48 hours if it was not paid.

Local newspaper “Le Parisien” reports that the attack was discovered by a security specialist at the Grand Palais museum on Sunday. Grand Palais servers were cut off, affecting 36 bookstores and boutiques. Paris authorities and the Grand Palais-RMN network said that there had been no disruption to the Olympic events.


The Hunters International Ransomware Group Targets IT Workers With New Malware

Hunters International, a Ransomware-as-a-Service (RaaS) group first detected operating in Q3 of 2023, has been targeting IT workers with a new C# remote access trojan (RAT). The malware, SharpRhino, helps Hunters International gain an initial foothold, which can then be used to elevate privileges and finally deliver the ransomware payload.

The attackers used typosquatting, which targets users who mistype a brand's website address; for example, the real address telesoft-technologies[.]com might be mistyped as ttelesoft-technologies[.]com. In this case the attackers impersonated the website of “Angry IP Scanner”, a legitimate tool used by IT professionals. IT workers are a valuable target for a threat actor because of the elevated privileges they may already have.
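As an added example for this section (not code from the report, Telesoft or any vendor research), the following Python detector flags lookalike domains in a DNS query log by their edit distance to a list of protected brand domains, using the report's telesoft-technologies[.]com example; the protected list, the `.example` placeholder domain and the log lines are constructed sample data.

```python
"""Flag lookalike (typosquatted) domains in a DNS query log.

Added example for this report; not code from Telesoft or the original post.
The protected list and the log lines below are constructed sample data.
"""

# Protected brand domains: the first is the report's own example, the second a reserved .example placeholder.
PROTECTED = ["telesoft-technologies.com", "scanner-tool.example"]

# Constructed DNS query log in a simple "timestamp client qname" layout.
SAMPLE_LOG = """\
2024-08-08T09:12:01Z 10.0.0.5 telesoft-technologies.com
2024-08-08T09:12:07Z 10.0.0.5 www.ttelesoft-technologies.com
2024-08-08T09:13:44Z 10.0.0.9 scanner-tool.example
2024-08-08T09:14:02Z 10.0.0.9 scannertool.example
2024-08-08T09:15:30Z 10.0.0.12 example.org
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(qname: str, protected=PROTECTED, max_dist: int = 2):
    """Return the protected domain qname imitates, or None if it is genuine or unrelated."""
    # Naive registrable-domain extraction: last two labels, no public-suffix list.
    domain = ".".join(qname.lower().rstrip(".").split(".")[-2:])
    if domain in protected:
        return None  # the genuine domain, not a typo
    for brand in protected:
        if levenshtein(domain, brand) <= max_dist:
            return brand
    return None

def scan_log(log: str):
    """Return (timestamp, client, qname, imitated_brand) for each suspicious query."""
    hits = []
    for line in log.splitlines():
        ts, client, qname = line.split()
        brand = lookalike_of(qname)
        if brand:
            hits.append((ts, client, qname, brand))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two one-character variants and leaves the genuine domains and the unrelated example.org untouched; a real deployment would use a public-suffix list and a much larger protected list.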

 

 


Evasive Panda APT Group Targets Customers From Compromised ISP

The Evasive Panda APT group, also known as StormBamboo, Daggerfly and StormCloud, has recently been found by security researchers to be conducting sophisticated supply chain attacks originating from a previously compromised ISP.

“The foothold in the previous ISP was utilised to launch a range of DNS poisoning attacks to deploy malware via an HTTP automatic update mechanism and poison the responses for legitimate hostnames” according to Volexity. Instead of delivering the requested update to the user, the group would deliver malware such as MACMA (macOS) and POCOSTICK (Windows).


62% of Phishing Emails Can Bypass DMARC Verification Checks

Darktrace detected 17.8 million phishing emails between December 2023 and July 2024, but surprisingly 62% of them successfully passed DMARC (Domain-based Message Authentication, Reporting & Conformance) verification checks, a set of protocols intended to protect email domains from unauthorised use.

This shows the sophistication of phishing scams in 2024 and how cyber criminals are proactively adapting to bypass these control measures. One example is the use of legitimate services such as Dropbox and Slack to evade these detection controls.


Windows Vulnerability Allows Attackers to Downgrade System Files to Outdated Versions

The Windows Secure Kernel Mode Elevation of Privilege Vulnerability (CVE-2024-21302), with a CVSS v3 score of 6.7 (Medium), allows attackers who already have administrator privileges to effectively “downgrade” Windows system files to previous versions that predate the mitigations for known vulnerabilities. Microsoft states that this gives the attacker the ability to reintroduce previously patched vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS. Microsoft also said that it was not aware of any attempts to exploit the vulnerability. Recommended actions for remediation can be found on the Microsoft MSRC website.
