Skip to content

Cyber Threat Weekly – #25

Derek Krein
4 min read

The week of April 6th through April 12th was near average with 428 cyber news articles reviewed. A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Tinyproxy critical remote code execution bug. 

Citrix fixes bug nearly identical to CitrixBleed, but not as severe.  Ransomware Summary Q1 2024.  MITRE shares more details on APT attack.  WordPress LiteSpeed Cache Bug exploited.  Microsoft is doubling down on security, be prepared.

A different view of the ransomware economy.  Researchers share an AsyncRAT campaign.  A new research report unveiled sharing the state of asset security across global enterprises.  An interesting report on the use of LLMs for influence operations.

Some ransomware clowns have no morals, no rules of engagement.  Bugs in F5 Networks Big-IP Next.  REMCOS RAT analysis part 4.  The Sophos State of Ransomware 2024 report.  Fifth Google Chrome zero-day this year is fixed.

A good write up on social engineering.  CISA releases AA24-131A – Black Basta Ransomware. 


Broken Record Alert:  Please Patch N-Day Bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  Abuse of N-day vulnerabilities is on the rise.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for May 6th to May 12th:

CVE-2024-4671 - Google Chromium Visuals Use-After-Free Vulnerability:
Allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.


Critical Remote Code Execution Vulnerability in Tinyproxy

More than 50,000 devices exposed to the Internet are vulnerable, the majority in the US.  Why do we keep exposing services to the Internet that should not be exposed?

https://www.bleepingcomputer.com/news/security/over-50-000-tinyproxy-servers-vulnerable-to-critical-rce-flaw/


High Severity NetScaler ADC and Gateway Bug Fixed by Citrix

Citrix addressed the bug earlier this year in version 13.1-51.15 but did not assign a CVE identifier. 

https://www.darkreading.com/cyber-risk/citrix-addresses-high-severity-flaw-in-netscaler-adc-and-gateway

https://bishopfox.com/blog/netscaler-adc-and-gateway-advisory


Q1 2024 Ransomware Summary

A quick look at top stats for ransomware.  Worth the quick read.  Key stat, a record breaking Q1 with 192 disclosed ransomware attacks and 1,000 undisclosed.

https://www.blackfog.com/ransomware-roundup-q1-2024/


Five Unique Payloads Used Against MITRE

MITRE was hit before the initial disclosure of the Ivanti vulnerabilities.  Zero-day bugs allowed initial access.  MITRE provides a nice timeline of events.

https://www.darkreading.com/cloud-security/chinese-hackers-deployed-backdoor-quintet-to-down-mitre

https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3


Threat Actors Targeting WordPress LiteSpeed Cache Plugin

Attackers creating administrator accounts abusing the plugin allowing for complete site take over.  The bummer, compromised WordPress sites are a favorite for threat actors to hide in plain sight.  The target opportunity is significant at over 1.8 million.  In addition, email Subscribers plugin is targeted too.

https://www.bleepingcomputer.com/news/security/hackers-exploit-litespeed-cache-flaw-to-create-wordpress-admins/

https://lab.wallarm.com/cve-2024-2876-wordpress-plug-in-threatens-90000-websites/


Get Ahead of Microsoft Security Changes

Legacy systems are on the chopping block, Microsoft is focusing on security after the scathing Cyber Safety Review Board report.

https://www.csoonline.com/article/2099054/how-to-future-proof-windows-networks-take-action-now-on-planned-phaseouts-and-changes.html

https://www.darkreading.com/application-security/microsoft-will-hold-executives-accountable-for-cybersecurity

https://www.dhs.gov/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer


Researchers Share the Financial Side of Ransomware Disruptions

Chain analysis provides an interesting look at ransomware economics, the good news we are winning currently.  Less organizations are paying the ransom, and the average ransom is on the decline.

https://www.helpnetsecurity.com/2024/05/07/ransomware-payments-falling/?web_view=true

https://www.chainalysis.com/blog/ransomware-disruptions-impact/


Novel AsyncRAT Infection Chain Analysis

Researchers share the multifaceted infection chain lacking portable executables. 

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats/


runZero Research Report

With attack surfaces growing, this research provides a unique perspective into assets and the attack surface.

https://www.darkreading.com/threat-intelligence/runzero-research-explores-unexpected-exposures-in-enterprise-infrastructure

https://www.runzero.com/uploads/documents/reports/runzero-research-report-vol1-2024-05.pdf


Russian Threat Actors Using LLMs for Influence Operations

Threat actors are using generative AI to plagiarize mainstream media to support Russian objectives.

https://go.recordedfuture.com/hubfs/reports/cta-2024-0509.pdf


Psychological Attacks are the New Ransomware Clown Norm

You know it’s bad when extortionists go after victims and kids of execs. 

https://www.theregister.com/2024/05/07/ransomware_evolves_from_mere_extortion/


F5 Big-IP Next Flaws

Multiple vulnerabilities allow full takeover and hidden accounts.

https://www.darkreading.com/application-security/2-or-5-bugs-in-f5-asset-manager-allow-full-takeover-hidden-accounts

https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/


Analyzing REMCOS RAT Part 4

Detection and hunting are the focus of this analysis.

https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four


The State of Ransomware 2024

Researchers present the findings of 5,000 individuals surveyed.

https://www.helpnetsecurity.com/2024/05/08/ransomware-law-enforcement-help/?

https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf


Security Update for Fifth Google Chrome Zero-Day Exploited in 2024

An exploit exists in the wild, this is one to patch asap.

https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-vulnerability-exploited-in-attacks-in-2024/

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html


Hacking the Human, Social Engineering

Social engineering is used quite often in attack campaigns, here is a nice refresher.

https://www.csoonline.com/article/571993/social-engineering-definition-examples-and-techniques.html


CISA AA24-131a – Black Basta Ransomware

Black Basta affiliates are a prolific threat, this advisory provides details to help defend your organization.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8