
Cyber Threat Weekly – #17

Derek Krein

The week of March 11th through March 17th was about average with 454 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news.  Let’s start with threat actors deploying n-day exploits and dropping a Linux remote access trojan (RAT).

Component Object Model (COM) object hijacking is abused by threat actors and malware.  Ransomware clowns abusing JetBrains TeamCity flaws.  Yet another stealer malware hits the market.  Criminals screwing criminals over, imagine that.

Sophos 2024 Threat Report is out.  Designed to bypass censorship, Tor’s WebTunnel bridges.  Red Canary’s 2024 Threat Detection Report released.  Kubernetes Remote Code Execution (RCE) bug in Windows nodes.  Fortinet’s Enterprise Management Server critical RCE flaw.

Threat actors exploit Windows SmartScreen bug.  New tool designed to attack remote access services, e-commerce, and hosting panels.  Researchers dissect BunnyLoader 3.0. 


Broken Record Alert:  Prioritize Patching N-day bugs!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


Magnet Goblin Quickly Abusing N-Day Exploits

There are really two trends with this story.  The first is the extremely quick deployment of n-day exploits with weaponized proof of concept code available, not only by financially motivated threat actors, but also nation states.  This is an ongoing trend picking up steam.  The second is the use of Linux malware.

https://thehackernews.com/2024/03/magnet-goblin-hacker-group-leveraging-1.html

https://www.darkreading.com/threat-intelligence/magnet-goblin-exploits-ivanti-1-day-bug-mere-hours


MITRE Technique COM Objects Hijacking

Utilized for persistence and privilege escalation by threat actors and malware.  The VirusTotal article goes deep into often abused COM objects, covering several malware families.  Understanding threat actor behavior is the key to better prevention and detection.

https://cybersecuritynews.com/malware-com-hijacking-persistence/

https://blog.virustotal.com/2024/03/com-objects-hijacking.html


BianLian Ransomware Clowns Abusing TeamCity Bugs

First observation: N-day abuse for initial access, a trend that is prolific.  Second is a shift in backdoor tools for these clowns.  This could be an observation from different affiliates (clowns), since affiliates work with and jump between several Ransomware-as-a-Service (RaaS) offerings.

https://thehackernews.com/2024/03/bianlian-threat-actors-exploiting.html

https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/


PlanetStealer is on the Loose

There are many stealers on the market; this one appears to be an up-and-comer.  Stealer malware goes after credentials, other sensitive secrets, and data, then exfiltrates what it collects.

https://inquest.net/blog/around-we-go-planet-stealer-emerges/


Incognito Dark Market Mass Extortion Ploy

From Krebs, an exit scam from the clowns who own the Incognito marketplace.  Too funny, cuz criminals can be trusted, NOT!!!

https://krebsonsecurity.com/2024/03/incognito-darknet-market-mass-extorts-buyers-sellers/


Sophos 2024 Threat Report

I’ve put together a quick key take-aways page if you don’t want to read the whole report.  As expected, the ransomware monster continues to grow.  The cybercriminal ecosystem is killing it.  Dual use tools continue to be abused.  Just a few highlights.

https://www.reddit.com/r/31337_InfoSec/comments/1bhg5yj/sophos_2024_threat_report_key_take_aways/

https://www.infosecurity-magazine.com/news/cyber-incident-victims-small/

https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/


Tor’s WebTunnel Blends in with HTTPS Traffic

While designed to bypass censorship, you can bet your bottom dollar adversaries will figure out a way to abuse it.

https://www.bleepingcomputer.com/news/security/tors-new-webtunnel-bridges-mimic-https-traffic-to-evade-censorship/


Red Canary’s 2024 Threat Detection Report

One of my favorite reports, Red Canary offers top trends, threats, and techniques along with detection opportunities for nearly all of them.  Correlating this report with several others will give you a really good view of today’s threat landscape.

https://redcanary.com/threat-detection-report/


RCE Bug Affects Windows Nodes in a Kubernetes Cluster

Tracked as CVE-2023-5528, rated high with a CVSS score of 7.2.  Successful exploitation leads to SYSTEM privileges on all Windows endpoints.

https://www.darkreading.com/cloud-security/patch-now-kubernetes-flaw-allows-for-full-takeover-of-windows-nodes

https://www.akamai.com/blog/security-research/kubernetes-local-volumes-command-injection-vulnerability-rce-system-privileges


Critical RCE Flaw in Fortinet’s FortiClient Enterprise Management Server

Allowing an unauthenticated attacker remote code execution with SYSTEM privileges is low complexity pwnage.  Given how both cyber criminals and nation states love to abuse Fortinet bugs, it’s worth patching if you are affected.

https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-bug-in-endpoint-management-software/

https://fortiguard.fortinet.com/psirt/FG-IR-24-007


DarkGate Malware Dropped via Windows SmartScreen Flaw

Previously a zero-day, now patched, this N-day bug is being abused in a new DarkGate campaign.

https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/

https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html


TMChecker Attack Tool Now Available on Dark Web

This adversarial tool boasts access login checking and brute-force attack capabilities.  With a list of 17 solutions currently available to abuse, this is a nasty tool. 

https://www.resecurity.com/blog/article/cybercriminals-evolve-tooling-for-remote-access-compromise


BunnyLoader 3.0 Revealed

Continually developed and now boasting a complete redesign.  Researchers share this malware’s secrets including stealer and keylogger modules along with several other modules.

https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/

