This Week in Cyber 22nd November 2024

Analyst Insight

This week in cyber, we have observed a rise in activity from nation-state threat actors actively targeting major telecommunications providers. We can see a pattern of sophisticated attacks aimed at disrupting services and potentially exfiltrating sensitive data. For example, T-Mobile disclosed that they were targeted this week, though it has not yet been confirmed what data, if any, was stolen.

We have also reported on an interesting article written by Lawrence Abrahams, where an increase of SVG Attachments are being utilised in phishing emails to deliver sophisticated phishing documents to the target.

SVG Attachments Used in Phishing Emails to Evade Detection

An article written by Lawrence Abrams at BleepingComputer informs of an increase in threat actors utilising Scalable Vector Graphics (SVG) attachments for phishing or delivering malware. Often disguised as harmless images or documents, these files can contain malicious scripts that execute when opened.

The article shows an example of how this method would be used for phishing. The SVG attachment, when opened, displays an HTML document to the user, disguised as a Microsoft Excel file, prompting the user to log in. This would then send the credentials entered to the threat actor which can be used to compromise the account. This method is particularly concerning as SVG files are typically considered safe and are not always scrutinised by email security filters.

Five Suspects Linked to Scattered Spider Cybercrime Gang Charged

Scattered Spider is a cybercriminal group active since early 2022, composed of individuals between the ages of 19 and 22. With their main motivation being financial, they have primarily targeted customer relationship management (CRM) and business-process outsourcing (BPO) firms, as well as telecommunications and technology companies. On Wednesday, the U.S. Department of Justice (DoJ) released information about five suspects believed to be part of the notorious Scattered Spider cybercrime gang.

“The defendants conducted phishing attacks by sending mass short message service (SMS) text messages to mobile phones of numerous victim companies’ employees messages that purported to be from the victim company or contracted information technology or business services supplier of the victim company.”

All five have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Four of the suspects reside in Texas, Florida, and North Carolina, while one lives in the United Kingdom.

T-Mobile Confirms Hack Amidst Recent Wave of Telecom Breaches

Last week, the FBI and CISA released a joint statement warning about nation-state threat actors breaching telecommunications providers to intercept private communications from government officials.

This week, it was confirmed that T-Mobile was affected by the recent wave of telecom hacks. In a report from Wall Street Journal, T-Mobile stated: “T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information”

Apple Releases Patches for Two Actively Exploited Zero-Day Vulnerabilities

On Wednesday, Apple released patches for iOS, iPadOS, macOS, visionOS and Safari to address two actively exploited zero-day vulnerabilities within the software. Apple states that the vulnerabilities “may have been actively exploited on Intel-based Mac systems” which Apple since has moved to their own processors in their Mac products.

CVE-2024-44308 - Vulnerability in the JavaScriptCore which could lead to arbitrary code execution while processing malicious web content

CVE-2024-44309 - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content

Really Simple Security WordPress Plugin Vulnerability Affects Over 4 Million Websites

WordPress security researchers at Wordfence disclosed a critical vulnerability in the Really Simple Security plugin, formerly known as Really Simple SSL. Installed on over 4 million websites, the vulnerability allows attackers to remotely gain full administrative access to a site running the plugin.

CVE-2024-10924 (9.8 CRITICAL) – Really Simple Security Authentication Bypass Vulnerability

The authentication bypass vulnerability is “due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function” affecting versions 9.0.0 to 9.1.1.1 and is present in the Free, Pro and Pro Multisite editions of the plugin.