Cyber Threat Weekly – #15
With 507 cyber news articles, the week of February 26th to March 3rd was moderately heavy on threat trends and adversary behavioral patterns. Let’s start with Russian threat actors targeting cloud infrastructure. Attackers use an unsupported CMS editor to facilitate SEO poisoning.
Major brands’ subdomains hijacked for a massive spam campaign. Domain control was established after a Gootloader infection via SEO poisoning. This isn’t a threat, but a cool open source means to dig into website configuration and security.
Open source and freely available Xeno RAT released on GitHub. Ransomware gangs join ScreenConnect exploitation. Russian threat actors compromise Ubiquiti EdgeRouters. Short-lived takedown: LockBit is back. The Blackcat ransomware gang is evolving its tactics.
Researchers explore cloud lateral movement behavior. Phobos Ransomware Joint Advisory. North Korea’s Lazarus Group gets stealthy. Researchers share a new SAML attack. Why SMS text should not be used for 2FA. Malicious PDF payloads on the rise.
The week in ransomware, always interesting. Major news outlets impersonated with 60+ websites.
Broken Record Alert: Patch Actively Exploited Flaws
Known exploited software bugs are continually abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is vulnerabilities with weaponized proof of concept (PoC) code available. Exploitation is more likely when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should consider what we expose to the Internet. Let’s remove some of the low-hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for February 26th to March 3rd:
CVE-2023-29360 – Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability
Allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.
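The prioritization rule above (KEV first, weaponized PoC second, everything else routine) as an added worked example, not code from the newsletter. The KEV entries and the weaponized-PoC list are constructed samples; the KEV dict mimics the field names of CISA’s known_exploited_vulnerabilities.json feed, and the non-KEV CVE identifiers are placeholders.

```python
from datetime import date, timedelta

# Constructed sample in the layout of the CISA KEV JSON feed ("vulnerabilities" list).
# Dates are sample values, not the feed's real ones.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-29360", "dateAdded": "2024-02-29",
         "dueDate": "2024-03-21", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed: CVEs with public weaponized PoC code (placeholder identifier).
WEAPONIZED_POC = {"CVE-0000-1111"}


def build_kev_index(feed):
    """Map cveID -> KEV entry so membership checks are O(1)."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(host_cves, kev_index, weaponized, today_iso, window_days=2):
    """Rank CVEs: tier 1 = in KEV, tier 2 = weaponized PoC public, tier 3 = routine.
    Tiers 1 and 2 get the emergency deadline (today + window_days, i.e. the 48h process)."""
    emergency = (date.fromisoformat(today_iso) + timedelta(days=window_days)).isoformat()
    rows = []
    for cve in host_cves:
        if cve in kev_index:
            entry = kev_index[cve]
            rows.append({"cve": cve, "tier": 1, "patch_by": emergency,
                         "cisa_due": entry["dueDate"],
                         "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown")})
        elif cve in weaponized:
            rows.append({"cve": cve, "tier": 2, "patch_by": emergency,
                         "cisa_due": None, "ransomware": None})
        else:
            rows.append({"cve": cve, "tier": 3, "patch_by": None,
                         "cisa_due": None, "ransomware": None})
    # Most urgent first; stable alphabetical order inside a tier.
    rows.sort(key=lambda r: (r["tier"], r["cve"]))
    return rows


def emergency_queue(rows):
    """CVEs that belong in the 24-to-48-hour emergency patch process."""
    return [r["cve"] for r in rows if r["tier"] < 3]


if __name__ == "__main__":
    host = ["CVE-0000-2222", "CVE-2023-29360", "CVE-0000-1111"]  # constructed host findings
    for row in triage(host, build_kev_index(KEV_SAMPLE), WEAPONIZED_POC, "2024-03-04"):
        print(row)
```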
Dormant Cloud Accounts Targeted by Russian Threat Actors
As organizations move to the cloud, threat actors adjust their behavior to adapt. In this case, dormant accounts are being abused. We’ve seen this with an over-privileged Microsoft non-production account leading to an embarrassing compromise of executive email accounts. This isn’t just a nation-state threat; criminals are adapting to the cloud as well.
Inventory is critical to understand your weaknesses and be proactive in addressing them.
https://www.securityweek.com/russian-cyberspies-targeting-cloud-infrastructure-via-dormant-accounts/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
14-Year-Old CMS Editor Allows Abuse of Trusted Domains
Technical debt is often abused, and this is a perfect case: taking advantage of university and government domains worldwide to deliver malware via redirects. Inventory goes a long way here to ensure you have the latest and supported software.
Massive Subdomain Hijacking of Major Brands Leads to Spam
Named “SubdoMailing,” this campaign includes over 8,000 legitimate domains and more than 13,000 subdomains used to send millions of emails a day. Threat actors are getting smart: by using typically known-good infrastructure to conduct attacks, they make it more difficult for defenders to find malicious behavior.
We’re seeing this in the use of residential routers as proxies, and of legitimate domains such as GitHub, Discord, Google, Microsoft, and more for malware distribution. Behavior is the battleground; we can no longer rely on legitimate websites, SOHO-based traffic being benign, and other such factors.
SEO Poisoning Leads to Domain Pwnage via Gootloader
The DFIR Report is the gold standard of threat intelligence, this case is no different. A complete walk-through of all activities, timelines, and behaviors for this campaign.
https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
Web Check Open-Source Intelligence for Any Website
If you’re into OSINT, this is a cool tool to add to your toolbox. Dig into any website to understand its configuration and many attributes of the website. Great for looking at your own resources.
https://www.helpnetsecurity.com/2024/02/26/web-check-website-open-source-intelligence/
https://github.com/lissy93/web-check
Xeno RAT Observed in the Wild
Open source and freely available Xeno RAT observed being disseminated via the Discord content delivery network. Features include hidden virtual network computing (hVNC), a SOCKS5 reverse proxy, a codebase built completely from scratch, continual updates, and more.
https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.html
https://github.com/moom825/xeno-rat
https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/
ScreenConnect Flaws Targeted by Black Basta and Bloody Ransomware Gangs
Widespread exploitation continues with new threat actors entering the fray. After initial access, post-exploitation behavior commences.
Joint Advisory – Ubiquiti EdgeRouters Abused to Facilitate Malicious Operations
Threat actors tracked as APT28 are using compromised routers for nefarious activities. This Joint Advisory provides an overview of the activities and mitigations.
https://www.ic3.gov/Media/News/2024/240227.pdf
LockBit is Back with New Infrastructure
Let’s hope this is an attempt to come back that fails. LockBit has significant resources; if they can come back to their original strength, they’ll be a formidable foe. Lessons learned will help them harden their processes and infrastructure, making another takedown much more difficult.
Joint Advisory – Blackcat Ransomware Gang’s Evolving Behavior
The gang and its affiliates have honed their social engineering skills to gain initial access. Once they have a foothold, post-exploitation behavior begins with lateral movement. Their updated ransomware 2.0 Sphynx release is cross-platform for Windows, Linux, and VMware.
https://thecyberexpress.com/cisa-fbi-hhs-update-advisory-alphv-blackcat/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
Cloud Lateral Movement Behavior
This is a great primer to understand cloud lateral movement: APIs and credentials are the keys to the kingdom, and misconfigurations can lead to compromise.
https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
Joint Advisory – Phobos Ransomware
First emerging in 2019, Phobos ransomware is a prolific RaaS operation with several variants.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
Lazarus Group Exploited Zero-Day to Gain System Privileges
This is interesting: gaining system privileges to install their rootkit. There is a lot to unpack; here are a few links.
https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
Silver SAML Attack Disclosed
We knew about Golden SAML long before it was abused in the SolarWinds attack campaign. Researchers are sharing a new SAML attack; it’s worth noting and understanding.
https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html
https://www.semperis.com/blog/meet-silver-saml/
Database Leaked 2FA SMS Text Codes
SMS text messages can be sent by email, travel in the clear, and are not very secure. Now a leaky database has exposed millions of 2FA codes.
https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/
A Rise in Malicious PDF Payloads Observed by Researchers
Researchers see a trend in malware delivered through non-Portable Executable (non-PE) file types. PDF file payloads have spiked, leading to multistep attack chains.
The Week in Ransomware – February 25th to March 1st
The relentless attacks on healthcare continue, and there is lots happening on the ransomware scene.
Content Farm Impersonating 60+ News Websites
The websites appear to be from a proprietor in India, reposting articles from credible organizations without attribution.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter