Cyber Threat Weekly – #29
The week of June 3rd through June 9th was about average, with 379 cyber news articles reviewed. Only a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with researchers sharing a deep analysis of Vidar Stealer.
Another Confluence flaw, this one high severity. An older Oracle WebLogic Server bug under active exploitation. DarkGate malware is changing it up a bit. A macOS bug allows unauthorized root access. A new Android Trojan, Viper RAT, is available.
Targeted attack on Snowflake customers. New ransomware variant called “Fog”. Threat actor targets and wipes GitHub repos. Commando Cat abusing Docker remote API servers. Exploitation attempts of the Check Point bug surging.
Critical PHP remote code execution (RCE) bug impacts all versions for Windows.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available, since the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited in the wild or have weaponized PoC code available.
We should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
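The prioritization described above, as an added example that is not part of the original newsletter: a small Python script that tiers findings by CISA KEV membership first, then by public weaponized PoC, and assigns the 48-hour emergency deadline. The KEV excerpt (using the public feed's real field names), the inventory, asset names, and the 30-day fallback cycle are constructed assumptions.

```python
"""Patch-prioritisation helper: CISA KEV first, weaponized PoC second.
Added example, not the newsletter's own code. Uses the public KEV JSON
field names (cveID, dateAdded, dueDate); records and inventory are constructed."""
import json
from datetime import date, timedelta

# Constructed KEV feed excerpt (real schema, made-up dates).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-3506", "vendorProject": "Oracle",
     "product": "WebLogic Server", "dateAdded": "2024-06-03",
     "dueDate": "2024-06-24", "knownRansomwareCampaignUse": "Unknown"}]})

# Constructed inventory: findings with whether PoC code is public.
INVENTORY = {
    "CVE-2017-3506":  {"asset": "weblogic-01", "poc_public": False, "exposed": True},
    "CVE-2024-24919": {"asset": "vpn-gw-01",   "poc_public": True,  "exposed": True},
    "CVE-2024-27822": {"asset": "mac-lab-07",  "poc_public": True,  "exposed": False},
    "CVE-2024-4577":  {"asset": "php-win-02",  "poc_public": False, "exposed": True},
}

def load_kev(raw):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(inventory, kev, today):
    """Tier 1 = in KEV, 2 = weaponized PoC public, 3 = everything else.
    Tiers 1-2 get the 48-hour emergency deadline; tier 3 gets a 30-day
    cycle (30 days is an assumption for illustration). Internet-exposed
    assets sort first within a tier. `today` is an ISO date string."""
    start = date.fromisoformat(today)
    rows = []
    for cve, info in inventory.items():
        if cve in kev:
            tier = 1
        elif info["poc_public"]:
            tier = 2
        else:
            tier = 3
        due = start + timedelta(days=2 if tier < 3 else 30)
        rows.append({"cve": cve, "asset": info["asset"], "tier": tier,
                     "exposed": info["exposed"], "deadline": due.isoformat(),
                     "kev_due": kev.get(cve, {}).get("dueDate")})
    return sorted(rows, key=lambda r: (r["tier"], not r["exposed"], r["cve"]))

if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_JSON), "2024-06-10"):
        print(row)
```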
CISA Known Exploited Vulnerabilities for June 3rd to June 9th:
CVE-2017-3506 – Oracle WebLogic Server OS Command Injection Vulnerability:
Allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.
Vidar Stealer Deep Dive Analysis
Researchers share a deep analysis of this stealer malware. Part of a Malware-as-a-Service (MaaS) capability sold on the dark web. Employs evasion techniques and uses social media platforms for command and control.
https://cybersecuritynews.com/vidar-stealer-employs-tactics/
High Severity Vulnerability in Atlassian Confluence
Confluence is a favorite for threat actors, both financially motivated and nation-state sponsored. An authenticated threat actor can execute arbitrary code. A proof-of-concept (PoC) exploit has been released.
Oracle Bug Tracked as CVE-2017-3506 Under Active Exploitation
CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation.
https://thehackernews.com/2024/06/oracle-weblogic-server-os-command.html
Changing Behavior in Latest Version of DarkGate Malware
A switch from AutoIT to AutoHotkey in latest attack campaigns. Threat actors continue to innovate and extend their efforts for defense evasion.
https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html
https://www.trellix.com/blogs/research/darkgate-again-but-improved/
https://blog.talosintelligence.com/darkgate-remote-template-injection/
Newly Identified macOS Flaw Allows Unauthorized Root Access
Tracked as CVE-2024-27822, this bug also has PoC exploit code released. Apple has not released a fix yet, so keep an eye on this one and patch as soon as a fix is released.
https://cybersecuritynews.com/macos-root-access-vulnerability/
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
Recently Advertised on the Dark Web, Android Viper RAT
This one is nasty, with the ability to grab MFA codes, credentials, and emails, plus a keylogging feature along with additional functionality.
https://thecyberexpress.com/viper-rat-goes-on-sale/
Targeted Attack Against Snowflake Customers
This one is interesting: there has been a massive uptick in legitimate credentials being used for initial access and data theft, and that trend continues from 2023 into 2024. Snowflake customers are not immune; it appears legit creds harvested by infostealer malware are being abused for data theft.
https://thehackernews.com/2024/06/snowflake-warns-targeted-credential.html
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
New Fog Ransomware Observed
Researchers share details of incident response to a new ransomware targeting the education and recreation sectors. It uses standard post-exploitation behavior after initial access via stolen legitimate VPN credentials. Internet-exposed devices with single-factor authentication are getting pummeled week after week.
https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/
GitHub Repos Targeted and Wiped by Threat Actors
Nothing official yet, but it is very possible that single-factor authentication and stolen credentials are the attack mechanism. This is one to keep an eye on.
Exposed Docker Remote API Servers Targeted by Commando Cat
Cryptocurrency is the game here, but it could easily be worse. Threat actors have been abusing Docker containers for months. Be careful what is exposed to the Internet.
https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html
Check Point Flaw Exploitation Attempts Increasing
Exploitation attempts against the recent CVE-2024-24919 bug are rising rapidly after proof-of-concept (PoC) exploit code was released.
https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
All PHP Versions for Windows Affected by Critical RCE Bug
A fix is available for CVE-2024-4577; active scanning is beginning.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter