Skip to content

Cyber Threat Weekly – #13

Derek Krein
6 min read

With 483 cyber news articles combed through, the week of February 12th to the 18th was interesting to say the least.  Let’s start with a new stealthy malware using reverse proxy tools.  Execs targeted with an Azure account hijacking campaign, still ongoing. 

Keeping an eye on dark LLMs.  QR code phishing, the hunt is on.  Business email compromise (BEC) and vendor email compromise (VEC) are not slowing down.  Researchers share analysis of Glupteba.  SOHO router botnets are increasingly used in stealthy attacks, another one disrupted.

Ivanti, the gift that keeps on giving.  Pikabot is back, a bit simpler this time.  A Bumblebee campaign after a 4-month hiatus.  Patched Roundcube email flaw now under active exploitation.  Microsoft Outlook critical remote code execution bug.  Zoom patches critical flaw.

Microsoft Exchange zero-day bug exploited.  Researchers observe new Qbot activity.  RansomHouse automates ESXi data encryption.  Another old, patched vulnerability being actively exploited, this time Cisco ASA / FTD. 

New Google Chrome feature for home networks.  And finally, remote code execution flaws in SolarWinds access rights solution.


Broken Record Alert:  N-day bugs are killing us!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for February 12th to February 18th:

 CVE-2023-43770 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
This leads to information disclosure via malicious link references in plain/text messages.

CVE-2024-21412 – Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
Contains an unspecified vulnerability that allows for a security feature bypass.

CVE-2024-21351 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

CVE-2020-3259 – Cisco ASA and FTD Information Disclosure Vulnerability
An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

CVE-2024-21410 – Microsoft Exchange Server Privilege Escalation Vulnerability
Allows for privilege escalation.


Stealthy Zardoor Malware Evades Detection

This new malware uses reverse proxy tools for c2, living off the land techniques such as WMI for lateral movement, and scheduled tasks to remain persistent for several years.  Not well known yet, we may be hearing more about his stealthy malware.

https://cybersecuritynews.com/zardoor-malware/

https://blog.talosintelligence.com/new-zardoor-backdoor/


Ongoing Azure Account Takeover Campaign – Execs Targeted

This one is interesting, utilizing phishing techniques with account takeover (ATO).  Once ATO is established, going after MFA registration to remain persistent.  The party continues with internal and external phishing, data exfil, financial fraud, and covering tracks.

https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/

https://www.proofpoint.com/uk/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments


The Use of Malicious LLMs and Malicious Use of LLMs

There are some dark LLMs available, it’s speculated that LLMs have already been used in nation state attacks as well as by cyber criminals.

https://cybersecuritynews.com/rise-of-black-hat-ai-tools/

https://www.csoonline.com/article/1307613/nation-state-threat-actors-using-llms-to-boost-cyber-operations.html

https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors


Adversaries Using QR Code Phishing to Accomplish Same Goals

The objectives are the same, but instead of links or attachments, QR codes are used.  An interesting trend is the targeting of execs.  What do we do when using time based one-time passwords for MFA, scan a QR code?  Although the hunting for user compromise is Microsoft specific, the concepts are similar for most tools. 

https://www.darkreading.com/endpoint-security/qr-code-quishing-attacks-execs-email-security

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-for-qr-code-aitm-phishing-and-user-compromise/ba-p/4053324

https://abnormalsecurity.com/blog/data-shows-c-suite-receives-42x-more-qr-code-attacks


BEC and VEC Attacks Still Trending Up

Building trust and social engineering are the basis for these attacks with no malware or link to be suspicious of.  Researchers observe BEC attack frequency doubling, while VEC attack frequency is up 50%. 

https://abnormalsecurity.com/blog/bec-vec-attacks


Glupteba’s UEFI Bootkit Exposed

This is an interesting analysis of both the PPI ecosystem and a previously undocumented feature of the Glupteba malware.

