Skip to content

Cyber Threat Weekly – #34

Derek Krein
6 min read

The week of July 8th through 14th was somewhat heavy with 457 cyber news articles reviewed.  A large amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a campaign targeting the NuGet repository focused on defense evasion.

Threat actors utilize proof-of-concept (PoC) exploit code minutes after release.  Critical Exim mail transfer agent (MTA) bug.  Another GitLab critical flaw, second one in less than a month.  Researchers dig into a DarkGate campaign abusing legitimate tools.

Data exfiltration in a couple of hours, Akira ransomware affiliate.  An interesting social engineering tactic.  EstateRansomware, a campaign walk-through and typical TTPs.  The topic of security theater comes up often, thought I would share.

A new phishing kit called FishXProxy.  A new threat actor dubbed CRYSTALRAY, stepping up their game.  Chinese threat actors upping their game with new malware.  CISA performs red team operations and shares lessons learned.

PHP bug exploited quickly after disclosure.  New variant of info-stealer malware ViperSoftX.  Microsoft zero-day abused for possibly 12+ months.  Researchers share common ransomware attack chains and TTPs.  It appears Fin7 is back and scaling up quickly.

Researchers share insights into HTML Smuggling campaigns.  CISA and partners share APT40 tradecraft.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for July 8th to July 14th:

CVE-2024-23692 – Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability:
Allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.

CVE-2024-38080 – Microsoft Windows Hyper-V Privilege Escalation Vulnerability:
Allows a local attacker with user permissions to gain SYSTEM privileges.

CVE-2024-38112 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Contains a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.


Malicious Supply Chain Campaign Targeting NuGet

Abusing homoglyphs and IL weaving, this unique campaign looks to evade detection.  Threat actors continue to get creative to avoid defenses and trick people into using malicious software. 

https://thecyberexpress.com/homoglyphs-il-weaving-malicious-nuget-campaign/

https://www.reversinglabs.com/blog/malicious-nuget-campaign-uses-homoglyphs-and-il-weaving-to-fool-devs


PoC Exploit Code Abused within Minutes of Release

N-day bug abuse is nothing new, been seeing it since the early 2000’s.  The speed at which the abuse happens is changing rapidly.  What used to be a few weeks, turned into a few days, and now as quickly as 22 minutes.  Other cool stats in the Cloudflare report too.

https://www.bleepingcomputer.com/news/security/hackers-use-poc-exploits-in-attacks-22-minutes-after-release/

https://blog.cloudflare.com/application-security-report-2024-update


Critical Flaw in the Exim Mail Transfer Agent (MTA)

Quickly fixed by Exim developers…  Although there is a PoC is available, let’s hope threat actors don’t start using it. 

https://www.bleepingcomputer.com/news/security/critical-exim-bug-bypasses-security-filters-on-15-million-mail-servers/

https://lists.exim.org/lurker/message/20240710.155945.8823670d.pt.html


Second Critical GitLab Bug in Less than a Month

Affecting both the community and Enterprise editions, CVE-2024-6385 gives threat actors the ability to run a pipeline in the context of an arbitrary user. 

https://www.darkreading.com/application-security/-gitlab-sends-users-scrambling-again-with-new-ci-cd-pipeline-takeover-vuln

https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/#an-attacker-can-run-pipeline-jobs-as-an-arbitrary-user


DarkGate Campaign and Malware Analyzed by Researchers

Keeping an eye on threat actor tradecraft helps us prepare for creative campaigns. 

https://thehackernews.com/2024/07/darkgate-malware-exploits-samba-file.html

https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/


Akira Ransomware Affiliate Exfiltrates Data in 133 Minutes

This one is worth a look, threat actors quickly found a Veeam backup server.  Exfil happened fast, legit tools like advanced IP scanner were abused, Windows Defender disabled, and AnyDesk installed.  Very typical ransomware campaign behavior.

https://www.darkreading.com/endpoint-security/akira-ransomware-lightning-fast-data-exfiltration-2-hours

https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry


Deceptive Social Engineering to Deploy Malware: ClickFix

Threat actors are nasty, this technique isn’t entirely new, but a twist to get people to install malware. 

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/


EstateRansomware TTPs and Profile

This is a newer group.  Initial access will change, but post exploitation behavior is the battle ground and worth paying attention to.  Most threat actors are performing similar behaviors utilizing living off the land and fileless attack methodologies. 

https://www.csoonline.com/article/2516228/ransomware-attackers-exploit-year-old-backup-vulnerability.html

https://www.group-ib.com/blog/estate-ransomware/


Security Theater, it’s Time for a Change

This was an interesting read, I agree with Sen. Ron Wyden (D-Wash), CEOs should be held personally accountable for ineffective infosec.  Regulators are stepping up and pushing hard for better security.

https://www.darkreading.com/cyber-risk/trade-the-comfort-of-security-theater-for-true-security


FishXProxy Phishing Kit

Designed to lower the barrier for cybercriminals to perform sophisticated phishing campaigns.  Defense evasion is the goal with this kit.

https://www.darkreading.com/endpoint-security/fishxproxy-phishing-kit-cybercriminals-success

https://slashnext.com/blog/new-fishxproxy-phishing-kit-lowers-barriers-for-cybercriminals/


CRYSTALRAY Abusing Open-Source Tooling and killing it

We shared a report in February 2024 about a threat actor using SSH-Snake, an open-source tool for lateral movement.  This now named threat actor has scaled operations 10x using open-source software. 

https://www.bleepingcomputer.com/news/security/crystalray-hacker-expands-to-1-500-breached-systems-using-ssh-snake-tool/

https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/


Researchers Link New Malware to Chinese APT41

Since Chinese nation backed threat actors share tooling, behavior, and infrastructure, this one is worth a look.

https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html

https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1

https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2


AA24-193A: CISA Red Team Operations – Lessons Learned

This purple team event is worth the read.  CISA red teamers exploit a federal executive branch organization, share TTPs, and lessons learned. 

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a


Critical PHP Flaw Exploited One Day After Disclosure

Multiple threat actors exploiting this bug to deliver malware, botnets, and miners.  The key here is the time from disclosure and exploitation.  The time frame is too short in some cases to patch quickly enough.

https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html

https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure


Researchers Breakdown Latest ViperSoftX Infection Flow

A trend that is on the uptick, the use of .LNK files to kick off the infection chain.  The malware attempts to blend in and stay stealthy using AutoIT to kick off powershell commands.

https://www.bleepingcomputer.com/news/security/vipersoftx-malware-covertly-runs-powershell-using-autoit-scripting/

https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/


InfoStealer Campaigns using Microsoft Zero-day

The recently patched MSHTML bug CVE-2024-38112 might have been abused for over a year. 

https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/

https://www.darkreading.com/application-security/attackers-have-been-leveraging-microsoft-zero-day-for-18-months

https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/


Ransomware Tradecraft Shared by Researchers

Typical TTPs among 14 prolific ransomware gangs are shared in this research.

https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/


Krebs Shares Data Around Current Fin7 Operations

Researchers are tracking Fin7 activity, it certainly appears they are back in action.

https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/


HTML Smuggling and Evasion Techniques

Researchers dive into evasion techniques spammers use to fly under the radar. 

https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/


AA24-190A – APT40 Tradecraft

CISA and partner nations share nation state tradecraft.  This is important, yesterday’s nation state attack is tomorrow’s commodity attack.  Keeping up with nation state behavior is like a crystal ball of what’s coming from criminals and other threat actors.

https://www.bleepingcomputer.com/news/security/chinese-apt40-hackers-hijack-soho-routers-to-launch-attacks/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8