4 December 2024

Ankura CTIX FLASH Update - December 3, 2024

Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.
The Ankura FLASH Update is prepared by the Cyber Threat Investigations and Expert Services (CTIX) team to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events.

Connecting Busy IT and Business Leaders to the Most Important Cyber News and Threats twice-weekly

Malware Activity

Phishing Attacks Use Corrupted MS Word Documents to Evade Prevention

Attackers are attaching corrupted Microsoft Word documents to phishing emails in a novel attempt to evade email malware prevention mechanisms. Corrupted Word documents bypass email security because of their damaged state, yet Microsoft Word can still recover them when they are opened. New phishing campaigns attach these corrupted documents to emails purporting to be sent from an organization's payroll or HR department announcing information about benefits or bonuses. When the attachment is opened, Microsoft Word will rebuild the document if the user clicks "Yes" when prompted to attempt recovery. The recovered document contains a logo of the target organization along with a QR code users are asked to scan to view the fake benefits or bonus information. The QR code directs users to a phishing site that mimics Microsoft's M365 log-in page, prompting users to enter their credentials, which are subsequently harvested by the attacker. The tactic of attaching a corrupted Word document has thus far proven to be a successful means of evading detection by email security solutions. When uploaded to VirusTotal, these corrupted files return as either "Clean" or "Item Not Found". CTIX analysts recommend that organizations educate users on these types of attacks and remain vigilant in auditing user authentication patterns and activity. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
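The gap described above is that a scanner which cannot parse an attachment reports it as clean. The following added example (not code from the Ankura update or any named product) shows the opposite policy for an attachment pipeline: a file carrying an Office signature that fails basic structural checks is classed as damaged rather than clean. The sample documents and the `corrupt` helper are constructed inline.

```python
"""Flag structurally damaged Office attachments instead of passing them as clean."""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                       # .docx/.xlsx/.pptx are ZIP containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc/.xls (OLE2/CFB)


def classify_office_attachment(data: bytes) -> str:
    """Return 'clean', 'damaged-ooxml', 'damaged-ole' or 'not-office'.

    'Damaged' means the file announces itself as an Office document but fails
    basic parsing: the state that lets a corrupted .docx slip past a scanner
    while Word's recovery prompt still rebuilds it for the user.
    """
    if data.startswith(OOXML_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" not in zf.namelist():   # every OOXML package has it
                    return "damaged-ooxml"
                if zf.testzip() is not None:                      # CRC failure on a member
                    return "damaged-ooxml"
        except zipfile.BadZipFile:                                # e.g. central directory missing
            return "damaged-ooxml"
        return "clean"
    if data.startswith(OLE_MAGIC):
        # CFB header is 512 bytes; bytes 30-31 hold the sector shift (9 -> 512 B, 12 -> 4096 B).
        if len(data) < 512:
            return "damaged-ole"
        sector_shift = int.from_bytes(data[30:32], "little")
        return "clean" if sector_shift in (9, 12) else "damaged-ole"
    return "not-office"


def make_sample_docx() -> bytes:
    """Constructed minimal .docx used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt(data: bytes) -> bytes:
    """Constructed damage: truncate the ZIP so its central directory record is lost."""
    return data[:-64]
```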

Threat Actor Activity

INTERPOL Seizes $400 Million and Arrests 5,500 in Financial Crime Crackdown Operation

Operation HAECHI-V, a global law enforcement operation involving authorities from forty (40) countries, resulted in the arrest of over five thousand five hundred (5,500) suspects involved in financial crimes and the seizure of more than $400 million in virtual assets and government-backed currencies. The operation, conducted between July and November 2024, targeted various forms of cyber-enabled fraud, including voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud. This operation also successfully dismantled a widespread voice phishing syndicate that was responsible for financial losses of $1.1 billion, impacting over one thousand nine hundred (1,900) victims. The group used sophisticated techniques, including impersonating law enforcement officials and using fake identification. At least twenty-seven (27) members of this syndicate were arrested, with nineteen (19) subsequently indicted. Operation HAECHI-V built on previous successes, nearly doubling the number of cases solved and tripling the number of virtual asset service provider accounts blocked compared to 2023. It also involved the use of INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism, which played a crucial role in intercepting stolen funds. The operation also highlighted the importance of international police cooperation in combating cybercrime. INTERPOL Secretary General Valdecy Urquiza emphasized that the borderless nature of cybercrime necessitates united efforts to make both the real and digital worlds safer.

Vulnerabilities

Critical Vulnerability Patched in Zabbix Network Monitoring Tool

Zabbix, an open-source enterprise network and application monitoring provider, has disclosed a critical SQL injection vulnerability with a near-perfect CVSS score of 9.9/10. This flaw, tracked as CVE-2024-42327, allows attackers with API access to inject arbitrary SQL queries, escalate privileges, and potentially compromise entire systems. The vulnerability resides in the CUser class's "addRelatedObjects" function, which is accessible to non-admin accounts with API access. It affects Zabbix versions 6.0.0–6.0.31, 6.4.0–6.4.16, and 7.0.0. Zabbix has released patches in versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1 to address this issue, along with fixes for other vulnerabilities, including CVE-2024-36466 (authentication bypass, CVSS 8.8/10) and CVE-2024-36462 (denial-of-service). Although over 83,000 Zabbix servers are reportedly exposed to the internet, there is no evidence of active exploitation. This vulnerability highlights the ongoing risk of SQL injection flaws, which have been labeled "unforgivable" by US agencies such as the FBI and CISA due to their prevalence and association with severe cyberattacks, including ransomware and data breaches. Organizations across industries like finance, healthcare, IT, and retail that use Zabbix are urged to update their systems immediately to mitigate these risks. CTIX analysts urge all administrators to ensure that their instances have been upgraded to the most secure version to prevent future exploitation.
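To act on the version ranges above across a fleet, an administrator needs a comparison that understands Zabbix's release-candidate numbering (6.0.32rc1 precedes 6.0.32 but already carries the fix). The following added example (not Zabbix's own code) encodes only the affected and fixed builds stated in the advisory text for CVE-2024-42327; the host inventory in the test is constructed.

```python
"""Audit Zabbix version strings against the CVE-2024-42327 ranges from the advisory."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(s: str) -> tuple:
    """'6.0.32rc1' -> (6, 0, 32, 0, 1); a final release sorts after its RCs:
    '6.0.32' -> (6, 0, 32, 1, 0)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {s!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# Per branch: inclusive affected range and first fixed build, as stated in the advisory.
AFFECTED = {
    "6.0": (parse_version("6.0.0"), parse_version("6.0.31"), parse_version("6.0.32rc1")),
    "6.4": (parse_version("6.4.0"), parse_version("6.4.16"), parse_version("6.4.17rc1")),
    "7.0": (parse_version("7.0.0"), parse_version("7.0.0"), parse_version("7.0.1rc1")),
}


def assess(version: str) -> str:
    """'vulnerable', 'patched', or 'unlisted' for builds the advisory does not name."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED:
        return "unlisted"          # other branches are not covered by the advisory text
    low, high, fixed = AFFECTED[branch]
    if low <= v <= high:
        return "vulnerable"
    if v >= fixed:
        return "patched"
    return "unlisted"              # e.g. a 7.0.0 release candidate, which the advisory does not list


def audit(inventory: dict) -> dict:
    """Map {host: version} to {host: status} so vulnerable hosts can be prioritised."""
    return {host: assess(ver) for host, ver in inventory.items()}
```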

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
