Cyber Security Briefing, 25 - 31 May
Check Point fixes vulnerability used in VPN attacks
Last Monday, Check Point issued a security advisory warning that threat actors were targeting Check Point Remote Access VPN devices to gain access to corporate environments. The vendor subsequently identified the root cause as the exploitation of a 0-day vulnerability, now registered as CVE-2024-24919, with a CVSSv3 score of 7.5 according to the vendor.
Exploiting this security flaw could allow an attacker to read information on Internet-connected gateways with remote access VPN or mobile access enabled. Check Point has indicated that this vulnerability affects CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances, in product versions R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x and R81.20.
Check Point therefore recommends applying the corresponding security patches to update the affected assets.
Brazilian banks targeted by AllaSenha malware
Brazilian banking institutions are the target of a new campaign distributing a variant of the Windows-based remote access Trojan (RAT) called AllaSenha. A security product from HarfangLab detected a malicious payload delivered to a computer in Brazil via a complex infection chain involving Python scripts and a loader developed in Delphi.
The malware is specifically aimed at stealing credentials needed to access Brazilian bank accounts and uses the Azure cloud as command and control (C2) infrastructure. Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob and Sicredi. The initial access vector, although not definitively confirmed, points to the use of malicious links in phishing messages.
Anatsa banking trojan being distributed on Google Play
The research team at Zscaler has published the results of an investigation indicating that more than 90 malicious apps with more than 5.5 million downloads in total are being distributed via Google Play. Among these, the experts highlight the rise of the Anatsa banking Trojan, which is notable for targeting more than 650 apps from financial institutions in Europe, the US and Asia with the aim of stealing victims' credentials.
Specifically, Zscaler reports that the malware is being distributed via two applications called ‘PDF Reader & File Manager’ and ‘QR Reader & File Manager’, both of which have accumulated 70,000 downloads. The two Anatsa apps discovered by Zscaler have since been removed from Google Play; the names of the remaining malicious apps identified have not been reported.
New 0-day vulnerability actively exploited in Chrome
Google has issued a new security advisory alerting users to a 0-day vulnerability affecting the Chrome browser that has been confirmed to be actively exploited. The security flaw has been registered as CVE-2024-5274 and involves a type confusion in V8, Chrome's JavaScript engine, so threat actors could exploit the vulnerability to cause crashes, data corruption and arbitrary code execution.
For the moment, Google has not shared technical details about this flaw in order to protect users from possible exploitation attempts. However, Google recommends that users update Chrome to version 125.0.6422.112/.113 for Windows and Mac, while Linux users should wait for the release of version 125.0.6422.112.
Analysis of the LilacSquid APT campaign
Cisco Talos researchers have published an analysis of a new cyber-espionage and data theft campaign that they attribute to an APT they have dubbed LilacSquid. This threat actor targets entities in the technology sector in the US, the energy sector in Europe and the pharmaceutical sector in Asia. In its attacks, LilacSquid has been observed employing various tools and malware, including the remote management tool MeshAgent.
The APT has also employed a variant of QuasarRAT that has been dubbed PurpleInk, as well as two other malware loaders called InkBox and InkLoader. The actor's objective appears to be gaining persistent access to victims' systems in order to obtain information of interest to the APT, compromising applications and RDP credentials in the process.