Skip to content

Cyber Threat Weekly – #34

Derek Krein
6 min read

The week of July 8th through 14th was somewhat heavy with 457 cyber news articles reviewed.  A large amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a campaign targeting the NuGet repository focused on defense evasion.

Threat actors utilize proof-of-concept (PoC) exploit code minutes after release.  Critical Exim mail transfer agent (MTA) bug.  Another GitLab critical flaw, second one in less than a month.  Researchers dig into a DarkGate campaign abusing legitimate tools.

Data exfiltration in a couple of hours, Akira ransomware affiliate.  An interesting social engineering tactic.  EstateRansomware, a campaign walk-through and typical TTPs.  The topic of security theater comes up often, thought I would share.

A new phishing kit called FishXProxy.  A new threat actor dubbed CRYSTALRAY, stepping up their game.  Chinese threat actors upping their game with new malware.  CISA performs red team operations and shares lessons learned.

PHP bug exploited quickly after disclosure.  New variant of info-stealer malware ViperSoftX.  Microsoft zero-day abused for possibly 12+ months.  Researchers share common ransomware attack chains and TTPs.  It appears Fin7 is back and scaling up quickly.

Researchers share insights into HTML Smuggling campaigns.  CISA and partners share APT40 tradecraft.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for July 8th to July 14th:

CVE-2024-23692 – Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability:
Allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.

CVE-2024-38080 – Microsoft Windows Hyper-V Privilege Escalation Vulnerability:
Allows a local attacker with user permissions to gain SYSTEM privileges.

CVE-2024-38112 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Contains a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.


Malicious Supply Chain Campaign Targeting NuGet

Abusing homoglyphs and IL weaving, this unique campaign looks to evade detection.  Threat actors continue to get creative to avoid defenses and trick people into using malicious software. 

https://thecyberexpress.com/homoglyphs-il-weaving-malicious-nuget-campaign/

https://www.reversinglabs.com/blog/malicious-nuget-campaign-uses-homoglyphs-and-il-weaving-to-fool-devs


PoC Exploit Code Abused within Minutes of Release

N-day bug abuse is nothing new, been seeing it since the early 2000’s.  The speed at which the abuse happens is changing rapidly.  What used to be a few weeks, turned into a few days, and now as quickly as 22 minutes.  Other cool stats in the Cloudflare report too.

https://www.bleepingcomputer.com/news/security/hackers-use-poc-exploits-in-attacks-22-minutes-after-release/

https://blog.cloudflare.com/application-security-report-2024-update


Critical Flaw in the Exim Mail Transfer Agent (MTA)

Quickly fixed by Exim developers…  Although there is a PoC is available, let’s hope threat actors don’t start using it. 

https://www.bleepingcomputer.com/news/security/critical-exim-bug-bypasses-security-filters-on-15-million-mail-servers/

https://lists.exim.org/lurker/message/20240710.155945.8823670d.pt.html


Second Critical GitLab Bug in Less than a Month

Affecting both the community and Enterprise editions, CVE-2024-6385 gives threat actors the ability to run a pipeline in the context of an arbitrary user. 

https://www.darkreading.com/application-security/-gitlab-sends-users-scrambling-again-with-new-ci-cd-pipeline-takeover-vuln

https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/#an-attacker-can-run-pipeline-jobs-as-an-arbitrary-user


DarkGate Campaign and Malware Analyzed by Researchers

Keeping an eye on threat actor tradecraft helps us prepare for creative campaigns. 

https://thehackernews.com/2024/07/darkgate-malware-exploits-samba-file.html

https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/


Akira Ransomware Affiliate Exfiltrates Data in 133 Minutes

This one is worth a look, threat actors quickly found a Veeam backup server.  Exfil happened fast, legit tools like advanced IP scanner were abused, Windows Defender disabled, and AnyDesk installed.  Very typical ransomware campaign behavior.

https://www.darkreading.com/endpoint-security/akira-ransomware-lightning-fast-data-exfiltration-2-hours

https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry


Deceptive Social Engineering to Deploy Malware: ClickFix

Threat actors are nasty, this technique isn’t entirely new, but a twist to get people to install malware. 

