Cyber Threat Weekly – #25
The week of April 6th through April 12th was near average with 428 cyber news articles reviewed. There is a moderate amount of cyber threat trend and adversarial behavior news to share. Let’s start with the Tinyproxy critical remote code execution bug.
Citrix fixes bug nearly identical to CitrixBleed, but not as severe. Ransomware Summary Q1 2024. MITRE shares more details on APT attack. WordPress LiteSpeed Cache Bug exploited. Microsoft is doubling down on security, be prepared.
A different view of the ransomware economy. Researchers share an AsyncRAT campaign. A new research report unveiled sharing the state of asset security across global enterprises. An interesting report on the use of LLMs for influence operations.
Some ransomware clowns have no morals, no rules of engagement. Bugs in F5 Networks Big-IP Next. REMCOS RAT analysis part 4. The Sophos State of Ransomware 2024 report. Fifth Google Chrome zero-day this year is fixed.
A good write up on social engineering. CISA releases AA24-131A – Black Basta Ransomware.
Broken Record Alert: Please Patch N-Day Bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. Abuse of N-day vulnerabilities is on the rise. You can prioritize by starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close second priority is flaws with weaponized proof-of-concept (PoC) code available. The chance of exploitation is higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Let’s remove some of the low-hanging fruit that threat actors continue to target.
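The prioritization order above (CISA KEV first, weaponized PoC second, Internet-facing hosts ahead of internal ones, and a 48-hour emergency window) as a small triage script. This is an added example, not code from the newsletter; the KEV entries, PoC set and inventory are constructed sample data (the CVE ids are either from this page or obvious placeholders), and a real run would load CISA's published KEV feed and your own vulnerability scanner output.

```python
import json
from datetime import datetime, timedelta

# The page's emergency process is 24 to 48 hours; 48h is the outer bound used here.
EMERGENCY_WINDOW = timedelta(hours=48)

# Constructed sample in the shape of CISA's KEV JSON feed (real field names;
# dates and the CVE-0000-* ids are made up). Load CISA's feed in practice.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2024-4671", "vendorProject": "Google", "product": "Chromium Visuals",
  "dateAdded": "2024-05-13", "dueDate": "2024-06-03"},
 {"cveID": "CVE-0000-0001", "vendorProject": "Placeholder", "product": "Placeholder",
  "dateAdded": "2024-05-06", "dueDate": "2024-05-27"}
]}"""

# Constructed: CVE ids your intel feed reports weaponized PoC code for (placeholders).
WEAPONIZED_POC = {"CVE-0000-0002"}

# Constructed inventory of open findings, with when each was first observed.
INVENTORY = [
    {"host": "edge-proxy-1", "cve": "CVE-0000-0001", "internet_facing": True,
     "first_seen": "2024-05-07T09:00:00"},
    {"host": "wiki-int-2", "cve": "CVE-0000-0002", "internet_facing": False,
     "first_seen": "2024-05-11T15:00:00"},
    {"host": "build-7", "cve": "CVE-0000-0003", "internet_facing": False,
     "first_seen": "2024-05-01T08:00:00"},
]

def load_kev(kev_json):
    """Return {cveID: entry} from a KEV-format JSON document."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def tier(cve, kev, poc):
    """1 = in CISA KEV, 2 = weaponized PoC available, 3 = everything else."""
    return 1 if cve in kev else 2 if cve in poc else 3

def prioritize(inventory, kev, poc, now_iso):
    """Rank findings by tier, then Internet-facing first, then oldest first.
    Tier 1 and 2 findings older than EMERGENCY_WINDOW are flagged overdue."""
    now = datetime.fromisoformat(now_iso)
    ranked = []
    for f in inventory:
        t = tier(f["cve"], kev, poc)
        age = now - datetime.fromisoformat(f["first_seen"])
        ranked.append({**f, "tier": t, "overdue": t < 3 and age > EMERGENCY_WINDOW,
                       "kev_due": kev.get(f["cve"], {}).get("dueDate")})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_facing"], r["first_seen"]))
    return ranked
```

Calling `prioritize(INVENTORY, load_kev(KEV_JSON), WEAPONIZED_POC, "2024-05-12T12:00:00")` puts the KEV-listed Internet-facing host first and flags it overdue, since it has sat open well past the 48-hour window.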
CISA Known Exploited Vulnerabilities for May 6th to May 12th:
CVE-2024-4671 - Google Chromium Visuals Use-After-Free Vulnerability:
Allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Critical Remote Code Execution Vulnerability in Tinyproxy
More than 50,000 devices exposed to the Internet are vulnerable, the majority in the US. Why do we keep exposing services to the Internet that should not be exposed?
High Severity NetScaler ADC and Gateway Bug Fixed by Citrix
Citrix addressed the bug earlier this year in version 13.1-51.15 but did not assign a CVE identifier.
https://bishopfox.com/blog/netscaler-adc-and-gateway-advisory
Q1 2024 Ransomware Summary
A quick look at top stats for ransomware. Worth the quick read. Key stat: a record-breaking Q1 with 192 disclosed ransomware attacks and 1,000 undisclosed.
https://www.blackfog.com/ransomware-roundup-q1-2024/
Five Unique Payloads Used Against MITRE
MITRE was hit before the initial disclosure of the Ivanti vulnerabilities. Zero-day bugs allowed initial access. MITRE provides a nice timeline of events.
https://www.darkreading.com/cloud-security/chinese-hackers-deployed-backdoor-quintet-to-down-mitre
Threat Actors Targeting WordPress LiteSpeed Cache Plugin
Attackers are abusing the plugin to create administrator accounts, allowing complete site takeover. The bummer: compromised WordPress sites are a favorite place for threat actors to hide in plain sight. The target opportunity is significant at over 1.8 million. In addition, the Email Subscribers plugin is targeted too.
https://lab.wallarm.com/cve-2024-2876-wordpress-plug-in-threatens-90000-websites/
Get Ahead of Microsoft Security Changes
Legacy systems are on the chopping block; Microsoft is focusing on security after the scathing Cyber Safety Review Board report.
Researchers Share the Financial Side of Ransomware Disruptions
Chainalysis provides an interesting look at ransomware economics, and the good news is that we are currently winning: fewer organizations are paying the ransom, and the average ransom is on the decline.
https://www.helpnetsecurity.com/2024/05/07/ransomware-payments-falling/?web_view=true
https://www.chainalysis.com/blog/ransomware-disruptions-impact/
Novel AsyncRAT Infection Chain Analysis
Researchers share the multifaceted infection chain lacking portable executables.
runZero Research Report
With attack surfaces growing, this research provides a unique perspective into assets and the attack surface.
https://www.runzero.com/uploads/documents/reports/runzero-research-report-vol1-2024-05.pdf
Russian Threat Actors Using LLMs for Influence Operations
Threat actors are using generative AI to plagiarize mainstream media to support Russian objectives.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0509.pdf
Psychological Attacks are the New Ransomware Clown Norm
You know it’s bad when extortionists go after victims and kids of execs.
https://www.theregister.com/2024/05/07/ransomware_evolves_from_mere_extortion/
F5 Big-IP Next Flaws
Multiple vulnerabilities allow full takeover and hidden accounts.
https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/
Analyzing REMCOS RAT Part 4
Detection and hunting are the focus of this analysis.
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four
The State of Ransomware 2024
Researchers present the findings from a survey of 5,000 individuals.
https://www.helpnetsecurity.com/2024/05/08/ransomware-law-enforcement-help/
https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf
Security Update for Fifth Google Chrome Zero-Day Exploited in 2024
An exploit exists in the wild; this is one to patch ASAP.
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
Hacking the Human, Social Engineering
Social engineering is used quite often in attack campaigns; here is a nice refresher.
https://www.csoonline.com/article/571993/social-engineering-definition-examples-and-techniques.html
CISA AA24-131a – Black Basta Ransomware
Black Basta affiliates are a prolific threat; this advisory provides details to help defend your organization.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter