Cyber Threat Weekly - #1
This week let's start with an information stealer using a novel anti-sandbox technique: trigonometry applied to mouse movement to confirm a human is at the keyboard before detonating. Multiple APT groups are exploiting a WinRAR vulnerability. Cl0p's mass exploitation of MOVEit vulnerabilities is the gift that keeps on giving.
The legitimate NetSupport Manager is being used for malicious purposes. Apache ActiveMQ continues to be actively exploited. The LummaC2 info stealer claims a new feature, the ability to restore expired Google cookies; not good.
QakBot may have been rebranded: the attack techniques of DarkGate and PikaBot are similar. Job-related campaigns run by North Korean threat actors target job seekers and employers, and unfortunately these tactics work.
A ransomware affiliate tracked as Scattered Spider is a proficient adversary. Malicious Chrome browser extensions are leveraging the Chrome API for malicious activities. If it works, they'll keep using it: delivery- and shipping-themed email messages are being used to deliver a malware loader.
North Korea is at it again with software supply chain attacks. A proof-of-concept exploit for an actively exploited Windows SmartScreen bypass is publicly available. Web shells are a popular post-exploitation tool; the WSO web shell has been around a while, and its new version is stealthy and sophisticated. Flaws in ownCloud put users at risk.
Broken Record Alert: You are going to hear this often!!!
Roughly 5% of publicly disclosed vulnerabilities are ever observed exploited in the wild. Priority #1 should be patching actively exploited vulnerabilities. Use CISA's Known Exploited Vulnerabilities (KEV) catalog or similar sources to identify and prioritize them.
Right behind actively exploited vulnerabilities, a close #2 is those with proof-of-concept (PoC) code available: the odds of exploitation jump once PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited in the wild or have PoC code available.
Threat actors use time as a weapon: exploits arrive fast, often before organizations have had time to patch. Diligent patching can be the difference between preventing a data breach or ransomware attack and suffering one.
CISA Known Exploited Vulnerabilities - Week of 11-20 to 11-26
CVE-2023-4911 – GNU C Library Buffer Overflow Vulnerability
Multiple Linux distributions are affected.
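As an added example (not part of the newsletter), here is a small Python script that applies the priority order above to a vulnerability scanner export: tier 1 for anything in the KEV catalog, tier 2 for findings with public PoC code, tier 3 for everything else, with CVSS only breaking ties inside a tier. The KEV data is a constructed snippet in the catalog's real JSON shape (the live feed is https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and can be passed to prioritize() after json.loads); the inventory, the poc_available flag, the CVE-0000-* placeholders and the 24h/48h/30-day windows are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snippet in the KEV catalog's JSON shape (only the fields used here).
# A live pull of KEV_FEED_URL returns the same structure with many more entries.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-4911", "vendorProject": "GNU", "product": "glibc",
     "vulnerabilityName": "GNU C Library Buffer Overflow Vulnerability",
     "dateAdded": "2023-11-21", "dueDate": "2023-12-12"},
    {"cveID": "CVE-2023-46604", "vendorProject": "Apache", "product": "ActiveMQ",
     "vulnerabilityName": "Apache ActiveMQ Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2023-11-02", "dueDate": "2023-11-23"},
    {"cveID": "CVE-2023-36025", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows SmartScreen Security Feature Bypass Vulnerability",
     "dateAdded": "2023-11-14", "dueDate": "2023-12-05"}
  ]
}"""

# Constructed scanner export (assumed field names). The CVE-0000-* entries are
# placeholders, not real CVEs, standing in for findings outside KEV.
INVENTORY = [
    {"host": "mq-01",    "cve": "CVE-2023-46604", "cvss": 9.8, "poc_available": True},
    {"host": "build-03", "cve": "CVE-2023-4911",  "cvss": 7.8, "poc_available": True},
    {"host": "ws-117",   "cve": "CVE-2023-36025", "cvss": 8.8, "poc_available": True},
    {"host": "app-04",   "cve": "CVE-0000-0001",  "cvss": 9.1, "poc_available": True},
    {"host": "db-02",    "cve": "CVE-0000-0002",  "cvss": 9.9, "poc_available": False},
    {"host": "app-04",   "cve": "CVE-0000-0003",  "cvss": 5.3, "poc_available": False},
]

# Assumed remediation windows per tier, in hours: tiers 1 and 2 are the
# emergency process, tier 3 is an ordinary monthly cycle.
SLA_HOURS = {1: 24, 2: 48, 3: 30 * 24}

ASSESSMENT_TIME = datetime(2023, 11, 27, 9, 0)  # assumed "now" for the demo


def kev_index(kev):
    """Map cveID -> catalog entry so membership checks are O(1)."""
    return {v["cveID"]: v for v in kev["vulnerabilities"]}


def tier_for(finding, kev_ids):
    """1 = exploited in the wild (in KEV), 2 = public PoC, 3 = everything else."""
    if finding["cve"] in kev_ids:
        return 1
    if finding.get("poc_available"):
        return 2
    return 3


def prioritize(kev, inventory, now=ASSESSMENT_TIME):
    """Return findings sorted by tier then CVSS, each tagged with tier and due time."""
    idx = kev_index(kev)
    ranked = []
    for f in inventory:
        t = tier_for(f, idx)
        due = (now + timedelta(hours=SLA_HOURS[t])).isoformat(timespec="minutes")
        entry = dict(f, tier=t, due=due)
        if t == 1:
            entry["kev_added"] = idx[f["cve"]]["dateAdded"]
        ranked.append(entry)
    # Tier decides first; CVSS only breaks ties within a tier. A 9.9 with no
    # known exploit or PoC therefore lands behind a 7.8 that is already in KEV.
    ranked.sort(key=lambda e: (e["tier"], -e["cvss"]))
    return ranked


def demo():
    """Run the prioritization over the constructed data."""
    return prioritize(json.loads(KEV_JSON), INVENTORY)


if __name__ == "__main__":
    for e in demo():
        print(f"tier {e['tier']}  due {e['due']}  {e['cve']:<15} cvss {e['cvss']:<4} {e['host']}")
```

The point of the sort key is that exploitation evidence outranks severity: the placeholder 9.9 with neither exploitation nor PoC sits at the bottom of the list, below a KEV-listed 7.8. Swap the embedded snippet for the live feed and your own scanner export and the same ordering falls out.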
Novel Anti-Sandbox Technique
Adversaries keep finding ways to frustrate analysis of their malware. This one is interesting: the stealer samples the mouse cursor over time and only detonates once the movement looks like something a hand on a mouse would produce, which an idle or mechanically driven sandbox cursor does not.
https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/
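To make the technique concrete, here is an added Python illustration (not code from the original post or from the malware) of the check in the abstract: take a few cursor samples spaced in time, form the movement vector between each pair, and use the dot product to measure how sharply the heading changes between consecutive vectors. The sample count, the interval and the 45-degree limit are illustrative parameters chosen for this example; see the Outpost24 writeup for the actual values. get_pos() stands in for the platform cursor call and the three paths are constructed.

```python
import math

# Illustrative parameters (assumed for this example): how many cursor samples
# to take, how long to wait between them, and the largest change of heading
# between consecutive moves still treated as "human".
SAMPLE_COUNT = 5
SAMPLE_INTERVAL_S = 0.3
MAX_TURN_DEG = 45.0


def sample_cursor(get_pos, count=SAMPLE_COUNT, interval_s=SAMPLE_INTERVAL_S, sleep=None):
    """Collect `count` (x, y) cursor positions, pausing `interval_s` between reads.

    `get_pos` abstracts the platform call (GetCursorPos on Windows); `sleep`
    defaults to time.sleep but is injectable so the logic runs offline.
    """
    if sleep is None:
        import time
        sleep = time.sleep
    points = []
    for i in range(count):
        if i:
            sleep(interval_s)
        points.append(tuple(get_pos()))
    return points


def heading_change_deg(v1, v2):
    """Angle in degrees between two consecutive movement vectors; None if either is zero."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0.0 or n2 == 0.0:
        return None  # the cursor did not move during one of the intervals
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_theta))))


def looks_human(points, max_turn_deg=MAX_TURN_DEG):
    """True when every interval saw movement and no turn exceeds max_turn_deg.

    A hand on a mouse traces a continuous path whose direction changes
    gradually. An idle cursor yields zero-length vectors and a sandbox that
    teleports the cursor yields sharp reversals; both fail this test.
    """
    if len(points) < 3:
        return False
    moves = [(bx - ax, by - ay) for (ax, ay), (bx, by) in zip(points, points[1:])]
    for v1, v2 in zip(moves, moves[1:]):
        turn = heading_change_deg(v1, v2)
        if turn is None or turn > max_turn_deg:
            return False
    return True


# Constructed sample paths.
HUMAN_DRAG = [(100, 100), (130, 112), (160, 128), (190, 148), (220, 172)]   # gentle arc
IDLE_CURSOR = [(640, 360)] * 5                                               # nobody home
TELEPORTING = [(100, 100), (400, 100), (100, 400), (400, 400), (100, 100)]   # scripted jumps


def scripted_mouse(path):
    """Build a get_pos() that replays a constructed path, for offline runs."""
    it = iter(path)
    return lambda: next(it)


if __name__ == "__main__":
    for name, path in [("human drag", HUMAN_DRAG), ("idle", IDLE_CURSOR), ("teleporting", TELEPORTING)]:
        pts = sample_cursor(scripted_mouse(path), sleep=lambda s: None)
        print(f"{name:12} -> detonate={looks_human(pts)}")
```

Two practitioner notes follow from the shape of the check. A sandbox can satisfy it by driving the cursor along an interpolated, lightly jittered path for the whole analysis window rather than leaving it parked or jumping it between fixed points. And the check costs the malware a sleep of several hundred milliseconds per sample before it does anything interesting, so a sample that sits quietly polling the cursor right after launch is itself a behavioral signal.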
Nation State Actors Exploiting a Now Patched WinRAR Zero-Day Vulnerability
This vulnerability (CVE-2023-38831) was fixed in WinRAR 6.23 in August, was added to the CISA Known Exploited Vulnerabilities catalog the same month, and is still being actively exploited. If WinRAR is in your estate, confirm the installed version is 6.23 or later; it does not update itself.
https://securityaffairs.com/154414/apt/darkcasino-apt-exploiting-winrar-0day.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
Cl0p's MOVEit Mass Exploitation Victim Count is Growing
Let’s hope we’re done adding victims.
https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
NetSupport Manager Used for Malicious Purposes
Using legitimate remote management software as a remote access trojan is a threat trend that continues. Tools such as AnyDesk, TeamViewer, various flavors of VNC, and others are routinely used by threat actors for persistence, exfiltration, and command and control. Know which remote-access tools are sanctioned in your environment and alert on any other one appearing on an endpoint; a signed, legitimate binary is exactly what makes these attractive to the adversary.
https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
CVE-2023-46604 with a Fix Available Continues to be Exploited
Apache ActiveMQ is being exploited by multiple threat actors. Fixed releases (5.15.16, 5.16.7, 5.17.6 and 5.18.3) were published the day the CVE was announced. Proof-of-concept (PoC) code is available. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 2nd.
https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
https://activemq.apache.org/news/cve-2023-46604
LummaC2 New Feature, Scary
Lumma's developer promoted a new feature, restoring expired Google cookies. Google quietly fixed the issue; a few days later, Lumma's developer released an update. The feature has not been verified by Google or by independent security researchers.
Has QakBot been Rebranded? DarkGate Activity Surged About a Month After QakBot Activity Ceased
There is no guarantee that DarkGate is the new QakBot, but the attack behavior and timing are certainly suspect. Considering the impact QakBot had, if the same operators have simply moved to new malware with similar, and even updated, attack behavior, that is bad news for security practitioners.
https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
Job Seekers and Employers Targeted
This isn't the first time these tactics have been used, and the trend is worth keeping an eye on. What matters here are the tactics themselves, so you can be better prepared.
https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
ALPHV/BlackCat Ransomware Affiliate is a Challenging Adversary
Employing techniques once seen only from nation-state threat actors, this adversary, tracked as Scattered Spider, is responsible for the MGM hack. It is capable of compromising large enterprises with sophisticated social engineering tactics.
https://www.darkreading.com/cloud/scattered-spider-hops-nimbly-cloud-on-prem-complex-attack
Malicious Chrome Extensions are not New, this one is Particularly Nasty
This extension uses legitimate websites for its downloads and the Chrome browser API for its malicious behavior, and the extension and framework could be ported to other Chromium-based browsers as well. While this campaign is focused on Brazil, it's a fair bet we'll see this browser extension and its malicious activity in other geographic locations too.
Shipping-Themed Emails Deliver a New Malware Loader
The lures are the same; the difference is a new malware loader called WailingCrab. It has multiple components, is actively maintained, and is stealthy, resisting analysis and detection.
https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html
Joint Advisory from the UK and South Korea
Multiple instances of North Korean cyber activity have prompted a new strategic partnership between the UK and South Korea, aimed at disrupting DPRK malicious cyber capabilities. The joint advisory focuses on DPRK software supply chain attacks.
https://therecord.media/south-korea-uk-warning-supply-chain-attacks-north-korea
Proof of Concept Exploit Available for Windows SmartScreen Flaw
CVE-2023-36025, a SmartScreen security feature bypass triggered by a crafted Internet Shortcut (.url) file, has been added to the CISA Known Exploited Vulnerabilities catalog, and Proofpoint researchers observed abuse of the flaw this week. With proof-of-concept (PoC) code available, it's a sure bet this CVE will continue to be exploited.
WSO-NG Web Shell Gets Stealthy
Web shells fly under the radar: their traffic blends right in with normal HTTP or HTTPS traffic, looking like just another page on the site. They also make attribution difficult, since most are commodity tools shared across many actors.
https://www.darkreading.com/cloud/web-shells-sophistication-stealth-persistence
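Because the traffic blends in, the more reliable place to catch a web shell is on disk. As an added example (not code from the original post or from the WSO project), here is a Python scorer that rates a PHP source file by weighted indicators: direct and indirect code evaluation, command-execution functions, decode/inflate calls, request input reaching a variable function call, a long base64-looking literal, and overall entropy. The weights, the entropy cutoff and the review threshold are assumptions for this example, and the three PHP samples are constructed (not real shell code).

```python
import math
import re
from collections import Counter

# Indicator patterns with assumed weights. Each indicator counts once per file
# no matter how often it matches, so a legitimate app with many $_POST reads
# does not score higher than a one-line shell.
INDICATORS = [
    (r"\beval\s*\(",                                               3, "eval"),
    (r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(",  3, "command execution"),
    (r"\b(assert|create_function)\s*\(",                           2, "indirect eval"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",   2, "decode/inflate"),
    (r"\bmove_uploaded_file\s*\(",                                 2, "file upload"),
    (r"\$[A-Za-z_]\w*\s*\(\s*\$",                                  2, "variable function call"),
    (r"\$_(POST|GET|REQUEST|COOKIE)\s*\[",                         1, "request input"),
]
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")   # payload stored as one base64-ish literal
HIGH_ENTROPY_BITS = 5.5                            # assumed; plain PHP sits near 4.5-5.0
SUSPICIOUS_SCORE = 5                               # assumed review threshold


def shannon_entropy(text):
    """Bits per character of `text`; packed or encrypted payloads push this up."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_php(source):
    """Return (score, hit_labels) for one PHP source file."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, source):
            score += weight
            hits.append(label)
    if LONG_BLOB.search(source):
        score += 2
        hits.append("long encoded literal")
    if shannon_entropy(source) > HIGH_ENTROPY_BITS:
        score += 1
        hits.append("high entropy")
    return score, hits


def is_suspicious(source, threshold=SUSPICIOUS_SCORE):
    """True when the file scores at or above the review threshold."""
    return score_php(source)[0] >= threshold


# Constructed samples (not real shell code): a harmless page, a compact shell
# that hides `system` behind string concatenation, and a packed dropper.
BENIGN = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "<h1>Hello, $name</h1>";
"""
SHELL = """<?php
if (isset($_POST['c'])) { $f = 'sys' . 'tem'; $f($_POST['c']); }
eval(base64_decode($_REQUEST['p']));
"""
PACKED = "<?php\n$x = base64_decode('" + "QUFB" * 60 + "');\neval($x);\n"

if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("shell", SHELL), ("packed", PACKED)]:
        s, h = score_php(src)
        print(f"{name:7} score={s:<2} suspicious={is_suspicious(src)} hits={h}")
```

Note what the SHELL sample shows: the string-concatenated 'sys' . 'tem' never trips the command-execution pattern, so a scanner that only greps for function names misses it; the variable function call and eval indicators are what carry it over the threshold. Keyword scoring is a baseline, not a verdict. Pair it with file-integrity monitoring of the web root, so any new or modified PHP file gets scored the moment it appears, and with a review of POST requests to paths the application never deployed.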
3 Critical Bugs in ownCloud
If you use ownCloud, review the mitigations provided by the company. The three are CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105; the first, in the graphapi app, can expose environment variables such as admin credentials through a phpinfo page, and is the one to check first in containerized deployments.
https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter