VIEH Daily Threat Analysis | 10 August 2024

The cyber espionage group Earth Baku has significantly broadened its operational reach, moving from the Indo-Pacific into Europe, the Middle East, and Africa. The group has been deploying tools such as the Godzilla webshell, StealthVector, StealthReacher, and a new backdoor named SneakCross.

Kimsuky makes the headlines again, this time targeting university professors with phishing emails that harvest login credentials and then redirect victims to decoy PDF documents hosted on Google Drive.

Meanwhile, Cisco has issued a warning about five vulnerabilities, three of them critical remote code execution flaws, in the web-based management interface of its end-of-life Small Business SPA 300 and SPA 500 series IP phones.

Top Malware Reported in the Last 24 Hours

Earth Baku expands operations

Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, the Middle East, and Africa. Countries such as Italy, Germany, the UAE, and Qatar are targeted, with suspected activity in Georgia and Romania. The group gains initial access through public-facing IIS servers, on which it deploys the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. The latest backdoor, SneakCross, uses Google services for command-and-control, so its traffic blends in with legitimate cloud activity. Post-exploitation, Earth Baku relies on the tunnelling and proxy tools iox and Rakshasa, the Tailscale VPN for persistent access, and MEGAcmd for exfiltrating data to MEGA cloud storage.
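Because the intrusion chain starts with a webshell on an exposed IIS server, the first thing a defender can check is the IIS W3C logs. The script below is an added example (not code from the Trend Micro report or from this digest) that flags client/script pairs behaving like webshell traffic: repeated POSTs to a server-side script, no Referer header, and almost nothing else requested by that client. The log lines, IP addresses, paths and the 80% ratio threshold are constructed assumptions for illustration.

```python
"""Hunt for webshell-style activity in IIS W3C extended logs.

Added example, not from the original report. The field layout is the IIS
default; the log lines and thresholds below are constructed for illustration.
"""
from collections import Counter

# Constructed sample log: one normal browser session (203.0.113.7), one
# client hammering a script under an upload directory with no Referer
# (198.51.100.23), and a single API call from a third host (192.0.2.9).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes time-taken
2024-08-09 10:01:02 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://example.com/ 200 5120 300 12
2024-08-09 10:01:09 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://example.com/index.aspx 200 8000 250 3
2024-08-09 10:01:20 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://example.com/index.aspx 302 300 420 25
2024-08-09 10:02:11 10.0.0.5 POST /uploads/temp/config.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 1400 2200 40
2024-08-09 10:02:15 10.0.0.5 POST /uploads/temp/config.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 1400 2200 35
2024-08-09 10:02:31 10.0.0.5 POST /uploads/temp/config.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 90210 2300 310
2024-08-09 10:02:58 10.0.0.5 POST /uploads/temp/config.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 1400 2200 38
2024-08-09 10:03:00 10.0.0.5 POST /api/search.ashx - 443 - 192.0.2.9 curl/8.0 - 200 900 100 8
"""

# Extensions that execute server-side; a webshell has to be one of these.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")


def parse_iis_log(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field list can change mid-file; honour the latest
            continue
        if line.startswith("#") or fields is None:
            continue                    # other directives, or data before any #Fields
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed lines rather than guess
        records.append(dict(zip(fields, values)))
    return records


def webshell_candidates(records, min_posts=3, min_ratio=0.8):
    """Return {(client_ip, uri_stem): post_count} for pairs that look like webshell use.

    Heuristics (assumptions for this example, not from the report):
      * POST to a server-side script,
      * no Referer (IIS logs '-'): tooling driving a shell sends none,
      * at least min_posts such requests from the same client,
      * and that script is nearly all the client ever asks for (min_ratio).
    """
    posts = Counter()
    total = Counter()
    for r in records:
        ip = r["c-ip"]
        total[ip] += 1
        stem = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "POST" and stem.endswith(SCRIPT_EXTS)
                and r.get("cs(Referer)", "-") == "-"):
            posts[(ip, stem)] += 1
    return {
        (ip, stem): n
        for (ip, stem), n in posts.items()
        if n >= min_posts and n / total[ip] >= min_ratio
    }


if __name__ == "__main__":
    for (ip, stem), n in webshell_candidates(parse_iis_log(SAMPLE_LOG)).items():
        print(f"suspect webshell: {ip} -> {stem} ({n} referer-less POSTs)")
```

On the constructed log only the `198.51.100.23` client posting to `/uploads/temp/config.aspx` is reported; the browser's form POST has a Referer and the single `curl` call is below the count threshold. Run it against real logs by feeding the file contents to `parse_iis_log`, and treat any hit under a directory that should never contain executable scripts (uploads, temp, images) as a priority for file-system review.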

Google Authenticator phishing site 

Cyble discovered a phishing website posing as the Google Safety Centre and distributing two types of malware, Latrodectus and ACR Stealer. ACR Stealer uses a dead drop resolver, hiding its command-and-control server details inside content hosted on legitimate platforms, while Latrodectus shows signs of continuous development. The phishing site tricks users into downloading a file disguised as Google Authenticator, which installs the malware.

Kimsuky targets university professors

The North Korean APT group Kimsuky has been found phishing university professors, staff, and researchers. The group exploits weak DMARC policies so that spoofed sender addresses are delivered, concealing the social engineering, and employs a webshell called Green Dinosaur to support its attacks. Green Dinosaur lets remote operators upload, download, and delete files, which the group uses to stage phishing websites disguised as legitimate university portals. These phishing pages target specific universities, including Dongduk, Korea, and Yonsei, capturing credentials and then redirecting victims to decoy PDFs hosted on Google Drive.
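The weak-DMARC angle is something a university mail team can check for itself. The script below is an added example (not code from the source report or this digest) that parses a domain's DMARC TXT record and lists the settings that leave the domain spoofable: a missing record, `p=none`, a weaker subdomain policy, a partial `pct`, or no reporting address. The records are constructed for illustration; in practice the input is the TXT record published at `_dmarc.<domain>`.

```python
"""Assess a DMARC TXT record for settings that allow sender spoofing.

Added example, not from the original report. Sample records below are
constructed; a real check feeds in the TXT record at _dmarc.<domain>.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (effective_policy, [weaknesses]) for a DMARC record.

    record may be None to represent a domain with no _dmarc TXT record at all.
    """
    if record is None:
        return "none", ["no DMARC record: spoofed From: headers are never rejected"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not begin with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["missing or invalid p= tag; receivers ignore the record"]

    weaknesses = []
    if policy == "none":
        weaknesses.append("p=none: failures are only reported, never blocked")
    # Subdomain policy defaults to p= when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        weaknesses.append("sp=none: mail from subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        weaknesses.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        weaknesses.append("no rua= address: spoofing attempts go unreported")
    return policy, weaknesses


def is_spoofable(record):
    """True when the record leaves the domain or its subdomains unprotected."""
    policy, weaknesses = assess_dmarc(record)
    return policy in ("none", "invalid") or any(w.startswith("sp=none") for w in weaknesses)


if __name__ == "__main__":
    # Constructed records for three hypothetical university domains.
    SAMPLES = {
        "weak.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.edu",
        "partial.example.edu": "v=DMARC1; p=reject; sp=none; pct=50",
        "strong.example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example.edu",
        "absent.example.edu": None,
    }
    for domain, record in SAMPLES.items():
        policy, issues = assess_dmarc(record)
        print(f"{domain}: p={policy}, spoofable={is_spoofable(record)}")
        for issue in issues:
            print(f"  - {issue}")
```

The `sp=` and `pct=` checks matter because a domain can advertise `p=reject` and still be spoofable through a subdomain or a partial rollout; a phishing mail from `hr.weak.example.edu` passes if only the apex is protected.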

Top Vulnerabilities Reported in the Last 24 Hours

Sonos smart speakers bug allows eavesdropping

NCC Group disclosed vulnerabilities in Sonos smart speakers, including a flaw that could allow attackers to eavesdrop on users. One of them, CVE-2023-50809, could be exploited by an attacker within Wi-Fi range for remote code execution; it was caused by the wireless driver failing to validate data during the WPA2 four-way handshake, and Sonos has released patches for it. NCC researchers also found flaws in the Sonos Era-100 secure boot implementation that allow persistent code execution with elevated privileges.

Cisco warns of RCE 0-days

Cisco has issued a warning about five vulnerabilities in the web-based management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have reached end of life. Three are critical remote code execution flaws that let an attacker execute arbitrary commands on the underlying operating system, and two allow denial of service. Because the devices are end-of-life, Cisco has released no fixes and offers no workarounds, so users are urged to migrate to newer, supported models. The RCE flaws are tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454; the DoS flaws are CVE-2024-20451 and CVE-2024-20453.


Post Credit: Trend Micro, Cyble, Resilience, SecurityWeek, BleepingComputer, Cyware
