
Cyber Threat Weekly - #2

Derek Krein
6 min read

Last week we saw some cyber threat patterns and this week they continue.  Quite a bit to cover, let’s start with the Google Chrome zero-day, now fixed, under active exploitation.  Next up, the ownCloud bugs mentioned last week are being exploited in the wild.

Defender Application Guard for Office and the Windows.Security.Isolation APIs are being deprecated by Microsoft.  Google Workspace flaw claimed by researchers.  Account credentials and credential reuse by users are big business for criminals; Phishing as a Service (PHaaS) and MFA bypass tools are nasty.

Trending again this week, continued exploitation of Apache ActiveMQ, more threat actors jump into the mix.  The adversary can take advantage of a legitimate feature in the database management system to steal Microsoft NTLM tokens. 

Researchers report vulnerabilities in Ray Open-Source Framework for AI / ML Workloads.  Some custom tools were discovered by researchers targeting the Middle East, Africa, and USA.  Ransomware Affiliates are abusing vulnerabilities in Qlik Sense to gain a foothold into targeted environments.

Scam Club is at it again with a Malvertising campaign.  Something we need to keep an eye on, divergence attacks and other simple hacking techniques on large language models (LLMs).  Installing UEFI bootkits through bootup logos. 

Gh0st RAT variant observed targeting South Koreans and Ministry of Foreign Affairs in Uzbekistan.  Law firms and legal departments are under attack by cyber criminals. There were limitations to the Qakbot take-down, the spam delivery infrastructure remains. 

Two zero-days for Apple iOS, macOS, and Safari.  Quick reminder, life cycle management is critical to minimize your exposure, in this case Microsoft Exchange servers.  Third party service provider hit with ransomware affecting 60 credit unions.


Broken Record Alert:  Friendly Reminder!!! 

Roughly 5% of publicly available vulnerabilities are observed exploited in the wild.  Priority #1 should be to patch actively exploited vulnerabilities.  You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities. 

Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available.  Exploit chances are much higher with PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and PoC code available vulnerabilities.

Exploited vulnerabilities continue to be abused by threat actors, who often use time as a weapon: exploits come fast, often before organizations have time to patch.  Diligent patching can be the difference in preventing a data breach and / or ransomware attack.
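Here is one way to put that two-tier priority into practice, as an added example (not code from the newsletter or from CISA).  It reads a feed in the shape of CISA’s KEV JSON (the field names are an assumption about that feed; the two CVE IDs are the ones this issue reports as added to KEV), checks a constructed vulnerability inventory against it and against a hypothetical PoC-availability list, and assigns the 48-hour emergency window to tier 1 (KEV) and tier 2 (PoC available):

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are an
# assumption about that feed; only the two CVE IDs come from this newsletter,
# the other values are illustrative.
KEV_FEED = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-6345", "vendorProject": "Google", "product": "Chromium",
         "dateAdded": "2023-11-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-49103", "vendorProject": "ownCloud", "product": "graphapi",
         "dateAdded": "2023-11-30", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed placeholders (not real CVE numbers): IDs that a hypothetical
# PoC-tracking source says have public exploit code.
POC_AVAILABLE = {"CVE-2023-00002"}

# Constructed placeholder inventory, e.g. what a scanner export would give you.
INVENTORY = ["CVE-2023-00001", "CVE-2023-49103", "CVE-2023-00002",
             "CVE-2023-00003", "CVE-2023-6345"]

EMERGENCY_WINDOW = timedelta(hours=48)   # the 24-to-48-hour process described above
NORMAL_WINDOW = timedelta(days=30)       # assumption: your routine patch cycle

def load_kev(feed_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, poc_ids, now):
    """Return (tier, cve, deadline) rows sorted by urgency.
    Tier 1: in KEV (actively exploited); tier 2: public PoC; tier 3: the rest.
    Within tier 1, entries KEV flags for ransomware use sort first."""
    rows = []
    for cve in inventory:
        if cve in kev:
            ransomware = kev[cve].get("knownRansomwareCampaignUse") == "Known"
            rows.append((1, 0 if ransomware else 1, cve, now + EMERGENCY_WINDOW))
        elif cve in poc_ids:
            rows.append((2, 1, cve, now + EMERGENCY_WINDOW))
        else:
            rows.append((3, 1, cve, now + NORMAL_WINDOW))
    rows.sort()
    return [(tier, cve, deadline) for tier, _, cve, deadline in rows]

def triage(now=datetime(2023, 12, 4)):
    """Run the sample inventory through the tiers (fixed date for reproducibility)."""
    return prioritize(INVENTORY, load_kev(KEV_FEED), POC_AVAILABLE, now)

if __name__ == "__main__":
    for tier, cve, deadline in triage():
        print(f"tier {tier}  {cve:<16} patch by {deadline:%Y-%m-%d %H:%M}")
```

Swap the constructed strings for the live KEV download and your own scanner export, and the same ordering becomes the input to your emergency patch process.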


Google Chrome’s Fixed Zero-Day Actively Exploited

Google is aware there is an exploit for CVE-2023-6345 in the wild, in addition the CVE could be a patch bypass of an earlier zero-day flaw.  The CVE has been added to the Known Exploited Vulnerabilities (KEV) catalog.

https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/

https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html

https://therecord.media/latest-severe-chrome-bug-prompts-cisa-warning

Exploitation of ownCloud Flaws has Started

Something to note, exploitation started just days after the vulnerability was announced, underscoring the need to have an emergency patch management process in place for actively exploited vulnerabilities.  Finally, CVE-2023-49103 has been added to the CISA Known Exploited Vulnerability (KEV) catalog.

https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-owncloud-flaw-patch-now/

https://viz.greynoise.io/tag/owncloud-graph-api-information-disclosure?days=10

https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/

Microsoft Deprecating Defender Application Guard for Office and its APIs

Looks like Microsoft is starting to deprecate some technical debt, there are several items deprecated or announced to be deprecated earlier this year. 

https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-defender-application-guard-for-office/

Possible Google Workspace Flaw Shared by Researchers

Hunters’ Security researchers claim to have found issues with Domain Wide Delegation in Google Workspace.  Google says, not so fast, and recommends the principle of least privilege.  It’s probably semantics, but if you use GCP and Google Workspace, you might want to keep an eye on this and ensure you’re mitigating possible issues.

https://www.darkreading.com/cloud-security/vendor-claims-design-flaw-in-google-workspace-is-putting-organizations-at-risk

https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover

Phishing and Social Engineering are Real Threats to Credential Theft

You’re probably saying, thanks Captain Obvious.  There are phishing kits and MFA bypass kits available on the Dark Web that make the barrier to entry low.  We need to keep an eye on the tools available, the trend and pattern of credential abuse in attack campaigns, and how we can better defend against an aggressive adversary utilizing such tools to steal credentials.

https://thehackernews.com/2023/11/how-hackers-phish-for-your-users.html

New Botnet Joins the Exploitation of Apache ActiveMQ

Fortinet details exploitation of CVE-2023-46604 by a newly discovered botnet called GoTitan.  In addition, Fortinet provides details on diverse strains of malware being disseminated after exploiting the vulnerability.

https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq

Attackers can Steal Microsoft NTLM Hashes, Sending Them to an Attacker Controlled Server

Microsoft can’t phase out NT LAN Manager (NTLM) fast enough.  Introduced in the 1990s, it’s vulnerable to brute-force, relay, and pass-the-hash attacks.  In October, Microsoft announced plans to eliminate NTLM; let’s hope, and soon.

https://thehackernews.com/2023/11/hackers-can-exploit-forced.html

Ray Open-Source Framework for Scaling AI / ML Workloads

Bishop Fox researchers shared three vulnerabilities and Protect AI shared two of the same vulnerabilities with Anyscale.  The flaws have not been addressed; the vendor claims that the documentation states that Ray clusters are to be deployed in a controlled network environment.

https://www.darkreading.com/vulnerabilities-threats/researchers-discover-trio-of-critical-vulns-in-ray-open-source-framework-for-scaling-ai-ml-workloads

Palo Alto Unit 42 Researchers Observed Attacks in the Middle East, Africa, and US

An interesting set of tools was utilized during these attacks, with C2 infrastructure dating back to 2020.  One of the tools, dubbed Ntospy, uses a technique that was shared way back in 2004 at BlackHat.  Agent Racoon and a modified mimikatz are also disclosed, this is interesting research and worth a quick read.

https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

CACTUS Ransomware Affiliates Exploit Qlik Sense Flaws

Arctic Wolf researchers have observed threat actors exploiting three Qlik Sense bugs to gain a foothold and download additional tools.  The attack chain ends with CACTUS ransomware deployed.

https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html

Scam Club Threat Actor Has Abused Malvertising since 2018

Notable publishers such as The Associated Press, ESPN, and CBS were impacted by a Malvertising campaign targeting mobile devices forcing redirects to a fake virus scanner.

https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts

Simple Hacking Techniques on Large Language Models Like ChatGPT

Researchers using simple techniques were able to extract training data from ChatGPT using only $200 USD worth of queries.  As we dive deeper into the world of AI, we need to be vigilant on ways they can be abused by an aggressive adversary.

https://www.darkreading.com/cyber-risk/researchers-simple-technique-extract-chatgpt-training-data

Dubbed LogoFAIL, UEFI Bootkits Installed via Bootup Logos

The scope is still being determined, but the potential impact is broad across multiple manufacturers and providers of UEFI firmware.  Runtime is not affected, so arbitrary code can exist in a way that is virtually undetected.

https://www.bleepingcomputer.com/news/security/logofail-attack-can-install-uefi-bootkits-through-bootup-logos/

Gh0st RAT Variant SugarGh0st RAT has Strong Chinese Links

Gh0st RAT is an open-source remote access trojan with a significant tool set, released to the public back in 2008, and still being used today.  The SugarGh0st variant is updated with custom reconnaissance features, custom C2, and for defense evasion, but is largely the same Gh0st RAT tool.

https://www.darkreading.com/threat-intelligence/new-spookier-gh0st-rat-uzbekistan-south-korea

https://blog.talosintelligence.com/new-sugargh0st-rat/

Cybercriminals are Targeting Law Firms and Legal Departments with Ransomware and Business Email Compromise (BEC)

This technique can be used against any industry; it just happens to be law specific right now.  Using Malvertising and search engine optimization poisoning linked to over 3.5 million search terms, GootLoader is a browser-based threat.  As a result, searching for specific content may lead to a GootLoader infected file.

https://www.darkreading.com/cyberattacks-data-breaches/law-firms-face-a-more-dangerous-threat-landscape

We are not Done with Qakbot Yet

While the command-and-control infrastructure was affected during the Qakbot takedown, the spam delivery infrastructure was untouched.  With no arrests, the threat actors are still active and remain a threat.

https://thehackernews.com/2023/12/qakbot-takedown-aftermath-mitigations.html

Apple Zero-Days are Actively Exploited, Patches Released

Software updates have been released fixing a pair of actively exploited zero-day flaws in iOS, macOS, and the Safari web browser.

https://thehackernews.com/2023/12/zero-day-alert-apple-rolls-out-ios.html

Over 20,000 Microsoft Exchange Servers Still Exposed Running End of Life Software Versions

Tens of thousands of Microsoft Exchange servers are exposed to the Internet and are vulnerable to multiple security issues.  Life cycle management matters, keep an eye on your attack surface, don’t make it easy for the adversary.

https://www.bleepingcomputer.com/news/security/over-20-000-vulnerable-microsoft-exchange-servers-exposed-to-attacks/

Roughly 60 Credit Unions Experiencing Some Degree of Outage

Third party service providers can hinder operations.  We vote with our time and our wallets; careful consideration of third-party providers is necessary.  Assume and plan for the worst with a tested continuity and resilience plan should there be an incident.

https://therecord.media/credit-unions-facing-outages-due-to-ransomware
