Top 10 Cyber Threats to Government Administrations (August 2024)

Jake Trujillo

Aug 8, 2024

Note: These were the top 10 cyber threats to the Government industry as of October 9th, 2024. To see the latest top 10 cyber threats to the Government industry, click here.

1. ShadowCat

A silent infiltrator targeting government secrets.

Summary: Operation ShadowCat is a sophisticated cyberattack campaign discovered by Cyble Research and Intelligence Labs (CRIL), targeting individuals with an interest in Indian political affairs. The attack employs a deceptive shortcut (.LNK) file, masquerading as a legitimate Office document, to initiate the infection process. The campaign specifically avoids infecting systems in Russian-speaking regions, suggesting the threat actor could be Russian-speaking. 

Free Advice: Implement email filtering solutions to detect and block phishing emails containing .LNK files or suspicious attachments.

2. Ghostwriter

Master manipulators of information and public opinion.

Summary: Ukrainian organizations have been targeted by the Belarus-linked threat group GhostWriter, aka UAC-0057. The attacks, which occurred from July 12 to 18, involved the use of malicious documents related to taxation, local government reform, and financial and economic measures to distribute PicassoLoader malware, eventually leading to the delivery of Cobalt Strike Beacon. 

The Ukrainian Computer Emergency Response Team suggests that the attackers might have aimed at specialists in project offices as well as employees of local government bodies in Ukraine. This incident follows a pattern observed four years earlier when Belarusian organizations were targeted by GhostWriter before the 2020 elections, after which some opposition members were arrested by Belarusian authorities.

Free Advice: Implement email filtering solutions to detect and block phishing attempts, focusing on emails containing attachments or links that could potentially harbor SquidLoader payloads.
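Items 1 and 2 both recommend mail filtering for shortcut attachments. The following is an added illustration of that check, not Fletch's code or any vendor's filter: it walks a MIME message and flags any attachment that carries a .lnk extension (including a double extension such as Agenda.docx.lnk that mimics an Office document), a shortcut MIME type, or the 8-byte start of the Windows Shell Link header (header size 0x4C followed by the beginning of the Shell Link CLSID), so a renamed shortcut is caught by content rather than by name alone. The sample message, the addresses and the application/x-ms-shortcut MIME type are constructed assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names ending in these extensions are treated as Windows shortcut files.
SHORTCUT_EXTENSIONS = (".lnk",)
# MIME type some clients label shortcut attachments with (assumption for this example).
SHORTCUT_MIME_TYPES = {"application/x-ms-shortcut"}
# First 8 bytes of a Windows Shell Link header: HeaderSize 0x0000004C (little-endian)
# followed by the first DWORD of the Shell Link CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def is_shortcut_part(part: EmailMessage) -> bool:
    """Return True if a single (non-multipart) MIME part looks like a .LNK shortcut."""
    name = (part.get_filename() or "").lower()
    if name.endswith(SHORTCUT_EXTENSIONS):
        return True
    if part.get_content_type() in SHORTCUT_MIME_TYPES:
        return True
    payload = part.get_payload(decode=True)  # decoded bytes, or None for text-only parts
    return bool(payload) and payload.startswith(LNK_MAGIC)


def find_shortcut_attachments(raw_message: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and list the attachments that look like shortcuts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_shortcut_part(part):
            findings.append(part.get_filename() or part.get_content_type())
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF, one double-extension shortcut, one renamed shortcut."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Shortcut posing as an Office document through a double extension.
    msg.add_attachment(LNK_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="Agenda.docx.lnk")
    # Shortcut bytes renamed to look like a PDF; caught by the header signature.
    msg.add_attachment(LNK_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="Minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in find_shortcut_attachments(build_sample_message()):
        print(f"blocked shortcut attachment: {name}")
```

In a real gateway the same three tests would run against attachments extracted from archives as well, since the bare message scan above only sees top-level parts.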

3. CVE-2024-4879

A fresh exploit targeting critical infrastructure.

Summary: Two critical vulnerabilities, CVE-2024-4879 and CVE-2024-5217, in ServiceNow's cloud-based software, widely used for employee management and business process automation, were patched in May. However, following the public disclosure of a proof-of-concept exploit on July 11, there has been an increase in exploitation attempts.

Reports indicate up to 42,000 ServiceNow systems could be affected, primarily located in the U.S., the UK, India, and the European Union. The financial services industry has been particularly targeted, with over 6,000 sites facing attempted attacks. These vulnerabilities, along with another identified as CVE-2024-5178, pose a risk of database hijacking and data theft. CISA issued an urgent call for federal agencies to patch these vulnerabilities by August 19.

Free Advice: After patching, verify that the updates have been successfully applied and that the system versions are no longer vulnerable.

4. CVE-2024-6327

A new vulnerability hitting secure government networks.

Summary: A critical remote code execution vulnerability in Progress Telerik Report Servers, identified as CVE-2024-6327, allows for the insecure deserialization of untrusted data, affecting versions up to and including 10.1.24.514. It is not known if the vulnerability has been exploited in the wild, but given the history of vulnerabilities within Progress Telerik Report Server, it is a possibility. Another vulnerability, CVE-2024-6096, also affects all previous versions of Progress Telerik Reporting.

Free Advice: Patch to version 10.1.24.709 or later or, as a temporary mitigation, change the Report Server Application Pool user to one with limited permissions.

5. GXCTeam

Elite hackers breaching top-level admin defenses.

Summary: A Spanish cybercrime group known as GXC Team has been offering a sophisticated malware-as-a-service (MaaS) platform that combines phishing kits with malicious Android applications. This service targets users of over 36 Spanish banks, governmental bodies, and 30 institutions globally. The campaign has affected financial institutions, tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in various countries including the United States, the UK, Slovakia, and Brazil. Researchers have identified 288 phishing domains associated with this activity.

Free Advice: Install and maintain reputable anti-malware software on all company devices, especially those running Android.

6. APT45

Precision attacks from a nation-state powerhouse.

Summary: North Korean hacker group Andariel, aka APT45, has stolen sensitive data on a wide array of weapon systems and technologies from various countries since 2009 in order to advance North Korea's military. APT45 has targeted critical infrastructure, including hospitals, banks, and defense companies, particularly in South Korea. They are a subgroup of the Lazarus Group and have been involved in financially motivated attacks as well as traditional espionage. 

Free Advice: Implement multi-factor authentication for all users, especially those with access to sensitive information or critical infrastructure systems.

7. Gh0stRAT

A remote-access trojan haunting government networks.

Summary: A new threat campaign involving Gh0st RAT, a remote access trojan known for its data collection and remote-control capabilities, uses a dropper, dubbed Gh0stGambit, to deploy the RAT by masquerading as a Google Chrome installer. The dropper is delivered through drive-by downloads when users attempt to download Chrome from deceptive websites. 

The RAT variant has been modified with additional capabilities and primarily targets Chinese-speaking users, as evidenced by the language of web lures and targeted applications. 

Free Advice: Regularly check system processes for any suspicious or unknown processes running.

8. ConfusedFunction

A tricky malware twisting government defenses.

Summary: A privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service, known as ConfusedFunction, could enable an attacker to gain unauthorized access to other services and sensitive data by escalating their privileges to the level of the default Cloud Build Service account. Attackers could exploit this to access Cloud Storage, Artifact Registry, and Container Registry, potentially leading to data leaks or unauthorized modifications. 

Free Advice: Replace legacy Cloud Build service accounts with least-privilege service accounts for each cloud function.

9. CVE-2023-45249

A vulnerability breaching high-value government targets.

Summary: A critical vulnerability, CVE-2023-45249, has been identified in Acronis Cyber Infrastructure, affecting multiple versions up to 5.4.4-132. This vulnerability allows for remote code execution and is particularly concerning due to its association with the use of default passwords. Acronis issued updates addressing the vulnerability in October 2023, but has since confirmed active exploitation incidents. CISA has recognized the severity of this vulnerability by adding it to its Known Exploited Vulnerabilities catalog and has mandated U.S. Federal Civilian Executive Branch agencies to address this issue by August 19, 2024.

Free Advice: Change any default passwords on ACI servers to strong, unique passwords.
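Items 3, 4 and 9 all come down to the same verification step: confirm that the installed version is outside the affected range. The script below is an added example (not Fletch's tooling) that encodes only the version bounds this post states, namely Telerik Report Server affected up to and including 10.1.24.514 with 10.1.24.709 as the fix, and Acronis Cyber Infrastructure affected up to 5.4.4-132; ServiceNow is left out because the post gives no version numbers for it. It treats an install as affected when it is at or below the highest affected version or, where a fixed version is stated, below that fix, so a build between the two bounds is flagged rather than silently passed. The hostnames and installed versions in the inventory are constructed sample data.

```python
import re
from typing import NamedTuple, Optional


class VulnerableRange(NamedTuple):
    product: str
    advisory: str
    max_affected: str        # highest affected version, inclusive, as stated in the post
    fixed: Optional[str]     # first fixed version if the post states one


# Version bounds taken from items 4 and 9 of the post.
KNOWN_RANGES = [
    VulnerableRange("Progress Telerik Report Server", "CVE-2024-6327", "10.1.24.514", "10.1.24.709"),
    VulnerableRange("Acronis Cyber Infrastructure", "CVE-2023-45249", "5.4.4-132", None),
]


def parse_version(text: str) -> tuple:
    """Turn '10.1.24.514' or '5.4.4-132' into a tuple of ints.
    Dots and dashes are both separators, so a '-132' build suffix becomes one more component."""
    parts = re.split(r"[.\-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: tuple, b: tuple) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 5.4.4 compares as 5.4.4-0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version falls inside the stated affected range for the product."""
    for r in KNOWN_RANGES:
        if r.product != product:
            continue
        v = parse_version(installed)
        if compare_versions(v, parse_version(r.max_affected)) <= 0:
            return True
        # Anything below the stated fix is treated as still needing the patch.
        return r.fixed is not None and compare_versions(v, parse_version(r.fixed)) < 0
    raise KeyError(f"no version data for {product!r}")


def assess_inventory(inventory):
    """inventory: iterable of (host, product, installed_version) -> list of (host, verdict)."""
    results = []
    for host, product, version in inventory:
        try:
            verdict = "AFFECTED" if is_affected(product, version) else "ok"
        except (KeyError, ValueError) as exc:
            verdict = f"unknown ({exc})"
        results.append((host, verdict))
    return results


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    ("reportsrv-01", "Progress Telerik Report Server", "10.1.24.514"),
    ("reportsrv-02", "Progress Telerik Report Server", "10.1.24.709"),
    ("aci-node-03", "Acronis Cyber Infrastructure", "5.4.4-132"),
    ("aci-node-04", "Acronis Cyber Infrastructure", "5.4.4-133"),
    ("aci-node-05", "Acronis Cyber Infrastructure", "5.3.1-10"),
    ("svcnow-06", "ServiceNow", "n/a"),
]


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {verdict}")
```

The version strings would normally come from the product's own admin page or API rather than a hand-typed list; the point of the check is that the comparison is done against the vendor's stated bounds rather than by eyeballing a version number.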

10. PKFail

A new vulnerability punching holes in government defenses.

Summary: PKFail is a vulnerability compromising the firmware of numerous production model PCs, potentially allowing for persistent remote takeovers. PKFail stems from a 2016 incident where a private test key from BIOS specialist AMI was leaked and has been found in use on various systems, including recently released enterprise devices. The leaked Platform Key enables attackers to forge an OS installation as genuine, bypassing the Windows UEFI framework and avoiding detection by OS-level antimalware tools. However, exploitation requires administrator or root-level system access. 

Free Advice: Review the list of affected devices from the BRLY-2024-005 advisory to identify any hardware in use that may be vulnerable.

Sign up for Fletch to get access to more industry threats.

See how much time you can save

Fletch surfaces the 5% of threats that matter to you right now. You’ll have every detail about the threat, what to do about it and what to say. 

Get API access