Cyber Threat Weekly – #23
The week of April 22nd through April 28th was a busy one, with 405 cyber news articles reviewed. There is an abundance of cyber threat trends and adversarial behavior news to share. Let’s start with threat actors offering bulk Fortigate access on the dark web.
A traffic distribution system (TDS) changes techniques. Sucks for defenders: English-speaking, western ransomware affiliates. Some interesting observations on ransomware from Q1 2020 to Q1 2024. Malware hosting flaw affects GitLab too.
Russian threat actors abuse a Windows Print Spooler bug. Q1 2024 GRIT Ransomware Report. Edge devices such as VPNs and exposed RDP are under attack. Researchers observe an APT group laterally moving and creating tunnels.
Threat actors use an Adversary-in-the-Middle (AitM) technique to hijack updates. Info-stealer malware pushed via CDN cache. Researchers share an in-depth analysis of REMCOS. CrushFTP cloud-based file transfer zero-day now patched.
Researchers observe and share the Frozen#Shadow campaign. SEO poisoning campaign discovered by researchers. Cheated ransomware affiliates look to third-party data leak services. Threat actors exploit Cisco ASA zero-days.
New Android banking trojan discovered. PlugX malware command and control server sinkholed by researchers. Okta observing a massive credential stuffing attack targeting identity and access management (IAM) solutions.
Broken Record Alert: N-day bugs, please patch quickly!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
We should consider what is exposed to the Internet. Let’s remove some of the low hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for April 22nd to April 28th:
CVE-2022-38028 – Microsoft Windows Print Spooler Privilege Escalation Vulnerability:
An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions.
CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability:
Allows a remote attacker to escape the CrushFTP virtual file system (VFS).
CVE-2024-20359 – Cisco ASA and FTD Privilege Escalation Vulnerability:
Allows local privilege escalation from Administrator to root.
CVE-2024-20353 – Cisco ASA and FTD Denial of Service Vulnerability:
An infinite loop vulnerability that can lead to remote denial of service condition.
Access to 3000 Fortigate SSL-VPN Gateways Offered on the Dark Web
The bulk sale of VPN access offered is not cool. What’s unclear is how the access was gained. There is a tremendous amount of credential stuffing happening, there is infostealer data, and it could be another zero-day; it’s anyone’s guess.
https://cybersecuritynews.com/hackers-offering-admin-access/
New Behavior for VexTrio TDS
The most notable behavior change is the switch from client-side to server-side redirects. Several new domain names are utilized as well.
Western Threat Actors, English Speaking, Making Waves
As we continue to defend against ransomware threat actors, Western teenagers are joining the ranks via a group known as “The Com”. Affiliate groups such as Lapsus$ and Scattered Spider have come from “The Com”. These western teenagers use social engineering to facilitate SIM Swaps and go after help desk personnel to bypass MFA.
https://fr.sentinelone.com/wp-content/uploads/2024/01/Watchtower_2023_EOY_rd4.pdf
Researchers Share Ransomware Data From 2020 to Q1 2023
There is a lot of data in the article and report. The graph of victims from 2020 to Q1 2024 shows how quickly big game hunting took hold once it began. The success of a few big players has led many would-be criminals to enter the game, and here we are.
https://www4.orangecyberdefense.com/security-navigator-2024
CDN Flaw Affects GitLab Allowing Malware Hosting
Threat actors are abusing GitHub and GitLab comments to push malware, making the files seem legit.
APT28 Abuses Print Spooler Flaw for Post Exploitation Activities
Russian threat actors have been abusing CVE-2022-38028 since at least June 2020, using a batch script to launch the GooseEgg executable, which can execute other payloads with SYSTEM privileges.
GRIT Ransomware Report Q1 2024
Researchers share ransomware observations and trends for Q1 2024.
Edge Devices Such as VPN and Others Targeted
The downside to appliances: when a forensic image is needed, you must ask the vendor. This lack of visibility is allowing threat actors to take advantage of edge devices.
https://www.darkreading.com/endpoint-security/edge-vpns-firewalls-nonexistent-telemetry-apts
https://services.google.com/fh/files/misc/m-trends-2024.pdf
ToddyCat APT Laterally Moves and Creates Tunnels
Researchers share details of this APT group. Interestingly, many threat actors use several of these techniques; it is worth taking a look and ensuring proper coverage.
https://therecord.media/data-theft-groups-goal-apac
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/
GuptiMiner is Delivered via eScan Updates
Researchers observe malicious updates being delivered from an AitM position. GuptiMiner is a sophisticated malware, capable of deploying multiple malicious payloads.
https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html
Suspected CoralRaider Campaign Abusing CDN Cache
Threat actors are using content delivery network caches to deliver info-stealer malware. Researchers believe the threat actors are financially motivated.
REMCOS Rat Deep Dive
Researchers dig into REMCOS after first introducing the red teaming tool, which is consistently abused by threat actors. It is used as a remote access trojan with a wide range of capabilities.
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one
File Transfer System CrushFTP Zero-Day, Now Patched
Proof of concept code is available and CVE-2024-4040 is being actively targeted. File transfer systems are a threat actor favorite; Cl0p wreaked havoc with the MOVEit vulnerability.
https://www.darkreading.com/cloud-security/patch-crushftp-zero-day-cloud-exploit-targets-us-orgs
Ongoing Multistage Attack Campaign Codename Frozen#Shadow
A phishing campaign delivers the SSLoad malware, then deploys Cobalt Strike and the ScreenConnect remote management software.
https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html
Researchers Share SEO Poisoning Campaign Distributing Malware
Malware-laden websites are hosted on seemingly legitimate platforms to manipulate search engines. The campaign is not targeted at a particular group; broad topic and interest coverage is utilized. Evasion and obfuscation techniques are utilized to fly under the radar.
https://www.zscaler.com/blogs/security-research/black-hat-seo-leveraged-distribute-malware
Third Party Data Leak Services for Cheated Ransomware Affiliates
Researchers examine the creation and use of third-party ransomware leak sites.
Nation State Backed Actors Exploit Two Cisco ASA Zero-Days
The campaign, called ArcaneDoor, was discovered in January 2024. Malware implants were deployed, and the goal of the campaign appears to be espionage.
Android Malware Delivered Through Fake Google Chrome Update
Dubbed Brokewell, this malware is under development and features device takeover and remote-control capabilities. It is delivered via fake Google Chrome updates.
Researchers Sinkhole PlugX Command and Control (C2) Server
This one is interesting: sinkholing the C2 IP address gave researchers the scale of the malware’s reach. So far, 2,495,247 unique IPs as of April 25th, 2024.
Okta Observing Spike in Credential Stuffing Attacks Against IAM Solutions
The attacks come from anonymization networks such as TOR and residential proxies, which threat actors use to hide the source of the traffic. Using residential proxies makes the traffic look like it comes from legit users, so it tends to fly under the radar.
https://sec.okta.com/blockanonymizers
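An added example of the defender's side of this, not code from the newsletter or from Okta: it scans constructed auth log lines for the two signals above, one source IP failing against many accounts and traffic from IPs on an anonymizer list (the list, the log format and the thresholds are assumptions), plus a fleet-wide failure ratio that still spikes when the attack is spread thin across residential proxies.

```python
# Added example, not code from the newsletter or from Okta: flags two
# credential-stuffing signals in constructed auth logs (one source IP failing
# against many distinct usernames, and traffic from IPs on an anonymizer list).
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <src_ip> <username> <result>"
SAMPLE_LOGS = """\
2024-04-25T10:00:01Z 203.0.113.7 alice FAIL
2024-04-25T10:00:02Z 203.0.113.7 bob FAIL
2024-04-25T10:00:02Z 203.0.113.7 carol FAIL
2024-04-25T10:00:03Z 203.0.113.7 dave FAIL
2024-04-25T10:00:03Z 203.0.113.7 erin FAIL
2024-04-25T10:00:04Z 203.0.113.7 frank SUCCESS
2024-04-25T10:00:05Z 198.51.100.9 alice SUCCESS
2024-04-25T10:00:07Z 192.0.2.44 grace SUCCESS
"""
# Constructed stand-in for a TOR exit-node / residential-proxy feed (assumption).
ANONYMIZER_IPS = {"192.0.2.44"}


def parse_events(log_text):
    """Yield (src_ip, username, result) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3].upper()


def detect(log_text, anonymizers, min_users=5, min_failures=5):
    """Return flagged source IP -> {"users", "failures", "anonymizer"}."""
    stats = defaultdict(lambda: {"users": set(), "failures": 0})
    for src_ip, user, result in parse_events(log_text):
        stats[src_ip]["users"].add(user)
        if result == "FAIL":
            stats[src_ip]["failures"] += 1
    findings = {}
    for ip, s in stats.items():
        # Per-IP thresholds catch one host spraying many accounts; the list
        # catches low-volume traffic hidden behind TOR or proxies.
        spray = len(s["users"]) >= min_users and s["failures"] >= min_failures
        anon = ip in anonymizers
        if spray or anon:
            findings[ip] = {"users": len(s["users"]),
                            "failures": s["failures"], "anonymizer": anon}
    return findings


def failure_ratio(log_text):
    """Fleet-wide share of failed logins: proxy-spread attacks keep per-IP
    counts low, but this ratio still spikes against a normal baseline."""
    events = list(parse_events(log_text))
    return sum(r == "FAIL" for _, _, r in events) / len(events) if events else 0.0
```

Compare failure_ratio against a baseline window from quiet days before alerting on it; the absolute value alone means little.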
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter