Skip to content

Cyber Threat Weekly – #16

Derek Krein
7 min read

The week of March 4th through March 10th was a bit light with 456 cyber news articles combed through.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with cybercriminals observed switching TTPs quickly to maintain effectiveness.

Web browser credential dumping is picking up steam.  Bring your own vulnerable drive (BYOVD) is still sought after by threat actors.  ToddlerShark malware dropped via ScreenConnect bug exploitation.  TeamCity bug exploit code now available.  Critical VMware bugs.

Ransomware clowns combining into an a$$clown posse.  Fake meeting software websites used to deliver malware.  Legit tools used in attack campaigns is normal, QEMU used for tunneling traffic, stealthy.  Newer RA World ransomware clowns abuse GPOs in attacks.

Two Apple zero-days fixed; Apple is a much bigger target these days.  The NSA releases zero-trust guidance, it’s not bad.  The art and science of social engineering.  Analysis of a BlackCat attack campaign.  Russian threat actors stole Microsoft source code.

Confluence under active exploitation with web shells dropped.  QNAP discloses critical auth bypass bug.  Critical flaw impacting FortiOS and FortiProxy.  The week in ransomware March 4th to March 8th.  Muddled Libra threat group analysis.

Ransomware Tracker, March 2024.  This one is different, not a threat, but a different take on the security industry from a disgruntled infosec worker.


Broken Record Alert:  Please Patch N-day bugs!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what we expose to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for March 4th to March 10th:

CVE-2024-21338 – Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control
Allows a local attacker to achieve privilege escalation.

CVE-2023-21237 – Android Pixel Information Disclosure Vulnerability
Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information.

CVE-2021-36380 – Sunhillo SureLine OS Command Injection Vulnerablity
Allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.

CVE-2024-23225 – Apple Multiple Products Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

CVE-2024-23296 – Apple Multiple Products Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

CVE-2024-27198 – JetBrains TeamCity Authentication Bypass Vulnerability
Allows an attacker to perform admin actions.


Researchers Observe TA577 Quickly Adapting TTPs

This threat actor is believed to be an initial access broker and a major Qbot affiliate before takedown.  Recently switching to PikaBot, now utilizing an entirely new attack chain never observed by this threat actor.  Using thread hijacking and delivering a .zip file with an HTML payload to steal NTLM credentials.

https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/

https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft


Stored Web Browser Credentials Targeted

Infostealers and other malware targeting various credentials and cookies stored in web browsers.  This trend is becoming more prolific, used by nation states and cybercriminals.  We need to get a handle on this, the problem is growing. 

https://www.bankinfosecurity.com/alert-info-stealers-target-stored-browser-credentials-a-24490

https://www.reliaquest.com/blog/browser-credential-dumping/


Kernal Level Privileges Via BYOVD

BYOVD is sought after, simple kits are sold on the dark web bringing sophisticated capabilities to the masses.

https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/


ToddlerShark Malware Delivered via ScreenConnect Flaw

Exploited by ransomware gangs and now state-sponsored actors for probable espionage campaigns.  Kimsuky, a North-Korean nation state threat actor, is dropping polymorphic malware to remain stealthy.

https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddlershark-malware/

https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark


Exploit Code Released for Critical TeamCity Flaw

JetBrains released an update fixing two bugs.  With exploit code now available, chances are high active exploitation will begin.  We see this every week, n-day vulnerabilities abused a day after exploit code is released.

https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/

https://therecord.media/jet-brains-advisory-teamcity-vulnerabilities

https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/


Critical VMware Sandbox Escape Bug

Four critical flaws disclosed, one leading to sandbox escape.  ESXi is targeted by ransomware clowns and nation states, these are bugs you want to patch.

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-sandbox-escape-flaws-in-esxi-workstation-and-fusion/

https://www.vmware.com/security/advisories/VMSA-2024-0006.html


GhostSec’s A$$ Clown Posse and GhostLocker 2.0

Launching a RaaS offering called STMX_GhostLocker as Stormous and GhostSec jointly conduct double extortion attack campaigns and combine.  They a new leak site, Stmx_GhostLocker blog.  In addition, these criminal clowns announced the formation of five families, growing the a$$ clown posse even more.

https://www.darkreading.com/cyberattacks-data-breaches/ghostlocker-two-threatens-businesses-across-middle-east-africa-asia

https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/


Fake Skype, Zoom, and Google Meet Websites Spew Malware

Remote Access Trojans (RATs) such as SpyNote, NjRAT and DCRat spread through fake meeting app websites.  Social engineering is constant, pay attention to the details.

