Cyber Security Briefing, 6 - 12 July

July 12, 2024

Microsoft patches 142 vulnerabilities in July Patch Tuesday

For July's Patch Tuesday, Microsoft has released patches for 142 vulnerabilities, including four 0-days, two of them actively exploited. Among the patched flaws, five allow attackers to execute code remotely and are rated critical, including CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077, all with a CVSSv3 score of 9.8 according to Microsoft and all affecting the Windows Remote Desktop Licensing Service.

The four patched 0-days are CVE-2024-38080 (CVSSv3 7.8 according to the vendor), CVE-2024-38112 (CVSSv3 7.5 according to the vendor), CVE-2024-35264 (CVSSv3 8.1 according to the vendor) and CVE-2024-37985. Respectively, these would allow malicious actors to elevate privileges in Hyper-V on various versions of Windows 11, perform spoofing attacks on the MSHTML platform, execute code remotely in .NET and Visual Studio, and view the heap memory of a privileged process on Windows 11 version 22H2 server products.


Zergeca: new botnet designed for DDoS attacks

Researchers at QiAnXin XLab discovered a new Golang-based botnet called Zergeca, designed to perform DDoS attacks. The botnet uses multiple DNS resolution methods and prioritizes DNS over HTTPS for C2, using the Smux library for encrypted communication.

It consists of four modules, known as persistence, proxy, silivaccine and zombie, the last of which is the core of the botnet and is responsible for reporting information and executing commands. Zergeca maintains persistence on compromised devices through geomi.service, which relaunches the malware process when the device is restarted. The analysis concluded that Zergeca has advanced capabilities, including proxying, scanning, auto-updating, persistence, file transfer, reverse shell and sensitive information collection. It was also noted that its C2 IP address has been linked to the Mirai botnet since 2023, suggesting that its creator has prior experience operating such networks.


New FishXProxy phishing kit

The research team at SlashNext Email Security has published research detailing a new phishing kit dubbed FishXProxy. According to the researchers, it is a dangerous tool designed to create and manage phishing sites that evade detection and maximise the success rate, without requiring any technical knowledge on the part of the user.

Among its most notable features, it reportedly offers a wide range of advanced functions such as antibot settings, Cloudflare Turnstile integration, built-in redirects and page expiration settings. In addition, the kit provides users who sign up for the platform with upgrades and support.


China-sponsored APT cyber espionage campaign detected

Threat actors from the China-sponsored APT40 group are hijacking SOHO routers to launch cyberespionage attacks against government entities, according to a joint advisory from international cybersecurity agencies. APT40, active since at least 2011, has attacked government and private organizations by exploiting vulnerabilities in software such as Microsoft Exchange and WinRAR, and also uses web shells and techniques such as Kerberoasting and RDP to move laterally within compromised networks.

In the newly observed campaign, the group is using SOHO (Small Office, Home Office) routers that have reached the end of their useful life, exploiting N-day vulnerabilities to hijack them and make them act as proxies from which attacks are launched while blending in with legitimate traffic. In the later stages of the attack, APT40 exfiltrates data to C2 servers and maintains a stealthy presence. Finally, the advisory recommends timely patching, thorough logging, network segmentation and replacement of EoL equipment to defend against these attacks.


Poco RAT's active campaign against Latin American organizations

Cofense has identified a new malware campaign, named Poco RAT, targeting victims located in Latin America, mainly in the mining sector. The campaign, which has been operating since February 2024, is generally spread through emails using financial pretexts, usually containing links to 7zip files hosted on Google Drive. These emails may include a direct link, a link inside an HTML file or a link inside an attached PDF.

Once executed, and with persistence established through a registry key, the application communicates with a C2 server that only responds if the computer is located in Latin America. Among the functionalities identified are the ability to download and run other applications and the possibility, not widely exploited so far, of accessing credentials on the computer and capturing user input.