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/


EstateRansomware TTPs and Profile

This is a newer group.  Initial access will change, but post exploitation behavior is the battle ground and worth paying attention to.  Most threat actors are performing similar behaviors utilizing living off the land and fileless attack methodologies. 

https://www.csoonline.com/article/2516228/ransomware-attackers-exploit-year-old-backup-vulnerability.html

https://www.group-ib.com/blog/estate-ransomware/


Security Theater, it’s Time for a Change

This was an interesting read, I agree with Sen. Ron Wyden (D-Wash), CEOs should be held personally accountable for ineffective infosec.  Regulators are stepping up and pushing hard for better security.

https://www.darkreading.com/cyber-risk/trade-the-comfort-of-security-theater-for-true-security


FishXProxy Phishing Kit

Designed to lower the barrier for cybercriminals to perform sophisticated phishing campaigns.  Defense evasion is the goal with this kit.

https://www.darkreading.com/endpoint-security/fishxproxy-phishing-kit-cybercriminals-success

https://slashnext.com/blog/new-fishxproxy-phishing-kit-lowers-barriers-for-cybercriminals/


CRYSTALRAY Abusing Open-Source Tooling and killing it

We shared a report in February 2024 about a threat actor using SSH-Snake, an open-source tool for lateral movement.  This now named threat actor has scaled operations 10x using open-source software. 

https://www.bleepingcomputer.com/news/security/crystalray-hacker-expands-to-1-500-breached-systems-using-ssh-snake-tool/

https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/


Researchers Link New Malware to Chinese APT41

Since Chinese nation backed threat actors share tooling, behavior, and infrastructure, this one is worth a look.

https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html

https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1

https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2


AA24-193A: CISA Red Team Operations – Lessons Learned

This purple team event is worth the read.  CISA red teamers exploit a federal executive branch organization, share TTPs, and lessons learned. 

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a


Critical PHP Flaw Exploited One Day After Disclosure

Multiple threat actors exploiting this bug to deliver malware, botnets, and miners.  The key here is the time from disclosure and exploitation.  The time frame is too short in some cases to patch quickly enough.

https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html

https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure


Researchers Breakdown Latest ViperSoftX Infection Flow

A trend that is on the uptick, the use of .LNK files to kick off the infection chain.  The malware attempts to blend in and stay stealthy using AutoIT to kick off powershell commands.

https://www.bleepingcomputer.com/news/security/vipersoftx-malware-covertly-runs-powershell-using-autoit-scripting/

https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/


InfoStealer Campaigns using Microsoft Zero-day

The recently patched MSHTML bug CVE-2024-38112 might have been abused for over a year. 

https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/

https://www.darkreading.com/application-security/attackers-have-been-leveraging-microsoft-zero-day-for-18-months

https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/


Ransomware Tradecraft Shared by Researchers

Typical TTPs among 14 prolific ransomware gangs are shared in this research.

https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/


Krebs Shares Data Around Current Fin7 Operations

Researchers are tracking Fin7 activity, it certainly appears they are back in action.

https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/


HTML Smuggling and Evasion Techniques

Researchers dive into evasion techniques spammers use to fly under the radar. 

https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/


AA24-190A – APT40 Tradecraft

CISA and partner nations share nation state tradecraft.  This is important, yesterday’s nation state attack is tomorrow’s commodity attack.  Keeping up with nation state behavior is like a crystal ball of what’s coming from criminals and other threat actors.

https://www.bleepingcomputer.com/news/security/chinese-apt40-hackers-hijack-soho-routers-to-launch-attacks/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #47

The week of October 7th through October 13th was a bit light with 361 cyber news articles reviewed.  A decent amount of cyber threat trends and adversarial behavior news to share.  Let’s start with Iranian APT threat actors changing behavior. Open AI releases an update to their threat report.

Members Public

Cyber Threat Weekly – #46

The week of September 30th through October 6th was light with 369 cyber news articles reviewed.  A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with US broadband providers breached. The art and science of DNS tunneling detection.  Adobe Commerce and Magneto online

Members Public

Cyber Threat Weekly – #45

The week of September 23rd through September 29th was a bit light with 427 cyber news articles reviewed.  Not much cyber threat trend and adversarial behavior news to share.  Let’s start with more ransomware affiliates target hybrid cloud environments. WhatsUp Gold high and critical vulnerabilities.  New SnipBot malware analyzed.