Cyber Threat Weekly - #2
Last week we saw some cyber threat patterns, and this week they continue. There is quite a bit to cover, so let’s start with a Google Chrome zero-day, now fixed, under active exploitation. Next up, the ownCloud bugs mentioned last week are being exploited in the wild.
Defender Application Guard for Office and the Windows.Security.Isolation APIs are being deprecated by Microsoft. Google Workspace flaw claimed by researchers. Account credentials and credential reuse by users are big business for criminals; Phishing as a Service (PhaaS) and MFA bypass tools are nasty.
Trending again this week, continued exploitation of Apache ActiveMQ, more threat actors jump into the mix. The adversary can take advantage of a legitimate feature in the database management system to steal Microsoft NTLM tokens.
Researchers report vulnerabilities in Ray Open-Source Framework for AI / ML Workloads. Some custom tools were discovered by researchers targeting the Middle East, Africa, and USA. Ransomware Affiliates are abusing vulnerabilities in Qlik Sense to gain a foothold into targeted environments.
Scam Club is at it again with a Malvertising campaign. Something we need to keep an eye on, divergence attacks and other simple hacking techniques on large language models (LLMs). Installing UEFI bootkits through bootup logos.
Gh0st RAT variant observed targeting South Koreans and Ministry of Foreign Affairs in Uzbekistan. Law firms and legal departments are under attack by cyber criminals. There were limitations to the Qakbot take-down, the spam delivery infrastructure remains.
Two zero-days for Apple iOS, macOS, and Safari. Quick reminder, life cycle management is critical to minimize your exposure, in this case Microsoft Exchange servers. Third party service provider hit with ransomware affecting 60 credit unions.
Broken Record Alert: Friendly Reminder!!!
Roughly 5% of publicly available vulnerabilities are observed exploited in the wild. Priority #1 should be to patch actively exploited vulnerabilities. You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities.
Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available. Exploit chances are much higher with PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and PoC code available vulnerabilities.
Exploited vulnerabilities continue to be abused by threat actors, often using time as a weapon: exploits come fast, often before organizations have time to patch. Diligent patching can be the difference in preventing a data breach and / or ransomware attack.
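One way to turn the two priorities and the 24-to-48-hour window above into a triage script. This is an added example, not code from the newsletter; the findings format, the `poc_public` flag, the host names and the `CVE-0000-*` ids are assumptions made up for the sample, and the KEV data is a constructed stand-in for CISA's JSON feed.

```python
import json
from datetime import datetime, timedelta

EMERGENCY_WINDOW = timedelta(hours=48)  # outer bound of the 24-to-48-hour process

# Constructed sample shaped like CISA's KEV JSON feed, trimmed to the one field used.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-6345"},
    {"cveID": "CVE-2023-49103"},
]})

# Constructed scanner findings; hosts, times and the CVE-0000-* ids are placeholders.
FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0002", "poc_public": False,
     "detected": "2023-12-01T09:00:00+00:00"},
    {"host": "files01", "cve": "cve-2023-49103", "poc_public": True,
     "detected": "2023-12-01T10:00:00+00:00"},
    {"host": "app02", "cve": "CVE-0000-0001", "poc_public": True,
     "detected": "2023-12-01T08:00:00+00:00"},
    {"host": "kiosk07", "cve": "CVE-2023-6345", "poc_public": False,
     "detected": "2023-12-02T12:00:00+00:00"},
]

def load_kev_ids(feed_json):
    """Return the CVE ids in a KEV-style feed, upper-cased for matching."""
    return {v["cveID"].strip().upper() for v in json.loads(feed_json)["vulnerabilities"]}

def triage(findings, kev_ids):
    """Priority 1 = listed in KEV, 2 = public PoC, 3 = normal patch cycle."""
    ranked = []
    for f in findings:
        cve = f["cve"].strip().upper()  # scanners differ in case; normalise first
        priority = 1 if cve in kev_ids else 2 if f["poc_public"] else 3
        detected = datetime.fromisoformat(f["detected"])
        patch_by = detected + EMERGENCY_WINDOW if priority < 3 else None
        ranked.append({"host": f["host"], "cve": cve, "priority": priority,
                       "detected": detected, "patch_by": patch_by})
    # Most urgent class first; inside a class, the oldest finding first.
    return sorted(ranked, key=lambda r: (r["priority"], r["detected"]))

def overdue(ranked, now):
    """Findings whose emergency deadline has already passed."""
    return [r for r in ranked if r["patch_by"] and now > r["patch_by"]]

if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev_ids(KEV_FEED)):
        print(row["priority"], row["host"], row["cve"], row["patch_by"])
```
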
Google Chrome’s Fixed Zero-Day Actively Exploited
Google is aware there is an exploit for CVE-2023-6345 in the wild. In addition, the CVE could be a patch bypass of an earlier zero-day flaw. The CVE has been added to the Known Exploited Vulnerabilities (KEV) catalog.
https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html
https://therecord.media/latest-severe-chrome-bug-prompts-cisa-warning
Exploitation of ownCloud Flaws has Started
Something to note, exploitation started just days after the vulnerability was announced, underscoring the need to have an emergency patch management process in place for actively exploited vulnerabilities. Finally, CVE-2023-49103 has been added to the CISA Known Exploited Vulnerability (KEV) catalog.
https://viz.greynoise.io/tag/owncloud-graph-api-information-disclosure?days=10
Microsoft Deprecating Defender Application Guard for Office and its APIs
Looks like Microsoft is starting to deprecate some technical debt; there are several items deprecated or announced to be deprecated earlier this year.
Possible Google Workspace Flaw Shared by Researchers
Hunters’ Security researchers claim to have found issues with domain-wide delegation in Google Workspace. Google says, not so fast and recommends the principle of least privilege. It’s probably semantics, but if you use GCP and Google Workspace, you might want to keep an eye on this and ensure you’re mitigating possible issues.
Phishing and Social Engineering are Real Threats to Credential Theft
You’re probably saying, thanks Captain Obvious. There are phishing kits and MFA bypass kits available on the Dark Web that make the barrier of entry low. We need to keep an eye on tools available, the trend and pattern of credential abuse in attack campaigns, and how we can better defend against an aggressive adversary utilizing such tools to steal credentials.
https://thehackernews.com/2023/11/how-hackers-phish-for-your-users.html
New Botnet Joins the Exploitation of Apache ActiveMQ
Fortinet details exploitation of CVE-2023-46604 by a newly discovered botnet called GoTitan. In addition, Fortinet provides details on diverse strains of malware being disseminated after exploiting the vulnerability.
https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq
Attackers can Steal Microsoft NTLM Hashes, Sending Them to an Attacker Controlled Server
Microsoft can’t phase out NT LAN Manager (NTLM) fast enough. Introduced in the 1990s, it’s vulnerable to brute-force, relay, and pass-the-hash attacks. In October, Microsoft announced plans to eliminate NTLM, let’s hope, and soon.
https://thehackernews.com/2023/11/hackers-can-exploit-forced.html
Ray Open-Source Framework for Scaling AI / ML Workloads
Bishop Fox researchers shared three vulnerabilities and Protect AI shared two of the same vulnerabilities with Anyscale. The flaws have not been addressed; the vendor claims that the documentation states that Ray clusters are to be deployed in a controlled network environment.
Palo Alto Unit 42 Researchers Observed Attacks in the Middle East, Africa, and US
An interesting set of tools was utilized during these attacks, with C2 infrastructure dating back to 2020. One of the tools, dubbed Ntospy, uses a technique that was shared way back in 2004 at BlackHat. Agent Racoon and a modified Mimikatz are also disclosed. This is interesting research and worth a quick read.
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
CACTUS Ransomware Affiliates Exploit Qlik Sense Flaws
Arctic Wolf researchers have observed threat actors exploiting three Qlik Sense bugs to gain a foothold and download additional tools. The attack chain ends with CACTUS ransomware deployed.
https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html
Scam Club Threat Actor Has Abused Malvertising since 2018
Notable publishers such as The Associated Press, ESPN, and CBS were impacted by a Malvertising campaign targeting mobile devices forcing redirects to a fake virus scanner.
Simple Hacking Techniques on Large Language Models Like ChatGPT
Researchers using simple techniques were able to extract training data from ChatGPT using only $200 USD worth of queries. As we dive deeper into the world of AI, we need to be vigilant on ways they can be abused by an aggressive adversary.
https://www.darkreading.com/cyber-risk/researchers-simple-technique-extract-chatgpt-training-data
Dubbed LogoFAIL, UEFI Bootkits Installed via Bootup Logos
The scope is still being determined, but the potential impact is broad across multiple manufacturers and providers of UEFI firmware. Runtime is not affected, so arbitrary code can exist in a way that is virtually undetected.
Gh0st RAT Variant SugarGh0st RAT has Strong Chinese Links
Gh0st RAT is an open-source remote access trojan with a significant tool set, released to the public back in 2008, and still being used today. The SugarGh0st variant is updated with custom reconnaissance features, custom C2, and defense evasion, but is largely the same Gh0st RAT tool.
https://www.darkreading.com/threat-intelligence/new-spookier-gh0st-rat-uzbekistan-south-korea
https://blog.talosintelligence.com/new-sugargh0st-rat/
Cybercriminals are Targeting Law Firms and Legal Departments with Ransomware and Business Email Compromise (BEC)
This technique can be used against any industry; it just happens to be law specific right now. Using Malvertising and search engine optimization poisoning linked to over 3.5 million search terms, GootLoader is a browser-based threat. As a result, searching for specific content may lead to a GootLoader infected file.
We are not Done with Qakbot Yet
While the command-and-control infrastructure was affected during the Qakbot takedown, the spam delivery infrastructure was untouched. With no arrests, the threat actors are still active and remain a threat.
https://thehackernews.com/2023/12/qakbot-takedown-aftermath-mitigations.html
Apple Zero-Days are Actively Exploited, Patches Released
Software updates have been released fixing a pair of actively exploited zero-day flaws in iOS, macOS, and Safari web browser.
https://thehackernews.com/2023/12/zero-day-alert-apple-rolls-out-ios.html
Over 20,000 Microsoft Exchange Servers Still Exposed Running End of Life Software Versions
Tens of thousands of Microsoft Exchange servers are exposed to the Internet and are vulnerable to multiple security issues. Life cycle management matters, keep an eye on your attack surface, don’t make it easy for the adversary.
Roughly 60 Credit Unions Experiencing Some Degree of Outage
Third party service providers and hinder operations. We vote with our time and our wallets; careful consideration of third-party providers is necessary. Assume and plan for the worst with a tested continuity and resilience plan should there be an incident.
https://therecord.media/credit-unions-facing-outages-due-to-ransomware
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter