Threat Intel Update
As Cybersecurity Awareness Month wraps up, CISA emphasizes the critical role of recognizing and reporting phishing emails. With artificial intelligence making phishing attempts increasingly sophisticated, spotting these threats can be challenging. If you identify a phishing email, resist the urge to investigate it yourself: report it immediately and do not click any links.
Cyber threat actors use stolen credentials not only to access systems but also to market them to other malicious actors. Tools like the newly observed Lumma Stealer are commonly deployed in fresh phishing campaigns to harvest valuable information.
Cybersecurity News
- Google Launches New Vulnerability Reward Program (VRP) for Google Cloud – The new program specifically covers products and services associated with Google Cloud, separating them from the broader Google Vulnerability Reward Program (VRP). This separation is intended to speed up and improve the handling of security issues within Google Cloud. Security researchers can earn rewards of up to $101,000 for discovering vulnerabilities in Google Cloud products. Security Week
- Updates to Qilin Ransomware Increase Evasion Capabilities – The latest version, known as Qilin.B, incorporates an updated encryption method designed to prolong the encryption process. Qilin has been upgraded to disable security tools and services, including Sophos, the Windows Volume Shadow Copy Service, Veeam, and more. After encrypting the victim’s files, the ransomware deletes its own binary and clears the Windows Event Logs to cover its tracks. Bleeping Computer
- Cisco Confirms Data Breach Following Cyber Threat Actor Offers to Sell Cisco Data on Cybercrime Forum – The cyber threat actor IntelBroker claims to have accessed data from Cisco’s GitHub and SonarQube projects, including encryption keys and API tokens. To support their claims, IntelBroker released screenshots showing access to Cisco’s environment. Cisco’s investigation revealed that IntelBroker had gained access to the company’s public-facing DevHub environment, prompting Cisco to disable access to this environment as a precautionary measure. Security Week
- New Campaign to Distribute Lumma Stealer Using Fake CAPTCHA Pages – Victims are redirected to fraudulent CAPTCHA pages where they are prompted to click “I’m not a robot.” Clicking this button initiates a sequence of actions that ultimately triggers a PowerShell command, leading to the download of malware onto the victim’s system. Once Lumma Stealer is installed, it scans for and exfiltrates data, specifically targeting files containing keywords related to cryptocurrency. The threat actors have been using “.shop” domains as command-and-control (C2) servers to exfiltrate the stolen data. Qualys
- Amazon Identifies Cyber Infrastructure Used by Russian Intelligence Service – The infrastructure supported phishing campaigns targeting various government agencies and military entities, aiming to capture Windows credentials via Microsoft Remote Desktop. These phishing emails used a lure centered on zero trust architecture and a purported integration between Amazon and Microsoft to entice victims into interacting with the emails. Security Week
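The Qilin.B and Lumma Stealer items above each describe behaviour a defender can look for: protected services being stopped before the event logs are cleared, and a PowerShell process reaching out to a ".shop" command-and-control domain. The following Python is an added detection example written for this briefing; it is not code from CISA or from any of the cited sources. The Windows event IDs (1102, 104, 7036) are general knowledge rather than taken from the briefing, and the host names, service display names, event messages and proxy records are constructed sample data.

```python
"""Detection rules for two behaviours described in the briefing (added example).

Rule 1 (Qilin-like): a host stops one of the protected services named in the
briefing and then clears a Windows event log.
Rule 2 (Lumma-like): powershell.exe opens an outbound connection to a ".shop" host.
"""
from dataclasses import dataclass

# Windows event IDs (general knowledge, not taken from the briefing)
SECURITY_LOG_CLEARED = 1102   # Security channel: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104      # System channel: "The ... log file was cleared"
SERVICE_STATE_CHANGE = 7036   # Service Control Manager state change

# Services the briefing names as Qilin.B targets; display-name fragments are assumed
PROTECTED_SERVICES = ("Volume Shadow Copy", "Sophos", "Veeam")


@dataclass
class WinEvent:
    host: str
    event_id: int
    message: str


@dataclass
class ProxyRecord:
    host: str
    process: str
    dest_host: str


def qilin_like_alerts(events):
    """Alert when a log is cleared on a host that earlier stopped a protected service."""
    stopped = {}  # host -> set of protected services seen entering the stopped state
    alerts = []
    for ev in events:
        if ev.event_id == SERVICE_STATE_CHANGE and "entered the stopped state" in ev.message:
            for svc in PROTECTED_SERVICES:
                if svc in ev.message:
                    stopped.setdefault(ev.host, set()).add(svc)
        elif ev.event_id in (SECURITY_LOG_CLEARED, SYSTEM_LOG_CLEARED):
            svcs = stopped.get(ev.host)
            if svcs:  # a cleared log with no prior service tampering is not flagged here
                alerts.append(
                    f"{ev.host}: log cleared (event {ev.event_id}) after stopping {sorted(svcs)}"
                )
    return alerts


def lumma_like_alerts(records):
    """Alert when powershell.exe is the originating process of a connection to a .shop host."""
    alerts = []
    for rec in records:
        if rec.process.lower() == "powershell.exe" and rec.dest_host.lower().endswith(".shop"):
            alerts.append(f"{rec.host}: powershell.exe connected to {rec.dest_host}")
    return alerts


# Constructed sample telemetry: WS01 shows the Qilin-like sequence, WS02 clears a log
# after stopping an unrelated service, WS03 uses PowerShell for a legitimate destination.
SAMPLE_EVENTS = [
    WinEvent("WS01", 7036, "The Volume Shadow Copy service entered the stopped state."),
    WinEvent("WS01", 7036, "The Sophos Endpoint Defense Service service entered the stopped state."),
    WinEvent("WS01", 1102, "The audit log was cleared."),
    WinEvent("WS02", 7036, "The Print Spooler service entered the stopped state."),
    WinEvent("WS02", 104, "The System log file was cleared."),
]
SAMPLE_PROXY = [
    ProxyRecord("WS01", "powershell.exe", "update-check.shop"),   # constructed C2-style host
    ProxyRecord("WS01", "chrome.exe", "example.shop"),            # browser traffic, not flagged
    ProxyRecord("WS03", "powershell.exe", "login.microsoftonline.com"),
]

if __name__ == "__main__":
    for line in qilin_like_alerts(SAMPLE_EVENTS) + lumma_like_alerts(SAMPLE_PROXY):
        print(line)
```

Only WS01 trips either rule: the log-clearing on WS02 is ignored because no protected service was stopped first, and the browser visit to a ".shop" site is ignored because the rule keys on the PowerShell process, not the TLD alone. In a real deployment these records would come from Sysmon, the Windows event channels, or a proxy or EDR feed rather than the embedded lists.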