Skip to content

Cyber Threat Weekly – #29

Derek Krein
4 min read

The week of June 3rd through June 9th was about average with 379 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with researchers sharing a deep analysis of Vidar Stealer.

Another Confluence flaw, this one is high severity.  An older Oracle WebLogic Server bug under active exploitation.  DarkGate malware is changing it up a bit.  MacOS bug allows unauthorized root access.  New Android Trojan Viper RAT is available.

Targeted attack on Snowflake customers.  New ransomware variant called “Fog”.  Threat actor targets and wipes GitHub repos.  Commando Cat abusing Docker remote API servers.  Exploitation attempts of Check Point bug surging.

Critical PHP remote code execution (RCE) bug impacts all versions for Windows.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for June 3rd to June 9th:

CVE-2017-3506 – Oracle WebLogic Server OS Command Injection Vulnerability:
Allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.


Vidar Stealer Deep Dive Analysis

Researchers share a deep analysis of this stealer malware.  Part of a Malware-as-a-Service (MaaS) capability sold on the dark web.  Employs evasion techniques and uses social media platforms for command and control.

https://cybersecuritynews.com/vidar-stealer-employs-tactics/

https://www.cyfirma.com/research/vidar-stealer-an-in-depth-analysis-of-an-information-stealing-malware/


High Severity Vulnerability in Atlassian Confluence

Confluence is a favorite for threat actors, both financially motivated and nation state sponsored.  An authenticated threat actor can execute arbitrary code.  A proof-of-concept (PoC) exploit has been released.

https://www.darkreading.com/vulnerabilities-threats/atlassian-confluence-high-severity-bug-allows-code-execution


Oracle Bug Tracked as CVE-2017-3506 Under Active Exploitation

CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation.

https://thehackernews.com/2024/06/oracle-weblogic-server-os-command.html


Changing Behavior in Latest Version of DarkGate Malware

A switch from AutoIT to AutoHotkey in latest attack campaigns.  Threat actors continue to innovate and extend their efforts for defense evasion.

https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html

https://www.trellix.com/blogs/research/darkgate-again-but-improved/

https://blog.talosintelligence.com/darkgate-remote-template-injection/


Newly Identified MacOS Flaw, Allows Unauthorized Root Access

Tracked as CVE-2024-27822, this bug also has PoC exploit code released.  Apple has not released a fix yet, so keep an eye on this one and patch as soon as a fix is released.

https://cybersecuritynews.com/macos-root-access-vulnerability/

https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html


Recently Advertised on the Dark Web, Android Viper RAT

This one is nasty with the ability to grab MFA codes, credentials, emails, and a key logging feature along with additional functionality.

https://thecyberexpress.com/viper-rat-goes-on-sale/


Targeted Attack Against Snowflake Customers

This one is interesting, there has been a massive uptick in legitimate credentials being used for initial access and data theft.  That trend continues from 2023 into 2024.  Snowflake customers are not immune, it appears legit creds from infostealer malware are being abused for data theft.

https://thehackernews.com/2024/06/snowflake-warns-targeted-credential.html

https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

https://www.linkedin.com/posts/charlescarmakal_snowflake-community-activity-7202881429796466688-JUJl/

https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion


New Fog Ransomware Observed

Researchers share details of incident response to a new ransomware targeting education and recreation sectors.  Using standard post exploitation behavior after initial access via stolen legit VPN credentials.  Internet exposed devices with single factor authentication are getting pummeled week after week.

https://www.darkreading.com/threat-intelligence/fog-ransomware-rolls-in-to-target-education-recreation-sectors

https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/


GitHub Repos Targeted and Wiped by Threat Actors

Nothing official yet, but it is very possible single factor authentication and stolen credentials are the attack mechanism.  This is one to keep an eye on.

https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/


Exposed Docker Remote API Servers Targeted by Commando Cat

Cryptocurrency is the game here, but it could easily be worse.  Threat actors have been abusing Docker containers for months.  Be careful what is exposed to the Internet.

https://www.darkreading.com/cloud-security/-commando-cat-digs-its-claws-into-exposed-docker-containers

https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html


Check Point Flaw Exploitation Attempts Increasing

The recent CVE-2024-24919 bug exploitation attempt rapidly rising after proof-of-concept (PoC) exploit code released.

https://www.darkreading.com/cyberattacks-data-breaches/attacks-surge-on-check-points-recent-vpn-zero-day-flaw

https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919


All PHP Versions for Windows Affected by Critical RCE Bug

A fix is available for CVE-2024-4577, active scanning is beginning. 

https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by