Cyber Threat Weekly – #20
The week of April 1st through April 7th was light compared to previous weeks with only 391 cyber news articles reviewed. That said, there was still a moderate amount of cyber threat trend and adversarial behavior news. Let’s start with a new adversary tool designed to hide malware.
An interesting Sophos Active Adversary Report. Ivanti patches a flaw allowing remote code execution (RCE) and its CEO pledges a security overhaul. Researchers share the possible fallout from the LockBit takedown. Microsoft still doesn’t know how threat actors stole the MSA key.
An updated Rhadamanthys stealer campaign. Windows local privilege escalation (LPE) spotted on the dark web. Researchers share a PikaBot campaign using multiple techniques. New JSOutProx malware variant targeting financial organizations.
A somewhat new malware that may be replacing IcedID. Municipal governments are under attack. This week in ransomware, always a treat. A new Red ransomware a$$ clown posse surfaced in March 2024. Threat actors are targeting healthcare IT help desks.
Broken Record Alert: Please Patch N-Day Flaws!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; exploitation is more likely once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and those with weaponized PoC code available.
We should consider what is exposed to the Internet. Let’s remove some of the low-hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for April 1st to April 7th:
CVE-2024-29748 – Android Pixel Privilege Escalation Vulnerability
Allows an attacker to interrupt a factory reset triggered by a device admin app.
CVE-2024-29745 – Android Pixel Information Disclosure Vulnerability
Bug in the fastboot firmware used to support unlocking, flashing, and locking affected devices.
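The prioritization above (KEV first, weaponized PoC a close second, Internet exposure pulling the deadline in) as an added worked example, not something from the newsletter or from CISA: the KEV sample only borrows the real feed’s field names, the CVE-0000-* ids, assets, dates and the 24h/48h split within the emergency window are this example’s constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names follow the real feed; the CVE-0000-* ids and all dates are placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-29748", "vendorProject": "Android", "product": "Pixel",
     "vulnerabilityName": "Android Pixel Privilege Escalation Vulnerability",
     "dateAdded": "2024-04-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-29745", "vendorProject": "Android", "product": "Pixel",
     "vulnerabilityName": "Android Pixel Information Disclosure Vulnerability",
     "dateAdded": "2024-04-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "Placeholder RCE", "dateAdded": "2024-03-20",
     "knownRansomwareCampaignUse": "Known"},
]})
# Constructed scanner output: one CVE per asset plus whether the asset faces the Internet.
INVENTORY = [
    {"asset": "pixel-fleet", "cve": "CVE-2024-29748", "internet_exposed": False},
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_exposed": True},
    {"asset": "build-srv", "cve": "CVE-0000-0002", "internet_exposed": False},
    {"asset": "intranet-wiki", "cve": "CVE-0000-0003", "internet_exposed": False},
]
WEAPONIZED_POC = {"CVE-0000-0002"}  # constructed: public weaponized PoC, not (yet) in KEV
AS_OF = datetime(2024, 4, 8)        # constructed run time so deadlines are deterministic

def load_kev(feed_json):
    """Index the KEV feed by CVE id so membership tests are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(inventory, kev, weaponized_poc, now):
    """Rank findings most urgent first. P1 = in KEV, P2 = weaponized PoC only,
    P3 = regular patch cycle. P1 and P2 share the 24-to-48-hour emergency window;
    the 24-hour end goes to Internet-exposed assets (that split is an assumption here)."""
    findings = []
    for item in inventory:
        cve, exposed = item["cve"], item["internet_exposed"]
        entry = kev.get(cve)
        prio = "P1" if entry else "P2" if cve in weaponized_poc else "P3"
        hours = None if prio == "P3" else (24 if exposed else 48)
        findings.append({
            "asset": item["asset"], "cve": cve, "priority": prio, "sla_hours": hours,
            "internet_exposed": exposed,
            "ransomware_use": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
            "deadline": None if hours is None else now + timedelta(hours=hours),
        })
    # Within a tier, known ransomware use and Internet exposure sort first.
    findings.sort(key=lambda f: (f["priority"], not f["ransomware_use"], not f["internet_exposed"]))
    return findings
```

Swap `KEV_FEED` for the downloaded catalog and `INVENTORY` for your scanner export; the feed's `knownRansomwareCampaignUse` field is what lifts a finding to the top of its tier.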
UNAPIMON – New Tool Hides Malware
Attributed to Winnti (APT 41), a Chinese state-sponsored threat group. The key here is a simple tool that unhooks the APIs many security tools hook to track activity. Look for more tools of this nature; like bring your own vulnerable driver (BYOVD), this was once nation-state behavior and is now common amongst threat actors.
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive
Sophos Active Adversary Report 2024
This report covers Sophos X-Ops incident response for all of 2023. A couple of takeaways: credentials represented 77% of initial access methods and 56% of root causes. Another we see quite often: external remote access was the leading initial access method, at 65%. Most likely, infostealers are a large contributor to this activity. We’ll look at several vendors for collaboration.
https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/
Ivanti Fixes RCE & Other Bugs, What a Mess!!!
Nation states have taken advantage of all the flaws in Ivanti VPN appliances this year, breaching government and other organizations. The CEO is pledging a security overhaul.
https://thehackernews.com/2024/04/ivanti-rushes-patches-for-4-new-flaw-in.html
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
https://therecord.media/ivanti-security-overhaul-ceo-jeff-abbott
LockBit Takedown, the Clowns Don’t Appear to be Bouncing Back
Based on current known evidence, the LockBit ransomware takedown appears to have had the desired effect.
https://www.darkreading.com/threat-intelligence/lockbit-ransomware-takedown-strikes-brand-viability
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html
Microsoft 2023 Exchange Attack - Cyber Safety Review Board (CSRB) Report
Microsoft’s claim that the Azure signing key was stolen from an engineer’s laptop previously compromised at an acquired company holds little weight. So far there is no evidence supporting that theory. The report pulls no punches.
Unique and Successful Rhadamanthys Stealer Campaign
This one targets the oil and gas sector but could easily affect many verticals. The lure is vehicle incidents. With many TTPs designed to evade defenses, this is one to keep an eye on.
https://thehackernews.com/2024/04/new-phishing-campaign-targets-oil-gas.html
Zero-Day Windows LPE Exploit for Sale on the Dark Web
We’ll see if this comes about; let’s hope it’s not a big deal.
https://cybersecuritynews.com/hackers-claiming-of-working-windows-0-day-lpe-exploit/
PikaBot Campaign Changes Distribution Behavior
Researchers share observations on multiple attack vectors over the span of a month. This is interesting, testing the waters maybe?
Financial Institutions Targeted by JSOutProx Variant
This campaign is currently targeting South and Southeast Asia, the Middle East, and Africa, though that can change. A remote access trojan with many tricks up its sleeve.
New-ish Latrodectus Malware Appears to be Replacing IcedID
Researchers observed that two threat actors who previously used IcedID have increased their use of Latrodectus in phishing campaigns. This new-ish malware may very well be adopted by more threat actors who previously distributed IcedID.
https://www.darkreading.com/threat-intelligence/new-loader-takes-over-where-qbot-left-off
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
Ransomware Clowns Relentlessly Target US Municipal Governments
Ransomware attacks against municipal governments have plagued the US for a while now and the trend continues. With upwards of 25 successful attacks so far this year alone, it may be a bumpy ride as the ransomware clowns continue indiscriminate attacks.
https://therecord.media/new-york-city-government-smishing-attack
This Week in Ransomware – These Clowns Won’t Quit Until it’s no Longer Profitable
Quite a bit going on, this is a quick read and worth it to keep up on the ransomware front.
New Red CryptoApp (Red Ransomware Group)
Yet another group ripping organizations off and causing mayhem. These clowns humiliate their victims with a ‘wall of shame’, pressuring them to pay to get their names removed.
https://www.hackread.com/red-ransomware-group-red-cryptoapp-wall-of-shame/
https://netenrich.com/blog/red-cryptoapp-ransomware-new-threat-group
Social Engineering Threat Against US Healthcare Help Desks
U.S. Dept. of Health and Human Services (HHS) releases a sector alert. Tactics and techniques include MFA bombing, social engineering of IT help desk employees, SIM swapping, and more. Reminiscent of Scattered Spider tactics, techniques, and procedures.
https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter