The Daily Decrypt is a podcast hosted by the Digital Security Collective where we strip down the complex world of cybersecurity into bite-sized, digestible nuggets of wisdom. With a sprinkle of humor, a dash of education, and a commitment to high-quality production, we're here to transform how you understand and interact with the cyber universe.
The Daily Decrypt is a podcast hosted by the Digital Security Collective where we strip down the complex world of cybersecurity into bite-sized, digestible nuggets of wisdom. With a sprinkle of humor, a dash of education, and a commitment to high-quality production, we’re here to transform how you understand and interact with the cyber universe.
Video Episode: https://youtu.be/7et_7YkwAHs
In today’s episode, we dive into the alarming rise of malware delivery through fake job applications targeting HR professionals, specifically focusing on the More_eggs backdoor. We also discuss critical gaming performance issues in Windows 11 24H2 and the vulnerabilities in DrayTek routers that expose over 700,000 devices to potential hacking. Lastly, we address the urgent exploitation of a remote code execution flaw in Zimbra email servers, emphasizing the need for immediate updates to safeguard against evolving threats.
Links to articles:
1. https://thehackernews.com/2024/10/fake-job-applications-deliver-dangerous.html
2. https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-windows-11-24h2-gaming-performance-issues/
3. https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html
4. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/
Timestamps
00:00 – Introduction
01:14 – Zimbra RCE Vulnerability
02:17 – 700k DrayTek Routers Vulnerable
04:36 – Recruiters Targeted with Malware
06:14 – Microsoft blocks updates for gamers
1. What are today’s top cybersecurity news stories?
2. How is More_eggs malware targeting HR professionals?
3. What vulnerabilities exist in DrayTek routers?
4. Why did Microsoft block Windows 11 24H2 upgrades?
5. What is the impact of the Zimbra RCE flaw?
6. How do fake job applications spread malware?
7. What security measures can protect against More_eggs malware?
8. What are the latest gaming issues with Windows 11?
9. How can DrayTek router vulnerabilities be mitigated?
10. What are the latest tactics used by cybercriminals in email attacks?
More_eggs, Golden Chickens, spear-phishing, credential theft, Microsoft, Windows 11, Asphalt 8, Intel Alder Lake+, DrayTek, vulnerabilities, exploits, cyber attackers, Zimbra, RCE, vulnerability, exploitation,
# Intro
HR professionals are under siege as a spear-phishing campaign disguised as fake job applications delivers the lethal More_eggs malware, leading to potentially devastating credential theft. Powered by the notorious Golden Chickens group, this malware-as-a-service targets recruiters with chilling precision.
**How are recruitment officers unknowingly downloading malicious files, and what methods are threat actors using to bypass security measures?**
“Microsoft is blocking Windows 11 24H2 upgrades on some systems due to critical gaming performance issues like Asphalt 8 crashes and Easy Anti-Cheat blue screens. The company is scrambling to resolve these problems that uniquely impact devices with Intel Alder Lake+ processors.”
How can gamers with affected systems work around these issues until Microsoft releases a fix?
Over 700,000 DrayTek routers are currently vulnerable to 14 newly discovered security flaws, with some critical exploits that could be used to take full control of the devices and infiltrate enterprise networks. Despite patches being released, many routers remain exposed, creating a lucrative target for cyber attackers.
How can these vulnerabilities impact businesses that rely on DrayTek routers for network security?
Hackers are leveraging a critical Zimbra RCE vulnerability to backdoor servers through specially crafted emails that execute malicious commands, revealing widespread exploitation just days after a proof-of-concept was published. Notable security experts warn of attackers embedding harmful code in the email’s CC field, which the Zimbra server inadvertently executes.
How are attackers camouflaging their malicious emails to slip through security measures unnoticed?
# Stories
Welcome back to our podcast. Today, we’re talking about a new cyber threat targeting HR professionals. Researchers at Trend Micro have uncovered a spear-phishing campaign where fake job applications deliver a JavaScript backdoor called More_eggs to recruiters. This malware, sold as malware-as-a-service by a group known as Golden Chickens, can steal credentials for online banking, email accounts, and IT admin accounts.
What’s unique this time is that attackers are using spear-phishing emails to build trust, as observed in a case targeting a talent search lead in engineering. The attack sequence involves downloading a ZIP file from a deceptive URL, leading to the execution of the More_eggs backdoor. This malware probes the host system, connects to a command-and-control server, and can download additional malicious payloads.
Trend Micro’s findings highlight the persistent and evolving nature of these attacks, which are difficult to attribute because multiple threat actors can use the same toolkits. The latest insights also connect these activities to known cybercrime groups like FIN6. Stay vigilant, especially if you work in HR or recruitment.
1. **Spear-Phishing**:
– **Definition**: A targeted phishing attack aiming at specific individuals or companies, typically using information about the victim to make fraudulent messages more convincing.
– **Importance**: This method is specifically dangerous because it can trick even tech-savvy users by exploiting personalized details, leading to significant security breaches like credential theft.
2. **More_eggs**:
– **Definition**: A JavaScript backdoor malware sold as a malware-as-a-service (MaaS) with capabilities to siphon credentials and provide unauthorized access to infected systems.
– **Importance**: Due to its ability to latently steal sensitive information and its widespread use by various e-crime groups, More_eggs represents a significant threat to corporate cybersecurity.
3. **Malware-as-a-Service (MaaS)**:
– **Definition**: A business model where malicious software is developed and sold to cybercriminals who can then use it to conduct attacks.
– **Importance**: This model lowers the barrier of entry for cybercriminals, allowing even those with limited technical skills to launch sophisticated attacks using pre-made malware.
4. **Golden Chickens**:
– **Definition**: A cybercriminal group (also known as Venom Spider) attributed with developing and distributing the More_eggs malware.
– **Importance**: Understanding threat actors like Golden Chickens can help cybersecurity professionals anticipate and defend against specific threat tactics.
5. **Command-and-Control (C2) Server**:
– **Definition**: A server used by threat actors to maintain communications with compromised systems within a target network to execute commands and control malware.
– **Importance**: Disrupting C2 servers is crucial because it can cut off the attacker’s control over their malware, mitigating the threat.
6. **LNK File**:
– **Definition**: A shortcut file in Windows that points to another file or executable.
– **Importance**: Misuse of LNK files in phishing campaigns can lead to automated execution of malicious payloads, making them an effective vector for malware distribution.
7. **PowerShell**:
– **Definition**: A task automation framework from Microsoft consisting of a command-line shell and scripting language.
– **Importance**: PowerShell is often used by attackers to execute and conceal malicious scripts due to its powerful capabilities and integration with Windows.
8. **Tactics, Techniques, and Procedures (TTPs)**:
– **Definition**: The behavior patterns or methodologies used by cyber threat actors to achieve their goals.
– **Importance**: Identifying TTPs helps security professionals understand, detect, and mitigate specific attack strategies used by threat actors.
9. **Obfuscation**:
– **Definition**: The process of deliberately making code or data difficult to understand or interpret.
– **Importance**: Obfuscation is commonly used by malware developers to conceal malicious activities and bypass security mechanisms.
10. **Cryptocurrency Miner**:
– **Definition**: Software used to perform the computational work required to validate and add transactions to a blockchain ledger in exchange for cryptocurrency rewards.
– **Importance**: Unauthorized cryptocurrency mining (cryptojacking) can misuse system resources for financial gain, leading to performance degradation and security vulnerabilities.
—
On today’s tech update: Microsoft has blocked upgrades to Windows 11 version 24H2 on certain systems due to gaming performance issues. Players of Asphalt 8 may encounter game crashes, while some systems running Easy Anti-Cheat might experience blue screens. These problems mainly affect devices with Intel Alder Lake+ processors. Until Microsoft resolves these issues, impacted users are advised not to manually upgrade using tools like the Media Creation Tool. Microsoft is working on fixes and will include them in upcoming updates.
1. **Windows 11 24H2**: A version of Microsoft’s Windows 11 operating system, released in the second half (H2) of 2024. It is significant because it represents Microsoft’s ongoing update cycle aimed at improving system performance and user experience, though it also highlights the challenges of software compatibility and stability.
2. **Asphalt 8 (Airborne)**: A popular racing video game often used for showcasing graphical and processing capabilities of devices. Its relevance lies in exposing potential software and hardware compatibility issues when new operating systems are released.
3. **Easy Anti-Cheat**: A software tool designed to detect and prevent cheating in multiplayer games. It is crucial for maintaining fair play and integrity in online gaming environments but can pose compatibility challenges with system updates.
4. **Blue Screen of Death (BSoD)**: An error screen displayed on Windows computers following a system crash. It is important as it signals serious software or hardware issues that could affect system stability and data integrity.
5. **Intel Alder Lake+ processors**: A generation of Intel’s microprocessors known for their hybrid architecture design. Understanding these chips is important for recognizing which systems might be more susceptible to the reported compatibility issues.
6. **vPro platform**: A set of Intel technologies aimed at enhancing business security and manageability. It’s critical to cybersecurity professionals because it allows for hardware-level encryption and more robust security management, but compatibility with OS updates can be problematic.
7. **MEMORY_MANAGEMENT error**: A specific type of error indicating system memory management problems, often leading to system crashes. It is crucial for cybersecurity and IT professionals as it affects the stability and reliability of a system.
8. **Compatibility holds (Safeguard IDs)**: Mechanisms employed by Microsoft to prevent system upgrades when known issues are detected. These are essential for protecting users from potential system failures and ensuring a stable computing environment.
9. **Media Creation Tool**: A Microsoft utility used for installing or upgrading Windows OS. It’s important for IT professionals as it provides a means to manually deploy Windows updates, though it highlights the risks of bypassing automatic update safeguards.
10. **KB5043145 (Preview Update)**: A specific Windows update known to cause issues such as reboot loops and connection failures. Understanding these updates is crucial for maintaining system stability and ensuring that deployed systems are free from vulnerabilities and bugs.
—
In a recent cybersecurity alert, over 700,000 DrayTek routers have been identified as vulnerable to hacking due to 14 newly discovered security flaws. These vulnerabilities, found in both residential and enterprise routers, include two rated critical, with one receiving the maximum CVSS score of 10.0. This critical flaw involves a buffer overflow in the Web UI, potentially allowing remote code execution. Another significant vulnerability is OS command injection via communication binaries. The report highlights the widespread exposure of these routers’ web interfaces online, creating a tempting target for attackers, particularly in the U.S. DrayTek has released patches to address these vulnerabilities, urging users to apply updates, disable unnecessary remote access, and utilize security measures like ACLs and two-factor authentication. This development coincides with international cybersecurity agencies offering guidance to secure critical infrastructure, emphasizing the importance of safety, protecting valuable OT data, secure supply chains, and the role of people in cybersecurity.
1. **Vulnerability**: A weakness in a system or software that can be exploited by hackers.
– **Importance**: Identifying vulnerabilities is crucial in cyber security because it helps protect systems from attacks.
2. **Router**: A device that routes data from one network to another, directing traffic on the internet.
– **Importance**: Routers are essential for internet connectivity and their security is vital to prevent unauthorized access to networks.
3. **Buffer Overflow**: A coding error where a program writes more data to a buffer than it can hold, potentially leading to system crashes or unauthorized code execution.
– **Importance**: Buffer overflows are common vulnerabilities that can be exploited to gain control of a system.
4. **Remote Code Execution (RCE)**: A type of vulnerability that allows an attacker to execute code on a remote system without authorization.
– **Importance**: RCE vulnerabilities are highly critical as they enable attackers to take over affected systems.
5. **Cross-site Scripting (XSS)**: A web security vulnerability that allows attackers to inject malicious scripts into content from otherwise trusted websites.
– **Importance**: XSS can be used to steal information, deface websites, and spread malware.
6. **Adversary-in-the-Middle (AitM) Attack**: An attack where the attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
– **Importance**: AitM attacks can lead to data theft, man-in-the-middle proxy attacks, and unauthorized access to sensitive information.
7. **Denial-of-Service (DoS)**: An attack intended to shut down a machine or network, making it inaccessible to its intended users.
