Skip to content

Cyber Threat Weekly – #14

Derek Krein
3 min read

With 458 cyber threat news articles, the week of February 19th to the 25th was relatively light in threat trends and adversary behavior news.  Let’s start with a carryover from last week, over 28,000 exchange servers vulnerable to now patched bug.

Bricks WordPress theme under active exploitation.  Researchers share an incident response report.  Another threat intelligence report shared by IBM, there is some correlation between the two.  Critical bugs, two, under active exploitation.

Open-source worm steals SSH keys, post exploitation.  Some highlights from CrowdStrike’s Global Threat Report.  A pretty good primer on DLL side loading.


Broken Record Alert:  N-day bugs are killing us!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for February 19th to February 25th:

CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass Vulnerability
Allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.


Now Patched Zero-day Bug Affects Over 28,000 Exchange Servers

Just a reminder, exchange is a prolific target, many threat actors love to abuse it.  This now patched bug can be used to perform NTLM relay attacks.  Patching priority matters, actively exploited bugs should be priority 1.

https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers-vulnerable-to-actively-exploited-bug/


WordPress Theme from Bricks Actively Exploited

The key here is time to exploit the known flaw.  A patch was released on February 13th, active exploitation started on February 14th.  We continue to see the time gap decrease and velocity increase.  This sucks for defenders.

https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html


Palo Alto Unit 42 Incident Response Report

It may seem like we can put our guard down, but just because you haven’t seen an incident in a while, doesn’t mean the adversary isn’t busy.  This isn’t FUD, it’s the reality of doing business on the Internet.  Watching the threat trends / behavioral patterns and applying defenses against the most prolific trends and behavior is a prudent defensive action.  You don’t want to get caught in the snare, getting breached sucks.

Things are changing a bit; this is one view from a response team.  We’re going to correlate several of these and look at the most prolific trends and behaviors across multiple vendors.

https://unit42.paloaltonetworks.com/unit42-incident-response-report-2024-threat-guide/

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2024-unit42-incident-response-report.pdf


IBM Threat Intelligence Report

Interestingly, both reports share that legitimate credential abuse is up.  IBM saw a 266% increase in infostealer usage.  

https://www.cybersecuritydive.com/news/ibm-valid-account-credential-attacks/708022/

https://www.ibm.com/downloads/cas/L0GKXDWJ


ScreenConnect Bugs Under Active Exploitation

Two critical flaws released by vendor, under exploit the next day.  Again, with the timing and speed to exploitation.  Defenders have precious little time if affected, the adversary is speeding up.

https://www.bleepingcomputer.com/news/security/screenconnect-critical-bug-now-under-attack-as-exploit-code-emerges/

https://www.darkreading.com/remote-workforce/connectwise-screenconnect-mass-exploitation-delivers-ransomware


Open Source SSH-Snake Worm Actively Used

This tool maps a network and laterally moves using SSH keys found on a victim machine.  Already used in the wild by a threat actor, released on January 4,2024.  The author released an article describing the tool and Sysdig did a breakdown.
https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/

https://sysdig.com/blog/ssh-snake/

https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph


CrowdStrike’s Global Threat Report Highlights

Correlations between multiple vendors are always a good thing.  CrowdStrike noticed the heavy abuse of legitimate credentials as well.  Also, an increase in hands-on-keyboard interactive malware-free attack campaigns.  We’ll cover more about persistent threats and what were up against in an upcoming article.

https://www.csoonline.com/article/1309268/identity-hacking-saw-sharp-rise-2023.html

https://www.crowdstrike.com/global-threat-report/


Unit 42 Shares an Analysis of DLL Side Loading Techniques

Real world examples and analysis of DLL side loading.  This is an interesting read.

https://unit42.paloaltonetworks.com/dll-hijacking-techniques/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by