Welcome to the 11th edition Cyber Weekly Digest of 2024.

In a week we've all been obsessing over 'that' photo, we can at least confirm the whereabouts of our Office Queen. Katie has been busy podcasting and if you haven't already checked out the latest episode with ThreatAware's Jon Abbott you can check it out here‍

‍

New and noteworthy this week:

Last week we saw the launch of Pentera Cloud. With 82% of data breaches involving information stored in the cloud, we are really looking forward to Pentera's upcoming webinar - Putting Cloud Security to the Stress Test. The session is being held on 27th March and you can register here‍

We had to share this blog from Cequence... Automated Antagonists: The Quest for Better Bot Management. We're not talking anti-cellulite or BBLs here, we are redefining bot protection - stopping bad actors in their tracks, evolving alongside ever-changing threats and safeguarding all web traffic, including direct API hits. You can read the full blog post here‍

At CV HQ we are also very excited to share the launch of One Identity Cloud PAM Essentials - Your ultimate SaaS-based solution for streamlined, secure and compliant privileged access management. You can read about the exciting features and benefits here‍

Last but not least... did you know we can assist with Cyber Essentials and Cyber Essentials Plus? As an accredited certification body, our consultancy partner URM has an unrivalled record in assisting organisations of all sizes achieve certification. Check out the FAQ here and let us know if we can help!

‍

Now, let's take a look at our Cyber Weekly Digest, highlighting our top cyber security news picks of the week.

‍

This week we were warned of a new phishing campaign via AWS and GitHub, malware targeting Latin American Banks and heard how a French unemployment agency have been breached which could spell trouble for their 43 million registered users

‍

Keep reading to stay up to date on the latest cyber security news.‍

‍

1. DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack‍

A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers. "During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers," Trend Micro said. CVE-2024-21412 (CVSS score: 8.1) concerns an internet shortcut files security feature bypass vulnerability that permits an unauthenticated attacker to circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file.‍

‍

2. PixPirate Android Malware Uses New Tactic to Hide on Phones‍

PixPirate is a new Android malware first documented by the Cleafy TIR team last month seen targeting Latin American banks. Though Cleafy noted that a separate downloader app launches the malware, the report didn't delve into its innovative hiding or persistence mechanisms, or these were introduced only recently. A new report by IBM explains that contrary to the standard tactic of malware attempting to hide its icon, which is possible on Android versions up to 9, PixPirate does not use a launcher icon. This enables the malware to remain hidden on all recent Android releases up to version 14.‍

‍

3. French Unemployment Agency Data Breach Impacts 43 Million People‍

France Travail, formerly known as Pôle Emploi, is warning that hackers breached its systems and may leak or exploit personal details of an estimated 43 million individuals. France Travail is the French governmental agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs. Yesterday, the agency disclosed that hackers stole details belonging to job seekers registered with the agency in the last 20 years in a cyberattack between February 6 and March 5. Data from individuals with a job candidate profile was also exposed.‍

‍

4. Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub‍

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.

"The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware," Fortinet FortiGuard Labs researcher Yurren Wan said. An unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.‍

‍

5. SIM Swappers Hijacking Phone Numbers in eSIM Attacks‍

SIM swappers have adapted their attacks to steal a target's phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. Embedded Subscriber Identity Modules (eSIMs) are digital cards stored on the chip of the mobile device and serve the same role and purpose as a physical SIM card but can be remotely reprogrammed and provisioned, deactivated, swapped, deleted. A user can typically add an eSIM to a device that supports the functionality by scanning a QR code from the service provider.