
Cyber Threat Weekly – #13

Derek Krein
6 min read

With 483 cyber news articles combed through, the week of February 12th to the 18th was interesting to say the least.  Let’s start with a new stealthy malware using reverse proxy tools.  Execs targeted with an Azure account hijacking campaign, still ongoing. 

Keeping an eye on dark LLMs.  QR code phishing, the hunt is on.  Business email compromise (BEC) and vendor email compromise (VEC) are not slowing down.  Researchers share analysis of Glupteba.  SOHO router botnets are increasingly used in stealthy attacks, another one disrupted.

Ivanti, the gift that keeps on giving.  Pikabot is back, a bit simpler this time.  A Bumblebee campaign after a 4-month hiatus.  Patched Roundcube email flaw now under active exploitation.  Microsoft Outlook critical remote code execution bug.  Zoom patches critical flaw.

Microsoft Exchange zero-day bug exploited.  Researchers observe new Qbot activity.  RansomHouse automates ESXi data encryption.  Another old, patched vulnerability being actively exploited, this time Cisco ASA / FTD. 

New Google Chrome feature for home networks.  And finally, remote code execution flaws in SolarWinds access rights solution.


Broken Record Alert:  N-day bugs are killing us!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is vulnerabilities with weaponized proof of concept (PoC) code available, since the odds of exploitation climb sharply once working exploit code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.
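The prioritization described above, as an added example for this issue (not a tool from the newsletter or from CISA): an inventory is ranked against a KEV-style feed, with KEV entries first, weaponized-PoC entries second, and internet-facing hosts in either tier put on the emergency 48-hour clock. The feed and inventory are constructed samples that mirror the schema of the real KEV JSON; the weaponized-PoC set and the as-of date are assumed inputs you would maintain yourself.

```python
"""Rank scanner findings: CISA KEV first, weaponized PoC second, rest routine.

Added example; not code from the page or from CISA.  KEV_FEED is a constructed
sample in the shape of the public feed (cveID, vendorProject, product, dateAdded,
dueDate, knownRansomwareCampaignUse); INVENTORY, WEAPONIZED_POC and TODAY are
assumed inputs.
"""
import json
from datetime import date, timedelta

# Constructed sample mirroring the KEV feed schema; not the live feed.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-21410", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2024-02-15", "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-3259", "vendorProject": "Cisco", "product": "ASA and FTD",
         "dateAdded": "2024-02-15", "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-43770", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2024-02-12", "dueDate": "2024-03-04", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: host, CVEs a scanner reported, whether it is reachable from the Internet.
INVENTORY = [
    {"host": "mail01",   "cves": ["CVE-2024-21410", "CVE-2024-21413"], "internet_facing": True},
    {"host": "vpn-edge", "cves": ["CVE-2020-3259"],                    "internet_facing": True},
    {"host": "wiki-int", "cves": ["CVE-2023-43770"],                   "internet_facing": False},
    {"host": "ws-042",   "cves": ["CVE-2024-24691"],                   "internet_facing": False},
]

# Assumed: CVEs for which you have confirmed a weaponized public PoC (maintained by you).
WEAPONIZED_POC = {"CVE-2024-21413"}

# Assumed as-of date for the example run.
TODAY = date(2024, 2, 19)


def load_kev(feed_json):
    """Index a KEV-shaped feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, weaponized_poc, today, sla_days=2):
    """Return findings sorted by tier, then exposure, then deadline.

    tier 1: in KEV            -> internet-facing: emergency SLA, else CISA due date
    tier 2: weaponized PoC    -> internet-facing: emergency SLA, else normal cycle
    tier 3: everything else   -> normal cycle (deadline None)
    """
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            if cve in kev:
                tier, reason = 1, "CISA KEV"
                if kev[cve].get("knownRansomwareCampaignUse") == "Known":
                    reason += " (ransomware use)"
            elif cve in weaponized_poc:
                tier, reason = 2, "weaponized PoC public"
            else:
                tier, reason = 3, "routine"

            if tier < 3 and asset["internet_facing"]:
                deadline = today + timedelta(days=sla_days)      # 48-hour emergency window
            elif tier == 1:
                deadline = date.fromisoformat(kev[cve]["dueDate"])  # CISA's own due date
            else:
                deadline = None

            findings.append({"host": asset["host"], "cve": cve, "tier": tier, "reason": reason,
                             "internet_facing": asset["internet_facing"], "deadline": deadline})

    findings.sort(key=lambda f: (f["tier"], not f["internet_facing"], f["deadline"] or date.max))
    return findings


def run():
    """Triage the constructed inventory against the constructed feed."""
    return triage(INVENTORY, load_kev(KEV_FEED), WEAPONIZED_POC, TODAY)


if __name__ == "__main__":
    for f in run():
        due = f["deadline"].isoformat() if f["deadline"] else "normal cycle"
        print(f"tier {f['tier']}  {f['host']:<9} {f['cve']:<15} due {due:<13} {f['reason']}")
```

Swap the constructed feed for the downloaded KEV JSON and the inventory for your scanner export; the ranking logic does not change. The one judgement call is the weaponized-PoC set, which no feed hands you and which is worth curating by hand.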


CISA Known Exploited Vulnerabilities for February 12th to February 18th:

CVE-2023-43770 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
This leads to information disclosure via malicious link references in plain/text messages.

CVE-2024-21412 – Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
Contains an unspecified vulnerability that allows for a security feature bypass.

CVE-2024-21351 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

CVE-2020-3259 – Cisco ASA and FTD Information Disclosure Vulnerability
An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

CVE-2024-21410 – Microsoft Exchange Server Privilege Escalation Vulnerability
Allows for privilege escalation via NTLM credential relay against the Exchange server (see the Exchange item below).


Stealthy Zardoor Malware Evades Detection

This new malware uses reverse proxy tools for C2, living-off-the-land techniques such as WMI for lateral movement, and scheduled tasks for persistence, and it has stayed resident in the victim environment for several years.  Not well known yet; we may be hearing more about this stealthy malware.

https://cybersecuritynews.com/zardoor-malware/

https://blog.talosintelligence.com/new-zardoor-backdoor/


Ongoing Azure Account Takeover Campaign – Execs Targeted

This one is interesting, pairing phishing with account takeover (ATO).  Once ATO is established, the attacker registers their own MFA methods to remain persistent.  The party continues with internal and external phishing, data exfil, financial fraud, and covering tracks.

https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/

https://www.proofpoint.com/uk/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments


The Use of Malicious LLMs and Malicious Use of LLMs

Some dark LLMs are for sale in criminal communities, and OpenAI and Microsoft report that state-affiliated actors have already used LLMs in their operations, with cyber criminals doing the same.

https://cybersecuritynews.com/rise-of-black-hat-ai-tools/

https://www.csoonline.com/article/1307613/nation-state-threat-actors-using-llms-to-boost-cyber-operations.html

https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors


Adversaries Using QR Code Phishing to Accomplish Same Goals

The objectives are the same, but instead of links or attachments the lure is a QR code, which moves the click to a mobile device that usually sits outside corporate email and web filtering.  An interesting trend is the targeting of execs.  We have also trained users to scan QR codes, since that is exactly how time-based one-time password MFA is enrolled.  Although the hunting guidance for user compromise is Microsoft specific, the concepts carry over to most tools.

https://www.darkreading.com/endpoint-security/qr-code-quishing-attacks-execs-email-security

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-for-qr-code-aitm-phishing-and-user-compromise/ba-p/4053324

https://abnormalsecurity.com/blog/data-shows-c-suite-receives-42x-more-qr-code-attacks
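A hunt for the pattern behind both the Azure account takeover campaign and the QR code AiTM phishing above (a successful sign-in from an IP the user has never used, followed shortly by the user registering new security info), written here as an added example and not as Microsoft's hunting query or anything from the linked posts. The sign-in and audit events are constructed, simplified records in the shape of Entra sign-in and audit logs; the activity name "User registered security info", the per-user known-IP baseline and the 60-minute window are assumptions to adjust for your tenant.

```python
"""Hunt: new-IP sign-in followed by MFA/security-info registration within a window.

Added example; not Microsoft's hunting query.  EVENTS and KNOWN_IPS are
constructed samples loosely shaped like Entra sign-in and audit log records.
"""
from datetime import datetime, timedelta, timezone

# Audit activity names assumed to match your tenant's audit log wording.
REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}

# Constructed events (not real logs).  Sign-ins carry ip/result; audits carry activity.
EVENTS = [
    {"time": "2024-02-13T09:02:11Z", "type": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.25", "result": "success"},
    {"time": "2024-02-13T09:14:40Z", "type": "audit", "user": "cfo@example.com",
     "ip": "203.0.113.25", "activity": "User registered security info"},
    {"time": "2024-02-13T10:30:00Z", "type": "signin", "user": "alice@example.com",
     "ip": "198.51.100.7", "result": "success"},
    {"time": "2024-02-13T15:00:00Z", "type": "audit", "user": "alice@example.com",
     "ip": "198.51.100.7", "activity": "User registered security info"},
    {"time": "2024-02-14T08:00:00Z", "type": "signin", "user": "bob@example.com",
     "ip": "203.0.113.99", "result": "failure"},
    {"time": "2024-02-14T08:05:00Z", "type": "audit", "user": "bob@example.com",
     "ip": "198.51.100.7", "activity": "User registered security info"},
    {"time": "2024-02-14T11:00:00Z", "type": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.77", "result": "success"},
]

# Assumed baseline: IPs each user signed in from over the prior 30 days.
KNOWN_IPS = {
    "cfo@example.com":   {"198.51.100.7"},
    "alice@example.com": {"198.51.100.7"},
    "bob@example.com":   {"198.51.100.7"},
}


def parse_time(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(events, known_ips, window_minutes=60):
    """Return one alert per successful new-IP sign-in that is followed, within the
    window, by a security-info registration for the same user."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "signin" or e["result"] != "success":
            continue
        if e["ip"] in known_ips.get(e["user"], set()):
            continue  # sign-in from a baseline IP: not interesting for this hunt
        t0 = parse_time(e["time"])
        for later in events[i + 1:]:
            t1 = parse_time(later["time"])
            if t1 - t0 > timedelta(minutes=window_minutes):
                break  # events are sorted; nothing later can be inside the window
            if (later["type"] == "audit" and later["user"] == e["user"]
                    and later.get("activity") in REGISTRATION_ACTIVITIES):
                alerts.append({
                    "user": e["user"],
                    "signin_time": e["time"],
                    "signin_ip": e["ip"],
                    "registration_time": later["time"],
                    "registration_ip": later.get("ip"),
                    "minutes_between": int((t1 - t0).total_seconds() // 60),
                })
                break
    return alerts


def run():
    """Run the hunt over the constructed events with the assumed baseline."""
    return hunt(EVENTS, KNOWN_IPS)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['user']}: sign-in from {a['signin_ip']} at {a['signin_time']}, "
              f"security info registered {a['minutes_between']} min later from {a['registration_ip']}")
```

Only the CFO trips the rule: Alice registered security info from a baseline IP hours after a normal sign-in, Bob's sign-in from the new IP failed, and the CFO's second new-IP sign-in had no registration behind it. Feeding it real data means replacing the baseline with a query over your own sign-in history and, ideally, adding the AiTM-specific signal Microsoft's post works from, which this example does not model.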


BEC and VEC Attacks Still Trending Up

Building trust and social engineering are the basis for these attacks with no malware or link to be suspicious of.  Researchers observe BEC attack frequency doubling, while VEC attack frequency is up 50%. 

https://abnormalsecurity.com/blog/bec-vec-attacks


Glupteba’s UEFI Bootkit Exposed

This is an interesting analysis of both the PPI ecosystem and a previously undocumented feature of the Glupteba malware.

https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/


Nation States Using SOHO Router Botnets for Stealthy Attacks – Disrupted

First it was China’s Volt Typhoon SOHO router botnet disrupted, now it’s APT28’s Moobot botnet disrupted.  The lesson here is that IoCs such as IPs are becoming less useful, as the adversary is launching attacks from the same geographic regions as their targets and in some cases through compromised SOHO routers to hide malicious intent and location.

https://www.darkreading.com/cyberattacks-data-breaches/doj-breaks-russian-military-botnet-

https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian


Ivanti, Exploitation with New Backdoor Deployed and More

This is getting ridiculous: the SSRF vulnerability is still being exploited and a new DSLog backdoor is being deployed.  But that’s not all, researchers were able to reverse engineer the firmware running on Ivanti Pulse Secure appliances and found the appliances running on an 11-year-old version of Linux.  Riddled with problems, an unsupported OS, and 111 known vulnerabilities with publicly available exploits.  Vendors are going to be held to higher standards, as they should be.

https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-flaw-to-deploy-new-dslog-backdoor/

https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html

https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/


Researchers Analyze the Latest Pikabot Version

A bit of a timeline and a detailed analysis of the latest version of Pikabot. 

https://www.zscaler.com/blogs/security-research/d-evolution-pikabot


Researchers Observe a New Bumblebee Campaign

The cybercrime domain is heating up, new versions of malware and new campaigns are springing up left and right (pun intended). 

https://www.bleepingcomputer.com/news/security/bumblebee-malware-attacks-are-back-after-4-month-break/

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black


Roundcube Email Cross-Site Scripting (XSS) Bug Under Active Exploitation

This one, a Winter Vivern (Russia-aligned) attack campaign, may not need high attention, but watching the trends is always interesting.  Yesterday’s nation state attack is tomorrow’s commodity attack.  We’ll keep an eye on this one.

https://www.bleepingcomputer.com/news/security/cisa-roundcube-email-server-bug-now-exploited-in-attacks/


New Outlook Remote Code Execution (RCE) Bug

Tracked as CVE-2024-21413, this critical flaw is trivial to exploit according to Microsoft, yet the same Microsoft advisory rates it ‘exploitation unlikely’.  Patch on the first assessment, not the second.

https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21413


Zoom Patches Critical Privilege Escalation Bug

With a CVSS score of 9.6, CVE-2024-24691 was discovered by Zoom, very few details are shared.

https://www.bleepingcomputer.com/news/security/zoom-patches-critical-privilege-elevation-flaw-in-windows-apps/

https://www.zoom.com/en/trust/security-bulletin/ZSB-24008/


Actively Exploited Microsoft Exchange Flaw

Fixed during this month’s Patch Tuesday, this privilege escalation bug tracked as CVE-2024-21410 allows for NTLM credential relay attacks against Exchange.  The protection is Extended Protection for Authentication, which Exchange Server 2019 CU14 enables by default; verify it is actually on rather than assuming the update did it for you.

https://www.bleepingcomputer.com/news/security/microsoft-new-critical-exchange-bug-exploited-as-zero-day/

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410


Qbot Activity Spotted Since December 2023

Researchers are sharing recent Qbot activity, although it seems somewhat inconsistent currently.  This might be an attempted resurgence.

https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/


MrAgent Tool by RansomHouse Ransomware Gang Automates ESXi Encryption

With ransomware gangs gaining massive resources from many large victim ransoms, creating their own tools, and maintaining them becomes the norm.  This one is no different, automating ESXi encryption and minimizing administrator impact as a bonus.

https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-vmware-esxi-attacks-with-new-mragent-tool/

https://www.trellix.com/blogs/research/ransomhouse-am-see/


Cisco ASA CVE-2020-3259 Under Exploitation by Akira RaaS

Patched long ago, this one was not on the radar until the recent exploitation. 

https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html


Google Chrome Feature Blocks Unsafe Requests to Internal Networks

The jury is still out on this one; it appears to be in testing currently.  We’ll have to see how this plays out.

https://www.bleepingcomputer.com/news/google/new-google-chrome-feature-blocks-attacks-against-home-networks/


SolarWinds Fixes Five Bugs in Access Rights Manager

Multiple flaws in Access Rights Manager could lead to remote code execution. 

https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/

https://www.solarwinds.com/trust-center/security-advisories

