Cyber Watch – June 7, 2024

Xforce cyber watch banner
Cyber Watch | DigitalXForce

Welcome to the Cyber Watch series for today, Friday 7th June 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.  

This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

97% of Cybersecurity Experts Fear That Their Organization Will Face an AI-related Incident, Deep Instinct Reports

In a stark wake-up call, Deep Instinct’s Voice of SecOps report has laid bare the mounting apprehension amongst cybersecurity professionals as they brace for an impending onslaught of AI-powered cyber threats. The report surveyed 500 senior cyber experts from major U.S. enterprises, revealing a sobering reality – an overwhelming 97% believe their organizations will inevitably face an AI-driven cybersecurity event.

This pervasive sense of impending peril has already catalyzed a seismic shift, with 75% of cybersecurity leaders having adjusted their strategies within the past year to address the rise of AI-powered threats. Of particular concern is the surge in deepfake incidents, which 61% of organizations have grappled with over the past 12 months, with a staggering 75% of these attacks audaciously impersonating the company’s CEO or other C-suite executives.

Most Ransomware Victims Lose Over 40% of Data Despite Paying Ransom

Veeam’s 2024 Ransomware Trends Report has unveiled the harsh reality that ransomware victims permanently lose an average of 43% of their affected data, even after paying exorbitant ransom demands. The report, based on a survey of 1,200 cybersecurity professionals who experienced ransomware attacks in 2023, exposes the widespread unpreparedness of organizations to effectively recover from such crippling incidents.

Despite the vast majority having incident response plans and policies in place, the report paints a grim picture, with backup repositories being targeted in a staggering 96% of attacks and successfully breached in 76% of cases. This alarming statistic underscores the urgent need for organizations to implement robust backup strategies, including alternate backup sites, immutable repositories, and better coordination between cybersecurity, IT, and backup administration teams.

Global Malware Surge Exposes Widespread Cyber Vulnerabilities

WatchGuard Technologies’ latest cyber threat research has unveiled a surging tide of malware that is menacing systems across the globe. The report, which meticulously analyzed network, endpoint, and malware threats during the first quarter of 2024, has sounded a deafening alarm bell for organizations and individuals alike.

At the vanguard of this digital onslaught is a formidable array of malware strains, each bearing an ominous moniker – from Generic.3112968 to Heur.RP.Cu2@b8XPSEbj – that belies the sophisticated and ever-evolving nature of these threats. Notably, the Android/Linux.XORDDoS.AT malware variant has emerged as a potent tool for assembling vast distributed denial-of-service (DDoS) attack networks, capable of crippling critical systems and infrastructure.

Perhaps most disconcerting is the report’s revelation of the sheer geographic expanse of this malware scourge. The Asia-Pacific region bore the brunt of the attacks, accounting for a staggering 62.7% of the observed malware volume, while Europe, the Middle East, and Africa collectively weathered 22.53% of the onslaught. Even the Americas were not spared, facing a 14.71% barrage of these insidious digital threats.

UK School Crippled by Cyber Attack, Forced to Close Temporarily

The Billericay School in Essex, UK, has been forced to temporarily close its doors following a significant cyber-attack. The school has declared a critical incident, with its headteacher, Mr. P. Berry, informing parents that the institution’s entire IT system has been compromised and rendered inaccessible due to a complex encryption attack.

Despite having industry-standard firewalls, firmware, and malware security measures in place, the school fell victim to the relentless onslaught of cyber adversaries. The attack has crippled the school’s ability to operate safely and effectively, prompting a closure on Monday, June 3rd, to allow teaching staff time to prepare alternative instructional methods without access to resources stored on the compromised system.

While public examinations and revision classes for students in Years 11, 12, and 13 will proceed as scheduled, all other timetabled classes have been suspended until Tuesday, June 4th.

FBI Deals Major Blow to Ransomware Gangs, Recovers 7,000 Decryption Keys

The Federal Bureau of Investigation (FBI) has announced the recovery of over 7,000 decryption keys, enabling countless victims to reclaim their data and restore operations in the aftermath of crippling cyber attacks. This monumental achievement is the culmination of the agency’s multi-faceted strategy to disrupt cybercriminal activities and support those impacted by these insidious intrusions.

At the forefront of this comprehensive approach is the FBI’s relentless pursuit of ransomware operations, particularly those emanating from Russian-speaking criminal syndicates. Through a concerted global effort codenamed Operation Endgame, the agency, in collaboration with international partners, has dismantled the infrastructure behind four major malware variants responsible for hundreds of millions of dollars in damages.

