Google addresses third Chrome zero-day in a week
- SISA Weekly Threat Watch - May 20, 2024
Last week witnessed a surge in cyber threats across various fronts, with notable incidents involving financially motivated threat groups like FIN7 exploiting Google ads to distribute the NetSupport RAT, the emergence of the Black Basta ransomware targeting critical infrastructure sectors globally, a large-scale LockBit Black ransomware campaign orchestrated through the Phorpiex botnet, Google addressing a third Chrome zero-day vulnerability, and CISA issuing warnings about actively exploited vulnerabilities in D-Link routers. These incidents underscore the evolving tactics of threat actors and the critical importance of robust cybersecurity measures to safeguard against malicious activities.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. FIN7 exploits malicious Google Ads for NetSupport RAT delivery
The financially motivated threat group FIN7, also known as Carbon Spider and Sangria Tempest, has been using malicious Google ads to distribute MSIX installers disguised as legitimate brands like AnyDesk, WinSCP, and Google Meet. These installers contain PowerShell scripts that ultimately deploy the NetSupport RAT, allowing FIN7 to deliver additional malware, including DICELOADER. Active since 2013, FIN7 has evolved from stealing payment data from PoS devices to sophisticated ransomware campaigns and malvertising techniques.
Recent attacks detected reveal FIN7’s abuse of signed MSIX files to bypass security mechanisms. Recommendations to mitigate this threat include implementing web filtering, updating antivirus software, disabling unnecessary browser extensions, using Endpoint Detection and Response (EDR) solutions, and establishing a Phishing and Security Awareness Training (PSAT) program.
2. Google addresses third Chrome zero-day exploited in a week
Google has released fixes for nine security issues in Chrome, including a zero-day vulnerability, CVE-2024-4947, marking the third zero-day patched in a week after CVE-2024-4671 and CVE-2024-4761. CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine, allows for out-of-bounds memory access and execution of arbitrary code via a crafted HTML page.
As per the reports, this vulnerability adds to the seven zero-days fixed in Chrome since the beginning of the year. Users are advised to upgrade to Chrome version 125.0.6422.60/.61 for Windows and macOS, and version 125.0.6422.60 for Linux. Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply these fixes as they become available.
3. CISA reports Black Basta ransomware breaching 500+ organizations globally
Since April 2022, the ransomware-as-a-service (RaaS) operation Black Basta has targeted over 500 entities across North America, Europe, and Australia, impacting 12 critical infrastructure sectors. Affiliates use phishing and known vulnerabilities to access systems, employing a double-extortion model that encrypts systems and exfiltrates data.
Black Basta’s attacks often involve tools for network scanning, lateral movement, and privilege escalation, exploiting vulnerabilities such as ZeroLogon and PrintNightmare. The group uses the ChaCha20 algorithm for encryption, deleting volume shadow copies to prevent recovery. Recent statistics highlight a significant increase in activity, with ties to the cybercrime group FIN7. Other emerging ransomware groups include APT73, DoNex, DragonForce, and Hunt. Recommendations include blocking common entry points, preventing intrusions with endpoint security software, and implementing network segmentation and EDR solutions.
4. Millions of emails sent by Phorpiex botnet in LockBit Black ransomware campaign
A large-scale LockBit Black ransomware campaign has been active since April 2024, leveraging the Phorpiex botnet to distribute ransomware through phishing emails. Phorpiex, an evolved botnet known for spreading via USB and email spam, uses ZIP attachments containing executables to deploy ransomware globally. Phishing emails, often titled “your document” or “photo of you???”, are sent from various aliases and over 1,500 IP addresses, including those in Kazakhstan, Uzbekistan, Iran, Russia, and China.
This campaign, which uses the leaked LockBit 3.0 builder, involves recipients opening ZIP attachments to execute binaries that download and execute the ransomware, leading to data theft, service disruption, and file encryption. To prevent such attacks, recommendations include regular and tested backups, encryption of sensitive data, up-to-date antivirus software, automated patching, and adherence to the Principle of Least Privilege.
5. CISA warns of actively exploited D-Link router vulnerabilities
CISA has added two security flaws affecting D-Link routers to its Known Exploited Vulnerabilities catalog, urging organizations to apply mitigations by June 6, 2024. The vulnerabilities include a CSRF flaw in DIR-600 routers enabling configuration changes via hijacked administrator sessions and an information disclosure flaw in DIR-605 routers allowing retrieval of usernames and passwords.
Additionally, an authentication bypass and command execution vulnerability in DIR-X4860 routers enables remote attackers to access the HNAP port and execute commands as root. Affected organizations are advised to apply vendor-provided mitigations, replace legacy D-Link devices, monitor for exploitation signs, segment networks, and disable the Remote Management feature to prevent exploitation.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.