Cyber Bits · 3 min read

Cyber Bits: May 27, 2024

This week, we dive into Foxit PDF Reader being abused to spread malware, ransomware leveraging BitLocker as its encryption method, malvertising being back (3 weeks in a row!) and targeting antivirus downloads and new web browsers, and MITRE providing more details about the security incident that occurred earlier this year.

Foxit PDF Reader used to spread malware

Link: The Hacker News

Multiple threat actors have been exploiting a design flaw in Foxit PDF Reader to deploy various malware, including Agent Tesla and NanoCore RAT. The exploit manipulates users into executing harmful commands through deceptive pop-ups. Notably, Adobe Acrobat Reader is unaffected by this flaw, resulting in a low detection rate for the attacks. Hackers utilized platforms like Discord and Trello to distribute the malware, with campaigns linked to espionage and cryptocurrency mining. Foxit has acknowledged the issue and plans to release a fix in version 2024.3.

While this may not be the latest or greatest method of deploying malware, its adoption on island warranted its inclusion in this week's update. Make sure to patch as soon as you can!

Attackers use BitLocker to encrypt in ransomware attacks

Link: Bleeping Computer

ShrinkLocker is a newly detected ransomware leveraging Windows BitLocker to encrypt files by creating new boot partitions. This malicious software, targeting government and industrial sectors, shrinks non-boot partitions to create the new boot volume. Written in VBScript, ShrinkLocker evades detection unless specific conditions are met, ultimately disabling recovery options and remote desktop connections. The ransomware lacks a visible ransom note, indicating potential destructive intent rather than financial gain. We recommend securing BitLocker recovery keys, backing them up to Entra ID (if you're leveraging M365), and, of course, maintaining offline backups.

Malvertising masquerading as antivirus

Link: The Hacker News

Breaking the 4th wall, cybersecurity researchers have uncovered a campaign using fake antivirus websites mimicking Avast, Bitdefender, and Malwarebytes to distribute malware targeting Android and Windows devices. These sites deliver various malicious payloads, including the SpyNote trojan, Lumma info stealer, and StealC malware.

Once installed, the malware can steal sensitive data, track user activities, and even mine cryptocurrency. We can't emphasize this enough: if your organization doesn't manage downloads for users, cover this in your End User Awareness sessions, and IT staff should only download software from official sources.

MITRE provides more details on their cyber attack

Link: MITRE Blog

MITRE revealed more information about its most recent security incident, in which attackers exploited zero-day flaws in Ivanti Connect Secure (ICS). Once access was gained, they created rogue virtual machines (VMs) within the VMware environment to evade detection. Using a compromised vCenter Server, they deployed web shells and tunneling tools, maintaining persistent access and sidestepping centralized management interfaces.

The attackers, identified as China-nexus UNC5221, leveraged the vulnerabilities to execute arbitrary commands and harvest credentials. MITRE advises enabling secure boot and utilizing specific PowerShell scripts to detect such rogue VMs.
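As an added illustration of that detection idea (not MITRE's own script, and not code from this newsletter), the PowerCLI snippet below compares the VM inventory vCenter reports with the inventory each ESXi host reports when queried directly, on the assumption that a VM registered straight on the hypervisor would not appear in vCenter. It assumes PowerCLI is installed, the hosts are not in lockdown mode, and the vCenter hostname and credential prompts are placeholders.

```powershell
# Added example: flag VMs that an ESXi host knows about but vCenter does not.
# Placeholder vCenter name; replace with your own.
$vcenterName = 'vcenter.example.internal'
$vcCred   = Get-Credential -Message 'vCenter read-only account'
$hostCred = Get-Credential -Message 'ESXi host read-only account'

Import-Module VMware.PowerCLI

# Inventory as seen through the central management plane.
$vc = Connect-VIServer -Server $vcenterName -Credential $vcCred -ErrorAction Stop
$vcVms    = @(Get-VM -Server $vc | Select-Object -ExpandProperty Name)
$esxHosts = @(Get-VMHost -Server $vc | Select-Object -ExpandProperty Name)
Disconnect-VIServer -Server $vc -Confirm:$false

$findings = foreach ($h in $esxHosts) {
    # Ask the host itself. Anything listed here but absent from the vCenter
    # inventory was registered outside the management plane and needs review.
    try {
        $direct = Connect-VIServer -Server $h -Credential $hostCred -ErrorAction Stop
    } catch {
        Write-Warning "Could not connect directly to $h (lockdown mode or bad credentials): $_"
        continue
    }
    $hostVms = @(Get-VM -Server $direct | Select-Object -ExpandProperty Name)
    Disconnect-VIServer -Server $direct -Confirm:$false

    foreach ($name in $hostVms) {
        if ($vcVms -notcontains $name) {
            [pscustomobject]@{ Host = $h; HostOnlyVM = $name }
        }
    }
}

if ($findings) {
    Write-Warning 'VMs present on a host but missing from vCenter inventory:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Every host-registered VM is also in the vCenter inventory.'
}
```

Treat a hit as a lead rather than a verdict: a VM mid-migration or a host that was recently re-added to vCenter can produce the same mismatch, so confirm against change records before acting.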

Arc browser targeted to serve malvertising to users

Link: Bleeping Computer

Again, we can't emphasize this enough: malvertising is going to be a consistent theme for the foreseeable future.

Cybercriminals have targeted the highly anticipated Windows launch of the Arc web browser through a Google Ads malvertising campaign. These malicious ads, appearing legitimate, redirect users to lookalike domains where trojanized installers are downloaded, infecting systems with malware. The malware, concealed behind the Arc installation, includes info-stealers and uses MEGA's API for command and control.