https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures


QEMU Used to Fly Under the Radar

A hypervisor and free emulator, QEMU was used for command-and-control traffic.  Using a pivot device to connect to an internal device with no Internet access, then using QEMU from the pivot device with Internet access, the threat actor was able to fly under the radar.  The adversary is getting creative with their use of legitimate tools for attack campaigns.

https://www.bleepingcomputer.com/news/security/hackers-abuse-qemu-to-covertly-tunnel-network-traffic-in-cyberattacks/

https://securelist.com/network-tunneling-with-qemu/111803/


Ransomware Clowns RA World Abusing GPOs in Attacks

Abusing GPOs is not new, this multi-stage attack chain is interesting.  Living off the land is sometimes tough to detect. 

https://www.trendmicro.com/en_ae/research/24/c/multistage-ra-world-ransomware.html


Emergency Fixes Released by Apple for Two Zero-Days

Affected devices include: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.  Fixes released include iOS 17.4, iPadOS 17.4. 

https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-exploited-in-attacks-on-iphones/

https://support.apple.com/en-us/HT214081


NSA Zero-Trust Guidance

Post exploitation behavior and lateral movement is the battle ground today.  Most attack campaigns today are fileless, making prevention and detection difficult.  Breaking your environments into smaller segments with optimal identity and access management to minimize lateral movement is critical.  This is a good methodology guide.

https://www.bleepingcomputer.com/news/security/nsa-shares-zero-trust-guidance-to-limit-adversaries-on-the-network/

https://media.defense.gov/2024/Mar/05/2003405462/-1/-1/0/CSI-ZERO-TRUST-NETWORK-ENVIRONMENT-PILLAR.PDF


Abusing Trust – Social Engineering

The art and science of deception and abusing the trust factor.  Business email compromise is especially abusive.  The Dark Reading article is high level, the Microsoft article digs a bit deeper into some of the science.

https://www.darkreading.com/cyberattacks-data-breaches/the-rise-of-social-engineering-fraud-in-business-email-compromise

https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/feeding-from-the-trust-economy-social-engineering-fraud/


BlackCat Ransomware Attack Campaign

This is a nice walk-through of an attack campaign that lasted about 30 days.  Ransomware affiliates are persistent threats, we’ll drop a blog post about persistent threats and ransomware economics soon.

https://www.sygnia.co/blog/blackcat-ransomware/


Midnight Blizzard (Apt 29) Accessed Microsoft Source Code Repositories

Using secrets found in stolen data, Russian threat actors are access systems and source code repositories, says Microsoft.  This sucks, stolen emails containing secrets, including some customers whose secrets were exposed in stolen emails.  Russians are also ramping up password spray attacks against targeted systems.

https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/

https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/


Confluence Exploit Drops In-Memory Web Shells

Multiple exploits are available for CVE-2023-22527, one is using novel techniques to drop Godzilla web shells in memory after exploitation. 

https://www.darkreading.com/application-security/stealth-bomber-atlassian-confluence-exploits-drop-web-shells-in-memory

https://vulncheck.com/blog/confluence-dreams-of-shells


Critical Auth Bypass Flaw in QNAP NAS Devices

Three flaws were disclosed, one being low complexity, remote unauthorized user access.  These types of devices should not be exposed to the Internet, but even locally hosted present a risk if an attacker has a foothold in your environment. 

https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-auth-bypass-flaw-in-its-nas-devices/

https://www.qnap.com/en/security-advisory/qsa-24-09


Critical FortiOS and FortiProxy Bug Actively Exploited

Nearly a month after disclosure it appears around 150,000 devices are still susceptible to the flaw.  BishopFox released a python script to verify if you are vulnerable.  There are mitigations available, this may not be a completely accurate number.

https://www.bleepingcomputer.com/news/security/critical-fortinet-flaw-may-impact-150-000-exposed-devices/

https://github.com/BishopFox/cve-2024-21762-check


March 4th to March 8th – The Week in Ransomware

These are always interesting and worth a read.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-8th-2024-waiting-for-the-blackcat-rebrand/


Muddled Libra Shifting Behavior - Assessment

This is a good analysis of Muddled Libra.  They are a sophisticated threat group.  They perform consistent persistent threat characteristics.  This one is worth a read, many threat actors are performing the same post exploitation behavior.

https://unit42.paloaltonetworks.com/muddled-libra/


Ransomware Tracker – March 2024

This is a monthly tracker of ransomware statistics.

https://therecord.media/ransomware-tracker-the-latest-figures


CrankySec – Disgruntled InfoSec Worker (Mature Audience – Language)

I find this a bit humorous, thought I would share, it’s not for everyone.  She makes some good points, IMHO, but  not the best way to showcase her view.

https://crankysec.com/blog/gap/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8