Skip to content

Cyber Threat Weekly – #26

Derek Krein
5 min read

The week of May 13th through May 19th was a bit heavy with 459 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with LockBit ransomware emails sent from botnet.

Threat actors abusing DNS for tracking and discovery.  Researchers share FIDO2 authentication weaknesses.  Legit application lures abused to deliver Remcos RAT.  Google Chrome zero-day fix, the 6th so far this year.

Threat actor selling Outlook remote code execution (RCE) zero-day.  Novel social engineering campaign tied to Black Basta ransomware.  Microsoft fixes zero-day abused by QakBot and other threat actors.

D-Link RCE zero-day, the DIR-X4860 router.  The 7th actively exploited Google Chrome zero-day fixed.  Researchers analyze malicious OneNote payload sample trends.  Researchers spot the disrupted Grandoreiro returning in a large-scale attack campaign.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws continue to be abused by threat actors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Let’s remove some of the low hanging fruit threat actors continue to target.


CISA Known Exploited Vulnerabilities for May 13th to May 19th:

CVE-2024-4671 – Google Chromium Visuals Use-After-Free Vulnerability:
Allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

CVE-2024-30040 – Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability:
An unspecified vulnerability that allows for a security feature bypass.

CVE-2024-30051 – Microsoft DWM Core Library Privilege Escalation Vulnerability:
Allows an attacker to gain SYSTEM privileges.

CVE-2024-4761 – Google Chromium V8 Out-of-Bounds Memory Write Vulnerability:
Contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

CVE-2021-40655 – D-Link DIR-605 Router Information Disclosure Vulnerability:
Allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.

CVE-2014-100005 – D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability:
Allows an attacker to change router configurations by hijacking an existing administrator session.

CVE-2024-4947 – Google Chromium V8 Type Confusion Vulnerability:
Allows a remote attacker to execute code via a crafted HTML page.

CVE-2023-43208 – NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability:
Allows for unauthenticated remote code execution via a specially crafted request.


Researchers Observe Millions of LockBit Laden Phishing Emails

This feels like a test, send a ton of phishing emails, see what happens.  This tactic with ransomware hasn’t been seen since before 2020.  Threat actors are innovating at an exhausting pace.  Start with something and iterate.  Some or most of this campaign could be minimized with geo location filtering. 

https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign/

https://www.cyber.nj.gov/Home/Components/News/News/1312/214?fsiteid=2&loadingmode=PreviewContent

https://www.proofpoint.com/us/blog/threat-insight/security-brief-millions-messages-distribute-lockbit-black-ransomware


Researchers Spot Threat Actors Using DNS Tunneling for Tracking and Scanning

Tracking email phishing performance via DNS tunneling is interesting.  And discovery of network infrastructure, mainly targeting DNS resolvers.  Again, with threat actor innovation. 

https://www.bleepingcomputer.com/news/security/hackers-use-dns-tunneling-for-network-scanning-tracking-victims/

https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/


FIDO2 Authentication Weaknesses Shared by Researchers

Research shows that FIDO2 is still vulnerable to session hijacking and man in the middle attacks.  It has to do with post authentication session tokens.

https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/


Remcos RAT Delivered via Legit Application Lures

Nothing really new, the attack chain is interesting.  LNK files, hidden files, and eventual Remcos RAT payload executed.

https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos


The 6th Google Chrome Zero-day Patched this Year

Theat actors are going after Chrome this year, and an exploit exists in the wild.

https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2024/

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html


Outlook RCE Zero-day For Sale

This is crazy, $1.8 million for this possible zero-day.  With the resources ransomware affiliates and nation states have, if true, this could be used for targeted or even mass exploitation.

https://cybersecuritynews.com/selling-outlook-rce-0-day/


Mass Spam Email Campaign Bombarding Targets Linked to Black Basta

This novel campaign overwhelms email protection, many of the emails are not malicious.  Then threat actors call targets and attempt to socially engineer to provide remote access with legitimate remote access software.

https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/

https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/

https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/


Microsoft Zero-day Abused by QakBot Actors Patched

Privilege escalation bug leading to SYSTEM privileges.  This one appears to be being abused by multiple threat actors. 

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-exploited-in-qakbot-malware-attacks/

https://securelist.com/cve-2024-30051/112618/


D-Link DIR-X4860 Router RCE Zero-day

The main thing here is both financially motived and nation state threat actors targeting residential routers for anonymity and to appear legitimate.  This router could easily become part of their botnets and proof of concept exploit is released.

https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-rce-zero-day-in-d-link-exo-ax4800-routers/


The 7th Actively Exploited Google Chrome Zero-day Fixed

An emergency fix was released for the third actively exploited zero-day in a week and 7th this year.  Wow, zero-days so far this year are really getting abused.  Hopefully this isn’t a sign of what’s to come.

https://www.bleepingcomputer.com/news/google/google-fixes-CVE-2024-4947-third-actively-exploited-chrome-zero-day-in-a-week/

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html


Researchers Share Trends of Malicious OneNote Payload Samples

Analyzing around 6,000 malicious samples provides some obvious trends to look for.  Images are used 99.9% of the time.  A few specific payload types are used. 

https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/


Large-Scale Phishing Campaign Distributing Grandoreiro Spotted

Apparently, the disruption in January 2024 didn’t slow the malware developers down.  In addition, the malware has undergone updates.  English speaking countries are under the crosshairs now.  Threat actors change geo location targeting, it’s important to be prepared.

https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/

https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #52

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing. An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo

Members Public

Cyber Threat Weekly – #51

The week of November 4th through November 10th, 330 cyber news articles were reviewed.  The feed list has been adjusted, so the number of articles should be mostly lower.  Let’s start with threat actors using Zip file concatenation technique. Cybercriminals abuse emergency data requests (EDRs) with compromised credentials.  AWS

Members Public

Cyber Threat Weekly – #50

The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with a newer ransomware group targeting FreeBSD servers. Publicly disclosed exploit code used to exploit Microsoft SharePoint flaw.