Skip to content

Cyber Threat Weekly – #15

Derek Krein
5 min read

With 507 cyber news articles, the week of February 26th to March 3rd was moderately heavy on threat trends and adversary behavioral patterns.  Let’s start with Russian threat actors target cloud infrastructure.  Attackers use unsupported CMS editor to facilitate SEO poisoning. 

Major brands subdomains hijacked for massive spam campaign.   Domain control was established after Gootloader infection via SEO poisoning.  This isn’t a threat, but a cool open source means to dig into website configuration and security.

Open source and freely available Xeno RAT released on GitHub.  Ransomware gangs join ScreenConnect exploitation.  Russian threat actors compromise Ubiquiti EdgeRouters.  Short lived take down, LockBit is back.  Blackcat ransomware gang is evolving their tactics.

Researchers explore cloud lateral movement behavior.  Phobos Ransomware Joint Advisory.  North Korea’s Lazarus Group gets stealthy.  Researchers share a new SAML attack.  Why SMS text should not be used for 2FA.  Malicious PDF payloads on the rise.

The week in ransomware, always interesting.  Major news outlets impersonated with 60+ websites. 


Broken Record Alert:  Patch Actively Exploited Flaws

Known exploited software bugs are continually abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for February 26th to March 3rd:

CVE-2023-29360 – Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability
Allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.


Dormant Cloud Accounts Targeted by Russian Threat Actors

As organizations take to the cloud, threat actors adjust behavior to adapt.  In this case, dormant accounts are being abused.  We’ve seen this with a Microsoft non-production account, over privileged, leading to an embarrassing compromise of executive email accounts.  This isn’t just a nation state threat, criminals are adapting to the cloud as well.

Inventory is critical to understand your weaknesses and be proactive in addressing them.

https://www.securityweek.com/russian-cyberspies-targeting-cloud-infrastructure-via-dormant-accounts/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a


14-Year-Old CMS Editor Allows Abuse of Trusted Domains

Technical debt is often abused, this is a perfect case.  Taking advantage of university and government domains worldwide to deliver malware via redirects.  Inventory goes a long way here to ensure you have the latest and supported software.

https://www.bleepingcomputer.com/news/security/hackers-exploit-14-year-old-cms-editor-on-govt-edu-sites-for-seo-poisoning/


Massive Subdomain Hijacking of Major Brands Leads to Spam

Named “SubdoMailing” this campaign includes over 8,000 legitimate domains and greater than 13,000 subdomains used to send millions of emails a day.  Threat actors are getting smart, but using typically known good infrastructure to conduct attacks, it is more difficult for defenders to find malicious behavior.

We’re seeing this in the use of residential routers as proxies, legitimate domains such as GitHub, discord, Google, Microsoft, and more for malware distribution.  Behavior is the battle ground; we can no longer rely on legitimate websites, SOHO based traffic being benign, and other factors.

https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/

https://labs.guard.io/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935


SEO Poisoning Leads to Domain Pawnage via Gootloader

The DFIR Report is the gold standard of threat intelligence, this case is no different.  A complete walk-through of all activities, timelines, and behaviors for this campaign. 

https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/


Web Check Open-Source Intelligence for Any Website

If you’re into OSINT, this is a cool tool to add to your toolbox.  Dig into any website to understand its configuration and many attributes of the website.  Great for looking at your own resources.

https://www.helpnetsecurity.com/2024/02/26/web-check-website-open-source-intelligence/

https://github.com/lissy93/web-check


Xeno RAT Observed in the Wild

Open source and freely available Xeno RAT observed disseminated via Discord content delivery network.  Features include hidden virtual network computing, Socks5 reverse proxy, built completely from scratch, continually updated, and more.

https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.html

https://github.com/moom825/xeno-rat

https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/


ScreenConnect Flaws Targeted by Black Basta and Bloody Ransomware Gangs

Widespread exploitation continues with new threat actors entering the fray.  After initial access, post exploitation behavior commences.

https://www.bleepingcomputer.com/news/security/black-basta-bl00dy-ransomware-gangs-join-screenconnect-attacks/

https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html


Joint Advisory – Ubiquti EdgeRouters Abused to Facilitate Malicious Operations

Threat actors tracked as APT28 are using compromised routers for nefarious activities.  This Joint Advisory provides an overview of activities and mitigations.

https://www.bleepingcomputer.com/news/security/russian-hackers-hijack-ubiquiti-routers-to-launch-stealthy-attacks/

https://www.ic3.gov/Media/News/2024/240227.pdf


LockBit is Back with New Infrastructure

Let’s hope this is an attempt to come back that fails.  LockBit has significant resources, if they can come back to their original strength, they’ll be a formidable foe.  Lessons learned will help them harden their processes and infrastructure, making another takedown much more difficult.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/


Joint Advisory – Blackcat Ransomware Gang’s Evolving Behavior

The gang and affiliates have honed their social engineering skills to gain initial access.  Once they have a foothold, post exploitation behavior begins to move laterally.  Their updated ransomware 2.0 Sphynx update is cross platform for windows, Linux, and VMware.

https://thecyberexpress.com/cisa-fbi-hhs-update-advisory-alphv-blackcat/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a


Cloud Lateral Movement Behavior

This is a great primer to understand cloud lateral movement, API’s and credentials are the keys to the kingdom.  Misconfigurations can lead to compromise.

https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/


Joint Advisory – Phobos Ransomware

First emerging in 2019, Phobos ransomware is a prolific RaaS service with several variants. 

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a


Lazarus Group Exploited Zero-Day to Gain System Privileges

This is interesting, gaining system privileges to install their rootkit.  There is a lot to unpack, here are a few links.

https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html

https://www.bleepingcomputer.com/news/security/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august/

https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338


Silver SAML Attack Disclosed

We knew about Golden SAML long before it was abused in the SolarWinds attack campaign.  Researchers are sharing a new SAML attack, it’s worth noting and understanding.

https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html

https://www.semperis.com/blog/meet-silver-saml/


Database Leaked 2FA SMS Text Codes

SMS text messages can be sent by email, are in the clear, and not very secure.  Now a leaky database exposed millions of 2FA codes.

https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/


A Rise in Malicious PDF Payloads Observed by Researchers

Researchers see a trend in malware delivered through non-portable executable means.  PDF file payloads have spiked, leading to multistep attack chains. 

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-the-gateway-to-malicious-payloads/


The Week in Ransomware – Februsary 25th to March 1st

The relentless attack on healthcare continues and lots happening on the ransomware scene.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-1st-2024-healthcare-under-siege/


Content Farm Impersonating 60+ News Websites

The websites appear to be from a proprietor in India, reposting articles from credible organizations without attribution.

https://www.bleepingcomputer.com/news/security/news-farm-impersonates-60-plus-major-outlets-bbc-cnn-cnbc-guardian/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #52

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing. An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo

Members Public

Cyber Threat Weekly – #51

The week of November 4th through November 10th, 330 cyber news articles were reviewed.  The feed list has been adjusted, so the number of articles should be mostly lower.  Let’s start with threat actors using Zip file concatenation technique. Cybercriminals abuse emergency data requests (EDRs) with compromised credentials.  AWS

Members Public

Cyber Threat Weekly – #50

The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with a newer ransomware group targeting FreeBSD servers. Publicly disclosed exploit code used to exploit Microsoft SharePoint flaw.