Cyber Threat Weekly – #26
The week of May 13th through May 19th was a bit heavy with 459 cyber news articles reviewed. A relatively light amount of cyber threat trend and adversarial behavior news to share. Let’s start with LockBit ransomware emails sent from botnet.
Threat actors abusing DNS for tracking and discovery. Researchers share FIDO2 authentication weaknesses. Legit application lures abused to deliver Remcos RAT. Google Chrome zero-day fix, the 6th so far this year.
Threat actor selling Outlook remote code execution (RCE) zero-day. Novel social engineering campaign tied to Black Basta ransomware. Microsoft fixes zero-day abused by QakBot and other threat actors.
D-Link RCE zero-day, the DIR-X4860 router. The 7th actively exploited Google Chrome zero-day fixed. Researchers analyze malicious OneNote payload sample trends. Researchers spot the disrupted Grandoreiro returning in a large-scale attack campaign.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
We should consider what is exposed to the Internet. Let’s remove some of the low hanging fruit threat actors continue to target.
CISA Known Exploited Vulnerabilities for May 13th to May 19th:
CVE-2024-4671 – Google Chromium Visuals Use-After-Free Vulnerability:
Allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-30040 – Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability:
An unspecified vulnerability that allows for a security feature bypass.
CVE-2024-30051 – Microsoft DWM Core Library Privilege Escalation Vulnerability:
Allows an attacker to gain SYSTEM privileges.
CVE-2024-4761 – Google Chromium V8 Out-of-Bounds Memory Write Vulnerability:
Contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2021-40655 – D-Link DIR-605 Router Information Disclosure Vulnerability:
Allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.
CVE-2014-100005 – D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability:
Allows an attacker to change router configurations by hijacking an existing administrator session.
CVE-2024-4947 – Google Chromium V8 Type Confusion Vulnerability:
Allows a remote attacker to execute code via a crafted HTML page.
CVE-2023-43208 – NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability:
Allows for unauthenticated remote code execution via a specially crafted request.
Researchers Observe Millions of LockBit Laden Phishing Emails
This feels like a test, send a ton of phishing emails, see what happens. This tactic with ransomware hasn’t been seen since before 2020. Threat actors are innovating at an exhausting pace. Start with something and iterate. Some or most of this campaign could be minimized with geo location filtering.
https://www.cyber.nj.gov/Home/Components/News/News/1312/214?fsiteid=2&loadingmode=PreviewContent
Researchers Spot Threat Actors Using DNS Tunneling for Tracking and Scanning
Tracking email phishing performance via DNS tunneling is interesting. And discovery of network infrastructure, mainly targeting DNS resolvers. Again, with threat actor innovation.
https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/
FIDO2 Authentication Weaknesses Shared by Researchers
Research shows that FIDO2 is still vulnerable to session hijacking and man in the middle attacks. It has to do with post authentication session tokens.
https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/
Remcos RAT Delivered via Legit Application Lures
Nothing really new, the attack chain is interesting. LNK files, hidden files, and eventual Remcos RAT payload executed.
https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos
The 6th Google Chrome Zero-day Patched this Year
Theat actors are going after Chrome this year, and an exploit exists in the wild.
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
Outlook RCE Zero-day For Sale
This is crazy, $1.8 million for this possible zero-day. With the resources ransomware affiliates and nation states have, if true, this could be used for targeted or even mass exploitation.
https://cybersecuritynews.com/selling-outlook-rce-0-day/
Mass Spam Email Campaign Bombarding Targets Linked to Black Basta
This novel campaign overwhelms email protection, many of the emails are not malicious. Then threat actors call targets and attempt to socially engineer to provide remote access with legitimate remote access software.
Microsoft Zero-day Abused by QakBot Actors Patched
Privilege escalation bug leading to SYSTEM privileges. This one appears to be being abused by multiple threat actors.
https://securelist.com/cve-2024-30051/112618/
D-Link DIR-X4860 Router RCE Zero-day
The main thing here is both financially motived and nation state threat actors targeting residential routers for anonymity and to appear legitimate. This router could easily become part of their botnets and proof of concept exploit is released.
The 7th Actively Exploited Google Chrome Zero-day Fixed
An emergency fix was released for the third actively exploited zero-day in a week and 7th this year. Wow, zero-days so far this year are really getting abused. Hopefully this isn’t a sign of what’s to come.
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html
Researchers Share Trends of Malicious OneNote Payload Samples
Analyzing around 6,000 malicious samples provides some obvious trends to look for. Images are used 99.9% of the time. A few specific payload types are used.
https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/
Large-Scale Phishing Campaign Distributing Grandoreiro Spotted
Apparently, the disruption in January 2024 didn’t slow the malware developers down. In addition, the malware has undergone updates. English speaking countries are under the crosshairs now. Threat actors change geo location targeting, it’s important to be prepared.
https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
