Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.
In this week’s round-up, we dive into some of the latest developments in cybersecurity, from a Windows MSHTML vulnerability that was exploited as a zero-day, to the data breach at Seattle-Tacoma International Airport caused by a ransomware attack. We’ll also cover Apple’s decision to drop its spyware lawsuit against NSO Group, a large-scale phishing campaign that abuses HTTP Refresh headers for credential theft, and a malware campaign that locks browsers in kiosk mode to steal Google credentials.
-
Microsoft Says Recent Windows Vulnerability Exploited as Zero-Day
Microsoft has flagged a second Windows vulnerability that was exploited as a zero-day, allowing code execution through the retired Internet Explorer (IE) browser. The flaw, CVE-2024-43461, is a high-severity spoofing bug in MSHTML, the IE rendering engine that Windows still ships even though IE itself has been retired. It was addressed in the September 2024 Patch Tuesday update, more than two months after it was first exploited in the wild.
CVE-2024-43461 can be triggered when a user visits a malicious website or opens a malicious file. Trend Micro’s Zero Day Initiative (ZDI), which reported the bug, explains that the flaw lies in the prompt IE shows after a file has been downloaded: a specially crafted file name can hide the file’s true extension, so the user is tricked into running code in the context of the current user.
Microsoft updated its advisory to note that CVE-2024-43461 was exploited as part of an attack chain with CVE-2024-38112, another MSHTML spoofing vulnerability. CVE-2024-38112 was patched in July 2024, which broke that chain, but the attacks that used both flaws predate the July fix, and both the July and September updates are required for full protection.
Trend Micro attributes the attacks to the APT group Void Banshee. The group used crafted internet shortcut (.url) files that reopened IE and sent victims to a compromised site hosting a malicious HTML Application (HTA) file, ultimately leading to Atlantida stealer infections. This highlights the continued risk posed by legacy components like MSHTML that remain on disk after the product built on them is retired, and reinforces the need for timely patch management.
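The extension-hiding trick described above is easy to check for on the defensive side: compare the extension a user would actually see in a truncated dialog with the extension Windows will act on. The following is an added example, not code from the SecurityWeek article, Microsoft or ZDI. It treats any run of blank or invisible Unicode characters as padding that pushes the real extension out of view (ZDI reported the in-the-wild samples used U+2800 BRAILLE PATTERN BLANK; the other filler characters, the executable-extension list and the two-character run threshold are assumptions chosen for this example) and also handles the older right-to-left override trick, so it generalises beyond the single case in the text.

```python
import unicodedata

# Characters that a file dialog draws as blank, or does not draw at all, and
# that can therefore push the real extension past the visible width of the
# prompt.  U+2800 BRAILLE PATTERN BLANK is the filler ZDI reported in the
# CVE-2024-43461 samples; the other entries are common look-alike fillers
# added for this example.
FILLER_CHARS = {"\u2800", "\u3164", "\u115f", "\u1160", "\uffa0", "\u00a0"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it renders reversed

# Extensions Windows hands to a loader or script host on double-click.
# Partial list, chosen for this example.
EXECUTABLE_EXTS = {
    ".hta", ".exe", ".scr", ".com", ".pif", ".cpl", ".msi", ".lnk", ".url",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".cmd", ".bat", ".ps1",
}


def is_filler(ch: str) -> bool:
    """True for characters rendered as blank (space separators) or not at all
    (format and control characters), plus the explicit look-alike set."""
    return ch in FILLER_CHARS or unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def extension_of(name: str) -> str:
    """Lower-cased final extension of a file name, or '' if it has none."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def displayed_name(name: str) -> str:
    """Approximate what the user sees in a width-limited download prompt:
    text after a RIGHT-TO-LEFT OVERRIDE is shown reversed, and a run of two
    or more filler characters is assumed to push the rest out of view."""
    if RTLO in name:
        head, tail = name.split(RTLO, 1)
        name = head + tail[::-1]
    run = 0
    for i, ch in enumerate(name):
        run = run + 1 if is_filler(ch) else 0
        if run >= 2:
            return name[: i - 1]
    return name


def analyze_filename(name: str) -> dict:
    """Compare the extension the user sees with the one Windows will act on."""
    real_ext = extension_of(name)
    shown_ext = extension_of(displayed_name(name).rstrip())
    return {
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "filler_chars": sum(1 for ch in name if is_filler(ch) and ch != " "),
        "rtlo": RTLO in name,
        # A plain .exe is not hiding anything; flag only when the visible
        # extension disagrees with an executable real extension.
        "suspicious": real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }


# Constructed samples for this example: a benign name, the padding trick
# described above (decoy .pdf, 26 Braille blanks, real .hta) and the older
# right-to-left override trick.
SAMPLES = [
    "quarterly_report.pdf",
    "Books_report.pdf" + "\u2800" * 26 + ".hta",
    "holiday_photo\u202egnp.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze_filename(sample))
```

The same check can run over a download directory or a mail gateway's attachment names; the useful signal is the disagreement between `shown_ext` and `real_ext`, not the mere presence of non-ASCII characters, since legitimate names in many scripts contain them.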
-
Data Stolen in Ransomware Attack That Hit Seattle Airport
The Port of Seattle, which oversees Seattle-Tacoma International Airport (SEA), has confirmed that the cyberattack in August, which caused widespread service disruptions, was a ransomware incident. The attack, attributed to the Rhysida ransomware gang, led to significant system outages, impacting key services across the airport and the Port’s operations.
The breach was first reported on August 24, when the Port announced on X (formerly Twitter) that critical systems had been isolated in response to the cyberattack. Despite the airport and other facilities remaining operational, services such as passenger display boards, Wi-Fi, check-in kiosks, baggage handling, reserved parking, and the flySEA app were disrupted. The Port’s website also went offline during the incident.
As of September 13, the Port reported that most of the affected systems were restored within a week of the attack. However, the external website and internal portals remain offline. Although no further malicious activity has been detected, the investigation into the breach is ongoing. Enterprise applications critical to operations, including accounts payable, contract management, and phone services, were also affected, with temporary workarounds currently in place.
The Port confirmed that some of its data was encrypted and exfiltrated during the attack. The exact nature of the stolen data is still under review, and the Port says it will notify affected stakeholders as necessary. Rhysida has not yet publicly claimed responsibility. The Port has refused to pay the ransom and acknowledges that this makes a public leak of the stolen data likely.
“The Port has refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their dark web site,” the Port said in a statement.
-
Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure
Apple has filed a motion to voluntarily dismiss its lawsuit against the commercial spyware vendor NSO Group, citing evolving risks that could expose critical threat intelligence. The motion reflects a changed landscape in the commercial spyware industry: efforts to weaken NSO Group and its peers have had some success, but new malicious actors have emerged. Apple’s original lawsuit, filed in November 2021, sought to hold NSO Group accountable for using its Pegasus spyware to target iPhone users illegally. Apple described NSO as “amoral 21st-century mercenaries” engaged in sophisticated cyber-surveillance that enabled widespread abuse. Apple says its claims remain strong, but now argues that continuing the litigation could compromise the security measures it relies on to defend users against spyware.
Apple cites two developments. First, the risk that sensitive threat intelligence could be exposed through the litigation, a risk underscored by a July 2024 Guardian report that Israeli authorities seized NSO Group documents in 2020 to keep Pegasus-related information out of a separate lawsuit brought by WhatsApp, reportedly to avoid diplomatic and security damage to Israel. Second, the spyware market is changing rapidly, with new vendors entering the scene and posing ongoing security challenges. Apple is concerned that continuing the lawsuit might reveal the defensive techniques it uses to protect users, which other threat actors could then work around.
The Atlantic Council has reported that spyware vendors are renaming, rebranding, or relocating to avoid detection and sanctions. One prominent example is Intellexa, the now-sanctioned developer of Predator spyware, which has resurfaced with enhanced infrastructure in countries like Angola, the Democratic Republic of the Congo, and Saudi Arabia. According to cybersecurity firm Recorded Future, Intellexa has added layers of complexity to its operations, making it increasingly difficult to detect which nations are using the spyware.
In light of these developments, Apple has concluded that pursuing the lawsuit could unintentionally provide adversaries with valuable insights into its countermeasures, further complicating the battle against commercial spyware.
-
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks
Cybersecurity researchers have identified an ongoing phishing campaign that abuses the HTTP Refresh response header to deliver spoofed email login pages and steal users’ credentials. Unlike typical phishing pages that carry the redirect in HTML content, these attacks place it in the server’s response headers, so the browser navigates to the attacker’s page automatically, without user interaction and before any page content is rendered, according to Palo Alto Networks Unit 42.
The campaign, observed between May and July 2024, targeted large corporations in South Korea, U.S. government agencies, and educational institutions, with around 2,000 malicious URLs linked to the operation. The business and economy sector accounted for over 36% of the attacks, followed by financial services, government, healthcare, and IT.
In these attacks, the malicious link leads to a server whose response carries the redirect target in the Refresh header, sending the victim on to a credential-harvesting page. Those pages often look legitimate and arrive with the victim’s email address pre-filled, the address being carried in the URL, which adds credibility. Some of the attacks route through legitimate URL-shortening and tracking services to disguise the final destination and increase the chance of success. These tactics, together with the continued rise of business email compromise (BEC), pose significant risks to organizations. According to the FBI, BEC attacks caused global losses exceeding $55 billion between 2013 and 2023, across more than 305,000 reported incidents.
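Because the redirect in this campaign lives in a response header rather than in the page body, a gateway or proxy that only inspects HTML will miss it. The following is an added example, not code from the Unit 42 report or The Hacker News article, showing how to parse the Refresh header and score a response: a cross-site target, a zero-second delay and an email address carried in the URL are the indicators the text describes. The raw response, the request URL and all host names are constructed placeholders; the scoring rule (cross-site plus either an immediate redirect or an embedded address) is an assumption for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Refresh header value as seen in practice: "<seconds>" or
# "<seconds>; url=<target>", with optional quotes around the target and a
# comma sometimes used instead of the semicolon.
REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*(['\"]?)(.*?)\2\s*)?$", re.IGNORECASE
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value: str):
    """Return (delay_seconds, target_url) for a Refresh value, or None if malformed."""
    m = REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(3) or ""


def parse_raw_response(raw: str):
    """Split an HTTP/1.x response head into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def assess_refresh(request_url: str, raw_response: str) -> dict:
    """Flag header-driven redirects that a mail or web gateway should inspect."""
    status, headers = parse_raw_response(raw_response)
    refresh = next((v for n, v in headers if n == "refresh"), None)
    result = {"status": status, "has_refresh": refresh is not None,
              "suspicious": False, "reasons": []}
    if refresh is None:
        return result
    parsed = parse_refresh(refresh)
    if parsed is None:
        result["reasons"].append("malformed Refresh header")
        result["suspicious"] = True
        return result
    delay, target = parsed
    result["delay"], result["target"] = delay, target
    if not target:
        return result  # periodic reload of the same page: normal for dashboards
    src, dst = urlsplit(request_url), urlsplit(target)
    cross_site = bool(dst.netloc) and dst.netloc.lower() != src.netloc.lower()
    if cross_site:
        result["reasons"].append(f"cross-site redirect to {dst.netloc}")
    if delay == 0:
        result["reasons"].append("immediate redirect, no user interaction")
    # The campaign above pre-fills the login form from an address carried in
    # the URL; look for one in the query string and the fragment.
    emails = EMAIL_RE.findall(unquote(dst.query + " " + dst.fragment))
    if emails:
        result["reasons"].append(f"recipient address in URL: {emails[0]}")
    result["suspicious"] = cross_site and (delay == 0 or bool(emails))
    return result


# Constructed sample for this example: the victim followed a shortened link on
# tracker.example and the server answers with a Refresh header that bounces
# the browser to a look-alike webmail login, address in the fragment.
REQUEST_URL = "https://tracker.example/r/8f3a"
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Refresh: 0; url=https://mail-secure-login.example.net/owa/#victim%40corp.example\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(assess_refresh(REQUEST_URL, RAW_RESPONSE))
```

Note that a 200 response with an empty body and a Refresh header is itself unusual for a page a user deliberately opened; the HTML `<meta http-equiv="refresh">` form should be checked with the same parser, since the header and the meta tag share the value syntax.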
-
Malware Locks Browser in Kiosk Mode to Steal Google Credentials
A recent malware campaign employs a novel method to coerce users into revealing their Google credentials by locking them in browser “kiosk mode,” making it difficult to exit. The attack hinges on the user’s frustration, aiming to compel them to input their Google credentials, which are subsequently stolen by the StealC information-stealing malware.
Once activated, the malware locks the user’s browser on Google’s login page and disables the “ESC” and “F11” keys, which typically allow users to exit full-screen mode. This leaves the user seemingly trapped on the login page, leading them to believe that entering their credentials will “unlock” the system. Instead, the credentials are stored in the browser and exfiltrated by StealC.
The attack method was identified by OALABS researchers, who reported its use in the wild since August 2024, primarily by the Amadey malware loader. Amadey, known for its info-stealing and reconnaissance capabilities, has been active since 2018. When launched, it deploys an AutoIt script designed to manipulate the browser into kiosk mode, redirecting the user to Google’s password change page.
Kiosk mode is typically used to limit user interaction in controlled environments, such as public terminals or demonstration setups. However, in this case, it is weaponized to restrict the user’s options, with the only visible path forward being the submission of login credentials. Once entered, any credentials saved in the browser are promptly harvested by StealC, an efficient information stealer that has been active since early 2023. This malware can capture stored data from browser credential stores and transmit it back to the attacker.
Users who find their browser suddenly locked like this should not enter any credentials or other sensitive information. Instead, they can try key combinations such as ‘Alt + F4’, ‘Ctrl + Shift + Esc’, or ‘Ctrl + Alt + Delete’ to regain control; the latter two open Task Manager, from which the browser process can be ended.
If that fails, open the Run dialog with ‘Win + R’, start a command prompt, and end the browser process with a ‘taskkill’ command. In extreme cases a hard reset may be necessary. After rebooting, start in Safe Mode and run a full antivirus scan to remove the loader and the stealer. A browser that launches itself in kiosk mode is never normal behaviour and should not be ignored; affected users should assume the machine is compromised and change any passwords that were saved in the browser from a clean device.
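The user-side recovery steps above are the last resort; the attack also leaves a clear process-creation footprint that endpoint telemetry can catch earlier. The following is an added example, not code from the OALABS or BleepingComputer write-ups, that scores process-creation events for the pattern the text describes: a browser started in kiosk mode, on a Google account page, by a script interpreter rather than by the user’s shell. The events, paths and URLs are constructed placeholders; the kiosk switches (Chromium’s --kiosk, Firefox’s -kiosk), the parent-process lists and the requirement of two indicators before flagging are assumptions made for this example.

```python
import re
import shlex

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
# Switches that start Chromium-based browsers (--kiosk) and Firefox (-kiosk)
# in locked full-screen kiosk mode.
KIOSK_SWITCHES = {"--kiosk", "-kiosk"}
# Parents from which a user normally starts a browser by hand.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Script interpreters: AutoIt is the one named in the campaign above; the
# others are generic additions for this example.
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The page the campaign forces on the victim lives under accounts.google.com.
GOOGLE_LOGIN_RE = re.compile(r"^https?://accounts\.google\.com/", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd: str) -> list:
    """Tokenise a Windows command line; posix=False keeps backslashes literal
    and quoted paths together."""
    try:
        return shlex.split(cmd, posix=False)
    except ValueError:
        return cmd.split()


def score_process(event: dict) -> dict:
    """Return whether a process-creation event looks like the kiosk-mode
    credential trap: a browser, started in kiosk mode, on a Google account
    page, by something other than the user's shell."""
    image = basename(event["image"])
    reasons = []
    if image not in BROWSERS:
        return {"suspicious": False, "reasons": reasons}
    args = split_cmdline(event["command_line"])[1:]
    switches = {a.split("=", 1)[0].lower() for a in args if a.startswith("-")}
    kiosk = bool(switches & KIOSK_SWITCHES)
    if kiosk:
        reasons.append("browser started in kiosk mode")
    if any(GOOGLE_LOGIN_RE.match(a) for a in args):
        reasons.append("opens a Google account page")
    parent = basename(event.get("parent_image", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script interpreter {parent}")
    elif parent and parent not in INTERACTIVE_PARENTS:
        reasons.append(f"launched by non-interactive parent {parent}")
    # Kiosk mode alone is legitimate (signage, shared terminals); require it
    # plus at least one more indicator before raising an alert.
    return {"suspicious": kiosk and len(reasons) >= 2, "reasons": reasons}


# Constructed process-creation events for this example (paths and URLs are
# placeholders, not taken from the reports above).
SAMPLE_EVENTS = [
    {   # normal user launch
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # the pattern described above: AutoIt drops the browser into kiosk mode
        "parent_image": r"C:\Users\Public\AutoIt3.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/signin/v2/identifier',
    },
    {   # digital signage: kiosk mode, but interactive parent and internal page
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://intranet.example/dashboard',
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), score_process(ev))
```

The same three fields (parent image, image, command line) are present in Sysmon Event ID 1 and Windows Security event 4688 with command-line auditing enabled, so the rule ports directly to a SIEM query; the digital-signage event shows why kiosk mode by itself must not be the trigger.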
References:
- https://www.securityweek.com/microsoft-says-recent-windows-vulnerability-exploited-as-zero-day/
- https://www.securityweek.com/data-stolen-in-ransomware-attack-that-hit-seattle-airport/
- https://thehackernews.com/2024/09/apple-drops-spyware-case-against-nso.html
- https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.html
- https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kiosk-mode-to-steal-google-credentials/