Cyber Threat Weekly – #30
The week of June 10th through June 16th was a bit heavier with 407 cyber news articles reviewed. Quite a bit of cyber threat trend and adversarial behavior news to share. Let’s start with a new Linux malware controlled through Discord emojis.
Poisoning ML models via pickle files. Black Basta exploiting a Windows bug. Notorious threat actors from Scattered Spider observed switching behavior. A proof-of-concept exploit has been released for a critical Ivanti bug patched in May.
North Korean threat actors are now distributing malicious code to public repositories. An AI chatbot is used to trick cybercriminals. Veeam Recovery Orchestrator authentication bypass bug, exploit released. Snowflake and the cloud’s shared responsibility model are tested.
GuidePoint Security releases its GRIT Ransomware Report for May 2024. A look at Remote Desktop Web Access abuse. It appears RansomHub is winning the ransomware affiliate recruiting game. Job seekers targeted by a new phishing campaign.
Recently patched PHP bug exploited by TellYouThePass ransomware threat actors. Researchers observe a new ValleyRAT campaign. Veeam Backup Enterprise Manager authentication bypass bug, exploit released.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities that are being actively exploited. You can prioritize by starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for June 10th to June 16th:
CVE-2024-4577 – PHP-CGI OS Command Injection Vulnerability:
Allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
CVE-2024-4610 – Arm Mali GPU Kernel Driver Use-After-Free Vulnerability:
Allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.
CVE-2024-4358 – Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability:
Allows an attacker to obtain unauthorized access.
CVE-2024-26169 – Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability:
Allows a local attacker with user permissions to gain SYSTEM privileges.
CVE-2024-32896 – Android Pixel Privilege Escalation Vulnerability:
An unspecified vulnerability in the firmware that allows for privilege escalation.
Discord Emojis Control a New Linux Malware
A new malware called DISGOMOJI uses a novel approach to passing commands to victim machines. The C2 appears to abuse an open-source project on GitHub. The use of emojis is interesting; it is not surprising that the C2 project came from a pen tester.
https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/
https://github.com/bmdyy/discord-c2
Exploit ML Models, ‘Sleepy Pickle’ Attack
The technique allows an attacker to subtly inject malicious bytecode into the pickle files that ML programs load, which potentially lets the malicious behavior go unnoticed for longer periods of time.
https://www.darkreading.com/threat-intelligence/sleepy-pickle-exploit-subtly-poisons-ml-models
https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/
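Because pickle loading resolves and calls whatever globals the opcode stream names, a defender can inspect that stream before loading and refuse anything outside an allowlist. The following added example (my own code, not from the articles above) does both: a static opcode scan with the standard library's pickletools, and a restricted unpickler for load time. The allowlist and the sample pickles are constructed for illustration; the "loads code" sample references the harmless os.getcwd as a stand-in.

```python
import io
import pickle
import pickletools

# Opcodes that import or invoke code while a pickle is being loaded; this is
# the mechanism pickle file attacks rely on. A plain data pickle needs none.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Assumed allowlist: the only (module, name) pairs this loader will resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}


def scan_pickle(data: bytes):
    """Walk the opcode stream WITHOUT executing it.
    Returns (globals_referenced, code_opcodes_seen)."""
    globals_seen, ops_seen = [], set()
    recent_strings = []  # STACK_GLOBAL consumes the two most recent string pushes
    for op, arg, _pos in pickletools.genops(data):
        if op.name in CODE_OPCODES:
            ops_seen.add(op.name)
        if op.name == "GLOBAL":            # arg is "module name" as one string
            module, name = arg.split(" ", 1)
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            globals_seen.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)     # heuristic: memo-fetched strings are missed
    return globals_seen, ops_seen


def is_safe(data: bytes, allowed=ALLOWED_GLOBALS) -> bool:
    """True only when every global the pickle would import is allowlisted."""
    globals_seen, _ops = scan_pickle(data)
    return all(g in allowed for g in globals_seen)


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard: refuse to resolve any global that is not allowlisted."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed samples: a plain data pickle, and a hand-assembled protocol-2
# pickle whose opcodes import os.getcwd (GLOBAL) and call it (REDUCE) on load.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3})
LOADS_CODE = b"\x80\x02cos\ngetcwd\nq\x00)Rq\x01."
```

In practice, run the static scan in CI or at model ingestion and keep the restricted unpickler as the only loader, or prefer a non-executable format such as safetensors where the framework supports it.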
Windows Flaw Exploited in Black Basta Ransomware Attacks
CVE-2024-26169 has been added to the Known Exploited Vulnerabilities (KEV) catalog. Possibly abused as a zero-day by Black Basta affiliates.
SaaS Applications are New Target for Scattered Spider Threat Actors
English-speaking, SIM-swapping, social engineering threat actors are going after cloud resources. This sucks: these kids are responsible for many large enterprise data breaches, such as MGM and Caesars Palace. They target large enterprises and are suspected of breaching over 130 organizations.
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/
Ivanti Endpoint Manager Critical RCE Flaw Exploit Published
Ivanti has been an attacker favorite with many bugs this year, and the CVE-2024-29824 remote code execution (RCE) bug is now a prime target with exploit code released.
Moonstone Sleet, North Korean Threat Actors Poisoning Code Repositories
AI Chatbots Interact with Fraudsters, Scoring Killer Intel
What a cool experiment: using AI chatbots to obtain bank details from cybercriminals. It raises the cost sky high for the fraudsters to defend against. Anytime we can exponentially increase attacker cost, we win.
https://www.darkreading.com/cyber-risk/ai-chatbot-fools-scammers-and-scores-money-laundering-intel
Exploit Released for Veeam Auth Bypass Bug
A proof-of-concept (PoC) exploit is now available for CVE-2024-29855. Certain conditions are required for exploitation.
https://summoning.team/blog/veeam-recovery-orchestrator-auth-bypass-cve-2024-29855/
Snowflake at the Center of the Cloud’s Shared Responsibility Model
There are a lot of opinions on this matter, mostly security folks stating that the minimum standards need to be raised. I agree; most businesses are going to do the bare minimum when it comes to security. Raising the standards forces a more protected security posture right out of the gate.
https://www.cybersecuritydive.com/news/snowflake-attacks-test-shared-responsibility/718850/
https://posts.specterops.io/mapping-snowflakes-access-landscape-3bf232251945
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html
GRIT Ransomware Report May 2024 Released
A pretty good report showcasing trends and spotlighting threat actors, this month Hunters International.
https://www.guidepointsecurity.com/blog/grit-ransomware-report-may-2024/
Defending Against Remote Desktop (RD) Web Access Abuse
Researchers share some incident response and mitigations for RD web portal abuse. First, it’s a bad idea to expose anything to the Internet that doesn’t have multi-factor authentication (MFA). Second, we can use architecture and zero trust network access (ZTNA) to minimize exposure and still provide solid functionality.
https://news.sophos.com/en-us/2024/06/12/rd-web-access-abuse-fighting-back/
RansomHub Winning the Ransomware Recruitment Game
Currently seeing great success, RansomHub appears to have brought over the top affiliate group Scattered Spider, amongst others. Researchers break down Scattered Spider behaviors and observed tooling.
https://www.darkreading.com/threat-intelligence/ransomhub-brings-scattered-spider-into-its-raas-fold
New Phishing Campaign Targets Job Seekers
Lures mimic legitimate recruitment firms, urging victims to click an embedded link for job details. Upon clicking the link, a backdoor called WARMCOOKIE is delivered.
https://thehackernews.com/2024/06/new-phishing-campaign-deploys.html
https://www.elastic.co/security-labs/dipping-into-danger
In Less Than 48 Hours, TellYouThePass Ransomware Actors Exploit PHP Flaw
Researchers observe threat actors abusing CVE-2024-4577 to drop ransomware.
New ValleyRAT Campaign Spotted
Suspected Chinese threat actors unleash the latest version of ValleyRAT with a multi-stage attack chain. Researchers share a technical analysis.
https://thecyberexpress.com/valleyrat-variant-links-to-chinese-hackers/
https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat
Another Veeam Auth Bypass Bug, Exploit Available
PoC exploit code has been released for CVE-2024-29849, an authentication bypass flaw in Veeam Backup Enterprise Manager.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter