Cyber Threat Weekly – #31
The week of June 17th through June 23rd was lighter than usual, with 342 cyber news articles reviewed. There is only a moderate amount of cyber threat trend and adversarial behavior news to share. Let’s start with the CDK Global IT outage caused by BlackSuit ransomware.
Outdated Android phones targeted by Rafel RAT. A novel infection technique abusing Microsoft management console. Researchers observe threat actors using customized malicious tools. Social engineering works with well-intentioned folks.
Ten Intel CPUs vulnerable to UEFI firmware bug. Open-source rootkits are used for defense evasion and lateral movement operations. SolarWinds Serv-U under active attack, exploit code available. Another information stealer, this one Rust-based.
A likely rebrand, the new ONNX phishing-as-a-service platform. VMware bugs could lead to remote code execution (RCE). Researchers share how threat actors attempt to bypass MFA. Strategies explored for attack vectors into VM services in the cloud.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The chance of exploitation is higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
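As an added illustration of the patching priorities above (example code written for this post, not something from the newsletter or from CISA), the script below ranks a vulnerability backlog by the tiers just described: known exploited (KEV) first, weaponized PoC second, then internet exposure. The KEV records are a constructed sample laid out like the public catalog’s JSON feed; the CVE ids, hosts, dates and the tier 3/4 deadlines are placeholders and assumptions, not real data.

```python
"""Rank a vulnerability backlog against the CISA KEV catalog.

Added example, not code from the newsletter. The KEV feed below is a
constructed sample in the shape of the public catalog's JSON feed
(fields cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse); ids and dates are placeholders.
"""
import json
from datetime import datetime, timedelta

# Constructed sample in the KEV feed's JSON layout (not the real catalog).
KEV_FEED_JSON = """
{
  "title": "constructed sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2024-06-18", "dueDate": "2024-07-09",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCo", "product": "FileServer",
     "dateAdded": "2024-06-20", "dueDate": "2024-07-11",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed findings: one CVE observed on one host, plus whether a
# weaponized PoC is public and whether the host is exposed to the Internet.
FINDINGS = [
    {"cve": "CVE-0000-1001", "host": "vpn-01", "weaponized_poc": False, "internet_facing": True},
    {"cve": "CVE-0000-1002", "host": "fs-03", "weaponized_poc": True, "internet_facing": False},
    {"cve": "CVE-0000-1003", "host": "web-02", "weaponized_poc": True, "internet_facing": True},
    {"cve": "CVE-0000-1004", "host": "db-01", "weaponized_poc": False, "internet_facing": False},
]

# Patch deadlines in hours. Tiers 1 and 2 follow the 24-to-48-hour emergency
# process from the post; tiers 3 and 4 are assumed values for this example.
SLA_HOURS = {1: 24, 2: 48, 3: 24 * 14, 4: 24 * 30}

# Constructed "report generated" timestamp so results are reproducible.
AS_OF = datetime(2024, 6, 24, 9, 0)


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE id."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def tier(finding: dict, kev: dict) -> int:
    """Tier 1: listed in KEV. Tier 2: weaponized PoC public.
    Tier 3: internet-facing with neither. Tier 4: everything else."""
    if finding["cve"] in kev:
        return 1
    if finding["weaponized_poc"]:
        return 2
    if finding["internet_facing"]:
        return 3
    return 4


def triage(findings: list, kev: dict, today: datetime) -> list:
    """Return findings annotated with tier and deadline, highest priority first."""
    rows = []
    for f in findings:
        t = tier(f, kev)
        entry = kev.get(f["cve"])
        deadline = today + timedelta(hours=SLA_HOURS[t])
        rows.append({
            "cve": f["cve"],
            "host": f["host"],
            "tier": t,
            "patch_by": deadline.strftime("%Y-%m-%d %H:%M"),
            "ransomware_use": entry["knownRansomwareCampaignUse"] if entry else "n/a",
            "internet_facing": f["internet_facing"],
        })
    # Within a tier: internet-facing hosts first, then known ransomware use.
    rows.sort(key=lambda r: (r["tier"], not r["internet_facing"],
                             r["ransomware_use"] != "Known"))
    return rows


if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev(KEV_FEED_JSON), AS_OF):
        print(f"tier {row['tier']}  {row['cve']:<14} {row['host']:<8} "
              f"patch by {row['patch_by']}  ransomware use: {row['ransomware_use']}")
```

To use it against real data, replace KEV_FEED_JSON with the downloaded catalog feed and FINDINGS with your scanner export; the tier logic and deadlines are the part worth adapting to your own risk appetite.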
The CDK Global Debacle, A Nightmare for Car Dealerships
In addition to dealing with the outage, threat actors are calling customers and posing as support attempting to gain access to their systems. This is a ransomware affiliate or group taking extortion to another level, in this case direct access to systems via a service provider relationship.
Open-Source Rafel RAT Android Malware Abused by Threat Actors
For the most part, hygiene comes into play here. Most observed infections were on an outdated OS. In addition, the typical social engineering vigilance factors come into play.
Initial Access and Evasion via Microsoft Management Console
Researchers analyze a novel code execution technique. Abusing MSC files to execute code was unique, at least until researchers observed it in the wild. As Microsoft tries to tighten the reins, threat actors continue to innovate at a rapid pace.
https://www.elastic.co/security-labs/grimresource
Customized Malicious Tools Used by Threat Actors Dubbed Sneaky Chef
Researchers observed two infection chains used to deliver SpiceRAT, along with a second tool called SugarGh0st. These campaigns appear to be tied to cyber espionage.
https://therecord.media/cyber-espionage-gh0st-rat-sneakychef-SugarGh0st
https://blog.talosintelligence.com/new-spicerat-sneakychef/
https://blog.talosintelligence.com/sneakychef-sugarghost-rat/
Users Duped While Thinking They’re Helping IT
Social engineering is rampant. The use of the clipboard, legitimate-looking problems, and clever “solutions” appear to make users drop their guard. Researchers share a few techniques used by threat actors.
https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
UEFI Firmware Bug Affects Ten Intel CPUs
Tracked as CVE-2024-0762, it’s a buffer overflow flaw in the firmware’s TPM module configuration.
https://www.phoenix.com/security-notifications/cve-2024-0762/
Suspected Chinese Threat Actors Use Open-Source Rootkits
The use of open-source rootkits to hide on VMware ESXi virtual machines is very stealthy, like the attack on MITRE. Researchers provide analysis of the threat actors’ behavior. Expect these tactics to be adopted more widely since the tools are readily available. Yesterday’s nation-state attack is tomorrow’s commodity attack.
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
Exploitation Underway on SolarWinds Serv-U
The flaw tracked as CVE-2024-28995 is high severity, allowing threat actors to read arbitrary files. Exploit code and a bulk scanner have been released, and a technical write-up is available.
https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis
https://github.com/bigb0x/CVE-2024-28995
Multiple Attack Chains Deliver New Rust Based Information Stealer
Fickle Stealer is a new Rust-based information stealer delivered through a variety of methods. Researchers share some observations.
https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain
ONNX Phishing-as-a-Service Platform Targeting Microsoft 365 Accounts
The platform features 2FA bypass capabilities and appears to be targeting financial institutions. That doesn’t mean that other verticals won’t become a target.
Two of Three VMware Flaws can Lead to RCE
VMware bugs are a threat actor favorite: you can cause a lot of damage in a short period of time by taking out hundreds of virtual machines. Fixes have been released; it’s worth getting ahead of these bugs and patching ASAP.
https://www.darkreading.com/cloud-security/critical-vmware-bugs-open-swaths-of-vms-to-rce-data-theft
MFA Bypass Technique Attempts Shared
It’s important to be aware of the various techniques threat actors use to get around MFA. Examples are shared from incident response teams’ observations.
https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/
Virtual Machine Services in the Cloud, Possible Attack Paths
This is a great read on how threat actors manipulate infrastructure as a service cloud resources. The research includes mitigations.
https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter