Sunday 25th August 2024
Aidan Dickenson
Good morning everyone, I hope you're all having a great weekend. Thank you for joining me for the latest instalment of Cyber Daily. Today, we’re looking into the latest chapter in the digital cat-and-mouse game—from North Korea’s evolving malware to Singapore’s relentless scam surge. Plus, a new vulnerability lands on CISA's radar, proving that when it comes to cybersecurity, there’s never a dull moment.
Versa Networks Vulnerability Lands on CISA's Watchlist
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation. The vulnerability, CVE-2024-39717, affects the Versa Director software and is linked to the “Change Favicon” feature, which can be exploited to upload malicious files disguised as PNG images. The flaw carries a medium-severity rating (CVSS score: 6.6), and exploiting it requires an authenticated user with specific admin privileges.
Interestingly, Versa Networks acknowledged at least one confirmed instance of this vulnerability being exploited, due to outdated firewall guidelines. Federal agencies are now mandated to patch this flaw by September 13, 2024.
This addition comes on the heels of CISA adding older vulnerabilities, like those affecting Microsoft Exchange and Dahua IP Cameras, to the KEV catalog. The ongoing threats highlight the persistent risks posed by unpatched software in critical infrastructure.
Singapore's Surge in Scams: Messaging Apps Fuel a $294M Crime Wave
Scams and cybercrimes in Singapore are skyrocketing, with a significant rise in cases linked to messaging and social media platforms. The Singapore Police Force (SPF) reports that Meta's platforms—Facebook, Instagram, and WhatsApp—alongside Telegram, are primary channels for these cybercriminals. Notably, Telegram was involved in 45% of scam cases.
From January to June 2024, scam cases jumped by 16.3% year-on-year, totaling 28,751 cases and accounting for 92.5% of all cybercrime incidents. Victims lost a staggering SG$385.6 million (about $294.65 million), with the average loss per scam increasing to SG$14,503.
Messaging apps were the mode of contact in 8,336 scams, with WhatsApp leading at 50.2%. Social media platforms saw 7,737 scam cases, with Facebook responsible for 64.4% of these incidents. Alarmingly, scams involving government impersonation had the highest average loss, reaching SG$116,534 per case.
While phishing scams caused SG$13.3 million in losses, the SPF noted a positive trend: malware-enabled scams plummeted by 86.2%, reducing total losses to SG$295,000.
MoonPeak Malware: A New Weapon in North Korea's Cyber Arsenal
A North Korean-linked threat actor, likely associated with the infamous Kimsuky group, is deploying a new version of the XenoRAT malware, dubbed MoonPeak. Researchers at Cisco Talos recently discovered this variant, which is under active development and continuously evolving, making it increasingly difficult to detect.
MoonPeak retains most of XenoRAT's powerful capabilities, including keylogging and bypassing User Account Control (UAC), but has been consistently modified to evade detection. These modifications include changes to the malware's client namespace and the implementation of state machines to obscure the program's flow, complicating reverse engineering efforts.
Cisco Talos identified this activity cluster as UAT-5394, which closely resembles Kimsuky's operations but may represent an independent North Korean Advanced Persistent Threat (APT) group. The attackers have been adjusting their command-and-control (C2) infrastructure, moving from public cloud services to privately controlled systems, likely in response to previous exposures.
MoonPeak’s ongoing development and the sophisticated tactics surrounding its deployment highlight the persistent and evolving nature of North Korean cyber threats.