Weekly Cyber Reports

This Week in Cyber 28th June 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus on 27th June, 2024


New Technique Targets Management Console Files

Elastic Security Labs has identified a new attack technique, nicknamed 'GrimResource', which leverages specially crafted management saved console (MSC) files to execute malicious code via Microsoft Management Console (MMC). By utilising this method, attackers are able to bypass traditional security defences and execute arbitrary code by exploiting a cross-site scripting flaw located in the apds.dll library. The malicious MSC files trigger JavaScript code execution when opened in MMC, leading to further potential exploitation, which could include unauthorised access or even system takeover. This recent news highlights the need for non-traditional security methods to help ensure that networks are as safe as they can be, and it also highlights the importance of security hardening. Something as simple as disabling macros by default could significantly help to reduce the potential of this attack impacting a network.
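A defender-side triage heuristic for the file type described above, written here as an added example and not Elastic's rule or code: it flags saved console files that reference apds.dll or carry JavaScript, the two traits the paragraph names. The sample console contents are constructed for this example (the payload text is a placeholder, not a working one), and the indicator names are the example's own.

```python
import re
from pathlib import Path

# Constructed sample console files (not real GrimResource samples).
# MSC files are XML; a benign one just describes snap-ins and display strings.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Event Viewer</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed: carries the two traits named in the article, a reference to
# apds.dll and a JavaScript URI. The payload is a placeholder, not a real one.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">res://apds.dll/PLACEHOLDER?javascript:PLACEHOLDER</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Indicator names are this example's own, not a vendor rule.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.I),
    "javascript_uri": re.compile(r"javascript:", re.I),
    "inline_script_tag": re.compile(r"<script\b", re.I),
}


def decode_msc(data: bytes) -> str:
    """MSC files are XML saved as UTF-8 or UTF-16 (with BOM); decode accordingly."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def scan_msc_text(text: str) -> list[str]:
    """Return the indicator names matched in one console file's contents.
    Input without an MMC_ConsoleFile root is reported as such, not scanned."""
    if "<MMC_ConsoleFile" not in text:
        return ["not_an_msc_console"]
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_msc_file(path: Path) -> list[str]:
    return scan_msc_text(decode_msc(path.read_bytes()))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, scan_msc_text(sample) or ["clean"])
```

Point scan_msc_file at an .msc dropped by e-mail or download to get a quick list of why it deserves a closer look; a clean result only means none of these string-level traits are present.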


'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

Group-IB researchers have identified a new cyber threat actor named Boolka, which has been compromising websites via SQL injection (SQLi) attacks to deploy the modular BMANAGER trojan. Active since at least 2022, Boolka's campaign involves infecting vulnerable websites with malicious JavaScript designed to capture user inputs and interactions, which are then exfiltrated in Base64-encoded form. The malicious script also redirects users to a fake loading page, prompting them to download a browser extension that installs the BMANAGER downloader. This trojan then fetches additional malware modules to harvest files, log keystrokes, and establish persistence on the infected host.

Boolka's operations, named after its command-and-control server "boolka[.]tk," reflect a sophisticated evolution of tactics over time. Initially starting with opportunistic SQLi attacks, the threat actor has developed a comprehensive malware delivery platform using the BeEF framework. This approach allows Boolka to exfiltrate sensitive data from compromised websites and deploy advanced trojans like BMANAGER. The campaign demonstrates the increasing complexity of cybercriminal methods in exploiting web security weaknesses and underscores the critical need for robust cybersecurity defences.


Urgent Patch Required: New MOVEit Transfer Vulnerability Actively Exploited

A critical vulnerability affecting Progress Software's MOVEit Transfer, tracked as CVE-2024-5806 with a CVSS score of 9.1, is already under active exploitation. This flaw allows authentication bypass in multiple MOVEit Transfer versions, posing significant security risks. Additionally, another severe vulnerability, CVE-2024-5805, impacting MOVEit Gateway, has been identified and addressed. The vulnerabilities enable attackers to bypass SFTP authentication and access the systems, with the published technical details showing the potential for user impersonation. Progress Software urges users to immediately update to the latest versions and implement recommended security measures, including blocking public inbound RDP access and limiting outbound access to trusted endpoints.


TeamViewer responds to 'Irregularity'

TeamViewer is investigating an intrusion into its corporate IT environment and states that there is no evidence to suggest that its product environment or customer data has been compromised. The company says it has activated teams to investigate the incident, which was discovered on Wednesday. There are reports of multiple organisations warning members about alleged nation-state attacks involving TeamViewer software, with some attributing the activity to the APT29 hacking group. Cybersecurity firms and healthcare organisations are advising customers to review logs for unusual remote desktop traffic and take measures to secure their devices. The investigation is ongoing, and the company plans to provide further updates as necessary.