US Unveils Cybersecurity Pilot to Fortify Schools Against Ransomware Scourge

 the US government has approved a pioneering cybersecurity pilot program aimed at bolstering the defenses of schools and library systems nationwide. The Federal Communications Commission (FCC) announced the adoption of the “Schools and Libraries Cybersecurity Pilot Program” on Thursday, a three-year initiative proposed by the Cybersecurity and Infrastructure Security Agency (CISA) in response to the alarming surge in ransomware incidents targeting the education sector.

The stark realities underpinning this program are sobering – a lack of budgets, manpower, and cybersecurity expertise has rendered school districts and libraries vulnerable prey for ruthless ransomware groups. According to Comparitech research, the first half of 2023 alone witnessed nearly double the number of attacks on educational institutions compared to the entirety of 2022, impacting the records of 6.7 million students globally and costing local economies a staggering $53 billion in downtime.

The $200 million pilot program, a pet project of FCC Chairwoman Jessica Rosenworcel, aims to provide a lifeline to these embattled institutions. Not only will it cover the costs of essential cybersecurity services and equipment, such as advanced firewall solutions, but it will also gather invaluable data to determine the most effective strategies for fortifying defenses and coordinating responses.

Old ThinkPHP Flaws Exploited in Recent Attacks, Akamai Warns

Akamai has issued a warning about a fresh wave of attacks exploiting two remote code execution (RCE) vulnerabilities in ThinkPHP, a popular open-source web application framework. The vulnerabilities, CVE-2018-20062 and CVE-2019-9082, were publicly disclosed and patched over five years ago, but they continue to impact content management systems using older versions of ThinkPHP.

In two separate campaigns, one in October 2023 and another ongoing since April 2024, a Chinese-speaking threat actor has been exploiting these flaws to fetch malicious files and deploy a web shell called Dama on vulnerable servers. This web shell allows attackers to navigate file systems, tamper with local files, harvest information, and upload files.

Post-exploitation, the attackers perform various malicious activities, including network port scanning, accessing existing databases, and escalating privileges by bypassing disabled PHP functions and executing shell commands. The Dama web shell can also abuse the Windows task scheduler to reconfigure Windows Management Instrumentation (WMI) and add high-privileged users.

New Deceptive ‘Browser Update’ Campaign Spreads Malware

A new malware campaign has been active since late April 2024, tricking users into downloading malicious software by displaying fake “browser update” popups on compromised websites. While mimicking previous notorious campaigns like SocGholish, this one has several unique concerning characteristics.

The infection chain begins with injecting malicious code into vulnerable sites. This code then triggers a poorly written popup saying “Warning Exploit Chrome Detect. Update Chrome Browser” with an “Update” button. Clicking this deceptively redirects users to shady URLs like hxxps:// to initiate a malware download.

The malicious domains involved seem to have been created as early as March 2024, like (March 14). The redirects previously served files named “GoogleChrome-x86.msix” containing malware payloads from the server

Muhstik Botnet Exploits Apache RocketMQ Flaw to Expand its Reach

The notorious Muhstik distributed denial-of-service (DDoS) botnet has been observed leveraging a now-patched critical vulnerability (CVE-2023-33246) in Apache RocketMQ to compromise vulnerable servers and expand its scale. This flaw, with a CVSS score of 9.8, allows remote code execution by forging RocketMQ protocol content or abusing the update configuration function.

Once the vulnerability is exploited to gain initial access, Muhstik executes a remote shell script to retrieve its binary (“pty3”) from another server. It then achieves persistence by copying itself to multiple directories, editing /etc/inittab to autostart, and employing evasion techniques like masquerading as a pseudoterminal process and executing from memory.

The malware gathers system information, moves laterally via SSH, and contacts a command-and-control server over IRC to receive instructions. Its ultimate goal is to weaponize compromised devices for various flooding attacks, overwhelming targets with traffic and causing denial of service.

Major Cyber Attack Disrupts Global Shipping Networks

A major cyber attack has caused significant disruptions to several major global shipping and maritime logistics companies. The attack, which began early Thursday morning, has crippled the computer systems and networks of three of the world’s largest shipping conglomerates – Maersk, MSC, and CMA CGM.

The incident is already having widespread ramifications across global supply chains. With their core freight management and tracking systems down, the impacted companies have had to suspend most operations at ports on every inhabited continent. Vessels at sea have been instructed to proceed to the nearest port until systems can be restored.

While details are still emerging, cybersecurity analysts suspect the attack employed a new strain of file-encrypting ransomware. However, the unprecedented scale, sophistication, and speed of the disruption have led some to theorize it may be a complex wiper or destructive data-corrupting malware designed to cause maximum chaos.

That’s all for today. Stay tuned for our next episode. See you next week!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top

How Can We Help?

Lets collaborate for mutual success