
Ankura CTIX FLASH Update - February 25, 2025

Malware Activity


The Rising Tide of Cyber Threats: From North Korea to Malicious Apps

North Korean hackers have allegedly targeted freelance software developers to craft refined malware. Meanwhile, an Android malware called SpyLend has successfully infiltrated Google Play, racking up more than 100,000 downloads and raising further alarm about the safety of mobile applications. Additionally, the Salt Typhoon group has been linked to the JumbledPath malware. Salt Typhoon is known for successful breaches of American telecom networks and for prolonged infiltration of critical infrastructure, employing advanced techniques such as Living off the Land (LotL). Cisco's Talos team has issued a warning about these ongoing dangers and outlines the need for organizations to strengthen their cyber security defenses against these evolving tactics. Cybercriminals have also recently developed advanced techniques to clone any brand's website, enabling them to create convincing fraudulent replicas that deceive customers into divulging sensitive information. This alarming trend uses artificial intelligence and machine learning to improve the authenticity of counterfeit sites, making it increasingly difficult for users to distinguish legitimate brands from scams. The complexity and reach of these cybercriminal activities indicate a pressing challenge for both individuals and institutions aiming to safeguard their digital environments. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


Internal Black Basta Chat Logs Leaked

The Black Basta ransomware group has recently been exposed through a significant leak of internal chat logs, revealing potentially identifying details about its operations and members. The leak, released by an individual using the handle ExploitWhispers, includes nearly 200,000 messages shared on the Matrix platform between September 2023 and September 2024. This breach follows Black Basta's high-profile extortion incidents since its launch in April 2022, targeting entities like Ascension Health in the U.S. and Capita in the U.K. The leak purportedly stems from Black Basta's attacks on Russian banks, leading to speculation about the leaker's motives, whether as a security researcher, disgruntled member, or part of a covert law enforcement operation. The chat logs detail the group's internal conflicts, with some operators scamming victims by collecting ransoms without providing decryptors, leading to the gang's reduced activity. The chat logs provide insights into the group's operations, including task assignments, testing, debugging, and attempts to sell hacking tools like a modified version of Cobalt Strike. They also reveal strategic decisions, such as avoiding attacks on large or financially troubled companies and using a "whitelist" mechanism to exclude certain targets. Additionally, the messages identify key figures within the group, including admins Lapa and Cortes, and the main administrator, YY, with the leader believed to be Oleg Nefedov. Black Basta, a Ransomware-as-a-Service (RaaS) operation, has breached over 500 organizations worldwide, collecting around $100 million in ransom payments from over ninety (90) victims. The group's affiliations include previous operators of Conti, Ryuk, and TrickBot, with more than a dozen members named and sanctioned by Western law enforcement. The leak mirrors previous incidents, such as the Conti leak by a Ukrainian researcher in response to Conti's support for Russia's invasion of Ukraine.


Vulnerabilities


Bypasses for a Previously Patched Parallels Desktop Vulnerability Allow Attackers to Gain "root" on macOS

Researchers have publicly disclosed two (2) distinct exploits that take advantage of an incompletely patched privilege escalation vulnerability in Parallels Desktop, a virtualization software for Mac. The vulnerability, tracked as CVE-2024-34331, was originally patched in September 2024 but remains exploitable due to bypass techniques discovered by security researcher Mickey Jin. The first exploit employs a time-of-check to time-of-use (TOCTOU) attack that tricks the system by replacing an Apple-signed "createinstallmedia" binary with a maliciously crafted one after its signature is verified. The second exploit targets the "do_repack_manual" function, using symlink manipulation to redirect file writes and overwrite critical root-owned files, thereby enabling attackers to execute code with root privileges. Despite the initial disclosure and Jin's notification in June 2024, Parallels has not adequately addressed the issue, leaving all known versions, from 19.4.0 and earlier through the latest release (20.2.1), vulnerable to exploitation. Until Parallels issues an official patch, CTIX analysts advise users to exercise heightened caution with their systems. Since all known versions of Parallels Desktop are vulnerable to at least one of the exploits, it is advisable to avoid running untrusted or suspicious code that could trigger the privilege escalation flaw. Using a non-administrative account for daily tasks may help reduce the impact of any potential compromise. Additionally, users should closely monitor official communications from Parallels for security updates or patches and consider temporarily uninstalling or disabling Parallels Desktop if it is not essential to their workflow. Regular system backups and maintaining overall macOS security hygiene can also help mitigate risk in the meantime.
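Both exploits described above are instances of the same defect class: a privileged helper checks a filesystem path, then acts on the path again later, and what the path points at can change in between. The C program below is an added illustration of that class and its fix, not Parallels' code and not a description of its internals; it assumes a hypothetical helper that must write to a caller-supplied path, and the temp directory, file names and contents are constructed for the demo. The hardened version opens the file once with O_NOFOLLOW, validates the open descriptor with fstat, and writes through that same descriptor, so there is no window between the check and the use.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not Parallels' code): the path was checked
 * earlier and is reopened by name, so open() follows whatever it now points at. */
int write_by_path(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_TRUNC);   /* follows symlinks */
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Hardened pattern: open once with O_NOFOLLOW (a symlink at the last component
 * fails with ELOOP), validate the descriptor with fstat, and write through that
 * same descriptor, so no check-to-use window exists on the path. */
int write_checked(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_TRUNC | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed fixture: a temp dir holding protected.txt (stand-in for a
 * root-owned file) and work.txt (the file the helper is meant to write). */
static char g_dir[64], g_work[128], g_prot[128];
int make_fixture(void) {
    strcpy(g_dir, "/tmp/toctou.XXXXXX");
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_prot, sizeof g_prot, "%s/protected.txt", g_dir);
    snprintf(g_work, sizeof g_work, "%s/work.txt", g_dir);
    const char *paths[] = {g_prot, g_work};
    for (int i = 0; i < 2; i++) {
        int fd = open(paths[i], O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || write(fd, "original", 8) != 8) return -1;
        close(fd);
    }
    return 0;
}
/* The race-window move: replace work.txt with a symlink to protected.txt. */
int swap_in_symlink(void) {
    return unlink(g_work) == 0 ? symlink(g_prot, g_work) : -1;
}
```

After the swap, write_by_path still returns success because its write landed in protected.txt through the link, while write_checked refuses the path outright.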


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice
