Cyber Threat Weekly – #19
The week of March 25th through March 31st was on the lighter side of average with 438 cyber news articles reviewed. A relatively light amount of cyber threat trend and adversarial behavior news to share. Let’s start with a tool that fuels cybercrime and nation state anonymity utilizing cheap hardware.
Attacking vulnerabilities starts at their source. Lessons learned from the British Library ransomware attack. Phishing as a service designed to bypass typical MFA. LockBit ransomware clowns, disruption barely slowed them down, still very active.
Cyber criminals are going after small office home office (SOHO) routers to anonymize malicious traffic. Apple users under attack via MFA bombing. Agenda ransomware clowns turning up the heat. ReliaQuest’s Annual Cyber Threat Report.
Password spraying attacks target VPNs. Local privilege escalation is a growing trend, researchers share insights. Supply chain vulnerability in major distributions of Linux. And finally, Linux servers targeted by DinodasRAT.
Broken Record Alert: Patch N-Day Bugs Quickly!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
We should also consider what is exposed to the Internet and remove some of the low-hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for March 25th to March 31st:
CVE-2019-7256 – Nice Linear eMerge E3-Series OS Command Injection Vulnerability
Allows an attacker to conduct remote code execution.
CVE-2021-44529 – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Allows an unauthenticated user to execute malicious code with limited permissions (nobody).
CVE-2023-48788 – Fortinet FortiClient EMS SQL Injection Vulnerability
Allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
CVE-2023-24955 – Microsoft SharePoint Server Code Injection Vulnerability
Allows an authenticated attacker with Site Owner privileges to execute code remotely.
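The patching priority described above (KEV first, weaponized PoC second, Internet exposure as the tiebreaker within each tier), as an added example that is not part of the original newsletter. The catalog excerpt is constructed from the four KEV entries listed in this issue and trimmed to a few of the field names the real CISA KEV JSON feed uses ("vulnerabilities", "cveID", "vendorProject", "product", "vulnerabilityName"); the asset inventory, the weaponized-PoC set and the CVE-PLACEHOLDER ids are made up for the example.

```python
"""
Added example: rank an asset/CVE inventory against a CISA KEV excerpt.
Not the newsletter's code. The KEV excerpt is constructed from the four
entries named in this issue; INVENTORY and WEAPONIZED_POC are invented.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the CISA KEV JSON feed (trimmed fields).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2019-7256", "vendorProject": "Nice", "product": "Linear eMerge E3-Series",
   "vulnerabilityName": "Nice Linear eMerge E3-Series OS Command Injection Vulnerability"},
  {"cveID": "CVE-2021-44529", "vendorProject": "Ivanti", "product": "Endpoint Manager Cloud Service Appliance",
   "vulnerabilityName": "Ivanti EPM CSA Code Injection Vulnerability"},
  {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet", "product": "FortiClient EMS",
   "vulnerabilityName": "Fortinet FortiClient EMS SQL Injection Vulnerability"},
  {"cveID": "CVE-2023-24955", "vendorProject": "Microsoft", "product": "SharePoint Server",
   "vulnerabilityName": "Microsoft SharePoint Server Code Injection Vulnerability"}
]}
"""

# Constructed inventory: what is deployed where, and whether it faces the Internet.
# The CVE-PLACEHOLDER ids are deliberately fake; they stand in for CVEs not in KEV.
INVENTORY = [
    {"asset": "vpn-gw-01", "cve": "CVE-2023-48788", "internet_exposed": True},
    {"asset": "sp-intranet", "cve": "CVE-2023-24955", "internet_exposed": False},
    {"asset": "build-srv-07", "cve": "CVE-PLACEHOLDER-1", "internet_exposed": True},
    {"asset": "hr-app", "cve": "CVE-PLACEHOLDER-2", "internet_exposed": False},
]
# Constructed: CVEs for which a weaponized public PoC is known (placeholder id).
WEAPONIZED_POC = {"CVE-PLACEHOLDER-1"}

EMERGENCY_WINDOW = timedelta(days=2)   # the 24-to-48-hour emergency process
EXAMPLE_DATE = date(2024, 4, 1)        # fixed "today" so the run is reproducible


def load_kev(raw: str) -> dict:
    """Index the KEV feed by CVE id for constant-time membership checks."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(inventory, kev, weaponized_pocs, today):
    """
    Assign each inventory row a priority:
      1 = in CISA KEV (exploited in the wild)      -> emergency deadline
      2 = weaponized PoC publicly available        -> emergency deadline
      3 = nothing known                            -> normal patch cycle
    Within a priority, Internet-exposed assets sort first.
    """
    ranked = []
    for item in inventory:
        cve = item["cve"]
        if cve in kev:
            priority, reason = 1, "CISA KEV: known exploited"
        elif cve in weaponized_pocs:
            priority, reason = 2, "weaponized PoC available"
        else:
            priority, reason = 3, "no known exploitation"
        deadline = today + EMERGENCY_WINDOW if priority < 3 else None
        ranked.append({**item, "priority": priority, "reason": reason, "deadline": deadline})
    ranked.sort(key=lambda r: (r["priority"], not r["internet_exposed"], r["asset"]))
    return ranked


if __name__ == "__main__":
    for row in triage(INVENTORY, load_kev(KEV_JSON), WEAPONIZED_POC, EXAMPLE_DATE):
        due = row["deadline"].isoformat() if row["deadline"] else "normal cycle"
        print(f'P{row["priority"]} {row["asset"]:<14} {row["cve"]:<18} {due:<13} {row["reason"]}')
```

In practice the only change needed is to replace KEV_JSON with the downloaded feed and INVENTORY with your scanner or CMDB export; the ranking logic stays the same.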
GEOBOX - Inexpensive Raspberry Pi and $700 Software
Fake your location to remain anonymous: this little device allows any threat actor to appear to be coming from any desired location. Over the past several months, we have seen both nation states and cyber criminals using SOHO routers as proxies to remain anonymous and appear benign.
This really sucks for defenders; it becomes much more difficult to ascertain malicious behavior from location. Imagine chaining several of these together as if you’re jumping through multiple proxies; tracing threat actors becomes extremely difficult.
Secure by Design – Reducing SQL Injection Bugs
While mostly for manufacturers, any dev team should be thinking about reducing known flaws before releasing code into production. We’ve known about SQL injection bugs and how to eliminate them for decades. This goes for other insecure firmware and software as well.
https://www.cisa.gov/securebydesign/alerts
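The class of bug the alert is about, as an added example that is not part of the original newsletter or of CISA's material: a lookup built by string formatting beside the parameterized form that eliminates it. The table, the rows and the inputs are constructed; sqlite3 from the standard library stands in for whatever database the application uses.

```python
"""
Added example: SQL injection, vulnerable form beside the hardened form.
Not code from the newsletter. Table, rows and inputs are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    # Vulnerable: the value is spliced into the statement text, so quote
    # characters in the input become SQL syntax instead of data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    # Hardened: the statement is fixed; the driver binds the value separately,
    # so the input can only ever match (or fail to match) a username.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "bob"
    tainted = "x' OR '1'='1"   # constructed test input
    # Both behave the same on ordinary input, which is why the bug goes unnoticed.
    print("vulnerable/benign:", lookup_vulnerable(db, benign))
    print("safe/benign:     ", lookup_safe(db, benign))
    # Only the string-built query returns every row for the tainted input.
    print("vulnerable/tainted:", lookup_vulnerable(db, tainted))
    print("safe/tainted:     ", lookup_safe(db, tainted))
```

The secure-by-design point is that the hardened form is no harder to write than the vulnerable one; a code review rule or linter that rejects f-strings and concatenation inside `execute` calls removes the whole class before release.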
British Library Ransomware Attack Lessons Learned
This is a great overview of lessons learned and how to be proactive in defending against an aggressive adversary.
https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf
MFA Consistently Under Attack by Phishing as a Service (PHaaS)
A new, stealthier adversary-in-the-middle service attacking standard MFA capabilities. There are plenty of these kits available; Tycoon 2FA is a strong up-and-comer.
LockBit Ransomware Attacks So Far 2024
Here is a vendor view of LockBit; we’ll work on some correlation between multiple sources.
https://www.blackfog.com/lockbit-attacks-2024/
Thousands of SOHO Routers Under Siege
Researchers have observed 6,000 ASUS routers targeted by “The Moon” malware botnet. This one is a bit complicated; there appear to be two different cybercrime groups.
https://blog.lumen.com/the-darkside-of-themoon/
MFA Fatigue Attacks Pummel Some Apple Customers
Threat actors can be relentless in their pursuit of access to your accounts. Krebs shares details on how sophisticated the adversary can be.
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/
vCenter and ESXi Servers Under Attack by Agenda Ransomware
As is typical with ransomware clowns, dual-use tools such as PsExec, remote management and monitoring (RMM) tools, and PowerShell scripts are abused. They are also jumping on a popular trend: bring your own vulnerable driver (BYOVD).
https://www.darkreading.com/cloud-security/agenda-ransomware-vmware-esxi-servers
ReliaQuest’s Annual Cyber Threat Report
Overall, a decent report with a few key takeaways. Social engineering has a big impact, including phishing. Living off the land and malware-free attacks represented about 86% of attacks, comparable to CrowdStrike’s 78%. Command and control traffic was mostly achieved through HTTPS traffic.
https://www.cybersecuritydive.com/news/phishing-initial-access-cyber-attack/711371/
https://www.reliaquest.com/wp-content/uploads/2024/03/2024-ReliaQuest-Annual-Threat-Report-4.pdf
VPN Services Under Active Password Spray Attacks
Cisco warns of password spraying attacks, but researchers say this is botnet activity targeting SSL VPNs from multiple vendors, including Fortinet, Palo Alto, SonicWall, and Cisco, and that it is expanding.
https://annoyed.engineer/2024/03/23/the-brutus-botnet/
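A detection for the spraying pattern described above, as an added example that is not part of the original newsletter or of the linked research. Password spraying shows up as one source trying a few passwords against many different accounts, so the rule counts distinct usernames per source address inside a sliding window, which also separates it from classic brute force (many failures against one account). The VPN authentication log lines and their `result=... user=... src=...` format are constructed for the example; the only adaptation needed is the regular expression.

```python
"""
Added example: password-spray detection over VPN auth logs.
Not code from the newsletter. LOG_LINES and their format are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log sample (203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24 are
# documentation address ranges). One source sprays six accounts in 30 seconds,
# one source hammers a single account, one user mistypes once and then succeeds.
LOG_LINES = """\
2024-03-26T02:10:01Z vpn-gw auth: result=FAIL user=alice src=203.0.113.7
2024-03-26T02:10:04Z vpn-gw auth: result=FAIL user=bob src=203.0.113.7
2024-03-26T02:10:09Z vpn-gw auth: result=FAIL user=carol src=203.0.113.7
2024-03-26T02:10:15Z vpn-gw auth: result=FAIL user=dave src=203.0.113.7
2024-03-26T02:10:22Z vpn-gw auth: result=FAIL user=erin src=203.0.113.7
2024-03-26T02:10:30Z vpn-gw auth: result=FAIL user=frank src=203.0.113.7
2024-03-26T02:11:02Z vpn-gw auth: result=FAIL user=grace src=192.0.2.9
2024-03-26T02:11:40Z vpn-gw auth: result=FAIL user=grace src=192.0.2.9
2024-03-26T02:12:05Z vpn-gw auth: result=FAIL user=grace src=192.0.2.9
2024-03-26T02:12:31Z vpn-gw auth: result=FAIL user=grace src=192.0.2.9
2024-03-26T02:12:58Z vpn-gw auth: result=FAIL user=grace src=192.0.2.9
2024-03-26T02:15:11Z vpn-gw auth: result=FAIL user=heidi src=198.51.100.20
2024-03-26T02:15:30Z vpn-gw auth: result=OK user=heidi src=198.51.100.20
""".splitlines()

LINE_RE = re.compile(r"^(\S+) \S+ auth: result=(\w+) user=(\S+) src=(\S+)$")


def parse(line: str):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result, "user": user, "src": src}


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """
    Flag a source address when, within any `window`, it fails authentication
    against at least `min_users` distinct accounts. Returns {src: summary}
    where the summary keeps the widest qualifying window seen for that source.
    """
    fails = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)

    alerts = {}
    for src, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it fits within `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_users and len(users) > alerts.get(src, {}).get("distinct_users", 0):
                alerts[src] = {"distinct_users": len(users), "attempts": end - start + 1,
                               "first": events[start]["ts"], "last": ev["ts"]}
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(LOG_LINES).items():
        print(f"SPRAY {src}: {a['distinct_users']} accounts, {a['attempts']} failures, "
              f"{a['first'].isoformat()} to {a['last'].isoformat()}")
```

With the defaults, 203.0.113.7 is flagged (six accounts in one window), 192.0.2.9 is not because all five failures hit one account, and 198.51.100.20 is a normal user. Tune `window` and `min_users` to the login volume of the VPN concentrator; a botnet that rotates source addresses, as the linked research describes, will also need a second rule keyed on the target account rather than the source.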
Detection Engineering and Insights into Local Privilege Escalation
A few attack vectors are covered in this interesting article; if you have a detection engineering team, this is a good read. Worth a look just to keep up on trends.
https://www.elastic.co/security-labs/itw-windows-lpe-0days-insights-and-detection-strategies
Major Linux Distros Affected: XZ Utils Data Compression Library
This is a quick, decent overall threat recap, including mitigations.
https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Linux Version of DinodasRAT Observed by Researchers
This is the first publicly shared observation of this Linux variant of DinodasRAT. Researchers share their analysis.
https://securelist.com/dinodasrat-linux-implant/112284/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter