
Ankura CTIX FLASH Update - December 3, 2024

Connecting Busy IT and Business Leaders to the Most Important Cyber News and Threats twice-weekly

The Ankura FLASH Update is prepared by the Cyber Threat Investigations and Expert Services (CTIX) team to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. Questions about the Flash Update? Send an email directly to the Ankura CTIX Team for additional context or insight.


Malware Activity


Phishing Attacks Use Corrupted MS Word Documents to Evade Prevention

Attackers are attaching deliberately corrupted Microsoft Word documents to phishing emails in a novel attempt to evade email malware prevention mechanisms. Because the files are damaged, email security tools cannot parse them and let them through, yet Microsoft Word can still recover them when they are opened. New phishing campaigns attach these corrupted documents to emails purporting to come from an organization’s payroll or HR department and announcing information about benefits or bonuses. When the attachment is opened, Word prompts the user to attempt recovery and rebuilds the document if the user clicks “Yes”. The recovered document contains the target organization’s logo along with a QR code that users are asked to scan to view the fake benefits or bonus information. The QR code leads to a phishing site that mimics Microsoft’s M365 log-in page and harvests the credentials users enter there. The tactic has thus far proven to be a successful means of evading detection by email security solutions: when uploaded to VirusTotal, these corrupted files return as either “Clean” or “Item Not Found”. CTIX analysts recommend that organizations educate users on these types of attacks and remain vigilant in auditing user authentication patterns and activity. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
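The evasion described above works because a damaged .docx fails the ZIP parsing that content scanners rely on, while Word's recovery routine still rebuilds it. The following is an added example (not part of the Ankura update) of a mail-gateway check that treats "fails to parse as ZIP but still carries OOXML container structure" as a reason to quarantine rather than pass the attachment as clean; the marker names and the truncation used to build the damaged sample are constructed for the demonstration.

```python
"""Classify a Word attachment as valid, damaged-but-recoverable, or not an Office file.

Assumption: a .docx is an OOXML ZIP container. A blob that fails ZIP parsing yet
still contains the ZIP magic or well-known OOXML part names is very likely a
document Word can recover, so it should be routed to quarantine/review.
"""
import io
import zipfile

# Part names present in any Word container; they survive in the raw bytes
# even when the ZIP central directory has been damaged.
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml", b"_rels/.rels")
ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Return one of: valid_docx, other_archive, damaged_office_document, not_office."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "word/document.xml" not in zf.namelist():
                return "other_archive"
            # testzip() returns the first member with a bad CRC, or None when all are intact
            return "valid_docx" if zf.testzip() is None else "damaged_office_document"
    except zipfile.BadZipFile:
        pass
    # ZIP parsing failed outright: look for residual container structure
    if data.startswith(ZIP_LOCAL_HEADER_MAGIC) or any(m in data for m in OOXML_MARKERS):
        return "damaged_office_document"
    return "not_office"


def make_sample_docx() -> bytes:
    """Build a minimal well-formed OOXML-style container (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt(data: bytes) -> bytes:
    """Damage the container so ZIP parsing fails but part names remain (constructed).

    Dropping the 22-byte end-of-central-directory record is one simple way to
    make zipfile reject the file while leaving the local headers intact.
    """
    return data[:-22]
```

A gateway rule would then quarantine anything classified as `damaged_office_document` instead of relying on a signature verdict, and log the sender for correlation with later M365 sign-in anomalies.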


Threat Actor Activity


INTERPOL Seizes $400 Million and Arrests 5,500 in Financial Crime Crackdown Operation

Operation HAECHI-V, a global law enforcement operation involving authorities from forty (40) countries, resulted in the arrest of over five thousand five hundred (5,500) suspects involved in financial crimes and the seizure of more than $400 million in virtual assets and government-backed currencies. The operation, conducted between July and November 2024, targeted various forms of cyber-enabled fraud, including voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud. It also dismantled a widespread voice phishing syndicate responsible for financial losses of $1.1 billion across more than one thousand nine hundred (1,900) victims. The group used sophisticated techniques, including impersonating law enforcement officials and using fake identification. At least twenty-seven (27) members of this syndicate were arrested, with nineteen (19) subsequently indicted. Operation HAECHI-V built on previous successes, nearly doubling the number of cases solved and tripling the number of virtual asset service provider accounts blocked compared to 2023. It also made use of INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) mechanism, which played a crucial role in intercepting stolen funds. The operation highlighted the importance of international police cooperation in combating cybercrime; INTERPOL Secretary General Valdecy Urquiza emphasized that the borderless nature of cybercrime necessitates united efforts to make both the real and digital worlds safer.


Vulnerabilities


Critical Vulnerability Patched in Zabbix Network Monitoring Tool

Zabbix, an open-source enterprise network and application monitoring provider, has disclosed a critical SQL injection vulnerability with a near-perfect CVSS score of 9.9/10. This flaw, tracked as CVE-2024-42327, allows attackers with API access to inject arbitrary SQL queries, escalate privileges, and potentially compromise entire systems. The vulnerability resides in the CUser class's "addRelatedObjects" function, which is reachable by non-admin accounts that have API access. It affects Zabbix versions 6.0.0–6.0.31, 6.4.0–6.4.16, and 7.0.0. Zabbix has released patches in versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1 to address this issue, along with fixes for other vulnerabilities, including CVE-2024-36466 (authentication bypass, CVSS 8.8/10) and CVE-2024-36462 (denial-of-service). Although over 83,000 Zabbix servers are reportedly exposed to the internet, there is no evidence of active exploitation. This vulnerability highlights the ongoing risk of SQL injection flaws, which US agencies such as the FBI and CISA have labeled "unforgivable" due to their prevalence and association with severe cyberattacks, including ransomware and data breaches. Organizations across industries like finance, healthcare, IT, and retail that use Zabbix are urged to update their systems immediately to mitigate these risks. CTIX analysts urge all administrators to ensure that their instances have been upgraded to the most secure version to prevent future exploitation.


© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
