Cyber Threat Weekly – #21
The week of April 8th through April 14th was light, with 376 cyber security articles reviewed. There is a less than average amount of cyber threat trend and adversarial behavior news to share. Let’s start with QakBot, which still shows signs of life. Retailers targeted in multichannel attacks.
Trending: malware-initiated Internet scanning. Discovered: a 10-year-old cryptomining botnet. The cloud, SaaS, and Muddled Libra. A critical bug affecting Rust and other programming languages on Windows. Researchers share the realities of dealing with immature ransomware clowns.
A new Raspberry Robin campaign. Researchers share the risks of cloud malware. Apple iPhone users targeted in 92 countries. A deepfake CEO voice phishing attack failed. Palo Alto Networks zero-day exploited by a suspected nation state threat actor.
FBI announcement, massive smishing scam. North Korean threat actors abuse new behavior.
Broken Record Alert: Please Patch N-Day Flaws!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close second priority is flaws with weaponized proof-of-concept (PoC) code available, since the chance of exploitation is higher once such code exists. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should also consider what is exposed to the Internet. Let’s remove some of the low-hanging fruit that threat actors continue to target.
CISA Known Exploited Vulnerabilities for April 8th to April 14th:
CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability
When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.
CVE-2024-3272 – D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
Allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.
CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability
Allows an unauthenticated attacker to execute commands with root privileges on the firewall.
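As an added example (my code, not the newsletter’s and not CISA’s), here is a small Python triage script that applies the two priorities above: anything in the CISA KEV catalog first, weaponized-PoC flaws second, each with an emergency window inside the 24-to-48-hour range (the split of 24 hours for Internet-exposed assets and 48 hours otherwise is my assumption). The KEV entries are constructed samples shaped like the feed’s cveID/dateAdded/dueDate fields using the three CVE ids listed above; the dates, the asset inventory, the weaponized-PoC list and the CVE-2024-XXXX placeholder ids are all constructed, not real catalog values.

```python
"""Patch-priority triage: CISA KEV first, weaponized PoC second.

Added example; every data structure below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed entries shaped like the CISA KEV feed's per-vulnerability
# objects (cveID / dateAdded / dueDate). The CVE ids are the ones in the
# list above; the dates are placeholders, not the catalog's real values.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-3273", "dateAdded": "2024-04-11", "dueDate": "2024-04-16"},
        {"cveID": "CVE-2024-3272", "dateAdded": "2024-04-11", "dueDate": "2024-04-16"},
        {"cveID": "CVE-2024-3400", "dateAdded": "2024-04-12", "dueDate": "2024-04-19"},
    ]
}

# Constructed asset inventory; CVE-2024-XXXX1 and CVE-2024-XXXX2 are placeholder ids.
INVENTORY = [
    {"asset": "edge-fw-01",   "cve": "CVE-2024-3400",  "internet_exposed": True},
    {"asset": "nas-lab-07",   "cve": "CVE-2024-3273",  "internet_exposed": True},
    {"asset": "nas-lab-07",   "cve": "CVE-2024-3272",  "internet_exposed": True},
    {"asset": "nas-int-03",   "cve": "CVE-2024-3273",  "internet_exposed": False},
    {"asset": "build-srv-02", "cve": "CVE-2024-XXXX1", "internet_exposed": False},
    {"asset": "hr-portal",    "cve": "CVE-2024-XXXX2", "internet_exposed": True},
]

# Constructed: CVEs for which weaponized PoC code is known to circulate.
WEAPONIZED_POC = {"CVE-2024-XXXX1"}

# Fixed "now" so the output is reproducible.
DEMO_NOW = datetime(2024, 4, 15, 9, 0)


@dataclass
class Finding:
    asset: str
    cve: str
    tier: int                    # 1 = KEV, 2 = weaponized PoC, 3 = routine
    reason: str
    internet_exposed: bool
    patch_by: Optional[datetime]  # None means the normal patch cycle applies


def classify(cve: str, kev_index: dict, weaponized: set):
    """Return (tier, reason) for one CVE: KEV beats weaponized PoC beats everything else."""
    if cve in kev_index:
        return 1, "in CISA KEV catalog (actively exploited)"
    if cve in weaponized:
        return 2, "weaponized PoC code available"
    return 3, "no exploitation signal; routine patch cycle"


def triage(inventory, kev_feed, weaponized, now=DEMO_NOW):
    """Assign a tier and an emergency patch-by time to every inventory row."""
    kev_index = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    findings = []
    for item in inventory:
        tier, reason = classify(item["cve"], kev_index, weaponized)
        exposed = item["internet_exposed"]
        patch_by = None
        if tier in (1, 2):
            # Emergency window: 24h if the asset faces the Internet, 48h otherwise
            # (assumed split inside the 24-to-48-hour range).
            patch_by = now + timedelta(hours=24 if exposed else 48)
            if tier == 1:
                # Never later than CISA's own due date for the KEV entry.
                kev_due = datetime.fromisoformat(kev_index[item["cve"]]["dueDate"])
                patch_by = min(patch_by, kev_due)
        findings.append(Finding(item["asset"], item["cve"], tier, reason, exposed, patch_by))
    # Most urgent first: tier, then Internet-exposed, then earliest deadline.
    findings.sort(key=lambda f: (f.tier, not f.internet_exposed,
                                 f.patch_by or datetime.max, f.cve))
    return findings


def emergency_queue(findings):
    """The rows that belong in the 24-to-48-hour emergency process."""
    return [f for f in findings if f.tier in (1, 2)]


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_SAMPLE, WEAPONIZED_POC):
        due = f.patch_by.isoformat(" ") if f.patch_by else "routine"
        print(f"tier {f.tier}  {f.asset:12} {f.cve:15} exposed={str(f.internet_exposed):5} "
              f"patch_by={due}  ({f.reason})")
```

In practice the inventory would come from your scanner or CMDB export and the KEV data from the live feed; the clamp to CISA’s due date is there so an internal host with a long emergency window never drifts past the catalog’s own deadline.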
Still on the Prowl – QakBot
This newer variant employs a new persistence mechanism by abusing srtasks.exe to create a restore point.
https://cybersecuritynews.com/new-qakbot-dll-windows-persistence/
https://www.binarydefense.com/resources/blog/qakbot-strikes-back-understanding-the-threat/
Multichannel Attacks Targeting Retailers Observed
The attacks start with SMS phishing and walk victims through the MFA authorization flow in an attempt to collect credentials. Account takeover is the main objective, followed by persistence and access to SSO portals.
Vulnerability Scanning from Malware is Trending Up
Researchers are observing malware-initiated scanning from infected machines, some of them on otherwise benign networks. The write-up has some interesting insights.
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
Researchers Analyze 10-Year-Old Cryptomining Botnet
A recently discovered botnet named RUBYCARP appears to have been active for at least 10 years. It deploys several tools for monetization; payloads include cryptomining, phishing, and DDoS.
https://sysdig.com/blog/rubycarp-romanian-botnet-group/
Researchers Discovered Muddled Libra Targeting CSP and SaaS
The write-up shares the access methodology, from extensive reconnaissance to identify and target administrative users through to data exfiltration.
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
Command Line Injection in Windows via Critical Rust Flaw
Windows systems can be exploited through a critical vulnerability in the Rust standard library. Other programming languages, such as Go and Ruby, are vulnerable as well.
https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
Immature Ransomware Operators – Beware
The simple reality is that all ransomware clowns suck. It’s best not to pay the ransom; you get put on a list and become a bigger target. That said, dealing with immature groups has even more consequences.
Raspberry Robin is Back, Delivered Through WSF Files
Traditionally spread through removable drives, Raspberry Robin is now being delivered by the cyber criminals through Windows Script Files (WSF). Often a precursor to ransomware, this is one we need to watch.
https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html
https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/
Attacking the Cloud, OAuth Application Threats, and Cloud Malware
Researchers share the evolution of cloud malware and OAuth app threats from 2020 to the present. The trend is clear: threat actors are targeting the cloud more and more.
Mercenary Spyware Attempting Remote Compromise of Apple iPhones
A relatively small number of users were targeted in 92 countries. Apple is sending warnings via email.
https://support.apple.com/en-us/102174
https://www.documentcloud.org/documents/24539926-threat-notifications-email-april-10
Threat Actors Target LastPass Employee with Deepfake CEO Call
This will most likely become a more common occurrence. We’ve been seeing sporadic use of deepfakes by criminals and nation states.
Palo Alto Zero-day Exploited
Network devices are a heavy target of nation-state and criminal threat actors, and Palo Alto didn’t escape exploitation. We need to start considering zero trust network access and minimizing attack surface.
https://unit42.paloaltonetworks.com/cve-2024-3400/
FBI Warns of Smishing Scam Using Toll Road Debt as the Lure
An ongoing smishing scam has drawn over 2,000 complaints.
https://www.ic3.gov/Media/Y2024/PSA240412
Two New MITRE Sub Techniques, North Korea Threat Actors
One sub technique affects macOS: the manipulation of Transparency, Consent, and Control (TCC). The other affects Windows and is a subset of dynamic link library (DLL) hijacking, “phantom” DLL hijacking.
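As an added example (my code, not the newsletter’s and not MITRE’s), here is a small Python detector that runs defender-side checks over image-load records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus): a Windows system binary loading a DLL from outside the trusted system directories, any DLL loaded from a user-writable path, and an unsigned DLL sitting inside a trusted directory, which is what a planted “phantom” DLL looks like once it is on disk. The events, paths and DLL names are constructed, and the trusted and writable directory lists are my assumptions that would need tuning for a real environment.

```python
"""Flag DLL loads that fit the DLL-hijacking pattern (added example, constructed data)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

# Assumed trusted locations for DLLs loaded by Windows system binaries.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# Assumed user-writable locations that no system DLL should be loaded from.
WRITABLE_DIRS = (r"C:\Users", r"C:\ProgramData", r"C:\Temp", r"C:\Windows\Temp")

# Constructed records shaped like Sysmon Event ID 7 (Image loaded) fields;
# the DLL names and paths are made up for this example.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\ExampleVendor\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\planted-example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


@dataclass
class Alert:
    process: str
    dll: str
    reasons: List[str]


def _under(path: str, roots) -> bool:
    """True if path lies inside any of roots (Windows paths, case-insensitive)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(r)) for r in roots)


def assess(event: dict) -> List[str]:
    """Return the reasons this load looks like DLL hijacking; an empty list means benign."""
    image, dll = event["Image"], event["ImageLoaded"]
    signed = event.get("Signed", "").lower() == "true"
    reasons = []
    if _under(dll, WRITABLE_DIRS):
        reasons.append("DLL loaded from a user-writable directory")
    if _under(image, (r"C:\Windows",)) and not _under(dll, TRUSTED_DIRS):
        reasons.append("Windows system binary loaded a DLL from outside the trusted directories")
    if not signed and _under(dll, TRUSTED_DIRS):
        reasons.append("unsigned DLL inside a trusted directory (possible planted phantom DLL)")
    return reasons


def scan(events) -> List[Alert]:
    """Run assess() over every event and keep only those with at least one reason."""
    alerts = []
    for e in events:
        reasons = assess(e)
        if reasons:
            alerts.append(Alert(e["Image"], e["ImageLoaded"], reasons))
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"{a.process} -> {a.dll}")
        for r in a.reasons:
            print(f"    - {r}")
```

The third check is the one that catches the phantom case specifically: the loading process and the path both look normal, so only the missing signature gives the planted file away, which is why the Signed field matters more than the path for this sub technique.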
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter