Cyber Threat Weekly – #18
The week of March 18th through March 24th was about what seems to be average now, with 456 cyber news articles reviewed. This week I attempted to be more selective about the cyber threat trend and adversarial behavior news shared. It is still a large newsletter. I would love to hear your feedback.
Let’s start with another example of legitimate websites abused by threat actors. Threat actors are testing novel means to bypass ML / AI email security controls. Some interesting behavioral trends of malicious files. More threat actors abusing TeamCity flaws.
Ransomware clowns can’t be trusted. Researchers share a multi-post series on the Remote Desktop Protocol (RDP). A DHCP server exploited in a Windows domain, though there’s a catch. New visibility into Tiny Turla’s post-compromise behavior.
Sharing Recorded Future’s 2023 Annual Report. Yet another Fortinet RCE bug with exploit code available. An observed phishing campaign with evasive behavior delivering NetSupport RAT. Ivanti, the gift that keeps on giving, with two more critical bugs.
Researchers share analysis of a new StrelaStealer campaign. Canada reconsiders its ban on Flipper Zero. Stealer malware pushed by a new Go loader. Researchers share analysis of a suspected Iranian threat actor’s recent tool.
Broken Record Alert: N-day bugs, please patch quickly!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploitation is more likely once weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited in the wild or have weaponized PoC code available.
We should also consider what is exposed to the Internet. Let’s remove some of the low-hanging fruit threat actors continue to target.
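The prioritization described above (KEV first, weaponized PoC second, Internet-exposed hosts ahead of internal ones) is easy to turn into a repeatable triage step. The following is an added example, not code from the newsletter or from CISA: it indexes a constructed snapshot that uses the same top-level shape as the CISA KEV JSON feed (`vulnerabilities`, `cveID`, `dueDate`, `knownRansomwareCampaignUse`), joins it against a constructed asset inventory and a constructed list of CVEs with weaponized PoC, and emits a queue with the 24h / 48h emergency windows. All CVE ids, hostnames and dates are placeholders.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed (only the fields used here).
# CVE ids are placeholders, not real vulnerabilities.
KEV_SNAPSHOT = json.dumps({
    "title": "constructed KEV snapshot",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2024-03-19", "dueDate": "2024-04-09", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleCI", "product": "BuildServer",
         "dateAdded": "2024-03-04", "dueDate": "2024-03-25", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed set of CVEs for which weaponized public PoC code is being tracked
# (in practice this comes from your own threat-intel tracking).
WEAPONIZED_POC = {"CVE-1900-0003"}

# Constructed asset inventory: which CVEs each host carries and whether it faces the Internet.
INVENTORY = [
    {"host": "vpn-edge-1", "internet_exposed": True, "cves": ["CVE-1900-0001"]},
    {"host": "ci-internal", "internet_exposed": False, "cves": ["CVE-1900-0002"]},
    {"host": "web-app-2", "internet_exposed": True, "cves": ["CVE-1900-0003", "CVE-1900-0004"]},
    {"host": "file-srv", "internet_exposed": False, "cves": ["CVE-1900-0004"]},
]

# Constructed review date, used to flag items already past their KEV due date.
REVIEW_DATE = date(2024, 3, 26)

# Emergency windows per tier; tier 3 follows the normal patch cycle (no emergency SLA).
TIER_SLA_HOURS = {1: 24, 2: 48}


def load_kev(raw_json):
    """Index a KEV-shaped feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(inventory, kev, weaponized, today):
    """Return one work item per (host, cve), ordered by patching urgency.

    Tier 1: listed in the KEV catalog (exploited in the wild) -> 24h emergency window.
    Tier 2: weaponized public PoC available                  -> 48h emergency window.
    Tier 3: everything else                                  -> normal patch cycle.
    Within a tier, Internet-exposed hosts come first, then the earliest KEV due date.
    """
    items = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is not None:
                tier, due = 1, date.fromisoformat(entry["dueDate"])
            elif cve in weaponized:
                tier, due = 2, None
            else:
                tier, due = 3, None
            items.append({
                "host": asset["host"],
                "cve": cve,
                "tier": tier,
                "sla_hours": TIER_SLA_HOURS.get(tier),
                "internet_exposed": asset["internet_exposed"],
                "kev_due": due,
                "kev_overdue": due is not None and due < today,
                "ransomware_use": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # False sorts before True, so exposed hosts lead; missing due dates sort last.
    items.sort(key=lambda i: (i["tier"], not i["internet_exposed"], i["kev_due"] or date.max, i["host"]))
    return items


def emergency_queue(inventory, kev, weaponized, today):
    """Only the items that fall inside the 24-to-48-hour emergency process."""
    return [i for i in prioritize(inventory, kev, weaponized, today) if i["tier"] <= 2]


if __name__ == "__main__":
    kev_index = load_kev(KEV_SNAPSHOT)
    for item in prioritize(INVENTORY, kev_index, WEAPONIZED_POC, REVIEW_DATE):
        flag = " OVERDUE-KEV" if item["kev_overdue"] else ""
        print(f"tier {item['tier']} {item['host']:12} {item['cve']} sla={item['sla_hours']}h{flag}")
```

Swapping the constructed snapshot for the live feed means fetching the real KEV JSON and feeding it to `load_kev`; the `dueDate` check is useful because CISA's due date is a federal deadline, so an overdue KEV entry on an Internet-facing host is the first thing to clear.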
HTML Smuggling Azorult Stealer Through Decoy Google Sites
Defense evasion through fake Google Docs pages and an interesting smuggling technique. Threat actors are getting more creative in taking advantage of legitimate or legitimate-appearing infrastructure. Researchers provide analysis of the campaign.
https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.html
ML / AI Enabled Email Security Bypass Techniques
Researchers observed a series of novel email attacks designed to evade anomaly-based detection in machine learning algorithms. The adversary is testing our defenses and probing for weaknesses. We need to be vigilant and test our controls in a similar fashion.
https://www.darkreading.com/cloud-security/conversation-overflow-cyberattacks-bypass-ai-security
https://slashnext.com/blog/new-attack-techniques-to-bypass-machine-learning-security-controls/
https://www.infosecurity-magazine.com/news/new-conversation-overflow-tactic/
Behavioral Trends of Over 100,000 Malicious Files
While the dataset is not exhaustive and doesn’t cover all types of malware, it’s still interesting and could be useful in threat detection, especially when applying the 80/20 rule.
https://www.elastic.co/security-labs/unveiling-malware-behavior-trends
Multiple Threat Actors Abusing TeamCity Bugs
N-day bugs are continually abused by a multitude of threat actors. The TeamCity flaws are no exception. Researchers are observing several malware types being deployed upon exploitation.
https://thehackernews.com/2024/03/teamcity-flaw-leads-to-surge-in.html
Ransomware Clowns - You Don’t Get What You Pay For
Security experts and researchers are observing that ransomware gangs cannot be trusted after a payout: victim data is still sold or released, and especially not deleted. We’ll release a blog post on ransomware economics soon-ish.
https://www.bankinfosecurity.com/blogs/ransomware-groups-trust-us-uh-dont-p-3587
Lots of Data Shared on RDP
A heavily abused living-off-the-land protocol for initial access and lateral movement. Researchers share findings based on incident response cases from 2021 to 2023. Each post is relatively short; topics include Exposed RDP, Queries for Investigation, Time Zone Bias, and more.
https://news.sophos.com/en-us/2024/03/20/remote-desktop-protocol-the-series/
Escalate Privileges Using DHCP in Windows Domains
The key to this attack is that the DHCP service needs to run on a domain controller. The lesson: always separate Windows services from your domain controllers, especially DHCP and DNS. In the past, DNS bugs have allowed domain compromise.
https://cybersecuritynews.com/dhcp-exploit-privilege-escalation-windows/
Tiny Turla’s Behavior and Kill Chain
As we are looking at malware and breaking down behavior, this is another example that may be useful. Today’s nation state attack is tomorrow’s commodity attack.
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
Recorded Future Insikt Group Threat Analysis 2023 Report
This report shows some interesting trends. One that caught my eye was a serious increase, over 2022, in the exploitation of high-risk bugs in operating systems, network infrastructure, and enterprise software.
https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf
Exploit Code Available for Latest Fortinet Flaw
This one is here to continue tracking Fortinet bugs. There is a trend: many bugs, threat actors love them, and exploit code seems to be abundant.
NetSupport RAT Delivered via New Evasive Behavior
Researchers share new behavior used to deliver NetSupport RAT: a new campaign with new TTPs.
Two More Critical Ivanti Flaws
So far Ivanti has not seen evidence of exploitation, but as popular as the vendor is with attackers, it’s worthwhile to patch quickly.
https://www.darkreading.com/vulnerabilities-threats/ivanti-security-teams-scrambling-2-vulns
Two StrelaStealer Phishing Campaigns Observed
Researchers share observations on two different phishing campaigns. Designed to evade detection, these new campaigns include better obfuscation and anti-analysis techniques.
https://thehackernews.com/2024/03/new-strelastealer-phishing-attacks-hit.html
https://unit42.paloaltonetworks.com/strelastealer-campaign/
Flipper Zero Ban by Canada, Reconsidered
Not much of a change, but the appeal from the security community seems to have been heard.
https://www.malwarebytes.com/blog/news/2024/03/canada-revisits-decision-to-ban-flipper-zero
Rhadamanthys Stealer via Go Loader
Another example of malvertising, pushing a Go loader delivering a stealer. Malvertising is starting to become a trend. Researchers share observations of the campaign.
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys
Curious Serpens’ New FalseFont Backdoor
A suspected Iranian threat actor’s recent tool. Researchers provide analysis of an observed campaign.
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter