Dec 23, 2024 | Ravie Lakshmanan | Cybersecurity / Weekly Recap
The online world never takes a break, and this week shows why. From ransomware creators being caught to hackers backed by governments trying new tricks, the message is clear: cybercriminals are always changing how they attack, and we need to keep up.
Hackers are using everyday tools in harmful ways, hiding spyware in trusted apps, and finding new ways to take advantage of old security gaps. These events aren’t random—they show just how clever and flexible cyber threats can be.
In this edition, we’ll look at the most important cyber events from the past week and share key takeaways to help you stay safe and prepared. Let’s get started.
⚡ Threat of the Week
LockBit Developer Rostislav Panev Charged in the U.S. — Rostislav Panev, a 51-year-old dual Russian and Israeli national, has been charged in the U.S. for allegedly acting as the developer of the now-disrupted LockBit ransomware-as-a-service (RaaS) operation, netting about $230,000 between June 2022 and February 2024. Panev was arrested in Israel in August 2024 and is currently pending extradition. With the latest development, a total of seven LockBit members have been charged in the U.S. That said, the group appears to be readying a new version, LockBit 4.0, that’s scheduled for release in February 2025.
🔔 Top News
- Lazarus Group Continues to Evolve Tactics — The North Korea-linked Lazarus Group has been observed targeting nuclear engineers with a new modular malware called CookiePlus as part of a long-running cyber espionage campaign dubbed Operation Dream Job. CookiePlus is only the latest sign of the growing sophistication the group is building into its malware and tradecraft, and the variety of TTPs on display underscores how versatile and adaptable it has become.
- APT29 Uses Open-Source Tool to Set Up Proxies in RDP Attacks — The Russian state-sponsored group tracked as APT29 has repurposed a legitimate red-teaming technique built around PyRDP, an open-source RDP man-in-the-middle proxy, to stand up intermediary servers that relay victim connections to attacker-controlled RDP servers, deploy additional payloads, and exfiltrate data. The development illustrates how adversaries can accomplish their goals without designing highly customized tooling of their own.
- Serbian Journalist Targeted by Cellebrite and NoviSpy — An independent Serbian journalist, Slaviša Milanov, had his phone first unlocked with Cellebrite’s forensic tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, which can capture personal data from a target’s phone and remotely turn on its microphone or camera. The attacks, detailed by Amnesty International, mark the first documented case of two different invasive technologies being used in combination against members of civil society to covertly gather data. Serbia’s police characterized the report as “absolutely incorrect.”
- The Mask Makes a Comeback — A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. The group, first documented by Kaspersky back in early 2014, infected the company with malware such as FakeHMP, Careto2, and Goreto that are designed to harvest files, keystrokes, and screenshots; run shell commands; and deploy more malware. The origins of the threat actor are presently not known.
- Multiple npm Packages Fall Victim to Supply Chain Attacks — Unknown threat actors compromised three npm packages, @rspack/core, @rspack/cli, and vant, and pushed malicious versions to the npm registry containing code that deploys a cryptocurrency miner on systems that install them. Following discovery, the respective project maintainers removed the rogue versions.
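The first question an incident responder asks after news like this is whether the bad release ever landed in a build. The check below is an added example (not code from the rspack or vant projects, and not from the article): it walks an npm lockfile in any of the v1, v2 or v3 layouts, including copies nested under other packages, and reports installed versions that appear on a denylist. The lockfile contents are constructed, and the denylisted version strings are hypothetical placeholders; substitute the versions named in the maintainers’ advisories before using it for real.

```python
"""Check an npm lockfile for packages whose installed version is on a denylist
of known-bad releases.

Added example, not code from the affected projects or from the article. The
versions in DENYLIST are hypothetical placeholders: substitute the versions
named in the maintainers' advisories before running this against real lockfiles.
"""
import json
import sys

# Hypothetical (package, version) pairs standing in for the malicious releases.
DENYLIST = {
    ("@rspack/core", "0.0.0-bad"),
    ("@rspack/cli", "0.0.0-bad"),
    ("vant", "0.0.0-bad"),
}

# Constructed package-lock.json (lockfileVersion 3 layout) used as sample input.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"vant": "0.0.0-bad"}},
        "node_modules/vant": {"version": "0.0.0-bad"},
        "node_modules/@rspack/core": {"version": "0.0.0-good"},
        # A transitive copy nested under another package must be caught too.
        "node_modules/some-dep/node_modules/@rspack/cli": {"version": "0.0.0-bad"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.split("node_modules/")[-1]


def _walk_v1(deps):
    """Yield (name, version) from the nested 'dependencies' tree of a v1 lockfile."""
    for name, meta in deps.items():
        if "version" in meta:
            yield name, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}))


def iter_installed(lock):
    """Yield (name, version) for every installed package in a v1, v2 or v3 lockfile."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path and "version" in meta:  # "" is the root project; links carry no version
                yield _name_from_path(path), meta["version"]
    elif "dependencies" in lock:  # lockfileVersion 1: nested tree
        yield from _walk_v1(lock["dependencies"])


def find_denylisted(lock_text, denylist=DENYLIST):
    """Return sorted (name, version) pairs from the lockfile that appear in denylist."""
    lock = json.loads(lock_text)
    return sorted({pair for pair in iter_installed(lock) if pair in denylist})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_denylisted(text)
    for name, version in hits:
        print(f"DENYLISTED: {name}@{version}")
    sys.exit(1 if hits else 0)
```

Run it as `python check_lock.py package-lock.json` in CI so a denylisted version fails the build; the lockfile, not `package.json`, is what to check, because a caret range in `package.json` says nothing about which version was actually resolved.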
️🔥 Trending CVEs
Heads up! Some popular software has serious security flaws, so make sure to update now to stay safe. This week’s list:
- CVE-2024-12727, CVE-2024-12728, CVE-2024-12729 (Sophos Firewall)
- CVE-2023-48788 (Fortinet FortiClient EMS)
- CVE-2023-34990 (Fortinet FortiWLM)
- CVE-2024-12356 (BeyondTrust Privileged Remote Access and Remote Support)
- CVE-2024-6386 (WPML plugin)
- CVE-2024-49576, CVE-2024-47810 (Foxit Software)
- CVE-2024-49775 (Siemens Opcenter Execution Foundation)
- CVE-2024-12371, CVE-2024-12372, CVE-2024-12373 (Rockwell Automation PowerMonitor 1000)
- CVE-2024-52875 (GFI KerioControl)
- CVE-2024-56145 (Craft CMS)
- CVE-2024-56050, CVE-2024-56052, CVE-2024-56054, CVE-2024-56057 (VibeThemes WPLMS)
- CVE-2024-12626 (AutomatorWP plugin)
- CVE-2024-11349 (AdForest theme)
- CVE-2024-51466 (IBM Cognos Analytics)
- CVE-2024-10244 (ISDO Software Web Software)
- CVE-2024-4995 (Wapro ERP Desktop)
- CVE-2024-10205 (Hitachi Ops Center Analyzer)
- CVE-2024-46873 (Sharp router)
📰 Around the Cyber World
- Recorded Future Gets Labeled “Undesirable” in Russia — Russian authorities have designated U.S. threat intelligence firm Recorded Future an “undesirable” organization, accusing it of participating in propaganda campaigns and cyberattacks against Moscow. Russia’s Office of the Prosecutor General also said the company is “actively cooperating” with U.S. and foreign intelligence services to search for, gather, and analyze data on Russian military activities, and that it gives Ukraine “unrestricted access” to programs used in offensive information operations against Russia. “Some things in life are rare compliments. This being one,” Recorded Future’s chief executive, Christopher Ahlberg, wrote on X.
- China Accuses the U.S. of Conducting Cyber Attacks — The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) accused the U.S. government of launching cyber attacks against two Chinese technology companies in a bid to steal trade secrets. CNCERT said one of the attacks, detected in August 2024, singled out an advanced material design and research unit by exploiting a vulnerability in an electronic document security management system to break into the upgrade management server, deliver a trojan to over 270 hosts, and siphon “a large amount of trade secret information and intellectual property.” The second attack targeted an unnamed high-tech enterprise in smart energy and digital information from May 2023 onward, weaponizing flaws in Microsoft Exchange Server to plant backdoors aimed at harvesting mail data. “At the same time, the attacker used the mail server as a springboard to attack and control more than 30 devices of the company and its subordinate enterprises, stealing a large amount of trade secret information from the company,” CNCERT said. The allegations come as the U.S. accuses Chinese threat actors such as Salt Typhoon of breaching its telecommunications infrastructure.
- New Android Spyware Distributed via Amazon Appstore — Cybersecurity researchers uncovered a new Android malware that was available for download from the Amazon Appstore. Masquerading as a body mass index (BMI) calculator, the app (“BMI CalculationVsn” or com.zeeee.recordingappz) came with features to stealthily record the screen, as well as collect the list of installed apps and incoming SMS messages. “On the surface, this app appears to be a basic tool, providing a single page where users can input their weight and height to calculate their BMI,” McAfee Labs said. “However, behind this innocent appearance lies a range of malicious activities.” The app has been taken down following responsible disclosure.
- HeartCrypt Packer-as-a-Service Operation Exposed — A new packer-as-a-service (PaaS) called HeartCrypt has been advertised for sale on Telegram and underground forums since February 2024 to protect malware such as Remcos RAT, XWorm, Lumma Stealer, and Rhadamanthys. Said to be in development since July 2023, its operators charge $20 per file to pack, supporting both Windows x86 and .NET payloads. “In HeartCrypt’s PaaS model, customers submit their malware via Telegram or other private messaging services, where the operator then packs and returns it as a new binary,” Palo Alto Networks Unit 42 said, adding it identified over 300 distinct legitimate binaries that were used to inject the malicious payload. It’s suspected that the service allows clients to select a specific binary for injection so as to tailor them based on the intended target. At its core, the packer works by inserting the main payload into the binary’s .text section and hijacking its control flow in order to enable the execution of the malware. The packer also takes steps to add several resources that are designed to evade detection and analysis, while simultaneously offering an optional method to establish persistence using Windows Registry modifications. “During HeartCrypt’s eight months of operation, it has been used to pack over 2,000 malicious payloads, involving roughly 45 different malware families,” Unit 42 said.
- Chinese and Vietnamese-speaking Users Targeted by CleverSoar Installer — A highly evasive malware installer called CleverSoar is being used to target Chinese- and Vietnamese-speaking victims with the Winos 4.0 framework and the Nidhogg rootkit. The infection chain starts with MSI packages that likely masquerade as legitimate software or gaming-related applications; these extract the embedded files and then execute the CleverSoar installer. “These tools enable capabilities such as keystroke logging, data exfiltration, security bypasses, and covert system control, suggesting that the campaign is part of a potentially prolonged espionage effort,” Rapid7 said, describing it as an advanced and targeted threat. “The campaign’s selective targeting of Chinese and Vietnamese-speaking users, along with its layered anti-detection measures, points to a persistent espionage effort by a capable threat actor.” It’s suspected that the threat actor is also responsible for other campaigns distributing Winos 4.0 and ValleyRAT.
- Thousands of SonicWall Devices Vulnerable to Critical Flaws — As many as 119,503 publicly accessible SonicWall SSL-VPN devices are susceptible to serious security flaws (25,485 of critical severity and 94,018 of high severity), with over 20,000 using a SonicOS/OSX firmware version that’s no longer supported by the vendor. “The majority of series 7 devices exposed online are impacted by at least one vulnerability of high or critical severity,” cybersecurity company Bishop Fox said. A total of 430,363 unique SonicOS/OSX instances have been found exposed on the internet.
- Industrial Systems Targeted in New Malware Attacks — Siemens engineering workstations (EWS) have been targeted by a malware called Chaya_003 that can terminate the Siemens TIA Portal process, along with those of Microsoft Office applications, Google Chrome, and Mozilla Firefox. Once installed, the malware connects to a Discord webhook to fetch instructions for system reconnaissance and process disruption. Forescout said it also identified two incidents in which Mitsubishi EWSs were infected with the Ramnit worm. It’s currently not clear whether the attackers directly targeted the operational technology (OT) systems or whether the malware arrived by some other route, such as phishing or compromised USB drives. OT networks have also increasingly been the target of ransomware attacks, with 552 incidents reported in Q3 2024, up from 312 in Q2 2024, per Dragos. No fewer than 23 new ransomware groups targeted industrial organizations during the period. Some of the most impacted verticals included manufacturing, industrial control systems (ICS) equipment and engineering, transportation, communications, oil and gas, electric, and government.
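An engineering workstation has no business talking to Discord, which makes the Chaya_003 command channel a cheap thing to alert on. The script below is an added example, not Forescout’s detection logic and not code from the article: it runs over a few constructed proxy log lines, matches only the webhook API path and attachment downloads (not ordinary Discord browsing, which would drown the signal on a corporate network), and raises severity when the source is a host tagged as an EWS. The log format, host names and the `EWS_HOSTS` set are assumptions for the demo.

```python
"""Flag Discord webhook traffic from engineering workstations in proxy logs.

Added example; not Forescout's detection logic and not code from the article.
The log format, host names and the EWS_HOSTS set are assumptions made for the
demo; adapt LINE_RE to your proxy's format.
"""
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not real data).
SAMPLE_LOG = """\
2024-12-18T10:22:01Z host=EWS-07 user=eng1 method=POST url=https://discord.com/api/webhooks/000000/zzzz status=204
2024-12-18T10:22:05Z host=EWS-07 user=eng1 method=GET url=https://support.industry.siemens.com/cs/ status=200
2024-12-18T10:23:40Z host=LAPTOP-12 user=alice method=GET url=https://discord.com/channels/@me status=200
2024-12-18T10:25:11Z host=EWS-02 user=eng4 method=GET url=https://cdn.discordapp.com/attachments/000/111/update.bin status=200
2024-12-18T10:26:00Z host=EWS-02 user=eng4 method=GET url=https://www.microsoft.com/ status=200
"""

# Hosts the OT team has tagged as engineering workstations (assumption).
EWS_HOSTS = {"EWS-02", "EWS-07"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def classify(url):
    """Return a reason if the URL is a Discord webhook call or CDN download, else None.

    Ordinary Discord browsing (channels, gateway) is deliberately not matched:
    the signal is the /api/webhooks/ path and attachment fetches, not the domain.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in {"discord.com", "discordapp.com"} and p.path.startswith("/api/webhooks/"):
        return "discord-webhook"
    if host == "cdn.discordapp.com" and p.path.startswith("/attachments/"):
        return "discord-cdn-download"
    return None


def detect(log_text, ews_hosts=EWS_HOSTS):
    """Return (timestamp, host, reason, severity) for every matching line.

    Severity is 'high' when the source is an engineering workstation, which
    should never reach Discord at all, and 'low' elsewhere.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m["url"])
        if reason is None:
            continue
        severity = "high" if m["host"] in ews_hosts else "low"
        alerts.append((m["ts"], m["host"], reason, severity))
    return alerts


if __name__ == "__main__":
    for ts, host, reason, severity in detect(SAMPLE_LOG):
        print(f"[{severity}] {ts} {host}: {reason}")
```

The stronger control is the one the detection implies: EWS hosts should sit behind an egress allow-list, so the webhook request never leaves the OT zone and the alert fires on the denied connection instead.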
- Cracked Version of Acunetix Scanner Linked to Turkish IT Firm — Threat actors are selling thousands of credential sets stolen using Araneida, a cracked version of the Acunetix web app vulnerability scanner. According to Krebs on Security and Silent Push, Araneida is believed to be sold as a cloud-based attack tool to other criminal actors. Further analysis of the digital trail left by the threat actors has traced them to an Ankara-based software developer named Altuğ Şara, who has worked for a Turkish IT company called Bilitro Yazilim.
🎥 Expert Webinar
- Preparing for the Next Wave of Ransomware in 2025 — Ransomware is getting smarter, using encryption to hide and strike when you least expect it. Are you prepared for what’s coming next? Join Emily Laufer and Zscaler ThreatLabz to explore the latest ransomware trends, how attackers use encrypted channels to stay hidden, and smart strategies to stop them. Learn how to protect your organization before it’s too late—secure your spot today!
- The Enterprise Guide to Certificate Automation and Beyond — Join our live demo to see how DigiCert ONE simplifies trust across users, devices, and software. Discover how to centralize certificate management, automate operations, and meet compliance demands while reducing complexity and risk. Whether for IT, IoT, or DevOps, learn how to future-proof your digital trust strategy. Don’t miss out—register now!
🔧 Cybersecurity Tools
- AttackGen — An open-source tool that helps organizations prepare for cyber threats. It uses large language models and the MITRE ATT&CK framework to generate incident response scenarios tailored to your organization’s size, industry, and selected threat actors. With quick templates for common attacks and a built-in assistant for refining scenarios, AttackGen makes incident-response planning straightforward. It supports both enterprise and industrial control system environments, helping teams stay ready for real-world threats.
- Brainstorm — A tool that makes web fuzzing more effective by pairing local AI models with ffuf. It analyzes links from a target website and generates informed guesses for hidden files, directories, and API endpoints. By learning from each discovery, it reduces the number of requests needed while finding more endpoints than traditional wordlists. That makes it useful for optimizing fuzzing tasks, saving time, and keeping request volume (and therefore noise) low. It’s easy to set up, works with local LLMs via Ollama, and adapts to the target.
- GPOHunter — A tool that identifies and helps fix security weaknesses in Active Directory Group Policy Objects (GPOs). It detects issues such as clear-text passwords, weak authentication settings, and recoverable Group Policy Preferences (GPP) passwords, and produces detailed reports in multiple formats. Easy to use and highly effective, GPOHunter simplifies securing your GPOs and hardening your environment.
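The GPP password problem GPOHunter looks for is worth seeing concretely. Preference files under SYSVOL (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml) can carry a `cpassword` attribute that is AES-encrypted with a key Microsoft itself published, so any non-empty value is a recoverable credential readable by every domain user; MS14-025 stopped Windows writing new ones but left existing files in place. The scanner below is an added example, not GPOHunter’s code: it parses constructed sample files and reports every element whose `Properties` carry a non-empty `cpassword`, together with the account it belongs to. The paths are placeholders, not real GPO GUIDs.

```python
"""Scan Group Policy Preference XML for stored credentials (cpassword).

Added example, not GPOHunter's own code. Any non-empty cpassword is a
recoverable credential (the key is public), so presence alone is the finding.
The file contents below are constructed samples and the paths are placeholders.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for files under \\<domain>\SYSVOL\<domain>\Policies (not real data).
SAMPLE_SYSVOL = {
    "Policies/{GPO-A}/Machine/Preferences/Groups/Groups.xml": """
<Groups>
  <User name="LocalAdmin" changed="2024-01-05 09:12:00">
    <Properties action="U" userName="LocalAdmin" cpassword="AAAAAAAA" neverExpires="1"/>
  </User>
</Groups>""",
    "Policies/{GPO-A}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": """
<ScheduledTasks>
  <Task name="Backup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="" systemAccount="0"/>
  </Task>
</ScheduledTasks>""",
    "Policies/{GPO-B}/User/Preferences/Drives/Drives.xml": """
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fs01\\home" userName=""/>
  </Drive>
</Drives>""",
}

# GPP element types that can carry a cpassword, and the attribute naming the account.
ACCOUNT_ATTR = {
    "User": "userName", "Task": "runAs", "TaskV2": "runAs", "ImmediateTaskV2": "runAs",
    "Service": "accountName", "DataSource": "username", "Drive": "userName",
}


def scan_gpp(files):
    """Return (path, element_tag, account) for every non-empty cpassword found.

    `files` maps a SYSVOL-relative path to that file's XML text.
    """
    findings = []
    for path, xml_text in files.items():
        try:
            root = ET.fromstring(xml_text.strip())
        except ET.ParseError:
            continue  # malformed file: skipped here, a real scanner should report it
        for item in root:
            props = item.find("Properties")
            if props is None:
                continue
            if props.get("cpassword"):  # attribute present and non-empty
                account = props.get(ACCOUNT_ATTR.get(item.tag, "userName"), "")
                findings.append((path, item.tag, account))
    return findings


def load_tree(root_dir):
    """Read every .xml below root_dir into the {path: text} shape scan_gpp expects."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root_dir)] = fh.read()
    return files


if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSVOL
    for path, tag, account in scan_gpp(tree):
        print(f"cpassword found: {path} <{tag}> account={account!r}")
```

Point it at a mounted SYSVOL share (`python gpp_scan.py /mnt/sysvol/corp.example/Policies`). Remediation is to delete the preference item (not just blank the password), rotate the account, and check the GPO’s history in case the file has already been read.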
🔒 Tip of the Week
Don’t Let Hackers Peek into Your Cloud — Cloud storage makes life easier, but it can also expose your data if it isn’t secured properly. Many people don’t realize that misconfigured settings, such as publicly readable buckets or overly broad permissions, let anyone on the internet read their files. This is how many major data leaks happen, and it’s preventable.
Start by auditing your cloud. Tools like ScoutSuite scan an account’s configuration for misconfigurations such as publicly accessible storage, missing encryption at rest, and overly permissive policies. Next, restrict access to the people and workloads that actually need it, and have a tool like Cloud Custodian enforce those rules continuously, for example by flagging or remediating a bucket the moment it becomes public.
Finally, encrypt sensitive data before it leaves your machine. rclone’s crypt backend wraps any cloud remote so that file contents (and optionally file names) are encrypted client-side with a key only you hold; the provider then stores ciphertext it cannot read. Two caveats: client-side encryption does not fix bad access controls (an attacker can still download or delete your ciphertext), and the key lives in your rclone configuration, so protect it and back it up. With these steps, your cloud will stay safe, and your data will remain yours.
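Most of what ScoutSuite reports under “public storage” reduces to two checks on documents you can fetch yourself: does the bucket policy grant anything to a wildcard principal, and does the ACL grant anything to the AllUsers or AuthenticatedUsers groups. The script below is an added example (not ScoutSuite’s or Cloud Custodian’s code) that runs those checks offline on an AWS S3 policy and ACL, showing the weak policy beside its corrected form; the bucket name, account ID and role name are placeholders, and the assumption that the cloud in question is AWS S3 is mine, since the tip above is vendor-neutral.

```python
"""Flag public access in an S3 bucket policy and ACL, with the weak and the
corrected policy side by side.

Added example, not ScoutSuite's or Cloud Custodian's code. The bucket name,
account ID and role are placeholders. It runs on policy documents you have
already fetched (aws s3api get-bucket-policy / get-bucket-acl), so it works offline.
"""
import json

# Weak: anyone on the internet can read every object.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Corrected: only one named role in your own account may read.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed get-bucket-acl style output granting READ to everyone.
BAD_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: effectively public
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anyone(principal):
    """True for the wildcard forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_text):
    """Return (sid, verdict) for Allow statements that grant to a wildcard principal.

    verdict is 'public' when there is no Condition at all and 'review' when one
    is present: some keys (aws:SourceVpce, aws:PrincipalOrgID) narrow the grant,
    others (aws:SecureTransport) do not, so a human has to look.
    """
    policy = json.loads(policy_text)
    out = []
    for i, s in enumerate(_as_list(policy.get("Statement", []))):
        if s.get("Effect") != "Allow" or not _principal_is_anyone(s.get("Principal")):
            continue
        sid = s.get("Sid", f"statement-{i}")
        out.append((sid, "review" if s.get("Condition") else "public"))
    return out


def acl_findings(acl):
    """Return 'Group:Permission' for grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{g.get('Permission')}")
    return out


if __name__ == "__main__":
    print("bad policy:", policy_findings(BAD_POLICY))      # [('PublicRead', 'public')]
    print("fixed policy:", policy_findings(FIXED_POLICY))  # []
    print("bad acl:", acl_findings(BAD_ACL))               # ['AllUsers:READ']
```

Note the asymmetry the fix illustrates: the corrected policy names a principal, not a condition. A Deny statement elsewhere can also neutralize a wildcard Allow, which is why a tool like Cloud Custodian evaluates the whole policy set rather than one statement; this script flags candidates for that fuller review.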
Conclusion
The holidays are a time for celebration, but they’re also peak season for cyber risks. Cybercriminals are more active than ever, targeting online shoppers, gift exchanges, and even festive email greetings. Here’s how you can enjoy a secure and worry-free holiday:
- 🎁 Wrap Your Digital Gifts with Security: If you’re gifting smart gadgets, set them up with strong passwords and enable updates before wrapping them. This ensures your loved ones start safe from day one.
- 📦 Track Packages, Not Scammers: Be wary of fake delivery notifications. Use official apps or tracking links from trusted retailers to follow your shipments.
- ✨ Make Your Accounts Jolly Secure: Use a password manager to update weak passwords across your accounts. A few minutes now can save hours of frustration later.
- 🎮 Game On, Safely: If new gaming consoles or subscriptions are on your list, make sure to activate parental controls and use unique account details. Gaming scams spike during the holidays.
As we head into the New Year, let’s make cybersecurity a priority for ourselves and our families. After all, staying safe online is the gift that keeps on giving.
Happy Holidays, and here’s to a secure and joyful season! 🎄🔒