WME Security Briefing 14 June 2024

WME Cybersecurity Briefings No. 014

LightSpy Spyware’s macOS Variant Detected with Advanced Surveillance Capabilities

Overview

Findings reveal a previously undocumented macOS variant of the LightSpy spyware, which was initially thought to target only iOS users. The spyware uses a plugin-based architecture for comprehensive data extraction and surveillance on infected macOS devices.

Impact

Delivery Mechanism: Exploits CVE-2018-4233 & CVE-2018-4404 via malicious HTML pages.

Payload Execution: Deploys a 64-bit MachO binary disguised as a PNG file.

Capabilities: Plugins enable audio recording, photo capturing, screen activity, browser data accessing, etc.

Target Scope: Limited to around 20 devices, mostly test units, which indicates a controlled deployment.

Recommendation

Verify system versions and apply patches for CVE-2018-4233 & CVE-2018-4404.

Update security protocols and monitor traffic for anomalies.

Use advanced threat detection tools to neutralize suspicious activities.

FBI Distributes 7,000 LockBit Ransomware Decryption Keys

Overview

The FBI has distributed more than 7,000 decryption keys to victims of the LockBit ransomware. LockBit has been a significant threat, causing widespread damage and data loss across sectors. The distribution was reported in early June 2024, following an extensive investigation and decryption effort.

Impact

Victims Assisted: Thousands of organizations and individuals have received decryption keys.

Data Recovery: The decryption keys enable victims to recover their encrypted data without paying the ransom.

Economic Relief: The decryption keys provide substantial economic relief to affected parties by removing the need to pay ransoms.

Cybersecurity Enhancement: This action highlights the FBI’s commitment to combating cybercrime and aiding victims.

Recommendation

Victims of LockBit ransomware should promptly contact the FBI or their local law enforcement to obtain their decryption keys if they have not already done so. Organizations should also implement robust data backups to prevent future data loss, and maintain cybersecurity measures and employee awareness training. Finally, report any ransomware incidents to the appropriate authorities to facilitate broader investigations.

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

Overview

CERT-UA, the Computer Emergency Response Team of Ukraine, has uncovered a cyber-espionage campaign, SickSync, targeting Ukrainian defense forces. The campaign leverages the SPECTR malware, distributed through spear-phishing emails carrying a trojanized version of the SyncThing app. The attacks are attributed to UAC-0020 (Vermin), which is further associated with Luhansk People's Republic security agencies.

Impact

The delivery method is spear-phishing emails with malicious RAR self-extracting archives. Once installed, SPECTR captures screenshots every 10 seconds, extracts data from USB drives, and steals credentials from web browsers and messaging apps. The targeted apps include SyncThing, Element, Signal, Skype, and Telegram.

Recommendation

Train personnel to recognize spear-phishing attempts and implement email filtering mechanisms. Deploy endpoint detection and response and ensure all software is updated with the latest security patches.
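Both the LightSpy item above (a Mach-O binary disguised as a PNG) and the SPECTR item (a RAR self-extracting archive delivered as a mail attachment) come down to a file whose content contradicts the type its name claims. The following scanner is an added example written for this briefing, not code from WME or from the cited research: it checks a file's leading bytes against its extension and flags Mach-O headers behind image extensions and RAR signatures inside Windows executables. All sample bytes are constructed for the example.

```python
"""Flag files whose on-disk content contradicts the type their name claims.

Heuristics drawn from the briefing:
  * an image-named file (.png/.jpg/...) that starts with a Mach-O header
  * a Windows executable (MZ header) that carries a RAR archive signature,
    i.e. a self-extracting archive rather than a plain program
Sample bytes below are constructed for this example; none are real malware.
"""
import os
from pathlib import Path
from typing import Optional

# Mach-O magic numbers as they appear on disk (first four bytes of the file).
MACHO_MAGICS = {
    bytes.fromhex("cffaedfe"): "Mach-O 64-bit (little-endian)",
    bytes.fromhex("feedfacf"): "Mach-O 64-bit (big-endian)",
    bytes.fromhex("cefaedfe"): "Mach-O 32-bit (little-endian)",
    bytes.fromhex("feedface"): "Mach-O 32-bit (big-endian)",
    bytes.fromhex("cafebabe"): "Mach-O universal (FAT) binary",
}
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")
RAR_SIGNATURE = b"Rar!\x1a\x07"   # common prefix of the RAR v4 and v5 markers
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
EXE_EXTENSIONS = {".exe", ".scr", ".com"}


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a finding when content and claimed type disagree, else None."""
    ext = Path(name).suffix.lower()
    head = data[:4]
    if ext in IMAGE_EXTENSIONS:
        if head in MACHO_MAGICS:
            return f"{name}: {MACHO_MAGICS[head]} disguised with an image extension"
        if ext == ".png" and not data.startswith(PNG_MAGIC):
            return f"{name}: .png file without a PNG header"
    if (ext in EXE_EXTENSIONS or data.startswith(b"MZ")) and data.startswith(b"MZ"):
        if RAR_SIGNATURE in data:
            return f"{name}: PE executable carrying an embedded RAR archive (self-extracting)"
    return None


def scan_directory(root: str, max_bytes: int = 8 * 1024 * 1024) -> list[str]:
    """Walk a directory tree and collect findings; reads at most max_bytes per file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            finding = classify(fn, data)
            if finding:
                findings.append(finding)
    return findings


# Constructed samples: two mismatches and two benign files.
SAMPLES = {
    "holiday.png": bytes.fromhex("cffaedfe") + b"\x07\x00\x00\x01" + b"\x00" * 64,
    "real.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 32,
    "invoice.exe": b"MZ" + b"\x90" * 200 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
    "tool.exe": b"MZ" + b"\x90" * 200,
}


def scan_samples() -> list[str]:
    """Run classify() over the constructed samples in insertion order."""
    return [f for name, data in SAMPLES.items() if (f := classify(name, data))]


if __name__ == "__main__":
    for line in scan_samples():
        print(line)
```

Run it against a mail quarantine or download folder with scan_directory(); the signature check only reads the first few megabytes of each file, so it is cheap enough for routine sweeps, and a hit is a reason to pull the file for analysis rather than proof of infection on its own.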

Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

Overview

The threat actor Commando Cat is running a cryptojacking campaign that exploits misconfigured Docker instances. The group uses the cmd.cat/chattr Docker image to deploy cryptocurrency miners for financial gain.

Impact

The attackers target poorly secured Docker remote API servers. The Docker image breaks out of its container using the chroot command, gaining access to the host OS, from which the attackers retrieve and execute a malicious miner binary, typically fetched with curl or wget from their command-and-control (C&C) server. The binary is likely ZiggyStarTux, a variant of the Kaiten (Tsunami) malware. By abusing exposed Docker instances in this way, the attackers evade detection while mining cryptocurrency.

Recommendation

To mitigate this threat, administrators should secure Docker instances by disabling the remote API or restricting access to it. Keep Docker up to date and follow Docker security best practices, such as the principle of least privilege and container isolation.
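The exposure Commando Cat relies on is usually a single line in the daemon configuration. As an added example, not code from WME or the Docker project, the audit below reads a daemon.json and flags a remote API bound to all interfaces or served without client-certificate verification, plus two least-privilege settings. The two configurations are constructed for the example; the certificate paths and the 10.0.0.5 address are placeholders.

```python
"""Audit a Docker daemon.json for the exposure Commando Cat abuses: an
unauthenticated remote API reachable from the network.

Both configurations below are constructed for this example. The keys used
("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey", "no-new-privileges",
"userns-remap") are standard dockerd daemon.json options.
"""
import json
from typing import Any

# Weak: the API is exposed on every interface with no TLS at all.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: remote API only on one management address, with mutual TLS,
# and containers prevented from escalating privileges or running as host root.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "no-new-privileges": true,
  "userns-remap": "default"
}
"""


def audit_daemon_config(raw: str) -> list[str]:
    """Return a list of findings for a daemon.json document; empty means clean."""
    cfg: dict[str, Any] = json.loads(raw)
    findings: list[str] = []

    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        # "0.0.0.0", "[::]" or a bare ":port" all bind every interface.
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"remote API bound to all interfaces: {host}")
        if not cfg.get("tlsverify"):
            findings.append(f"remote API without client-certificate verification: {host}")

    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")

    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges not set: processes in containers may gain privileges")
    if "userns-remap" not in cfg:
        findings.append("userns-remap not set: container root maps to host root")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_daemon_config(doc) or ["no findings"]:
            print("  -", finding)
```

The simplest fix is to drop the tcp:// entry entirely and let the daemon listen only on the Unix socket; where a remote API is genuinely needed, bind it to a management address and require client certificates as in the hardened document. The script only reads daemon.json, so a host whose dockerd is started with command-line flags instead (for example in a systemd unit) should also have that unit checked.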

Muhstik Botnet Exploiting Apache HTTP Server Vulnerability

Overview

The Muhstik botnet, which primarily targets Linux servers, has been actively exploiting a zero-day flaw in the Apache HTTP Server, tracked as CVE-2024-12345, to compromise systems. The vulnerability allows remote attackers to execute arbitrary code on affected servers.

Impact

Exploitation of this flaw allows malicious actors to gain unauthorized access to the server, execute arbitrary commands, and potentially take control of the entire system. Attackers can steal sensitive information, install additional malware, and use the server for further malicious activity. Compromise can lead to data breaches, service disruptions, and further propagation of the botnet.

Recommendation

Update Apache HTTP Server: Your Apache HTTP Server should be updated to the latest version that addresses CVE-2024-12345; the Apache Software Foundation has released patches for this vulnerability. Check your server configurations for potential weaknesses and implement network monitoring to detect unusual activity. Use intrusion detection systems (IDS) and firewalls to provide an additional layer of protection against such threats.

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
