Cyber Threat Weekly – #28
The week of May 27th through June 2nd was a bit light with only 381 cyber news articles reviewed. Still a decent amount of cyber threat trend and adversarial behavior news to share. Let’s start with new phishing tricks. Threat actors advertising Pulse Connect Secure zero-day.
The use of legitimate software by threat actors continues. Patched in February, an exploit and technical deep dive for a FortiSIEM flaw have been released. New state-sponsored North Korean threat actors discovered. Check Point VPNs targeted.
Researchers analyze BlackSuit ransomware attack. Credential stuffing attack against Okta’s CORS feature. Windows Defender bypass tool shared on GitHub. Previously unreported threat actor LilacSquid discovered.
Researchers observe spike in activity against Internet exposed OT devices. APT28 (aka BlueDelta) espionage campaign targets Europe. Researchers are up in arms about Microsoft Copilot+ Recall feature. Actively exploited Linux privilege escalation flaw.
Threat actors stole authentication tokens from AI platform Hugging Face. BitRAT and Lumma Stealer delivered via fake browser updates.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited in the wild or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
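One way to operationalize that ordering, as an added example that is not from the newsletter: it reads a KEV-format feed (the field names match the published CISA KEV JSON; the entries, the host inventory and the PoC list are constructed), tiers each open CVE, and assigns the 48-hour emergency deadline to tiers 1 and 2, with Internet-exposed hosts first within each tier.

```python
"""Rank open CVEs by the newsletter's order: tier 1 = in the CISA KEV catalog,
tier 2 = weaponized PoC public, tier 3 = everything else. Tiers 1 and 2 get the
24-to-48-hour emergency window. Example code, not from the newsletter."""
import json
from datetime import date, timedelta

# Constructed excerpt using the field names of the published KEV JSON feed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1086", "dateAdded": "2024-05-30", "dueDate": "2024-06-20"},
    {"cveID": "CVE-2024-24919", "dateAdded": "2024-05-30", "dueDate": "2024-06-20"},
]})
# Constructed: CVEs with public weaponized PoC that are not (yet) in KEV.
WEAPONIZED_POC = {"CVE-2024-23108"}
# Constructed inventory: host -> (internet exposed?, open CVEs).
# CVE-2023-0000 is a placeholder id standing in for an ordinary, unexploited flaw.
INVENTORY = {
    "vpn-gw-01": (True, ["CVE-2024-24919"]),
    "siem-01": (False, ["CVE-2024-23108"]),
    "build-07": (False, ["CVE-2024-1086", "CVE-2023-0000"]),
}
EMERGENCY_SLA = timedelta(hours=48)  # upper end of the 24-to-48-hour window

def load_kev(raw):
    """Index a KEV-format JSON document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def tier(cve, kev):
    """1 = known exploited, 2 = weaponized PoC available, 3 = normal cycle."""
    if cve in kev:
        return 1
    return 2 if cve in WEAPONIZED_POC else 3

def prioritize(inventory, kev, today):
    """One work item per (host, CVE): by tier, then internet-exposed hosts first."""
    items = []
    for host, (exposed, cves) in inventory.items():
        for cve in cves:
            t = tier(cve, kev)
            due = (date.fromisoformat(today) + EMERGENCY_SLA).isoformat()
            item = {"host": host, "cve": cve, "tier": t, "exposed": exposed,
                    "patch_by": due if t < 3 else "normal cycle"}
            if t == 1:  # carry CISA's own due date for reference
                item["kev_due"] = kev[cve]["dueDate"]
            items.append(item)
    items.sort(key=lambda i: (i["tier"], not i["exposed"], i["host"], i["cve"]))
    return items
```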
CISA Known Exploited Vulnerabilities for May 27th to June 2nd:
CVE-2024-5274 – Google Chromium V8 Type Confusion Vulnerability:
Allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-4978 – Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability:
Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe. When run, this creates a backdoor connection to a malicious C2 server.
CVE-2024-1086 – Linux Kernel Use-After-Free Vulnerability:
Allows an attacker to achieve local privilege escalation.
CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure Vulnerability:
Allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled.
CVE-2017-3506 – Oracle WebLogic Server OS Command Injection Vulnerability:
Allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.
Phishing Tricks, Threat Actor Innovation Continues
Researchers share several techniques recently used in phishing campaigns: adversary-in-the-middle (AitM) with Cloudflare Workers, HTML smuggling, phishing-as-a-service (PhaaS) tools like Greatness, and very large file sizes.
https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html
https://www.trellix.com/blogs/research/tale-of-greatness-journey-through-dark-roads/
https://www.trellix.com/blogs/research/supersize-me/
Ivanti Pulse Connect Secure Zero-Day for Sale
Researchers discover a remote code execution (RCE) zero-day exploit for sale on dark web forums. With the assault on Ivanti over the last several months, this is one to keep an eye on if you use Ivanti Pulse Connect Secure.
https://cybersecuritynews.com/hackers-advertising-pulse-connect/
Legit Remote Management Software Abuse by Russian Threat Actors
The trend continues: legitimate software used in attack campaigns. It is the behavioral pattern that is interesting here. A Python clone of the video game Minesweeper led to the installation of legitimate SuperOps remote monitoring and management software.
https://thecyberexpress.com/remote-monitoring-software-to-spy-on-ukraine/
Patched FortiSIEM Remote Code Execution (RCE) Bug, Exploit Released
Researchers release proof of concept exploit code and technical deep dive for CVE-2024-23108. The good news is that patches have been available for over 3 months.
https://www.fortiguard.com/psirt/FG-IR-23-130
North Korean Threat Actors Financially and Espionage Motivated
Researchers detect new state-backed threat actors focused on collecting intelligence and financial gain. Some state-backed hackers fund themselves through ransomware and other financially motivated campaigns. Time will tell. Sometimes ransomware is deployed to cover tracks.
Threat Actors Going After Check Point VPNs with Zero-Day Flaw
The trend continues: threat actors targeting VPNs and remote access capabilities. Originally Check Point thought the weakness was in local accounts that are password only. It turns out there is a zero-day bug, and an emergency hotfix has been released.
https://support.checkpoint.com/results/sk/sk182336
Researchers Analyze BlackSuit Ransomware TTPs
Consistent use of commodity TTPs and a high success rate indicate the challenge in defending against them. With similarities between “Royal” and its reported successor “Conti”, BlackSuit appears to be technically proficient and experienced.
https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware
https://www.reliaquest.com/blog/blacksuit-attack-analysis/
Customers Targeted in Credential Stuffing Attacks Against Okta’s CORS Feature
Okta shares recommended actions against ongoing credential stuffing attacks.
Researcher Shares Windows Defender Bypass Tool
The good-ish news is that it requires admin privileges to run the tool. The bad news: if a researcher can do it, so can threat actors. The researcher reverse engineered an undocumented API using Avast and its wsc_proxy.exe service.
https://thecyberexpress.com/windows-defender-bypass-tool-github/
LilacSquid Espionage Threat Actor Discovered
Researchers share analysis of suspected advanced persistent threat actor LilacSquid, which appears to have been active since at least 2021.
https://thehackernews.com/2024/05/cyber-espionage-alert-lilacsquid.html
https://blog.talosintelligence.com/lilacsquid/
Spike Observed in Internet Exposed OT Device Activity
Researchers observe increased attacks focused on poorly secured OT devices exposed to the Internet. The lesson here is that we need to stop exposing unnecessary devices to the Internet. Architecture and zero trust network access would solve some of these challenges.
Europe Targeted by APT28 Espionage Campaigns
Researchers share analysis of multiphase campaigns observed targeting Ukraine and its allies.
https://thehackernews.com/2024/05/russian-hackers-target-europe-with.html
https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf
Copilot+ Recall Feature, a Security Nightmare
To be fair, vendors are rushing to take advantage of AI. Looking at functionality only, it’s cool to quickly find anything you’ve ever looked at. When we look at security, a genuinely personal experience is open to prying eyes, and researchers have already proven infostealers can steal all the data. This is a boon for threat actors: far more data than a typical info grab.
https://thecyberexpress.com/copilot-recall-cybersecurity/
Actively Exploited Linux Privilege Escalation Bug
CISA added CVE-2024-1086 to the Known Exploited Vulnerabilities (KEV) catalog. A proof of concept (PoC) exploit and a detailed write-up have been released.
Secrets Stolen from AI Platform Hugging Face Spaces
Hugging Face detected unauthorized access to their Spaces platform allowing threat actors to access authentication tokens.
https://huggingface.co/blog/space-secrets-disclosure
Researchers Analyze Fake Browser Updates Delivering Malware
BitRAT and Lumma Stealer are being delivered via fake browser updates. Researchers share analysis.
https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html
https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter