Fake hotfix distributes Remcos RAT amid CrowdStrike glitch

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.?

1. MuddyWater deploys new BugSleep malware in latest cyber attacks

The Iranian-backed MuddyWater hacking group, also known as Earth Vetala, has introduced a new malware called BugSleep to steal files and execute commands on compromised systems. Distributed through sophisticated phishing lures, BugSleep targets various entities globally, including government organizations, municipalities, airlines, and media outlets. ?

The malware is delivered via phishing emails disguised as webinar or course invitations, leading targets to download malicious payloads. MuddyWater, active since 2017, continuously upgrades its toolkit and conducts cyber-espionage campaigns against entities in the Middle East, Asia, Europe, and North America. To stay protected, it is recommended to enhance email security with advanced filtering and training, keep software updated, and deploy robust endpoint protection.?

2. Cybercriminals leverage CrowdStrike update bug to spread Remcos RAT malware

CrowdStrike, facing backlash over a disruptive Windows update that caused global system failures, warns that cybercriminals are exploiting the situation to target its customers in Latin America with Remcos RAT malware disguised as a legitimate hotfix. Attackers are distributing a ZIP file named “crowdstrike-hotfix.zip ,” containing a malware loader (Hijack Loader) and instructions in Spanish to execute “setup.exe,” which installs the Remcos RAT. ?

The campaign, attributed to a suspected e-crime group, coincides with a CrowdStrike sensor update error on July 19 that caused a Blue Screen of Death (BSoD) on systems running Falcon sensor for Windows version 7.11 and above. Malicious actors have since created typosquatting domains and advertised fake services demanding cryptocurrency payments, highlighting the need for users to rely on official channels and proper guidance to avoid further risks.?

3. PHP flaw CVE-2024-4577 exploited for malware and DDoS within 24 hours?

Multiple threat actors have begun exploiting the newly disclosed PHP security flaw CVE-2024-4577 within 24 hours of its release. This critical vulnerability, with a CVSS score of 9.8, allows remote execution of malicious commands on Windows systems using Chinese and Japanese locales. Attackers are leveraging this flaw to deliver remote access trojans, cryptocurrency miners, and DDoS botnets, with notable activity from Gh0st RAT, RedTail, XMRig, and Muhstik botnet, as well as TellYouThePass ransomware. ?

Security researchers emphasize the need for immediate action, recommending updates to PHP installations, robust network monitoring, application of security patches, strong authentication mechanisms, deployment of intrusion detection systems, regular backups, and comprehensive incident response plans.?

4. Exim mail server flaw exposes millions to malicious threats?

A critical vulnerability in the Exim mail transfer agent, CVE-2024-39929, with a CVSS score of 9.1, allows attackers to bypass extension-blocking protections and deliver malicious executable attachments to users’ inboxes. Affecting Exim versions 4.97.1 and earlier, this flaw arises from improper parsing of RFC2231 header filenames and impacts 1.56 million public-facing servers, primarily in the U.S., Russia, and Canada. ?

While no active exploitation has been reported, users should immediately upgrade to Exim version 4.98, audit servers for vulnerabilities, apply security patches, and enable detailed monitoring to mitigate risks.?

5. AT&T data breach: Extensive customer records exfiltrated by threat actors?

AT&T confirmed a data breach affecting all wireless and MVNO customers, with threat actors accessing call and text records via a third-party cloud platform between April 14-25, 2024. The stolen data includes telephone numbers, call counts, call durations, and some cell site IDs, but not call/text content or sensitive personal information. AT&T promptly responded and collaborated with law enforcement, leading to the arrest of John Binns, linked to a 2021 T-Mobile breach.?

The breach involved unsecured Snowflake storage accounts, now secured with mandatory MFA. Ways to contain or prevent such breaches are to implement MFA, conduct regular security audits, use data encryption, educate employees on social engineering, and maintain an incident response plan.?

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.