⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [30 Dec]

Every week, the digital world faces new challenges and changes. Hackers are always finding new ways to breach systems, while defenders work hard to keep our data safe. Whether it's a hidden flaw in popular software or a clever new attack method, staying informed is key to protecting yourself and your organization.


In this week's update, we'll cover the most important developments in cybersecurity. From the latest threats to effective defenses, we've got you covered with clear and straightforward insights. Let’s dive in and keep your digital world secure.


⚡ Threat of the Week


Palo Alto Networks PAN-OS Flaw Under Attack — Palo Alto Networks has disclosed a high-severity flaw impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices by sending a specially crafted DNS packet. The vulnerability (CVE-2024-3393, CVSS score: 8.7) only affects firewalls that have the DNS Security logging enabled. The company said it's aware of "customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue."


🔔 Top News

  • Contagious Interview Drops OtterCookie Malware — North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. The malware, likely introduced in September 2024, is designed to establish communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It's designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.

  • Cloud Atlas Continues its Assault on Russia — Cloud Atlas, a hacking group of unknown origin that has extensively targeted Russia and Belarus, has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024. The attacks employ phishing emails containing Microsoft Word documents, which, when opened, trigger an exploit for a seven-year-old security flaw to deliver the malware. VBCloud is capable of harvesting files matching several extensions and information about the system. More than 80% of the targets were located in Russia. A smaller number of victims have been recorded in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

  • Malicious Python Packages Exfiltrate Sensitive Data — Two malicious Python packages, named zebo and cometlogger, have been found to incorporate features to exfiltrate a wide range of sensitive information from compromised hosts. The two packages were downloaded 118 and 164 times, respectively, before they were taken down. A majority of these downloads came from the United States, China, Russia, and India.

  • TraderTraitor Behind DMM Bitcoin Crypto Heist — Japanese and U.S. authorities officially blamed a North Korean threat cluster codenamed TraderTraitor (aka Jade Sleet, UNC4899, and Slow Pisces) for the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. The attack is notable for the fact that the adversary first compromised the system of an employee of Japan-based cryptocurrency wallet software company named Ginco under the pretext of a pre-employment test. "In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack," authorities said.

  • WhatsApp Scores Legal Victory Against NSO Group — NSO Group has been found liable in the United States after a federal judge in the state of California ruled in favor of WhatsApp, calling out the Israeli commercial spyware vendor for exploiting a security vulnerability in the messaging app to deliver Pegasus using WhatsApp's servers 43 times in May 2019. The targeted attacks deployed the spyware on 1,400 devices globally by making use of a then zero-day vulnerability in the app's voice calling feature (CVE-2019-3568, CVSS score: 9.8).


🔥 Trending CVEs


Heads up! Some popular software has serious security flaws, so make sure to update now to stay safe. The list includes — CVE-2024-56337 (Apache Tomcat), CVE-2024-45387 (Apache Traffic Control), CVE-2024-43441 (Apache HugeGraph-Server), CVE-2024-52046 (Apache MINA), CVE-2024-12856 (Four-Faith routers), CVE-2024-47547, CVE-2024-48874, and CVE-2024-52324 (Ruijie Networks).


📰 Around the Cyber World

  • ScreenConnect Used to Deploy AsyncRAT — Microsoft has revealed that cybercriminals are leveraging tech support scams to deploy AsyncRAT through the remote monitoring and management (RMM) software ScreenConnect, the first time that ScreenConnect has been used to deploy malware rather than as a persistence or lateral movement tool. The company also said threat actors are using SEO poisoning and typosquatting to deploy SectopRAT, an infostealer used to target browser information and crypto wallets. The disclosure comes as Malwarebytes revealed that criminals are employing decoy landing pages, also called "white pages," that use AI-generated content and are propagated via bogus Google search ads. The scam involves attackers buying Google Search ads and using AI to create harmless-looking pages with unique content. The goal is to use these decoy ads to then lure visitors to phishing sites that steal credentials and other sensitive data. Malvertising lures have also been used to distribute SocGholish malware by disguising the page as an HR portal for a legitimate company named Kaiser Permanente.

  • AT&T, Verizon Acknowledge Salt Typhoon Attacks — U.S. telecom giants AT&T and Verizon acknowledged that they had been hit by the China-linked Salt Typhoon hacking group, a month after T-Mobile made a similar disclosure. Both companies said they do not currently detect any malicious activity, and that the attacks singled out a "small number of individuals of foreign intelligence interest." The breaches occurred in large part because the affected companies failed to implement rudimentary cybersecurity measures, the White House said. The exact scope of the attack campaign remains unclear, although the U.S. government revealed that a ninth telecom company in the country was also a target of what now appears to be a sprawling hacking operation aimed at U.S. critical infrastructure. Its name was not disclosed. China has denied any involvement in the attacks.

  • Pro-Russian Hacker Group Targets Italian Websites — Around ten official websites in Italy were targeted by a pro-Russian hacker group named Noname057(16). The group claimed responsibility for the distributed denial-of-service (DDoS) attacks on Telegram, stating Italy's "Russophobes get a well deserved cyber response." Back in July, three members of the group were arrested for alleged cyber attacks against Spain and other NATO countries. Noname057(16) is one of the many hacktivist groups that have emerged in response to the ongoing conflicts in Ukraine and the Middle East, with groups aligned on both sides engaging in disruptive attacks to achieve social or political goals. Some of these groups are also state-sponsored, posing a significant threat to cybersecurity and national security. According to a recent analysis by cybersecurity company Trellix, it's suspected that there's some kind of an operational relationship between Noname057(16) and CyberArmyofRussia_Reborn, another Russian-aligned hacktivist group active since 2022. "The group has created alliances with many other hacktivist groups to support their efforts with the DDoS attacks," Trellix said. "However, the fact that one of the previous CARR administrators, 'MotherOfBears,' has joined NoName057(16), the continuous forwarding of CARR posts, and previous statements, suggest that both groups seem to collaborate closely, which can also indicate a cooperation with Sandworm Team."

  • UN Approves New Cybercrime Treaty to Tackle Digital Threats — The United Nations General Assembly formally adopted a new cybercrime convention, called the United Nations Convention against Cybercrime, that's aimed at bolstering international cooperation to combat such transnational threats. "The new Convention against Cybercrime will enable faster, better-coordinated, and more effective responses, making both digital and physical worlds safer," the UN said. "The Convention focuses on frameworks for accessing and exchanging electronic evidence, facilitating investigations and prosecutions." INTERPOL Secretary General Valdecy Urquiza said the UN cybercrime convention "provides a basis for a new cross-sector level of international cooperation" necessary to combat the borderless nature of cybercrime.

  • WDAC as a Way to Impair Security Defenses — Cybersecurity researchers have devised a new attack technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot. "It makes use of a specially crafted WDAC policy to stop defensive solutions across endpoints and could allow adversaries to easily pivot to new hosts without the burden of security solutions such as EDR," researchers Jonathan Beierle and Logan Goins said. "At a larger scale, if an adversary is able to write Group Policy Objects (GPOs), then they would be able to distribute this policy throughout the domain and systematically stop most, if not all, security solutions on all endpoints in the domain, potentially allowing for the deployment of post-exploitation tooling and/or ransomware."


🎥 Expert Webinar

  1. Don’t Let Ransomware Win: Discover Proactive Defense Tactics — Ransomware is getting smarter, faster, and more dangerous. As 2025 nears, attackers are using advanced tactics to evade detection and demand record-breaking payouts. Are you ready to defend against these threats? Join the Zscaler ThreatLabz webinar to learn proven strategies and stay ahead of cybercriminals. Don’t wait—prepare now to outsmart ransomware.

  2. Simplify Trust Management: Centralize, Automate, Secure — Managing digital trust is complex in today’s hybrid environments. Traditional methods can’t meet modern IT, DevOps, or compliance demands. DigiCert ONE simplifies trust with a unified platform for users, devices, and software. Join the webinar to learn how to centralize management, automate operations, and secure your trust strategy.


🔧 Cybersecurity Tools

  • LogonTracer is a powerful tool for analyzing and visualizing Windows Active Directory event logs, designed to simplify the investigation of malicious logons. By mapping host names, IP addresses, and account names from logon-related events, it creates intuitive graphs that reveal which accounts are being accessed and from which hosts. LogonTracer overcomes the challenges of manual analysis and massive log volumes, helping analysts quickly identify suspicious activity with ease.

  • Game of Active Directory (GOAD) is a free, ready-to-use Active Directory lab designed specifically for pentesters. It offers a pre-built, intentionally vulnerable environment where you can practice and refine common attack techniques. Perfect for skill-building, GOAD eliminates the complexity of setting up your own lab, allowing you to focus on learning and testing various pentesting strategies in a realistic yet controlled setting.
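To make the LogonTracer description above concrete, here is an added example (not LogonTracer's own code, and not from JPCERT/CC) that does the same core job in miniature: it takes a handful of constructed Windows Security Event ID 4624/4625 records, builds an account-to-host logon graph, emits it as Graphviz DOT text, and flags two patterns an analyst would look for first: one account logging on to many hosts, and RemoteInteractive (logon type 10) sessions. The pipe-separated record format, host names, IPs and the `max_hosts` threshold are all assumptions made for the example.

```python
"""Added example: a minimal logon-graph builder in the spirit of LogonTracer.
Not LogonTracer's code. Input records are constructed for the example and use a
hypothetical 'EventID|TargetUserName|WorkstationName|IpAddress|LogonType' layout."""
from collections import defaultdict

# Constructed sample events (not real logs). Only 4624 = successful logon
# becomes an edge; 4625 = failed logon is kept out of the graph.
SAMPLE_EVENTS = [
    "4624|alice|WS01|10.0.0.11|2",
    "4624|alice|WS01|10.0.0.11|2",
    "4624|bob|WS02|10.0.0.12|2",
    "4624|svc_backup|SRV01|10.0.0.50|3",
    "4624|svc_backup|WS01|10.0.0.11|3",
    "4624|svc_backup|WS02|10.0.0.12|3",
    "4624|svc_backup|WS03|10.0.0.13|3",
    "4624|svc_backup|WS04|10.0.0.14|10",
    "4625|mallory|WS09|10.0.0.99|3",
]


def parse_event(line):
    """Split one constructed record into typed fields."""
    event_id, user, host, ip, logon_type = line.strip().split("|")
    return {"event_id": int(event_id), "user": user, "host": host,
            "ip": ip, "logon_type": int(logon_type)}


def build_logon_graph(lines):
    """Return {account: {host: logon_count}} built from successful logons only."""
    graph = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 4624:
            continue
        graph[ev["user"]][ev["host"]] += 1
    return {user: dict(hosts) for user, hosts in graph.items()}


def flag_fan_out(graph, max_hosts=3):
    """Accounts that logged on to more distinct hosts than max_hosts.
    Wide fan-out from one account is a classic lateral-movement signal."""
    return sorted(user for user, hosts in graph.items() if len(hosts) > max_hosts)


def flag_remote_interactive(lines):
    """(user, host, ip) for successful RemoteInteractive (type 10, RDP-style) logons."""
    return [(ev["user"], ev["host"], ev["ip"])
            for ev in map(parse_event, lines)
            if ev["event_id"] == 4624 and ev["logon_type"] == 10]


def render_dot(graph):
    """Graphviz DOT text so the graph can be drawn; edge labels carry logon counts."""
    out = ["digraph logons {"]
    for user, hosts in sorted(graph.items()):
        for host, count in sorted(hosts.items()):
            out.append(f'  "{user}" -> "{host}" [label="{count}"];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    g = build_logon_graph(SAMPLE_EVENTS)
    print(render_dot(g))
    print("fan-out accounts:", flag_fan_out(g))
    print("remote interactive logons:", flag_remote_interactive(SAMPLE_EVENTS))
```

Feeding the DOT output to `dot -Tpng` gives the same kind of account/host picture LogonTracer draws; on real data the records would come from an exported Security event log rather than the constructed list, and the fan-out threshold would be tuned per environment so that service accounts with legitimately broad reach do not drown out the genuinely anomalous ones.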


🔒 Tip of the Week


Isolate Risky Apps with Separate Spaces — When you need to use a mobile app but aren’t sure if it’s safe, protect your personal data by running the app in a separate space on your phone. For Android users, go to Settings > Users & Accounts and create a Guest or new user profile.


Install the uncertain app within this isolated profile and restrict its permissions, such as disabling access to contacts or location. iPhone users can use Guided Access by navigating to Settings > Accessibility > Guided Access to limit what the app can do. This isolation ensures that even if the app contains malware, it cannot access your main data or other apps.


If the app behaves suspiciously, you can easily remove it from the separate space without affecting your primary profile. By isolating apps you’re unsure about, you add an extra layer of security to your device, keeping your personal information safe while still allowing you to use necessary tools.


Conclusion


This week’s cybersecurity updates highlight the importance of staying vigilant and prepared. Here are some simple steps to keep your digital world secure:

  • Update Regularly: Always keep your software and devices up-to-date to patch security gaps.

  • Educate Your Team: Teach everyone to recognize phishing emails and other common scams.

  • Use Strong Passwords: Create unique, strong passwords and enable two-factor authentication where possible.

  • Limit Access: Ensure only authorized people can access sensitive information.

  • Backup Your Data: Regularly backup important files to recover quickly if something goes wrong.

By taking these actions, you can protect yourself and your organization from emerging threats. Stay informed, stay proactive, and prioritize your cybersecurity. Thank you for joining us this week—stay safe online, and we look forward to bringing you more updates next week!


