Cyber Security Briefing, 30 March - 5 April

April 5, 2024

Critical vulnerability found in XZ points to possible supply chain attack

Critical vulnerability CVE-2024-3094, rated CVSSv3 10 by Red Hat, has been detected in versions 5.6.0 and 5.6.1 of the XZ compression utility and its associated liblzma libraries. The malicious code, which is not present in the public Git repositories but is found in the official release tarballs, was intentionally inserted by a contributor to the project and represents a significant threat to Linux systems, since it tampers with the authentication path used, for example, by OpenSSH servers.

The widespread use of XZ on Linux distributions and macOS systems amplifies the potential impact, as systems running compromised versions of the software are exposed to unauthorized access and remote code execution if they publicly expose SSHD servers. The incident has prompted urgent warnings from CISA and several vendors such as Red Hat, advising a return to XZ version 5.4.6, which does not contain the backdoor.

In parallel, other contributions that the developer who introduced this change has made to other high-impact repositories are also being investigated.
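The practical question for a defender reading the item above is whether a given host runs one of the affected XZ releases and whether its sshd actually loads liblzma. The following is an added example (not code from the briefing, Red Hat or the XZ project) that parses the output of `xz --version` and `ldd /usr/sbin/sshd`; the sample outputs embedded in it are constructed, and the path `/usr/sbin/sshd` and the risk labels are assumptions for illustration.

```python
"""Offline check for CVE-2024-3094 indicators.

Parses captured tool output (so it can be exercised without xz or sshd
installed) and reports whether the host runs an affected XZ release and
whether sshd loads liblzma at all.
"""
import re
import shutil
import subprocess
from typing import Dict, List

AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}  # releases named in the advisory
SAFE_VERSION = "5.4.6"                      # version vendors advised returning to
VERSION_RE = re.compile(r"^(xz|liblzma)\b.*?(\d+\.\d+\.\d+)")

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_LDD_LINKED = (
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n"
)
SAMPLE_LDD_UNLINKED = "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)\n"


def parse_xz_version(output: str) -> Dict[str, str]:
    """Map component name -> version from the two lines `xz --version` prints."""
    versions: Dict[str, str] = {}
    for line in output.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if the ldd listing for sshd shows liblzma being loaded.

    On some distributions liblzma reaches sshd indirectly through libsystemd,
    so the check looks at every line rather than a direct dependency only."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def assess(xz_version_output: str, ldd_output: str) -> Dict[str, object]:
    """Combine both indicators into a small report with an illustrative risk label."""
    versions = parse_xz_version(xz_version_output)
    affected: List[str] = sorted(
        name for name, ver in versions.items() if ver in AFFECTED_XZ_VERSIONS
    )
    exposed = sshd_links_liblzma(ldd_output)
    if affected and exposed:
        risk = "high"      # backdoored library and sshd loads it
    elif affected:
        risk = "medium"    # backdoored library present, sshd not (yet) linked
    else:
        risk = "none"
    action = f"downgrade to xz {SAFE_VERSION}" if affected else "no action"
    return {
        "versions": versions,
        "affected": affected,
        "sshd_links_liblzma": exposed,
        "risk": risk,
        "action": action,
    }


def _run(cmd: List[str]) -> str:
    """Run a tool if present; empty output otherwise (keeps the check non-fatal)."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Live check on this host (assumed sshd path), then the constructed samples.
    print(assess(_run(["xz", "--version"]), _run(["ldd", "/usr/sbin/sshd"])))
    print(assess(SAMPLE_XZ_AFFECTED, SAMPLE_LDD_LINKED))
```

The version check alone is enough to decide on the downgrade; the ldd check only tells you whether the sshd exposure the briefing describes applies to this particular build, which is why an affected version with no liblzma linkage is still reported rather than ignored.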

Attacking the Linux supply chain: Simmering

Venom RAT campaign detected targeting several sectors in Latin America

A massive new phishing campaign, attributed to threat actor TA558, was recently observed hitting multiple sectors in Latin America, aiming to distribute Venom RAT. As reported by Idan Tarab, researcher at Perception Point, the campaign has affected the tourism and leisure, commercial, financial, manufacturing, industrial and government sectors in several countries in the region.

TA558 is known to have been active since 2018 and has used various malware families such as Loda RAT, Vjw0rm and Revenge RAT in previous attacks in the region. In this new campaign, the infection chain uses phishing emails to install Venom RAT, an offshoot of Quasar RAT, which allows the collection of sensitive data and remote control of systems. Most of the attacks have been observed in Mexico, Colombia, Brazil, the Dominican Republic and Argentina, although countries such as Spain, the United States and Portugal have also been affected.

Report on the Storm-0558 incident against Microsoft

Last year Microsoft published a report explaining how it had mitigated an attack by the Chinese actor known as Storm-0558 that targeted the email accounts of multiple entities, among them US government agencies such as the State Department. According to the report, the threat actor exploited a token validation issue to impersonate Azure AD users and gain access to corporate email.

However, the US Department of Homeland Security's Cybersecurity Review Board (CSRB) recently issued a report warning that the company must improve data security and be more candid about how malicious actors stole the signing key, as the agency states there is no definitive evidence of how the threat actor obtained it. The board does point out, though, that it could have been the result of a concatenation of security flaws at Microsoft.

The CSRB says that the threat actor obtained some 60,000 emails belonging to the State Department alone.

CONTINUATION Flood allows DoS attacks with only one TCP connection

Recently discovered vulnerabilities dubbed CONTINUATION Flood, affecting the HTTP/2 protocol, can lead to Denial of Service (DoS) attacks over a single TCP connection. According to researcher Bartek Nowotarski, the flaw stems from missing frame checks in HTTP/2 implementations, which lets an attacker send a stream of frames that never carry the "END_HEADERS" flag and whose combined length is enough to bring the server down.

Nowotarski also notes that the DoS condition can arise either from memory exhaustion or from CPU exhaustion while processing these frames, since the use of "CONTINUATION" frames means the header block is never bounded in size. Some of the vulnerabilities identified so far in connection with CONTINUATION Flood include CVE-2024-27983, CVE-2024-27919 (CVSSv3 7.5 according to GitHub), CVE-2024-2758 and CVE-2024-2653.
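The missing check the item describes is easiest to see in code: a server must stop accumulating a header block once it exceeds a byte budget or a frame budget, instead of waiting indefinitely for END_HEADERS. The following is an added example (not code from the briefing, the researcher or any of the affected projects) of a minimal HTTP/2 frame reader that enforces both limits before any HPACK decoding happens; the frames it feeds itself are constructed in memory, and the limits of 8192 bytes and 16 CONTINUATION frames are assumptions chosen for illustration, not values from any server's configuration.

```python
"""Bounded assembly of an HTTP/2 header block (HEADERS + CONTINUATION frames).

Defensive check against unbounded CONTINUATION sequences: rejects a header
block as soon as it exceeds a byte or frame budget, or violates framing rules,
rather than buffering until END_HEADERS arrives.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Frame layout and constants from RFC 9113 (HTTP/2).
FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Walk a byte string frame by frame; stops at a trailing partial header."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            raise ValueError("truncated frame")
        yield Frame(ftype, flags, stream_id, data[start:end])
        off = end


def headers_fragment(fr: Frame) -> bytes:
    """Strip the optional padding and priority fields from a HEADERS payload."""
    body = fr.payload
    pad_len = 0
    if fr.flags & FLAG_PADDED:
        pad_len, body = body[0], body[1:]
    if fr.flags & FLAG_PRIORITY:
        body = body[5:]          # exclusive bit + stream dependency (4) + weight (1)
    if pad_len > len(body):
        raise ValueError("padding longer than payload")
    return body[:len(body) - pad_len]


def collect_header_block(data: bytes, max_header_bytes: int = 8192,
                         max_continuation_frames: int = 16) -> Tuple[str, Optional[bytes]]:
    """Assemble the first header block in `data` under both budgets.

    Returns ("accepted", fragment_bytes) or ("rejected:<reason>", None).
    The budgets are illustrative assumptions, not values from a real server."""
    stream: Optional[int] = None
    buf = bytearray()
    continuation_count = 0
    for fr in iter_frames(data):
        if stream is None:
            if fr.ftype != TYPE_HEADERS:
                continue         # other frame types are outside this check
            stream = fr.stream_id
            buf += headers_fragment(fr)
        else:
            # Once a HEADERS frame lacks END_HEADERS, only CONTINUATION on the
            # same stream may follow (RFC 9113 section 6.10).
            if fr.ftype != TYPE_CONTINUATION or fr.stream_id != stream:
                return "rejected:protocol", None
            continuation_count += 1
            if continuation_count > max_continuation_frames:
                return "rejected:frame_count", None
            buf += fr.payload
        if len(buf) > max_header_bytes:
            return "rejected:size", None   # checked before any HPACK work
        if fr.flags & FLAG_END_HEADERS:
            return "accepted", bytes(buf)
    return "rejected:unterminated", None


def build_sample(fragment: bytes, continuation_frames: int, terminate: bool,
                 stream_id: int = 1) -> bytes:
    """Constructed input: one HEADERS frame plus N CONTINUATION frames of `fragment`."""
    first_flags = FLAG_END_HEADERS if (terminate and continuation_frames == 0) else 0
    frames = [encode_frame(TYPE_HEADERS, first_flags, stream_id, fragment)]
    for i in range(continuation_frames):
        last = i == continuation_frames - 1
        flags = FLAG_END_HEADERS if (last and terminate) else 0
        frames.append(encode_frame(TYPE_CONTINUATION, flags, stream_id, fragment))
    return b"".join(frames)


if __name__ == "__main__":
    print(collect_header_block(build_sample(b"\x82\x86\x84", 2, True)))     # accepted
    print(collect_header_block(build_sample(b"A" * 1000, 20, False)))       # rejected:size
    print(collect_header_block(build_sample(b"A" * 10, 20, False)))         # rejected:frame_count
```

The point of the two separate budgets matches the two failure modes in the text: the byte limit bounds memory, and the frame-count limit bounds the CPU spent parsing a long run of tiny frames. Either rejection should close the connection rather than just drop the stream, since the sender has already demonstrated it is not a well-behaved client.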

Darcula: Phishing as a Service analysis

Netcraft researchers have published a paper analysing a phishing-as-a-service platform called Darcula. Specifically, the researchers say the platform uses more than 20,000 domains on 11,000 IP addresses to spoof more than 200 brands and trick users of both Android and iPhone devices in more than 100 countries.

According to the researchers, Darcula is notable for its use of JavaScript, React, Docker and Harbor, which allows continuous updates and new features without the need to reinstall phishing kits. Also, Darcula does not use SMS messages; instead it uses RCS (Android) and iMessage (iOS) to send victims messages containing links to phishing URLs.

Netcraft further notes that the most common TLDs are .top and .com, followed by other low-cost TLDs, and recommends being suspicious of any incoming message urging the recipient to open a URL, especially if the sender is not recognised.
