Threat Briefing: October 18, 2024

In recognition of Cybersecurity Awareness Month, the Cybersecurity and Infrastructure Security Agency (CISA) is emphasizing the critical role of software updates in protecting against cyber threats. Since the beginning of the year, CISA has identified and added 144 vulnerabilities to their Known Exploited Vulnerability Catalog—security gaps that malicious actors have used to infiltrate computer networks nationwide.

• EDRSilencer Tool Used by Cyber Threat Actors to Counter Endpoint Detection & Response (EDR) – The EDRSilencer tool, leveraged by cyber threat actors, is designed to counter Endpoint Detection and Response (EDR) systems by blocking outbound traffic from active EDR processes using the Windows Filtering Platform. It can interfere with the functionality of EDR solutions from providers like Microsoft, SentinelOne, Trend Micro, and others. By deploying EDRSilencer, attackers can evade detection, allowing them to install malware on target systems without being flagged by the victim’s EDR. The Hacker News
• Infostealers Delivered by Malicious Google Meet Invites – The campaign, tracked as ClickFix, has been active since June 2024, targeting both macOS and Windows users. Victims are deceived by a message that directs them to a website containing malicious PowerShell code, which they are prompted to execute manually. Windows users are infected with Rhadamanthys and StealC stealers, while macOS users are compromised by the Atomic malware. Sekoia
• North Korean Government Engages in Extortion of Companies Hiring North Korean Affiliated Information Technology Workers – Companies across the U.S., Europe, and Australia have unknowingly hired IT workers from North Korea, who used stolen or fake identities to secure employment. The salaries earned by these workers are funneled to support North Korea’s military program. Investigations into this scheme have uncovered instances where these North Korean IT workers exfiltrate sensitive data from companies and then demand ransom payments for its return. The Record
• Chinese Government Claims Cyber Threat Actor Group Volt Typhoon is a Creation by U.S. Government – China’s National Computer Virus Emergency Response Center (CVERC) has accused the U.S. government and its allies of conducting cyber espionage against various countries, including China. CVERC previously claimed that reports on the Volt Typhoon cyber-espionage campaign were part of a U.S.-driven misinformation effort and denied that Volt Typhoon had compromised military bases in Guam, as previously alleged. The CVERC also criticized several U.S.-based technology companies for their involvement in identifying and attributing cyber threat groups. The Hacker News
• Microsoft’s Administrator Protection Feature to Limit Elevation of Privilege Feature to Counter Cyber Threat Actor Activity – The new feature is part of the preview edition of Windows updates, marking a shift from Microsoft’s current “split token” model for administrator accounts. The Administrator Protection feature enhances security but is not enabled by default. To activate it, administrators will need to configure it through group policy settings. Dark Reading