
Cyber Threat Weekly – #23

Derek Krein
6 min read

The week of April 22nd through April 28th was up with 405 cyber news articles reviewed.  There is an abundance of cyber threat trends and adversarial behavior news to share.  Let’s start with threat actors offering bulk Fortigate access on the dark web.

Traffic distribution system (TDS) changes techniques.  Sucks for defenders: English-speaking western ransomware affiliates.  Some interesting observations on ransomware from Q1 2020 to Q1 2024.  Malware hosting flaw affects GitLab too.

Russian threat actors abuse Windows Print Spooler bug.  Q1 2024 GRIT Ransomware Report.  Edge devices such as VPN and exposed RDP under attack.  Researchers observe APT group laterally moving and creating tunnels.

Threat actors use an Adversary-in-the-Middle (AitM) technique to hijack updates.  Info-stealer malware pushed via CDN cache.  Researchers share an in-depth analysis of REMCOS.  CrushFTP cloud-based file transfer zero-day now patched.

Researchers observe and share Frozen#Shadow campaign.  SEO poisoning campaign discovered by researchers.  Cheated ransomware affiliates look to third party data leak services.  Threat actors exploit Cisco ASA zero-days.

New Android banking trojan discovered.  PlugX malware command and control server sinkholed by researchers.  Okta observing a massive credential stuffing attack targeting identity and access management (IAM) solutions. 


Broken Record Alert:  N-day bugs, please patch quickly!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for April 22nd to April 28th:

CVE-2022-38028 – Microsoft Windows Print Spooler Privilege Escalation Vulnerability:
An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions.

CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability:
Allows a remote attacker to escape the CrushFTP virtual file system (VFS).

CVE-2024-20359 – Cisco ASA and FTD Privilege Escalation Vulnerability:
Allows local privilege escalation from Administrator to root.

CVE-2024-20353 – Cisco ASA and FTD Denial of Service Vulnerability:
An infinite loop vulnerability that can lead to remote denial of service condition.
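The prioritization the Broken Record Alert describes (KEV first, weaponized PoC second, with a 24-to-48-hour emergency process for both) is simple to automate. The script below is an added example, not code from the newsletter or from CISA: it reads a catalog excerpt in the shape of CISA's KEV JSON feed (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the cveID, dateAdded, dueDate and knownRansomwareCampaignUse fields), cross-references constructed scan findings against it and against a constructed "weaponized PoC" list, and assigns each finding a patching tier and SLA. The four CVE IDs in the excerpt are the ones listed above; the dates, hostnames, the placeholder CVE IDs and the exposure flags are constructed sample data.

```python
"""Triage vulnerability-scan findings against the CISA KEV catalog.

Added example, not from the newsletter or CISA.  The catalog excerpt below is
constructed in the shape of CISA's KEV JSON feed; the scan findings, the
weaponized-PoC list and the placeholder CVE IDs are also constructed so the
script runs offline.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed's shape.  The four real CVE IDs are the
# ones this newsletter lists for April 22nd to April 28th; dates are illustrative.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-38028", "dateAdded": "2024-04-23", "dueDate": "2024-05-14",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-4040", "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20359", "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20353", "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed: CVE IDs your threat-intel feed reports as having weaponized PoC
# code.  "CVE-2024-99999" is a placeholder, not a real vulnerability.
WEAPONIZED_POC = {"CVE-2024-4040", "CVE-2024-99999"}

# Constructed scan findings: (hostname, CVE ID, internet-exposed?).
# "CVE-2023-00000" is a placeholder for a flaw in neither KEV nor the PoC list.
SCAN_FINDINGS = [
    ("ftp-01", "CVE-2024-4040", True),
    ("fw-edge-02", "CVE-2024-20353", True),
    ("print-srv", "CVE-2022-38028", False),
    ("app-07", "CVE-2024-99999", False),
    ("app-08", "CVE-2023-00000", True),
]


def load_kev(kev_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(findings, kev, weaponized, today):
    """Assign each finding a tier and an emergency-patch SLA.

    Tier 1: in CISA KEV (24h SLA if internet-exposed, else 48h; also reports
            whether CISA's own due date has passed).
    Tier 2: weaponized PoC available but not (yet) in KEV (48h SLA).
    Tier 3: everything else, handled by the normal patch cycle.
    """
    rows = []
    for host, cve, exposed in findings:
        if cve in kev:
            tier, sla_hours = 1, (24 if exposed else 48)
            overdue = today > date.fromisoformat(kev[cve]["dueDate"])
        elif cve in weaponized:
            tier, sla_hours, overdue = 2, 48, False
        else:
            tier, sla_hours, overdue = 3, None, False
        rows.append({"host": host, "cve": cve, "exposed": exposed,
                     "tier": tier, "sla_hours": sla_hours, "kev_overdue": overdue})
    # Highest tier first, internet-exposed hosts before internal ones.
    rows.sort(key=lambda r: (r["tier"], not r["exposed"], r["cve"]))
    return rows


def tier_counts(rows):
    """Summary of how many findings landed in each tier."""
    counts = {1: 0, 2: 0, 3: 0}
    for r in rows:
        counts[r["tier"]] += 1
    return counts


if __name__ == "__main__":
    plan = triage(SCAN_FINDINGS, load_kev(KEV_JSON), WEAPONIZED_POC, date(2024, 5, 2))
    for r in plan:
        print(f"tier {r['tier']}  {r['host']:<12} {r['cve']:<16} "
              f"exposed={r['exposed']!s:<5} sla={r['sla_hours']}h overdue={r['kev_overdue']}")
    print(tier_counts(plan))
```

Swap the constructed KEV_JSON for the downloaded feed and SCAN_FINDINGS for your scanner's export and the output becomes the emergency-patch queue; the `kev_overdue` flag is useful for organizations that track CISA's due dates as a compliance deadline.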


Access to 3000 Fortigate SSL-VPN Gateways Offered on the Dark Web

The bulk sale of VPN access offered is not cool.  What’s unclear is how the access was gained.  There is a tremendous amount of credential stuffing happening, infostealer data is abundant, and it could be another zero-day; it’s anyone’s guess.

https://cybersecuritynews.com/hackers-offering-admin-access/


New Behavior for VexTrio TDS

The most notable behavior change is the switch from client-side to server-side redirects.  There are several new domain names utilized as well.

https://blog.sucuri.net/2024/04/javascript-malware-switches-to-server-side-redirects-dns-txt-records-tds.html


Western Threat Actors, English Speaking, Making Waves

As we continue to defend against ransomware threat actors, Western teenagers are joining the ranks via a group known as “The Com”.  Affiliate groups such as Lapsus$ and Scattered Spider have come from “The Com”.  These western teenagers use social engineering to facilitate SIM Swaps and go after help desk personnel to bypass MFA.

https://www.healthcareinfosecurity.com/rising-ransomware-issue-english-speaking-western-affiliates-a-24901

https://fr.sentinelone.com/wp-content/uploads/2024/01/Watchtower_2023_EOY_rd4.pdf


Researchers Share Ransomware Data From 2020 to Q1 2023

There is a lot of data in the article and report.  The graph of victims from 2020 to Q1 2024 shows how quickly the beginning of big game hunting took hold.  The success of a few big players has led many would-be criminals to enter the game and here we are.

https://thehackernews.com/2024/04/ransomware-double-dip-re-victimization.html#what-we-are-observing-in-the-cyx-threat-landscape

https://www4.orangecyberdefense.com/security-navigator-2024


CDN Flaw Affects GitLab Allowing Malware Hosting

Threat actors are abusing GitHub and GitLab comments to push malware, making the files seem legitimate.

https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/


APT28 Abuses Print Spooler Flaw for Post Exploitation Activities

Russian threat actors have been abusing CVE-2022-38028 since at least June 2020.  They use a batch script to launch the GooseEgg executable, which can execute other payloads with system privileges.

https://www.bleepingcomputer.com/news/security/microsoft-russian-apt28-hackers-exploit-windows-flaw-reported-by-nsa-using-gooseegg-tool/

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/


GRIT Ransomware Report Q1 2024

Researchers share ransomware observations and trends for Q1 2024. 

https://www.guidepointsecurity.com/wp-content/uploads/2024/04/2024_Q1_GRIT_Ransomware_Report_Quarterly.pdf


Edge Devices Such as VPN and Others Targeted

The downside to appliances: when a forensic image is needed, you must ask the vendor.  This lack of visibility is allowing threat actors to take advantage of edge devices.

https://www.darkreading.com/endpoint-security/edge-vpns-firewalls-nonexistent-telemetry-apts

https://services.google.com/fh/files/misc/m-trends-2024.pdf


ToddyCat APT Laterally Moves and Creates Tunnels

Researchers share details of this APT group.  Interestingly, many threat actors use several of these techniques; it is worth taking a look and ensuring proper detection coverage.

https://therecord.media/data-theft-groups-goal-apac

https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/


GuptiMiner is Delivered via eScan Updates

Researchers observe malicious updates being delivered via an AitM position.  GuptiMiner is a sophisticated malware, capable of deploying multiple malicious payloads.

https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/

https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html

https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/


Suspected CoralRaider Campaign Abusing CDN Cache

Threat actors are using content delivery network caches to deliver info-stealer malware.  Researchers believe the threat actors are financially motivated.

https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/

https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/


REMCOS Rat Deep Dive

Researchers dig into REMCOS, introducing the red teaming tool that threat actors consistently abuse.  It is used as a remote access trojan with a wide range of capabilities.

https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one


File Transfer System CrushFTP Zero-Day, Now Patched

Proof of concept code is available, and CVE-2024-4040 is being actively targeted.  File transfer systems are a threat actor favorite; Cl0p wreaked havoc with the MOVEit vulnerability.

https://www.darkreading.com/cloud-security/patch-crushftp-zero-day-cloud-exploit-targets-us-orgs


Ongoing Multistage Attack Campaign Codename Frozen#Shadow

A phishing campaign delivers the SSLoad malware, which in turn deploys Cobalt Strike and ScreenConnect remote management software.

https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html

https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/


Researchers Share SEO Poisoning Campaign Distributing Malware

Malware-laden websites are hosted on seemingly legitimate platforms to manipulate search engines.  Rather than targeting a particular group, the campaign covers a broad range of topics and interests.  Evasion and obfuscation techniques are utilized to fly under the radar.

https://www.zscaler.com/blogs/security-research/black-hat-seo-leveraged-distribute-malware


Third Party Data Leak Services for Cheated Ransomware Affiliates

Researchers examine the creation and use of third-party ransomware leak sites. 

https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/


Nation State Backed Actors Exploit Two Cisco ASA Zero-Days

The campaign called ArcaneDoor was discovered in January 2024.  Malware implants were deployed, and the goal of the campaign appears to be espionage.

https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/


Android Malware Delivered Through Fake Google Chrome Update

Dubbed Brokewell, this malware is under development and features device takeover and remote-control capabilities.  Delivered via fake Google Chrome updates.

https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/


Researchers Sinkhole PlugX Command and Control (C2) Server

This one is interesting: the researchers’ sinkholing of the C2 IP address revealed the scale of the malware’s reach.  So far, 2,495,247 unique IPs as of April 25th, 2024.

https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-malware-server-with-25-million-unique-ips/


Okta Observing Spike in Credential Stuffing Attacks Against IAM Solutions

The attacks come from anonymization networks such as TOR and residential proxies.  Threat actors use these capabilities to hide the source of the traffic.  Using residential proxies makes the traffic look like it comes from legit users, tending to fly under the radar.

https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/

https://sec.okta.com/blockanonymizers
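The two tells in the Okta section, traffic from anonymization networks and one source trying many different usernames with a low success rate, are both detectable from ordinary authentication logs. The detector below is an added example, not from the newsletter or from Okta: it parses a constructed, generic log format (timestamp, source IP, username, outcome), keeps a sliding window per source IP, and flags an IP when it attempts many distinct usernames with few successes inside the window, or when it appears on an anonymizer list. The log lines use RFC 5737 documentation addresses and the anonymizer set is a constructed placeholder, not real TOR exit or residential-proxy ranges; adapt `parse_line` to your identity provider's export.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the newsletter or Okta.  Log format, sample lines and
the anonymizer list are constructed; the detection logic is the generic
"many distinct users, low success rate, per source IP" heuristic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>".
# 203.0.113.7 sprays eight accounts in seconds; 198.51.100.9 is a constructed
# anonymizer address; 192.0.2.10 is a normal user who mistypes a password once.
SAMPLE_LOG = """\
2024-04-25T10:00:01Z 203.0.113.7 alice FAILURE
2024-04-25T10:00:02Z 203.0.113.7 bob FAILURE
2024-04-25T10:00:03Z 203.0.113.7 carol FAILURE
2024-04-25T10:00:04Z 203.0.113.7 dave FAILURE
2024-04-25T10:00:05Z 203.0.113.7 erin FAILURE
2024-04-25T10:00:06Z 203.0.113.7 frank FAILURE
2024-04-25T10:00:07Z 203.0.113.7 grace FAILURE
2024-04-25T10:00:08Z 203.0.113.7 heidi SUCCESS
2024-04-25T10:01:00Z 198.51.100.9 alice FAILURE
2024-04-25T10:01:05Z 198.51.100.9 alice FAILURE
2024-04-25T10:05:00Z 192.0.2.10 alice FAILURE
2024-04-25T10:05:10Z 192.0.2.10 alice SUCCESS
"""

# Constructed placeholder; in practice feed this from your anonymizer/proxy intel.
ANONYMIZER_IPS = frozenset({"198.51.100.9"})


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded) for one log line."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.2, anonymizers=frozenset()):
    """Return {source_ip: finding} for IPs that look like credential stuffing.

    An IP is flagged with "many_users_low_success" if, within any sliding
    window, it attempted at least `min_users` distinct usernames and at most
    `max_success_ratio` of those attempts succeeded; and with "anonymizer" if
    it is on the supplied anonymizer list.
    """
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        reasons = set()
        if ip in anonymizers:
            reasons.add("anonymizer")
        # Sliding window over this IP's attempts, tracking distinct users and successes.
        start, users, successes = 0, Counter(), 0
        for i, (ts, user, ok) in enumerate(events):
            users[user] += 1
            successes += ok
            while ts - events[start][0] > window:
                _, old_user, old_ok = events[start]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                successes -= old_ok
                start += 1
            total = i - start + 1
            if len(users) >= min_users and successes / total <= max_success_ratio:
                reasons.add("many_users_low_success")
        if reasons:
            findings[ip] = {
                "reasons": sorted(reasons),
                "attempts": len(events),
                "distinct_users": len({u for _, u, _ in events}),
                "compromised": sorted(u for _, u, ok in events if ok),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG.splitlines(),
                                 anonymizers=ANONYMIZER_IPS).items():
        print(ip, f)
```

The `compromised` field is the part worth acting on first: a success inside a flagged window means that account's password is already known to the attacker, so it goes to the reset queue ahead of any IP blocking. Thresholds are deliberately conservative; tune `min_users` and `window` against your own baseline before alerting on them.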

