Skip to content

Cyber Threat Weekly – #12

Derek Krein
4 min read

The evolving threat landscape simply doesn’t slow down, although this is a relatively light week.  Let’s start with Ivanti and yet another vulnerability.  Researchers share 2023 Ransomware leak site analysis.  JetBrains critical bug allows an unauthenticated attacker to bypass authentication checks.

Volt Typhoon uses small office home office (SOHO) routers to hide activity.  Major Linux distros have critical bug in Shim Bootloader.  Threat actors use Facebook ads to push malware.  Leaky API spews personal info.  HijackLoader is under active development.

Another RCE bug, this time in Fortinet SSL VPN.  Raspberry Robin malware stealthier and under active development, including using n-day bugs.  Split tunneling bug in ExpressVPN leaked DNS requests.


Broken Record Alert:  N-day vulnerabilities are killing us!!!

Known exploited vulnerabilities continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for February 5th to February 11th:

CVE-2023-4762 – Google Chromium V8 Type Confusion Vulnerability
Allows a remote attacker to execute code via a crafted HTML page.

CVE-2024-21762 – Fortinet FortiOS Out-of-Bound Write Vulnerability
Allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.


The Ivanti Mess Continues

One of the latest zero-day bugs, CVE-2024-21893 (now patched), is under mass exploitation. First disclosed January 31st with limited exploitation. Didn't take long for threat actors to turn up the wick a notch or 10.  Proof of concept code has been released. 

As if this isn’t enough, yet another bug tracked as CVE-2024-22024 has been disclosed, this one allows remote attackers limited access.

This underscores the need to rethink VPNs and RDP for ingress traffic.

https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-now-under-mass-exploitation/

https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US


2023 Ransomware Leak Site Analysis

Tracking ransomware leak site data provides one perspective of the ransomware threat. While we can't trust all leak site data, there is always plenty not shared and sometimes victims shared that are not compromised, it's good to discover as much as we can from leak site data.

https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/


JetBrains TeamCity Critical Flaw

All on-prem versions of TeamCity are vulnerable to an authentication bypass remote code execution bug tracked as CVE-2024-23917.  Mitigations are available!  If exposed to the Internet, you should disallow access to the server until mitigations have been completed.

An adversary could take advantage of this vulnerability with a foothold in your internal network if you run TeamCity internally.

https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-new-teamcity-auth-bypass-vulnerability/

https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/


Using SOHO Routers to Mask Activity – Volt Typhoon

Volt Typhoon aren’t the only threat actors using SOHO routers to mask network activity, but they are a significant threat in any case.  This is a follow up to a botnet used by several clusters of Chinese threat actors.

https://thehackernews.com/2024/02/after-fbi-takedown-kv-botnet-operators.html

https://www.bleepingcomputer.com/news/security/chinese-hackers-hid-in-us-infrastructure-network-for-5-years/

https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/

https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques

https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical


Critical Vulnerability in Shim Bootloader Impacting Major Linux Distros

With a few attack paths and possible system compromise before the kernel is loaded, this bug should be patched ASAP.  Tracked as CVE-2023-40547, Eclypsium provides details and how to fix it.  Sophisticated threat actors may attempt to abuse this flaw.

https://www.bleepingcomputer.com/news/security/critical-flaw-in-shim-bootloader-impacts-major-linux-distros/

https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/


Ov3r_Stealer Delivered Through Facebook Ads

Password stealing malware uses fake job ads to push malware with an interesting attack chain including Discord, GitHub, and Telegram.  While not under wide use, Ov3r_Stealer appears to be actively developed and usage may grow over time, this is one to keep an eye on.

https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/

https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf


Spoutible’s API Leaked a Ton of Personal Info

This is a good read, worth the walk through to understand how API security is a must.

https://www.troyhunt.com/how-spoutibles-leaky-api-spurted-out-a-deluge-of-personal-data/


Hijack Loader Increasing in Popularity

With better defense evasion and interesting process hollowing technique, showing increased complexity and stealthiness.  Keeping up with adversary innovation is getting tougher every day.

https://thehackernews.com/2024/02/hijackloader-evolves-researchers-decode.html

https://www.crowdstrike.com/blog/hijackloader-expands-techniques/


Fortinet SSL VPN Remote Code Execution Bug Actively Exploited

This critical vulnerability is rated a 9.6 and tracked as CVE-2024-21762 allowing an unauthenticated attacker remote code execution on the affected device.

https://www.bleepingcomputer.com/news/security/new-fortinet-rce-bug-is-actively-exploited-cisa-confirms/

https://www.fortiguard.com/psirt/FG-IR-24-015


Stealthy Raspberry Robin Malware Evolving

Now using n-day vulnerabilities and new delivery mechanisms.  Researchers are seeing an increase in Raspberry Robin activity, with large waves of attacks worldwide.

https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/

https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/


ExpressVPN Leaking DNS Requests

To prevent configured DNS servers from seeing your requests, ExpressVPN uses logless DNS servers through the VPN tunnel.  With split tunneling configured, DNS requests were sent outside of ExpressVPN servers to the configured DNS servers.

A good security practice is to use a free privacy focused DNS provider that provides solid security like the quad 9 project.

https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/

https://www.expressvpn.com/blog/windows-app-dns-requests/

https://www.quad9.net/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #52

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing. An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo

Members Public

Cyber Threat Weekly – #51

The week of November 4th through November 10th, 330 cyber news articles were reviewed.  The feed list has been adjusted, so the number of articles should be mostly lower.  Let’s start with threat actors using Zip file concatenation technique. Cybercriminals abuse emergency data requests (EDRs) with compromised credentials.  AWS

Members Public

Cyber Threat Weekly – #50

The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with a newer ransomware group targeting FreeBSD servers. Publicly disclosed exploit code used to exploit Microsoft SharePoint flaw.