What’s trending in cybersecurity today?
Phishing, MSC Files, Backdoor, Pakistan, Bitter APT, Turkey, Defense Sector, WmRAT, MiyaRAT, Malware, Google, RiseLoader, VMProtect, Apache Tomcat, Remote Code Execution, DoS Attacks, University of Central Florida, Hack, Canada, Supermarket, Cyberattack, Avril, Ecritel, Ransomware Attack, Waverley Christian College, Ransomware, Kitsap Mental Health, Breach, CISA, Federal Agencies, Microsoft Cloud Security, Nebraska, Lawsuit, Change Healthcare, UnitedHealth, Moscow, Recorded Future, Undesirable, Meta, Fine, Ireland, Data Protection Commission, Cisco, Acquisition, SnapAttack.
Cyber Alerts
A phishing campaign targeting Pakistan has been uncovered, leveraging tax-themed lures and malicious Microsoft Common Console Document (MSC) files to deploy a stealthy backdoor. The attack uses files with double extensions, such as .pdf.msc, to disguise malicious payloads as legitimate PDFs. When opened, these files execute JavaScript via the Microsoft Management Console (MMC) to load obfuscated malware, including a DLL file (“DismCore.dll”), enabling data exfiltration and remote command execution.
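The double-extension trick described above works because a user sees ".pdf" and trusts it while Windows acts on the final ".msc". A simple first-line control is to flag attachment names whose final extension is a script or console type, especially when a document extension precedes it. The following is an added example written for this digest, not code from the original report or from any vendor; the mail-gateway log lines and the extension lists are constructed assumptions, and the log field name (attachment="...") is invented for the example.

```python
import re

# Constructed mail-gateway log lines (not from the original article); each
# records one inbound message and the name of its attachment.
SAMPLE_LOG = """\
2024-12-17T09:12:03Z from=tax-notice@example.test attachment="Tax_Notice_Q4.pdf.msc"
2024-12-17T09:13:41Z from=hr@example.test attachment="payroll_summary.pdf"
2024-12-17T09:15:20Z from=it-support@example.test attachment="services.msc"
2024-12-17T09:18:55Z from=vendor@example.test attachment="invoice.tar.gz"
"""

# Final extensions that Windows hands to a script host or console rather than
# a document viewer. This list is an assumption for the example, not exhaustive.
EXECUTABLE_EXTS = {"msc", "lnk", "js", "jse", "vbs", "vbe", "hta", "exe", "scr", "cmd", "bat", "ps1"}
# Extensions a user reads as "just a document or image".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png"}

ATTACHMENT_RE = re.compile(r'attachment="([^"]+)"')


def classify_attachment(filename: str):
    """Return (severity, reason) for a suspicious attachment name, else None.

    'high'   : document extension followed by an executable one (.pdf.msc)
    'medium' : executable/console extension on its own (.msc, .lnk, ...)
    """
    exts = filename.strip().lower().split(".")[1:]  # extensions after the base name
    if not exts:
        return None
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        return ("high", f"double extension .{exts[-2]}.{last} disguises an executable as a document")
    if last in EXECUTABLE_EXTS:
        return ("medium", f".{last} attachment is handled by a script or console host")
    return None


def scan_log(text: str):
    """Run classify_attachment over every log line; return [(name, severity, reason)]."""
    hits = []
    for line in text.splitlines():
        match = ATTACHMENT_RE.search(line)
        if not match:
            continue
        verdict = classify_attachment(match.group(1))
        if verdict is not None:
            hits.append((match.group(1),) + verdict)
    return hits


if __name__ == "__main__":
    for name, severity, reason in scan_log(SAMPLE_LOG):
        print(f"[{severity.upper()}] {name}: {reason}")
```

A filename check is cheap but easy to evade (renaming inside an archive, for instance), so it belongs alongside content-type inspection at the gateway and application control on endpoints rather than replacing them.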
In November 2024, the South Asian cyber espionage group Bitter APT launched a targeted attack on Turkey’s defense sector, deploying two malware families, WmRAT and MiyaRAT. The attack utilized a RAR archive containing a decoy document about a World Bank initiative in Madagascar, along with a malicious shortcut (LNK) file and an alternate data stream (ADS) that concealed PowerShell code.
Cybercriminals are increasingly exploiting Google Calendar and Google Drawings to bypass email security and launch sophisticated phishing campaigns. By manipulating trusted Google tools, attackers send deceptive emails that appear to come from trusted sources, including Google, often containing calendar invites or links to malicious Google Drawings. These links redirect victims to fraudulent websites, where they are tricked into entering personal or financial information. This tactic has affected over 300 brands, with thousands of phishing emails detected in a short period.
RiseLoader, a newly discovered malware family, emerged in October 2024 and has been linked to the threat groups behind RisePro and PrivateLoader. This malware utilizes a custom TCP-based binary protocol to download and execute second-stage payloads, often using VMProtect for code obfuscation. It has been observed distributing several malicious families and collects information about cryptocurrency applications and browser extensions. RiseLoader establishes an encrypted connection with a C2 server, exchanging system information, receiving payload URLs, and executing them.
Two critical vulnerabilities in Apache Tomcat, a widely used open-source web server, were recently disclosed; they potentially allow attackers to execute code remotely or cause denial-of-service (DoS) conditions. The first (CVE-2024-50379) enables remote code execution through a race condition during concurrent file operations on case-insensitive file systems, bypassing Tomcat’s case sensitivity checks. The second (CVE-2024-54677) causes a DoS by exploiting a failure to limit file upload sizes in the example web applications, leading to OutOfMemoryErrors.
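The Tomcat advisory for these two issues (not restated in the summary above) ties the race condition to a DefaultServlet that has been made write-enabled with the non-default setting readonly=false, and the DoS to the bundled examples web application, which should not be deployed on production servers. The audit below is an added example written for this digest, not Tomcat project code: it checks a conf/web.xml fragment for that parameter and a list of deployed webapp names for examples. The two web.xml fragments and the webapp lists are constructed for the example.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
EXAMPLES_WEBAPP = "examples"

# Constructed conf/web.xml fragments for this example. The weak one sets the
# DefaultServlet's readonly parameter to false (the non-default, write-enabled
# setting); the hardened one leaves it at its default of true.
WEAK_WEB_XML = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{https://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_readonly(web_xml: str) -> bool:
    """True when the DefaultServlet cannot write (readonly absent or not 'false')."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if _child_text(param, "param-name") == "readonly":
                value = (_child_text(param, "param-value") or "true").lower()
                return value != "false"
    return True  # parameter absent: Tomcat's default is readonly=true


def audit_tomcat(web_xml: str, deployed_webapps):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not default_servlet_readonly(web_xml):
        findings.append("DefaultServlet has readonly=false (write-enabled); set readonly to true")
    if EXAMPLES_WEBAPP in {name.lower() for name in deployed_webapps}:
        findings.append("examples web application is deployed; remove it from webapps/ on production servers")
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat(WEAK_WEB_XML, ["ROOT", "examples", "manager"]):
        print("FAIL:", finding)
    print("hardened:", audit_tomcat(HARDENED_WEB_XML, ["ROOT", "manager"]) or "no findings")
```

Configuration checks like this reduce exposure but do not replace upgrading to the fixed Tomcat release; run them against the web.xml of each deployed application as well as the global conf/web.xml, since either can override the servlet parameters.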
Cyber Incidents
In a sophisticated hacking scheme, thieves stole $107,625 from the University of Central Florida (UCF) by compromising a vendor’s computers and tricking the university into redirecting a payment to a fraudulent bank account. The scheme unfolded over 12 days, during which the university’s email system was overwhelmed by a spam attack that delayed the detection of the fraud. Despite the university’s efforts to recover the funds, the majority of the money was already gone by the time the theft was discovered.
Avril, a supermarket chain based in Canada, has been targeted by a cyberattack that has disrupted its operations since December 12, 2024. The attack caused slowdowns across Avril’s locations, including long lines due to limited cash registers and manual entry of product codes. Although the supermarkets remain open, some checkouts were closed, and the transactional site experienced delays in order preparation and deliveries. Avril is currently working with cybersecurity experts to assess the impact and restore normal operations.
On December 8, 2024, the French digital services company Ecritel was targeted in a cyberattack claimed by the ransomware group Hunters International. The attack, which involved the theft of approximately 270 GB of data, was quickly detected and thwarted by Ecritel’s cybersecurity team. The company emphasized that the incident had no impact on business continuity or customer platforms.
Waverley Christian College, located in Victoria, Australia, has confirmed it was targeted by a ransomware attack, with the Fog ransomware group claiming responsibility. The attack, which occurred in December 2024, allegedly resulted in the theft of five gigabytes of data, including financial and insurance documents, as well as internal correspondence. The gang posted the college’s name on their darknet leak site, but no ransom amount or deadline for the data’s release has been disclosed.
Kitsap Mental Health Services, a nonprofit organization based in Bremerton, Washington, recently confirmed a data breach that exposed sensitive personal information of its consumers. The breach, which was detected on October 17, 2024, involved unauthorized access to confidential data, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, medical and health insurance information, and financial details.
Cyber News
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive requiring federal civilian agencies to enhance the security of their Microsoft cloud systems following recent cyber intrusions. The directive builds on CISA’s Secure Cloud Business Applications (SCuBA) project, which provides secure configuration baselines for cloud environments. Agencies must inventory their cloud systems by February 2025, deploy SCuBA tools by April 2025, and achieve full compliance by June 2025.
Nebraska’s Attorney General has filed a lawsuit against Change Healthcare, a subsidiary of UnitedHealth Group (UHG), for violating state consumer protection and data security laws following a major ransomware attack in February 2024. The attack, which exposed sensitive healthcare information and disrupted critical medical services, affected around 100 million Americans, including thousands in Nebraska. The lawsuit claims that the breach, which crippled the payment and claim processing systems, led to delayed patient care, financial strain on healthcare providers, and an increase in scams targeting affected individuals.
Russia has labeled the U.S. cybersecurity firm Recorded Future as an “undesirable” organization, accusing it of involvement in cyberattacks against Moscow. The company’s staff allegedly cooperate with U.S. intelligence agencies, including the CIA, and contribute to anti-Russian propaganda efforts. Founded in the U.S. and now a part of Mastercard, Recorded Future specializes in threat intelligence and cybersecurity services. This move adds Recorded Future to a growing list of 194 entities deemed undesirable by the Russian government since 2015.
Meta Platforms has been fined €251 million by the Irish Data Protection Commission (DPC) for a 2018 Facebook data breach that affected approximately 29 million accounts globally, including 3 million in the European Union. The breach was caused by a vulnerability in Facebook’s “View As” feature, which allowed attackers to steal account access tokens and access sensitive user information, including names, emails, phone numbers, and even children’s data. The fine, issued under GDPR regulations, highlights Meta’s failure to incorporate data protection measures during system design and development.
Cisco has acquired SnapAttack, a leading threat detection and defense company, to further enhance its cybersecurity capabilities through Splunk, which Cisco acquired in March for $28 billion. SnapAttack’s expertise in threat detection and engineering will accelerate Splunk’s “detection-as-code” roadmap, benefiting organizations by improving their security operations centers (SOC).
Copyright © 2024 CyberMaterial. All Rights Reserved.