top of page

Threat Intelligence, June 13, 2024

In the shadowy corners of the cyber world, a Pakistan-based threat actor called Cosmic Leopard has unleashed a sinister campaign dubbed Operation Celestial Force. This intricate malware offensive has been targeting Windows, Android, and macOS platforms since 2018, with a trio of malicious tools in its arsenal, primarily aimed at Indian organizations and individuals.

Meanwhile, a critical vulnerability has cast a dark shadow over Apple devices. This flaw, lurking within the NSXPC component, grants unauthorized access, putting user data and business information at grave risk, compromising privacy safeguards.

Are you planning to score tickets for the Paris 2024 Summer Olympics? Be wary of the digital predators donning the garb of legitimacy! Cybersecurity researchers at Proofpoint have unmasked a devious scam – fraudulent websites masquerading as authorized ticket vendors for the upcoming Games. These cunning counterfeits even managed to secure sponsored listings on Google, luring unsuspecting fans into their trap. In an era where cyber trickery runs rampant, and every too-good-to-be-true offer could be a meticulously disguised ruse, staying vigilant is paramount.

Top Malware Reported in the Last 24 Hours

Operation Celestial Force

An insidious malware offensive, codenamed Operation Celestial Force, has been unleashed by the Pakistani cyber menace known as Cosmic Leopard. This relentless campaign, active since at least 2018, wields a trio of malicious tools - GravityRAT, HeavyLift, and GravityAdmin - capable of infiltrating Windows, Android, and macOS systems. Indian entities, particularly those linked to defense, government, and technology sectors, have borne the brunt of these attacks.

New phishing kit emerges

Cybercriminals have a new weapon in their arsenal - a phishing toolkit that enables the creation of deceptive Progressive Web Apps (PWAs). These PWAs can seamlessly blend with the operating system, sporting convincing corporate login forms aimed at stealing user credentials. The toolkit's fake address bar, mimicking legitimate URLs, adds an extra layer of trickery. Threat actors can now craft websites promoting bogus software or remote management tools, luring victims with a seemingly innocuous PWA installation.

PhantomLoader drops SSLoad malware

A new and nefarious malware strain, SSLoad, is being disseminated through a previously undetected loader called PhantomLoader. This cunning loader evades detection by modifying legitimate files. SSLoad has been employed to deploy the infamous Cobalt Strike, employing various evasion techniques. Delivered through an MSI installer, its final payload communicates with a command-and-control server to download additional malware payloads, perpetuating a vicious cycle of persistent operation.

Top Vulnerabilities Reported in the Last 24 Hours

Critical vulnerability in Apple platforms

A critical security flaw (CVE-2024-27801) lurks within Apple platforms, granting threat actors unauthorized access and posing severe risks to user and business data security. This vulnerability, rooted in the low-level implementation of NSXPC, could enable attackers to compromise security features and gain extensive control over affected devices. The potential consequences are dire, ranging from data exfiltration to weakened privacy and security assurances, jeopardizing both users and businesses.

Did Black Basta abuse Windows zero-day?

Symantec has revealed that the notorious Cardinal cybercrime group, operators of the Black Basta ransomware, may have exploited a recently patched Windows privilege escalation vulnerability as a zero-day before its public disclosure. The vulnerability (CVE-2024-26169), found in the Windows Error Reporting Service, allows attackers to elevate their privileges. Although patched on March 12, analysis suggests the group's exploit tool may have been compiled prior to the patch, indicating its potential abuse as a zero-day.

Firefox 127 comes with 15 patched bugs

Mozilla has released Firefox 127, addressing 15 security vulnerabilities. The fixes range from high to low impact, mitigating potential consequences such as memory corruption, phishing vectors, and user confusion. Mozilla strongly urges all users to update to Firefox 127 to safeguard their browsers against these vulnerabilities.

Top Scams Reported in the Last 24 Hours

Phishing emails exploit Windows Search

A new phishing campaign has emerged, leveraging HTML attachments to launch Windows searches on remote servers, enabling threat actors to deliver malware. The attackers abuse the Windows search protocol to conceal malicious files, luring victims into clicking on them. The HTML attachment masquerades as an invoice document, automatically opening a malicious URL upon launch. If the automatic redirect fails, a clickable link serves as a backup. The search parameters disguise the server as a legitimate source, and if the victim clicks on the file, a batch script hosted on the server is triggered, initiating the attack.

Criminals impersonate CISA employees

The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a disturbing trend where criminals impersonate its employees through phone calls, attempting to trick victims into sending money. This alarming tactic is part of a broader scheme where fraudsters exploit the authority and legitimacy of government employees' titles and names to lend credibility to their scams. CISA has reiterated that its staff will never contact individuals requesting wire transfers, cash, cryptocurrency, gift cards, or insist on keeping discussions secret.

Fraudulent Olympics ticketing websites

Proofpoint has uncovered a devious scheme involving a fraudulent website, paris24tickets[.]com, masquerading as a legitimate ticket vendor for the Paris 2024 Summer Olympic Games. The website's convincing appearance, even appearing as a sponsored result on Google, adds to its deceptive allure. Users can select and purchase tickets, potentially revealing personal and payment information to the threat actors behind these sites, who may be attempting to steal money and sensitive data from unsuspecting victims. Proofpoint also discovered a related website, seatsnet[.]com, plagued by numerous complaints from users who failed to receive the tickets they had paid for.

8 views0 comments


bottom of page