SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. BazarCall exploits Google Forms in recent phishing attack
BazarCall, a phishing attack scheme initially discovered in 2021, has evolved its tactics by exploiting Google Forms to create deceptive payment receipts. Recent variants of BazarCall impersonate renowned services like Netflix, Disney+, and McAfee, using Google Forms to send false payment confirmations. Abnormal, an email security firm, revealed this new method that leverages Google Forms’ legitimacy to evade traditional security tools, enhancing the credibility of these phishing emails.
The fraudulent invoices, seemingly from ‘firstname.lastname@example.org,’ prompt recipients to dispute charges by calling a provided number within 24 hours. Victims who make the call connect with cybercriminals posing as customer support, leading to the installation of BazarLoader malware onto their systems. To counter such threats, it is recommended to invest in AI-driven email security solutions and integrate behavioral AI for anomaly detection for better threat identification and response.
Once victims access compromised sites, a two-step injection process deploys a seemingly benign loader script, evading detection. This loader dynamically loads an obfuscated script, masquerading as legitimate content delivery, conducting pre-execution security checks, and adapting to commands from the control server. Mitigation strategies involve updating security tools, enhancing employee training, implementing robust endpoint protection, and conducting regular security audits.
3. Security experts uncover new insights into zero-click Outlook RCE exploits
Microsoft has addressed two security flaws in Windows (CVE-2023-35384 and CVE-2023-36710) that together pose a remote code execution (RCE) risk in Outlook without any user interaction. CVE-2023-35384 bypasses the fix for a critical March 2023 flaw (CVE-2023-23397), re-enabling NTLM credential theft and relay attacks.
It works in tandem with CVE-2023-36710, a Windows Media Foundation Core vulnerability, to achieve zero-click code execution on Outlook clients through a custom sound file that the client downloads. The chain abuses Outlook’s reminder sound autoplay feature. Implementing microsegmentation, blocking outgoing SMB connections, and disabling NTLM limit lateral movement and prevent unauthorized access.
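One way to script two of the mitigations listed above (blocking outbound SMB and restricting outgoing NTLM) on a Windows endpoint, added here as an example that is not part of the SISA advisory: the rule name, the use of the firewall's built-in 'Internet' address keyword as the scope, and the audit-first default are my assumptions, and the script needs an elevated PowerShell session.

```powershell
# Added example (not from the advisory): audit and apply two hardening steps
# that blunt the Outlook reminder-sound NTLM-leak chain on a Windows host.
$RuleName = 'Harden - Block outbound SMB to Internet'   # assumed name
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutlookNtlmHardeningState {
    # Read-only report of the two settings; changes nothing.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $ntlm = (Get-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic `
                 -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    [pscustomobject]@{
        OutboundSmbBlocked  = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
        RestrictSendingNTLM = if ($null -eq $ntlm) { 0 } else { $ntlm }   # 0=allow, 1=audit, 2=deny
    }
}

function Set-OutlookNtlmHardening {
    param([switch]$DenyNtlm)   # default is audit mode; pass -DenyNtlm to enforce
    # 1. Block outbound SMB (TCP 445) to non-local addresses, so a UNC path in a
    #    crafted reminder sound cannot make the client authenticate to an
    #    external server. 'Internet' is a built-in firewall address keyword.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress 'Internet' -Action Block -Profile Any | Out-Null
    }
    # 2. Restrict outgoing NTLM. Level 1 only logs to the
    #    Microsoft-Windows-NTLM/Operational channel, which lets you find legacy
    #    dependencies before switching to level 2 (deny all outgoing NTLM).
    $level = if ($DenyNtlm) { 2 } else { 1 }
    New-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $level -Force | Out-Null
    Get-OutlookNtlmHardeningState
}

# Typical rollout: audit first, review the NTLM operational log, then enforce.
Set-OutlookNtlmHardening
```

Running `Set-OutlookNtlmHardening -DenyNtlm` later flips the NTLM policy to deny once the audit log shows no legitimate outbound NTLM use.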
4. New Go-based JaskaGO malware targeting Windows and macOS systems
JaskaGO, a newly discovered cross-platform information-stealing malware written in the Go programming language, poses a significant threat to both Windows and Apple macOS systems. The malware initially targeted macOS through installers posing as legitimate software such as CapCut and AnyConnect.
Once established, it extracts data, executes shell commands, manipulates the clipboard for cryptocurrency theft, and persists on macOS by disabling Gatekeeper protections. To bolster cybersecurity defenses, organizations must prioritize endpoint protection, network monitoring, and regular updates, while also implementing measures like application whitelisting and the principle of least privilege.
5. Google releases urgent updates to patch exploited Chrome zero-day vulnerability
Acknowledging active exploitation in the wild, Google has released immediate security updates (version 120.0.6099.129/130 on Windows and 120.0.6099.129 on macOS and Linux) to curb the risk. Users of other Chromium-based browsers are strongly advised to apply the corresponding fixes as soon as they become available.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.