
Cyber Threat Weekly – #22

Derek Krein

The week of April 15th through April 21st was heavier than the last couple of weeks, with 424 cyber news articles reviewed. With a large amount of cyber threat trend and adversarial behavior news available, I got quite selective this week. Let’s start with LockBit maybe trying to rebrand.

Third-party data breach, Cisco Duo warns.  A new LockBit variant can self-propagate.  An interesting point of view on identity threat exposures.  Exploit code available for Palo Alto zero-day, now patched.  Bug in PuTTY leaks private keys.

Botnets are still after small office home office (SOHO) routers.  Large scale brute force campaign against many VPN and SSH services on multiple vendors.  2024 Bad Bot Report from Imperva.  Critical bugs in Ivanti Avalanche MDM solution.

Criminals offer T-Mobile and Verizon employees money for sim-swaps.  Researchers share insights into junk ransomware.  More malvertising targeting IT folks.  Threat actors targeting Kubernetes.  MITRE breached via Ivanti zero-day flaws.

This week in ransomware April 19th.


Broken Record Alert:  Please Patch N-Day Flaws!!!

Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.

We should also consider what is exposed to the Internet. Let’s remove some of the low hanging fruit threat actors continue to target.
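One way to turn the prioritization above into a repeatable triage, as an added example that is not part of this newsletter: the script tiers an asset inventory by KEV membership first, weaponized PoC second, everything else third, assigns the 48-hour emergency deadline to tiers 1 and 2, and sorts Internet-exposed hosts first within a tier. The KEV sample mirrors the field names of CISA's JSON feed but uses constructed placeholder CVE IDs; the PoC feed and inventory are assumed inputs you would replace with your own.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs, only the fields used here).
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Router",
   "dateAdded": "2024-04-16", "dueDate": "2024-05-07", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Assumed: an internal list of CVEs with weaponized PoC code public (placeholder IDs).
WEAPONIZED_POC = {"CVE-0000-0003"}

# Assumed asset inventory: one row per (CVE, host), with an Internet-exposure flag.
INVENTORY = [
    {"cve": "CVE-0000-0001", "host": "vpn-gw-01", "internet_exposed": True},
    {"cve": "CVE-0000-0002", "host": "branch-rtr-07", "internet_exposed": False},
    {"cve": "CVE-0000-0003", "host": "web-app-02", "internet_exposed": True},
    {"cve": "CVE-0000-0004", "host": "build-srv-01", "internet_exposed": False},
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(inventory, kev, weaponized, now):
    """Tier 1: in KEV. Tier 2: weaponized PoC public. Tier 3: routine cycle.
    Tiers 1 and 2 get a 48-hour emergency deadline; Internet-exposed hosts sort first."""
    rows = []
    for item in inventory:
        cve = item["cve"]
        if cve in kev:
            ransomware = kev[cve].get("knownRansomwareCampaignUse") == "Known"
            tier, reason = 1, "CISA KEV" + (" (ransomware use)" if ransomware else "")
        elif cve in weaponized:
            tier, reason = 2, "weaponized PoC public"
        else:
            tier, reason = 3, "routine cycle"
        deadline = now + (timedelta(hours=48) if tier < 3 else timedelta(days=30))
        rows.append({**item, "tier": tier, "reason": reason, "deadline": deadline.isoformat()})
    return sorted(rows, key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))

def run_triage(now_iso="2024-04-22T00:00:00+00:00"):
    """Entry point: triage the sample inventory as of the given timestamp."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), WEAPONIZED_POC, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for r in run_triage():
        print(f"tier {r['tier']}  {r['cve']}  {r['host']:<14} {r['reason']:<26} due {r['deadline']}")
```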


Is LockBit Now Dark Vault?

It appears LockBit may have screwed up their rebrand to Dark Vault and got caught. 

https://www.blackfog.com/new-ransomware-gangs-in-2024/#April

https://cybernews.com/news/lockbit-dark-vault-rebrand/


Warning from Cisco Duo, Third-Party Data Breach

Currently Cisco is saying 10% of its more than 100,000 customers are affected. We know how these things can change quickly, so it is worth keeping an eye on if you use Cisco Duo for MFA.

https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/

https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e


In the Wild LockBit Variant Can Self-Spread

Let’s hope we don’t see more ransomware variants like this sample analyzed by researchers.

https://www.infosecurity-magazine.com/news/lockbit-variant-self-spreading/

https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/


Identity Threats Revealed

Identity and access management is the foundation of zero-trust security and the new perimeter, so this is an interesting report. Gartner has been promoting continuous threat exposure management; this is another use case to add to it. Labeled Identity Threat Exposures (ITEs), it’s another thing to think about.

https://thehackernews.com/2024/04/identity-in-shadows-shedding-light-on.html

https://4711332.fs1.hubspotusercontent-na1.net/hubfs/4711332/Reports/Silverfort_The_Identity_Underground_Report.pdf


Palo Alto N-Day Flaw, Exploit Code Released

Proof of concept code was released and detailed analysis of the bug shared a day after patches were released.  Are researchers trying to help the community or arm the adversaries? 

https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/

https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html

https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/

https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/


SSH Client PuTTY Vulnerability Allows Private Key Recovery

Tracked as CVE-2024-31497, this flaw affects other software that utilizes PuTTY. 

https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html


TP-Link Archer AX21 is Under Attack

As shared previously, both nation state and cyber criminal threat actors are targeting SOHO routers, and it appears the same botnets are at it again. Significant spikes in exploit attempts have been observed from Moobot and others.

https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/

https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread


Cisco Talos Reports on Massive Brute Force Campaign

The campaign targets VPN and SSH services from vendors such as Cisco, Fortinet, CheckPoint, SonicWall and more. The activity appears to be opportunistic in nature. Cisco is observing a global increase in brute force attacks.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-large-scale-brute-force-attacks-against-vpn-services/

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/


Bad Bots Account for 32% of Internet Traffic

The 2024 Imperva Bad Bot Report provides detailed analysis of bad bot traffic. Bad bot traffic from residential ISPs grew 26%, which coincides with the continued threat intel on threat actors going after SOHO routers.

https://www.infosecurity-magazine.com/news/bad-bots-10-surge-account-takeover/?&web_view=true

https://www.imperva.com/resources/gated/reports/Imperva-2024-Bad-Bot-Report.pdf


Ivanti Released Fixes for 27 Flaws, Two Critical

Updates for their Avalanche mobile device management solution are available.  So far, there is no evidence of exploitation.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/

https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US


$300 offered to T-Mobile and Verizon Employees for Sim Swaps

Employees of multiple carriers are getting text messages with cash offers to facilitate sim swaps. With so many organizations using SMS for multi-factor authentication, this can be bad. It appears opportunistic in nature.

https://www.bleepingcomputer.com/news/security/t-mobile-verizon-workers-get-texts-offering-300-for-sim-swaps/


Junk Ransomware on the Dark Web

Researchers share 19 varieties of low-quality ransomware found across four forums. 

https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch/


Researchers Expose New Backdoor Delivered via Malvertising

This is a similar campaign to some shared previously, this time impersonating several legitimate IP scanners and delivering a previously unseen backdoor. Researchers share detailed analysis.

https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html

https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell


Kubernetes Workloads Targeted via OpenMetadata Bugs

Researchers share analysis of an attack campaign.

https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/


Ivanti Zero-Day Bugs Lead to MITRE Breach

MITRE shares information on the breach into their unclassified research and development network.

https://www.bleepingcomputer.com/news/security/mitre-says-state-hackers-breached-its-network-via-ivanti-zero-days/

https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks


April 19th, This Week in Ransomware

Ransomware attacks are starting to ramp up again. 

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-19th-2024-attacks-ramp-up/