– **Importance**: DoS attacks disrupt the availability of services and can cause significant downtime and financial loss.
8. **Access Control List (ACL)**: A list of permissions attached to an object that specifies which users or system processes can access the object and what operations they can perform.
– **Importance**: ACLs are crucial for implementing security policies to control access to resources.
9. **Two-Factor Authentication (2FA)**: A security process in which the user provides two different authentication factors to verify themselves.
– **Importance**: 2FA improves security by adding an additional layer of verification, making it harder for attackers to gain unauthorized access.
10. **Operational Technology (OT)**: Hardware and software that detects or causes changes through direct monitoring and control of physical devices, processes, and events in an enterprise.
– **Importance**: OT security is critical for the functioning and safety of critical infrastructure systems, such as those in manufacturing, power generation, and transportation.
—
Today, we’re discussing a critical remote code execution (RCE) vulnerability in Zimbra email servers, tracked as CVE-2024-45519, which hackers are actively exploiting. This flaw allows attackers to trigger malicious commands simply by sending specially crafted emails, which are processed by Zimbra’s post journal service.
First flagged by Ivan Kwiatkowski of HarfangLab and confirmed by Proofpoint, the exploit involves spoofed emails with commands hidden in the “CC” field. Once processed, these emails deliver a webshell to the server, giving attackers full access for data theft or further network infiltration.
A proof-of-concept exploit was released by Project Discovery on September 27, prompting immediate malicious activity.
Administrators are urged to apply security updates released in Zimbra’s latest versions—9.0.0 Patch 41 and later—or disable the vulnerable postjournal service and ensure secure network configurations to mitigate the threat.
Stay vigilant and update your Zimbra servers immediately to protect against this critical vulnerability.
1. **Remote Code Execution (RCE)**
– **Definition**: A type of security vulnerability that enables attackers to run arbitrary code on a targeted server or computer.
– **Importance**: This flaw can be exploited to gain full control over the affected machine, leading to data theft, unauthorized access, and further network penetration.
2. **Zimbra**
– **Definition**: An open-source email, calendaring, and collaboration platform.
– **Importance**: Popular among organizations for its integrated communication tools, making it a significant target for cyberattacks due to the sensitive data it handles.
3. **SMTP (Simple Mail Transfer Protocol)**
– **Definition**: A protocol used to send and route emails across networks.
– **Importance**: Integral to email services, its exploitation can deliver malicious content to servers and users, forming a vector for cyber-attacks.
4. **Postjournal Service**
– **Definition**: A service within Zimbra used to parse incoming emails over SMTP.
– **Importance**: Its vulnerability can be leveraged to execute arbitrary commands, making it a crucial attack point for hackers.
5. **Proof-of-Concept (PoC)**
– **Definition**: A demonstration exploit showing that a vulnerability can be successfully taken advantage of.
– **Importance**: PoC exploits serve as proof that theoretical vulnerabilities are practical and dangerous, necessitating urgent security responses.
6. **Base64 Encoding**
– **Definition**: A method of encoding binary data into an ASCII string format.
– **Importance**: Often used to encode commands within emails or other data streams to evade basic security detections.
7. **Webshell**
– **Definition**: A type of malicious script that provides attackers with remote access to a compromised server.
– **Importance**: Webshells afford attackers sustained control over a server, allowing for ongoing data theft, disruptions, and further exploits.
8. **CVE (Common Vulnerabilities and Exposures)**
– **Definition**: A list of publicly known cybersecurity vulnerabilities and exposures, identified by unique CVE IDs.
– **Importance**: Helps standardize and track security issues, facilitating communication and management of vulnerabilities across the cybersecurity community.
9. **Patch**
– **Definition**: An update to software aimed at fixing security vulnerabilities or bugs.
– **Importance**: Patching vulnerabilities is critical for protecting systems from attacks exploiting known security flaws.
10. **Execvp Function**
– **Definition**: A function in Unix-like operating systems that executes commands with an argument vector, featuring improved input sanitization.
– **Importance**: By replacing vulnerable functions like ‘popen,’ ‘execvp’ helps prevent the execution of malicious code, thus enhancing system security.
—