Saturday 7th December 2024

Happy Saturday! I hope you're all having a great start to the weekend. Today, we’re looking into how a Russian hacking group is levelling up its malware game with clever use of Cloudflare Tunnels, uncovering Mitel MiCollab’s patching woes with a critical zero-day bug still in the wild, and meeting a Nebraskan cryptojacker who managed to rack up $3.5 million in unpaid cloud bills.

Enjoy! Have a great weekend.

Gamaredon: Cloudflare Tunnels in a Cybercrime Playbook

The Russian-linked threat actor Gamaredon, also known as BlueAlpha, is upping its game. A new analysis by Recorded Future reveals the group has adopted Cloudflare Tunnels to obscure malware staging infrastructure in its ongoing spear-phishing attacks targeting Ukrainian organisations since early 2024. Their tool of choice? GammaDrop, a malware dropper deploying a variety of tools designed for data theft and persistence.

BlueAlpha, active since 2014, leverages techniques like HTML smuggling and fast-flux DNS to evade detection. Recent attacks involve phishing emails with malicious HTML attachments, which drop archives containing payloads such as GammaDrop. This dropper fetches further malware, including tools to exfiltrate credentials, cookies, and even Telegram and Signal data.

  • The arsenal: Tools like PteroSteal, PteroCookie, and PteroSig target data inside browsers and apps. Others, like PteroScreen, capture screenshots, while PteroSocks provides partial proxy functionality.
  • Not stealthy but effective: While Gamaredon’s tools lack sophistication, their frequent updates and obfuscation tactics complicate detection.

By piggybacking on legitimate services like Cloudflare, BlueAlpha makes it harder for traditional defences to block its operations. Security experts warn that organisations with limited detection capabilities may face evolving challenges.

As BlueAlpha refines its evasion tactics, vigilance and adaptive defences remain crucial for organisations in its crosshairs.


Mitel MiCollab’s Security Bugchain: Exploit Unleashed

Mitel’s enterprise collaboration tool, MiCollab, is under scrutiny after researchers at watchTowr published a proof-of-concept (PoC) exploit combining a patched critical flaw with an unpatched zero-day vulnerability. This exploit could allow attackers to access sensitive files on vulnerable systems.

  1. CVE-2024-35286: A critical SQL injection flaw in MiCollab's NuPoint Unified Messaging component, patched in May, allowing attackers to extract sensitive data and perform database operations.
  2. CVE-2024-41713: An authentication bypass vulnerability enabling attackers to conduct path traversal attacks, patched in October.
  3. Unpatched zero-day: An arbitrary file read flaw requiring authentication. Chaining this with the bypass bug lets attackers access files like /etc/passwd without credentials.

With over 16,000 instances in use, MiCollab is a prime target for ransomware gangs and cybercriminals. While Mitel addressed two of the flaws, the arbitrary file read vulnerability remains unpatched despite a promise to fix it by early December. watchTowr disclosed the issue to Mitel in August and decided to publish the PoC after waiting over 100 days.

Mitel users should ensure patches for CVE-2024-35286 and CVE-2024-41713 are applied immediately. Meanwhile, stay alert for updates on the unpatched vulnerability and consider additional mitigations to protect against potential exploits.


Nebraska Man Pleads Guilty to $3.5M Cryptojacking Scheme

Charles O. Parks III, aka "CP3O," admitted to running a large-scale cryptojacking operation, racking up $3.5 million in unpaid cloud computing fees to mine about $970,000 worth of cryptocurrency.

Between January and August 2021, Parks created fake accounts under aliases like "MultiMillionaire LLC" and "CP3O LLC" to access computing power from two cloud providers, suspected to be Amazon and Microsoft. Using deferred billing and elevated service levels, he launched tens of thousands of mining instances to churn out cryptocurrencies like Ether (ETH), Litecoin (LTC), and Monero (XMR).

  • Parks used mining pools and software to maximise output and monitor active mining operations.
  • He laundered proceeds through crypto exchanges, an NFT marketplace, and online payment services before splurging on luxury items like a Mercedes Benz, first-class travel, and jewellery.

Parks faces up to 20 years in prison for defrauding cloud providers of millions in computing resources. Federal prosecutors highlighted the case as a warning against exploiting technology for financial gain.

While crypto mining isn’t illegal, Parks' fraudulent tactics turned this into a high-stakes cybercrime, underscoring the need for robust cloud security and billing checks.
