
Cyber Threat Weekly – #11

Derek Krein

A busy week in threat news.  Let’s start with a new ZLoader variant that has emerged.  An exploration of Telegram’s dark markets and a phishing expedition.  Criminals actively target network operators’ credentials.  Scanning attempts against the Atlassian Confluence RCE bug.

Discovery and analysis of a new DLL loader.  GitLab releases bug fixes again, one rated CVSS 9.9 critical.  DarkGate malware distributed via Teams group chat phishing.  Local privilege escalation bug on major Linux distros.

Large-scale evasive scareware and PUP delivery.  The Ivanti zero-day mess continues with new vulnerabilities and active exploitation.  Researchers provide technical analysis of APT28 activity.  Container RunC bug enables attacker host access.

More malvertising serving a realistic website with a malicious download link.  New Android banking trojan.  Docker API used to deploy malware.  Windows event log crasher zero-day, unofficially fixed.  Mercenary-for-hire group releases new VileRAT variant.

Cloudflare reveals details of its November 2023 cyber-attack.  Threat actors breached AnyDesk and gained access to production servers.  Mastodon bug allows account takeover.


Broken Record Alert:  Please prioritize patching!!!

Known exploited vulnerabilities continue to be abused by threat actors.  We continue to share actively exploited vulnerabilities that already have patches available.  You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is vulnerabilities with weaponized proof of concept (PoC) code available.  Exploitation is more likely once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.

Let’s remove some of the low hanging fruit threat actors continue to target.
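To make the priority order above concrete, here is a small triage script.  It is an added example, not tooling from this newsletter or from CISA.  It assumes a KEV feed shaped like CISA’s JSON catalog (a top-level "vulnerabilities" list of records carrying a "cveID"); the KEV excerpt, the scanner findings, the per-finding "weaponized_poc" flag and the SLA values are all constructed for illustration, and the only CVE IDs taken from this issue are the two listed in the KEV section below.

```python
"""Patch triage following the priority order in the section above.

Added example, not the newsletter's own tooling.  Assumptions: the KEV feed is
a constructed snippet shaped like CISA's JSON catalog (top-level
"vulnerabilities" list with a "cveID" per record); the 'weaponized_poc' flag
comes from your own threat-intel source; SLA values are placeholders except
the 48-hour emergency window the text describes.
"""
import json

# Constructed KEV excerpt.  The two CVE IDs are the ones in this issue's KEV
# section; "dueDate" values are placeholders, not the catalog's real dates.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2022-48618", "dueDate": "DUE-DATE-PLACEHOLDER"},
    {"cveID": "CVE-2024-21893", "dueDate": "DUE-DATE-PLACEHOLDER"}
  ]
}
"""

# Constructed scanner findings for a hypothetical estate.  CVSS scores and
# PoC flags are sample values; CVE-2099-0001 is a made-up ID for a low-priority
# finding.
FINDINGS = [
    {"cve": "CVE-2024-21893", "asset": "vpn-gw-01", "cvss": 8.2, "weaponized_poc": True},
    {"cve": "CVE-2023-22527", "asset": "wiki-01", "cvss": 9.8, "weaponized_poc": True},
    {"cve": "CVE-2024-0402", "asset": "git-01", "cvss": 9.9, "weaponized_poc": False},
    {"cve": "CVE-2022-48618", "asset": "mac-fleet", "cvss": 7.0, "weaponized_poc": False},
    {"cve": "CVE-2099-0001", "asset": "printer-02", "cvss": 5.3, "weaponized_poc": False},
]

EMERGENCY_SLA_HOURS = 48          # the 24-to-48-hour process from the text
STANDARD_SLA_HOURS = 30 * 24      # placeholder for a regular patch cycle


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs present in a KEV-shaped JSON document."""
    doc = json.loads(kev_json)
    return {v["cveID"] for v in doc.get("vulnerabilities", [])}


def classify(finding: dict, kev_ids: set) -> tuple:
    """Map one finding to (rank, tier label, SLA hours).

    Rank 0: listed in CISA KEV        -> emergency window.
    Rank 1: weaponized PoC available  -> same emergency window.
    Rank 2: everything else           -> standard cycle, ordered by CVSS.
    """
    if finding["cve"] in kev_ids:
        return (0, "KEV - actively exploited", EMERGENCY_SLA_HOURS)
    if finding["weaponized_poc"]:
        return (1, "Weaponized PoC available", EMERGENCY_SLA_HOURS)
    return (2, "Standard cycle", STANDARD_SLA_HOURS)


def triage(findings, kev_json=KEV_JSON):
    """Annotate findings with tier and SLA, highest priority first."""
    kev_ids = load_kev_ids(kev_json)
    rows = []
    for f in findings:
        rank, tier, sla = classify(f, kev_ids)
        rows.append({**f, "rank": rank, "tier": tier, "sla_hours": sla})
    # Lower rank wins; within a tier, higher CVSS first.
    rows.sort(key=lambda r: (r["rank"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in triage(FINDINGS):
        print(f'{r["tier"]:26} {r["cve"]:15} {r["asset"]:10} '
              f'CVSS {r["cvss"]:<4} SLA {r["sla_hours"]}h')
```

Note that CVSS only breaks ties within a tier: the 9.9-rated GitLab finding lands below a 7.0-rated KEV entry, which is exactly the ordering the section argues for.  Swap the constructed KEV_JSON for the real catalog download and the PoC flag for your own intelligence feed to use it on real scanner output.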


CISA Known Exploited Vulnerabilities for January 29th to February 4th:

CVE-2022-48618 – Apple Multiple Products Improper Authentication Vulnerability

Allows an attacker with read and write capabilities to bypass Pointer Authentication on Apple iOS, iPadOS, macOS, tvOS, and watchOS.


CVE-2024-21893 – Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

A flaw in the SAML component allows an attacker to access certain restricted resources without authentication on Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons.


New 64-Bit Compatible ZLoader Variant

After nearly 2 years, ZLoader is back.  This new version has new obfuscation techniques, an updated domain generation algorithm, RSA encryption for network communications, and is now 64-bit compatible. 

https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html

https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night

https://redcanary.com/blog/msix-installers/


Telegram and Exploring the Dark Markets

How to create a profitable phishing campaign for as little as a few hundred dollars.  This walk-through shows how dark markets mimic real businesses with ‘free offers’, money-back guarantees, customer support, and more.

https://labs.guard.io/scammers-paradise-exploring-telegrams-dark-markets-breeding-ground-for-modern-phishing-a2225e51898e


Hundreds of Network Operators Credentials Stolen

Over 1,500 victims of credential theft were discovered.  This is a perfect case for better cyber hygiene.  We must be vigilant and pay attention to the details to minimize impact on our organizations.

https://cybersecuritynews.com/credentials-dark-web/

https://www.resecurity.com/blog/article/hundreds-of-network-operators-credentials-found-circulating-in-dark-web


Active Scanning of Critical Atlassian Confluence Bug

Another group of researchers is picking up scanning attempts to exploit the recent Confluence bug, CVE-2023-22527, disclosed January 16th, 2024.  Rated a CVSS 3.1 score of 9.8, exploitation can lead to remote code execution.  The correlation of malicious activity is a good thing; we reported similar activity last week.

https://cyble.com/blog/exploitation-of-atlassian-confluence-rce-vulnerability-cve-2023-22527/


New DLL Loader from Blackwood APT Group

Currently targeting users in Japan and China; we’ll keep our eyes open to see whether targeting expands into other geographic locations.  At first glance this one appears to lack malicious intent, but digging a bit deeper reveals its true purpose.  To minimize detection, the loader uses anti-analysis techniques and specific language checks.

https://cybersecuritynews.com/blackwood-apt-escalate-privileges/

https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/


Critical GitLab Bug Fixed

With a CVSS score of 9.9, CVE-2024-0402 has been fixed along with four other medium-severity vulnerabilities, just two weeks after the last two critical flaws were fixed.

https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html

https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/


DarkGate Threat Actors Social Engineer Victims via Microsoft Teams

Social engineering can be done in so many ways; in this case, since Microsoft Teams allows external connections by default, Teams users are often targeted.  We must be careful to minimize ingress traffic to our environments, including instant message chat systems.

https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/

https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response


Major Linux Distros’ Local Privilege Escalation Vulnerability

This flaw affects glibc, a must-have component of virtually every Linux distro.  A heap-based buffer overflow, CVE-2023-6246, was identified in the GNU C library’s syslog and qsort functions.  It allows a local unprivileged user to escalate to root access.

https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/

https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog


Researchers Analyze Massive Scareware and PUP Delivery Campaign - ApateWeb

While most will be quick to dismiss them, it’s important to understand these campaigns; they can lead to access by more malicious cybercriminals.  If it works, it will be commoditized and used by others.  This access could also be sold to cybercriminals.

https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/


Ivanti Releases Fixes and Discloses New Zero-Day Flaws, One Actively Exploited

Wow, this is bad.  Active exploitation by multiple threat actors, multiple malware families deployed on exploited devices, and over 20 days without patches available.  Finally, fixes are released, but also two more vulnerabilities.  CISA released the first emergency directive of the year, ordering federal agencies to disconnect Ivanti devices.

Mandiant analyzes multiple web shells and malware. 

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-disconnect-ivanti-vpn-appliances-by-saturday/

https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure


Researchers Examine a Pawn Storm / APT28 Campaign

From the use of VPNs, Tor, and compromised EdgeOS routers to anonymize traffic, to NTLMv2 hash relay attacks and spear phishing, this threat actor is stealthy.  There is evidence of infrastructure sharing with cyber criminals to further blend in.

https://thehackernews.com/2024/02/russian-apt28-hackers-targeting-high.html

https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html


Leaky Vessels RunC Bug Enables Container Escape

Four vulnerabilities were disclosed; the most severe, CVE-2024-21626, could lead to container escape.  AWS, Google Cloud, and Ubuntu have also released alerts.

https://thehackernews.com/2024/02/runc-flaws-enable-container-escapes.html

https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/

https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/

https://aws.amazon.com/security/security-bulletins/AWS-2024-001/

https://cloud.google.com/support/bulletins#gcp-2024-005

https://ubuntu.com/security/notices/USN-6619-1


Malvertising Targeting IT and System Administrators

Malicious ads are being used to lure technology administrators to malicious websites.  Analysis shared by researchers shows an interesting pattern that we have seen over the past several months.

https://www.malwarebytes.com/blog/threat-intelligence/2024/01/nitrogen-shelling-malware-from-hacked-sites


Android Banking Trojan Utilizing Simple Realtime Server

A phishing campaign is disseminating this banking trojan.  What’s interesting is the use of video streaming to keep tabs on the victim in real time.

https://cyble.com/blog/greenbean-latest-android-banking-trojan-leveraging-simple-realtime-server-srs-for-cc-communication/


Malware Deployed via Docker API

After escaping the container, the attackers deploy multiple payloads, including a credential stealer and a cryptominer.

https://thehackernews.com/2024/02/exposed-docker-apis-under-attack-in.html

https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/


Windows Zero-day Bug Dubbed EventLogCrasher Affects All Versions

Apparently, Microsoft doesn’t see this as a bug that needs immediate attention.  It appears to be a duplicate of a 2022 flaw, LogCrusher, disclosed by Varonis and still waiting for a patch.  The researcher also shared proof of concept code.

https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/


VileRAT Distributed by Mercenary-for-Hire Group

A new variant is being deployed at scale.  Stealthy and designed to run in memory with minimal to no disk artifacts, VileRAT is extensible and modular.

https://cybersecuritynews.com/vilerat-attacking-windows-machines/


Cloudflare Cyber Attack Details Released

The attack lasted from November 14th to the 24th, 2023, and was detected on the 23rd.  The threat actors analyzed wiki pages, bug database issues, and stole source code. 

https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html

https://blog.cloudflare.com/thanksgiving-2023-security-incident


AnyDesk Cyber Attack

Change passwords and update to the latest version; the old code signing certificate is going to be revoked.  Multiple threat actors are selling AnyDesk credentials.

https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

https://www.resecurity.com/blog/article/following-the-anydesk-incident-customer-credentials-leaked-and-published-for-sale-on-the-dark-web


A Critical Mastodon Flaw Tracked as CVE-2024-23832

A critical bug allows account impersonation and takeover.  No technical details are available; Mastodon advises that details will be released February 15th, 2024.

https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/
