Cyber Bits · · 3 min read

Cyber Bits: May 27, 2024

This week, we dive Foxit PDF Reader being abused, ransomware leveraging BitLocker, malvertising is back (3 weeks in a row!), and MITRE provides more details about the security incident that occurred earlier this year.

Cyber Bits: May 27, 2024

This week, we dive Foxit PDF Reader being abused to spread malware, ransomware leveraging BitLocker as its encryption method, malvertising is back (3 weeks in a row!) targeting antivirus downloads and new web browsers, and MITRE provides more details about the security incident that occurred earlier this year.

Foxit PDF Reader used to spread malware

Link: The Hacker News

Multiple threat actors have been exploiting a design flaw in Foxit PDF Reader to deploy various malware, including Agent Tesla and NanoCore RAT. The exploit manipulates users into executing harmful commands through deceptive pop-ups. Notably, Adobe Acrobat Reader is unaffected by this flaw, resulting in a low detection rate for the attacks. Hackers utilized platforms like Discord and Trello to distribute the malware, with campaigns linked to espionage and cryptocurrency mining. Foxit has acknowledged the issue and plans to release a fix in version 2024.3.

While this may not be the latest or greatest method of deploying malware, its adoption on island warranted being included in this week's update. Make sure to patch as soon as you can!

Attackers use BitLocker to encrypt in ransomware attacks

Link: Bleeping Computer

ShrinkLocker is a newly-detected ransomware leveraging Windows BitLocker to encrypt files by creating new boot partitions. This malicious software, targeting government and industrial sectors, shrinks non-boot partitions to create the new boot volume. Written in VBScript, ShrinkLocker evades detection unless specific conditions are met, ultimately disabling recovery options and remote desktop connections. The ransomware lacks a visible ransom note, indicating potential destructive intent rather than financial gain. We recommend securing BitLocker recovery keys, backing up to Entra ID (if you're leveraging M365), and, of course, maintaining offline backups.

Malvertising masquerading as antivirus

Link: The Hacker News

Breaking the 4th wall, cybersecurity researchers have uncovered a campaign using fake antivirus websites mimicking Avast, Bitdefender, and Malwarebytes to distribute malware targeting Android and Windows devices. These sites deliver various malicious payloads, including the SpyNote trojan, Lumma info stealer, and StealC malware.

Once installed, the malware can steal sensitive data, track user activities, and even mine cryptocurrency. We can't emphasis this enough, if your organization doesn't manage downloads for users, touch on this in your End User Awareness sessions and IT members should only download software from official sources.

MITRE provides more details on their cyber attack

Link: MITRE Blog

MITRE revealed more information in the most recent security incident where attackers exploited zero-day flaws in Ivanti Connect Secure (ICS). Once access was gained, they created rogue virtual machines (VMs) within the VMware environment to evade detection. Using a compromised vCenter Server, they deployed web shells and tunneling tools, maintaining persistent access and sidestepping centralized management interfaces.

The attackers, identified as China-nexus UNC5221, leveraged the vulnerabilities to execute arbitrary commands and harvest credentials. MITRE advises enabling secure boot and utilizing specific PowerShell scripts to detect such rogue VMs.

Arc browser targeted to serve malvertising to users

Link: Bleeping Computer

Again, we can't emphasis this enough: malvertising is going to be a consistent theme for the foreseeable future.

Cybercriminals have targeted the highly anticipated Windows launch of the Arc web browser through a Google Ads malvertising campaign. These malicious ads, appearing legitimate, redirect users to lookalike domains where trojanized installers are downloaded, infecting systems with malware. The malware, concealed behind the Arc installation, includes info-stealers and uses MEGA's API for command and control.

Read next

Cyber Bits: July 8, 2024
Cyber Bits ·

Cyber Bits: July 8, 2024

In this week's Cyber Bits, we look into Cloudflare's BGP incident, a Go-based ransomware variant targeting VMs, Ticketmaster struggling with a ransomware incident, hackers leaking Twilio data, and Cobalt Strike servers being shutdown by the feds.

Cyber Bits: June 24, 2024
Cyber Bits ·

Cyber Bits: June 24, 2024

This week - VMware's urgent security patches, a UEFI vulnerability in Intel PCs, US sanctions on Kaspersky, ransomware attacks on old Android phones, and a breach of 1,590 crypto wallets by North Korean hackers. Stay updated with the latest cybersecurity news and tips.