Cyber attacks
20 November 2024

Weekly Summary Cyberattacks 14-20 Nov

China-backed hackers exploit SIGTRAN and GSM protocols to infiltrate telecommunications networks   

A new China-linked cyber espionage group has been identified as responsible for a series of cyberattacks targeting telecommunications entities in South Asia and Africa since at least 2020, with the aim of enabling intelligence collection. Researchers are tracking this adversary under the name Liminal Panda and describe it as having deep knowledge of telecommunications networks, the protocols that underpin them, and the various interconnections between providers. The threat actor's malware portfolio includes customized tools that facilitate clandestine access, command-and-control (C2), and data exfiltration. According to the researchers, Liminal Panda has used compromised telecommunications servers to initiate intrusions into other providers in different geographic regions.

New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers   

Cybersecurity researchers have identified a new malware loader called BabbleLoader, designed to distribute information stealer families such as WhiteSnake and Meduza. The loader is highly evasive, with defensive mechanisms that allow it to bypass antivirus and sandbox environments. It targets users looking for pirated software as well as finance professionals, disguising itself as accounting software. BabbleLoader uses techniques such as junk code and metamorphic transformations to modify its structure and avoid signature- or behaviour-based detection. It resolves functions only at runtime and uses noisy code that makes it difficult to analyse with tools such as IDA or Ghidra. Each sample is unique in its code, metadata and control flow, which forces detection models to adapt constantly and leads to errors or false alarms.

Critical WordPress Plugin vulnerability exposes over 4 million sites  

A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both the free and premium versions of the plugin. The software is installed on over 4 million WordPress sites. The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack targeting WordPress websites. According to Wordfence, the authentication bypass vulnerability, found in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called "check_login_and_get_user", allowing unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled.
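A quick way for site operators to confirm exposure is to check the installed plugin version against the affected range quoted above. The following is an added example (not code from Wordfence or the plugin) that filters `wp plugin list --format=json` output for vulnerable builds; the plugin slugs and the sample wp-cli output are assumptions constructed for illustration.

```python
"""Flag Really Simple Security installs in the CVE-2024-10924 affected range
(9.0.0 through 9.1.1.1 inclusive, as stated in the advisory summary)."""
import json

AFFECTED_MIN = "9.0.0"
AFFECTED_MAX = "9.1.1.1"
# Assumed slugs for the free and premium builds; confirm against your own `wp plugin list`.
PLUGIN_SLUGS = {"really-simple-ssl", "really-simple-ssl-pro"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '9.1.1.1' into (9, 1, 1, 1). Trailing zeros are stripped so that
    9.1 and 9.1.0 compare equal; a non-numeric component raises ValueError."""
    parts = tuple(int(p) for p in version.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_affected(version: str) -> bool:
    """True if the version lies inside the inclusive affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def affected_plugins(wp_cli_json: str) -> list[dict]:
    """Reduce `wp plugin list --format=json` rows to entries needing an update."""
    rows = json.loads(wp_cli_json)
    return [r for r in rows if r.get("name") in PLUGIN_SLUGS and is_affected(r["version"])]


# Constructed sample in the shape wp-cli emits (name/status/update/version).
SAMPLE = json.dumps([
    {"name": "really-simple-ssl", "status": "active", "update": "available", "version": "9.1.1.1"},
    {"name": "really-simple-ssl-pro", "status": "active", "update": "none", "version": "9.1.2"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for row in affected_plugins(SAMPLE):
        print(f"{row['name']} {row['version']}: update required (CVE-2024-10924)")
```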

New PXA Stealer malware discovered targeting governments and education in Europe and Asia   

A group of researchers has identified an information theft campaign operated by a Vietnamese-speaking threat actor using a malware called PXA Stealer. Written in Python, it targets sensitive data such as account credentials, financial information, cookies, and data from VPNs, password managers, and cryptocurrency wallets. Attacks have affected educational entities in India and government agencies in countries such as Sweden and Denmark. The malware, which employs advanced obfuscation techniques and is distributed via phishing emails carrying malicious ZIP files, allows attackers to decrypt browser master keys and steal the stored information. In addition, it uses a Telegram bot to exfiltrate data and has infrastructure hosted on possibly compromised domains.

Technical analysis of HawkEye malware released   

HawkEye, also known as PredatorPain, is a malware family with more than a decade of history that started as a simple keylogger but has evolved to include data and credential theft as well as system persistence functions. It emerged around 2008 and gained notoriety in 2013 thanks to spearphishing campaigns. Its easy availability on the dark web, together with cracked versions, made it a popular tool among cybercriminals and hobbyists. During the COVID-19 pandemic its use rebounded, taking advantage of the global panic to attack businesses. The malware uses a variety of distribution methods, from emails with malicious attachments to seemingly free software. Once executed, it injects code, steals data and sends it to a server controlled by the attackers.