Weekly summary of cyberattacks, 19-15 Dec
Phishing campaign targeting European companies detected
Cybersecurity researchers have discovered a phishing campaign, active since June 2024, affecting companies in sectors such as automotive, chemical and manufacturing in Europe, especially in Germany and the UK. Its main objective was to steal credentials for access to Microsoft Azure cloud infrastructure. The campaign used emails carrying malicious PDF attachments or embedded HTML links that redirected to fraudulent forms built with HubSpot Free Form Builder. Although HubSpot itself was not compromised, victims were then taken to fake Microsoft Outlook login pages designed to harvest credentials. At least 20,000 affected users were identified. The attackers also showed sophisticated tradecraft, such as using VPNs so that their logins appeared to come from trusted locations, and maintaining access to compromised accounts through authorized devices. The targeted organizations received emails with personalized attachment names that mimicked legitimate documents.
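The two persistence tricks mentioned above (logging in through a VPN so the source looks trusted, then authorizing a device to keep access) leave a recognizable pattern in cloud sign-in and audit logs: a successful login from a network the account has never used before, followed shortly by a device registration. The script below is an added example of triaging that pattern; it is not code from the report or from any of the researchers it cites. The event records are constructed for the example, and the field names (`kind`, `asn`, `device_registered`) are an assumed simplified schema, not any specific vendor's log format.

```python
"""Triage of sign-in / audit events for "new network, then new device" on one account.

Added example. The records below are constructed, and the field names are an
assumption (a simplified schema, not a real provider's log format).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). "signin" events are authentication
# attempts; "device_registered" events are audit entries for a device being
# authorized on the account. The ASN label stands in for the source network.
SAMPLE_EVENTS = [
    {"ts": "2024-12-10T09:00:00", "kind": "signin", "user": "j.smith@example.co.uk",
     "ip": "192.0.2.5", "asn": "AS64500-CorpVPN", "result": "success"},
    {"ts": "2024-12-16T08:02:11", "kind": "signin", "user": "a.mueller@example.de",
     "ip": "203.0.113.10", "asn": "AS64500-CorpVPN", "result": "success"},
    {"ts": "2024-12-16T08:40:05", "kind": "signin", "user": "a.mueller@example.de",
     "ip": "203.0.113.10", "asn": "AS64500-CorpVPN", "result": "success"},
    {"ts": "2024-12-17T09:00:00", "kind": "signin", "user": "j.smith@example.co.uk",
     "ip": "192.0.2.5", "asn": "AS64500-CorpVPN", "result": "success"},
    {"ts": "2024-12-17T09:05:00", "kind": "device_registered", "user": "j.smith@example.co.uk",
     "ip": "192.0.2.5", "asn": "AS64500-CorpVPN", "result": "success"},
    {"ts": "2024-12-17T21:13:42", "kind": "signin", "user": "a.mueller@example.de",
     "ip": "198.51.100.77", "asn": "AS64501-ConsumerVPN", "result": "success"},
    {"ts": "2024-12-17T21:20:09", "kind": "device_registered", "user": "a.mueller@example.de",
     "ip": "198.51.100.77", "asn": "AS64501-ConsumerVPN", "result": "success"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def flag_suspicious_device_registrations(events, window_hours=24):
    """Return one finding per device registration that was preceded, within the
    window, by a successful sign-in from a network the account had not used
    before the window. Accounts with no history before the window get flagged
    on any registration, which is the intended conservative behaviour."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        logins = [x for x in evs if x["kind"] == "signin" and x["result"] == "success"]
        for reg in (x for x in evs if x["kind"] == "device_registered"):
            t_reg = _parse(reg["ts"])
            window_start = t_reg - timedelta(hours=window_hours)
            # Baseline: networks seen on successful sign-ins before the window.
            baseline_asns = {x["asn"] for x in logins if _parse(x["ts"]) < window_start}
            recent = [x for x in logins if window_start <= _parse(x["ts"]) <= t_reg]
            novel = sorted({x["asn"] for x in recent if x["asn"] not in baseline_asns})
            if novel:
                findings.append({
                    "user": user,
                    "registered_at": reg["ts"],
                    "registration_ip": reg["ip"],
                    "novel_login_asns": novel,
                })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_device_registrations(SAMPLE_EVENTS):
        print(f"{f['user']}: device registered at {f['registered_at']} from {f['registration_ip']} "
              f"after sign-in via new network(s) {', '.join(f['novel_login_asns'])}")
```

On the constructed data only `a.mueller@example.de` is flagged: the registration follows a login from a network absent from that account's baseline, whereas `j.smith@example.co.uk` registered a device from the same network the account had used a week earlier. The window length and the choice of ASN (rather than raw IP) as the network key are tuning decisions; a VPN exit that the attacker picked to look local will often still differ from the account's habitual ASN.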
Gozi malware resurfaces on Black Friday: alert for online banking attacks
This past Black Friday, November 29, 2024, saw a worrying increase in the activity of Gozi, a well-known banking Trojan that mainly targets financial institutions in North America. The high transaction volume and reduced user attention on that day provided the ideal scenario for attacks based on web injection, a technique that infiltrates online banking sessions to steal credentials and financial data without the user noticing. Gozi, also known as Ursnif, is a modular malware family active since the mid-2000s and known for its ability to evade detection and steal sensitive information. During Black Friday the attacks intensified, injecting malicious code into legitimate pages so that banking operations could be manipulated in real time. Experts warn that this activity will continue through the holiday shopping season, when consumers make hurried transactions in search of bargains. Researchers stress the need for preventive measures by both companies and individual users, who should remain alert to suspicious activity and protect their accounts with strong passwords.
BellaCiao malware variant rewritten in C++ detected
Cybersecurity researchers have identified a new variant of the BellaCiao malware, called BellaCPP, that has been rewritten in C++. BellaCiao, attributed to the APT group Charming Kitten, is known for its ability to persist covertly and create clandestine tunnels. The new variant was found on a computer in Asia on which an older, .NET-based version of BellaCiao was also detected. BellaCPP is distributed as a DLL file designed to run as a Windows service. It employs techniques similar to its predecessor's, such as generating custom domains and using encryption to hide critical functions; however, this version does not include the webshell functionality present in the original samples. The analysis suggests that BellaCPP pursues similar goals, using domains previously linked to Charming Kitten. The researchers note that the evolution of this malware family shows a continuous improvement in its capabilities, underscoring the need for in-depth investigations of compromised networks to identify unknown variants that can bypass existing defenses.
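A DLL that "runs as a Windows service" has to be loaded by a host process, and the usual mechanism is the `ServiceDll` value under a service's `Parameters` key, loaded by `svchost.exe`. A cheap hunt for this kind of persistence is therefore to list every service that declares a `ServiceDll` and look for DLLs living outside the system directories or hosted by something other than `svchost.exe`. The script below is an added example of that check, not code from the report or from the researchers it cites. It assumes the conventional `ServiceDll` hosting (the report does not say how BellaCPP is hosted) and takes as input a `|`-separated export of service name, `ImagePath` and `ServiceDll` that an administrator would produce from the Services hive; the export format and every record in it are constructed for the example.

```python
"""Hunt for DLL-hosted Windows services in unusual locations.

Added example. Assumes the ServiceDll/svchost hosting mechanism and a
constructed '|'-separated export (service | ImagePath | ServiceDll);
none of the records below come from real systems.
"""

# Constructed sample export. ServiceDll is empty for EXE-based services.
# The last record is the constructed "suspicious" one.
SAMPLE_EXPORT = r"""
Dhcp|%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkFirewall -p|%SystemRoot%\System32\dhcpcore.dll
Schedule|%SystemRoot%\system32\svchost.exe -k netsvcs -p|%SystemRoot%\system32\schedsvc.dll
Spooler|%SystemRoot%\System32\spoolsv.exe|
UpdateHelperSvc|%SystemRoot%\system32\svchost.exe -k netsvcs|C:\ProgramData\UpdateHelper\uphelper.dll
"""

# Directories where legitimate service DLLs are expected (lower-case, trailing backslash).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Environment variables commonly used in service paths; expansion assumes a default install.
ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


def normalize_path(path):
    """Lower-case the path, drop surrounding quotes and expand known environment variables."""
    p = path.strip().strip('"').lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def classify_service(name, image_path, service_dll):
    """Return the reasons a DLL-hosted service deserves analyst attention (empty list = nothing unusual)."""
    reasons = []
    dll = normalize_path(service_dll) if service_dll else ""
    host = normalize_path(image_path)
    if not dll:
        return reasons  # EXE-based service: outside the scope of this DLL-focused check
    if not dll.startswith(TRUSTED_DIRS):
        reasons.append(f"ServiceDll outside the system directories: {service_dll.strip()}")
    if "svchost.exe" not in host:
        reasons.append(f"ServiceDll configured but host is not svchost.exe: {image_path.strip()}")
    return reasons


def scan_export(text):
    """Parse the export and map each flagged service name to its list of reasons."""
    findings = {}
    for line in text.strip().splitlines():
        fields = line.split("|")
        if len(fields) != 3:
            continue  # malformed line; skip rather than guess
        name, image_path, service_dll = fields
        reasons = classify_service(name, image_path, service_dll)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_export(SAMPLE_EXPORT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On the constructed export only `UpdateHelperSvc` is reported, because its DLL sits under `C:\ProgramData`. Location alone is a triage signal, not a verdict: the follow-up is to check the DLL's signature and hash, when the service key was created, and whether the service name appears in the baseline of a known-good build.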
Massive attacks on vulnerabilities in Ivanti, PHP and network devices detected
A recent report has revealed massive attacks targeting vulnerabilities in authentication systems, network devices and IoT equipment, among others. Cybercriminals have exploited critical vulnerabilities such as CVE-2024-7593 in Ivanti Virtual Traffic Manager, which allows administrator authentication to be bypassed, and CVE-2024-4577 in PHP, which makes it possible to execute arbitrary commands in certain configurations. Also noteworthy are attacks on libraries such as Ruby SAML, which could facilitate unauthorized access. Vulnerable network devices from brands such as Cisco, TP-Link and Citrix are recurring targets, as are older operating systems and remote-access protocols such as VNC, which are used in brute-force attacks. In addition, researchers have identified more than 270 recent phishing campaigns focused on obtaining sensitive data through fraudulent emails. Experts stress the importance of updating systems, blocking vulnerable ports and strengthening passwords to mitigate these risks.