Cyber Threat Weekly – #12
The evolving threat landscape simply doesn’t slow down, although this is a relatively light week. Let’s start with Ivanti and yet another vulnerability. Researchers share 2023 Ransomware leak site analysis. JetBrains critical bug allows an unauthenticated attacker to bypass authentication checks.
Volt Typhoon uses small office home office (SOHO) routers to hide activity. Major Linux distros have critical bug in Shim Bootloader. Threat actors use Facebook ads to push malware. Leaky API spews personal info. HijackLoader is under active development.
Another RCE bug, this time in Fortinet SSL VPN. Raspberry Robin malware stealthier and under active development, including using n-day bugs. Split tunneling bug in ExpressVPN leaked DNS requests.
Broken Record Alert: N-day vulnerabilities are killing us!!!
Known exploited vulnerabilities continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close second priority is vulnerabilities with weaponized proof of concept (PoC) code available, since the odds of exploitation rise sharply once a working PoC is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should also consider what we expose to the Internet. Let's remove some of the low-hanging fruit threat actors continue to target.
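The prioritization above (KEV first, weaponized PoC second, shortest SLA for what is Internet-facing) is easy to turn into a script. The following is an added example, not code from the newsletter or from CISA: it reads a feed in the shape of CISA's known_exploited_vulnerabilities.json, lists what was added in a date window, and matches entries against a small asset inventory to produce a 24/48-hour patch list. The feed contents, the inventory, the host names and the dates are all constructed for illustration; the loose vendor/product matching stands in for the normalization table a real CMDB would need.

```python
"""Added example (not the newsletter's or CISA's code): KEV feed + asset inventory
-> emergency patch list with a 24/48 hour SLA."""
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names match the real feed; the CVE IDs are the ones discussed in this
# issue, but the names, dateAdded and dueDate values here are assumed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-21893", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "vulnerabilityName": "Ivanti Connect Secure and Policy Secure SSRF Vulnerability",
         "dateAdded": "2024-01-31", "dueDate": "2024-02-02"},
        {"cveID": "CVE-2023-4762", "vendorProject": "Google", "product": "Chromium V8",
         "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability",
         "dateAdded": "2024-02-06", "dueDate": "2024-02-27"},
        {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Fortinet FortiOS Out-of-Bound Write Vulnerability",
         "dateAdded": "2024-02-09", "dueDate": "2024-02-16"},
    ],
})

# Constructed inventory (hypothetical hosts). Product strings are already in KEV
# vocabulary; real exports need a normalization table (assumption).
INVENTORY = [
    {"host": "vpn-01", "vendor": "Ivanti", "product": "Connect Secure", "internet_facing": True},
    {"host": "fw-edge-01", "vendor": "Fortinet", "product": "FortiOS", "internet_facing": True},
    {"host": "ws-0042", "vendor": "Google", "product": "Chrome (Chromium V8)", "internet_facing": False},
    {"host": "ci-01", "vendor": "JetBrains", "product": "TeamCity", "internet_facing": False},
]

WEEK = (date(2024, 2, 5), date(2024, 2, 11))     # the window this issue covers
AS_OF = datetime(2024, 2, 12, 9, 0)              # assumed "now" for SLA deadlines
POC_CVES = {"CVE-2024-21893"}                    # PoC released, per the Ivanti item


def added_between(kev_json: str, since: date, until: date) -> list[str]:
    """CVE IDs whose dateAdded falls in the inclusive window, feed order preserved."""
    cat = json.loads(kev_json)["vulnerabilities"]
    return [v["cveID"] for v in cat if since <= date.fromisoformat(v["dateAdded"]) <= until]


def _matches(entry: dict, asset: dict) -> bool:
    """Case-insensitive vendor equality plus product substring in either direction."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    ep, ap = entry["product"].lower(), asset["product"].lower()
    return ep in ap or ap in ep


def sla_hours(in_kev: bool, has_poc: bool, internet_facing: bool):
    """Emergency SLA: exploited + exposed = 24h; exploited internal, or weaponized
    PoC on an exposed asset = 48h; anything else goes through the normal cycle."""
    if in_kev:
        return 24 if internet_facing else 48
    if has_poc:
        return 48
    return None


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    sla_hours: int
    patch_by: datetime
    tier: str            # "KEV" (actively exploited) or "PoC" (weaponized PoC only)


def prioritize(kev_json: str, inventory: list, poc_cves: set,
               extra_tracked: list, as_of: datetime) -> list:
    """Match KEV entries (plus any extra tracked entries in the same record shape)
    against the inventory and return findings, shortest SLA first."""
    cat = json.loads(kev_json)["vulnerabilities"]
    kev_ids = {v["cveID"] for v in cat}
    findings = []
    for entry in cat + extra_tracked:
        cve = entry["cveID"]
        for asset in inventory:
            if not _matches(entry, asset):
                continue
            hours = sla_hours(cve in kev_ids, cve in poc_cves, asset["internet_facing"])
            if hours is None:
                continue
            tier = "KEV" if cve in kev_ids else "PoC"
            findings.append(Finding(cve, asset["host"], hours, as_of + timedelta(hours=hours), tier))
    findings.sort(key=lambda f: (f.sla_hours, f.tier, f.cve, f.host))
    return findings


def demo() -> list:
    """Run the sample data through the pipeline (what the test asserts on)."""
    return prioritize(KEV_SAMPLE, INVENTORY, POC_CVES, [], AS_OF)


if __name__ == "__main__":
    print("Added to KEV this week:", added_between(KEV_SAMPLE, *WEEK))
    for f in demo():
        print(f"{f.tier:3} {f.cve} on {f.host}: patch within {f.sla_hours}h (by {f.patch_by:%Y-%m-%d %H:%M})")
```

Note what the run does not show: ci-01 (TeamCity) never appears, because the CVE discussed later in this issue is not in the sample KEV feed. That is the point of tracking weaponized-PoC vulnerabilities separately and feeding them in through `extra_tracked` rather than relying on the catalog alone.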
CISA Known Exploited Vulnerabilities for February 5th to February 11th:
CVE-2023-4762 – Google Chromium V8 Type Confusion Vulnerability
Allows a remote attacker to execute code via a crafted HTML page.
CVE-2024-21762 – Fortinet FortiOS Out-of-Bound Write Vulnerability
Allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.
The Ivanti Mess Continues
One of the latest zero-day bugs, CVE-2024-21893 (now patched), is under mass exploitation. It was first disclosed January 31st with limited exploitation; it didn't take long for threat actors to turn up the wick a notch or ten. Proof of concept code has been released.
As if this isn't enough, yet another bug, tracked as CVE-2024-22024, has been disclosed. This one lets a remote attacker reach certain restricted resources without authentication.
This underscores the need to rethink VPNs and RDP for ingress traffic.
2023 Ransomware Leak Site Analysis
Tracking ransomware leak site data provides one perspective on the ransomware threat. We can't trust all leak site data: plenty of victims are never posted, and sometimes the "victims" posted were never actually compromised. Even so, it's worth learning as much as we can from it.
https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
JetBrains TeamCity Critical Flaw
TeamCity On-Premises versions prior to 2023.11.3 are vulnerable to an authentication bypass leading to remote code execution, tracked as CVE-2024-23917. Mitigations are available! If the server is exposed to the Internet, block access to it until patching or mitigation is complete.
Even if you only run TeamCity internally, an adversary with a foothold in your internal network could take advantage of this vulnerability.
Using SOHO Routers to Mask Activity – Volt Typhoon
Volt Typhoon aren’t the only threat actors using SOHO routers to mask network activity, but they are a significant threat in any case. This is a follow up to a botnet used by several clusters of Chinese threat actors.
https://thehackernews.com/2024/02/after-fbi-takedown-kv-botnet-operators.html
https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/
https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques
Critical Vulnerability in Shim Bootloader Impacting Major Linux Distros
With several attack paths and the possibility of compromising a system before the kernel is even loaded, this bug should be patched ASAP. Tracked as CVE-2023-40547, it is an out-of-bounds write in shim's HTTP boot handling; Eclypsium provides details and how to fix it. Sophisticated threat actors may attempt to abuse this flaw.
https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/
Ov3r_Stealer Delivered Through Facebook Ads
This password-stealing malware is pushed through fake job ads, with an interesting attack chain that runs through Discord, GitHub, and Telegram. Ov3r_Stealer is not in wide use yet, but it appears to be actively developed and usage may grow over time, so this is one to keep an eye on.
https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf
Spoutible’s API Leaked a Ton of Personal Info
This is a good read, worth the walk through to understand how API security is a must.
https://www.troyhunt.com/how-spoutibles-leaky-api-spurted-out-a-deluge-of-personal-data/
Hijack Loader Increasing in Popularity
HijackLoader has picked up better defense evasion and an interesting process hollowing technique, showing increased complexity and stealthiness. Keeping up with adversary innovation is getting tougher every day.
https://thehackernews.com/2024/02/hijackloader-evolves-researchers-decode.html
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
Fortinet SSL VPN Remote Code Execution Bug Actively Exploited
This critical vulnerability, rated CVSS 9.6 and tracked as CVE-2024-21762, is an out-of-bounds write in the SSL VPN daemon that allows an unauthenticated attacker remote code execution on the affected device.
https://www.fortiguard.com/psirt/FG-IR-24-015
Stealthy Raspberry Robin Malware Evolving
Now using n-day vulnerabilities and new delivery mechanisms. Researchers are seeing an increase in Raspberry Robin activity, with large waves of attacks worldwide.
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
ExpressVPN Leaking DNS Requests
Normally ExpressVPN sends DNS requests through the VPN tunnel to its own logless DNS servers, so the DNS servers configured on the device never see them. With split tunneling enabled, the Windows app sent DNS requests outside the tunnel to those configured DNS servers instead.
A good security practice is to use a free, privacy-focused DNS provider with solid security, such as Quad9.
https://www.expressvpn.com/blog/windows-app-dns-requests/
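The quickest way to confirm a leak like this on your own machine is to capture traffic while the VPN is up and see where DNS actually goes. The following is an added example, not ExpressVPN's code: it parses a small, constructed capture in a tcpdump-like shape (interface, direction, source and destination) and flags any DNS-port traffic that left through a non-tunnel interface, or went through the tunnel to a resolver other than the VPN's own. The interface name, the in-tunnel resolver address and the capture lines are all assumptions for the example.

```python
"""Added example (not ExpressVPN's code): flag DNS queries that bypassed the VPN
tunnel, from constructed capture lines."""
import re
from dataclasses import dataclass

# Assumed names/addresses for the example; the real adapter name and in-tunnel
# resolver depend on the platform and provider.
TUNNEL_IFACE = "tun0"
TUNNEL_RESOLVER = "10.8.0.1"
DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS; DoH rides on 443 and is not visible here

# Constructed capture lines in a tcpdump-like shape:
#   <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: ...
SAMPLE_CAPTURE = """\
tun0 Out IP 10.8.0.2.51234 > 10.8.0.1.53: 1+ A? example.com. (29)
eth0 Out IP 192.168.1.20.51235 > 192.168.1.1.53: 2+ A? intranet.local. (31)
eth0 Out IP 192.168.1.20.51236 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
eth0 Out IP 192.168.1.20.51237 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
tun0 Out IP 10.8.0.2.51238 > 93.184.216.34.80: Flags [S], seq 3, win 64240, length 0
"""

# Greedy [\d.]+ backtracks so the last dotted field becomes the port.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?:In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Flow:
    iface: str
    src: str
    dst: str
    dport: int


def parse_capture(text: str) -> list:
    """Turn capture lines into Flow records, skipping anything that doesn't match."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append(Flow(m["iface"], m["src"], m["dst"], int(m["dport"])))
    return flows


def dns_leaks(flows: list, tunnel_iface: str = TUNNEL_IFACE,
              tunnel_resolver: str = TUNNEL_RESOLVER) -> list:
    """DNS-port flows that either left via a non-tunnel interface or went through
    the tunnel to a resolver other than the VPN's own."""
    return [
        f for f in flows
        if f.dport in DNS_PORTS and (f.iface != tunnel_iface or f.dst != tunnel_resolver)
    ]


def find_leaks(text: str = SAMPLE_CAPTURE) -> list:
    """Parse and check in one step (what the test asserts on)."""
    return dns_leaks(parse_capture(text))


if __name__ == "__main__":
    for leak in find_leaks():
        print(f"LEAK: DNS to {leak.dst}:{leak.dport} left via {leak.iface}")
```

In the sample, the query to the tunnel resolver over tun0 is fine, while the plain DNS query to the LAN router and the DNS-over-TLS connection to 9.9.9.9 both leave over eth0 and are flagged. Port 443 traffic is deliberately ignored: DNS-over-HTTPS cannot be separated from ordinary HTTPS this way, which is a limitation of the check, not evidence that DoH is safe in a split-tunnel setup.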
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter