Skip to content

Cyber Threat Weekly – #31

Derek Krein
4 min read

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware.

Outdated Android phones targeted by Rafel RAT.  A novel infection technique abusing Microsoft management console.  Researchers observe threat actors using customized malicious tools.  Social engineering works with well-intentioned folks.

Ten Intel CPUs vulnerable to UEFI firmware bug.  Open-source rootkits are used for defense evasion and lateral movement operations.  SolarWinds Serv-U under active attack, exploit code available.  Another information stealer, this one is rust based.

A likely rebrand, the new ONNX phishing-as-a-service platform.  VMware bugs could lead to remote code execution (RCE).  Researchers share how threat actors attempt to bypass MFA.  Strategies explored for attack vectors into VM services in the cloud.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


The CDK Global Debacle, A Nightmare for Car Dealerships

In addition to dealing with the outage, threat actors are calling customers and posing as support attempting to gain access to their systems.  This is a ransomware affiliate or group taking extortion to another level, in this case direct access to systems via a service provider relationship. 

https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/

https://www.bleepingcomputer.com/news/security/cdk-warns-threat-actors-are-calling-customers-posing-as-support/

https://www.bleepingcomputer.com/news/security/cdk-global-hacked-again-while-recovering-from-first-cyberattack/

https://www.bleepingcomputer.com/news/security/cdk-global-cyberattack-impacts-thousands-of-us-car-dealerships/


Open-Source Rafel RAT Android Malware Abused by Threat Actors

For the most part, hygiene comes into play here.  Most observed infections were on an outdated OS.  In addition, the typical social engineering vigilance factors come into play.

https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-android-phones-in-ransomware-attacks/

https://research.checkpoint.com/2024/rafel-rat-android-malware-from-espionage-to-ransomware-operations/


Initial Access and Evasion via Microsoft Management Console

Researchers analyze a novel code execution technique.  Abusing MSC files to execute code is unique, at least it was until researchers observed it in the wild.  As Microsoft tries to tighten the reins, threat actors continue to innovate at a rapid pace.

https://www.elastic.co/security-labs/grimresource


Customized Malicious Tools used by Theat Actors Dubbed Sneaky Chef

Researchers observed two infection chains used to deliver SpiceRAT.  Also, a second tool called SugarGh0st.  These campaigns appear to be tied to cyber espionage. 

https://therecord.media/cyber-espionage-gh0st-rat-sneakychef-SugarGh0st

https://blog.talosintelligence.com/new-spicerat-sneakychef/

https://blog.talosintelligence.com/sneakychef-sugarghost-rat/


Users Duped While Thinking They’re Helping IT

Social engineering is rampant.  The use of the clipboard and legitimate looking problems and clever solutions appear to users drop their guard.  Researchers share a few techniques used by threat actors.

https://www.csoonline.com/article/2455156/beware-powershell-too-helpful-users-tricked-into-fixing-their-machines-with-malware.html

https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn


UEFI Firmware Bug Affects Ten Intel CPUs

Tracked as CVE-2024-0762, it’s a buffer overflow flaw in the firmware’s TPM module configuration.

https://www.bleepingcomputer.com/news/security/phoenix-uefi-vulnerability-impacts-hundreds-of-intel-pc-models/

https://www.phoenix.com/security-notifications/cve-2024-0762/

https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/


Suspected Chinese Threat Actors Use Open-Source Root Kits

The use of open-source root kits to hide on VMWare ESXi virtual machines is very stealthy, like the attack on MITRE.  Researchers provide analysis of the threat actors’ behavior.  Look to these tactics to be adopted since the tools are readily available.  Yesterday’s nation state attack is tomorrow commodity attack.

https://www.bleepingcomputer.com/news/security/unc3886-hackers-use-linux-rootkits-to-hide-on-vmware-esxi-vms/

https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations


Exploitation Underway on SolarWinds Serv-U

The flaw tracked as CVE-2024-28995 is high severity allowing threat actors to read arbitrary files.  Exploit code and a bulk scanner have been released and a technical write up is available. 

https://www.bleepingcomputer.com/news/security/solarwinds-serv-u-path-traversal-flaw-actively-exploited-in-attacks/

https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis

https://github.com/bigb0x/CVE-2024-28995


Multiple Attack Chains Deliver New Rust Based Information Stealer

Fickle Stealer, a new Rust based malware, with a variety of delivery methods.  Researchers share some observations.

https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain


ONNX Phishing-as-a-Service Platform Targeting Microsoft 365 Accounts

The platform features 2FA bypass capabilities and appears to be targeting financial institutions.  That doesn’t mean that other verticals won’t become a target.

https://www.bleepingcomputer.com/news/security/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms/


Two of Three VMware Flaws can Lead to RCE

VMware bugs are a threat actor favorite, you can cause a lot of damage in a short period of time taking out 100’s of virtual machines.  Fixes have been released, it’s worth it to get ahead of these bugs and patch ASAP.

https://www.darkreading.com/cloud-security/critical-vmware-bugs-open-swaths-of-vms-to-rce-data-theft

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453


MFA Bypass Technique Attempts Shared

It’s important to be aware of the various techniques threat actors use to get around MFA.  Examples shared from incident response teams observations.

https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/


Virtual Machine Services in the Cloud, Possible Attack Paths

This is a great read on how threat actors manipulate infrastructure as a service cloud resources.  The research includes mitigations.

https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #30

The week of June 10th through June 16th was a bit heavier with 407 cyber news articles reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with a new Linux malware controlled through Discord emojis. Poisoning ML models via pickle files.  Black