Skip to content

Cyber Threat Weekly – #18

Derek Krein
4 min read

The week of March 18th through March 24th was what seems to be around average now with 456 cyber news articles reviewed.  This week attempted to be more selective on cyber threat trend and adversarial behavior news shared.  Still a large newsletter. Would love to hear your feedback.

Let’s start with another example of legitimate websites abused by threat actors.  Threat actors testing novel means to bypass ML / AI email security controls.  Some interesting behavioral trends of malicious files.  More threat actors abusing TeamCity flaws.

Ransomware clowns can’t be trusted.  Researchers share a multi-post series on the Remote Desktop Protocol (RDP).  DHCP server exploited in windows domain, there’s a catch.  New visibility into Tiny Turla’s post-compromise behavior.

Sharing Recorded Futures 2023 Annual Report.  Yet another Fortinet RCE bug with exploit code available.  Observed phishing campaign with evasive behavior delivering NetSupport RAT.  Ivanti, the gift that keeps on giving, two more critical bugs.

Researchers share analysis of a new StrelaStealer campaign.  Canada reconsiders it’s ban on Flipper Zero.  Stealer malware pushed by new Go Loader.  Researchers share analysis of suspected Iranian threat actor’s recent tool.


Broken Record Alert:  N-day bugs, please patch quickly!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


HTML Smuggling Azorult Stealer Through Decoy Google Sites

Defense evasion through fake Google Docs pages and an interesting smuggling technique.  Threat actors are getting more creative in taking advantage of legitimate / legitimate appearing infrastructure.  Researchers provide analysis of the campaign.

https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.html

https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites


ML / AI Enabled Email Security Bypass Techniques

Researchers observed a series of novel email attacks designed to evade anomaly-based detection in machine learning algorithms.  The adversary is testing our defenses and probing for weaknesses.  We need to be vigilant and test our controls in a similar fashion.

https://www.darkreading.com/cloud-security/conversation-overflow-cyberattacks-bypass-ai-security

https://slashnext.com/blog/new-attack-techniques-to-bypass-machine-learning-security-controls/


Behavioral Trends of Over 100,000 Malicious Files

While the dataset is not exhaustive and doesn’t cover all types of malware, it’s still interesting and could be useful in threat detection, especially utilizing the 80/20 rule.

https://www.infosecurity-magazine.com/news/new-conversation-overflow-tactic/

https://www.elastic.co/security-labs/unveiling-malware-behavior-trends


Multiple Threat Actors Abusing TeamCity Bugs

N-day bugs are continually abused by a multitude of threat actors.  The TeamCity flaws are no exception.  Researchers are observing several malware types being deployed upon exploitation.

https://thehackernews.com/2024/03/teamcity-flaw-leads-to-surge-in.html

https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html


Ransomware Clowns - You Don’t get What You Pay For

Security experts and researchers are observing ransomware gangs are not selling victim data, releasing victim data, or especially not deleting victim data after a payout.  We’ll release a blog post on ransomware economics soon ish.

https://www.bankinfosecurity.com/blogs/ransomware-groups-trust-us-uh-dont-p-3587


Lots of Data Shared on RDP

A heavily abused living off the land protocol for initial access and lateral movement.  Researchers share findings based on incident response cases from 2021 to 2023.  Each post is relatively short, topics include Exposed RDP, Queries for Investigation, Time Zone Bias, and more.

https://news.sophos.com/en-us/2024/03/20/remote-desktop-protocol-the-series/


Escalate Privileges Using DHCP in Windows Domains

The key to this attack is the DHCP service needs to run on a domain controller.  The lesson, always separate windows services from your domain controllers, especially DHCP and DNS.  In the past DNS bugs allowed domain compromise. 

https://cybersecuritynews.com/dhcp-exploit-privilege-escalation-windows/


Tiny Turla’s Behavior and Kill Chain

As we are looking at malware and breaking down behavior, this is another example that may be useful.  Today’s nation state attack is tomorrow’s commodity attack.

https://blog.talosintelligence.com/tinyturla-full-kill-chain/


Recorded Future Insikt Group Theat Analysis 2023 Report

This report shows some interesting trends, one that caught my eye was a serious increase in exploiting high risk bugs in Operating Systems, Network Infrastructure, and Enterprise Software over 2022. 

https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf


Exploit Code Available for Latest Fortinet Flaw

This one is to continue to track Fortinet bugs.  There is a trend here, many bugs, threat actors love them, exploit code seems to be abundant.

https://www.bleepingcomputer.com/news/security/exploit-released-for-fortinet-rce-bug-used-in-attacks-patch-now/


NetSupport RAT Delivered via New Evasive Behavior

Researchers share new behavior to deliver NetSupport RAT, new campaign, new TTPs.

https://www.csoonline.com/article/2071475/new-phishing-campaign-targets-us-organizations-with-netsupport-rat.html

https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/


Two More Critical Ivanti Flaws

So far Ivanti has not seen evidence of exploitation, but as popular as the vendor is by attackers, it’s worthwhile to patch quickly. 

https://www.darkreading.com/vulnerabilities-threats/ivanti-security-teams-scrambling-2-vulns


Two StrelaStealer Phishing Campaigns Observed

Researchers share observations on two different phishing campaigns.  Designed to evade detection, these new campaigns include better obfuscation and anti-analysis techniques.

https://thehackernews.com/2024/03/new-strelastealer-phishing-attacks-hit.html

https://unit42.paloaltonetworks.com/strelastealer-campaign/


Flipper Zero Ban by Canada, Reconsidered

Not much of a change, but the appeal from the security community seems to have been heard.

https://www.malwarebytes.com/blog/news/2024/03/canada-revisits-decision-to-ban-flipper-zero


Rhadamanthys Stealer via Go Loader

Another example of malvertising, pushing a Go loader delivering a stealer.  Malvertising is starting to become a trend.  Researchers share observations of the campaign.

https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys


Curious Serpens New FalseFront Backdoor

Suspected Iranian threat actor’s recent tool.  Researchers provide analysis of an observed campaign.

https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by