Cyber Threat Weekly – #27
The week of May 20th through May 26th was close to last week with 449 cyber news articles reviewed. A somewhat light amount of cyber threat trend and adversarial behavior news to share. Let’s start with the GitHub SAML SSO bug affecting self-hosted versions.
Researchers observe threat actors abusing legitimate cloud storage services. Critical authentication bypass flaw in Veeam Backup Enterprise Manager (VBEM). Researchers observe a campaign using vulnerable drivers to turn off security controls.
Researchers discover a Chinese threat actor abusing MSBuild for fileless malware. Researchers share analysis of proxy networks called operational relay boxes (ORBs). Researchers observe a steady increase in ransomware affiliates targeting VMware ESXi.
Financially motivated gift card thieves behave similarly to state-sponsored actors. Keeping up with the ransomware landscape. Google fixes the eighth actively exploited Chrome zero-day this year. Cyber criminals are enjoying the AI assist.
New ShrinkLocker ransomware abuses BitLocker to encrypt files. MITRE shares the final blog post on their cyber-attack.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws continue to be abused by threat actors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploitation chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Let’s remove some of the low-hanging fruit threat actors continue to target.
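The prioritization described above (KEV first, weaponized PoC second, emergency 24-to-48-hour window for both, with Internet exposure deciding the shorter end of that window) can be turned into a small triage script. This is an added example, not code from the newsletter or from CISA: the KEV-style feed, the weaponized-PoC set, the asset findings and all CVE ids other than CVE-2020-17519 are constructed placeholders, and the 30-day SLA for everything else is an assumption the newsletter does not state. The only real field names used are those of CISA's public KEV JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `vulnerabilityName`).

```python
"""Rank an asset's CVE findings by exploitation evidence and Internet exposure.

Added example for the Cyber Threat Weekly patching guidance; not the newsletter's code.
All data below is constructed for the demo (placeholder CVE ids are obviously fake).
"""
import json
from dataclasses import dataclass

# Constructed sample mimicking the shape of CISA's known_exploited_vulnerabilities.json.
# In practice you would download the real feed and pass its parsed JSON to prioritize().
KEV_SAMPLE = json.loads("""
{
  "title": "constructed KEV-style sample, not the real feed",
  "vulnerabilities": [
    {"cveID": "CVE-2020-17519", "vendorProject": "Apache", "product": "Flink",
     "vulnerabilityName": "Apache Flink Improper Access Control Vulnerability"},
    {"cveID": "CVE-0000-11111", "vendorProject": "PlaceholderVendor", "product": "PlaceholderVPN",
     "vulnerabilityName": "placeholder KEV entry"}
  ]
}
""")

# Constructed stand-in for an exploit-availability source (e.g. your CTI platform's tag).
WEAPONIZED_POC = {"CVE-0000-22222"}

# Emergency SLA in hours for tier 1/2: Internet-exposed assets get the short end of 24-48h.
EMERGENCY_SLA_HOURS = {True: 24, False: 48}
# Assumption for tier 3 (no exploitation evidence); the newsletter gives no figure here.
STANDARD_SLA_HOURS = 30 * 24


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    internet_exposed: bool


@dataclass(frozen=True)
class Prioritized:
    asset: str
    cve: str
    tier: int        # 1 = in CISA KEV, 2 = weaponized PoC public, 3 = everything else
    reason: str
    sla_hours: int


def kev_ids(kev_feed: dict) -> set[str]:
    """Extract the set of CVE ids from a KEV-shaped feed."""
    return {entry["cveID"] for entry in kev_feed.get("vulnerabilities", [])}


def prioritize(findings, kev_feed: dict, weaponized_poc: set[str]) -> list[Prioritized]:
    """Assign a tier and SLA to each finding and return them in patch order."""
    kev = kev_ids(kev_feed)
    ranked = []
    for f in findings:
        if f.cve in kev:
            tier, reason = 1, "in CISA KEV (exploited in the wild)"
        elif f.cve in weaponized_poc:
            tier, reason = 2, "weaponized PoC publicly available"
        else:
            tier, reason = 3, "no exploitation evidence"
        sla = EMERGENCY_SLA_HOURS[f.internet_exposed] if tier < 3 else STANDARD_SLA_HOURS
        ranked.append(Prioritized(f.asset, f.cve, tier, reason, sla))
    # Tier first, then shortest SLA (Internet-exposed) first, then a stable asset/CVE order.
    ranked.sort(key=lambda p: (p.tier, p.sla_hours, p.asset, p.cve))
    return ranked


# Constructed asset inventory: a few findings with mixed exposure and evidence.
SAMPLE_FINDINGS = [
    Finding("hr-portal-03", "CVE-0000-33333", internet_exposed=True),
    Finding("build-server-07", "CVE-0000-22222", internet_exposed=False),
    Finding("db-internal-04", "CVE-0000-11111", internet_exposed=False),
    Finding("flink-jobmanager-01", "CVE-2020-17519", internet_exposed=True),
    Finding("vpn-gw-02", "CVE-0000-11111", internet_exposed=True),
]


def patch_order(findings=SAMPLE_FINDINGS) -> list[tuple[str, str, int, int]]:
    """Convenience view: (asset, cve, tier, sla_hours) in the order to work the queue."""
    return [(p.asset, p.cve, p.tier, p.sla_hours)
            for p in prioritize(findings, KEV_SAMPLE, WEAPONIZED_POC)]


if __name__ == "__main__":
    for p in prioritize(SAMPLE_FINDINGS, KEV_SAMPLE, WEAPONIZED_POC):
        print(f"tier {p.tier}  {p.sla_hours:>4}h  {p.asset:<22} {p.cve:<16} {p.reason}")
```

Swapping `KEV_SAMPLE` for the parsed real feed and `WEAPONIZED_POC` for whatever your threat-intel source tags as weaponized is the only change needed to run this against a real vulnerability scan export; the ordering logic stays the same.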
CISA Known Exploited Vulnerabilities for May 13th to May 19th:
CVE-2020-17519 – Apache Flink Improper Access Control Vulnerability:
Allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.
GitHub SAML SSO Critical Bug, Self-Hosted Versions
Authentication bypass flaw fixed, with a critical CVSS 4.0 score of 10.0. The vulnerability comes with the optional encrypted assertions feature. The downside: lots of known issues with the fix.
Legit Cloud Services Abused for Malware Delivery
Researchers share analysis of a new attack campaign dubbed Cloud#Reverser. The use of legitimate services has been trending for years, I first wrote about it in 2019. Like living off the land and fileless attack methodologies, legitimate services are growing in use for malicious operations.
https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html
Veeam Critical Auth Bypass Bug
Not all Veeam environments are vulnerable; this critical vulnerability and two high-severity ones affect Veeam Backup Enterprise Manager (VBEM). The good news is that VBEM is not enabled by default.
Malware GhostEngine Abuses Vulnerable Drivers
The trend of using vulnerable drivers for defense evasion continues. Although this campaign deploys cryptomining, its behavior could easily be abused for far worse. A PowerShell script kicks things off.
https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine
MSBuild.exe Abused by Chinese Threat Actor
Researchers discovered this previously unknown, suspected nation-state-sponsored threat actor. The interesting thing is how they abuse MSBuild.exe to inject malware straight into memory. This threat actor also uses multiple variants of GhostRAT. The thing to keep an eye on is other threat actors abusing MSBuild in a similar fashion.
ORB Networks Growing in Use
These proxy networks are comprised of commercial virtual private servers and compromised devices. We’ve been sharing the abuse of residential proxies by nation-state and financially motivated threat actors for weeks. This research digs deeper into these ORB networks.
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/
ESXi Consistently Targeted by Ransomware Actors
Researchers share the common behaviors used in attacks on virtual environments. The behaviors are simple. Gone are the days of flat networks and simple identity and access management programs. Hence the discussion and push for zero trust security.
https://www.sygnia.co/blog/esxi-ransomware-attacks/
Financially Motivated Threat Group Behaving Similar to State Sponsored Actors
Researchers observe financially motivated gift card thieves mimicking techniques used by sophisticated threat actors. Yesterday’s nation-state attack is tomorrow’s commodity attack. Financially motivated threat actors are following in nation-state actors’ footsteps.
Emerging Ransomware Groups, A Shift in the Ransomware Landscape
With BlackCat having pulled an exit scam and LockBit hampered by a law enforcement seizure, other groups are coming on strong. Many smaller groups have been attracting affiliates. Play ransomware came out on top in April.
https://www.guidepointsecurity.com/blog/grit-ransomware-report-april-2024/
Another Chrome Zero-Day Fixed by Google, the Eighth this Year
The bummer about owning the majority of the market share: you’re a much bigger target. Google is getting pummeled by zero-days this year.
Researchers Share How AI is being Abused by Criminals
Observations by researchers for Q1 2024. Many of the trends are the same as before.
ShrinkLocker Ransomware Abuses BitLocker
The attackers create a new boot partition and remove the BitLocker recovery options; with no extortion note left behind, these attacks are possibly destructive rather than extortion driven.
https://securelist.com/ransomware-abuses-bitlocker/112643/
Nation State Attack on MITRE, Final Blog Post
The threat actors created rogue VMs that don’t appear in inventory, a very stealthy persistence technique. This may be a new behavior that other threat actors mimic.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter