SmokeLoader resurfaces and exploits old vulns

SmokeLoader, an old and infamous malware loader known for its sophisticated evasion techniques, has resurfaced to target the IT, manufacturing and healthcare sectors in Taiwan. The new variant is triggered through a Microsoft Excel file sent in a phishing email and exploits old Microsoft Office vulnerabilities (CVE-2017-0199, CVE-2017-11882) to get deployed on compromised hosts. Last month, it was revealed that a new campaign deploying the Remcos RAT has also leveraged these flaws. SmokeLoader’s reappearance comes only six months after the law enforcement action “Operation Endgame”, which dismantled around 1,000 C2 domains related to the malware.

Mitigate it

Disable the Windows HTA handler; in FortiEDR, enable the “Unconfirmed Executable” rule in the Exfiltration Prevention security policy to block the execution of Remcos malware.

MOVEit leaks continue

Nam3l3ss, the mysterious threat actor who recently leaked corporate information gained during the 2023 MOVEit mass exploitation campaign, has published an additional 760K employee records. The new data concerns large firms including Bank of America, Koch, Nokia, JLL, Xerox, Morgan Stanley and Bridgewater.

Vulnerabilities in sports

The Italian Bologna Football Club has been targeted by RansomHub, one of the most prolific ransomware groups worldwide, known for exploiting a wide range of known vulnerabilities. Following the attack, RansomHub is threatening to publish confidential and medical information of Bologna FC’s players, personal data of fans and financial documents.

Decade-old Cisco flaw is now exploited

Cisco reports that a decade-old vulnerability in its ASA products (CVE-2014-2120) is now being exploited in the wild. Last month, it was reported that the Androxgh0st botnet is exploiting various vulnerabilities in network devices, including CVE-2014-2120. Successful exploitation results in XSS attacks against WebVPN users, but it may require user interaction.

UK's national healthcare targeted again

Ransomware actors keep targeting the UK’s healthcare sector. Last month, INC Ransom compromised the NHS Alder Hey Children’s Hospital and RansomHub attacked NHS Trust Foundation Trust. Both groups are highly skilled in vulnerability exploitation.

Palo Alto and Cisco flaws against UK

The head of the UK’s National Cyber Security Centre (NCSC) stated that the country suffered “89 nationally significant incidents” last year. Six of them were made possible by the exploitation of two zero-days: the notorious vulnerability in Palo Alto PAN-OS (CVE-2024-3400) and a flaw in Cisco IOS XE (CVE-2023-20198). The latter was part of a mass exploitation campaign that compromised around 50K devices one year ago, and it has also been leveraged in an attack targeting Norway.

New security features in the next Windows version

Following the CrowdStrike incident and the review of its security policy, Microsoft will release in 2025 a Windows version with enhanced protection features. Among others, it will include stronger controls against malware and script attacks targeting both applications and drivers, improved identity protection against phishing, quick machine recovery, and a mechanism allowing “security solution providers to have the access they need” outside of the kernel.

Mitigate it

For CVE-2023-20198: disable the HTTP server feature on internet-facing systems by removing the “ip http server” and “ip http secure-server” commands from the system configuration.
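As an added example (not from the newsletter or from Cisco), a small Python audit that scans IOS / IOS XE running-config text for the two commands named above and emits the `no` form needed to remove them; the sample configs are constructed.

```python
"""Audit Cisco IOS / IOS XE running-config text for the HTTP server feature.

Added example, not part of the newsletter. It looks for the two commands the
mitigation text says to remove ("ip http server", "ip http secure-server")
and produces the "no ..." global-configuration commands that remove them.
"""

HTTP_CMDS = ("ip http server", "ip http secure-server")

# Constructed sample: an edge router with the web UI enabled.
VULNERABLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample: the same router after the mitigation was applied.
HARDENED_CONFIG = """\
!
hostname edge-router-1
!
no ip http server
no ip http secure-server
!
"""


def http_server_state(config: str) -> dict:
    """Return {command: 'enabled' | 'disabled' | 'absent'} for each HTTP command.

    'absent' means the line never appeared; on some images the platform default
    then applies, so treat 'absent' as 'verify on the device', not as safe.
    """
    state = {cmd: "absent" for cmd in HTTP_CMDS}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace, drop trailing spaces
        if not line or line.startswith("!"):
            continue  # blank line or comment
        for cmd in HTTP_CMDS:
            if line == cmd:
                state[cmd] = "enabled"
            elif line == f"no {cmd}":
                state[cmd] = "disabled"
    return state


def remediation_commands(config: str) -> list:
    """Global-configuration commands that disable any HTTP server still enabled."""
    return [f"no {cmd}" for cmd, st in http_server_state(config).items() if st == "enabled"]
```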
