Skip to content

Cyber Threat Weekly – #21

Derek Krein
4 min read

The week of April 8th through April 14th was light with 376 cyber security articles reviewed.  A less than average amount of cyber threat trend and adversarial behavior news to share.  Let’s start with QakBot, still signs of life.  Retailers targeted in multichannel attacks.

Trending, malware-initiated Internet scanning.  Discovered, 10-year-old cryptomining botnet.  The cloud, SaaS, and Muddled Libra.  Critical Rust and other programming languages bug in Windows.  Researchers share the realities of dealing with immature ransomware clowns.

A new Raspberry Robin campaign.  Researchers share risks of cloud malware.  Apple iPhone users targeted in 92 countries.  Deepfake CEO voice phishing attack failed.  Palo Alto networks zero-day exploited by suspected nation state threat actor.

FBI announcement, massive smishing scam.  North Korean threat actors abuse new behavior. 


Broken Record Alert:  Please Patch N-Day Flaws!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for April 8th to April 14th:

CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability

When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.


CVE-2024-3272 – D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

Allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.


CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability

Allows an unauthenticated attacker to execute commands with root privileges on the firewall.


Still on the Prowl – QakBot

This newer variant employs a new persistence mechanism by abusing srtasks.exe to create a restore point. 

https://cybersecuritynews.com/new-qakbot-dll-windows-persistence/

https://www.binarydefense.com/resources/blog/qakbot-strikes-back-understanding-the-threat/


Multichannel Attacks Targeting Retailers Observed

Starting out with SMS phishing and taking victims through the MFA authorization flow attempting to collect credentials.  Account takeover is the main objective, followed by persistence and access to SSO portals.

https://www.proofpoint.com/us/blog/email-and-cloud-threats/evolving-threat-landscape-deep-dive-multichannel-attacks-targeting


Vulnerability Scanning from Malware is Trending Up

Researchers observing malware-initiated scanning from infected machines, some from benign networks.  Some interesting insights.

https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/


Researchers Analyze 10-Year-Old Cryptomining Botnet

Recently discovered botnet named RUBYCARP.  Appears to have been active for at least 10 years.  Deploys several tools for monetization and payloads include cryptomining, phishing, and DDoS.

https://www.bleepingcomputer.com/news/security/rubycarp-hackers-linked-to-10-year-old-cryptomining-botnet/

https://sysdig.com/blog/rubycarp-romanian-botnet-group/


Researchers Discovered Muddled Libra Targeting CSP and SaaS

From extensive reconnaissance to identify and target administrative users to data exfiltration, the access methodology is shared.

https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/


Command Line Injection in Windows via Critical Rust Flaw

Windows systems can be exploited from a critical vulnerability in the Rust standard library.  Other program languages such as Go, Ruby, and more are vulnerable also.

https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html


Immature Ransomware Operators – Beware

The simple reality is all ransomware clowns suck, it’s best not to pay the ransom, you get put on a list and become a bigger target.  That said, dealing with immature groups has even more consequences.

https://www.guidepointsecurity.com/blog/awkward-adolescence-increased-risks-among-immature-ransomware-operators/


Raspberry Robin is Back, Delivered Through WSF Files

Traditionally spread through removable drives, the cyber criminals have made a switch to Windows Script Files (WSF).  Often a precursor to ransomware, this is one we need to watch.

https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html

https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/


Attacking the Cloud, OAuth Application Threats, and Cloud Malware

Researchers share the evolution of cloud malware and OAuth app threats from 2020 to present.  There is a trend of threat actors targeting the cloud more and more.

https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants


Mercenary Spyware Attempting Remote Compromise of Apple iPhones

A relatively small number of users targeted in 92 countries.  Apple is sending warnings via email.

https://www.bleepingcomputer.com/news/security/apple-mercenary-spyware-attacks-target-iphone-users-in-92-countries/

https://support.apple.com/en-us/102174

https://www.documentcloud.org/documents/24539926-threat-notifications-email-april-10


Threat Actors Target LastPass Employee with Deepfake CEO Call

This will most likely become a more common occurrence.  We’ve been seeing the sporadic use of deepfakes by criminals and nations states.

https://www.bleepingcomputer.com/news/security/lastpass-hackers-targeted-employee-in-failed-deepfake-ceo-call/


Palo Alto Zero-day Exploited

Networks devices are a heavy target of nation state and criminal threat actors, Palo Alto didn’t escape exploitation.  We need to start considering zero trust network access and minimizing attack surface.

https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/

https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/


Smishing Scam Using Debt for Toll Roads Lure FBI Warns

Ongoing smishing scam, over 2,000 complaints. 

https://www.bleepingcomputer.com/news/security/fbi-warns-of-massive-wave-of-road-toll-sms-phishing-attacks/

https://www.ic3.gov/Media/Y2024/PSA240412


Two New MITRE Sub Techniques, North Korea Threat Actors

One sub technique affects macOS – the manipulation of Transparency, Consent, and Control (TCC).  The other affects windows, a subset of dynamic link library (DLL) hijacking – “phantom” DLL hijacking. 

https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by