Intel Wrap – May

June 16, 2024
Musa Nadir Sani

This month's wrap covers the Google Chrome zero-day vulnerability, the Microsoft Exchange Server vulnerabilities being exploited to deploy keylogger malware, the Kimsuky hacking group's social engineering campaign via Facebook Messenger, and the gift card fraud campaign run by Storm-0539.

Google Chrome Zero-day vulnerability

Google has rolled out security updates to fix a zero-day vulnerability in Chrome that was already being exploited in the wild at the time of the fix.

Summary

  • The vulnerability, tracked as CVE-2024-4671, is a use-after-free (UAF) bug in Chrome's Visuals component.
  • A UAF bug occurs when a program keeps using a memory location after that memory has been freed. The freed block can be handed out again to hold different, possibly attacker-controlled, data, so the stale reference now points at something it was never meant to. The result ranges from crashes to exploitable conditions such as remote code execution or privilege escalation.
  • The bug was reported by an anonymous researcher on May 7, 2024, and Google confirmed that an exploit for it existed in the wild.
  • This is the second actively exploited Chrome zero-day that Google has addressed since the start of 2024.
  • Google has fixed three other vulnerabilities in the past couple of months, all demonstrated at Pwn2Own Vancouver 2024: CVE-2024-2886 (use-after-free in WebCodecs), CVE-2024-2887 (type confusion in WebAssembly), and CVE-2024-3159 (out-of-bounds memory access in V8).
  • Chrome users should update to version 124.0.6367.201/.202 for Windows and macOS, or 124.0.6367.201 for Linux.
  • Users of other Chromium-based browsers (Microsoft Edge, Brave, Opera, and Vivaldi) should apply the equivalent fixes as their vendors release them.
  • Read more about the vulnerability here, and more about use-after-free vulnerabilities here.
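To make the use-after-free mechanism concrete, here is an added example (not Chrome code, and not from the original post) built around a tiny slot allocator. Chrome's own allocator and object types are far more complex; the pool, the Object type, the handle layout and the scenario below are all constructed for illustration. The unsafe dereference trusts a stale index and therefore reads whatever object now occupies the freed slot; the checked dereference carries a generation counter in the handle, so a dangling handle is refused instead of silently aliasing the new occupant.

```c
/* Added example: a slot allocator whose handles carry a generation counter,
 * so a stale (dangling) handle is detected rather than silently aliasing the
 * object that now occupies the freed slot. Illustrates the use-after-free
 * bug class; it is not Chrome code. All names and data are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4

typedef struct {
    char name[16];
    int  privileged;          /* 1 = privileged object, 0 = unprivileged */
} Object;

typedef struct {
    Object   obj;
    uint32_t generation;      /* bumped on every free of this slot */
    int      in_use;
} Slot;

typedef struct {
    uint16_t index;           /* which slot */
    uint32_t generation;      /* slot generation at allocation time */
} Handle;

static Slot pool[POOL_SLOTS];

/* Allocate the first free slot and return a handle to it. */
Handle pool_alloc(const char *name, int privileged) {
    for (uint16_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            memset(&pool[i].obj, 0, sizeof pool[i].obj);
            strncpy(pool[i].obj.name, name, sizeof pool[i].obj.name - 1);
            pool[i].obj.privileged = privileged;
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT16_MAX, 0 };   /* pool exhausted */
}

/* Free a slot; bumping the generation invalidates every outstanding handle. */
void pool_free(Handle h) {
    if (h.index >= POOL_SLOTS || !pool[h.index].in_use) return;
    pool[h.index].in_use = 0;
    pool[h.index].generation++;
}

/* Unsafe: trusts the index alone, like a raw pointer kept past free(). */
Object *deref_unsafe(Handle h) {
    if (h.index >= POOL_SLOTS) return NULL;
    return &pool[h.index].obj;
}

/* Checked: the generation must still match, so a dangling handle yields NULL. */
Object *deref_checked(Handle h) {
    if (h.index >= POOL_SLOTS || !pool[h.index].in_use) return NULL;
    if (pool[h.index].generation != h.generation) return NULL;
    return &pool[h.index].obj;
}

/* Scenario: an unprivileged object is freed, its slot is reused for a
 * privileged one, then a stale handle to the old object is dereferenced.
 * Returns the privileged flag the stale handle sees, or -1 if refused. */
int stale_handle_sees_privilege(int checked) {
    memset(pool, 0, sizeof pool);
    Handle victim = pool_alloc("guest-session", 0);
    pool_free(victim);                               /* object freed ...   */
    Handle reuse = pool_alloc("admin-session", 1);   /* ... slot reused    */
    (void)reuse;
    Object *o = checked ? deref_checked(victim) : deref_unsafe(victim);
    return o ? o->privileged : -1;
}

int main(void) {
    printf("unsafe deref of stale handle sees privileged=%d\n",
           stale_handle_sees_privilege(0));
    printf("checked deref of stale handle returns %d (refused)\n",
           stale_handle_sees_privilege(1));
    return 0;
}
```

The unsafe path returns 1: the stale handle now reads the privileged object that replaced the freed one, which is exactly the confusion an attacker grooms the heap to produce. The generation check is the same idea behind mitigations such as Chromium's BackupRefPtr and quarantined allocators: make a freed reference fail closed instead of pointing at whatever came next.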

Microsoft Exchange Server Vulnerability

An as-yet-unnamed threat actor has been exploiting security vulnerabilities in Microsoft Exchange Server to deploy keylogger malware in attacks against targets in Africa and the Middle East.

Summary

  • So far, Russian cybersecurity firm Positive Technologies has identified more than 30 victims spanning government agencies, IT companies, banks and educational institutions.
  • The earliest known compromise dates back to 2021.
  • The keylogger was observed writing captured account credentials to a file reachable from the internet via a specific path on the server.
  • Countries targeted by the intrusion set include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
  • The attack chain starts with the exploitation of the three ProxyShell vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, which Microsoft patched in 2021. Servers still unpatched three years later remain exposed.
  • Successful exploitation lets an attacker bypass authentication, elevate privileges, and achieve unauthenticated remote code execution on the server.
  • Read more about it here.

Kimsuky Hacking Group Social Engineering campaign via Facebook Messenger

The North Korea-linked hacking group Kimsuky has been identified as the group behind a new social engineering campaign that uses fake Facebook accounts against its victims. The attackers engage individuals through Facebook Messenger with the ultimate aim of delivering malware.

Summary

  • The attack proceeds in four steps: creating fictitious Facebook accounts, engaging targets via Facebook Messenger, delivering decoy documents, and finally using MSC (Microsoft Management Console snap-in) files.
  • When the victim opens the MSC file and consents to launching Microsoft Management Console (MMC), they are shown a console window containing what appears to be a Word document; opening it triggers the attack sequence.
  • The attack sequence includes data exfiltration and command-and-control stages.
  • Read more about the campaign here.

Gift card Fraud and Storm-0539

Between March and May 2024, threat researchers observed a 30% rise in intrusion activity by the threat actor Storm-0539.

Summary

  • Storm-0539 is a threat actor group operating out of Morocco that focuses on compromising cloud and identity services in the criminal targeting of gift card portals linked to large retailers, luxury brands and well-known fast-food restaurants across several countries.
  • According to Microsoft, Storm-0539 uses deep reconnaissance and sophisticated cloud-based techniques to target gift card creators, similar to espionage campaigns by nation-state actors.
  • The group has been active since late 2021 and initially focused on stealing payment card data with point-of-sale (POS) malware.
  • For initial access, Storm-0539 sends smishing texts to employees' personal and work mobile phones in order to take over their accounts at the target organization. Once it has an account, it uses that access to read employee directories and schedules, contact lists and email inboxes as reconnaissance for the gift card systems.
  • Once an account has been compromised, a complete mapping of the network is done.
  • To disguise themselves and their infrastructure during attacks, the group presents itself as a legitimate organization to cloud providers to gain temporary application, storage, and other initial free resources for their attack activity.
  • Read more about the attack campaign here
