Cyber Threat Weekly – #16
The week of March 4th through March 10th was a bit light with 456 cyber news articles combed through. Still a decent amount of cyber threat trend and adversarial behavior news. Let’s start with cybercriminals observed switching TTPs quickly to maintain effectiveness.
Web browser credential dumping is picking up steam. Bring your own vulnerable drive (BYOVD) is still sought after by threat actors. ToddlerShark malware dropped via ScreenConnect bug exploitation. TeamCity bug exploit code now available. Critical VMware bugs.
Ransomware clowns combining into an a$$clown posse. Fake meeting software websites used to deliver malware. Legit tools used in attack campaigns is normal, QEMU used for tunneling traffic, stealthy. Newer RA World ransomware clowns abuse GPOs in attacks.
Two Apple zero-days fixed; Apple is a much bigger target these days. The NSA releases zero-trust guidance, it’s not bad. The art and science of social engineering. Analysis of a BlackCat attack campaign. Russian threat actors stole Microsoft source code.
Confluence under active exploitation with web shells dropped. QNAP discloses critical auth bypass bug. Critical flaw impacting FortiOS and FortiProxy. The week in ransomware March 4th to March 8th. Muddled Libra threat group analysis.
Ransomware Tracker, March 2024. This one is different, not a threat, but a different take on the security industry from a disgruntled infosec worker.
Broken Record Alert: Please Patch N-day bugs!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
We should consider what we expose to the Internet. Let’s remove some of the low hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for March 4th to March 10th:
CVE-2024-21338 – Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control
Allows a local attacker to achieve privilege escalation.
CVE-2023-21237 – Android Pixel Information Disclosure Vulnerability
Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information.
CVE-2021-36380 – Sunhillo SureLine OS Command Injection Vulnerablity
Allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.
CVE-2024-23225 – Apple Multiple Products Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
CVE-2024-23296 – Apple Multiple Products Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
CVE-2024-27198 – JetBrains TeamCity Authentication Bypass Vulnerability
Allows an attacker to perform admin actions.
Researchers Observe TA577 Quickly Adapting TTPs
This threat actor is believed to be an initial access broker and a major Qbot affiliate before takedown. Recently switching to PikaBot, now utilizing an entirely new attack chain never observed by this threat actor. Using thread hijacking and delivering a .zip file with an HTML payload to steal NTLM credentials.
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
Stored Web Browser Credentials Targeted
Infostealers and other malware targeting various credentials and cookies stored in web browsers. This trend is becoming more prolific, used by nation states and cybercriminals. We need to get a handle on this, the problem is growing.
https://www.bankinfosecurity.com/alert-info-stealers-target-stored-browser-credentials-a-24490
https://www.reliaquest.com/blog/browser-credential-dumping/
Kernal Level Privileges Via BYOVD
BYOVD is sought after, simple kits are sold on the dark web bringing sophisticated capabilities to the masses.
ToddlerShark Malware Delivered via ScreenConnect Flaw
Exploited by ransomware gangs and now state-sponsored actors for probable espionage campaigns. Kimsuky, a North-Korean nation state threat actor, is dropping polymorphic malware to remain stealthy.
Exploit Code Released for Critical TeamCity Flaw
JetBrains released an update fixing two bugs. With exploit code now available, chances are high active exploitation will begin. We see this every week, n-day vulnerabilities abused a day after exploit code is released.
https://therecord.media/jet-brains-advisory-teamcity-vulnerabilities
Critical VMware Sandbox Escape Bug
Four critical flaws disclosed, one leading to sandbox escape. ESXi is targeted by ransomware clowns and nation states, these are bugs you want to patch.
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
GhostSec’s A$$ Clown Posse and GhostLocker 2.0
Launching a RaaS offering called STMX_GhostLocker as Stormous and GhostSec jointly conduct double extortion attack campaigns and combine. They a new leak site, Stmx_GhostLocker blog. In addition, these criminal clowns announced the formation of five families, growing the a$$ clown posse even more.
