Cyber Defense Advisors

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)

⚠️ Imagine this: the very tools you trust to protect you online—your two-factor authentication, your car’s tech system, even your security software—turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn’t fiction; it’s the new cyber reality. Today’s attackers have become so sophisticated that they’re using our trusted tools as secret pathways, slipping past defenses without a 🔍 trace.

For banks 🏦, this is especially alarming. Today’s malware doesn’t just steal codes; it targets the very trust that digital banking relies on. These threats are more advanced and smarter than ever, often staying a step ahead of defenses.

And it doesn’t stop there. Critical systems that power our cities are at risk too. Hackers are hiding within the very tools that run these essential services, making them harder to detect and harder to stop. It’s a high-stakes game of hide-and-seek, where each move raises the risk.

As these threats grow, let’s dive into the most urgent security issues, vulnerabilities, and cyber trends this week.

⚡ Threat of the Week

FBI Probes China-Linked Global Hacks: The FBI is urgently calling for public assistance in a global investigation into sophisticated cyber attacks targeting companies and government agencies. Chinese state-sponsored hacking groups—identified as APT31, APT41, and Volt Typhoon—have breached edge devices and computer networks worldwide.

Exploiting zero-day vulnerabilities in edge infrastructure appliances from vendors like Sophos, these threat actors have deployed custom malware to maintain persistent remote access and repurpose compromised devices as stealthy proxies. This tactic allows them to conduct surveillance, espionage, and potentially sabotage operations while remaining undetected.

Tips for Organizations:

  • Update and Patch Systems: Immediately apply the latest security updates to all edge devices and firewalls, particularly those from Sophos, to mitigate known vulnerabilities like CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236.
  • Monitor for Known Malware: Implement advanced security solutions capable of detecting malware such as Asnarök, Gh0st RAT, and Pygmy Goat. Regularly scan your network for signs of these threats.
  • Enhance Network Security: Deploy intrusion detection and prevention systems to monitor for unusual network activity, including unexpected ICMP traffic that could indicate backdoor communications.

🔔 Top News

  • Android Banking Trojan ToxicPanda Targets Europe: A new Android banking trojan dubbed ToxicPanda has been observed targeting over a dozen banks in Europe and Latin America. It’s so named for its Chinese roots and its similarities with another Android-focused malware named TgToxic. ToxicPanda comes with remote access trojan (RAT) capabilities, enabling the attackers to take over accounts and carry out on-device fraud (ODF) from the victim’s own phone. Besides obtaining access to sensitive permissions, it can intercept one-time passwords received by the device via SMS or those generated by authenticator apps, which enables the cybercriminals to bypass multi-factor authentication. The threat actors behind ToxicPanda are likely Chinese speakers.
  • VEILDrive Attack Exploits Microsoft Services: An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. In doing so, it allows the threat actors to evade detection. The attack has been so far spotted targeting an unnamed critical infrastructure entity in the U.S. It’s currently not known who is behind the campaign.
  • Crypto Firms Targeted with New macOS backdoor: The North Korean threat actor known as BlueNoroff has targeted cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Unlike other recent campaigns linked to North Korea, the latest effort uses emails propagating fake news about cryptocurrency trends to infect targets with a backdoor that can execute attacker-issued commands. The development comes as the APT37 North Korean state-backed group has been linked to a new spear-phishing campaign distributing the RokRAT malware.
  • Windows Hosts Targeted by QEMU Linux Instance: A new malware campaign codenamed CRON#TRAP is infecting Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. This allows the unidentified threat actors to maintain a stealthy presence on the victim’s machine.
  • AndroxGh0st Malware Integrates Mozi Botnet: The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, alongside deploying the Mozi botnet malware. While Mozi suffered a steep decline in activity last year, the new integration raises the possibility of an operational alliance between the two, allowing the combined operation to propagate to more devices than ever before.

‎️‍🔥 Trending CVEs

Recently trending CVEs include: CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722, CVE-2024-43093, CVE-2024-10443, CVE-2024-50387, CVE-2024-50388, CVE-2024-50389, CVE-2024-20418, CVE-2024-5910, CVE-2024-42509, CVE-2024-47460, CVE-2024-33661, CVE-2024-33662. Each of these vulnerabilities represents a significant security risk, emphasizing the importance of regular updates and monitoring to protect data and systems.

📰 Around the Cyber World

  • Unpatched Flaws Allow Hacking of Mazda Cars: Multiple security vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU) infotainment system (CVE-2024-8355 through CVE-2024-8360), which is used in several models from 2014 to 2021, could allow execution of arbitrary code with elevated privileges. Even more troublingly, they could be abused to obtain persistent compromise by installing a malicious firmware version and to gain direct access to the vehicle’s controller area network (CAN) buses. The flaws remain unpatched, likely because they all require an attacker to physically insert a malicious USB device into the center console. “A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device – such as an iPod or mass storage device – to the target system,” security researcher Dmitry Janushkevich said. “Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges.”
  • Germany Drafts Law to Protect Researchers Reporting Flaws: The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to researchers who discover and responsibly report security vulnerabilities to vendors. “Those who want to close IT security gaps deserve recognition—not a letter from the prosecutor,” the ministry said. “With this draft law, we will eliminate the risk of criminal liability for people who take on this important task.” The draft law also proposes a penalty of three months to five years in prison for severe cases of malicious data spying and data interception that include acts motivated by profit, those that result in substantial financial damage, or compromise critical infrastructure.
  • Over 30 Vulnerabilities Found in IBM Security Verify Access: Nearly three dozen vulnerabilities have been disclosed in IBM Security Verify Access (ISVA) that, if successfully exploited, could allow attackers to escalate privileges, access sensitive information, and compromise the entire authentication infrastructure. The vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023 by security researcher Pierre Barre. A majority of the issues were eventually patched at the end of June 2024.
  • Silent Skimmer Actor Makes a Comeback: Organizations that host or create payment infrastructure and gateways are being targeted as part of a new campaign mounted by the same threat actors behind the Silent Skimmer credit card skimming campaign. Dubbed CL-CRI-0941, the activity is characterized by the compromise of web servers to gain access to victim environments and gather payment information. “The threat actor gained an initial foothold on the servers by exploiting a couple of one-day Telerik user interface (UI) vulnerabilities,” Palo Alto Networks Unit 42 said. The flaws include CVE-2017-11317 and CVE-2019-18935. Some of the other tools used in the attacks are reverse shells for remote access, tunneling and proxy utilities such as Fuso and FRP, GodPotato for privilege escalation, and RingQ to retrieve and launch the Python script responsible for harvesting the payment information to a .CSV file.
  • Seoul Accuses Pro-Kremlin Hacktivists of Targeting South Korea: As North Korea joins hands with Russia in the ongoing Russo-Ukrainian War, DDoS attacks on South Korea have ramped up, the President’s Office said. “Their attacks are mainly private-targeted hacks and distributed denial-of-service (DDoS) attacks targeting government agency home pages,” according to a statement. “Access to some organizations’ websites has been temporarily delayed or disconnected, but aside from that, there has been no significant damage.”
  • Canada Predicts Indian State-Sponsored Attacks amid Diplomatic Feud: Canada has identified India as an emerging cyber threat in the wake of growing geopolitical tensions between the two countries over the assassination of a Sikh separatist on Canadian soil. “India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country’s efforts to promote its global status and counter narratives against India and the Indian government,” the Canadian Centre for Cyber Security said. “We assess that India’s cyber program likely leverages commercial cyber vendors to enhance its operations.”
  • Apple’s New iOS Feature Reboots iPhones after 4 Days of Inactivity: Apple has reportedly introduced a new security feature in iOS 18.1 that automatically reboots iPhones that haven’t been unlocked for a period of four days, according to 404 Media. The newly added code, called “inactivity reboot,” triggers the restart so as to revert the phone to a more secure state called “Before First Unlock” (aka BFU), in which the keys protecting most user data are not held in memory and the passcode or PIN must be entered before the device can be accessed. The new feature has apparently frustrated law enforcement efforts to break into the devices as part of criminal investigations. Apple has yet to formally comment on the feature.

🔥 Resources, Guides & Insights

🔧 Cybersecurity Tools

P0 Labs recently announced the release of new open-source tools designed to enhance detection capabilities for security teams facing diverse attack vectors.

  • YetiHunter – Detects indicators of compromise in Snowflake environments.
  • CloudGrappler – Queries high-fidelity, single-event detections related to well-known threat actors in cloud environments like AWS and Azure.
  • DetentionDodger – Identifies identities with leaked credentials and assesses potential impact based on privileges.
  • BucketShield – A monitoring and alerting system for AWS S3 buckets and CloudTrail logs, ensuring consistent log flow and audit-readiness.
  • CAPICHE Detection Framework (Cloud API Conversion Helper Express) – Simplifies cloud API detection rule creation, supporting defenders in creating multiple detection rules from grouped APIs.

🔒 Tip of the Week

Strengthen Security with Smarter Application Whitelisting — Lock down your Windows system like a pro by using built-in tools as your first line of defense. Start with Microsoft Defender Application Control (WDAC) and AppLocker to control which apps can run – think of it as a bouncer that only lets trusted apps into your club. Keep an eye on what’s happening with Sysinternals Process Explorer (it’s like CCTV for your running programs) and use Windows Security’s controlled folder access and SmartScreen to guard your folders and browsers. For older Windows versions, Software Restriction Policies (SRP) will do the job. Roll any allow-list out in audit mode first and remember to set up alerts so you know when something suspicious happens, or would have been blocked.

Don’t trust any app until it proves itself – check for digital signatures (like an app’s ID card) and use PowerShell safely by requiring signed scripts only (keep in mind that PowerShell’s execution policy is a guardrail, not a security boundary; the allow-list is what actually enforces). Keep risky apps in a sandbox (like Windows Sandbox or VMware) – it’s like a quarantine zone where apps can’t hurt your main system. Watch your network with Windows Firewall and GlassWire to spot any apps making suspicious connections. When it’s time for updates, test them on a pilot group first using WSUS or Windows Update for Business deployment rings. Keep logs of everything using Windows Event Forwarding and Sysmon, and review them regularly to spot any trouble. The key is layering these tools – if one fails, the others will catch the threat.
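The following is an added example that is not part of the original newsletter: it puts the tip above into one PowerShell session, building an AppLocker allow-list from a trusted reference set, applying it in audit mode, checking an unknown binary and its Authenticode signature against it, requiring signed PowerShell scripts, and pulling the AppLocker audit events that feed your alerting. The paths (C:\Program Files as the trusted set, C:\Policies\baseline.xml, and C:\Users\alice\Downloads\tool.exe) are hypothetical.

```powershell
# Added example, not code from the original article. Hypothetical paths:
# C:\Program Files is the trusted software set, C:\Policies\baseline.xml is where
# the policy is stored, C:\Users\alice\Downloads\tool.exe is an unknown binary.
# Run from an elevated PowerShell session on Windows 10/11 or Windows Server.

# 1. Inventory the trusted set: publisher details for signed files, hashes for the rest.
$ref = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
         -FileType Exe, Dll, Script

# 2. Generate allow rules: publisher rules where a file is signed, hash rules otherwise.
#    -Xml returns the policy as a string so the enforcement mode can be edited below.
$xml = New-AppLockerPolicy -FileInformation $ref -RuleType Publisher, Hash `
         -RuleNamePrefix 'Baseline' -User 'Everyone' -Optimize -Xml

# 3. Start in AuditOnly: nothing is blocked yet, but every rule collection logs what
#    WOULD have been blocked. Flip to "Enabled" only once the audit log is clean,
#    otherwise a missing rule can lock administrators out of their own tools.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path 'C:\Policies' -Force | Out-Null
Set-Content -Path 'C:\Policies\baseline.xml' -Value $xml

# 4. Apply the policy locally. AppLocker only enforces (and only audits) while the
#    Application Identity service is running; it is a protected service, so sc.exe
#    rather than Set-Service is needed to change its start type.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\baseline.xml'
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 5. "Don't trust any app until it proves itself": ask the policy what it would decide
#    for an unknown binary, then check the binary's Authenticode signature.
$target = 'C:\Users\alice\Downloads\tool.exe'
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\baseline.xml' -Path $target -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule
$sig = Get-AuthenticodeSignature -FilePath $target
'{0}: signature {1} (signer: {2})' -f $target, $sig.Status, $sig.SignerCertificate.Subject

# 6. Require signed scripts. Execution policy is a guardrail, not a security boundary
#    (anyone who can already run code can bypass it); the allow-list above is the control.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 7. The alerting half of the tip: event 8003 = would have been blocked (audit mode),
#    event 8004 = blocked. Forward these with Windows Event Forwarding and alert on them.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Review the 8003 events for a week or two before changing `AuditOnly` to `Enabled`; each one is either a missing rule you need to add or the exact kind of unexpected executable the allow-list exists to catch.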

Conclusion

As we face this new wave of cyber threats, it’s clear that the line between safety and risk is getting harder to see. In our connected world, every system, device, and tool can either protect us or be used against us. Staying safe now means more than just better defenses; it means staying aware of new tactics that change every day. From banking to the systems that keep our cities running, no area is immune to these risks.

Moving forward, the best way to protect ourselves is to stay alert, keep learning, and always be ready for the next threat. Don’t forget to subscribe for our next edition. 👋