Skip to content

Cyber Threat Weekly – #24

Derek Krein
5 min read

The week of April 29th through May 5th was light with only 369 cyber news articles reviewed.  But a large amount of cyber threat trend and adversarial behavior news to share.  Let’s start with threat actors took 29 days from IcedID infection to ransomware.

World Password Day Survey 2024.  A new EDR bypass technique called HookChain.  Zloader malware gets an update.  Suspected Chinese threat actors manipulating DNS.  Researchers reveal novel DarkGate infection chain.

Docker Hub abused by threat actors to appear legit.  R programming language arbitrary code execution bug.  New Latrodectus campaign discovered.  The 2024 Data Breach Investigations Report (DBIR) is live. 

Supposed pro-Russian hacktivists / possible APT44 targeting water facilities.  Four fixes for HPE Aruba critical remote code execution bugs.  SCCM exploitation to scarf network access accounts (NAA).  QR code phishing massive spike observed. 

Threat actors, both nation state and cybercriminal share an interest in proxy botnets.  North Korean threat actors abusing weak DMARC email policies.


Broken Record Alert:  Please Patch N-Day Flaws!!!

Known exploited software flaws are one of the top 5 initial access vectors.  Abuse of N-day vulnerabilities is on the rise.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for April 29nd to May 5th:

CVE-2024-29988 – Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability:
Allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-38831 and CVE-2024-21412 to execute a malicious file.

CVE-2023-7028 – GitLab Community and Enterprise Editions Improper Access Control Vulnerability:
Allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.


Dragon Locker Ransomware Deployed 29 Days After IcedID

DFIRreports is amazing, their threat intel is the gold standard providing procedures used which helps when building detections.  They walk through a now typical ransomware campaign.  Ransomware affiliates are getting good at their trade craft, this playbook is pretty typical, are you ready for a living off the land / file attack?

https://cybersecuritynews.com/29-days-from-icedid-infection-to-dagon-locker-ransomware-deployment/

https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/


World Password Day Survey 2024

Bitwarden shares the password habits at work and at home of 2,400 individuals. While not all bad, there is plenty of room for improvement.

https://bitwarden.com/resources/world-password-day/


HookChain – A New EDR Bypass Technique

A couple of versions of this bypass technique work on 7 of 8 EDR’s tested.  Interestingly, it didn’t work on Sentinel One.

https://cybersecuritynews.com/hookchain-edr-evasion-technique/

https://arxiv.org/pdf/2404.16856


Researchers Share Analysis of Latest Zloader Version

Zloader updates include domain generation algorithm, network communication, and obfuscation techniques.

https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks


Manipulating DNS, Muddling Meerkat Threat Actors

Possible Chinese threat actors messing with DNS, no apparent goal, but sophisticated activity.

https://www.bleepingcomputer.com/news/security/muddling-meerkat-hackers-manipulate-dns-using-chinas-great-firewall/

https://insights.infoblox.com/resources-report/infoblox-report-muddling-meerkat-the-great-firewall-manipulator


Novel DarkGate Infection Chain Discovered

Researchers share infection chains observed recently.  DarkGate is a remote access trojan, it’s marketed as malware-as-a-service (MaaS) and has been around since at least 2018.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen/


REMCOS RAT – In Depth Analysis Part 2

Researchers continue to analyze REMCOS RAT digging into its recording and command and control capabilities.

https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two


Docker Hub Targeted by Threat Actors Planting Millions of ‘Imageless’ Containers

Multiple campaigns were uncovered, using 2.81 million repositories redirecting unsuspecting users to malicious websites.  These types of campaigns show us how threat actors are taking advantage of legitimate resources, we must remain vigilant.

https://thehackernews.com/2024/04/millions-of-malicious-imageless.html

https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/


Remote Code Execution Flaw in R Programming Language

The vulnerability tracked as CVE-2024-27322 with a CVSS v3 score of 8.8.  Specially crafted RDS and RDX files are required, there is a social engineering component to the attack vector.

https://www.bleepingcomputer.com/news/security/r-language-flaw-allows-code-execution-via-rds-rdx-files/

https://hiddenlayer.com/research/r-bitrary-code-execution/


Legit Looking Themes Used in Latrodectus Malware Attack Campaign

A possible replacement for IcedID, researchers linked the two malwares via the same distribution and infrastructure.  This campaign uses Microsoft Azure and Cloudflare themes to appear legitimate.  Latrodectus is used for initial access and to drop other malware. 

https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/


Verizon DBIR Released

These are always interesting, a record number of security incidents and confirmed breaches were analyzed, more than double from last year.  Around 68% of breaches involved some sort of human error.  The basics are still pwning us.

https://www.darkreading.com/cyberattacks-data-breaches/verizon-dbir-basic-security-gaffes-underpin-bumper-crop-of-breaches

https://www.verizon.com/business/resources/reports/dbir/2024/summary-of-findings/


Pro-Russian Hacktivists Targeting Insecure Water Facilities to Create a Nuisance

US Government warns that Russian threat actors have been targeting insecure OT devices since 2022.  Mainly using unsophisticated techniques to create a nuisance.

https://www.bleepingcomputer.com/news/security/us-govt-warns-of-pro-russian-hacktivists-targeting-water-facilities/

https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf


Four ArubaOS Critical Vulnerabilities Fixed

HPE Aruba fixes four critical flaws that can lead to remote code execution.

https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos/

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt


Researchers Share SCCM Abuse to Snag Network Access Accounts (NAA)

Legacy NAA are still prevalent in many organizations.  Multiple methods are shared to find and obtain these credentials for abuse.  Mitigations are shared as well.

https://www.guidepointsecurity.com/blog/sccm-exploitation-compromising-network-access-accounts/


Nation State and Cybercriminal Threat Actors Share Interest in EdgeRouters

Researchers share trends in threat actors abusing residential routers and VPNs, establishing proxy botnets.  Proxy anonymization and VPNs help hide true location and appear more legitimate.  A win-win for threat actors.

https://www.trendmicro.com/en_us/research/24/e/router-roulette.html?&web_view=true


Weak DMARC Email Policies Exploited by North Korean State Actors

The bummer here, yesterday’s nation state attack is tomorrow’s commodity attack.  Abusing weak DMARC policies to spoof spear phishing emails for legitimacy, could become a trend.

https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/

https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by