Skip to content

Cyber Threat Weekly – #30

Derek Krein
5 min read

The week of June 10th through June 16th was a bit heavier with 407 cyber news articles reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with a new Linux malware controlled through Discord emojis.

Poisoning ML models via pickle files.  Black Basta exploiting Windows bug.  Notorious threat actors from Scattered Spider observed switching behavior.  Patched in May, critical Ivanti bug proof of concept exploit released.

North Korea threat actors now distributing malicious code to public repositories.  AI Chatbot is used to trick cybercriminals.  Veeam Recovery Orchestrator authentication bypass bug, exploit released.  Snowflake and the cloud’s shared responsibility model are tested.

GuidePoint security releases its GRIT Ransomware Report May 2024.  A look at remote desktop web access abuse.  It appears RansomHub is winning the ransomware affiliate recruiting game.  Job seekers targeted by a new phishing campaign.

Recently patched PHP bug exploited by TellYouThePass ransomware threat actors.  Researchers observe a new ValleyRAT campaign.  Veeam Backup Enterprise Manager authentication bypass bug, exploit released.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for June 10th to June 16th:

CVE-2024-4577
– PHP-CGI OS Command Injection Vulnerability:
Allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

CVE-2024-4610 – Arm Mali GPU Kernel Driver Use-After-Free Vulnerability:
Allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

CVE-2024-4358 – Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability:
Allows an attacker to obtain unauthorized access.

CVE-2024-26169 – Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability:
Allows a local attacker with user permissions to gain SYSTEM privileges.

CVE-2024-32896 – Android Pixel Privilege Escalation Vulnerability:
An unspecified vulnerability in the firmware that allows for privilege escalation.


Discord Emojis Control a New Linux Malware

A new malware called DISGOMOJI uses a novel approach to passing commands to victim machines.  The c2 appears to abuse an open-source project on GitHub.  The use of emojis is interesting, not surprising that the c2 project came from a pen tester.

https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/

https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/

https://github.com/bmdyy/discord-c2


Exploit ML Models, ‘Sleepy Pickle’ Attack

This process allows an attacker to subtly inject malicious bytecode into ML Programs.  This process potentially allows malicious behavior to go unnoticed for longer periods of time.

https://www.darkreading.com/threat-intelligence/sleepy-pickle-exploit-subtly-poisons-ml-models

https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/


Windows Flaw Exploited in Black Basta Ransomware Attacks

CVE-2024-26169 has been added to the Known Exploited Vulnerabilities (KEV) catalog.  Possibly abused as a zero-day by Black Basta affiliates. 

https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-bug-exploited-in-ransomware-attacks/

https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/


SaaS Applications are New Target for Scattered Spider Threat Actors

English speaking, sim-swapping, social engineering threat actors going after cloud resources.  This sucks, these kids are responsible for many large enterprise data breaches such as MGM and Caesars Palace.  They target large enterprises and are suspected of breaching over 130 organizations.

https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-switch-focus-to-cloud-apps-for-data-theft/

https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/


Ivanti Endpoint Manager Critical RCE Flaw Exploit Published

An attacker favorite with many bugs this year, CVE-2024-29824 remote code execution (RCE) bug now a prime target with exploit code released. 

https://www.darkreading.com/application-security/poc-exploit-critical-rce-bug-ivanti-endpoint-manager

https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/


Moonstone Sleet, North Korean Threat Actors Poisoning Code Repositories

https://www.darkreading.com/cyberattacks-data-breaches/north-koreas-moonstone-sleet-widens-distribution-of-malicious-code-packages


AI Chatbots Interact with Fraudsters, Scoring Killer Intel

What a cool experiment, using AI chatbots to obtain bank details from cybercriminals.  Raising the cost sky high for the fraudsters to defend against it.  Anytime we can exponentially increase attacker cost, we win.

https://www.darkreading.com/cyber-risk/ai-chatbot-fools-scammers-and-scores-money-laundering-intel


Exploit Released for Veeam Auth Bypass Bug

Proof-of-concept (PoC) exploit is now available for CVE-2024-29855.  Certain conditions are required for exploitation.

https://www.bleepingcomputer.com/news/security/exploit-for-veeam-recovery-orchestrator-auth-bypass-available-patch-now/

https://www.veeam.com/kb4585

https://summoning.team/blog/veeam-recovery-orchestrator-auth-bypass-cve-2024-29855/


Snowflake at the Center of the Cloud’s Shared Responsibility Model

There are a lot of opinions on this matter, mostly security folks stating the minimum standards need to be raised.  I agree, most businesses are going to do the bare minimum when in comes to security.  By raising the standards, it forces a more protected security posture right out the gate.

https://www.cybersecuritydive.com/news/snowflake-attacks-test-shared-responsibility/718850/

https://posts.specterops.io/mapping-snowflakes-access-landscape-3bf232251945

https://medium.com/anton-on-security/no-snow-no-flakes-pondering-cloud-security-shared-responsibility-again-10b51e4ebba3

https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html


GRIT Ransomware Report May 2024 Released

A pretty good report showcasing trends and spotlighting threat actors, this month Hunters International.

https://www.guidepointsecurity.com/blog/grit-ransomware-report-may-2024/


Defending Against Remote Desktop (RD) Web Access Abuse

Researchers share some incident response and mitigations for RD web portal abuse.  First, it’s a bad idea to expose anything to the Internet that doesn’t have multi-factor authentication (MFA).  Second, we can use architecture and zero trust network access (ZTNA) to minimize exposure and still provide solid functionality. 

https://news.sophos.com/en-us/2024/06/12/rd-web-access-abuse-fighting-back/


RansomHub Winning the Ransomware Recruitment Game

Currently seeing great success, RansomHub appears to have brought over top affiliate group Scattered Spider amongst others.  Researchers’ breakdown Scattered Spider behaviors and observed tooling.

https://www.darkreading.com/threat-intelligence/ransomhub-brings-scattered-spider-into-its-raas-fold

https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/


New Phishing Campaign Targets Job Seekers

Lures mimic legit recruitment firms urging victims to click on an embedded link for job details.  Upon clicking the link, a backdoor called WARMCOOKIE is delivered. 

https://thehackernews.com/2024/06/new-phishing-campaign-deploys.html

https://www.elastic.co/security-labs/dipping-into-danger


Less than 48 Hours, TellYouThePass Ransomware Actors Exploit PHP Flaw

Researchers observe threat actors abusing CVE-2024-4577 to drop ransomware.

https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/

https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/


New ValleyRAT Campaign Spotted

Suspected Chinese threat actors unleash latest version of ValleyRAT with multi-stage attack chain.  Researchers share technical analysis.

https://thecyberexpress.com/valleyrat-variant-links-to-chinese-hackers/

https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat


Another Veeam Auth Bypass Bug, Exploit Available

CVE-2024-29849 authentication bypass flaw in Veeam Backup Enterprise Manager, PoC exploit code released.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8