Weekly Cyber Threat Intelligence Summary

Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers the UK-based winter fuel payment scams, a China-linked telecom hack targeting US politicians, and a new Google Chrome flaw exploited by Lazarus.

1. UK-based winter fuel payment scams identified

Full report available for CYMON users here.

Key Takeaways:

  • Researchers have identified nearly 600 domains related to UK-based winter fuel payment scams.
  • The scams used SMS messages containing TinyURL links, with content stating that the victim qualifies to apply for winter heating subsidy benefits. The messages masqueraded as coming from a representative of the UK government.
  • The TinyURL links lead to domains with the ‘.top’ TLD, with domain names including keywords such as “winter” and “payment”.
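The indicators listed above (a URL-shortener link, benefit-lure wording, a claimed government sender, and a ‘.top’ destination whose name contains words such as “winter” or “payment”) can be turned into a simple triage heuristic. The following Python is an added example, not part of the report: the sample messages and their resolved destinations are constructed, the link resolution is assumed to have been done beforehand (no lookups are performed), and the keyword list and flagging threshold are assumptions, not values from the report.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample messages, each paired with the page its shortened link
# resolved to (resolution assumed done beforehand; nothing is fetched here).
SAMPLES = [
    ("UK Gov: You qualify to apply for winter heating subsidy benefits. "
     "Claim here: https://tinyurl.com/EXAMPLE1",
     "https://winter-payment-claim.top/apply"),
    ("Your parcel could not be delivered. Reschedule: https://tinyurl.com/EXAMPLE2",
     "https://example-courier.com/track"),
    ("Reminder: your dentist appointment is tomorrow at 10:00.", None),
]

SHORTENER_HOSTS = {"tinyurl.com"}          # shortener named in the report
SUSPICIOUS_TLDS = {"top"}                  # TLD named in the report
LURE_KEYWORDS = ("winter", "payment", "heating", "subsidy")  # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def assess_sms(text: str, resolved_url: Optional[str]) -> Tuple[int, List[str]]:
    """Score one SMS against the campaign's indicators; return (score, reasons)."""
    reasons: List[str] = []
    lowered = text.lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)]
    if any(h in SHORTENER_HOSTS for h in hosts):
        reasons.append("link goes through a URL shortener")
    if any(k in lowered for k in LURE_KEYWORDS):
        reasons.append("benefit/payment lure wording in body")
    if "gov" in lowered:
        reasons.append("claims to come from government")
    if resolved_url:
        host = (urlparse(resolved_url).hostname or "").lower()
        labels = host.split(".")
        if labels[-1] in SUSPICIOUS_TLDS:
            reasons.append(f"destination uses .{labels[-1]} TLD")
        if any(k in host for k in LURE_KEYWORDS):
            reasons.append("destination domain contains lure keyword")
    return len(reasons), reasons


def is_suspected_smishing(text: str, resolved_url: Optional[str], threshold: int = 3) -> bool:
    """Flag a message once it matches at least `threshold` indicators (assumed cut-off)."""
    return assess_sms(text, resolved_url)[0] >= threshold


if __name__ == "__main__":
    for body, dest in SAMPLES:
        score, why = assess_sms(body, dest)
        print("FLAG" if score >= 3 else "ok  ", score, why)
```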

Analyst Comment:

  • Smishing and phishing scams such as these often take advantage of political developments or any event affecting a large proportion of the population.
  • This increases the likelihood of successful attacks when the messages are sent in large volumes.

2. China-linked telecom hack targets US politicians

Full report available for CYMON users here.

Key Takeaways:

  • Intrusions targeting phone communications of US presidential candidates (including Donald Trump, Kamala Harris, and JD Vance) and other high-ranking officials have been detected. The attacks are suspected to be linked to Chinese threat actors.
  • The intrusions are part of a months-long campaign, with attackers successfully infiltrating US telecommunications companies.
  • Researchers believe the objective is to obtain sensitive information, such as wiretap requests, potentially influencing the presidential elections.
  • While the Chinese government denies involvement, US intelligence notes China’s past influence attempts in US elections through social media campaigns.

Analyst Comment:

  • Attacks attempting to influence the presidential race will likely continue until the day of the election on 5 November 2024.
  • The election outcome will affect many nations, providing significant motivation for outside threat actors who attempt to influence it.

3. Lazarus exploits a Google Chrome flaw via a tank game website

Full report available for CYMON users here.

Key Takeaways:

  • North Korean threat actor Lazarus exploited a Google Chrome zero-day, CVE-2024-4947, disclosed on 23 May 2024.
  • Google issued a patch for this vulnerability on 25 May 2024 in Chrome versions 125.0.6422.60 and 125.0.6422.61.
  • Lazarus targeted users through a DeFi NFT tank game, “detankzone[.]com,” which used stolen source code from the legitimate game DeFiTankLand.
  • A hidden script on the website triggered the exploit, allowing Lazarus to access cookies, authentication tokens, saved passwords, and browsing history.
  • To bypass Chrome’s V8 sandbox, they leveraged a separate issue (330404819) to remotely execute shellcode, collecting data and sending it to a command-and-control (C2) server.

Analyst Comment:

  • Lazarus is a North Korean state-sponsored APT group which has been in operation since at least 2009.
  • Its attacks have targeted numerous countries and sectors, including government, military, aerospace, media, and finance.
  • Some Lazarus intrusions result in the exfiltration of sensitive data, whilst others are destructive.

Discover the strategic and tactical insights, plus expert analyst comments

Stay ahead of cyber threats with our comprehensive threat intelligence reports. Request a demo today to access these invaluable insights and enhance your cybersecurity posture.
