In November 2024, adversaries used a new technique to exploit Microsoft Word’s file recovery feature, and a group known as RomCom exploited zero-day vulnerabilities in Firefox and Tor Browser.
Major incidents included a ransomware attack on Blue Yonder, disrupting operations for retailers like Starbucks and Sainsbury’s, and a data breach at Amazon, exposing 2.8 million lines of employee data. Additionally, the Salt Typhoon attack on US telecommunications infrastructure was described as the worst in history, and France’s second-largest ISP, Free, suffered a breach compromising the personal data of over 19 million customers.

New/Improved Techniques

Corrupt Word File Attack

A recent phishing campaign has emerged, exploiting Microsoft’s Word file recovery feature to bypass email security filters. Malicious actors distribute intentionally corrupted Word documents as email attachments, often masquerading as communications from payroll or human resources departments. These emails entice recipients with subjects related to employee benefits and bonuses.

Upon attempting to open a corrupted attachment, Microsoft Word prompts the user to recover the unreadable content. If the user agrees, the document displays a message instructing them to scan a QR code to access the purported information. Scanning this QR code directs the user to a phishing website designed to harvest Microsoft account credentials under the guise of a legitimate login page.

This tactic effectively evades standard email security measures, as the corrupted state of the documents prevents detection by automated scanning tools. The success of this method relies on social engineering, prompting users to take specific actions that compromise their security. To mitigate such threats, users should exercise caution with unexpected email attachments, especially those prompting unusual actions like scanning QR codes.
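A gateway-side check that closes the gap described above, written for this digest as an added example (not code from the original campaign write-up): it classifies a Word attachment as intact, as a damaged OOXML container that Word would offer to "recover", or as not an OOXML file at all, so that the damaged case can be quarantined or sandboxed instead of being passed through as unscannable. The sample documents and the truncation routine are constructed in memory for the test.

```python
import io
import zipfile

# Parts every well-formed .docx container (an OOXML/OPC ZIP archive) must carry.
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")


def build_sample_docx(include_body: bool = True) -> bytes:
    """Constructed minimal .docx used as test input; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        if include_body:
            zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def truncate_docx(data: bytes) -> bytes:
    """Constructed damage: drop the tail of the archive. The ZIP central
    directory lives there, so archive parsers reject the file even though
    the leading PK signature survives."""
    return data[: len(data) // 2]


def classify_attachment(data: bytes) -> str:
    """Return 'ok', 'corrupt-container' or 'not-ooxml'.

    'corrupt-container' is the case to hold back: a scanner that gives up
    on an unreadable ZIP sees nothing, while Word prompts the user to
    recover the file and renders whatever it can salvage."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:      # a member fails its CRC check
                return "corrupt-container"
            names = set(zf.namelist())
    except zipfile.BadZipFile:                # central directory missing/invalid
        return "corrupt-container"
    if any(part not in names for part in REQUIRED_PARTS):
        return "corrupt-container"            # valid ZIP, but not a usable document
    return "ok"


if __name__ == "__main__":
    intact = build_sample_docx()
    print(classify_attachment(intact))                    # ok
    print(classify_attachment(truncate_docx(intact)))     # corrupt-container
    print(classify_attachment(build_sample_docx(False)))  # corrupt-container
    print(classify_attachment(b"%PDF-1.7 ..."))           # not-ooxml
```

A verdict of corrupt-container is a reason to detonate the file in a sandbox with Word's recovery enabled, or to hold it for review, rather than to let it through because nothing could be parsed.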

Firefox and Tor Vulnerability Exploited in Wild

In a recent campaign, the Russian-aligned cybercrime group RomCom exploited two zero-day vulnerabilities to target users of Firefox and Tor Browser across Europe and North America. The first vulnerability, identified as CVE-2024-9680, is a critical use-after-free bug in Firefox’s animation timeline feature, allowing code execution within the browser’s sandbox. Mozilla promptly patched this flaw on October 9, 2024, following a report by ESET.

The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, enabling attackers to execute code outside the browser’s sandbox. Microsoft addressed this security issue on November 12, 2024. By chaining these two vulnerabilities, RomCom achieved remote code execution without user interaction; victims merely needed to visit a maliciously crafted website, which would then download and execute the RomCom backdoor on their systems.

ESET’s analysis indicates that the attackers also targeted Tor Browser users, specifically versions 12 and 13, as suggested by the naming of one of the JavaScript exploits used in the attacks. The compromise chain involved fake websites redirecting potential victims to servers hosting the exploit, culminating in the execution of shellcode that installed the RomCom backdoor.

Happenings

[Global] Ransomware – Into the Blue Yonder

In late November 2024, Blue Yonder, a prominent supply chain management software provider, suffered a ransomware attack that disrupted operations for several major retailers. The incident affected Blue Yonder’s managed services hosted environment, leading to significant operational challenges for its clients.

Starbucks experienced difficulties in managing employee schedules and payroll systems, compelling managers to revert to manual processes to ensure accurate compensation for their staff. In the UK, grocery chains such as Morrisons and Sainsbury’s faced disruptions in their supply chains, resulting in product shortages and necessitating the implementation of contingency plans to maintain store operations.

Blue Yonder has been collaborating with external cybersecurity firms to investigate the incident and restore affected services. As of the latest updates, the company has not provided a specific timeline for full recovery.

[US] Hacking to Find Work

In a notable cybersecurity case, Nicholas Michael Kloster, a 31-year-old from Kansas City, Missouri, was indicted by a federal grand jury for allegedly hacking into the computer systems of a health club business and a nonprofit organization to promote his cybersecurity services. The indictment includes charges of unauthorized access to protected computers and causing reckless damage during unauthorized access.

In April 2024, Kloster reportedly entered the premises of a health club operator managing multiple locations in Kansas and Missouri. The following day, he emailed one of the owners, claiming to have accessed their computer system and offered his cybersecurity services, attaching his resume. Employees later discovered that his monthly gym membership fee had been reduced to $1, his photograph was erased from the gym’s network, and a staff nametag was missing. Subsequently, Kloster allegedly posted a screenshot on social media showing control over the company’s security cameras, captioned, “how to get a company to use your security service.”

In a separate incident in May 2024, Kloster is accused of accessing a restricted area of a nonprofit organization to infiltrate its computer network. He allegedly used a boot disk to bypass password protections, changed user passwords, and installed a virtual private network (VPN) on the system. The nonprofit reportedly incurred losses exceeding $5,000 to remediate the intrusion.

If convicted, Kloster faces up to 15 years in prison—five years for unauthorized access and ten years for causing reckless damage—along with potential fines and restitution to the victims.

[US] 2.8 Million Lines of Amazon Employee Data Leaked

Amazon have confirmed a data breach involving 2.8 million lines of Amazon employee data, including full names, email addresses, phone numbers, building locations, cost codes, and information about the department each employee belongs to. The data is believed to have been initially stolen in the May 2023 MOVEit attacks, as the date on the data lines up with that campaign. Amazon have indicated that the information was stolen from systems belonging to a third party and have reiterated that they have not experienced a security event.

The data was leaked for free by a threat actor known as “Name3L3ss”, which likely indicates that no one was willing to pay for the dataset. While the data does not appear to be directly monetizable, the breach poses a significant risk for Amazon and its affected employees, with increased vulnerability to phishing, social engineering attacks, and financial fraud. The fact that Amazon is still affected by this data breach a year and a half after the data was stolen highlights the importance of effective management of third-party vendor risk.

[US] Salt Typhoon – Worst Telecommunications Hack in US History

U.S. security agencies, including the FBI and CISA, confirmed in December that malicious actors had infiltrated critical systems, exposing vulnerabilities in the US telecommunications infrastructure. The actors managed to steal a vast amount of data, including customer call records, metadata, and in some cases the actual audio files of calls and the content of text messages, affecting hundreds of thousands of users.

The scale and impact of the Salt Typhoon attack are unprecedented, and it has been described as the worst telecom hack in U.S. history by Senator Mark Warner, chairman of the Senate Intelligence Committee. Among the affected telcos are T-Mobile, Verizon, and AT&T, and the group is believed to have been specifically targeting, and managed to gain access to, the U.S. government’s wiretapping platform. Salt Typhoon have been active since at least 2019 and are believed to be a highly skilled Chinese state-sponsored APT that has predominantly targeted countries in the Southeast Asia region. Salt Typhoon use known but unpatched vulnerabilities and living-off-the-land (LotL) techniques, and often target network devices to maintain persistent access to networks.

In response to the attack, the Federal Communications Commission (FCC) proposed new cybersecurity measures to strengthen the resilience of U.S. telecommunications networks. These measures included clarifying legal obligations for telecom carriers to secure their networks and implementing an annual certification requirement for cybersecurity risk management plans.

[FR] Second Largest French ISP Breached

In December 2024 the second-largest internet service provider (ISP) in France, Free, experienced a significant cyber-attack that compromised the personal data of over 19 million customers. The breach was discovered on December 4, 2024, when the attacker, known as drussellx, infiltrated Free’s internal management systems. There was no impact on Free’s operations, and according to the organisation the breach did not expose passwords, bank card details, or the content of any communications of users of its services.

The attackers posted two databases containing the stolen data on a dark web forum for auction: one containing the more than 19 million customer records, the other containing over 5 million international bank account numbers (IBANs), contradicting Free’s statements about the exposed data.

In response to the breach, Free took immediate action by notifying affected customers and reporting the incident to France’s National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI). The company has launched an internal investigation to understand the full extent of the breach and to prevent future incidents.