This Week in Cyber 22nd of November 2024
Analyst Insight
This week in cyber, we have observed a rise in activity from nation-state threat actors actively targeting major telecommunications providers. We can see a pattern of sophisticated attacks aimed at disrupting services and potentially exfiltrating sensitive data. For example, T-Mobile disclosed that they were targeted this week, though it has not yet been confirmed what data, if any, was stolen.
We have also reported on an interesting article written by Lawrence Abrahams, where an increase of SVG Attachments are being utilised in phishing emails to deliver sophisticated phishing documents to the target.
?
SVG Attachments Used in Phishing Emails to Evade Detection
An article written by Lawrence Abrams?at BleepingComputer informs of an increase in threat actors utilising Scalable Vector Graphics (SVG) attachments for phishing or delivering malware. Often disguised as harmless images or documents, these files can contain malicious scripts that execute when opened.
The article shows an example of how this method would be used for phishing. The SVG attachment, when opened, displays an HTML document to the user, disguised as a Microsoft Excel file, prompting the user to log in. This would then send the credentials entered to the threat actor which can be used to compromise the account. This method is particularly concerning as SVG files are typically considered safe and are not always scrutinised by email security filters.
?
Five Suspects Linked to Scattered Spider Cybercrime Gang Charged
Scattered Spider is a cybercriminal group active since early 2022, composed of individuals between the ages of 19 and 22. With their main motivation being financial, they have primarily targeted customer relationship management (CRM) and business-process outsourcing (BPO) firms, as well as telecommunications and technology companies. On Wednesday, the U.S. Department of Justice (DoJ) released information about five suspects believed to be part of the notorious Scattered Spider cybercrime gang.
“The defendants conducted phishing attacks by sending mass short message service (SMS) text messages to mobile phones of numerous victim companies’ employees messages that purported to be from the victim company or contracted information technology or business services supplier of the victim company.”
All five have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Four of the suspects reside in Texas, Florida, and North Carolina, while one lives in the United Kingdom.
?
T-Mobile Confirms Hack Amidst Recent Wave of Telecom Breaches
Last week, the FBI and CISA released a joint statement warning about nation-state threat actors breaching telecommunications providers to intercept private communications from government officials.
This week, it was confirmed that T-Mobile was affected by the recent wave of telecom hacks. In a report from Wall Street Journal, T-Mobile stated: “T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information”
?
Apple Releases Patches for Two Actively Exploited Zero-Day Vulnerabilities
On Wednesday, Apple released patches for iOS, iPadOS, macOS, visionOS and Safari to address two actively exploited zero-day vulnerabilities within the software. Apple states that the vulnerabilities “may have been actively exploited on Intel-based Mac systems” which Apple since has moved to their own processors in their Mac products.
?
Really Simple Security WordPress Plugin Vulnerability Affects Over 4 Million Websites
WordPress security researchers at Wordfence disclosed a critical vulnerability in the Really Simple Security plugin, formerly known as Really Simple SSL. Installed on over 4 million websites, the vulnerability allows attackers to remotely gain full administrative access to a site running the plugin.
The authentication bypass vulnerability is “due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function” affecting versions 9.0.0 to 9.1.1.1 and is present in the Free, Pro and Pro Multisite editions of the plugin.??