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
Fake Skype, Zoom, and Google Meet Websites Spew Malware
Remote Access Trojans (RATs) such as SpyNote, NjRAT and DCRat spread through fake meeting app websites. Social engineering is constant, pay attention to the details.
QEMU Used to Fly Under the Radar
A hypervisor and free emulator, QEMU was used for command-and-control traffic. Using a pivot device to connect to an internal device with no Internet access, then using QEMU from the pivot device with Internet access, the threat actor was able to fly under the radar. The adversary is getting creative with their use of legitimate tools for attack campaigns.
https://securelist.com/network-tunneling-with-qemu/111803/
Ransomware Clowns RA World Abusing GPOs in Attacks
Abusing GPOs is not new, this multi-stage attack chain is interesting. Living off the land is sometimes tough to detect.
https://www.trendmicro.com/en_ae/research/24/c/multistage-ra-world-ransomware.html
Emergency Fixes Released by Apple for Two Zero-Days
Affected devices include: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. Fixes released include iOS 17.4, iPadOS 17.4.
https://support.apple.com/en-us/HT214081
NSA Zero-Trust Guidance
Post exploitation behavior and lateral movement is the battle ground today. Most attack campaigns today are fileless, making prevention and detection difficult. Breaking your environments into smaller segments with optimal identity and access management to minimize lateral movement is critical. This is a good methodology guide.
Abusing Trust – Social Engineering
The art and science of deception and abusing the trust factor. Business email compromise is especially abusive. The Dark Reading article is high level, the Microsoft article digs a bit deeper into some of the science.
BlackCat Ransomware Attack Campaign
This is a nice walk-through of an attack campaign that lasted about 30 days. Ransomware affiliates are persistent threats, we’ll drop a blog post about persistent threats and ransomware economics soon.
https://www.sygnia.co/blog/blackcat-ransomware/
Midnight Blizzard (Apt 29) Accessed Microsoft Source Code Repositories
Using secrets found in stolen data, Russian threat actors are access systems and source code repositories, says Microsoft. This sucks, stolen emails containing secrets, including some customers whose secrets were exposed in stolen emails. Russians are also ramping up password spray attacks against targeted systems.
Confluence Exploit Drops In-Memory Web Shells
Multiple exploits are available for CVE-2023-22527, one is using novel techniques to drop Godzilla web shells in memory after exploitation.
https://vulncheck.com/blog/confluence-dreams-of-shells
Critical Auth Bypass Flaw in QNAP NAS Devices
Three flaws were disclosed, one being low complexity, remote unauthorized user access. These types of devices should not be exposed to the Internet, but even locally hosted present a risk if an attacker has a foothold in your environment.
https://www.qnap.com/en/security-advisory/qsa-24-09
Critical FortiOS and FortiProxy Bug Actively Exploited
Nearly a month after disclosure it appears around 150,000 devices are still susceptible to the flaw. BishopFox released a python script to verify if you are vulnerable. There are mitigations available, this may not be a completely accurate number.
https://github.com/BishopFox/cve-2024-21762-check
March 4th to March 8th – The Week in Ransomware
These are always interesting and worth a read.
Muddled Libra Shifting Behavior - Assessment
This is a good analysis of Muddled Libra. They are a sophisticated threat group. They perform consistent persistent threat characteristics. This one is worth a read, many threat actors are performing the same post exploitation behavior.
https://unit42.paloaltonetworks.com/muddled-libra/
Ransomware Tracker – March 2024
This is a monthly tracker of ransomware statistics.
https://therecord.media/ransomware-tracker-the-latest-figures
CrankySec – Disgruntled InfoSec Worker (Mature Audience – Language)
I find this a bit humorous, thought I would share, it’s not for everyone. She makes some good points, IMHO, but not the best way to showcase her view.
https://crankysec.com/blog/gap/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.