Cyber Threat Weekly – #17
The week of March 11th through March 17th was about average, with 454 cyber news articles reviewed, and only a moderate amount of cyber threat trend and adversarial behavior news. Let’s start with threat actors rapidly deploying n-day exploits and dropping a Linux remote access trojan (RAT).
Component Object Model (COM) object hijacking is abused by threat actors and malware. Ransomware clowns are abusing JetBrains TeamCity flaws. Yet another stealer malware hits the market. Criminals screwing criminals over, imagine that.
The Sophos 2024 Threat Report is out. Tor’s WebTunnel bridges, designed to evade censorship. Red Canary’s 2024 Threat Detection Report released. Kubernetes Remote Code Execution (RCE) bug in Windows nodes. Fortinet’s FortiClient Enterprise Management Server critical RCE flaw.
Threat actors exploit Windows SmartScreen bug. New tool designed to attack remote access services, e-commerce, and hosting panels. Researchers dissect BunnyLoader 3.0.
Broken Record Alert: Prioritize Patching N-day bugs!!!
Known exploited software flaws continue to be abused by threat actors, and we continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close second priority is flaws with weaponized proof of concept (PoC) code available; the odds of exploitation go up sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Also consider what is exposed to the Internet, and remove some of the low-hanging fruit threat actors continue to target.
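The prioritization above (KEV first, weaponized PoC second, Internet-exposed assets to the front, a 24-to-48-hour emergency lane) is easy to turn into a triage script. The following is an added example, not code from the newsletter or from CISA: the KEV records use the field names of the real CISA KEV JSON feed but are constructed, and POC_WEAPONIZED and INVENTORY are constructed stand-ins for an exploit-intel feed and an asset inventory.

```python
"""
Patch-triage helper: rank an asset's open CVEs the way the newsletter
recommends (KEV first, weaponized PoC second, everything else third), sort
Internet-exposed assets to the front of each tier, and attach an SLA.

Added example, not the newsletter's or CISA's code. KEV_JSON mimics the field
names of the CISA KEV feed but its records are constructed; POC_WEAPONIZED and
INVENTORY are constructed samples.
"""
import json

# Constructed sample shaped like the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-0001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
         "dateAdded": "2024-03-12", "dueDate": "2024-03-19",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-0002", "vendorProject": "ExampleCorp", "product": "BuildServer",
         "dateAdded": "2024-03-14", "dueDate": "2024-04-04",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed: CVEs with working exploit code in circulation (assumption: fed
# from whatever exploit-intel source you subscribe to).
POC_WEAPONIZED = {"CVE-2024-0002", "CVE-2024-0003"}

# Constructed asset inventory: one record per (asset, open CVE) pair.
INVENTORY = [
    {"asset": "file-srv-04", "cve": "CVE-2024-0004", "internet_exposed": False},
    {"asset": "web-shop-03", "cve": "CVE-2024-0003", "internet_exposed": True},
    {"asset": "ci-build-02", "cve": "CVE-2024-0002", "internet_exposed": False},
    {"asset": "vpn-edge-01", "cve": "CVE-2024-0001", "internet_exposed": True},
]

# Tier -> patch deadline in hours. Tiers 1 and 2 are the emergency lane.
SLA_HOURS = {1: 24, 2: 48, 3: 24 * 30}


def load_kev(raw_json):
    """Index the KEV feed by CVE id for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def classify(cve, kev, poc_set):
    """Return (tier, reasons) for one CVE using the KEV-first ordering."""
    if cve in kev:
        reasons = [f"CISA KEV (due {kev[cve]['dueDate']})"]
        if kev[cve].get("knownRansomwareCampaignUse") == "Known":
            reasons.append("known ransomware use")
        return 1, reasons
    if cve in poc_set:
        return 2, ["weaponized PoC public"]
    return 3, ["no known exploitation"]


def prioritize(inventory, kev, poc_set):
    """Rank records by tier, then Internet exposure, then ransomware use, then CVE id."""
    ranked = []
    for rec in inventory:
        tier, reasons = classify(rec["cve"], kev, poc_set)
        if rec["internet_exposed"]:
            reasons.append("Internet-exposed")
        ranked.append({**rec, "tier": tier, "sla_hours": SLA_HOURS[tier], "reasons": reasons})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_exposed"],
                               "known ransomware use" not in r["reasons"], r["cve"]))
    return ranked


def emergency_lane(ranked):
    """Records that must go through the 24-to-48-hour emergency patch process."""
    return [r for r in ranked if r["tier"] <= 2]


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), POC_WEAPONIZED):
        print(f"tier {r['tier']}  {r['sla_hours']:>4}h  {r['asset']:<12} {r['cve']}  "
              f"{'; '.join(r['reasons'])}")
```

Swap the constructed KEV_JSON for the live feed and the inventory for your scanner export and the same functions apply; the KEV feed's dueDate is CISA's deadline for federal agencies, which is why the script carries its own, tighter SLA_HOURS for the emergency lane.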
Magnet Goblin Quickly Abusing N-Day Exploits
There are really two trends in this story. The first is the extremely quick deployment of n-day exploits once weaponized proof of concept code is available, not only by financially motivated threat actors but also by nation states; this is an ongoing trend picking up steam. The second is the use of Linux malware.
https://thehackernews.com/2024/03/magnet-goblin-hacker-group-leveraging-1.html
https://www.darkreading.com/threat-intelligence/magnet-goblin-exploits-ivanti-1-day-bug-mere-hours
MITRE Technique COM Objects Hijacking
Utilized for persistence and privilege escalation by threat actors and malware. The VirusTotal article goes deep into commonly abused COM objects, covering several malware families. Understanding threat actor behavior is the key to better prevention and detection.
https://cybersecuritynews.com/malware-com-hijacking-persistence/
https://blog.virustotal.com/2024/03/com-objects-hijacking.html
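One practical detection for the technique described above is to diff per-user COM registrations against the machine-wide ones. For a medium-integrity process the per-user hive (HKCU\Software\Classes\CLSID) is consulted before HKLM, so a CLSID registered in both places is served from the HKCU copy; that is what COM hijacking relies on. The following is an added example, not code from the VirusTotal or Cyber Security News articles. The snapshot format (one "hive\key = default value" line per COM server) and the sample entries are constructed for this example; in practice you would feed it a registry export from the endpoint.

```python
"""
COM hijack triage over a registry snapshot.

Added example for the COM hijacking write-ups; not the articles' own code.
Flags three things: an HKCU CLSID that shadows an HKLM registration, a COM
server (in either hive) loaded from a user-writable path, and TreatAs /
ScriptletURL redirections registered per-user. Snapshot format and sample
lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"\\(?P<subkey>InprocServer32|LocalServer32|TreatAs|ScriptletURL) = (?P<value>.+)$",
    re.IGNORECASE,
)
SUBKEY_CANON = {s.lower(): s for s in ("InprocServer32", "LocalServer32", "TreatAs", "ScriptletURL")}

# Path fragments an unprivileged user can normally write to; a COM server
# loaded from one of these is a hijack candidate whichever hive registers it.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed sample snapshot: one line per registered COM server.
SAMPLE_SNAPSHOT = r"""
HKLM\Software\Classes\CLSID\{0000000A-1111-2222-3333-444444444444}\InprocServer32 = C:\Windows\System32\example_a.dll
HKCU\Software\Classes\CLSID\{0000000A-1111-2222-3333-444444444444}\InprocServer32 = C:\Users\alice\AppData\Roaming\update\example_a.dll
HKLM\Software\Classes\CLSID\{0000000B-1111-2222-3333-444444444444}\InprocServer32 = C:\Windows\System32\example_b.dll
HKCU\Software\Classes\CLSID\{0000000B-1111-2222-3333-444444444444}\TreatAs = {0000000C-1111-2222-3333-444444444444}
HKCU\Software\Classes\CLSID\{0000000C-1111-2222-3333-444444444444}\LocalServer32 = C:\Users\alice\AppData\Local\Temp\svc.exe
HKCU\Software\Classes\CLSID\{0000000D-1111-2222-3333-444444444444}\InprocServer32 = C:\Program Files\Vendor\addin.dll
"""


def parse_snapshot(text):
    """Return {clsid: {hive: {subkey: value}}} for lines that look like COM server registrations."""
    reg = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            subkey = SUBKEY_CANON[m["subkey"].lower()]
            reg[m["clsid"].upper()][m["hive"].upper()][subkey] = m["value"].strip()
    return reg


def is_user_writable(path):
    """Heuristic: does the server path live somewhere a standard user can write?"""
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def find_com_hijacks(text):
    """Return a list of findings, each with clsid, hive, subkey, value and reasons."""
    findings = []
    for clsid, hives in sorted(parse_snapshot(text).items()):
        hkcu, hklm = hives.get("HKCU", {}), hives.get("HKLM", {})
        for subkey, value in hkcu.items():
            reasons = []
            if hklm:  # per-user copy wins over the machine-wide one for non-elevated callers
                reasons.append("shadows HKLM registration")
            if subkey in ("InprocServer32", "LocalServer32") and is_user_writable(value):
                reasons.append("server in user-writable path")
            if subkey in ("TreatAs", "ScriptletURL"):
                reasons.append(f"{subkey} redirect")
            if reasons:
                findings.append({"clsid": clsid, "hive": "HKCU", "subkey": subkey,
                                 "value": value, "reasons": reasons})
        for subkey, value in hklm.items():
            # Machine-wide registration pointing at a user-writable path: hijackable by
            # dropping a DLL there, no HKCU write needed.
            if subkey in ("InprocServer32", "LocalServer32") and is_user_writable(value):
                findings.append({"clsid": clsid, "hive": "HKLM", "subkey": subkey,
                                 "value": value, "reasons": ["server in user-writable path"]})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_SNAPSHOT):
        print(f"{f['hive']} {f['clsid']} {f['subkey']} -> {f['value']}  [{', '.join(f['reasons'])}]")
```

Note what is deliberately not flagged: the HKCU-only registration pointing into Program Files. Per-user installs legitimately register their own CLSIDs, so a per-user entry by itself is noise; the signal is a per-user entry that overrides a machine-wide one, a redirect, or a server path the user controls. Elevated (high-integrity) processes skip the HKCU hive for COM lookups, so the shadowing finding is about persistence in the user's context rather than a straight jump to admin.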
BianLian Ransomware Clowns Abusing TeamCity Bugs
First observation: n-day abuse for initial access, a trend that is prolific. Second: a shift in backdoor tooling for these clowns. This could simply reflect different affiliates (clowns) at work, since affiliates work with, and jump between, several Ransomware as a Service (RaaS) offerings.
https://thehackernews.com/2024/03/bianlian-threat-actors-exploiting.html
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
PlanetStealer is on the Loose
There are many stealers on the market; this one appears to be an up-and-comer. Stealer malware goes after credentials, other sensitive secrets, and data, then exfiltrates what it collects.
https://inquest.net/blog/around-we-go-planet-stealer-emerges/
Incognito Dark Market Mass Extortion Ploy
From Krebs, an exit scam from the clowns who own the Incognito marketplace. Too funny, cuz criminals can be trusted, NOT!!!
https://krebsonsecurity.com/2024/03/incognito-darknet-market-mass-extorts-buyers-sellers/
Sophos 2024 Threat Report
I’ve put together a quick key take-aways page if you don’t want to read the whole report. As expected, the ransomware monster continues to grow. The cybercriminal ecosystem is killing it. Dual-use tools continue to be abused. Just a few highlights.
https://www.reddit.com/r/31337_InfoSec/comments/1bhg5yj/sophos_2024_threat_report_key_take_aways/
https://www.infosecurity-magazine.com/news/cyber-incident-victims-small/
https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/
Tor’s WebTunnel Blends in with HTTPS Traffic
While designed to bypass censorship, you can bet your bottom dollar adversaries will figure out a way to abuse it.
Red Canary’s 2024 Threat Detection Report
One of my favorite reports, Red Canary offers top trends, threats, and techniques along with detection opportunities for nearly all of them. Correlating this report with several others will give you a really good view of today’s threat landscape.
https://redcanary.com/threat-detection-report/
RCE Bug Affects Windows Nodes in a Kubernetes Cluster
Tracked as CVE-2023-5528 and rated High with a 7.2 CVSS score. Successful exploitation yields SYSTEM privileges on all Windows nodes in the cluster.
Critical RCE Flaw in Fortinet’s FortiClient Enterprise Management Server
Allowing an unauthenticated attacker remote code execution with SYSTEM privileges is low-complexity pwnage. Given how both cyber criminals and nation states love to abuse Fortinet bugs, it’s worth patching now if you are affected.
https://fortiguard.fortinet.com/psirt/FG-IR-24-007
DarkGate Malware Dropped via Windows SmartScreen Flaw
Previously a zero-day and now patched, this n-day bug is being abused in a new DarkGate campaign.
TMChecker Attack Tool Now Available on Dark Web
This adversarial tool boasts login checking and brute-force attack capabilities against remote access services, e-commerce platforms, and hosting panels. With 17 target solutions currently supported, this is a nasty tool.
https://www.resecurity.com/blog/article/cybercriminals-evolve-tooling-for-remote-access-compromise
BunnyLoader 3.0 Revealed
Continually developed and now boasting a complete redesign. Researchers share this malware’s internals, including its stealer and keylogger modules along with several others.
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter