Cybersecurity Dossier - August 26, 2024
Threat Actor in Focus - Iranian Cyberattacks Targeting Presidential Campaigns
APT42, an Iranian state-backed threat actor, is targeting individuals connected to the Harris and Trump Presidential campaigns through spear phishing attacks. In May and June, APT42 attempted to compromise the personal email accounts of about a dozen individuals affiliated with both President Biden and former President Trump, including current and former U.S. government officials. These efforts have resulted in several successful breaches, notably including the Gmail account of a prominent political consultant. APT42 continues to make unsuccessful attempts to breach personal accounts associated with President Biden, Vice President Harris, and former President Trump, reflecting the group’s ongoing focus on military and political figures to advance Iran’s geopolitical objectives. It has also been reported that APT42 has significantly increased its cyberattacks against users in Israel since April 2024. READ MORE
CVE-2024-30078 Remote Code Execution Vulnerability Analysis and Exploitation
CYFIRMA Research has evaluated CVE-2024-30078, a vulnerability causing significant concern in the cybersecurity community due to its critical impact on organizations globally. This flaw affects multiple versions of Microsoft Windows and enables remote code execution (RCE), potentially granting malicious actors unauthorized access to sensitive networks. This highlights the imperative for enhanced cybersecurity measures and proactive threat intelligence to effectively defend against such evolving cyber threats. CVE-2024-30078 is a severe vulnerability in the Wi-Fi drivers across multiple Microsoft Windows versions, potentially enabling threat actors within Wi-Fi range to remotely execute malicious code on susceptible systems. This issue affects a broad spectrum of Windows versions, with the potential to impact over 1.6 billion active devices worldwide. To mitigate this risk, organizations must take prompt action by applying the patches released by Microsoft and enhancing their security measures. READ MORE
Tactics and Motivations of Modern Hacktivists
Hacktivists, who see themselves as digital activists, use their technical skills to promote social, political, or religious causes, and often operate under a banner of justice, targeting organizations or governments they perceive as oppressive, corrupt, or unjust. Motivated by a desire to bring about change, they use various cyber tactics to make their voices heard, from DDoS attacks and website defacements to data leaks and doxing. In this report, we explore the various tactics and techniques employed by modern hacktivists: how they develop ransomware variants from leaked source code and sell them for profit, breach low-security private organization websites, and use stealer logs to their advantage. We also explore the strategic alliances formed between hacktivist groups, their partnerships with DDoS or botnet developers, and their cooperation with state-owned threat actors. Among these tactics, DDoS attacks are a common method used to disrupt websites by overwhelming them with traffic. READ MORE
QWERTY INFORMATION STEALER
The sample was retrieved from a publicly indexed web server with the domain mailservicess[.]com. The server, based in Frankfurt am Main (Germany), is identified as running a Linux-based virtual private server with limited services exposed. This report details the technical aspects of the malware, including its file characteristics, anti-debugging techniques, data collection methods, and interaction with the C2 server. The analysis reveals the malware’s sophisticated mechanisms for evading analysis and its capability to perform extensive data exfiltration operations. Based on the HTTP communications with the C2 server and the unique strings found in the samples, we have named this previously unknown stealer “Qwerty Info Stealer.” At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. This report provides a comprehensive analysis of a recent malware identified as QWERTY Info Stealer. READ MORE
Ransomware of the Week
CYFIRMA Research and Advisory Team has found Blue ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers have uncovered a new ransomware variant from the Phobos family, known as Blue. This ransomware encrypts files and renames them by appending the victim’s ID, the attackers’ email address, and the “.blue” extension. Additionally, Blue generates “info.hta” and “info.txt” files, which contain the ransom note, demanding payment for the decryption key. The Blue ransomware’s ransom note informs victims that their files have been encrypted due to a security issue with their computers. To restore access, victims are instructed to pay a ransom. The note specifies that payment must be made in Bitcoin, with the amount depending on how quickly victims reach out to the threat actors. Upon payment, victims will receive a decryption tool. Before making the payment, they are allowed to send up to five files (under 4MB) for free decryption. READ MORE
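The indicators described above (renamed files carrying a victim ID, an email address and the “.blue” extension, plus “info.hta” / “info.txt” ransom notes) can be turned into a quick triage check over a file inventory. The following Python is an added example, not CYFIRMA’s code and not derived from the Blue sample itself; the exact layout of the appended tokens (“.id[<victim-id>].[<email>].blue”, Phobos-style) is an assumption, and the listing it scans is constructed with fictitious IDs and a reserved example address.

```python
"""
Added example (not CYFIRMA's code): triage a file listing for the Blue
(Phobos-family) indicators: files renamed with an appended victim ID,
email address and ".blue" extension, and "info.hta"/"info.txt" notes.
"""
import os
import re
from collections import Counter

RANSOM_NOTES = {"info.hta", "info.txt"}

# ASSUMED layout of the renamed file: <original>.<ext>.id[<victim-id>].[<email>].blue
BLUE_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.blue$",
    re.IGNORECASE,
)


def _split_path(path):
    """Split on both '/' and '\\' so a Windows listing parses on any host."""
    parts = re.split(r"[\\/]", path)
    return "/".join(parts[:-1]), parts[-1]


def parse_blue_name(filename):
    """Return (original_name, victim_id, email) for a Blue-renamed file, else None."""
    m = BLUE_NAME.match(_split_path(filename)[1])
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage_listing(paths):
    """Summarise a list of file paths (e.g. a file-share inventory export).

    Returns the number of encrypted files, the victim IDs and contact
    emails seen (useful for correlating hosts hit by the same campaign),
    the directories holding ransom notes, the most affected directories,
    and a verdict.
    """
    encrypted = 0
    victim_ids, emails, note_dirs = set(), set(), set()
    per_dir = Counter()
    for p in paths:
        directory, base = _split_path(p)
        if base.lower() in RANSOM_NOTES:
            note_dirs.add(directory)
            continue
        parsed = parse_blue_name(base)
        if parsed:
            encrypted += 1
            victim_ids.add(parsed[1])
            emails.add(parsed[2])
            per_dir[directory] += 1
    # A stray info.txt is common on clean systems, so require renamed
    # files as well before calling it an infection.
    verdict = encrypted > 0 and (bool(note_dirs) or encrypted >= 5)
    return {
        "encrypted_files": encrypted,
        "victim_ids": sorted(victim_ids),
        "emails": sorted(emails),
        "note_dirs": sorted(note_dirs),
        "top_dirs": per_dir.most_common(3),
        "likely_blue_infection": verdict,
    }


def triage_directory(root):
    """Walk a real directory tree and run the same triage on what it finds."""
    paths = []
    for dirpath, _, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return triage_listing(paths)


# Constructed sample listing: fictitious victim ID and a reserved example
# address, not real indicators from the Blue sample.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id[1A2B3C4D-0001].[contact@example.invalid].blue",
    r"C:\Users\alice\Documents\notes.docx.id[1A2B3C4D-0001].[contact@example.invalid].blue",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.id[1A2B3C4D-0001].[contact@example.invalid].blue",
    r"C:\Users\alice\Pictures\readme.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

Feed `triage_listing` the output of an inventory tool or `triage_directory` a mounted image; the victim ID and email sets are the fields to pivot on when checking whether several hosts were hit by the same operator.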
Trending Malware of the Week
This week “BANSHEE Stealer” is trending. Researchers have identified a new macOS-specific malware named BANSHEE Stealer, developed by Russian threat actors and introduced on an underground forum. This sophisticated stealer, designed for both macOS x86_64 and ARM64 architectures, targets critical system information, a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it highly versatile and dangerous. With a notable monthly subscription fee of $3,000, BANSHEE Stealer highlights the growing market for macOS-targeted threats, signaling a concerning trend as macOS continues to gain attention from cybercriminals. The malware examined in this analysis retained all C++ symbols, which is notable because it allows researchers to infer the project’s code structure from the source code file names. By analyzing the C++-generated global variable initialization functions, they could identify values configured during the build process. READ MORE
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view to help clients prepare for impending attacks.
Visit www.cyfirma.com
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.