Attacks are happening all the time. And if we look closely, there’s always something to learn from them.
Here’s a quick look at three recent cyberattacks that can tell us something useful about the threat landscape or the efficacy of our security strategies.
1. Lumma resorts to YouTube videos
As reported by The Hacker News, threat actors are using YouTube videos to drive downloads of cracked software and deliver the Lumma Stealer malware.
According to Cara Lin (Researcher at Fortinet FortiGuard Labs), the videos themselves usually feature content related to cracked applications, creating a false sense of security by offering seemingly trustworthy installation guides alongside malicious URLs shortened by services like TinyURL and Cuttly.
When a victim unpacks the ZIP installer, they click on a Windows shortcut that is disguised as a setup file. This downloads a loader from a GitHub repository, which executes a series of anti-debugging checks and then loads the stealer payload.
Lumma Stealer has been available on underground forums since 2022. It harvests and exfiltrates sensitive data to a server controlled by the threat actor.
The use of YouTube as a platform for reaching victims is worth noting. Recently, Bitdefender reported that cybercriminals were performing stream-jacking attacks on YouTube, installing RedLine Stealer to steal credentials and enable crypto scams. Attacks similar to the Lumma strategy have been observed before, for example when the Aurora information stealer was distributed via YouTube videos in early 2023.
If there’s one thing to take away from this, it’s to include YouTube in your security awareness training programmes.
2. Sea Turtle comes back to the surface
It’s been widely reported that the Turkish APT known as Sea Turtle has become active again. It’s a threat group aligned with the interests of the Turkish government, known to target Kurdish opposition groups by compromising supply-chain targets.
We haven’t heard much about Sea Turtle for a while now. But new campaigns tracked by research group Hunt & Hackett suggest that it’s been active again, accessing its targets’ cPanel web hosting environments via a VPN connection and then dropping an information-gathering reverse shell, SnappyTCP.
It’s a reminder that although ransomware is a growing problem, it’s not the only issue that organisations and governments around the world are facing. Espionage via cyber threat actors is also on the rise.
3. A zero-day in Apache’s ERP framework
A vulnerability in Apache OFBiz, listed as CVE-2023-51467, was disclosed in December 2023. The Apache Software Foundation had released a patch for a related vulnerability, but the patch didn’t guard against other variations of the attack, which allows a threat actor to access information and remotely execute code through the ERP framework (according to analysis by SonicWall).
As-yet-unknown threat groups have launched probes to analyse the patch and identify ways to bypass it.
It shows us that attackers are using patches themselves to analyse potential weaknesses and alternative routes into a network, finding ways around the existing fixes.
In short, disclosing a patch brings malicious attention to that patch, so your fixes need to be truly sound.
Never bury your head in the sand
When people ask us why we’re always reading about the latest reported attacks, we tell them this:
Because it’s better to know what’s happening and to learn from it than to bury your head in the sand. Approach attacks with curiosity, and you can avoid repeating other people’s mistakes.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!