Cyber Threat Weekly – #33
The week of July 1st through July 7th was back down to 379 cyber news articles reviewed. A relatively light amount of cyber threat trend and adversarial behavior news to share. Let’s start with an unprecedented password dump, nearly 10 billion unique passwords.
HTTP File Server (HFS) Remote Code Execution (RCE) flaw, exploit code available. Researchers observe an uptick in Microsoft SmartScreen bug exploitation. Multiple bugs in Splunk fixed, including remote code execution (RCE) vulnerabilities.
Researchers dive into GootLoader, still an active threat. Infostealer logs used for finding users of child sexual abuse material (CSAM) sites. Unsecured API was abused to verify millions of Authy MFA phone numbers.
New ransomware group with a new extortion tactic. Even passkeys can be bypassed with adversary-in-the-middle AitM attacks and a little site manipulation. Researchers analyze prolific FakeBat Loader campaigns.
Zero-day bug in Cisco Nexus switches. OpenSSH bug called RegreSSHion raises concerns.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for July 1st to July 7th:
CVE-2024-20399 – Cisco NX-OS Command Injection Vulnerability:
Allows an authenticated, local attacker to execute commands as root on the underlying operating system of an affected device.
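The prioritization described above (KEV first, weaponized PoC second, everything else after), as an added example that is not part of the newsletter. The KEV document structure mirrors the fields of CISA's public JSON feed (vulnerabilities[].cveID, dueDate), but the catalog content and the weaponized-PoC list are constructed here, not downloaded.

```python
import json
from datetime import date

# Constructed KEV-style document using the newsletter's one entry for this week.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-20399", "vendorProject": "Cisco", "product": "NX-OS",
         "dateAdded": "2024-07-02", "dueDate": "2024-07-23"},
    ]
})

# Constructed list of CVEs the team tracks as having weaponized PoC code public
# (the HFS RCE from this issue is the example entry).
WEAPONIZED_POC = {"CVE-2024-39943"}

# Emergency SLA from the newsletter: 24-48 hours for tiers 1 and 2.
SLA_HOURS = {1: 48, 2: 48, 3: None}


def load_kev(feed_json):
    """Index a KEV-style JSON document by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(cves, kev, weaponized_poc, today):
    """Rank an asset's CVE list.

    Tier 1: in KEV (overdue CISA due dates sort first).
    Tier 2: weaponized PoC code available.
    Tier 3: everything else, routine patch cycle.
    Returns [(cve, reason, sla_hours), ...] in priority order.
    """
    ranked = []
    for cve in cves:
        if cve in kev:
            overdue = today > date.fromisoformat(kev[cve]["dueDate"])
            reason = "KEV OVERDUE" if overdue else "KEV"
            ranked.append((1, 0 if overdue else 1, cve, reason))
        elif cve in weaponized_poc:
            ranked.append((2, 0, cve, "weaponized PoC"))
        else:
            ranked.append((3, 0, cve, "routine"))
    ranked.sort()  # tier, then overdue flag, then CVE id
    return [(cve, reason, SLA_HOURS[tier]) for tier, _, cve, reason in ranked]
```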
Threat Actor Dumps Nearly 10 Billion Passwords
Legit credentials are all the rage, credential stuffing and brute force attacks dominate right now. Snowflake customers without MFA are a perfect example. Be prepared for the inevitable.
https://thecyberexpress.com/rockyou2024-10-billion-password-leak/
RCE Bug in HTTP File Server (HFS), Exploit Released
Affects HFS version 3 prior to 0.52.10 on Linux, UNIX, and macOS. Tracked as CVE-2024-39943; proof-of-concept (PoC) exploit code is now available.
https://cybersecuritynews.com/poc-exploit-http-file-server/
Active Spam Campaign Exploiting Microsoft SmartScreen
Threat actors are abusing CVE-2024-21412 kicking off a multi-stage infection chain. The final payloads are information stealers such as Lumma and Medusa Stealer. Legitimate tools and trusted files are abused along with DLL sideloading and IDATLoader for process injection.
Updates Available for Splunk Flaws Including RCEs
With hugely popular products comes threat actors wanting to take advantage of bugs. Splunk released fixes for a slew of bugs.
https://thecyberexpress.com/updates-released-for-splunk-vulnerability/
https://advisory.splunk.com/advisories
Latest Version of GootLoader Analyzed
https://thehackernews.com/2024/07/gootloader-malware-delivers-new.html
https://www.cybereason.com/blog/i-am-goot-loader
CSAM Consumers Identified with Information Stealer Logs
Just like threat actors use info stealer logs and OSINT to attack organizations, researchers used the same sources to identify roughly 3,300 unique credentials, then investigated three consumers who had used multiple child sexual abuse material sources.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0702.pdf
Twilio Confirmed API Abused to Verify Authy MFA Phone Numbers
A threat actor leaked what they claimed were 33 million phone numbers tied to the Authy service. An unauthenticated API endpoint let threat actors compile the list: a massive list of phone numbers was fed into the endpoint, and for each valid number it returned account info.
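The enumeration pattern described above, as an added example that is not Twilio's or Authy's code: an unauthenticated lookup whose response differs for valid numbers, beside a hardened version that requires an API key, throttles per client, and answers identically whether or not the number exists. The account store, phone numbers, key, and limits are constructed.

```python
import hmac
from collections import defaultdict

ACCOUNTS = {"+15550000001": {"name": "alice", "devices": 2}}  # constructed store
VALID_API_KEY = "constructed-example-key"
LIMIT, WINDOW = 5, 60.0  # constructed: 5 lookups per client per 60 seconds
RATE = defaultdict(list)  # client id -> request timestamps in the window


def lookup_vulnerable(phone):
    """The flawed pattern: no authentication, no throttling, and a response
    that reveals whether the number has an account. A bulk list fed through
    this endpoint becomes a validated list of account holders."""
    if phone in ACCOUNTS:
        return {"status": 200, "account": ACCOUNTS[phone]}
    return {"status": 404, "error": "not found"}


def lookup_hardened(phone, api_key, client_id, now):
    """Mitigations: require a credential, rate-limit per client, and return
    the same status and body for known and unknown numbers so the endpoint
    is not an existence oracle. Any real delivery happens out of band."""
    if not hmac.compare_digest(api_key, VALID_API_KEY):
        return {"status": 401, "message": "unauthorized"}
    recent = [t for t in RATE[client_id] if now - t < WINDOW]
    if len(recent) >= LIMIT:
        RATE[client_id] = recent
        return {"status": 429, "message": "rate limited"}
    recent.append(now)
    RATE[client_id] = recent
    # Deliberately uniform: nothing here depends on `phone in ACCOUNTS`.
    return {"status": 202,
            "message": "If this number is registered, a code has been sent"}


def response_reveals_existence(lookup, *args):
    """Does the lookup answer differently for a registered vs unknown number?"""
    known = lookup("+15550000001", *args)
    unknown = lookup("+15550000002", *args)
    return known != unknown
```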
New Ransomware Operator Volcano Demon
New gang with a new encryptor dubbed ‘LukaLocker’, utilizing double extortion. Not only do they exfiltrate data, they cover their tracks well and call the victim to negotiate a ransom. No leak site for this gang.
Downgrade Attacks can Bypass Passkey Authentication
Passkeys themselves are cryptographically strong and designed to protect against AitM attacks. The issue is implementation: backup authentication methods remain available, and those are still weak and subject to AitM.
https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks
FakeBat Loader Campaigns and Infrastructure Analyzed
Researchers dig into FakeBat Loader drive-by download campaigns abusing malvertising and software impersonation. These techniques are used by many threat actors to distribute several malware families. Worth a look to keep up with the bad behavior.
https://thecyberexpress.com/fakebat-loader/?&web_view=true
https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/
Patches Available for Actively Exploited Cisco Zero-day
Cisco patched an actively exploited Nexus bug. Rated a CVSS 3.1 base score of 6.0; bugs don’t have to be critical or high to be exploited. The principle of least privilege and architecture go a long way toward minimizing impact.
RegreSSHion Flaw Thought Unlikely to be Mass Exploited
Researchers say mass exploitation is unlikely due to the exploit’s complexity and the sheer volume of login attempts required, which creates a lot of noise. Patch if/when possible.
https://therecord.media/regresshion-bug-raises-alarms-qualys
https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh
https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter