Security Spotlight: Navigating the Cybersecurity Landscape and Illuminating the Dark Corners of the Web
Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware
Overview
A suspected pro-Houthi group, OilAlpha, is targeting humanitarian organizations in Yemen with advanced Android spyware. The operation is associated with the activity cluster codenamed OilAlpha. It utilizes malicious mobile apps to harvest sensitive info from their victims.
Impact
The OilAlpha group specifically targets humanitarian organizations i.e. CARE International, the Norwegian Refugee Council (NRC), the Saudi Arabian King Salman Humanitarian Aid and Relief Centre, etc. That said, these attacks have been ongoing. And, the most recent campaign was discovered in early June 2024. The spyware-laden apps are disguised as legit apps related to humanitarian relief programs. They infiltrate devices and steal data once installed.
The malware strain used in these attacks, SpyNote, requests intrusive permissions to access victim data. That said, the campaign includes credential harvesting through fake login pages impersonating humanitarian organizations. This tactic aims to gather intelligence to potentially facilitate controlling aid distribution and delivery.
Recommendation
✓ Only download apps from official and verified sources.
✓ Conduct regular security audits of devices used in the field.
✓ Raise awareness among staff about the risks of downloading apps from unknown sources.
✓ Implement robust mobile security solutions that can prevent the installation of spyware.
✓ Monitor for any unusual activities.
APT41 Cyber Espionage Campaign in Multiple Countries
Overview
APT41 is a prolific hacking group based in China. It’s been targeting several organizations across Italy, Spain, Taiwan, Turkey, and the U.K. Since 2023, they have been infiltrating various sectors i.e. global shipping and logistics, media and entertainment, technology, etc. They’ve managed to access numerous networks without authorization and extracted sensitive data for an extended period.
Impact
✔ They have successfully extracted vast amounts of sensitive data.
✔ They use a combo of custom malware (DUSTPAN & DUSTTRAP) and publicly available tools (SQLULDR2 & PINEGROVE) to maintain persistence and exfiltrate data.
✔ Web shells like ANTSWORD and BLUEBEAM are used to download droppers that compromise remote systems.
✔ They use techniques like code-signing with stolen certificates and exploit legit platforms like Microsoft OneDrive to evade detection.
Recommendation
🔧 Enhance Network Monitoring
🔧 Update Security Protocols
🔧 Use ATP tools to neutralize custom malware and web shells
🔧 Employ data encryption and strict access controls
SolarWinds Patches Critical Vulnerabilities in Access Rights Manager Software
Overview
SolarWinds just fixed several major security issues in its Access Rights Manager (ARM) software. These problems could have let bad actors access sensitive data or run harmful code. Out of the 13 vulnerabilities found, eight were very serious, scoring 9.6 out of 10 on the CVSS scale. On the other hand, the other five were also significant.
Impact
The most severe vulnerabilities, if exploited, could permit attackers to read/delete files.
The specific vulnerabilities include:
✔️ CVE-2024-23472: Directory Traversal Arbitrary File Deletion & Information Disclosure
✔️ CVE-2024-28074: Internal Deserialization Remote Code Execution
✔️ CVE-2024-23469: Exposed Dangerous Method Remote Code Execution
✔️ CVE-2024-23475: Traversal and Information Disclosure
✔️ CVE-2024-23467: Traversal Remote Code Execution
✔️ CVE-2024-23466: Directory Traversal Remote Code Execution
✔️ CVE-2024-23470: UserScriptHumster Exposed Dangerous Method Remote Command Execution
✔️ CVE-2024-23471: CreateFile Directory Traversal Remote Code Execution.
Recommendation
SolarWinds has fixed these issues in version 2024.3. It’s important for admins to update to this latest version.
Major Security Breach at WazirX Cryptocurrency Exchange Leads to $230 Million Loss
Overview
Indian cryptocurrency exchange WazirX announces a major security breach. It led to the theft of $230 million in cryptocurrency assets. Despite using Liminal’s advanced digital asset custody and wallet infrastructure, hackers were able to target their multi-signature wallet.
Impact
The cyber attack stemmed from a mismatch between the information displayed on Liminal’s interface and the actual signed data. This discrepancy allowed the attacker to replace the payload, thereby transferring wallet control to their address. Liminal seams responsible for transaction verifications as one of the six signatories. However, they stated that the compromised wallet was created outside of their ecosystem. They have affirmed that wallets within their platform remain secure.
Blockchain analytics firm Elliptic has indicated that the attack bears the hallmarks of North Korean threat actors. These threat actors have a history of targeting the cryptocurrency sector since 2017.
Recommendation
- Verify Wallet Security
- Implement Robust Multi-Signature Protocols
- Monitor Transactions for Any Discrepancies
- Regularly Audit Security Measures
HotPage Adware Posing as Ad Blocker Installs Malicious Kernel Driver
Overview
Cybersecurity researchers uncover an adware module masquerading as an ad blocker. It covertly installs a kernel driver enabling attackers to execute arbitrary code with elevated permissions on Windows systems. Its named HotPage as it gets its name from the notorious installer “HotPage.exe”
Impact
HotPage adware deceptively offers to block ads and malicious websites. However, in reality, it deploys a driver capable of injecting code into remote processes. This malware can modify webpage contents and redirect users to different pages. It can also open new tabs based on specific conditions.
The adware is designed to display game-related ads and harvest system info. It then sends it to a remote server linked to a Chinese company. The embedded driver lacks proper access control lists (ACLs) and allows attackers with non-privileged accounts to gain elevated privileges. It then runs code as the NT AUTHORITY\System account.
This kernel component’s vulnerability permits other threats to exploit it. It can then compromise windows system security. That said, the driver is signed by Microsoft and highlights that the Chinese company managed to obtain an Extended Verification (EV) certificate. However, the fact of the matter is, it has since been removed from the Windows Server Catalog.
Recommendations
- Admins should inspect their systems for the presence of HotPage.exe and associated malicious drivers.
- If detected, immediately remove the HotPage installer and any related components.
- Ensure that all systems have updated security patches.
- Implement stricter policies for driver installations.
Windows Management Experts
Now A Microsoft Solutions Partner for:
- Data & AI
- Digital and App Innovation
- Infrastructure
- Security
The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.
Why not reach out to us at WME?
Contact us and let us transform your business’s security into a strategic advantage for your business. Be sure, with WME, you’re just beginning a path toward a more streamlined and secure future.
WME Cybersecurity Briefings 020
