Cyber Threat Weekly – #34
The week of July 8th through 14th was somewhat heavy, with 457 cyber news articles reviewed. There is a large amount of cyber threat trend and adversarial behavior news to share. Let’s start with a campaign targeting the NuGet repository that is focused on defense evasion.
Threat actors utilize proof-of-concept (PoC) exploit code minutes after release. Critical Exim mail transfer agent (MTA) bug. Another GitLab critical flaw, second one in less than a month. Researchers dig into a DarkGate campaign abusing legitimate tools.
Data exfiltration in a couple of hours by an Akira ransomware affiliate. An interesting social engineering tactic. EstateRansomware, a campaign walk-through and typical TTPs. The topic of security theater comes up often, so I thought I would share.
A new phishing kit called FishXProxy. A new threat actor dubbed CRYSTALRAY, stepping up their game. Chinese threat actors upping their game with new malware. CISA performs red team operations and shares lessons learned.
PHP bug exploited quickly after disclosure. New variant of info-stealer malware ViperSoftX. Microsoft zero-day abused for possibly 12+ months. Researchers share common ransomware attack chains and TTPs. It appears Fin7 is back and scaling up quickly.
Researchers share insights into HTML Smuggling campaigns. CISA and partners share APT40 tradecraft.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available; the chances of exploitation are higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for July 8th to July 14th:
CVE-2024-23692 – Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability:
Allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.
CVE-2024-38080 – Microsoft Windows Hyper-V Privilege Escalation Vulnerability:
Allows a local attacker with user permissions to gain SYSTEM privileges.
CVE-2024-38112 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Contains a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.
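The prioritization described above (KEV entries first, weaponized-PoC flaws a close second, a 24-to-48-hour emergency window, and Internet exposure as the tie-breaker) as an added Python example; this is not code from the newsletter or from CISA. It assumes the layout of CISA’s KEV JSON feed (field names cveID, dueDate, knownRansomwareCampaignUse) and embeds a constructed excerpt of that feed, a constructed scan inventory and a constructed list of PoC-weaponized CVEs so it runs offline. The three KEV CVE IDs are the ones listed above; their dates are sample values, the CVE-2024-99998/99999 IDs are placeholders, and the 30-day routine window is an assumed policy value.

```python
"""Patch-prioritization triage against the CISA KEV catalog and weaponized-PoC intel.

Added example; not code from CISA or from the newsletter. Assumes the CISA KEV JSON
feed layout (cveID, dateAdded, dueDate, knownRansomwareCampaignUse, ...) and embeds
a constructed excerpt so it runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the KEV feed layout. The three CVE IDs are the catalog
# additions for the week; the dates and other field values are sample values.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2024-23692", "vendorProject": "Rejetto", "product": "HTTP File Server",
     "dateAdded": "2024-07-09", "dueDate": "2024-07-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-38080", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-07-09", "dueDate": "2024-07-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-38112", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-07-09", "dueDate": "2024-07-30", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner output: one finding per host/CVE, with an Internet-exposure flag
# taken from the asset inventory. CVE-2024-99998/99999 are placeholder IDs, not real CVEs.
INVENTORY = [
    {"host": "files01", "cve": "CVE-2024-23692", "internet_exposed": True},
    {"host": "hv02",    "cve": "CVE-2024-38080", "internet_exposed": False},
    {"host": "wks17",   "cve": "CVE-2024-38112", "internet_exposed": False},
    {"host": "ci01",    "cve": "CVE-2024-99998", "internet_exposed": True},
    {"host": "app03",   "cve": "CVE-2024-99999", "internet_exposed": True},
]

# Constructed threat-intel feed: CVEs with weaponized PoC code publicly available.
WEAPONIZED_POC = {"CVE-2024-99998"}

# Fixed "now" (constructed) so the output is reproducible.
SAMPLE_NOW = datetime(2024, 7, 15, 12, 0, tzinfo=timezone.utc)

ROUTINE_CYCLE_HOURS = 30 * 24  # assumed routine patch window for non-exploited flaws


def load_kev(json_text):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(json_text)["vulnerabilities"]}


def classify(cve, kev, weaponized_poc):
    """P1: in KEV (actively exploited). P2: weaponized PoC available. P3: everything else."""
    if cve in kev:
        reason = "CISA KEV: actively exploited"
        if kev[cve].get("knownRansomwareCampaignUse") == "Known":
            reason += ", used in ransomware campaigns"
        return "P1", reason
    if cve in weaponized_poc:
        return "P2", "weaponized PoC available"
    return "P3", "no known exploitation"


def prioritize(inventory, kev, weaponized_poc, now):
    """Return findings ordered by tier, exposure and deadline, each with an ISO deadline."""
    rows = []
    for f in inventory:
        tier, reason = classify(f["cve"], kev, weaponized_poc)
        if tier in ("P1", "P2"):
            # Emergency 24-to-48-hour window: Internet-exposed assets get the short end.
            hours = 24 if f["internet_exposed"] else 48
        else:
            hours = ROUTINE_CYCLE_HOURS
        deadline = now + timedelta(hours=hours)
        if f["cve"] in kev:
            # CISA's own due date for the KEV entry also bounds the deadline.
            cisa_due = datetime.fromisoformat(kev[f["cve"]]["dueDate"]).replace(tzinfo=timezone.utc)
            deadline = min(deadline, cisa_due)
        rows.append({"host": f["host"], "cve": f["cve"], "tier": tier, "reason": reason,
                     "internet_exposed": f["internet_exposed"], "deadline": deadline.isoformat()})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["deadline"], r["host"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), WEAPONIZED_POC, SAMPLE_NOW):
        exposure = "exposed" if r["internet_exposed"] else "internal"
        print(f'{r["tier"]} {r["cve"]:<15} {r["host"]:<8} {exposure:<8} due {r["deadline"]}  {r["reason"]}')
```

Swap KEV_JSON for the live feed download and INVENTORY for your scanner export and the ordering stays the same: anything in KEV or with a weaponized PoC lands inside the emergency window, Internet-facing hosts first, and everything else falls through to the routine cycle.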
Malicious Supply Chain Campaign Targeting NuGet
Abusing homoglyphs and IL weaving, this unique campaign looks to evade detection. Threat actors continue to get creative to avoid defenses and trick people into using malicious software.
https://thecyberexpress.com/homoglyphs-il-weaving-malicious-nuget-campaign/
PoC Exploit Code Abused within Minutes of Release
N-day bug abuse is nothing new; I’ve been seeing it since the early 2000s. What is changing rapidly is the speed at which the abuse happens. What used to be a few weeks turned into a few days, and now it is as quick as 22 minutes. Other cool stats in the Cloudflare report too.
https://blog.cloudflare.com/application-security-report-2024-update
Critical Flaw in the Exim Mail Transfer Agent (MTA)
Quickly fixed by Exim developers… Although a PoC is available, let’s hope threat actors don’t start using it.
https://lists.exim.org/lurker/message/20240710.155945.8823670d.pt.html
Second Critical GitLab Bug in Less than a Month
Affecting both the community and Enterprise editions, CVE-2024-6385 gives threat actors the ability to run a pipeline in the context of an arbitrary user.
DarkGate Campaign and Malware Analyzed by Researchers
Keeping an eye on threat actor tradecraft helps us prepare for creative campaigns.
https://thehackernews.com/2024/07/darkgate-malware-exploits-samba-file.html
https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/
Akira Ransomware Affiliate Exfiltrates Data in 133 Minutes
This one is worth a look: threat actors quickly found a Veeam backup server. Exfil happened fast, legit tools like Advanced IP Scanner were abused, Windows Defender was disabled, and AnyDesk was installed. Very typical ransomware campaign behavior.
https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
Deceptive Social Engineering to Deploy Malware: ClickFix
Threat actors are nasty. This technique isn’t entirely new, but it is a twist to get people to install malware.
EstateRansomware TTPs and Profile
This is a newer group. Initial access will change, but post-exploitation behavior is the battleground and worth paying attention to. Most threat actors are performing similar behaviors utilizing living-off-the-land and fileless attack methodologies.
https://www.group-ib.com/blog/estate-ransomware/
Security Theater, it’s Time for a Change
This was an interesting read. I agree with Sen. Ron Wyden (D-Wash) that CEOs should be held personally accountable for ineffective infosec. Regulators are stepping up and pushing hard for better security.
https://www.darkreading.com/cyber-risk/trade-the-comfort-of-security-theater-for-true-security
FishXProxy Phishing Kit
Designed to lower the barrier for cybercriminals to perform sophisticated phishing campaigns. Defense evasion is the goal with this kit.
https://www.darkreading.com/endpoint-security/fishxproxy-phishing-kit-cybercriminals-success
https://slashnext.com/blog/new-fishxproxy-phishing-kit-lowers-barriers-for-cybercriminals/
CRYSTALRAY Abusing Open-Source Tooling and Killing It
We shared a report in February 2024 about a threat actor using SSH-Snake, an open-source tool for lateral movement. This now-named threat actor has scaled operations 10x using open-source software.
https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/
Researchers Link New Malware to Chinese APT41
Since Chinese nation-backed threat actors share tooling, behavior, and infrastructure, this one is worth a look.
https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html
https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2
AA24-193A: CISA Red Team Operations – Lessons Learned
This purple team event is worth the read. CISA red teamers exploit a federal executive branch organization, share TTPs, and lessons learned.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a
Critical PHP Flaw Exploited One Day After Disclosure
Multiple threat actors are exploiting this bug to deliver malware, botnets, and miners. The key here is the time between disclosure and exploitation; in some cases the window is too short to patch quickly enough.
https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html
https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
Researchers Break Down the Latest ViperSoftX Infection Flow
A trend that is on the uptick is the use of .LNK files to kick off the infection chain. The malware attempts to blend in and stay stealthy by using AutoIt to launch PowerShell commands.
InfoStealer Campaigns using Microsoft Zero-day
The recently patched MSHTML bug CVE-2024-38112 might have been abused for over a year.
Ransomware Tradecraft Shared by Researchers
Typical TTPs among 14 prolific ransomware gangs are shared in this research.
https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/
Krebs Shares Data Around Current Fin7 Operations
Researchers are tracking Fin7 activity; it certainly appears they are back in action.
https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/
HTML Smuggling and Evasion Techniques
Researchers dive into evasion techniques spammers use to fly under the radar.
AA24-190A – APT40 Tradecraft
CISA and partner nations share nation-state tradecraft. This is important: yesterday’s nation-state attack is tomorrow’s commodity attack. Keeping up with nation-state behavior is like a crystal ball for what’s coming from criminals and other threat actors.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter