Skip to content

Cyber Threat Weekly – #20

Derek Krein
5 min read

The week of April 1st through April 7th was light compared to previous weeks with only 391 cyber news articles reviewed.  That said, there was still a moderate amount of cyber threat trend and adversarial behavior news.  Let’s start with a new adversary tool designed to hide malware. 

An interesting Sophos Active Adversary Report.  Ivanti patches flaw allowing remote code execution (RCE) and CEO pledges security overhaul.  Researchers share the possible fallout from the LockBit takedown.  Microsoft still doesn’t know how threat actors stole MSA key.

An updated Rhadamanthys stealer campaign.  Windows local privilege escalation (LPE) spotted on the dark web.  Researchers share a PikaBot campaign using multiple techniques.  New JSOutProx malware variant targeting financial organizations.

A somewhat new malware that may be replacing IcedID.  Municipal governments are under attack.  This week in ransomware, always a treat.  New Red ransomware a$$ clown posse, surfaced March 2024.  Threat actors targeting Healthcare IT help desks.


Broken Record Alert:  Please Patch N-Day Flaws!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for April 1st to April 7th:

CVE-2024-29748 – Android Pixel Privilege Escalation Vulnerability

Allows an attacker to interrupt a factory reset triggered by a device admin app.


CVE-2024-29745 – Android Pixel Information Disclosure Vulnerability

Bug in the fastboot firmware used to support unlocking, flashing, and locking affected devices.


UNAPIMON – New Tool Hides Malware

Attributed to Winnti (APT 41) a Chinese sponsored threat group.  The key here is a simple tool that unhooks API’s used by many security tools to track activity.  Look for more tools of this nature, similar to bring you own vulnerable driver (BYOVD), once a nation state behavior, now common amongst threat actors.

https://www.bleepingcomputer.com/news/security/winntis-new-unapimon-tool-hides-malware-from-security-software/

https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive


Sophos Active Adversary Report 2024

This report covers Sophos X-Ops incident response for all of 2023.  Couple of take aways, credentials represented 77% of initial access method and 56% of root cause.  Another we see quite often; external remote access was a leading initial access method 65% of the time.  Most likely, infostealers are a large contributor to this activity.  We’ll look at several vendors for collaboration.

https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/


Ivanti, Fixes RCE & Other Bugs, What a Mess!!!

Nations states have taken advantage of all the flaws in Ivanti VPN appliances this year breaching Government and other organizations.  The CEO is pledging a security overhaul. 

https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vulnerability-allowing-rce-dos-attacks/

https://thehackernews.com/2024/04/ivanti-rushes-patches-for-4-new-flaw-in.html

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

https://therecord.media/ivanti-security-overhaul-ceo-jeff-abbott


LockBit Takedown, the Clowns Don’t Appear to be Bouncing Back

Based on current known evidence, the LockBit ransomware takedown appears to have had the desired effect.

https://www.darkreading.com/threat-intelligence/lockbit-ransomware-takedown-strikes-brand-viability

https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html


Microsoft 2023 Exchange Attack - Cyber Safety Review Board (CSRB) Report

Microsoft’s claim that the Azure signing key was stolen from an engineer’s laptop previously compromised at an acquired company, holds little weight.  So far there is no evidence supporting that theory.  The report pulls no punches.

https://www.bleepingcomputer.com/news/security/microsoft-still-unsure-how-hackers-stole-msa-key-in-2023-exchange-attack/

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf


Unique and Successful Rhadamanthys Stealer Campaign

This one targets the oil and gas sector but could easily affect many verticals.  The lure is vehicle incidents.  With many TTPs designed to evade defenses, this is one to keep an eye on.

https://thehackernews.com/2024/04/new-phishing-campaign-targets-oil-gas.html

https://cofense.com/blog/recently-updated-rhadamanthys-stealer-delivered-in-federal-bureau-of-transportation-campaign/


Zero-Day Windows LPE Exploit for Sale on the Dark Web

We’ll see if this comes about, let’s hope its not a big deal.

https://cybersecuritynews.com/hackers-claiming-of-working-windows-0-day-lpe-exploit/


PikaBot Campaign Changes Distribution Behavior

Researchers share observations on multiple attack vectors over the span of a month.  This is interesting, testing the waters maybe?

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/


Financial Institutions Targeted by JSOutProx Variant

This campaign is currently targeting South and Southeast Asia, Middle East, and Africa, that can change.  A remote access trojan with many tricks up its sleeve.

https://www.bleepingcomputer.com/news/security/visa-warns-of-new-jsoutprox-malware-variant-targeting-financial-orgs/

https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse


New-ish Latrodectus Malware Appears to be Replacing IcedID

Researchers observed two threat actors who previously used IcedID have increased usage of Latrodectus in phishing campaigns.  This new ish malware may very well be used by more threat actors who previously distributed IcedID.

https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-replaces-icedid-in-network-breaches/

https://www.darkreading.com/threat-intelligence/new-loader-takes-over-where-qbot-left-off

https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice


Ransomware Clowns Relentlessly Target US Municipal Governments

Ransomware attacks against municipal governments have plagued the US for a while now and the trend continues.  With upwards of 25 successful attacks so far this year alone, it may be a bumpy ride as the ransomware clowns continue indiscriminate attacks.

https://therecord.media/new-york-city-government-smishing-attack


This Week in Ransomware – These Clowns Won’t Quit Until it’s no Longer Profitable

Quite a bit going on, this is a quick read and worth it to keep up on the ransomware front.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-5th-2024-virtual-machines-under-attack/


New Red CryptoApp (Red Ransomware Group)

Yet another group ripping organizations off and causing mayhem.  These clowns humiliate their victims with a ‘wall of shame’, pressure is to pay to get their names removed.

https://www.hackread.com/red-ransomware-group-red-cryptoapp-wall-of-shame/

https://netenrich.com/blog/red-cryptoapp-ransomware-new-threat-group


Social Engineering Threat Against US Healthcare Help Desks

U.S. Dept of Health and Huiman Services (HHS) releases sector alert.  Tactics and techniques such as MFA bombing, social engineering IT help desk employees, SIM swapping, and more.  Reminiscent of Scattered Spider tactics, techniques, and procedures.

https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/

https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by