Cyber Threat Weekly – #14
With 458 cyber threat news articles, the week of February 19th to the 25th was relatively light on threat trends and adversary behavior news. Let’s start with a carryover from last week: over 28,000 Exchange servers remain vulnerable to a now-patched bug.
The Bricks WordPress theme is under active exploitation. Researchers share an incident response report, and IBM shares a threat intelligence report; there is some correlation between the two. Two critical bugs are under active exploitation.
An open-source worm steals SSH keys post-exploitation. Some highlights from CrowdStrike’s Global Threat Report. A pretty good primer on DLL side-loading.
Broken Record Alert: N-day bugs are killing us!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize by starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is vulnerabilities with weaponized proof of concept (PoC) code available. Exploitation is more likely when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should also consider what we expose to the Internet, and remove some of the low-hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for February 19th to February 25th:
CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass Vulnerability
Allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.
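The prioritization the newsletter describes (KEV first, weaponized PoC second, everything else after, with Internet-exposed assets first inside each tier and an emergency 24-to-48-hour window for the top tier) is easy to turn into a repeatable triage step. The script below is an added example, not code from the newsletter or from CISA. CVE-2024-1709 is the KEV entry listed above; the other CVE identifiers, the assets, the CVSS values and the SLA hours are constructed placeholders and assumed policy choices.

```python
"""Added example: rank vulnerability findings into patching tiers.
Tier 1 = listed in the CISA KEV catalog, tier 2 = weaponized PoC
publicly available, tier 3 = everything else. Inside a tier,
Internet-exposed assets come first, then higher CVSS. The reference
sets, SLAs and sample findings are assumptions, not data from the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool


# CVE-2024-1709 is the KEV entry from the newsletter. The other identifiers
# are constructed placeholders, not real vulnerability references.
KEV_CVES = {"CVE-2024-1709"}
WEAPONIZED_POC_CVES = {"CVE-EXAMPLE-0002"}

# Assumed remediation SLAs in hours, keyed by (tier, internet_exposed).
# Tier 1 uses the newsletter's emergency 24-to-48-hour window; the rest is
# an assumed normal cadence.
SLA_HOURS = {
    (1, True): 24,
    (1, False): 48,
    (2, True): 48,
    (2, False): 48,
    (3, True): 7 * 24,
    (3, False): 30 * 24,
}


def tier_of(cve: str, kev=KEV_CVES, poc=WEAPONIZED_POC_CVES) -> int:
    """1 = known exploited, 2 = weaponized PoC available, 3 = everything else."""
    if cve in kev:
        return 1
    if cve in poc:
        return 2
    return 3


def triage(findings, now=None, kev=KEV_CVES, poc=WEAPONIZED_POC_CVES):
    """Return findings as dicts sorted by tier, exposure and CVSS, each with
    a due date computed from the assumed SLA table."""
    now = now or datetime(2024, 2, 26)  # constructed reference time
    rows = []
    for f in findings:
        t = tier_of(f.cve, kev, poc)
        rows.append({
            "cve": f.cve,
            "asset": f.asset,
            "tier": t,
            "exposed": f.internet_exposed,
            "cvss": f.cvss,
            "due": now + timedelta(hours=SLA_HOURS[(t, f.internet_exposed)]),
        })
    # Lower tier first, exposed before internal, higher CVSS first.
    rows.sort(key=lambda r: (r["tier"], not r["exposed"], -r["cvss"]))
    return rows


# Constructed sample scanner output; CVSS values are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0003", "hr-app-01", 9.8, False),        # high CVSS, no known exploitation
    Finding("CVE-EXAMPLE-0002", "vpn-gw-01", 7.5, True),         # weaponized PoC, exposed
    Finding("CVE-2024-1709", "screenconnect-01", 10.0, True),    # KEV, exposed
    Finding("CVE-2024-1709", "screenconnect-lab", 10.0, False),  # KEV, internal
    Finding("CVE-EXAMPLE-0004", "intranet-wiki", 5.3, False),    # routine finding
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f"T{r['tier']} {r['cve']:18} {r['asset']:18} "
              f"exposed={str(r['exposed']):5} due={r['due']:%Y-%m-%d %H:%M}")
```

The point of the ordering key is that a CVSS 9.8 finding with no known exploitation lands below a CVSS 7.5 finding that has weaponized PoC code, which is the inversion most scanner dashboards get wrong. Feed it your real KEV feed and PoC-tracking source instead of the constructed sets.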
Now Patched Zero-day Bug Affects Over 28,000 Exchange Servers
Just a reminder: Exchange is a prolific target, and many threat actors love to abuse it. This now-patched bug can be used to perform NTLM relay attacks. Patching priority matters; actively exploited bugs should be priority 1.
WordPress Theme from Bricks Actively Exploited
The key here is the time to exploitation of the known flaw. A patch was released on February 13th; active exploitation started on February 14th. We continue to see the time gap decrease and velocity increase. This sucks for defenders.
https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html
Palo Alto Unit 42 Incident Response Report
It may seem like we can put our guard down, but just because you haven’t seen an incident in a while doesn’t mean the adversary isn’t busy. This isn’t FUD; it’s the reality of doing business on the Internet. Watching threat trends and behavioral patterns, and applying defenses against the most prolific ones, is a prudent defensive action. You don’t want to get caught in the snare; getting breached sucks.
Things are changing a bit; this is one view from a response team. We’re going to correlate several of these reports and look at the most prolific trends and behaviors across multiple vendors.
https://unit42.paloaltonetworks.com/unit42-incident-response-report-2024-threat-guide/
IBM Threat Intelligence Report
Interestingly, both reports share that legitimate credential abuse is up. IBM saw a 266% increase in infostealer usage.
https://www.cybersecuritydive.com/news/ibm-valid-account-credential-attacks/708022/
https://www.ibm.com/downloads/cas/L0GKXDWJ
ScreenConnect Bugs Under Active Exploitation
Two critical flaws were disclosed by the vendor and under exploitation the next day. Again, note the timing and speed to exploitation. Defenders have precious little time if affected; the adversary is speeding up.
Open Source SSH-Snake Worm Actively Used
This tool maps a network and moves laterally using SSH keys found on a victim machine. Released on January 4, 2024, it has already been used in the wild by a threat actor. The author released an article describing the tool, and Sysdig did a breakdown.
https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/
https://sysdig.com/blog/ssh-snake/
https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph
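Because the worm moves by reusing keys it finds, the behaviour a defender can look for in centralized sshd logs is a single source address authenticating by public key to many distinct hosts in a short window. The detection below is an added example written for this newsletter, not code from Sysdig, the tool author, or the newsletter itself; the auth log lines, hosts, addresses and thresholds are constructed, and the log year is assumed because syslog timestamps omit it.

```python
"""Added example: flag SSH public-key login fan-out from one source address
across many hosts in a short window, a pattern consistent with key-based
lateral movement. Sample log lines, hosts and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the standard sshd "Accepted publickey" line as it appears once
# hosts forward syslog to a central collector (the hostname field is the
# destination the login landed on).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, dest_host, user, src_ip) or None for other lines.
    The year is assumed; syslog timestamps do not carry it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["src"]


def detect_fanout(lines, window=timedelta(minutes=10), min_hosts=3):
    """One alert per source address that reaches >= min_hosts distinct
    destinations by public key inside any sliding window of length `window`.
    Returns a list of (src_ip, window_start, sorted_dest_hosts)."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    by_src = defaultdict(list)
    for ts, host, user, src in events:
        by_src[src].append((ts, host, user))

    alerts = []
    for src, evs in by_src.items():
        for i, (t0, _, _) in enumerate(evs):
            hosts = {h for t, h, _ in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, t0, sorted(hosts)))
                break  # first qualifying window is enough for one alert
    return alerts


# Constructed sample: 10.0.0.5 lands on four hosts in about two minutes,
# while 10.0.0.9 is an admin using a bastion twice over an hour.
SAMPLE_LOG = """\
Feb 24 10:01:02 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:CONSTRUCTED1
Feb 24 10:01:40 web2 sshd[2389]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: RSA SHA256:CONSTRUCTED1
Feb 24 10:02:15 db1 sshd[911]: Accepted publickey for root from 10.0.0.5 port 51251 ssh2: RSA SHA256:CONSTRUCTED2
Feb 24 10:03:05 build1 sshd[4102]: Accepted publickey for jenkins from 10.0.0.5 port 51266 ssh2: RSA SHA256:CONSTRUCTED1
Feb 24 09:15:00 bastion sshd[777]: Accepted publickey for alice from 10.0.0.9 port 40001 ssh2: ED25519 SHA256:CONSTRUCTED3
Feb 24 10:30:00 bastion sshd[790]: Accepted publickey for alice from 10.0.0.9 port 40002 ssh2: ED25519 SHA256:CONSTRUCTED3
Feb 24 10:20:00 web1 sshd[2300]: Failed password for invalid user admin from 10.0.0.5 port 51300 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, start, hosts in detect_fanout(SAMPLE_LOG):
        print(f"ALERT {src} reached {len(hosts)} hosts from {start:%H:%M:%S}: {', '.join(hosts)}")
```

Tune `window` and `min_hosts` against your own baseline; configuration management and deployment hosts legitimately fan out, so allow-list them by source address or by the user field rather than loosening the threshold for everyone. The failed-password line is included to show that only successful public-key logins are counted.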
CrowdStrike’s Global Threat Report Highlights
Correlations between multiple vendors are always a good thing. CrowdStrike noticed the heavy abuse of legitimate credentials as well, along with an increase in hands-on-keyboard, interactive, malware-free attack campaigns. We’ll cover more about persistent threats and what we’re up against in an upcoming article.
https://www.csoonline.com/article/1309268/identity-hacking-saw-sharp-rise-2023.html
https://www.crowdstrike.com/global-threat-report/
Unit 42 Shares an Analysis of DLL Side Loading Techniques
Real-world examples and analysis of DLL side-loading. This is an interesting read.
https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter