Welcome to this week's edition of Nomios Weekly CyberWednesday! This week’s roundup dives into the most pressing cybersecurity developments impacting enterprises across Europe and beyond. From Chinese cyber espionage campaigns targeting telecoms and Russian malware infiltrating critical sectors to North Korean hackers leveraging AI for advanced scams, these stories highlight the evolving tactics of global threat actors. Stay informed with the latest insights to safeguard your organisation against emerging threats in the ever-changing digital landscape.
1. Russian Hackers Deploy HATVIBE and CHERRYSPY Malware
Russian cyber espionage group TAG-110, associated with APT28, has intensified its activities across Europe and Asia using custom malware tools—HATVIBE and CHERRYSPY. The campaign targets government agencies, human rights groups, and educational institutions, focusing primarily on Central Asia but also reaching parts of Europe.
HATVIBE serves as a loader to deploy CHERRYSPY, a Python-based backdoor used for data exfiltration and espionage. The group has exploited vulnerabilities in public-facing applications and leveraged phishing emails to infiltrate systems. Since 2021, more than 60 victims have been identified, including entities in Hungary and Greece, as well as in post-Soviet states like Kazakhstan and Uzbekistan.
Recorded Future noted that these efforts align with Russia’s hybrid warfare strategy, aimed at destabilising NATO allies and maintaining influence in post-Soviet states. By exploiting regional instability and leveraging custom malware, the group underscores the increasing sophistication of cyber espionage. (Source: The Hacker News)
2. China-Backed Hackers Exploit SIGTRAN and GSM Protocols to Infiltrate Telecom Networks
A series of sophisticated attacks targeting telecommunications providers in South Asia, Africa, and Europe has been attributed to a China-linked espionage group, Liminal Panda. The group uses bespoke tools like SIGTRANslator, CordScan, and PingPong to infiltrate telecom infrastructure, enabling the exfiltration of mobile subscriber information, call metadata, and SMS messages.
These attacks often begin by exploiting external DNS servers and weak passwords to establish a foothold. Once inside, the group uses tools like TinyShell and an SGSN emulator to tunnel traffic through telecommunications networks. Liminal Panda’s knowledge of telecom protocols and infrastructure allows it to infiltrate multiple providers and move laterally across interconnected systems.
The campaign underscores the vulnerability of telecom providers to state-sponsored cyber threats, highlighting the need for stronger defences in critical infrastructure sectors. (Source: The Hacker News)
3. North Korean Hackers Steal $10M Using AI-Driven Scams on LinkedIn
North Korea's Sapphire Sleet group, overlapping with APT38 and BlueNoroff, has orchestrated social engineering campaigns on LinkedIn to steal cryptocurrency. The group creates fake recruiter profiles, posing as representatives from firms like Goldman Sachs, to lure victims into downloading malware disguised as skills assessments.
Once installed, the malware enables attackers to access victims’ credentials and cryptocurrency wallets. The group also leverages AI tools like Faceswap to create convincing professional profiles, enhancing the credibility of their scams.
Microsoft reported that these efforts are part of a broader strategy by North Korea to generate revenue amidst sanctions. The group has also deployed IT workers abroad to secure legitimate jobs while conducting cyber theft and espionage. (Source: The Hacker News)
4. CISA Warns of VMware vCenter Vulnerabilities Actively Exploited
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory for two critical vulnerabilities in VMware’s vCenter Server: CVE-2024-38812 and CVE-2024-38813.
CVE-2024-38812 is a heap-based buffer overflow in vCenter Server's implementation of the DCERPC protocol, allowing remote code execution. CVE-2024-38813, a privilege escalation flaw, lets attackers gain root access to affected systems. These vulnerabilities have been exploited to compromise virtualised environments, which are foundational to enterprise infrastructure.
VMware has released patches and strongly advises organisations to implement them by December 11, 2024, to avoid potentially catastrophic breaches. (Source: Cyber Security News)
5. Oracle Patches Exploited Agile PLM Zero-Day
Oracle has patched a high-severity zero-day vulnerability (CVE-2024-21287) in Agile Product Lifecycle Management (PLM). The flaw, exploited in the wild, allowed unauthenticated attackers to access critical files under the application’s privileges.
Agile PLM, used for managing product data and processes, remains widely deployed despite Oracle’s plans to discontinue it by 2027. The exploit highlights the risks of unpatched legacy systems in enterprises. Oracle has urged all users to apply updates immediately to mitigate data breaches and safeguard sensitive information. (Source: SecurityWeek)
6. ENISA’s Role to Expand as EU Reviews Cybersecurity Act
The European Commission has been urged to strengthen ENISA’s mandate amidst increasing cyber threats and new EU legislation like NIS 2 and the Cyber Resilience Act. National governments advocate for enhanced funding, staffing, and technical resources for the EU’s cybersecurity agency to better address its growing responsibilities.
Currently operating with just over 100 staff members, ENISA plays a pivotal role in supporting member states and certifying ICT products. The ongoing review of the EU Cybersecurity Act provides an opportunity to redefine the agency’s objectives and address gaps in its operational capacity. (Source: Euronews)
7. Apple Patches Exploited Zero-Days in macOS and iOS
Apple has released emergency updates for macOS and iOS to address two zero-day vulnerabilities: CVE-2024-44308 and CVE-2024-44309. Discovered by Google’s Threat Analysis Group, these flaws have been exploited in the wild to execute arbitrary code and conduct cross-site scripting attacks on Intel-based macOS systems.
The updates—macOS Sequoia 15.1.1 and iOS 18.1.1—are critical for securing Apple devices, especially as attackers continue to target these platforms in high-profile campaigns. (Source: SecurityWeek)
8. Russian Nearest Neighbour Wi-Fi Attack Exposes New Espionage Risks
APT28 (Fancy Bear) utilised an innovative "Nearest Neighbour Attack," infiltrating networks by compromising nearby Wi-Fi connections. By hacking systems in a building across the street from their target, they bypassed multi-factor authentication (MFA) and accessed sensitive data. This tactic underscores the need for advanced Wi-Fi encryption and secure network segmentation to mitigate such risks. (Source: SecurityWeek)
9. Secure by Demand: Ensuring Software Supply Chain Security
The rise in software supply chain attacks, such as NotPetya and SolarWinds, highlights the need for enterprises to go beyond traditional security measures. CISA’s "Secure by Demand" initiative urges organisations to demand stricter security assurances from vendors and independently validate software integrity.
While tools like security questionnaires and Software Bills of Materials (SBOMs) provide transparency, they fall short in detecting hidden threats like compromised build pipelines or malicious code. Enterprises must adopt proactive measures such as independent software validation and continuous risk analysis to safeguard critical applications against vulnerabilities, malware, and tampering. (Source: Dark Reading)
10. Microsoft Exposes ONNX Phishing Service, Seizes 240 Domains
Microsoft has dismantled the ONNX phishing-as-a-service operation, seizing 240 malicious domains and exposing its Egyptian operator, Abanoub Nady. ONNX offered phishing kits enabling attackers to bypass MFA and steal credentials. Microsoft’s crackdown highlights the need for enterprises to implement layered defences, including advanced email security and real-time phishing detection. (Source: Dark Reading)
Stay ahead of the latest cybersecurity developments by keeping an eye on these stories, and ensure your organisation's security protocols remain up to date.