Cyber Threat Weekly – #35
The week of July 15th through July 21st was on the heavy side with 459 cyber news articles reviewed. There is a medium amount of cyber threat trend and adversarial behavior news to share this week. Let’s start with, surprise, threat actors targeting CrowdStrike customers with fake fixes.
A new report shows the number of breach victims in Q2 2024 rose over 1000% from the Q2 2023 numbers. A Microsoft Azure outage adds to the CrowdStrike outage confusion. Chinese nation-state actor APT41 compromised multiple organizations in a long-term campaign.
SolarWinds fixes eight critical bugs and several rated high. Cybercriminals have registered over 500,000 domains for malicious campaigns. Fix released for critical flaw in Cisco Smart Software Manager (SSM).
Researchers share an operational security (OPSEC) mistake by a threat actor. Critical flaw in Cisco Security Email Gateways. Rise in QR code and AI-generated phishing. FIN7 threat actors selling EDR killer to other threat actors.
Scattered Spider has switched ransomware-as-a-service (RaaS) providers. Jellyfish Loader, a new threat discovered by researchers.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
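As an added illustration of the patching priorities above (not code from the newsletter), here is a small triage script that joins a KEV feed excerpt with an asset inventory and assigns the emergency window. The feed excerpt is constructed in the shape of the real CISA KEV JSON (same field names); the inventory, the weaponized-PoC flags, the placeholder CVE IDs and the 30-day routine window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt using the CISA KEV JSON feed's field names; the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
     "dateAdded": "2024-07-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-28995", "vendorProject": "SolarWinds", "product": "Serv-U",
     "dateAdded": "2024-07-17", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (hypothetical hosts). The weaponized_poc flag is assumed to
# come from your own vulnerability-intel source; CVE-2024-99999 / CVE-2023-11111 are placeholders.
INVENTORY = [
    {"host": "geo-web-01", "cve": "CVE-2024-36401", "internet_exposed": True, "weaponized_poc": True},
    {"host": "ftp-int-02", "cve": "CVE-2024-28995", "internet_exposed": False, "weaponized_poc": False},
    {"host": "ci-build-03", "cve": "CVE-2024-99999", "internet_exposed": False, "weaponized_poc": True},
    {"host": "lab-vm-04", "cve": "CVE-2023-11111", "internet_exposed": False, "weaponized_poc": False},
]

AS_OF = datetime(2024, 7, 22)  # constructed "report date" used for deadlines


def kev_ids(feed_json: str) -> set:
    """Return the set of CVE IDs listed in a KEV feed document."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, now=AS_OF):
    """Tier 1 = in KEV, tier 2 = weaponized PoC available, tier 3 = everything else.
    Tiers 1 and 2 get the emergency window: 24 h if Internet-exposed, otherwise 48 h.
    Tier 3 gets an assumed routine 30-day window. Rows come back sorted by urgency."""
    rows = []
    for f in inventory:
        tier = 1 if f["cve"] in kev else 2 if f["weaponized_poc"] else 3
        if tier < 3:
            hours = 24 if f["internet_exposed"] else 48
        else:
            hours = 24 * 30
        rows.append({**f, "tier": tier, "deadline": now + timedelta(hours=hours)})
    return sorted(rows, key=lambda r: (r["tier"], r["deadline"]))


if __name__ == "__main__":
    for row in triage(INVENTORY, kev_ids(KEV_FEED)):
        print(row["tier"], row["host"], row["cve"], row["deadline"].isoformat())
```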
CISA Known Exploited Vulnerabilities for July 15th to July 21st:
CVE-2024-36401 – OSGeo GeoServer GeoTools Eval Injection Vulnerability:
Allows unauthenticated attackers to conduct remote code execution via specially crafted input.
CVE-2022-22948 – VMware vCenter Server Incorrect Default File Permissions Vulnerability:
Allows a remote, privileged attacker to gain access to sensitive information.
CVE-2024-28995 – SolarWinds Serv-U Path Traversal Vulnerability:
Allows an attacker access to read sensitive files on the host machine.
CVE-2024-34102 – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability:
Allows for remote code execution.
CrowdStrike Customers Targeted with Fake Updates
Not surprisingly, threat actors are using all manner of social engineering to take advantage of a not-so-great situation. So far, various types of phishing messages have been seen enticing folks to install malware.
Not Cool, Breach Victims Rose 1,170% Q2 2024
These numbers are not good. Compared to Q2 2023, several big breaches skyrocketed the numbers. Even from H1 2023 to H1 2024, the number of victims is up 490%.
https://www.malwarebytes.com/blog/news/2024/07/number-of-data-breach-victims-goes-up-1000
https://www.idtheftcenter.org/post/itrc-sees-third-most-data-breach-victims-in-quarter/
Confusion with Separate Azure Outage
Hours before the CrowdStrike update caused Windows outages around the world, Microsoft services tied to the Central US Region were affected by an outage. The issue was still being resolved when the CrowdStrike outage occurred, hence the confusion.
https://azure.status.microsoft/en-us/status/history/
APT41 Sustained Campaign with Numerous Victims
Researchers observe a long-term campaign compromising numerous victims since at least 2023. Verticals include the global shipping and logistics, media and entertainment, technology, and automotive sectors. Compromised Google Workspace accounts were used for command and control.
https://thehackernews.com/2024/07/apt41-infiltrates-networks-in-italy.html
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
Critical Bugs Fixed Impacting SolarWinds Access Rights Manager (ARM)
The latest SolarWinds ARM version, 2024.3, fixes eight critical flaws rated CVSS 9.6 and five more rated high.
https://thehackernews.com/2024/07/solarwinds-patches-11-critical-flaws-in.html
https://www.solarwinds.com/trust-center/security-advisories
Cybercriminals Known as Revolver Rabbit Register over 500,000 Domains
As we need to categorize persistent threats, the same can be said for Domain Generation Algorithms (DGAs). In this case, Revolver Rabbit uses Registered DGAs (RDGAs). The main difference is that all RDGA domains are registered and remain under the threat actors' control, while classic DGAs are embedded in the malware and not all of the generated domains are registered.
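Because every RDGA domain is registered, the usual NXDOMAIN burst that gives away a classic DGA never appears. The following added example (not from the newsletter or the researchers' report) runs both heuristics over constructed resolver log lines: an NXDOMAIN count per client for classic DGAs, and a structural-template grouping for RDGAs. The log lines, the domain names and the thresholds are all constructed; the template shown is illustrative and not a claim about Revolver Rabbit's actual naming scheme.

```python
import re
from collections import Counter, defaultdict

# Constructed resolver log lines: "<client> <queried name> <response code>". Not real data.
LOG = """\
10.0.0.5 qwxtzrbvnk.com NXDOMAIN
10.0.0.5 plkjhgfdsa.net NXDOMAIN
10.0.0.5 mnbvcxzlkj.info NXDOMAIN
10.0.0.5 updates.example.com NOERROR
10.0.0.9 crypto-advice-10231.xyz NOERROR
10.0.0.9 insurance-quote-55420.xyz NOERROR
10.0.0.9 loan-offer-98117.xyz NOERROR
10.0.0.9 mail.example.com NOERROR
10.0.0.7 www.example.org NOERROR
"""


def shape(name: str) -> str:
    """Collapse letter runs to 'a' and digit runs to '9', keeping separators and the TLD,
    so names generated from one registration template share a signature."""
    host, _, tld = name.rpartition(".")
    return re.sub(r"\d+", "9", re.sub(r"[a-z]+", "a", host)) + "." + tld


def parse(log: str):
    for line in log.splitlines():
        client, name, rcode = line.split()
        yield client, name.lower(), rcode


def nxdomain_suspects(log: str, threshold: int = 3) -> dict:
    """Classic DGA heuristic: clients with >= threshold NXDOMAIN answers, because
    unregistered algorithm-generated names fail to resolve."""
    counts = Counter(c for c, _, r in parse(log) if r == "NXDOMAIN")
    return {c: n for c, n in counts.items() if n >= threshold}


def rdga_suspects(log: str, threshold: int = 3) -> dict:
    """RDGA heuristic: all names resolve (no NXDOMAIN signal), so look instead for
    >= threshold distinct registered names that share one structural template."""
    by_shape = defaultdict(set)
    for _, name, rcode in parse(log):
        if rcode == "NOERROR":
            by_shape[shape(name)].add(name)
    return {s: sorted(n) for s, n in by_shape.items() if len(n) >= threshold}


if __name__ == "__main__":
    print(nxdomain_suspects(LOG))  # flags 10.0.0.5 only
    print(rdga_suspects(LOG))      # flags the a-a-9.xyz template, which nxdomain_suspects misses
```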
Cisco Smart Software Manager (SSM) Critical Bug Fixed
The flaw is tracked as CVE-2024-20419 with a CVSS score of 10.0. This flaw allows attackers to change any user's password, including administrator accounts.
Threat Actor Operational Security (OPSEC) Mistake Shared by Researchers
This is a nice little walk-through of how threat actors can inadvertently leave traces of their operations as well as their credentials.
https://www.guidepointsecurity.com/blog/fraudsters-fumble-from-phish-to-failure/
Cisco Security Email Gateway Critical Flaw
This bug is tracked as CVE-2024-20401 and rated a CVSS score of 9.8. A successful exploit allows an attacker to replace any file on the underlying system. The attacker could then perform several actions, including adding users with root privileges, modifying configurations, executing arbitrary code, or creating a permanent denial of service condition.
Report on the Rise of QR Code, AI-Generated, and Other Phishing Techniques
Researchers share several phishing techniques and the abuse of legitimate services like AWS Simple Notification Service (SNS) to automate malicious SMS texts.
https://www.recordedfuture.com/research/qr-code-and-ai-generated-phishing-proliferate
https://go.recordedfuture.com/hubfs/reports/cta-2024-0718.pdf
FIN7 Selling EDR Killer to Other Threat Actors
These threat actors are sophisticated and are notorious for sending USB drives to targets and hiring pen testers for ransomware operations under a fake security company. They have created a tool called AVNeutralizer, also known as AuKill, and have been selling it on dark web forums. Researchers share other FIN7 behaviors and tools.
Scattered Spider Cybercrime Gang Changing It Up
Ransomware affiliates Scattered Spider (Octo Tempest) have moved to ransomware-as-a-service (RaaS) providers RansomHub and Qilin. This comes after BlackCat, their previous provider, pulled an exit scam.
A New Threat Dubbed Jellyfish Loader
Researchers analyze this .NET-based shellcode loader. There are similarities to the 2018 Olympic Destroyer infrastructure and to the coding style of its PowerShell script.
https://thecyberexpress.com/cyble-research-decoding-jellyfish-loader/
https://cyble.com/blog/investigating-the-new-jellyfish-loader/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter