Skip to content

Cyber Threat Weekly – #33

Derek Krein
4 min read

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords.

HTTP File Server (HFS) Remote Code Execution (RCE) flaw, exploit code available.  Researchers observe an uptick in Microsoft SmartScreen bug exploitation.  Multiple bugs in Splunk fixed, including remote code execution (RCE) vulnerabilities.

Researchers dive into GootLoader, still an active threat.  Infostealer logs used for finding users of child sexual abuse material (CSAM) sites.  Unsecured API was abused to verify millions of Authy MFA phone numbers.

New ransomware group with a new extortion tactic.  Even passkeys can be bypassed with adversary-in-the-middle AitM attacks and a little site manipulation.  Researchers analyze prolific FakeBat Loader campaigns.

Zero-day bug in Cisco Nexus switches.  OpenSSH bug called RegreSSHion raises concerns. 


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for July 1st to July 7th:

CVE-2024-20399 – Cisco NX-OS Command Injection Vulnerability:
Allows an authenticated, local attacker to execute commands as root on the underlying operating system of an affected device.


Threat Actor Dumps Nearly 10billion Passwords

Legit credentials are all the rage, credential stuffing and brute force attacks dominate right now.  Snowflake customers without MFA are a perfect example.  Be prepared for the inevitable.

https://thecyberexpress.com/rockyou2024-10-billion-password-leak/


RCE Bug in HTTP File Server (HFS), Exploit Released

Affecting Linux, UNIX, and macOS running HFS version 3 prior to 0.52.10.  Tracked as CVE-2024-39943, proof-of-concept (PoC) exploit code is now available. 

https://cybersecuritynews.com/poc-exploit-http-file-server/


Active Spam Campaign Exploiting Microsoft SmartScreen

Threat actors are abusing CVE-2024-21412 kicking off a multi-stage infection chain.  The final payloads are information stealers such as Lumma and Medusa Stealer.  Legitimate tools and trusted files are abused along with DLL sideloading and IDATLoader for process injection.

https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/


Updates Available for Splunk Flaws Including RCEs

With hugely popular products comes threat actors wanting to take advantage of bugs.  Splunk released fixes for a slew of bugs.

https://thecyberexpress.com/updates-released-for-splunk-vulnerability/

https://advisory.splunk.com/advisories


Latest Version of GootLoader Analyzed

https://thehackernews.com/2024/07/gootloader-malware-delivers-new.html

https://www.cybereason.com/blog/i-am-goot-loader


CSAM Consumers Identified with Information Stealer Logs

Just like threat actors use info stealer logs and OSINT to attack organizations…  Researchers have done the same to identify roughly 3,300 unique credentials.  Then investigated three consumers who had used multiple child sexual abuse material sources.

https://www.bleepingcomputer.com/news/security/infostealer-malware-logs-used-to-identify-child-abuse-website-members/

https://go.recordedfuture.com/hubfs/reports/cta-2024-0702.pdf


Twilio Confirmed API Abused to Verify Authy MFA Phone Numbers

A threat actor leaked a claimed 33million phone numbers tied to the Authy service.  An unauthenticated API endpoint allowed threat actors to compile the list of phone numbers.  A massive list of phone numbers was fed into the API endpoint.  If valid, the endpoint would return account info.

https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/


New Ransomware Operator Volcano Demon

New gang with new encryptor malware dubbed ‘LukaLocker’, utilizing double extortion.  Not only do they exfiltrate data, but they cover their tracks well, and call the victim to negotiate a ransom.  No leak site for this gang.

https://www.darkreading.com/cyberattacks-data-breaches/ransomware-eruption-novel-locker-malware-flows-from-volcano-demon

https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker


Downgrade Attacks can Bypass Passkey Authentication

Passkeys themselves are cryptographically strong and designed to protect against AitM attacks.  The issue is implementation and the availability of backup authentication capabilities, still weak and subject to AitM.

https://www.darkreading.com/cloud-security/passkey-redaction-attacks-subvert-github-microsoft-authentication

https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks


FakeBat Loader Campaigns and Infrastructure Analyzed

Researchers dig into FakeBat Loader drive-by download campaigns abusing malvertising and software impersonation.  These techniques are used by many threat actors to distribute several malware families.  Worth a look to keep up with the bad behavior.

https://thecyberexpress.com/fakebat-loader/?&web_view=true

https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/


Patches Available for Actively Exploited Cisco Zero-day

Cisco patches Nexus bug actively exploited.  Rated a CVSS 3.1 base score of 6.0, bugs don’t have to be critical or high for exploitation.  The principle of least privilege and architecture go a long way to minimizing impact.

https://www.csoonline.com/article/2512990/cisco-patches-actively-exploited-zero-day-flaw-in-nexus-switches.html

https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP


RegreSSHion Flaw Thought Unlikely to be Mass Exploited

Researchers are saying mass exploitation is unlikely due to complexity and sheer volume of login attempts creating a lot of noise.  Patch if / when possible.

https://therecord.media/regresshion-bug-raises-alarms-qualys

https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh

https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by

Members Public

Cyber Threat Weekly – #30

The week of June 10th through June 16th was a bit heavier with 407 cyber news articles reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with a new Linux malware controlled through Discord emojis. Poisoning ML models via pickle files.  Black