Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

Surge in Phishing Campaigns Exploiting Cloudflare Services

09-Dec-2024
Label: Trend
Threat Level: Medium

Cybercriminals are increasingly exploiting Cloudflare’s trusted domains for phishing and other malicious activities. Reports indicate a sharp rise in abuse, with incidents increasing by 100% to 250% compared to 2023. This trend highlights how attackers leverage Cloudflare’s brand credibility, service reliability, and reverse proxying capabilities to bypass detection systems and make their campaigns appear legitimate. These domains have become popular for hosting phishing pages, launching distributed denial-of-service (DDoS) attacks, and injecting malicious scripts.

Cloudflare Pages, a platform for hosting scalable websites, and Cloudflare Workers, a serverless computing solution, have been exploited for hosting fake login sites and conducting credential-stealing campaigns. Phishing incidents on Cloudflare Pages have surged by nearly 200%, with attackers commonly hosting intermediary phishing pages that redirect users to malicious sites. Similarly, abuse of Cloudflare Workers has increased by over 100%, including tactics like hosting fake verification steps to deceive users. Attackers also use techniques like “bccfoldering” in phishing campaigns to conceal their scale: this method hides recipients by including them in the email envelope but not in the message headers.
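The “bccfoldering” pattern described above can be surfaced from the mail itself: the receiving MTAs record the envelope recipient in Delivered-To and the Received “for” clause, while the visible To:/Cc: headers name someone else. The following detection helper is an added example, not code from the original alert; the message it inspects is a constructed sample, and the header names and regular expression are assumptions about typical MTA behaviour.

```python
from email import message_from_string
from email.utils import getaddresses
import re

# Constructed sample message (not from the original alert): the envelope
# recipient appears in Delivered-To and the Received "for" clause, but the
# visible To: header names an unrelated group address.
SAMPLE_MESSAGE = """\
Delivered-To: alice@corp.example
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.corp.example with ESMTPS id k9s0
\tfor <alice@corp.example>; Mon, 09 Dec 2024 09:12:44 +0000
From: "Benefits Team" <benefits@hr-portal.example.net>
To: all-staff@hr-portal.example.net
Subject: Action required: 2024 bonus statement

Your statement is ready. Sign in to view it.
"""

# Matches the "for <addr>" clause many MTAs write into Received headers.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)

def envelope_recipients(msg) -> set[str]:
    """Recover the RCPT TO addresses the receiving MTAs recorded."""
    addrs = {a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", [])) if a}
    for received in msg.get_all("Received", []):
        # Unfold the header before searching for the "for" clause.
        m = FOR_CLAUSE.search(" ".join(received.split()))
        if m:
            addrs.add(m.group(1).lower())
    return addrs

def header_recipients(msg) -> set[str]:
    """Addresses the recipient actually sees in To: and Cc:."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {a.lower() for _, a in getaddresses(fields) if a}

def hidden_recipients(raw: str) -> set[str]:
    """Envelope recipients absent from To:/Cc: is the bccfoldering signature.
    A non-empty result on an unsolicited external message merits a closer look."""
    msg = message_from_string(raw)
    return envelope_recipients(msg) - header_recipients(msg)
```

Legitimate Bcc and mailing-list traffic produce the same mismatch, so treat the result as one scoring signal alongside sender reputation and URL analysis rather than a verdict on its own.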

New Phishing Tactic Exploits Corrupted Files to Evade Email Security Tools

09-Dec-2024
Label: Malware
Threat Level: Medium

Cybersecurity researchers have identified a new phishing campaign that employs corrupted Microsoft Office documents and ZIP archives to bypass email security mechanisms. This tactic allows attackers to evade antivirus software, avoid sandbox detection, and slip through Outlook’s spam filters. The corrupted nature of these files prevents them from being flagged as malicious by security tools.

The campaign involves emails with ZIP or Office attachments intentionally corrupted to render them unscannable. These messages often use enticing themes, such as employee benefits or bonuses, to lure recipients into opening them. Despite the corruption, programs like Word, Outlook, and WinRAR can use their built-in recovery features to open these damaged files in recovery mode. Once opened, the documents often embed QR codes that redirect victims to malicious websites or fake login pages, facilitating malware deployment or credential theft.
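The defensive lesson from this campaign is that an attachment a scanner cannot parse must be treated as suspicious rather than as clean, and that what a recovery-mode reader can still extract is a useful signal. The following classifier is an added example, not code from the original alert: it builds a constructed OOXML-style archive, damages it the way the alert describes, and walks the ZIP local file headers directly (as recovery mode effectively does) when the standard parser gives up.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"   # start of each stored entry
EOCD = b"PK\x05\x06"           # end-of-central-directory record that parsers rely on

def build_docx(corrupt: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style archive. With corrupt=True the
    EOCD record is cut off, mimicking the intentionally damaged attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>2024 bonus statement</w:document>")
    data = buf.getvalue()
    return data[: data.rfind(EOCD)] if corrupt else data

def recoverable_entries(data: bytes) -> list[str]:
    """Walk local file headers in sequence, as a recovery-mode reader does,
    instead of trusting the missing or damaged central directory."""
    names, pos = [], data.find(LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        csize = struct.unpack_from("<I", data, pos + 18)[0]       # compressed size
        fnlen, exlen = struct.unpack_from("<HH", data, pos + 26)  # name / extra lengths
        names.append(data[pos + 30 : pos + 30 + fnlen].decode("utf-8", "replace"))
        pos = data.find(LOCAL_HEADER, pos + 30 + fnlen + exlen + csize)
    return names

def classify_attachment(data: bytes) -> str:
    """Fail closed: 'unscannable' must never be mapped to 'clean'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "clean-zip" if zf.testzip() is None else "corrupt-recoverable"
    except zipfile.BadZipFile:
        pass
    if recoverable_entries(data):
        return "corrupt-recoverable"   # Word/WinRAR recovery mode would still open it
    return "corrupt-opaque" if data.startswith(b"PK") else "not-zip"

def should_quarantine(data: bytes) -> bool:
    """For an attachment declared as .zip/.docx, hold anything that does not parse cleanly."""
    return classify_attachment(data) != "clean-zip"
```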

RevC2 & Venom Loader: Major MaaS Malware Campaign Detected

09-Dec-2024
Label: Malware
Threat Level: Medium

Researchers observed two major campaigns in late 2024 that introduced new malware variants – RevC2 and Venom Loader – delivered via Venom Spider’s services. Venom Spider, also tracked as GOLDEN CHICKENS, is a threat actor that sells cyberattack tools through Malware-as-a-Service (MaaS). Its offerings, such as VenomLNK and TerraLoader, have been used by notorious groups including FIN6 and Cobalt.

The campaigns involved two primary stages: In the first stage, a deceptive LNK file (VenomLNK) tricks users into downloading a disguised PNG file, which in reality kick-starts the malware installation. The second stage is the execution of the RevC2 backdoor, which has stealth checks to evade analysis tools and proceeds to log activities, steal data, and execute remote commands through WebSockets communication.
These attacks emphasize the need for vigilance and robust security measures to protect against sophisticated MaaS-based cyber threats.

Critical Vulnerability in Veeam Service Provider Console Allows Remote Code Execution

09-Dec-2024
Label: Vulnerability
Threat Level: Medium

Veeam has disclosed a critical vulnerability in its Service Provider Console that could allow attackers to execute remote code on affected systems. The flaw, tracked as CVE-2024-42448 (CVSS score 9.9), impacts the cloud-enabled platform used for managing and monitoring data protection services across physical, virtual, and cloud-based environments. Exploiting this vulnerability requires the attacker to have an authorized management agent on the server, and success potentially enables full control of the system.

The vulnerability affects Veeam Service Provider Console versions 8.1.0.21377 and earlier builds of versions 7 and 8. A second flaw, CVE-2024-42449 (CVSS score of 7.1), could allow attackers to leak NTLM hashes and delete files on the server. Both vulnerabilities were identified during internal testing, and Veeam has released patches in version 8.1.0.21999 to address them.

Organizations using affected versions are strongly urged to apply the updates immediately, as no mitigation measures are available. Those running unsupported versions are advised to upgrade to the latest supported release to secure their systems from potential exploitation.

RomCom Exploits Firefox and Windows Zero-Days in Sophisticated Campaign

02-Dec-2024
Label: Malware
Threat Level: Medium

The attack begins with CVE-2024-9680, a use-after-free vulnerability in Firefox’s animation timeline feature. This flaw is exploited when victims visit a malicious webpage, allowing attackers to execute arbitrary shellcode within the browser’s sandbox. Once this initial compromise occurs, the campaign pivots to CVE-2024-49039, a privilege escalation vulnerability in Windows Task Scheduler. By exploiting this, the attackers escape the browser’s sandbox and execute code with elevated privileges.

The attack chain is strategically designed and deceptively simple. When a victim visits a booby-trapped site, the Firefox exploit is triggered to bypass memory protections, injecting shellcode that downloads a secondary payload. This payload exploits the Windows Task Scheduler vulnerability to run a hidden PowerShell process. From there, the RomCom backdoor is downloaded and installed, granting attackers full control over the victim’s system. To ensure persistence, obfuscated PowerShell scripts are used alongside staging servers hosting the malware.

The RomCom backdoor deployed in this campaign is a versatile tool, enabling attackers to execute arbitrary commands, steal sensitive information, and deploy further malicious modules. The attack has been observed targeting victims across multiple sectors, including government, healthcare, and critical infrastructure in Europe and North America. This campaign demonstrates RomCom’s growing sophistication, as the group now incorporates advanced zero-day exploitation into its arsenal.

UEFI Bootkit Bootkitty Emerges as Linux-Specific Threat

02-Dec-2024
Label: Malware
Threat Level: Medium

In a significant development for the UEFI threat landscape, researchers have identified the first UEFI bootkit specifically designed for Linux systems, named Bootkitty by its creators, a group known as BlackCat. The bootkit is assessed to be a proof-of-concept (PoC), with no evidence of use in real-world attacks.

Bootkitty’s primary objective is to disable the Linux kernel’s signature verification feature and preload two as-yet-unknown ELF binaries during the system startup process. This is achieved via the Linux init process, the first process executed by the kernel upon startup. Additionally, researchers uncovered a potentially related unsigned kernel module that appears to have been developed by the same author(s). This module deploys an ELF binary that facilitates the loading of yet another unknown kernel module, indicating a possible modular architecture.

Bootkitty is signed using a self-signed certificate, which means it cannot execute on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has been pre-installed. Interestingly, the bootkit contains two unused functions. One of these functions prints special strings to the screen during execution, while the other can display a list of potential authors and individuals who may have contributed to its development. These features, while unused in this PoC, could hint at the bootkit’s future capabilities or provide clues about its creators.

Despite its PoC nature, Bootkitty represents a meaningful advancement in the UEFI threat space by targeting Linux systems. Its discovery challenges the prevailing assumption that modern UEFI bootkits are exclusively a Windows threat, broadening the scope of potential attack surfaces in the Linux ecosystem.
