Skip to content

Cyber Threat Weekly – #35

Derek Krein
5 min read

The week of July 15th through July 21st was on the heavy side with 459 cyber news articles reviewed.  A medium amount of cyber threat trend and adversarial behavior news to share this week.  Let’s start with, surprise, threat actors targeting CrowdStrike customers with fake fixes.

A new report, the number of breach victims Q2 2024 rose over 1000% from Q2 2023 numbers.  Microsoft Azure outage adds to the CrowdStrike outage confusion.  Chinese nation state actors APT41 compromised multiple organizations in long term campaign.

SolarWinds fixes eight critical bugs and several rated high.  Cybercriminals have registered over 500,000 domains for malicious campaigns.  Fix released for critical flaw in Cisco Smart Software Manager (SSM). 

Researchers share an operational security (OPSEC) mistake by a threat actor.  Critical flaw in Cisco Security Email Gateways.  Rise in QR code and AI-generated phishing.  FIN7 threat actors selling EDR killer to other threat actors.

Scattered Spider has switched ransomware-as-a-service (RaaS) providers.  Jellyfish Loader, a new threat discovered by researchers. 


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for July 15th to July 21st:

CVE-2024-36401 – OSGeo GeoServer GeoTools Eval Injection Vulnerability:
Allows unauthenticated attackers to conduct remote code execution via specially crafted input.

CVE-2022-22948 – VMware vCenter Server Incorrect Default File Permissions Vulnerability:
Allows a remote, privileged attacker to gain access to sensitive information.

CVE-2024-28995 – SolarWinds Serv-U Path Traversal Vulnerability:
Allows an attacker access to read sensitive files on the host machine.

CVE-2024-34102 – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability:
Allows for remote code execution.


CrowdStrike Customers Targeted with Fake Updates

Not surprisingly, threat actors are using all manner of social engineering to take advantage of a not-so-great situation.  So far various types of phishing messages enticing folks to install malware.

https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/


Not Cool, Breach Victims Rose 1,170% Q2 2024

These numbers are not good, compared to Q2 2023, several big breaches skyrocketed the numbers.  Even from H1 2023 to H1 2024, the number of victims is up 490%. 

https://www.malwarebytes.com/blog/news/2024/07/number-of-data-breach-victims-goes-up-1000

https://www.idtheftcenter.org/post/itrc-sees-third-most-data-breach-victims-in-quarter/


Confusion with Separate Azure Outage

Hours before the CrowdStrike update caused Windows outages around the world, Microsoft services tied to the Central US Region were affected by an outage.  The issue was still being resolved when the CrowdStrike outage occurred, hence the confusion.

https://www.bleepingcomputer.com/news/microsoft/major-microsoft-365-outage-caused-by-azure-configuration-change/

https://azure.status.microsoft/en-us/status/history/


APT41 Sustained Campaign with Numerous Victims

Researchers observe long term campaign compromising numerous victims since at least 2023.  Verticals include global shipping and logistics, media and entertainment, technology, and automotive sectors.  Compromised Google Workspace accounts were used for command and control.

https://thehackernews.com/2024/07/apt41-infiltrates-networks-in-italy.html

https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust


Critical Bugs Fixed Impacting SolarWinds Access Rights Manager (ARM)

The latest version of SolarWinds ARM fixed version 2024.3 fixes eight critical flaws rated CVSS 9.6 and five more rated high.

https://thehackernews.com/2024/07/solarwinds-patches-11-critical-flaws-in.html

https://www.solarwinds.com/trust-center/security-advisories


Cybercriminals Known as Revolver Rabbit Register over 500,000 Domains

As we need to categorize persistent threats, the same can be said for Domain Generation Algorithms (DGAs).  In this case, Revolve Rabbit uses Registered DGAs (RDGAs), the main difference is all domains are registered and remain with the threat actors, while DGAs are embedded with the malware and not all domains are registered.

https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/

https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/

https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about


Cisco Smart Software Manager (SSM) Critical Bug Fixed

The flaw is tracked as CVE-2024-20419 with a CVSS score of 10.0.  This flaw allows attackers to change any password including administrators. 

https://www.darkreading.com/vulnerabilities-threats/high-severity-cisco-bug-grants-attackers-password-access

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy


Threat Actor Operational Security (OPSEC) Mistake Shared by Researchers

This is a nice little walk through of how threat actors can inadvertently provide traces of their operations as well as credentials.

https://www.guidepointsecurity.com/blog/fraudsters-fumble-from-phish-to-failure/


Cisco Security Email Gateway Critical Flaw

This bug is tracked as CVE-2024-20401 and rated a CVSS score of 9.8.  A successful exploit allows an attacker to replace any file on the underlying system.  The attacker could then perform several actions including add users with root privileges, modify configurations, execute arbitrary code, or create a permanent denial of service condition.

https://www.bleepingcomputer.com/news/security/critical-cisco-bug-lets-hackers-add-root-users-on-seg-devices/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH


Report on the Rise of QR Code, AI-Generated, and Other Phishing Techniques

Researchers share several phishing techniques and the abuse of legitimate services like AWS Simple Notification Service (SNS) to automate malicious SMS texts.

https://www.recordedfuture.com/research/qr-code-and-ai-generated-phishing-proliferate

https://go.recordedfuture.com/hubfs/reports/cta-2024-0718.pdf


FIN7 Selling EDR Killer to Other Threat Actors

These threat actors are sophisticated and are notorious for sending USB drives to targets and hiring pen testers for ransomware operations under a fake security company.  They have created a tool called AVNeutralizer also known as AuKill and have been selling it on dark web forums.  Researchers share other Fin7 behaviors and tools.

https://www.bleepingcomputer.com/news/security/notorious-fin7-hackers-sell-edr-killer-to-other-threat-actors/

https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/


Scattered Spider Cybercrime Gang Changing It Up

Ransomware affiliates Scattered Spider (Octo Tempest) have moved to ransomware-as-a-service (RaaS) providers Ransomhub and Qilin.  This after BlackCat, their previous provider pulled an exit scam.

https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/


A New Threat Dubbed Jellyfish Loader

Researchers analyze this .NET-based shellcode loader.  There are similarities to the 2018 Olympic Destroyer infrastructure and coding style of the PowerShell script.

https://thecyberexpress.com/cyble-research-decoding-jellyfish-loader/

https://cyble.com/blog/investigating-the-new-jellyfish-loader/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8