https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/


Nations States using SOHO Router Botnets for Stealthy Attacks – Disrupted

First it was China’s Volt Typhoon SOHO router botnet disrupted, now it’s APT 28’s Moobot botnet disrupted.  The lesson here is that IoC’s such as IPs are becoming less useful as the adversary is launching attacks from the same geographical regions and in some cases through SOHO routers to hide malicious intent and location.

https://www.darkreading.com/cyberattacks-data-breaches/doj-breaks-russian-military-botnet-

https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian


Ivanti, Exploitation with New Backdoor Deployed and More

This is getting ridiculous, the SSRF vulnerability is still being exploited and a new DSLog backdoor is being deployed.  But that’s not all, researchers were able to reverse engineer the firmware running on Ivanti pulse secure appliances and found the appliances running on an 11-year-old version of Linux.  Riddled with problems, an unsupported OS, and 111 possible exploits.  Vendors are going to be held to higher standards, as they should be.

https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-flaw-to-deploy-new-dslog-backdoor/

https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html

https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/


Researchers Analyze the Latest Pikabot Version

A bit of a timeline and a detailed analysis of the latest version of Pikbot. 

https://www.zscaler.com/blogs/security-research/d-evolution-pikabot


Researchers Observe a New Bumblebee Campaign

The cybercrime domain is heating up, new versions of malware and new campaigns are springing up left and right (pun intended). 

https://www.bleepingcomputer.com/news/security/bumblebee-malware-attacks-are-back-after-4-month-break/

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black


Roundcube Email Cross-Site Scripting (XSS) Bug Under Active Exploitation

This one, a Winter Vivern (Russians) attack campaign, may not need high attention, but watching the trends is always interesting.  Yesterday’s nation state attack is tomorrow’s commodity attack.  We’ll keep an eye on this one.

https://www.bleepingcomputer.com/news/security/cisa-roundcube-email-server-bug-now-exploited-in-attacks/


New Outlook Remote Code Execution (RCE) Bug

Tracked as CVE-2024-21413, this critical flaw is trivial to exploit according to Microsoft.  The advisory from Microsoft states ‘exploitation unlikely’.

https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21413


Zoom Patches Critical Privilege Escalation Bug

With a CVSS score of 9.6, CVE-2024-24691 was discovered by Zoom, very few details are shared.

https://www.bleepingcomputer.com/news/security/zoom-patches-critical-privilege-elevation-flaw-in-windows-apps/

https://www.zoom.com/en/trust/security-bulletin/ZSB-24008/


Actively Exploited Microsoft Exchange Flaw

Fixed during this month’s patch Tuesday, this privilege escalation bug tracked as CVE-2024-21410 allows for NTLM credential relay attacks.

https://www.bleepingcomputer.com/news/security/microsoft-new-critical-exchange-bug-exploited-as-zero-day/

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410


Qbot Activity Spotted Since December 2023

Researchers are sharing recent Qbot activity, although it seems somewhat inconsistent currently.  Might an attempt as a resurgence.

https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/


MrAgent Tool by RansomHouse Ransomware Gang Automates ESXi Encryption

With ransomware gangs gaining massive resources from many large victim ransoms, creating their own tools, and maintaining them becomes the norm.  This one is no different, automating ESXi encryption and minimizing administrator impact as a bonus.

https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-vmware-esxi-attacks-with-new-mragent-tool/

https://www.trellix.com/blogs/research/ransomhouse-am-see/


Cisco ASA CVE-2020-3259 Under Exploitation by Akira RaaS

Patched long ago, this one was not on the radar until the recent exploitation. 

https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html


Google Chrome Feature Blocks Unsafe Requests to Internal Networks

The jury is still out on this one, appears to be in testing currently.  We’ll have to see how this plays out.

https://www.bleepingcomputer.com/news/google/new-google-chrome-feature-blocks-attacks-against-home-networks/


SolarWinds Fixes Five Bugs in Access Rights Manager

Multiple flaws in Access Rights Manager could lead to remote code execution. 

https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/

https://www.solarwinds.com/trust-center/security-advisories


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by