Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Windows vulnerability abused braille “spaces” in zero-day attacks.
(TLP: CLEAR) CISA has directed U.S. federal agencies to secure their systems against a Windows MSHTML spoofing vulnerability (CVE-2024-43461), which was exploited by the Void Banshee APT hacking group before being patched. Initially classified as not exploited, Microsoft later confirmed that the flaw was used in attacks prior to its fix in September 2024. The exploit was part of a chain involving another MSHTML vulnerability (CVE-2024-38112). Void Banshee used this vulnerability to deliver malicious HTA files disguised as PDFs, deploying Atlantida malware to steal passwords, authentication cookies, and cryptocurrency wallets. Federal agencies have until October 7 to patch their systems under CISA’s directive, as the flaw poses significant risks. While this directive targets federal systems, private organizations are also urged to prioritize mitigating this vulnerability. Additionally, Microsoft patched three other zero-days in September 2024, including CVE-2024-38217, which had been exploited to bypass security features since 2018.
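As an added example that is not taken from the article or from Vercara, the Python below flags attachment names padded with braille blanks (U+2800, the character reported in the CVE-2024-43461 chain) so that a scripted .hta extension is pushed out of view behind an apparent .pdf; the other padding characters and the executable-extension list are assumptions for broader coverage.

```python
# Characters an attacker could use to pad a filename so the real extension is
# hidden. U+2800 (BRAILLE PATTERN BLANK) is the one reported for
# CVE-2024-43461; the rest are assumptions added for coverage.
SUSPICIOUS_BLANKS = {
    "\u2800": "BRAILLE PATTERN BLANK",
    "\u00a0": "NO-BREAK SPACE",
    "\u2007": "FIGURE SPACE",
    "\u3000": "IDEOGRAPHIC SPACE",
    "\u200b": "ZERO WIDTH SPACE",
}

# Extensions Windows treats as scripts or programs (assumed list).
EXECUTABLE_EXTS = {".hta", ".exe", ".js", ".vbs", ".lnk", ".scr", ".ps1", ".url"}


def analyze_filename(name):
    """Describe whether `name` looks like an executable disguised by padding."""
    padding = [c for c in name if c in SUSPICIOUS_BLANKS]
    # Remove every suspicious blank so the genuine final extension is visible.
    cleaned = "".join(c for c in name if c not in SUSPICIOUS_BLANKS)
    real_ext = cleaned[cleaned.rfind("."):].lower() if "." in cleaned else ""
    # The "shown" extension is what a user sees before the padding run starts.
    head = name.split(padding[0])[0] if padding else name
    shown_ext = head[head.rfind("."):].lower() if "." in head else ""
    return {
        "name": name,
        "padding_count": len(padding),
        "padding_chars": sorted({SUSPICIOUS_BLANKS[c] for c in padding}),
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        # Padding alone is not enough: the hidden extension must be executable
        # and must differ from the one the user is shown.
        "suspicious": bool(padding)
        and real_ext in EXECUTABLE_EXTS
        and shown_ext != real_ext,
    }


def scan(filenames):
    """Return the analyses of every filename that looks disguised."""
    return [r for r in (analyze_filename(n) for n in filenames) if r["suspicious"]]


if __name__ == "__main__":
    SAMPLES = [  # constructed names, not real campaign artifacts
        "Invoice_2024.pdf" + "\u2800" * 26 + ".hta",
        "Quarterly report.pdf",
        "résumé.docx",
        "Q3 figures.xlsx\u00a0\u00a0\u00a0.js",
    ]
    for hit in scan(SAMPLES):
        print(f"{hit['shown_ext']} hides {hit['real_ext']} behind "
              f"{hit['padding_count']} x {hit['padding_chars']}")
```

Run it over the filenames of inbound mail attachments or browser downloads; a non-ASCII padding run followed by an executable extension is the condition worth alerting on, not the presence of non-ASCII characters by itself.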
(TLP: CLEAR) Comments: The Void Banshee APT group is known for conducting sophisticated cyber espionage campaigns and often targets the government, defence, and technology industries. Void Banshee typically uses three main techniques to gain unauthorized access to networks:
- Phishing and Spear Phishing: Frequently used to gain initial access by targeting individuals with tailored phishing emails containing malicious attachments or links.
- Custom Malware: They are known for deploying custom malware that has evasion capabilities to avoid detection by standard security measures.
- Zero-Day Exploits: Void Banshee has used zero-day vulnerabilities to compromise networks, which makes their attacks harder to prevent.
It is advised that the organization's security policy include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra defense-in-depth measures to protect the systems that cannot be updated.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”: One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Medusa ransomware exploiting Fortinet flaw for sophisticated attacks.
(TLP: CLEAR) The Medusa ransomware group has been exploiting a critical SQL injection vulnerability (CVE-2023-48788) in Fortinet’s FortiClient EMS software to conduct sophisticated ransomware attacks. This flaw allows attackers to execute arbitrary commands on vulnerable systems, affecting FortiClient EMS versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10. By manipulating SQL statements through the FCTUID parameter, Medusa gains access to compromised servers, deploying webshells for data exfiltration and ransomware delivery. The group uses tools like bitsadmin for file transfers and persistence and employs PowerShell scripts to execute ransomware payloads. Medusa also uses tampered legitimate tools, such as ConnectWise and AnyDesk, to evade detection. To mitigate such attacks, organizations are advised to adopt robust patch management, network segmentation, regular backups, and employee security awareness training. Given Medusa’s evolving tactics, maintaining vigilant and proactive cybersecurity practices is essential.
(TLP: CLEAR) Comments: The Medusa ransomware group is known for conducting financially motivated ransomware attacks by encrypting their victims’ files and demanding payment for the decryption keys. This group typically operates as a Ransomware-as-a-Service (RaaS) and provides its malware tools to affiliates for a portion of the ransom payment. The Medusa ransomware group is also known for employing double extortion tactics, not only encrypting data but also exfiltrating sensitive data and threatening to release the stolen data publicly if the ransom is not paid. This group has targeted several industries, including healthcare, education, and government.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”: By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Vercara’s Web Application Firewall, UltraWAF, can defend critical applications with even the most complex workflows and prevent the most common threats that target the application layer, such as SQLi, XSS, and CSRF.
Source: https://cybersecuritynews.com/medusa-ransomware-exploiting-fortinet-flaw/
Beware Of weaponized Excel document that delivers fileless Remcos RAT.
(TLP: CLEAR) Remcos is a Remote Access Trojan (RAT) used by cybercriminals to gain control over infected systems. Recently, Trellix researchers identified a malware campaign delivering a fileless version of Remcos through weaponized Excel documents, exploiting the Microsoft Office vulnerability CVE-2017-0199. The attack begins with a phishing email containing an encrypted Excel file that, once opened, downloads a malicious HTA file, triggering PowerShell commands to retrieve further payloads. The malware campaign employs sophisticated evasion techniques, including process injection into legitimate Windows processes like RegAsm.exe, making detection difficult. Threat actors primarily target sectors such as government, manufacturing, IT, and banking across multiple countries, including Belgium, Japan, and the U.S. This campaign is part of a broader trend involving similar malware like RevengeRAT and SnakeKeylogger, using techniques such as Template Injection (T1221) and Visual Basic Scripting (T1059.001). The attack involves multi-stage payload delivery and the use of memory-only .NET assemblies to inject Remcos RAT, highlighting the increasing complexity of modern cyber threats.
(TLP: CLEAR) Comments: The Remcos RAT is a widely used Remote Access Trojan (RAT) that allows malicious actors to remotely control compromised systems. Although originally marketed as a legitimate remote administration tool, threat actors have been using it for malicious purposes, including espionage, data theft, and unauthorized access to systems. Some key capabilities of the Remcos RAT are:
- Keystroke Logging: Remcos can log everything typed by the victim, enabling attackers to capture sensitive information such as login credentials.
- File Management: Attackers can upload, download, and delete files on the compromised system.
- Screen and Audio Recording: Remcos can capture screenshots and record audio or video using the victim’s microphone and camera.
- System Control: Full control of system processes, allowing attackers to terminate, start, or alter running programs.
It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://cybersecuritynews.com/beware-weaponized-excel-fileless-remcos-rat/
Over half of breached UK firms pay ransom.
(TLP: CLEAR) Ransomware attacks are increasing in the UK, with organizations showing a willingness to pay ransoms, according to Cohesity’s Global Cyber Resilience Report 2024. The study, which surveyed over 3100 IT and security decision-makers globally, revealed that 53% of UK respondents experienced ransomware attacks in the past year, up from 38% in 2023. Of those, 59% admitted to paying a ransom, and 74% said they would do so if attacked again, despite 66% of organizations having policies against paying ransoms. Globally, 67% of respondents were hit by ransomware, with 83% stating they would pay if victimized. In France, 86% of respondents experienced ransomware, and 97% said they would pay. The average ransom paid by UK victims was £870,000, with some organizations paying as much as £10m-£20m. Recovery from ransomware remains slow, with only 4% of respondents fully recovering all data, and fewer than 2% restoring business operations within 24 hours. While some could recover within 1-3 days, 19% took three weeks to two months. The report emphasizes that organizations must prioritize cyber-resilience, as threat actors’ persistence makes total prevention difficult. Cohesity’s global head of cyber-resiliency strategy, James Blake, stressed the importance of cyber-resilience beyond regulatory compliance, urging business leaders to focus on strengthening both data security and recovery capabilities.
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for users as well as machines using both defined categories, including botnet Command and Control (C2), and machine learning that detects previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.
Source: https://www.infosecurity-magazine.com/news/over-half-breached-uk-firms-pay/
Chinese botnet infects 260,000 SOHO routers, IP cameras with malware.
(TLP: CLEAR) The FBI and cybersecurity researchers have disrupted a large Chinese botnet called “Raptor Train,” which infected over 260,000 networking devices worldwide, targeting critical infrastructure in sectors such as military, government, telecommunications, and IT, primarily in the US and Taiwan. The botnet, operational since 2020, uses compromised routers, IP cameras, NVRs/DVRs, and NAS devices for distributed denial-of-service (DDoS) attacks, though no DDoS attacks have been observed yet. Raptor Train operates with a multi-tiered architecture for command and control (C2), managing exploitation and payload servers. At its peak, it controlled over 60,000 devices, and it continues to fluctuate in activity with tens of thousands of infected systems. The FBI linked the botnet to the Chinese state-sponsored Flax Typhoon group, indicating Chinese government involvement. The botnet is sophisticated, leveraging both 0-day and known vulnerabilities in over 20 device types. However, because the botnet payloads lack persistence, infected devices are typically controlled for about 17 days before the operators recruit new devices. Despite its complexity, the FBI managed to execute court-authorized operations to take control of the botnet’s infrastructure, removing malware from infected devices. Raptor Train is also connected to attacks against US military and government sectors, as well as global targets. The botnet’s infrastructure has been partially disrupted, with security researchers working to null-route traffic and limit its capabilities. Recommendations for network administrators include monitoring for unusual outbound data transfers, rebooting routers, installing updates, and replacing outdated devices.
(TLP: CLEAR) Comments: Malicious actors exploit vulnerable Internet-of-Things (IoT) devices to install botnet malware for use in future Distributed Denial-of-Service (DDoS) attacks. What makes Raptor Train particularly interesting is that the malware is lost upon the infected system’s reboot, making it stealthier since it leaves little trace once the system is restarted. However, this lack of persistence means that attackers must continuously search for and reinfect vulnerable devices to maintain their botnet. Despite this limitation, Raptor Train can rapidly spread across unpatched or poorly secured IoT devices, making it a valuable tool for cybercriminals looking to build a temporary yet powerful botnet for DDoS attacks.
(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://cybersecuritynews.com/chinese-hackers-hijacked-routers/
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.