
Defx Cyber Labs

Blogs & Articles

Zero-Click Flaw Exposes Potentially Millions of Synology Devices to Risk

Synology, a leading Taiwanese manufacturer of network-attached storage (NAS) devices, quickly addressed two critical zero-day vulnerabilities discovered during the recent Pwn2Own hacking event. The vulnerabilities, identified as CVE-2024-10443 and dubbed RISK:STATION, were found by Midnight Blue security researcher Rick de Jager in Synology Photos and BeePhotos for BeeStation software. These zero-click vulnerabilities, demonstrated on a Synology BeeStation BST150-4T, allowed remote attackers to execute code with root access on vulnerable, internet-exposed NAS systems. Immediately following the demonstration, Synology was informed, and within 48 hours, patches were released to mitigate the risks. Midnight Blue highlighted the urgent need for users to apply these updates due to the high potential for criminal misuse and the millions of devices potentially impacted. To reinforce this urgency, a media announcement was also made to encourage users to take immediate action.

CACTUS Ransomware Strikes with Qlik Sense Exploits: Microsoft issues Malvertising Warning

Microsoft has issued an alert on a fresh wave of CACTUS ransomware attacks utilizing malvertising to deploy DanaBot, orchestrated by the ransomware operator Storm-0216 (Twisted Spider, UNC2198). DanaBot, identified as Storm-1044, functions as a versatile tool, akin to Emotet and TrickBot, capable of stealing data and serving as a gateway for subsequent payloads. UNC2198, previously associated with IcedID, has a history of deploying ransomware like Maze and Egregor. Microsoft disclosed the threat actor’s shift from QakBot to DanaBot, likely influenced by a law enforcement operation in August 2023. The current DanaBot campaign, observed since November, employs a private version of the info-stealing malware. Credentials harvested by the malware are sent to an actor-controlled server, enabling lateral movement and granting access to Storm-0216. This revelation follows recent reports of CACTUS ransomware attacks exploiting vulnerabilities in Qlik Sense and the emergence of a macOS ransomware strain called Turtle.

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

The intrusions were attributed to a threat actor named Forest Blizzard (formerly Strontium), also known as APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The exploited security vulnerability, CVE-2023-23397 (CVSS score: 9.8), was a critical privilege escalation bug patched by Microsoft in March 2023. This bug could allow an adversary to access a user's Net-NTLMv2 hash, potentially leading to a relay attack against another service to authenticate as the user. The Polish Cyber Command (DKWOC) stated that the goal was to gain unauthorized access to mailboxes of public and private entities in the country. In the subsequent malicious activity stage, the adversary modified folder permissions within the victim's mailbox, particularly changing the default permissions of the 'Default' group to 'Owner'. This alteration allowed the threat actor to read the contents of mailbox folders with the modified permissions, extracting valuable information from high-value targets. Notably, these modifications enabled the maintenance of unauthorized access even after direct access to the mailbox was lost.

Undisclosed Cyber Threat Actor Unleashes Advanced AeroBlade Attack on U.S. Aerospace Organization

The BlackBerry Threat Research and Intelligence team is actively monitoring this series of activities, code-named AeroBlade. The origin of the threat remains unknown, and the success of the attack remains uncertain. As outlined in an analysis published last week, the attacker employed spear-phishing as the delivery mechanism. Specifically, a weaponized document was sent as an email attachment, containing an embedded remote template injection technique and a malicious VBA macro code to facilitate the execution of the next stage of the payload. The network infrastructure used for the attack became operational around September 2022, with the offensive phase taking place almost a year later in July 2023. Notably, the adversary took steps to refine its toolset during this interim period, aiming to enhance stealthiness. The initial attack, which unfolded in September 2022, began with a phishing email featuring a Microsoft Word attachment. Upon opening, the attachment utilized a technique called remote template injection to retrieve a next-stage payload, activated once the victim allowed macros.

Silent Intrusion: Thailand Telecom Companies Face Covert ‘Krasue’ Linux Trojan

An unidentified Linux remote access trojan, Krasue, has been identified targeting telecommunications firms in Thailand, with threat actors utilizing it to establish covert access to victim networks since at least 2021. Named after a nocturnal female spirit in Southeast Asian folklore, the malware possesses the capability to conceal its presence during the initialization phase, as reported by Group-IB in a document shared with The Hacker News. The specific initial access vector for deploying Krasue remains undisclosed, though suspicions point towards potential vulnerability exploitation, credential brute-force attacks, or distribution through deceptive software packages or binaries. The extent of the campaign is yet to be determined. The trojan’s fundamental functionalities are executed through a rootkit, derived from open-source projects like Diamorphine, Suterusu, and Rooty, enabling it to persist on the host inconspicuously. This prompts speculation that Krasue might be employed within a botnet or traded by initial access brokers to other cybercriminals, including ransomware affiliates seeking specific targets.