Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-04-22
Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
MEDIUM

Intel Source:
ASEC
Intel Name:
Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
Date of Scan:
2024-04-22
Impact:
MEDIUM
Summary:
AhnLab’s Security Intelligence Center (ASEC) has identified a significant rise in phishing attempts mimicking Korean portal websites, logistics brands, and webmail login pages. These attacks utilize sophisticated tactics, such as replicating the appearance of legitimate websites and leveraging NoCodeForm for credential exfiltration.


Source:
https://asec.ahnlab.com/en/64294/

2024-04-22
A_Malicious_PDF_File_Using_to_Deliver_Malware
LOW

Intel Source:
ISC.SANS
Intel Name:
A_Malicious_PDF_File_Using_to_Deliver_Malware
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Researchers at SANS note that billions of PDF files are exchanged every day and that many users trust them because they believe a PDF is "read-only" and contains "just a bunch of data". In the past, PDF viewers, Adobe Acrobat and Foxit Reader among them, were all affected at least once by serious vulnerabilities triggered by malformed PDF files. A PDF can also be quite "dynamic": it may carry embedded JavaScript, auto-open actions that launch scripts (such as PowerShell on Windows), or any other kind of embedded data.


Source:
https://isc.sans.edu/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/
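The summary above lists the PDF features that turn a "bunch of data" into a delivery mechanism: embedded JavaScript, auto-open actions and launch actions. The following is an added example, not code from the SANS diary, that performs the keyword triage pdfid-style tools do: it tokenises PDF name objects, decodes the #xx escapes malware authors use to hide /JavaScript as /J#61vaScript, and grades the file on the combination of automatic actions and script or launch objects. The two PDF byte strings are constructed for this example (the "malicious" one only pops an alert and references a program; it is not a real sample), and the risk grades are this example's own convention.

```python
import re

# Names whose presence signals active content. Matched after decoding #xx escapes.
ACTIVE_CONTENT_NAMES = (
    "/JavaScript", "/JS",            # embedded script
    "/OpenAction", "/AA",            # actions that run automatically (document open, page/annotation events)
    "/Launch",                       # run an external program, e.g. cmd.exe or powershell
    "/EmbeddedFile", "/RichMedia",   # attached payloads / Flash
    "/ObjStm",                       # object streams can hide any of the above until inflated
)

# Constructed sample (not a real malware file): the catalog's /OpenAction runs JavaScript,
# and a page event (/AA) points at a launch action. /Launch is written as /#4caunch to
# show the #xx name escape that defeats naive grep-based scanners.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
5 0 obj << /S /#4caunch /F (cmd.exe) /P (/c powershell -w hidden -enc AAAA) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one empty page, no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A name object is '/' followed by regular characters (no whitespace or delimiters).
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def _decode_name(raw):
    """Resolve #xx escapes: PDF lets any byte of a name be written as '#' plus two hex digits."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data):
    """Count occurrences of each active-content name in the raw file bytes."""
    counts = {name: 0 for name in ACTIVE_CONTENT_NAMES}
    for m in NAME_TOKEN.finditer(data):
        name = _decode_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return {name: n for name, n in counts.items() if n}


def triage(data):
    """'high' for a launch action or script wired to an automatic trigger, 'review' for any
    other active content, 'clean' otherwise (grading convention of this example)."""
    hits = scan_pdf(data)
    has_script = bool(hits.get("/JavaScript") or hits.get("/JS"))
    has_auto = bool(hits.get("/OpenAction") or hits.get("/AA"))
    if hits.get("/Launch") or (has_auto and has_script):
        return "high"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, triage(data), scan_pdf(data))
```

This pass only sees names that appear in clear text. Objects inside compressed streams (/FlateDecode) and object streams (/ObjStm) are invisible to it, which is why /ObjStm is itself on the watch list: a file that reports nothing but object streams still needs its streams inflated before it can be called clean.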

2024-04-22
Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
LOW

Intel Source:
Microsoft
Intel Name:
Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Microsoft Defender recently identified a significant attack targeting Kubernetes workloads leveraging critical vulnerabilities in OpenMetadata for cryptomining. Exploiting flaws disclosed on March 15, 2024, attackers gained access to Kubernetes clusters, executed reconnaissance commands, and deployed cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later, provides guidance for vulnerability checks, and highlights the role of Defender for Cloud in detecting and mitigating such threats, underlining the importance of proactive security measures in containerized environments.


Source:
https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/

2024-04-22
The_APT_group_ToddyCat_compromise_infrustructure
LOW

Intel Source:
Securelist
Intel Name:
The_APT_group_ToddyCat_compromise_infrustructure
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
This month, Securelist researchers investigated how the attackers maintained persistent access to compromised infrastructure, what information on the hosts they were interested in, and which tools they used to collect it. ToddyCat is a threat group that mainly targets governmental organizations in the Asia-Pacific region; its primary goal is to steal sensitive information from compromised hosts.


Source:
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/

2024-04-22
Sandworm_Groups_Cyber_Scheme
LOW

Intel Source:
CERT-UA
Intel Name:
Sandworm_Groups_Cyber_Scheme
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
CERT-UA found that in March 2024 the Sandworm group planned to disrupt almost 20 critical facilities, targeting the control systems of energy, water and heat supply in several regions of Ukraine. CERT-UA also found that three supply chains had been compromised, either through vulnerabilities in the suppliers' software or because supplier employees had access to the facilities' systems.


Source:
https://cert.gov.ua/article/6278706

2024-04-19
Phishing_campaign_attacks_LastPass_users
LOW

Intel Source:
Ars Technica
Intel Name:
Phishing_campaign_attacks_LastPass_users
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
The article discusses a recent phishing attack that targeted users of the password manager LastPass. The attack used a sophisticated phishing-as-a-service kit called CryptoChameleon, which provided everything needed to deceive even knowledgeable individuals into revealing their master passwords. The attackers combined email, SMS and voice calls to trick victims into giving up their login credentials. LastPass was only one of many sensitive services targeted by CryptoChameleon, and the attack was able to bypass multi-factor authentication. The article also mentions previous attacks on LastPass and offers tips for preventing these scams from succeeding.


Source:
https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/

2024-04-19
Security_Risks_in_OpenMetadata
LOW

Intel Source:
SOC Radar
Intel Name:
Security_Risks_in_OpenMetadata
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Microsoft has reported active exploitation of critical vulnerabilities in the OpenMetadata platform, an open-source system for managing metadata across data sources. The vulnerabilities affect OpenMetadata versions earlier than 1.3.1 and can allow attackers to bypass authentication and achieve remote code execution (RCE).


Source:
https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/
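Both OpenMetadata entries above (Microsoft's and SOC Radar's) reduce to the same operational question: which workloads in the cluster still run a release older than 1.3.1? The following is an added example, not code from either post, that answers it from `kubectl get pods -A -o json` output. It separates the image tag from registry ports and digests, compares the numeric part of the tag against 1.3.1, and reports digest-pinned or `latest` images as unknown rather than silently skipping them. The pod list embedded below is constructed for this example, and treating "an image repository containing openmetadata with a tag below 1.3.1" as vulnerable is this example's assumption; the authoritative check is the running server's own version.

```python
import json
import re
import sys

# First OpenMetadata release that closes the vulnerabilities (per Microsoft's guidance).
FIXED_VERSION = (1, 3, 1)

# Constructed stand-in for `kubectl get pods -A -o json`; names, namespaces and
# image references are made up for this example.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "data", "name": "openmetadata-server-7c9d"},
     "spec": {"containers": [{"name": "server", "image": "openmetadata/server:1.2.0"}]}},
    {"metadata": {"namespace": "data", "name": "openmetadata-ingestion-0"},
     "spec": {"containers": [{"name": "ingestion", "image": "openmetadata/ingestion:1.3.1"}]}},
    {"metadata": {"namespace": "data", "name": "openmetadata-server-pinned"},
     "spec": {"containers": [{"name": "server", "image": "openmetadata/server@sha256:" + "ab" * 32}]}},
    {"metadata": {"namespace": "web", "name": "nginx-5"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
]})


def split_image(image):
    """Return (repository, tag); tag is None for digest-pinned or untagged references."""
    name = image.split("@", 1)[0]            # drop any @sha256:... digest
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:                   # ':' after the last '/' is the tag, not a registry port
        return name[:colon], name[colon + 1:]
    return name, None


def parse_version(tag):
    """Numeric prefix of a tag as (major, minor, patch); None when the tag carries no version."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def find_openmetadata(pods_json, fixed=FIXED_VERSION):
    """Classify every container (including init containers) whose image repository mentions openmetadata."""
    findings = []
    for item in json.loads(pods_json).get("items", []):
        ns, pod = item["metadata"]["namespace"], item["metadata"]["name"]
        spec = item.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            repo, tag = split_image(c["image"])
            if "openmetadata" not in repo.lower():
                continue
            version = parse_version(tag)
            if version is None:
                status = "unknown"        # digest or :latest; confirm the version from the server itself
            elif version < fixed:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({"namespace": ns, "pod": pod, "container": c["name"],
                             "image": c["image"], "status": status})
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 om_check.py   (falls back to the sample when run interactively)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    for f in find_openmetadata(source):
        print(f"{f['status']:<10} {f['namespace']}/{f['pod']} ({f['container']}): {f['image']}")
```

An "unknown" result is a finding, not a pass: a digest-pinned image may well be an old build, and the only way to settle it is to read the version the running server reports.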

2024-04-19
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
LOW

Intel Source:
Avast
Intel Name:
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Avast’s investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, employing fileless malware and multi-layered loaders, showcases advanced evasion techniques and intricate C&C communication. The involvement of the Kaolin RAT highlights the group’s commitment to control and data extraction.


Source:
https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams

2024-04-19
Threat_Landscape_Update_Exploits_and_Breaches
LOW

Intel Source:
picussecurity
Intel Name:
Threat_Landscape_Update_Exploits_and_Breaches
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Picus Security's April 19 threat roundup covers critical vulnerabilities exploited by threat actors, such as the PAN-OS command injection and the PuTTY SSH client vulnerability, alongside targeted attacks by groups such as IntelBroker and Sandworm.


Source:
https://www.picussecurity.com/resource/blog/april-19-top-threat-actors-malware-vulnerabilities-and-exploits

2024-04-19
The_CVE_2024_31497_PuTTY_vulnerability
LOW

Intel Source:
Stairwell
Intel Name:
The_CVE_2024_31497_PuTTY_vulnerability
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
In the Stairwell blog, the analysts discuss CVE-2024-31497, a vulnerability in PuTTY's SSH code found by researchers at Ruhr University Bochum. Biased ECDSA nonce generation for NIST P-521 keys lets an attacker who collects a few dozen signatures made with such a key recover the private key used for key-based authentication. The blog explains the background of the vulnerability, lists potentially vulnerable software (including products that embed PuTTY's code and are not named in the NIST advisory), provides known vulnerable hashes and a YARA rule for detection, and stresses the importance of quickly addressing supply chain vulnerabilities of this kind.


Source:
https://stairwell.com/resources/stairwell-threat-report-vulnerable-putty-ssh-libraries-cve-2024-31497/
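The following is an added example, not code from the Stairwell post, covering the two things a practitioner wants from this entry: why the nonce bias leaks key material, and which keys must be rotated once vulnerable builds are found. The nonce routine is a simplified model of PuTTY's pre-0.81 scheme (the exact byte layout is an assumption of this example; the defect being modelled is that a 512-bit hash is reduced modulo a 521-bit group order, so the reduction never wraps and the top nine bits of every nonce are zero). The uniform generator is only a comparison baseline, not PuTTY 0.81's actual fix (which switched to RFC 6979), and the authorized_keys content is constructed with made-up key blobs.

```python
import hashlib
import secrets

# Order of the NIST P-521 group, i.e. the modulus for ECDSA nonces (public constant).
P521_N = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449
assert P521_N.bit_length() == 521


def biased_nonce(priv, msg_hash):
    """Simplified model (assumption, not PuTTY's exact code) of the pre-0.81 scheme:
    k = SHA-512(private key || message hash) mod n. SHA-512 is 512 bits wide and n is
    521 bits, so 'mod n' changes nothing and k always has nine leading zero bits."""
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % P521_N


def uniform_nonce():
    """Comparison baseline: uniform k in [1, n-1] by rejection sampling (not PuTTY's fix)."""
    while True:
        k = secrets.randbits(521)
        if 1 <= k < P521_N:
            return k


def top_bits(k, total=521, count=9):
    """The `count` most significant bits of a `total`-bit nonce."""
    return k >> (total - count)


def bias_report(priv, samples=200):
    """Compare the leading bits of nonces from both generators over `samples` signatures.
    A uniform nonce has nine zero leading bits with probability about 1/512; the biased
    one has them every time, which is the structure lattice-based key recovery exploits."""
    biased = [biased_nonce(priv, hashlib.sha512(b"constructed message %d" % i).digest())
              for i in range(samples)]
    uniform = [uniform_nonce() for _ in range(samples)]
    return {
        "biased_top9_always_zero": all(top_bits(k) == 0 for k in biased),
        "uniform_top9_zero_fraction": sum(top_bits(k) == 0 for k in uniform) / samples,
    }


# Constructed authorized_keys content (made-up key blobs) for the rotation check.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOB1 alice@build
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEXAMPLEBLOB2 bob@laptop
# comment line
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEBLOB3 carol@jump
command="/usr/bin/rrsync /srv" ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEXAMPLEBLOB4 backup@nas
"""


def keys_to_rotate(authorized_keys_text):
    """Return the comments of keys of type ecdsa-sha2-nistp521. Only 521-bit ECDSA keys that
    were ever used from an affected PuTTY build need rotation; other key types are unaffected."""
    affected = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (command="...", from="...") may precede the key type, so take the
        # first field that looks like an SSH key type rather than assuming it is fields[0].
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                if field == "ecdsa-sha2-nistp521":
                    affected.append(" ".join(fields[i + 2:]))
                break
    return affected


if __name__ == "__main__":
    print(bias_report(secrets.randbelow(P521_N - 1) + 1))
    print("rotate:", keys_to_rotate(SAMPLE_AUTHORIZED_KEYS))
```

Rotating the key is the only remediation for a P-521 key that has signed with a vulnerable build; upgrading PuTTY stops new biased signatures but does nothing about the ones an attacker may already hold (from a compromised server or a logged agent-forwarding session).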

 

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
    Learn More
  • Blog
    Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
    Learn More
  • Blog
    Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
    Learn More

Threat Labs Archives

  • Threat Research