Skip to content

Cyber Threat Weekly – #10

Derek Krein
5 min read

This week’s newsletter is a bit lighter than earlier this month, although news volumes continue to increase.  Let’s start with exploit attempts on the critical Atlassian Confluence bug disclosed last week.  First zero-day flaw of the year for Apple.  Digging deeper into a pair of malicious traffic direction systems.

SEC X account hacked via SIM-swapping.  Bring Your Own Vulnerable Driver (BYOVD) is a growing trend.  Threat researchers share observations of BianLian ransomware group.  New GoAnywhere MFT critical bug.  Exposed API leaks private email addresses.

Google Kubernetes loophole could allow threat actors with a Google account to take control of a Kubernetes cluster.  Researchers observe a new Go-based loader called CherryLoader.  Critical Jenkins bug could lead to remote code execution.

Threat actors targeting WordPress database plugin.  Researchers share analysis of SystemBC C2 Server.  Cisco communications software critical remote code execution bug.  Microsoft shares details of APT29 attack against Microsoft executives email accounts, that went undetected for roughly two months.


Broken Record Alert:  Patch management prioritization is a must!!!

Known exploited vulnerabilities continue to be abused by threat actors.  We continue to share vulnerabilities with patches available being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for January 22nd to January 28th:

CVE-2023-34048 – VMware vCenter Server Out-of-Bounds Write Vulnerability

Affecting the DCERPC protocol that allows an attacker to conduct remote code execution on VMware vCenter Server.


CVE-2024-23222 – Apple Multiple Products Type Confusion Vulnerability

A type confusion vulnerability that leads to code execution when processing maliciously crafted web content affecting Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit.


CVE-2023-22527 – Atlassian Confluence Data Center and Server Template Injection Vulnerability

An unauthenticated OGNL template injection vulnerability that can lead to remote code execution.


Atlassian Confluence Bug 10,000’s of Exploit Attempts

Researchers are observing callback attempts with ‘whoami’ execution against CVE-2023-22527 disclosed last week.  This trend continues, rapid exploit attempts on newly disclosed vulnerabilities.

https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-atlassian-confluence-rce-flaw/


Apple Zero-Day Bug Fixed

CVE-2024-23222 could be exploited to gain code execution.  This bug impacts iOS, macOS, iPadOS, and tvOS.

https://www.bleepingcomputer.com/news/apple/apple-fixes-first-zero-day-bug-exploited-in-attacks-this-year/


Parrot and VexTrio Traffic Direction Systems (TDS)

An interesting breakdown of how two different TDSs, how they work, and stay stealthy.  Parrot TDS is the newer of the two, being active since October 2021.  VexTrio is believed to have been active since at least 2017. 

https://www.bleepingcomputer.com/news/security/malicious-web-redirect-scripts-stealth-up-to-hide-on-hacked-sites/

https://thehackernews.com/2024/01/vextrio-uber-of-cybercrime-brokering.html

https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/

https://blogs.infoblox.com/cyber-threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/


SIM-Swapping Responsible for SEC X Account Hack

The industry seems to be taking the easy way out, turning to MFA that is easily socially engineered such as SMS based MFA.  While SMS based MFA is better than nothing, it won’t stop a determined threat actor.

https://thecyberexpress.com/sec-x-account-hacked/


Kasseika Ransomware, Latest to Abuse BYOVD

Trend Micro shares the attack chain and finds similarities with the BlackMatter ransomware operation attack chains.  In addition, there are source code similarities between Kasseika and BlackMatter.

https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/

https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html


BianLian Threat Assessment

Threat researchers share observations and analysis of the BianLian threat group.  The group recently moved from the double extortion scheme to extortion without encryption.  They simply exfiltrate data and threaten to publish it if victims don’t pay the ransom.

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/


Critical Authentication Bypass Flaw: Forta’s GoAnywhere Managed File Transfer (MFT)

Recently disclosed bug CVE-2024-0204 is rated a CVSS 3.1 score of 9.8, was quietly patched on December 7th, 2023.  A technical analysis and exploit code has been released by security researchers.

https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical-goanywhere-mft-auth-bypass-patch-now/

https://www.fortra.com/security/advisory/fi-2024-001

https://cybersecuritynews.com/goanywhere-mft-bypass/

https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/


Trello API Abused Allowing Links to Account Information

An exposed API allowed a threat actor to query for account information using an email.  A list of 500 million emails was fed into the API to ascertain if there was an associated account.  Trello offers this API to allow developers to query for public information about a profile, the threat actor found a way to abuse it.

This incident underscores the criticality of API security.

https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/


Any Gmail Account Could Control Your Google Kubernetes Cluster

Security researchers discovered a misconfiguration allowing anyone with a Google account to take over Google Kubernetes clusters.  The loophole is a permissions issue, default configuration was excessive.  This showcases the need to audit permissions and authorization in all systems.

https://thehackernews.com/2024/01/google-kubernetes-misconfig-lets-any.html

https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/


CherryLoader, a New Go-based Loader

Researchers discovered the tool in two recent intrusions.  A multi-stage loader that utilizes different encryption methods and anti-analysis techniques.

https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html

https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/


Jenkins Bug Leads to Remote Code Execution, Exploit Code Released

This bug CVE-2024-23897 affects the command line interface (CLI).  A short-term mitigation is to turn off access to the CLI.    Exploit code is now available, we may see active exploitation soon. 

https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html

https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/

https://www.jenkins.io/security/advisory/2024-01-24/

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/


WordPress Database Plugin Actively Targeted

Wordfence is blocking active exploitation on the ‘Better Search Replace’ plugin.  The vendor, WP Engine released a fix for a critical bug tracked as CVE-2023-6933, rated 9.8 out of 10.  There are over 1 million active installations, although it is unknown how many are vulnerable.

https://www.bleepingcomputer.com/news/security/hackers-target-wordpress-database-plugin-active-on-1-million-sites/


SystemBC C2 Server Exposed by Researchers

Researchers have seen increased activity in Q2 and Q3 2023.  SystemBC includes an implant, command and control server, and web administration portal.  Designed for post exploitation activities, it can deliver additional payloads, and uses SOCKS5 proxies to hide network traffic to and from its C2 infrastructure.

https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html

https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server


Cisco Communications Products Vulnerable to CVE-2024-20253

The bug receiving a 9.9 out of 10 base score affects Unified Communications Manager and Contact Center Solutions products.  Exploitation could lead to remote code execution.  So far, no evidence of available exploit code or targeting the flaw.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-flaw-in-communications-software/


APT29 Attack Against Microsoft Executives Email Accounts

Microsoft discovered, on January 12th, 2024, that Russian threat actors had breached their systems in late November 2023.  Using a tactic previously shared in depth by Microsoft.  The adversary was able to gain access to a non-production test account with access to an Oauth application with elevated access to Microsoft’s corporate environment.

This underscores the necessity for asset inventory, identity and access management, and thorough knowledge of our environments.

https://therecord.media/microsoft-says-russian-hackers-used-previously-identified-technique-to-breach-executive-emails

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by