Threat Briefing: September 6, 2024

This week, the U.S. government indicted five Russian military members for their involvement in computer intrusions targeting organizations across North America and Europe. Additionally, a cyber criminal linked to multiple business email compromise schemes was sentenced.

While legal actions against cyber actors are crucial for mitigating threats, it’s also important to stay vigilant about online interactions. Researchers recently revealed a campaign distributing malware using a fake version of the GlobalProtect VPN.

• Five Members of Russian Military Indicted by U.S. Government for Cyber Activity Against NATO Countries – The U.S. government has previously indicted a Russian civilian in addition to the five Russian military members. These six individuals, associated with Russia’s Main Intelligence Directorate, are linked to efforts to steal and leak data from the Ukrainian government and have also been involved in computer attack attempts against the U.S. and NATO members. U.S. Department of Justice
• Malicious Version of GlobalProtect VPN Used to Deploy WIkiLoader Malware – The malicious activity was first observed in June 2024. Cyber threat actors are using deceptive ads for GlobalProtect VPN to direct victims to malicious websites that initiate the infection process. Victims are tricked into downloading a legitimate application that has been renamed to impersonate GlobalProtect, along with a malicious DLL file involved in downloading WikiLoader. After installation, victims receive a fake error message indicating missing libraries, further facilitating the attack. The Hacker News
• Microsoft to Disable ActiveX Controls by Default in October – This change is a result of Office 2024 launching in October. With the launch of Office 2024 in October, users will no longer be able to create or interact with ActiveX objects by default, as announced by Microsoft. However, ActiveX controls can still be enabled through changes to group policy settings, the registry, or Trust Center Settings. ActiveX controls have been used by various nation-state and cybercriminal actors to exploit zero-days and install malware on victim systems. Bleeping Computer
• Two Nigerian National Sentenced for Participating in Business Email Compromise (BEC)Scheme – Between 2016 and 2021, the two individuals, along with several co-conspirators, were involved in criminal activities. They sent phishing emails containing malware to victims, who were then deceived into making wire transfers to accounts controlled by the criminal actors. This scheme led to a loss of $5 million for the victim organizations. U.S. Department of Justice
• “Revival Hijack” Method Used to Distribute Malware on PyPi Package Repository – Cyber threat actors can re-register malicious packages using names of legitimate packages that were previously registered but are no longer in the PyPi repository. Users trying to update to the latest version of a package might inadvertently install the malicious version. Researchers identified around 120,000 packages removed from PyPi that could potentially be used to distribute malware. To address this, researchers have implemented measures to reduce the risk of cybercriminals re-registering these packages. Dark Reading