Cyber Threat Weekly – #24
The week of April 29th through May 5th was light, with only 369 cyber news articles reviewed, but there is still a large amount of cyber threat trend and adversarial behavior news to share. Let's start with threat actors taking 29 days to go from IcedID infection to ransomware deployment.
World Password Day Survey 2024. A new EDR bypass technique called HookChain. Zloader malware gets an update. Suspected Chinese threat actors manipulating DNS. Researchers reveal a novel DarkGate infection chain.
Docker Hub abused by threat actors to appear legitimate. An R programming language arbitrary code execution bug. A new Latrodectus campaign discovered. The 2024 Data Breach Investigations Report (DBIR) is live.
Supposed pro-Russian hacktivists, possibly APT44, targeting water facilities. Four fixes for HPE Aruba critical remote code execution bugs. SCCM exploitation to grab network access accounts (NAA). A massive spike in QR code phishing observed.
Threat actors, both nation state and cybercriminal, share an interest in proxy botnets. North Korean threat actors abusing weak DMARC email policies.
Broken Record Alert: Please Patch N-Day Flaws!!!
Known exploited software flaws are one of the top five initial access vectors, and abuse of N-day vulnerabilities is on the rise. Prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close second priority is flaws with weaponized proof-of-concept (PoC) code publicly available; the chance of exploitation rises sharply once weaponized PoC code exists. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Consider what is exposed to the Internet first, and remove the low-hanging fruit threat actors continue to target.
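To make the ordering above concrete, here is an added example (not from the newsletter) that triages a vulnerability inventory against a KEV-shaped feed: KEV entries get the 24-hour SLA, weaponized-PoC findings the 48-hour SLA, and everything else the normal cycle, with Internet-exposed hosts sorted first inside each tier. The feed snippet and inventory are constructed samples; the `CVE-EXAMPLE-*` identifiers are placeholders, and the dates are illustrative rather than taken from the live catalog.

```python
"""Triage a vulnerability inventory against the CISA KEV catalog.

Added example, not from the newsletter. Tiers follow the text above:
  tier 1: listed in CISA KEV (known exploited)   -> 24-hour emergency SLA
  tier 2: weaponized public PoC exists           -> 48-hour emergency SLA
  tier 3: everything else                        -> normal patch cycle
Within a tier, Internet-exposed hosts sort first.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# feed (only the fields used here; dates are illustrative, not the live feed).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-29988", "vendorProject": "Microsoft", "product": "SmartScreen Prompt",
     "dateAdded": "2024-04-30", "dueDate": "2024-05-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-7028", "vendorProject": "GitLab", "product": "GitLab CE/EE",
     "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

SLA_HOURS = {1: 24, 2: 48, 3: 30 * 24}   # tier -> hours until patch_by


@dataclass(frozen=True)
class Finding:
    """One (host, CVE) pair from a scanner or asset inventory."""
    host: str
    cve: str
    internet_exposed: bool
    weaponized_poc: bool   # a working public exploit is known (your intel feed decides this)


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def tier(finding: Finding, kev: dict) -> int:
    """KEV beats PoC beats everything else; exposure only affects ordering."""
    if finding.cve in kev:
        return 1
    return 2 if finding.weaponized_poc else 3


def triage(kev_json: str, inventory: list, now: datetime) -> list:
    """Return findings as dicts, sorted by tier then exposure, with an SLA deadline."""
    kev = load_kev(kev_json)
    rows = []
    for f in inventory:
        t = tier(f, kev)
        rows.append({
            "host": f.host,
            "cve": f.cve,
            "tier": t,
            "internet_exposed": f.internet_exposed,
            "reason": "in CISA KEV" if t == 1 else ("weaponized PoC" if t == 2 else "routine"),
            "patch_by": (now + timedelta(hours=SLA_HOURS[t])).strftime("%Y-%m-%dT%H:%M"),
            "cisa_due": kev[f.cve]["dueDate"] if f.cve in kev else None,
        })
    # Exposed hosts first within a tier: "not exposed" sorts False < True.
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["host"]))
    return rows


# Constructed inventory; CVE-EXAMPLE-* are placeholders, not real identifiers.
INVENTORY = [
    Finding("db-03", "CVE-EXAMPLE-0002", internet_exposed=False, weaponized_poc=False),
    Finding("ws-042", "CVE-2024-29988", internet_exposed=False, weaponized_poc=False),
    Finding("jump-01", "CVE-EXAMPLE-0001", internet_exposed=True, weaponized_poc=True),
    Finding("gitlab-01", "CVE-2023-7028", internet_exposed=True, weaponized_poc=True),
]

if __name__ == "__main__":
    for row in triage(KEV_JSON, INVENTORY, datetime(2024, 5, 6, 9, 0)):
        print(f"T{row['tier']} {row['host']:<10} {row['cve']:<18} {row['reason']:<15} "
              f"patch by {row['patch_by']}  CISA due {row['cisa_due']}")
```

In practice, point `KEV_JSON` at the real feed and `INVENTORY` at your scanner export; the `weaponized_poc` flag is the one input you have to source yourself, from an exploit-availability intel feed or your own tracking.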
CISA Known Exploited Vulnerabilities for April 29th to May 5th:
CVE-2024-29988 – Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability:
Allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-38831 and CVE-2024-21412 to execute a malicious file.
CVE-2023-7028 – GitLab Community and Enterprise Editions Improper Access Control Vulnerability:
Allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.
Dagon Locker Ransomware Deployed 29 Days After IcedID
The DFIR Report is amazing; their threat intel is the gold standard, documenting the procedures used, which helps when building detections. They walk through a now-typical ransomware campaign. Ransomware affiliates are getting good at their tradecraft, and this playbook is pretty typical. Are you ready for a living-off-the-land / fileless attack?
https://cybersecuritynews.com/29-days-from-icedid-infection-to-dagon-locker-ransomware-deployment/
https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
World Password Day Survey 2024
Bitwarden shares the password habits, at work and at home, of 2,400 individuals. While not all bad, there is plenty of room for improvement.
https://bitwarden.com/resources/world-password-day/
HookChain – A New EDR Bypass Technique
A couple of variants of this bypass technique work against 7 of the 8 EDRs tested; interestingly, it did not work against SentinelOne. HookChain combines IAT hooking, dynamic syscall number (SSN) resolution, and indirect system calls to route Windows API calls around the user-mode hooks EDRs place in ntdll.dll.
https://cybersecuritynews.com/hookchain-edr-evasion-technique/
https://arxiv.org/pdf/2404.16856
Researchers Share Analysis of Latest Zloader Version
The Zloader updates cover its domain generation algorithm, network communication, and obfuscation techniques.
https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks
Manipulating DNS, Muddling Meerkat Threat Actors
Possible Chinese threat actors are messing with DNS, with no apparent goal, but the activity is sophisticated.
Novel DarkGate Infection Chain Discovered
Researchers share infection chains observed recently. DarkGate is a remote access trojan marketed as malware-as-a-service (MaaS) that has been around since at least 2018.
REMCOS RAT – In Depth Analysis Part 2
Researchers continue their analysis of REMCOS RAT, digging into its recording and command-and-control capabilities.
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two
Docker Hub Targeted by Threat Actors Planting Millions of ‘Imageless’ Containers
Multiple campaigns were uncovered using 2.81 million repositories that carry no container image, only a description page redirecting unsuspecting users to malicious websites. These campaigns show how threat actors take advantage of legitimate resources; we must remain vigilant.
https://thehackernews.com/2024/04/millions-of-malicious-imageless.html
Remote Code Execution Flaw in R Programming Language
The vulnerability, tracked as CVE-2024-27322, has a CVSS v3 score of 8.8. It is triggered by specially crafted RDS (R Data Serialization) and RDX files, so there is a social engineering component to the attack vector: the victim has to load the file.
https://hiddenlayer.com/research/r-bitrary-code-execution/
Legit Looking Themes Used in Latrodectus Malware Attack Campaign
A possible replacement for IcedID: researchers linked the two malware families through shared distribution and infrastructure. This campaign uses Microsoft Azure and Cloudflare themes to appear legitimate. Latrodectus is used for initial access and to drop other malware.
Verizon DBIR Released
These are always interesting. A record number of security incidents and confirmed breaches were analyzed, more than double last year's count. Around 68% of breaches involved a non-malicious human element, such as an error or falling for social engineering. The basics are still pwning us.
https://www.verizon.com/business/resources/reports/dbir/2024/summary-of-findings/
Pro-Russian Hacktivists Targeting Insecure Water Facilities to Create a Nuisance
The US Government warns that pro-Russian hacktivists have been targeting insecure OT devices since 2022, mainly using unsophisticated techniques against Internet-exposed systems to create a nuisance.
Four ArubaOS Critical Vulnerabilities Fixed
HPE Aruba fixed four critical buffer overflow flaws in ArubaOS that can lead to unauthenticated remote code execution.
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Researchers Share SCCM Abuse to Snag Network Access Accounts (NAA)
Legacy NAAs are still prevalent in many organizations. Multiple methods are shared to find and recover these credentials for abuse, along with mitigations.
https://www.guidepointsecurity.com/blog/sccm-exploitation-compromising-network-access-accounts/
Nation State and Cybercriminal Threat Actors Share Interest in EdgeRouters
Researchers share trends in threat actors abusing residential routers and VPN services to build proxy botnets. Proxy anonymization and VPNs hide the actor's true location and make traffic appear to come from legitimate residential IP space, a win-win for threat actors.
https://www.trendmicro.com/en_us/research/24/e/router-roulette.html?&web_view=true
Weak DMARC Email Policies Exploited by North Korean State Actors
The bummer here: yesterday's nation state attack is tomorrow's commodity attack. Abusing weak or missing DMARC policies (p=none) to spoof the sender domain of spear phishing emails and lend them legitimacy could become a trend.
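The check a defender wants here is whether their own domains carry the weak policy the advisory describes. The following is an added example, not from the newsletter or the advisory: it parses DMARC record text and grades it as missing, weak, or enforcing, flagging p=none, partial pct, a weaker subdomain policy, and missing aggregate reporting. It works on strings so it runs offline; in production, fetch the TXT record at _dmarc.<domain> with your DNS library and pass it in. The sample records are constructed and use the reserved example.com domain.

```python
"""Grade DMARC records for the weakness described above (p=none and friends).

Added example, not from the newsletter or the government advisory. Works on
record text so it runs offline; fetch _dmarc.<domain> TXT yourself in production.
"""
from typing import Dict, List, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict.
    Tag names are case-insensitive; parts without '=' are skipped."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is 'missing', 'weak' or 'enforcing'.

    'enforcing' means receivers reject 100% of mail failing alignment for the
    domain and its subdomains, which is what actually stops sender spoofing."""
    if not record:
        return "missing", ["no _dmarc TXT record: receivers have no policy to apply"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "missing", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p")
    if policy is None:
        return "missing", ["no p= tag; the record is invalid and ignored"]

    findings = []
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unknown policy value")

    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    subpolicy = tags.get("sp", policy)    # sp defaults to p when absent
    if policy == "reject" and subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains of this domain can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")

    enforcing = policy == "reject" and pct == "100" and subpolicy == "reject"
    return ("enforcing" if enforcing else "weak"), findings


# Constructed records (example.com is the RFC-reserved domain, not a real target).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; pct=25; sp=none"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, PARTIAL_RECORD, STRONG_RECORD, None):
        verdict, findings = grade_dmarc(rec)
        print(f"{verdict:<9} {rec!r}")
        for finding in findings:
            print("   -", finding)
```

The PARTIAL_RECORD case is the one that fools dashboards: p=reject looks strong, but pct=25 means three quarters of spoofed mail still gets through and sp=none leaves every subdomain open.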
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter