Cyber Threat Weekly - #3
We have quite a bit to cover this week… Let’s start with malvertising deploying DanaBot and leading to CACTUS ransomware. A botnet uncovered by Palo Alto is upping its game. A Russian APT is abusing CVE-2023-23397 and other vulnerabilities, and Proofpoint is tracking similar behavior from a nation state threat actor.
To keep with the theme, Palo Alto is tracking a similar threat actor abusing the same vulnerability. A fake WordPress security advisory pushes a backdoored plugin; the lure is WordPress specific, but the tactic can be reused in numerous campaigns. Microsoft Copilot is cool, but keep an eye on your data. More interesting large language model (LLM) abuses.
Qualcomm chip vulnerabilities are actively exploited. Critical Atlassian flaws pose danger to organizations. Ransomware affiliates are getting quicker. A new Spectre-based side channel attack using Linear Address Masking, called SLAM. The industrial sector and OT are a massive target.
Hacking the human, a primary target for the adversary. Considering the human element in cyber security. Abuse of AWS STS tokens. Municipalities are an attractive target. A WSF script is used to distribute AsyncRAT. Make phishing harder: use phishing resistant MFA.
Microsoft is tracking another threat actor increasing its sophistication and stealthy evasion behavior.
Broken Record Alert: Friendly Reminder!!!
Roughly 5% of publicly disclosed vulnerabilities are observed exploited in the wild. Priority #1 should be patching actively exploited vulnerabilities. Use CISA’s Known Exploited Vulnerabilities (KEV) catalog or other tools to prioritize them.
Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available. The chance of exploitation is much higher once PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have PoC code available.
Threat actors continue to abuse known exploited vulnerabilities, often using time as a weapon: exploits come fast, often before organizations have time to patch. Diligent patching can be the difference in preventing a data breach and / or ransomware attack.
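To make the two-tier rule above concrete, here is an added example (my own illustration, not a tool from the newsletter or from CISA) that ranks a scanner’s findings: KEV entries first, then anything with public PoC code on the 48-hour emergency clock, then everything else. The KEV excerpt uses the field names CISA publishes in known_exploited_vulnerabilities.json but is a constructed sample; the inventory, the PoC list and the CVE-2023-12345 / CVE-2023-99999 / CVE-2023-55555 identifiers are hypothetical placeholders.

```python
"""Patch prioritization helper: KEV first, then public PoC, then the rest.

Added example, not code from the newsletter or from CISA. The KEV JSON below
mirrors the field names of CISA's known_exploited_vulnerabilities.json feed but
is a constructed excerpt; the inventory and PoC list are constructed sample data.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV feed.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-42917", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2023-12-04", "dueDate": "2023-12-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-41265", "vendorProject": "Qlik", "product": "Sense",
         "dateAdded": "2023-12-07", "dueDate": "2023-12-28", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-6448", "vendorProject": "Unitronics", "product": "Vision PLC and HMI",
         "dateAdded": "2023-12-11", "dueDate": "2023-12-18", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed: CVEs a scanner found in our environment, with CVSS base scores.
INVENTORY = {
    "CVE-2023-42917": 8.8,
    "CVE-2023-41265": 9.9,
    "CVE-2023-12345": 9.8,   # hypothetical ID: critical CVSS, neither exploited nor PoC
    "CVE-2023-99999": 7.5,   # hypothetical ID: public PoC, not (yet) in KEV
    "CVE-2023-55555": 5.3,   # hypothetical ID: no exploitation, no PoC
}

# Constructed: CVEs with public proof-of-concept code (e.g. from an exploit tracker).
PUBLIC_POC = {"CVE-2023-99999", "CVE-2023-41265"}


def load_kev(kev_json: str) -> dict:
    """Return {cveID: entry} for the KEV feed text."""
    data = json.loads(kev_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritize(inventory, kev, poc, today=date(2023, 12, 11)):
    """Rank inventory CVEs: tier 1 = in KEV, tier 2 = public PoC, tier 3 = everything else.

    Within a tier, ransomware-linked KEV entries come first, then earliest due date,
    then highest CVSS. Returns a list of dicts, highest priority first.
    """
    rows = []
    for cve, cvss in inventory.items():
        if cve in kev:
            entry = kev[cve]
            tier = 1
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            sort_key = (tier, 0 if ransomware else 1, due, -cvss)
        elif cve in poc:
            tier = 2
            due = today + timedelta(days=2)   # emergency 24-to-48-hour window
            sort_key = (tier, 1, due, -cvss)
        else:
            tier = 3
            due = today + timedelta(days=30)  # assumption: regular monthly cycle
            sort_key = (tier, 1, due, -cvss)
        rows.append({"cve": cve, "tier": tier, "cvss": cvss, "due": due.isoformat(), "_k": sort_key})
    rows.sort(key=lambda r: r["_k"])
    for r in rows:
        del r["_k"]
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_JSON), PUBLIC_POC):
        print(row)
```

Swap the constructed feed for the real KEV JSON and the inventory for your scanner export; the point is that CVSS only breaks ties inside a tier, it never promotes an unexploited finding above an exploited one.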
CISA Known Exploited Vulnerabilities for December 4th to December 10th:
CVE-2023-42917 – Apple Multiple Products WebKit Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, and Safari WebKit are affected.
CVE-2023-42916 – Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
Apple iOS, iPadOS, macOS, and Safari WebKit are affected.
CVE-2023-33107 – Qualcomm Multiple Chipsets Integer Overflow Vulnerability
Multiple Qualcomm chipsets are affected.
CVE-2023-33106 – Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability
Multiple Qualcomm chipsets are affected.
CVE-2023-33063 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Multiple Qualcomm chipsets are affected.
CVE-2022-22071 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Multiple Qualcomm chipsets are affected.
CVE-2023-41266 – Qlik Sense Path Traversal Vulnerability
CVE-2023-41265 – Qlik Sense HTTP Tunneling Vulnerability
CVE-2023-6448 – Unitronics Vision PLC and HMI Insecure Default Password Vulnerability
Unitronics Vision Series PLCs and HMIs ship with an insecure default password. If it is left unchanged, attackers can log in and execute remote commands.
From Malvertising to CACTUS Ransomware via DanaBot
DanaBot infections are leading to CACTUS ransomware. It appears a private version of DanaBot is being used, likely by an initial access broker or a ransomware affiliate.
https://thehackernews.com/2023/12/microsoft-warns-of-malvertising-scheme.html
New Variant of P2Pinfect Botnet
P2Pinfect, first discovered by Palo Alto Unit 42, is upping its game by targeting embedded devices with MIPS processors, similar to other botnets like Mirai. This is one to keep an eye on.
https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
Microsoft Updates Russian APT’s Abuse of CVE-2023-23397 and other Vulnerabilities
The main point here is the update on the APT threat actor and the continued trend of threat actors abusing known exploited vulnerabilities. CVE-2023-23397 was a zero-day when first abused; it is now patched, so proper patch prioritization mitigates this threat today.
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
Proofpoint Tracking Similar APT Group to Microsoft
This is similar to the campaign Microsoft tracks, with some commonalities and extra details on the tracked campaign.
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
Palo Alto is also Tracking Russian APT Threat Actors Abusing CVE-2023-23397
This is a decent breakdown of threat actor activity, similar to Microsoft’s and Proofpoint’s reporting. It’s nice to have correlation between multiple vendors.
https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/
Fake WordPress Security Advisory for Fictitious Flaw
Emails spoofing WordPress urge users to install a malicious plugin as the “mitigation.” This is a clever social engineering tactic. Be on the lookout for similar campaigns with different lures.
https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/
Stepping into the World of Generative AI with Microsoft Copilot?
Something to think about: Copilot has access to all the sensitive data a user has rights to, which is typically too much. Think through a security strategy as you move forward with generative AI tools.
https://thehackernews.com/2023/12/generative-ai-security-preventing.html
Using Images and Audio to Abuse LLMs
Interesting research, worth keeping an eye on. We haven't seen the end of clever ways to hack LLMs; if man can make it, man can break it!
https://www.darkreading.com/vulnerabilities-threats/llms-open-manipulation-using-doctored-images-audio
Targeted Attacks Utilizing Qualcomm Chip Vulnerabilities
Little is known about the threat actors abusing these vulnerabilities, but the CVEs have been added to the CISA KEV catalog. Please patch known exploited vulnerabilities ASAP.
https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html
Let’s Hope History Doesn’t Repeat, Critical Atlassian Bugs
While not exploited yet, Atlassian is a huge target for threat actors, so these might be worth prioritizing similar to known exploited vulnerabilities. There is a good chance they will be exploited soon.
https://www.darkreading.com/application-security/patch-now-critical-atlassian-bugs-endanger-enterprise-apps
Ransomware Affiliates Move Fast
A new report from Secureworks shows dwell time on target for ransomware affiliates is a day or less in most cases. These threat actors are getting good at their tradecraft.
https://blog.knowbe4.com/ransomware-threat-report-2023
SLAM Attack Discovered, Worth Watching
Since the researchers showed it leaking the root password hash from kernel memory, keep an eye on this one. Not sure it’s a big deal, but you never know. We’ll keep you updated if anything crazy happens.
https://www.bleepingcomputer.com/news/security/new-slam-attack-steals-sensitive-data-from-amd-future-intel-cpus/
Defending the Industrial Sector and OT Environments
Because of their criticality and minimal appetite for downtime, OT environments are a huge target. Victims often pay the ransom to minimize downtime.
https://www.darkreading.com/ics-ot-security/strategy-harmony-research-triaging-priorities-for-ot-cybersecurity
https://www.darkreading.com/ics-ot-security/ransomware-data-breaches-inundate-ot-industrial-sector
Exploiting the Human via Social Engineering
As we have seen in recent ransomware campaigns, social engineering is still a main means of infiltrating mature organizations. When getting around security controls is too time consuming, threat actors go after the human firewall.
https://thehackernews.com/2023/12/hacking-human-mind-exploiting.html
Exploring the Human Side of Cybersecurity
With so much emphasis on process and policy, it’s often forgotten that humans must operate and adopt the security practices and technology. Is it any wonder that operators and users try to bypass security to get their jobs done and minimize friction?
https://www.darkreading.com/cybersecurity-operations/human-centric-security-model-meets-people-where-they-are
Leveraging Tokens to Infiltrate AWS
This is an interesting take on abusing a legitimate service, AWS STS, to mint short-term tokens from compromised long-term credentials. It’s important we understand how threat actors abuse our systems.
https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html
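One way to hunt for this in your own account, as an added example that is my own illustration rather than anything from the linked article: CloudTrail records every STS call, so look for long-term IAM user keys (access key IDs starting with AKIA) calling GetFederationToken or GetSessionToken from source IPs you do not expect. The records, the 192.0.2.0/24 allowlist and the key IDs below are constructed; the field names follow the CloudTrail event schema.

```python
"""Hunt CloudTrail for long-term IAM user keys minting STS tokens from unexpected places.

Added example, not from the linked article. Flags sts:GetFederationToken and
sts:GetSessionToken calls made with an IAM user's long-term key (userIdentity.type
IAMUser, access key prefix AKIA) from a source IP outside the allowlisted ranges.
The records are constructed sample data; field names follow the CloudTrail schema.
"""
import ipaddress
import json

# Assumption: egress ranges our CI runners and admin VPN use (documentation range here).
ALLOWED_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
TOKEN_MINTING = {"GetFederationToken", "GetSessionToken"}


def from_allowed_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def suspicious_sts_events(records):
    """Return (eventTime, userName, eventName, sourceIPAddress) for each flagged event."""
    hits = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") not in TOKEN_MINTING:
            continue
        ident = r.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue  # roles already run on temporary creds; focus on long-term keys
        if not ident.get("accessKeyId", "").startswith("AKIA"):
            continue  # AKIA = long-term key, ASIA = temporary credential
        if from_allowed_range(r["sourceIPAddress"]):
            continue
        hits.append((r["eventTime"], ident.get("userName"), r["eventName"], r["sourceIPAddress"]))
    return hits


def parse_jsonl(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample CloudTrail records (JSON lines), not real log data.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2023-12-09T02:14:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.13.0"},
    {"eventTime": "2023-12-09T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "aws-cli/2.13.0"},
    {"eventTime": "2023-12-09T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003"},
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-sdk-go/1.44"},
    {"eventTime": "2023-12-09T11:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.13.0"},
])

if __name__ == "__main__":
    for hit in suspicious_sts_events(parse_jsonl(SAMPLE)):
        print("ALERT long-term key minting STS token from unexpected IP:", hit)
```

Only the ci-deployer call trips the rule: a CI key used from an address outside the runner range is exactly the “stolen long-term key turned into short-lived tokens” pattern. The follow-up is to rotate that key and look for activity under the temporary keys it produced.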
Municipalities are Easy Prey for Ransomware Affiliates
It seems like every day another local, county, or city government has been hit with ransomware. They are known to pay and continue to be targeted.
https://www.darkreading.com/cybersecurity-operations/as-ransomware-attacks-abound-municipalities-face-a-constant-battle
Recently Observed, AsyncRAT Deployed via WSF Script
Keeping up with the distribution methods of various initial access capabilities, we’ll keep an eye on this one.
https://asec.ahnlab.com/en/59573/
Not a Silver Bullet, but Definitely helps… Phishing Resistant MFA
To minimize adversary-in-the-middle (MitM) attacks that relay MFA and other social engineering attacks, phishing resistant MFA helps. While it won’t stop everything, it’s certainly a way to minimize the impact of an attack on an organization.
https://blog.knowbe4.com/phishing-resistant-mfa-not-stop-attacks
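To show why FIDO2/WebAuthn counts as phishing resistant, here is an added example, my own illustration and not from the linked post, going a step beyond the text: the browser signs over the origin of the page the user is actually on, and the relying party rejects any assertion whose origin is not its own. A relay proxy can forward the real challenge, but it cannot change the origin the victim’s browser records, so the login fails. The clientDataJSON fields are the real WebAuthn ones; the relying party name login.corp.example, the lookalike domain, the session store and the assertions are constructed, and signature verification is assumed to have already passed.

```python
"""Why WebAuthn resists adversary-in-the-middle phishing: origin binding.

Added example, not from the linked post. clientDataJSON uses the real WebAuthn
fields (type, challenge, origin); the relying party, the lookalike domain and the
simulated browser are constructed. Signature checks are assumed to have passed.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.corp.example"                     # assumption: our relying party ID
ALLOWED_ORIGINS = {"https://login.corp.example"}  # assumption: the only origin we serve


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class RelyingParty:
    def __init__(self):
        self.pending = {}  # session id -> challenge bytes

    def begin_login(self, session: str) -> str:
        challenge = secrets.token_bytes(32)
        self.pending[session] = challenge
        return b64url(challenge)

    def finish_login(self, session: str, client_data_json: bytes, authenticator_data: bytes):
        """Return (ok, reason), mirroring the clientData checks in the WebAuthn spec."""
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False, "no pending challenge for session"
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if b64url_decode(cd.get("challenge", "")) != challenge:
            return False, "challenge mismatch"
        if cd.get("origin") not in ALLOWED_ORIGINS:
            return False, f"origin {cd.get('origin')!r} not allowed"  # this defeats the relay
        if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        return True, "ok"


def browser_assert(challenge_b64: str, origin: str, rp_id: str):
    """Simulate browser + authenticator: origin is the page the user is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                              "origin": origin, "crossOrigin": False}).encode()
    # authenticatorData = rpIdHash (32) || flags (UP|UV) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return client_data, auth_data


def scenario_legit():
    """User signs in on the real site."""
    rp = RelyingParty()
    ch = rp.begin_login("s1")
    cd, ad = browser_assert(ch, "https://login.corp.example", "login.corp.example")
    return rp.finish_login("s1", cd, ad)


def scenario_aitm():
    """Relay proxy forwards the genuine challenge, but the victim is on the lookalike origin."""
    rp = RelyingParty()
    ch = rp.begin_login("s2")  # proxy fetched this from the real RP and passed it through
    cd, ad = browser_assert(ch, "https://login-corp-example.com", "login-corp-example.com")
    return rp.finish_login("s2", cd, ad)


if __name__ == "__main__":
    print("legit:", scenario_legit())
    print("AiTM: ", scenario_aitm())
```

In a real browser the relay attempt fails even earlier, because a page on login-corp-example.com is not allowed to request a credential scoped to login.corp.example at all; the origin check in finish_login is the server-side backstop. Compare that with a TOTP code, which carries no origin and relays cleanly through the same proxy.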
Microsoft Tracks Threat Actor Refining Their TTPs
Tracking certain nation state threat actors gives insight into what is most likely to come. Criminals are adopting nation state behavior at an alarming rate. Yesterday’s nation state attack is tomorrow’s commodity attack.
https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter