Cyber Briefing: 2024.12.18

👉 What's trending in cybersecurity today?

Phishing, MSC Files, Backdoor, Pakistan, Bitter APT, Turkey, Defense Sector, WmRAT, MiyaRAT, Malware, Google, RiseLoader, VMProtect, Apache Tomcat, Remote Code Execution, DoS Attacks, University of Central Florida, Hack, Canada, Supermarket, Cyberattack, Avril Supermarché Santé, Ecritel, Ransomware Attack, Waverley Christian College, Ransomware, Kitsap Mental Health Services, Breach, CISA, Federal Agencies, Microsoft Cloud Security, Nebraska, Lawsuit, Change Healthcare, UnitedHealth Group, Moscow, Recorded Future, Undesirable, Meta, Fine, Ireland, Data Protection Commission, Cisco, Acquisition, SnapAttack.


Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.


🚨 Cyber Alerts

1. Pakistan Targeted With Malicious Backdoors

A phishing campaign targeting Pakistan has been uncovered that uses tax-themed lures and malicious Microsoft Common Console Document (MSC) files to deploy a stealthy backdoor. The lures carry double extensions such as .pdf.msc. Because Windows Explorer hides the last extension of known file types by default, a file such as invoice.pdf.msc is listed as invoice.pdf and, when double-clicked, opens in the Microsoft Management Console (MMC) rather than a PDF viewer. MMC executes JavaScript embedded in the console file, which loads obfuscated malware, including a DLL ("DismCore.dll"), giving the attackers data exfiltration and remote command execution.
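The point for defenders is that the lure only works if mmc.exe is allowed to open a console file that arrived by mail or download. The following detection logic is an added example, not code from the report on this campaign: it runs over constructed process-creation events (hypothetical hosts and paths, and an assumed image/parent/cmdline field layout rather than any vendor's real schema) and flags mmc.exe launches whose .msc argument hides behind a document extension, or that come from a user-writable location.

```python
"""Flag MMC launches of console (.msc) files that masquerade as documents.

Added example; not code from the report on the campaign. It runs over
constructed process-creation events rather than real telemetry, and the
field names (image, parent, cmdline) are an assumption about the log schema.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Document extensions a lure borrows so "Notice.pdf.msc" is shown as
# "Notice.pdf" when Explorer hides known extensions.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                  ".ppt", ".pptx", ".txt", ".jpg", ".png"}

# Windows never loads its own consoles from these locations; an .msc opened
# from here arrived by mail, browser, or archive.
SUSPECT_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\",
                "\\desktop\\", "\\users\\public\\")

# A quoted path ending in .msc, or an unquoted whitespace-free one.
MSC_ARG = re.compile(r'"([^"]+?\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

# Constructed sample events (hypothetical user, hosts and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: Explorer opening a built-in snap-in.
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    # Lure: double extension, opened from Downloads.
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Tax Notice.pdf.msc"'},
    # Suspicious: single extension, but extracted from an archive into Temp.
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Users\alice\AppData\Local\Temp\console.msc'},
    # Not MMC at all: ignored.
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\Downloads\notes.pdf.msc"'},
]


def msc_arguments(cmdline: str) -> List[str]:
    """Return every .msc path on the command line, quoted or not."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(cmdline)]


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious mmc.exe launch, else None."""
    if PureWindowsPath(event["image"]).name.lower() != "mmc.exe":
        return None
    for path in msc_arguments(event["cmdline"]):
        p = PureWindowsPath(path)
        suffixes = [s.lower() for s in p.suffixes]  # "x.pdf.msc" -> [".pdf", ".msc"]
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS:
            return {"severity": "high", "reason": "double-extension .msc lure",
                    "path": path, "parent": event["parent"]}
        if any(d in str(p).lower() for d in SUSPECT_DIRS):
            return {"severity": "medium", "reason": ".msc opened from user-writable location",
                    "path": path, "parent": event["parent"]}
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify over a batch and keep only the findings."""
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}: {f['path']} (parent: {f['parent']})")
```

The parent process is carried through because it is the second discriminator: a console launched from Outlook, a browser or an archiver is far more interesting than one launched from Explorer over a System32 path. Where MMC is not needed by end users, an application control rule that blocks mmc.exe from opening .msc files outside System32 removes the lure entirely.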


2. Bitter APT Targets Turkey with WmRAT Malware

In November 2024, Bitter APT, a cyber espionage group assessed to be South Asian, launched a targeted attack on Turkey's defense sector, deploying two malware families, WmRAT and MiyaRAT. The attack used a RAR archive containing a decoy document about a World Bank initiative in Madagascar together with a malicious shortcut (LNK) file; the PowerShell code the shortcut ran was concealed in an alternate data stream (ADS), a location that ordinary directory listings do not show.


3. Hackers Exploit Google Tools for Phishing

Cybercriminals are increasingly abusing Google Calendar and Google Drawings to bypass email security and run phishing campaigns. Because the invitations and notifications are generated by Google's own services, the resulting emails appear to come from trusted sources, including Google itself, and carry calendar invites or links to malicious Google Drawings. These links redirect victims to fraudulent websites, where they are tricked into entering personal or financial information. The tactic has impersonated over 300 brands, with thousands of phishing emails detected in a short period.


4. RiseLoader Malware Targets Windows Systems

RiseLoader, a newly discovered malware family, emerged in October 2024 and has been linked to the threat groups behind RisePro and PrivateLoader. It uses a custom TCP-based binary protocol to download and execute second-stage payloads, and its samples are often protected with VMProtect to hinder analysis. It has been observed distributing several other malware families and collects information about installed cryptocurrency applications and browser extensions. RiseLoader establishes an encrypted connection with a C2 server, exchanges system information, receives payload URLs, and executes what it downloads.


5. Critical Apache Tomcat Flaws Allow RCE

Two vulnerabilities in Apache Tomcat, the widely used open-source servlet container, were recently disclosed, one allowing remote code execution and the other denial of service (DoS); the Tomcat project rates them Important and Low respectively. The first (CVE-2024-50379) is a time-of-check/time-of-use race condition: on a case-insensitive file system, with the default servlet write-enabled (the non-default readonly=false setting), concurrent reading and uploading of the same path under load can bypass Tomcat's case sensitivity checks so that an uploaded file is compiled as a JSP, yielding remote code execution. The second (CVE-2024-54677) is a DoS in the bundled examples web application, which did not limit the size of uploaded data and could be driven into an OutOfMemoryError. Both are fixed in Tomcat 11.0.2, 10.1.34 and 9.0.98.
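Because the RCE needs a non-default configuration, the practical check is two-fold: is the default servlet write-enabled, and is the build older than the fixed release. The script below is an added example, not code from the Apache Tomcat project; the two web.xml documents are constructed to show the weak setting beside the hardened one, and the version banner is a string you would take from the server's Server header, the output of version.sh, or the catalina.jar manifest.

```python
"""Audit a Tomcat instance for the CVE-2024-50379 precondition and patch level.

Added example, not code from the Apache Tomcat project. The web.xml documents
below are constructed; the version banner is an input you supply.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# First releases containing the fix for both CVEs, keyed by major version.
# Anything older on a branch, or on an end-of-life branch (8.5.x, 10.0.x),
# is treated as unpatched.
FIXED_IN = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}

# Constructed conf/web.xml fragment with the weak setting (readonly=false).
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Same fragment with the hardened (and default) setting.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>")


def _local(tag: str) -> str:
    """Strip the XML namespace so '{...javaee}servlet' compares as 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem: ET.Element, name: str) -> Optional[str]:
    """Text of the first direct child with the given local name."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Init-params of the servlet whose class is Tomcat's DefaultServlet."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if not (_text(servlet, "servlet-class") or "").endswith(".DefaultServlet"):
            continue
        params: Dict[str, str] = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                name = _text(ip, "param-name")
                if name:
                    params[name] = _text(ip, "param-value") or ""
        return params
    return {}


def default_servlet_writable(web_xml: str) -> bool:
    """True when readonly=false, the non-default setting the RCE requires."""
    return default_servlet_params(web_xml).get("readonly", "true").lower() == "false"


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """'Apache Tomcat/9.0.97' -> (9, 0, 97); None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_fixed(banner: str) -> bool:
    """True when the banner is at or above the fixed release for its branch."""
    v = parse_version(banner)
    if v is None:
        return False
    fixed = FIXED_IN.get(v[0])
    return fixed is not None and v >= fixed


def assess(web_xml: str, banner: str) -> str:
    writable = default_servlet_writable(web_xml)
    patched = version_fixed(banner)
    if writable and not patched:
        return "EXPOSED: write-enabled default servlet on an unpatched build; set readonly=true and upgrade"
    if not patched:
        return "UNPATCHED: RCE precondition absent, but upgrade (the examples DoS is fixed in the same releases)"
    if writable:
        return "WRITABLE: patched, but a write-enabled default servlet is rarely needed; prefer readonly=true"
    return "OK"


if __name__ == "__main__":
    for banner in ("Apache Tomcat/9.0.97", "Apache Tomcat/9.0.98"):
        print(banner, "| weak config:", assess(VULNERABLE_WEB_XML, banner))
        print(banner, "| hardened   :", assess(HARDENED_WEB_XML, banner))
```

Run the same check against each deployed application's WEB-INF/web.xml as well, since a web application can override the global default servlet, and remove the examples web application from production hosts regardless of version; the race is only reachable on case-insensitive file systems (Windows and default macOS volumes), but the upgrade applies everywhere.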



💥 Cyber Incidents


6. Thieves Steal $107K from UCF in Cyber Heist

In a vendor payment-fraud scheme, thieves stole $107,625 from the University of Central Florida (UCF) by compromising a vendor's computers and tricking the university into redirecting a payment to a fraudulent bank account. The scheme unfolded over 12 days, during which a spam flood against the university's email system delayed detection of the fraud. Despite the university's efforts to recover the funds, most of the money was already gone by the time the theft was discovered.


7. Avril Supermarket Chain Hit by Cyberattack

Avril, a supermarket chain based in Canada, has been targeted by a cyberattack that has disrupted its operations since December 12, 2024. The attack caused slowdowns across Avril's locations, including long lines due to limited cash registers and manual entry of product codes. Although the supermarkets remain open, some checkouts were closed, and the transactional site experienced delays in order preparation and deliveries. Avril is currently working with cybersecurity experts to assess the impact and restore normal operations.


8. France's Ecritel Hit With Ransomware Attack

On December 8, 2024, the French digital services company Ecritel was targeted in a cyberattack later claimed by the ransomware group Hunters International, which says it stole approximately 270 GB of data. Ecritel states that its security team detected and contained the attack quickly and that the incident had no impact on business continuity or customer platforms.


9. Waverley Christian College Hit by Ransomware

Waverley Christian College, located in Victoria, Australia, has confirmed it was targeted by a ransomware attack, with the Fog ransomware group claiming responsibility. The attack, which occurred in December 2024, allegedly resulted in the theft of five gigabytes of data, including financial and insurance documents, as well as internal correspondence. The gang posted the college's name on their darknet leak site, but no ransom amount or deadline for the data's release has been disclosed.


10. Kitsap Mental Health Services Suffers Breach

Kitsap Mental Health Services, a nonprofit organization based in Bremerton, Washington, recently confirmed a data breach that exposed sensitive personal information of its consumers. The breach, which was detected on October 17, 2024, involved unauthorized access to confidential data, including names, addresses, birth dates, Social Security numbers, driver's license numbers, medical and health insurance information, and financial details.



📢 Cyber News


11. CISA Mandates Federal Cloud Security Upgrade

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 25-01, requiring federal civilian agencies to harden their Microsoft cloud tenants following recent intrusions. The directive builds on CISA's Secure Cloud Business Applications (SCuBA) project, which publishes secure configuration baselines and an assessment tool for cloud environments. Agencies must inventory their cloud tenants by February 2025, deploy the SCuBA assessment tooling by April 2025, and bring their tenants into compliance with the baselines by June 2025.


12. Nebraska Sues Change Healthcare Over Breach

Nebraska's Attorney General has filed a lawsuit against Change Healthcare, a subsidiary of UnitedHealth Group (UHG), for violating state consumer protection and data security laws following a major ransomware attack in February 2024. The attack, which exposed sensitive healthcare information and disrupted critical medical services, affected around 100 million Americans, including thousands in Nebraska. The lawsuit claims that the breach, which crippled the payment and claim processing systems, led to delayed patient care, financial strain on healthcare providers, and an increase in scams targeting affected individuals.


13. Moscow Bans US Firm Recorded Future

Russia has labeled the U.S. cybersecurity firm Recorded Future as an "undesirable" organization, accusing it of involvement in cyberattacks against Moscow. The company's staff allegedly cooperate with U.S. intelligence agencies, including the CIA, and contribute to anti-Russian propaganda efforts. Founded in the U.S. and now a part of Mastercard, Recorded Future specializes in threat intelligence and cybersecurity services. This move adds Recorded Future to a growing list of 194 entities deemed undesirable by the Russian government since 2015.


14. Meta Fined €251M for 2018 Facebook Breach

Meta Platforms has been fined €251 million by the Irish Data Protection Commission (DPC) for a 2018 Facebook data breach that affected approximately 29 million accounts globally, including 3 million in the European Union. The breach was caused by a vulnerability in Facebook's "View As" feature, which allowed attackers to steal account access tokens and access sensitive user information, including names, emails, phone numbers, and even children’s data. The fine, issued under GDPR regulations, highlights Meta’s failure to incorporate data protection measures during system design and development.


15. Cisco Acquires SnapAttack to Boost Security

Cisco has acquired SnapAttack, a threat detection and detection-engineering company, to extend the security capabilities of Splunk, which Cisco acquired in March 2024 for $28 billion. SnapAttack's expertise in threat detection engineering will accelerate Splunk's "detection-as-code" roadmap, helping organizations manage security operations center (SOC) detections as versioned, testable content.



Subscribe and Comment.

Copyright © 2024 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
