New phishing attack distributes NetSupport RAT via MS Office

Last week, a surge in cyber threats emerged, including sophisticated phishing campaigns, critical vulnerabilities, and novel denial-of-service (DoS) attacks. Notable incidents involved RedCurl’s exploitation of the PCA in Windows, a critical Remote Code Execution (RCE) vulnerability in Fortra FileCatalyst Workflow, and Fujitsu’s report of a malware attack compromising customer data. Additionally, a new phishing scheme, Operation PhantomBlu, distributed the NetSupport RAT, while the emergence of the ‘Loop DoS’ attack impacted hundreds of thousands of systems, emphasizing the urgency of prompt patching and enhanced security measures.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. RedCurl exploits Windows PCA utility in corporate cyberattacks

The cybercriminal group RedCurl has been exploiting the Program Compatibility Assistant (PCA) feature in Microsoft Windows to execute nefarious activities, using it as an alternative command-line interpreter to evade detection. Operating predominantly in Russian-speaking regions, RedCurl, also known as Earth Kapre and Red Wolf, has been engaging in corporate cyber espionage since at least 2018. Their sophisticated tactics involve distributing phishing emails with malicious attachments, leveraging legitimate utilities like curl to download malicious payloads, and exploiting PCA to execute unauthorized commands.

Recent attacks targeted a major Russian bank and an Australian company, resulting in the theft of confidential data. Analysis by security experts underscores the persistent threat posed by RedCurl and emphasizes the importance of patching systems, implementing access controls, and deploying robust endpoint protection measures to mitigate such threats effectively.
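One way to hunt for the curl-then-PCA pattern described above in process-creation logs, as an added example that is not from the original advisory. The events are constructed; `pcalua.exe` with `-a` is the PCA binary and its launch switch, while the field names, hosts, paths and the 300-second window are assumptions.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
EVENTS = [
    {"t": 100, "host": "ws-01", "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -o C:\Users\Public\report.tmp https://files.example.test/r"},
    {"t": 130, "host": "ws-01", "image": r"C:\Windows\System32\pcalua.exe",
     "cmd": r"pcalua.exe -a C:\Users\Public\report.tmp"},
    {"t": 140, "host": "ws-02", "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe --version"},
    {"t": 900, "host": "ws-03", "image": r"C:\Windows\System32\pcalua.exe",
     "cmd": r"pcalua.exe -a C:\Tools\legacy_app.exe"},
]

def arg_after(tokens, flags):
    """Return the (lower-cased, unquoted) token following the first matching flag."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1].strip('"').lower()
    return None

def detect(events, window=300):
    """Flag every PCA launch; rate it 'high' when the launched file was saved by
    curl on the same host at most `window` seconds earlier, else 'review'."""
    downloads, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        exe = ntpath.basename(ev["image"]).lower()
        tokens = ev["cmd"].split()  # simplification: paths with spaces are not handled
        if exe == "curl.exe":
            out = arg_after(tokens, {"-o", "--output"})
            if out:
                downloads[(ev["host"], out)] = ev["t"]
        elif exe == "pcalua.exe":
            target = arg_after(tokens, {"-a"})
            if target is None:
                continue
            seen = downloads.get((ev["host"], target))
            fresh = seen is not None and ev["t"] - seen <= window
            alerts.append((ev["host"], target, "high" if fresh else "review"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
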

2. New phishing scheme utilizes Microsoft Office technique to distribute NetSupport RAT

Operation PhantomBlu, a new phishing campaign targeting U.S. organizations, employs sophisticated techniques to distribute the NetSupport RAT via Microsoft Office documents. The campaign begins with salary-themed emails, leveraging the Brevo email marketing platform for added legitimacy. Recipients are tricked into opening a Word document containing a malicious payload, triggering the execution of a PowerShell dropper from a ZIP archive file. This dropper retrieves and runs the NetSupport RAT binary from a remote server.

Notably, the use of encrypted .docs and OLE template injection marks a departure from typical deployment tactics for NetSupport RAT. To mitigate this threat, organizations should verify email authenticity before opening attachments, implement email filtering and anti-phishing solutions, and conduct regular security training and software updates.

3. CVE-2024-25153: Critical RCE vulnerability patched in Fortra FileCatalyst Workflow

Fortra FileCatalyst Workflow faces a severe threat due to a critical RCE vulnerability, CVE-2024-25153, allowing attackers to perform directory traversal attacks via the web portal. This vulnerability, with a CVSSv3 score of 9.8, enables attackers to bypass security measures by manipulating POST requests, potentially uploading malicious files outside safe zones, and executing unauthorized code remotely.

The existence of a Proof-of-Concept (PoC) exploit, detailed technical analysis, and exploit code publication on GitHub further increases the risk, as attackers could leverage this PoC to target vulnerable systems. Organizations are strongly advised to apply the recommended patch, FileCatalyst 5.1.6 Build 114 or higher, to mitigate the threat, especially considering the history of ransomware attacks targeting similar products.

4. Fujitsu confirms cyberattack, fears possible data breach

Fujitsu, a leading Japanese tech company, faced a significant cybersecurity incident when malware infiltrated its business systems, potentially compromising sensitive customer data. The breach, disclosed through the company’s news portal, revealed the discovery of malware on business computers, leading to unauthorized access and potential removal of files containing personal and customer-related information.

Fujitsu promptly isolated affected systems and intensified monitoring across its network, while initiating an investigation to determine the breach’s extent and how the malware infiltrated its systems. Despite no reports of customer data misuse, Fujitsu notified regulatory authorities and is preparing individual notices for affected customers, underscoring the importance of robust cybersecurity measures in today’s digital landscape.

5. New ‘Loop DoS’ attack impacts hundreds of thousands of systems

A novel form of denial-of-service (DoS) attack known as Loop DoS, targeting application-layer protocols using User Datagram Protocol (UDP), has emerged, posing a significant threat to a wide range of hosts. Researchers identified a critical vulnerability, CVE-2024-2169, exposing flaws in UDP’s implementation: it is susceptible to IP spoofing and lacks packet validation. This vulnerability enables attackers to orchestrate incessant communication loops, inundating target systems with unbounded traffic.

The potential impact extends to both outdated and contemporary protocols crucial for fundamental internet functions, affecting approximately 300,000 vulnerable internet hosts. To mitigate this risk, it is recommended to apply vendor patches promptly, replace outdated products, implement firewall rules, disable unnecessary UDP services, and enhance protocol security with TCP or request validation measures.
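An in-memory model of the loop and of the request-validation fix, added here as an illustration and not taken from the researchers' work. The REQ/RSP/ERR message format and the handler names are a constructed toy protocol, and no network traffic is sent.

```python
# Toy UDP-style protocol (constructed): b"REQ <text>" is a request,
# b"RSP <text>" a normal reply, b"ERR <reason>" an error reply.

def naive_handler(datagram: bytes):
    """Answers every datagram, including error replies, so two such peers loop."""
    if datagram.startswith(b"REQ "):
        return b"RSP " + datagram[4:]
    return b"ERR unexpected message"

def validating_handler(datagram: bytes):
    """Answers only well-formed requests; replies and errors are dropped silently."""
    if datagram.startswith(b"REQ ") and len(datagram) <= 512:
        return b"RSP " + datagram[4:]
    return None  # no reply, so the peer has nothing to react to

def count_exchanges(handler_a, handler_b, first_datagram: bytes, cap: int = 1000) -> int:
    """Deliver first_datagram to A as if B had sent it, then relay each reply to
    the other side. Returns how many datagrams the two servers sent, up to cap."""
    handlers = (handler_a, handler_b)
    datagram, turn, sent = first_datagram, 0, 0
    while sent < cap:
        reply = handlers[turn](datagram)
        if reply is None:
            break
        sent += 1
        datagram, turn = reply, 1 - turn
    return sent

if __name__ == "__main__":
    seed = b"ERR unexpected message"  # constructed: a datagram that claims to come from B
    print("naive pair:     ", count_exchanges(naive_handler, naive_handler, seed))
    print("validating pair:", count_exchanges(validating_handler, validating_handler, seed))
    print("mixed pair:     ", count_exchanges(naive_handler, validating_handler, seed))
```

The naive pair runs until the cap because each error reply provokes another; one validating endpoint is enough to end the exchange after a single datagram.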
