Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Unicode QR Code Scams: Bypassing Security with Invisible Threats
Researchers have discovered a new cyber threat called “Unicode QR Code Phishing”, in which attackers build QR codes out of Unicode text characters rather than images, so that traditional image-based security measures never see them. The technique takes advantage of how common QR codes have become in digital interactions, which has already driven a significant rise in QR code phishing attacks. Traditional defenses that scan for suspicious images are ineffective against this text-based approach: a Unicode QR code scans and functions correctly on a smartphone screen, yet in the raw message it is just a block of characters, which complicates detection. The rise of this new threat, with a reported 587% increase in attacks, underscores the need for updated security strategies to address these sophisticated phishing techniques.
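As an added example that is not part of the original alert, the following Python heuristic scans a message body for a text-rendered QR code: a run of at least ten consecutive lines composed almost entirely of Unicode block-element glyphs and whitespace. The glyph set, thresholds and the sample message are all assumptions constructed for illustration.

```python
# Heuristic detector for text-rendered ("Unicode") QR codes in e-mail bodies.
# Assumption: the code is drawn with Unicode Block Elements (U+2580..U+259F) and
# whitespace filler; other glyph sets would need the character sets below extended.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}
FILLER_CHARS = {" ", "\u00a0", "\u2001", "\u2003", "\t"}

MIN_ROWS = 10       # a version-1 QR code is 21 modules tall; half-block rendering needs ~11 text rows
MIN_WIDTH = 20      # shortest line treated as a candidate row
MIN_DENSITY = 0.9   # fraction of a line that must be block or filler characters


def is_qr_row(line: str) -> bool:
    """True if a single text line looks like one row of a block-character QR code."""
    line = line.rstrip("\r\n")
    if len(line) < MIN_WIDTH:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in line)
    filler = sum(ch in FILLER_CHARS for ch in line)
    return (blocks + filler) / len(line) >= MIN_DENSITY and blocks >= MIN_WIDTH // 4


def find_text_qr_blocks(text: str):
    """Return 0-based (first_line, last_line) spans of consecutive QR-like rows."""
    lines = text.splitlines()
    spans, start = [], None
    for i, line in enumerate(lines + [""]):       # sentinel closes a run at end of text
        if is_qr_row(line):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= MIN_ROWS:
                spans.append((start, i - 1))
            start = None
    return spans


def _fake_qr_rows(n_rows=12, width=25):
    """Deterministic pseudo-random block pattern standing in for a real code (constructed sample)."""
    rows, x, glyphs = [], 7, "\u2588\u2580\u2584 "
    for _ in range(n_rows):
        row = ""
        for _ in range(width):
            x = (x * 1103515245 + 12345) % 2**31    # simple LCG keeps the sample offline and stable
            row += glyphs[(x >> 16) % 4]
        rows.append(row)
    return rows


# Constructed sample message: prose, a 12-row text "QR code", then a sign-off.
SAMPLE_EMAIL = ("Hi,\nYour parcel is waiting. Scan the code below to reschedule:\n\n"
                + "\n".join(_fake_qr_rows()) + "\nRegards, Delivery Team\n")
```

A hit only says the message carries a QR-shaped block of characters; decoding it with a real QR library, or simply quarantining for review, is the follow-up step.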
New Voldemort Espionage Campaign
Security researchers have identified a sophisticated malware campaign named “Voldemort”, which likely represents an espionage operation. The campaign employed a novel attack chain that blends commonly used techniques with less frequent methods like using Google Sheets for command and control (C&C) and abusing file schema URIs for malware staging. The malware exploits vulnerabilities such as CVE-2023-23397 (Windows search protocol) and CVE-2023-21716 (DLL hijacking) to infiltrate systems and execute malicious payloads. The campaign has targeted a wide range of organizations globally, posing a threat due to its advanced capabilities, especially in intelligence gathering.
The infection chain begins with phishing emails impersonating tax authorities from various countries, designed to deceive recipients into clicking on malicious links. These emails contain URLs that lead to a landing page hosted on InfinityFree, which checks the User Agent of the user’s browser. If the User Agent indicates a Windows environment, the browser is redirected to a search-ms URI, prompting the user to open Windows Explorer and load a file from a WebDAV share. This file, disguised as a local PDF, is actually a Windows shortcut (LNK) or ZIP file containing a similar LNK, which, when executed, invokes PowerShell to run Python scripts directly from the WebDAV share without downloading them locally.
The malware then collects system information, including the computer name, Windows version, and CPU details, and sends this data to the attacker’s server. It downloads a decoy PDF to distract the user while extracting and executing a password-protected ZIP file containing a legitimate executable and a malicious DLL that the executable side-loads. The DLL, named “Voldemort,” then connects to a Google Sheets-based C&C, where it uploads the user’s system information and awaits further commands.
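As an added example (not part of the CyberProof alert or any vendor tooling), the following Python detection logic flags process-creation events matching the early stages of the chain described above: Explorer launched with a search-ms URI whose location crumb points off the local machine, and PowerShell running a script straight off a WebDAV share. The event format, host addresses, paths and script names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample process-creation events (not real telemetry), "image|parent|command line".
# Hosts are TEST-NET addresses; paths and script names are invented placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|chrome.exe|explorer.exe "
    r"search-ms:query=Tax_Notice&crumb=location:%5C%5C203.0.113.10%40SSL%5CDavWWWRoot%5Cdocs&displayname=Documents",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|explorer.exe|powershell.exe -w hidden -c "
    r"\\203.0.113.10@SSL\DavWWWRoot\py\python.exe \\203.0.113.10@SSL\DavWWWRoot\py\stage.py",
    r"C:\Windows\explorer.exe|userinit.exe|explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd.exe|powershell.exe Get-ChildItem C:\Users",
]

# search-ms: URI whose crumb=location points somewhere other than the local machine.
SEARCH_MS_LOCATION = re.compile(r"search-ms:\S*?crumb=location:([^&\s]+)", re.I)
REMOTE_LOCATION = re.compile(r"^(\\\\|//|https?://)", re.I)
# Windows WebDAV Mini-Redirector UNC form: \\host[@SSL][@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\\", re.I)
# A .py file referenced by UNC path on a PowerShell command line (script run straight off the share).
SCRIPT_ON_SHARE = re.compile(r"\\\\\S+\.py\b", re.I)


def classify_event(event: str):
    """Return the list of rule names the event triggers (empty if nothing matched)."""
    image, _parent, cmdline = event.split("|", 2)
    decoded = unquote(cmdline)           # search-ms URIs arrive percent-encoded from the browser
    is_powershell = image.lower().endswith("powershell.exe")
    hits = []
    m = SEARCH_MS_LOCATION.search(decoded)
    if m and REMOTE_LOCATION.match(m.group(1)):
        hits.append("search-ms crumb points to remote location")
    if is_powershell and WEBDAV_UNC.search(decoded):
        hits.append("powershell references WebDAV share")
    if is_powershell and SCRIPT_ON_SHARE.search(decoded):
        hits.append("python script executed from UNC path")
    return hits


def flag_events(events):
    """Return [(index, hits)] for every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify_event(e))]
```

The search-ms rule fires on the browser-to-Explorer hand-off, before any file is executed, so it is the earliest point in this chain where host telemetry alone can raise an alert.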
Critical Server-Side Template Injection Flaw in WPML WordPress Plugin
The WPML plugin, a key component for managing multilingual WordPress websites, has a newly identified vulnerability designated as CVE-2024-6386, with a CVSS score of 9.9. This server-side template injection flaw permits attackers to introduce malicious code into the plugin’s environment, leading to potential arbitrary code execution on the host server. Originating from improper handling of input data, the exploit could result in serious consequences like site defacement or data breaches.
WPML users should immediately upgrade to the patched version and reassess their security measures to mitigate this significant threat.
Critical Apache OFBiz Vulnerability Exploited in the Wild
A new critical vulnerability has been exploited in the wild and subsequently added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.
This flaw, tracked as CVE-2024-38856 (CVSS 9.8), is an Incorrect Authorization Vulnerability within Apache OFBiz software. It stands as a prevalent attack vector for cybercriminals and creates a considerable threat to the security of federal information systems.
The issue affects Apache OFBiz versions up to 18.12.14. The security flaw enables the execution of screen rendering code without proper user permission checks under certain conditions, such as when screens are configured to implicitly rely on endpoint security rather than explicit permission verification.
Strategic Shift in BlackByte Ransomware Group’s Tactics
The BlackByte ransomware group, traditionally known for its phishing and direct network intrusion strategies, has recently showcased a shift in its modus operandi. A notable example is its exploitation of CVE-2024-37085, a zero-day vulnerability within VMware ESXi hypervisors. This exploit lets attackers bypass authentication and take unauthorized control of targeted systems. With this development, BlackByte demonstrates a strategic shift towards methods that circumvent established defenses, enhancing its ability to infiltrate and exert control over victim networks quietly and effectively.
Moreover, the group has introduced a new tool called BlackByteNT, an encryptor developed in C/C++. This tool represents another layer of evolution in its techniques: it drops as many as four vulnerable drivers onto compromised systems, compared to the previous count of three, signaling an increase in operational complexity.
Further emphasizing their adaptability and determination, BlackByte now utilizes the victim organization’s Active Directory credentials to spread laterally across networks. This tactic not only demonstrates their resourcefulness but also a troubling proficiency in navigating and exploiting network environments.
Such strategic maneuvering threatens to intensify the impact of their ransomware campaigns, potentially leading to extensive encryption of critical data and amplifying the threat posed by their malicious activities.
Critical SAML SSO Authentication Vulnerability in GitHub Enterprise Server Patched
GitHub has recently patched three security vulnerabilities in its Enterprise Server product.
This includes the critical CVE-2024-6800 (CVSS 9.5), which particularly affects instances using SAML SSO authentication in conjunction with certain Identity Providers that make federation metadata XML publicly available. Attackers could exploit this flaw to create or compromise user accounts with site administrator rights.
In addition to the critical vulnerability, GitHub remediated two medium-severity issues:
CVE-2024-7711 (CVSS 5.3) is an authorization bug that could let an attacker modify the title, assignees, and labels of any issue in public repositories.
CVE-2024-6337 (CVSS 5.9) is another authorization flaw that could permit an attacker to view issue content in a private repository by utilizing a GitHub App with limited permissions, specifically ‘contents: read’ and ‘pull requests: write’.