Skip to content

Cyber Threat Weekly – #21

Derek Krein
4 min read

The week of April 8th through April 14th was light with 376 cyber security articles reviewed.  A less than average amount of cyber threat trend and adversarial behavior news to share.  Let’s start with QakBot, still signs of life.  Retailers targeted in multichannel attacks.

Trending, malware-initiated Internet scanning.  Discovered, 10-year-old cryptomining botnet.  The cloud, SaaS, and Muddled Libra.  Critical Rust and other programming languages bug in Windows.  Researchers share the realities of dealing with immature ransomware clowns.

A new Raspberry Robin campaign.  Researchers share risks of cloud malware.  Apple iPhone users targeted in 92 countries.  Deepfake CEO voice phishing attack failed.  Palo Alto networks zero-day exploited by suspected nation state threat actor.

FBI announcement, massive smishing scam.  North Korean threat actors abuse new behavior. 


Broken Record Alert:  Please Patch N-Day Flaws!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for April 8th to April 14th:

CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability

When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.


CVE-2024-3272 – D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

Allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.


CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability

Allows an unauthenticated attacker to execute commands with root privileges on the firewall.


Still on the Prowl – QakBot

This newer variant employs a new persistence mechanism by abusing srtasks.exe to create a restore point. 

https://cybersecuritynews.com/new-qakbot-dll-windows-persistence/

https://www.binarydefense.com/resources/blog/qakbot-strikes-back-understanding-the-threat/


Multichannel Attacks Targeting Retailers Observed

Starting out with SMS phishing and taking victims through the MFA authorization flow attempting to collect credentials.  Account takeover is the main objective, followed by persistence and access to SSO portals.

https://www.proofpoint.com/us/blog/email-and-cloud-threats/evolving-threat-landscape-deep-dive-multichannel-attacks-targeting


Vulnerability Scanning from Malware is Trending Up

Researchers observing malware-initiated scanning from infected machines, some from benign networks.  Some interesting insights.

https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/


Researchers Analyze 10-Year-Old Cryptomining Botnet

Recently discovered botnet named RUBYCARP.  Appears to have been active for at least 10 years.  Deploys several tools for monetization and payloads include cryptomining, phishing, and DDoS.

https://www.bleepingcomputer.com/news/security/rubycarp-hackers-linked-to-10-year-old-cryptomining-botnet/

https://sysdig.com/blog/rubycarp-romanian-botnet-group/


Researchers Discovered Muddled Libra Targeting CSP and SaaS

From extensive reconnaissance to identify and target administrative users to data exfiltration, the access methodology is shared.

https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/


Command Line Injection in Windows via Critical Rust Flaw

Windows systems can be exploited from a critical vulnerability in the Rust standard library.  Other program languages such as Go, Ruby, and more are vulnerable also.

https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html


Immature Ransomware Operators – Beware

The simple reality is all ransomware clowns suck, it’s best not to pay the ransom, you get put on a list and become a bigger target.  That said, dealing with immature groups has even more consequences.

https://www.guidepointsecurity.com/blog/awkward-adolescence-increased-risks-among-immature-ransomware-operators/


Raspberry Robin is Back, Delivered Through WSF Files

Traditionally spread through removable drives, the cyber criminals have made a switch to Windows Script Files (WSF).  Often a precursor to ransomware, this is one we need to watch.

https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html

https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/


Attacking the Cloud, OAuth Application Threats, and Cloud Malware

Researchers share the evolution of cloud malware and OAuth app threats from 2020 to present.  There is a trend of threat actors targeting the cloud more and more.

https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants


Mercenary Spyware Attempting Remote Compromise of Apple iPhones

A relatively small number of users targeted in 92 countries.  Apple is sending warnings via email.

https://www.bleepingcomputer.com/news/security/apple-mercenary-spyware-attacks-target-iphone-users-in-92-countries/

https://support.apple.com/en-us/102174

https://www.documentcloud.org/documents/24539926-threat-notifications-email-april-10


Threat Actors Target LastPass Employee with Deepfake CEO Call

This will most likely become a more common occurrence.  We’ve been seeing the sporadic use of deepfakes by criminals and nations states.

https://www.bleepingcomputer.com/news/security/lastpass-hackers-targeted-employee-in-failed-deepfake-ceo-call/


Palo Alto Zero-day Exploited

Networks devices are a heavy target of nation state and criminal threat actors, Palo Alto didn’t escape exploitation.  We need to start considering zero trust network access and minimizing attack surface.

https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/

https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/


Smishing Scam Using Debt for Toll Roads Lure FBI Warns

Ongoing smishing scam, over 2,000 complaints. 

https://www.bleepingcomputer.com/news/security/fbi-warns-of-massive-wave-of-road-toll-sms-phishing-attacks/

https://www.ic3.gov/Media/Y2024/PSA240412


Two New MITRE Sub Techniques, North Korea Threat Actors

One sub technique affects macOS – the manipulation of Transparency, Consent, and Control (TCC).  The other affects windows, a subset of dynamic link library (DLL) hijacking – “phantom” DLL hijacking. 

https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8