Cyber Bits · · 3 min read

Cyber Bits: May 27, 2024

This week, we dive Foxit PDF Reader being abused, ransomware leveraging BitLocker, malvertising is back (3 weeks in a row!), and MITRE provides more details about the security incident that occurred earlier this year.

Cyber Bits: May 27, 2024

This week, we dive Foxit PDF Reader being abused to spread malware, ransomware leveraging BitLocker as its encryption method, malvertising is back (3 weeks in a row!) targeting antivirus downloads and new web browsers, and MITRE provides more details about the security incident that occurred earlier this year.

Foxit PDF Reader used to spread malware

Link: The Hacker News

Multiple threat actors have been exploiting a design flaw in Foxit PDF Reader to deploy various malware, including Agent Tesla and NanoCore RAT. The exploit manipulates users into executing harmful commands through deceptive pop-ups. Notably, Adobe Acrobat Reader is unaffected by this flaw, resulting in a low detection rate for the attacks. Hackers utilized platforms like Discord and Trello to distribute the malware, with campaigns linked to espionage and cryptocurrency mining. Foxit has acknowledged the issue and plans to release a fix in version 2024.3.

While this may not be the latest or greatest method of deploying malware, its adoption on island warranted being included in this week's update. Make sure to patch as soon as you can!

Attackers use BitLocker to encrypt in ransomware attacks

Link: Bleeping Computer

ShrinkLocker is a newly-detected ransomware leveraging Windows BitLocker to encrypt files by creating new boot partitions. This malicious software, targeting government and industrial sectors, shrinks non-boot partitions to create the new boot volume. Written in VBScript, ShrinkLocker evades detection unless specific conditions are met, ultimately disabling recovery options and remote desktop connections. The ransomware lacks a visible ransom note, indicating potential destructive intent rather than financial gain. We recommend securing BitLocker recovery keys, backing up to Entra ID (if you're leveraging M365), and, of course, maintaining offline backups.

Malvertising masquerading as antivirus

Link: The Hacker News

Breaking the 4th wall, cybersecurity researchers have uncovered a campaign using fake antivirus websites mimicking Avast, Bitdefender, and Malwarebytes to distribute malware targeting Android and Windows devices. These sites deliver various malicious payloads, including the SpyNote trojan, Lumma info stealer, and StealC malware.

Once installed, the malware can steal sensitive data, track user activities, and even mine cryptocurrency. We can't emphasis this enough, if your organization doesn't manage downloads for users, touch on this in your End User Awareness sessions and IT members should only download software from official sources.

MITRE provides more details on their cyber attack

Link: MITRE Blog

MITRE revealed more information in the most recent security incident where attackers exploited zero-day flaws in Ivanti Connect Secure (ICS). Once access was gained, they created rogue virtual machines (VMs) within the VMware environment to evade detection. Using a compromised vCenter Server, they deployed web shells and tunneling tools, maintaining persistent access and sidestepping centralized management interfaces.

The attackers, identified as China-nexus UNC5221, leveraged the vulnerabilities to execute arbitrary commands and harvest credentials. MITRE advises enabling secure boot and utilizing specific PowerShell scripts to detect such rogue VMs.

Arc browser targeted to serve malvertising to users

Link: Bleeping Computer

Again, we can't emphasis this enough: malvertising is going to be a consistent theme for the foreseeable future.

Cybercriminals have targeted the highly anticipated Windows launch of the Arc web browser through a Google Ads malvertising campaign. These malicious ads, appearing legitimate, redirect users to lookalike domains where trojanized installers are downloaded, infecting systems with malware. The malware, concealed behind the Arc installation, includes info-stealers and uses MEGA's API for command and control.

Read next

Cyber Bits: November 25
Cyber Bits ·

Cyber Bits: November 25

Welcome to this week's edition of Cyber Bits, where we cover the latest in malware campaigns, advanced persistent threats, data breaches, vulnerabilities in enterprise systems from Fortinet and Palo Alto, and the economic impact of cyberattacks. Here's what you need to know this week:

Cyber Bits: October 21
Cyber Bits ·

Cyber Bits: October 21

In this week's Cyber Bits, Internet Archive faces another breach, Microsoft sets up Azure tenant honeypots, ransomware attacks are using ESET's name, Microsoft may have lost some security logs, and North Korea is targeting companies looking for temporary IT workers.

Cyber Bits: October 14
Cyber Bits ·

Cyber Bits: October 14

In this weeks Cyber Bits, Microsoft deprecates VPN protocols, OpenAI confirms what everyone already knew about bad guys using ChatGPT for malware, SOC teams lament alert fatigue, qualified personnel gaps in cloud and cyber, and how to build cyber resilience for SMB's.