VIEH Daily threat analysis | 19 September 2024

UNC2970 is turning job hunting into a minefield, using fake job offers from major energy and aerospace companies to deliver a trojanized PDF reader. The North Korean group has been using a new backdoor, MISTPEN, for this purpose.

A subtle flaw in Salesforce’s public link system almost became a treasure trove for hackers. The vulnerability allowed blind SOQL injection attacks through the Aura API, threatening to expose customer PII and sensitive data. 

Marko Polo’s cybercriminal ring is baiting gaming and cryptocurrency influencers with fake job offers, luring them to malware-laden websites. The group has compromised tens of thousands of people.

Top Malware Reported in the Last 24 Hours

UNC2970 uses new MISTPEN backdoor

A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical infrastructure verticals. The attackers posed as job openings from prominent companies in the energy and aerospace industries. They delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor was capable of downloading and executing PE files and communicated with Microsoft Graph URLs.

Key Group attacks with Chaos ransomware

The Russian ransomware group Key Group is using the .NET-based Chaos ransomware to encrypt files, steal data, and demand ransom via Telegram. Once on a host, the ransomware encrypts files, appends a random extension to them, and disables system recovery, while sparing certain files. A ransom message is displayed upon completion of encryption, directing victims to two URLs for payment. Victims are cautioned not to engage with the attackers, as data recovery is unreliable and there is a risk of permanent data loss even after payment.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 129 released

Chrome 129 has been released to address multiple security vulnerabilities. The update, version 129.0.6668.58 on Linux and 129.0.6668.58/.59 on Windows and Mac, includes a number of fixes and improvements. Nine security fixes have been included in this release. The security issues range from high to low severity and include type confusion in V8 (CVE-2024-8904) and inappropriate implementation (CVE-2024-8905) in various parts of the browser.

Broadcom fixes critical RCE bug

Broadcom patched a critical VMware vCenter Server vulnerability that could allow attackers to execute remote code on unpatched servers using a network packet. The flaw, CVE-2024-38812, affects vCenter Server, VMware vSphere, and VMware Cloud Foundation products. The security patches are now available for download. Furthermore, a privilege escalation vulnerability (CVE-2024-38813) was also fixed, which could give threat actors root privileges on vulnerable servers. 

Bug in Salesforce’s public link

Varonis Threat Labs discovered a vulnerability in Salesforce’s public link feature, which could be exploited by threat actors to access sensitive data. The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing a blind SOQL injection attack to retrieve customer information, including PII. Salesforce patched the vulnerability in February. The vulnerability affected virtually any public link generated by Salesforce, posing a widespread risk of data exposure.

Top Scams Reported in the Last 24 Hours

Marko Polo and scams

A cybercrime group known as Marko Polo has compromised tens of thousands of devices worldwide through cryptocurrency and gaming-related scams, targeting high-value individuals like gaming personalities, cryptocurrency influencers, and technology professionals. The group lures victims with fake job opportunities on social media, leading them to malicious websites to download harmful software. Marko Polo is a financially motivated traffic team with members primarily from Russia, Ukraine, and English-speaking countries, using various tactics to deceive victims. They have been involved in social media scams, phishing campaigns, distributing malware, and impersonating legitimate software and services to steal sensitive data and make illicit revenue.


Entire post credit: Google, GBHackers, BleepingComputer, Varonis, The Record, Cyware.
