Skip to content

Cyber Threat Weekly – #36

Derek Krein
4 min read

The week of July 22nd through July 28th on the heavier side with 461 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with ‘PKfail’ a secure boot cryptographic management fail from the supply chain.

Malware-as-a-Service (MaaS) taken to a new level by Spanish-speaking cybercriminals.  Researchers share how to defend against common adversary behavior.  Phishing domains and the buzz around generative AI (GenAI).

Active exploitation of critical ServiceNow bug for credential theft.  Researchers share analysis of North Korean nation backed threat actors.  Researchers share incident response trends for Q2 2024.  Okta browser plugin bug.

Fake GitHub accounts drive malware distribution.  Docker critical authentication bypass bug.  A new hire turns out to be a North Korean threat actor.  Microsoft SmartScreen bug fixed in February is still being exploited.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for July 22nd to July 28th:

CVE-2024-39891 – Twilio Authy Information Disclosure Vulnerability:
Allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

CVE-2012-4792 – Microsoft Internet Explorer Use-After-Free Vulnerability:
Allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.


Poor Cryptographic Management Practices = PKfail

The Unified Extensible Firmware Interface (UEFI) specification is a secure boot function designed to be cryptographically secure until the OS takes over.  BIOS vendors are responsible for platform key creation and periodic rotation.  That didn’t happen here, an untrusted key was used in hundreds of devices from over 10 vendors.

https://www.csoonline.com/article/3478127/secure-boot-no-more-leaked-key-faulty-practices-put-900-pc-server-models-in-jeopardy.html

https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem


Spanish-Speaking Cybercriminals Taking Phishing Kits up a few Notches

Cybercrime group dubbed GXC Team observed offering phishing kits using Android apps for one-time password (OTP) interception.  Using social engineering coaxing victims to download the Android app under the guise of preventing phishing attacks.

https://thehackernews.com/2024/07/spanish-hackers-bundle-phishing-kits.html

https://www.group-ib.com/blog/gxc-team-unmasked/


High-Level Security Controls Within Active Directory

Researchers share techniques abused while gaining an initial foothold into an environment.  Techniques such as SMB null sessions, username enumeration, password spraying, and abusing NTLM authentication are shared.  Mitigations are also shared with references.

https://www.guidepointsecurity.com/blog/how-to-make-adversaries-cry-part-1/


Researchers Share Domain Registrations with Terms Related to GenAI

The data is interesting including new registered domains (NRDs) with GenAI keywords and related DNS traffic.

https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/


ServiceNow Critical Bug Under Active Exploitation

Threat actors are abusing CVE-2024-4879 via publicly available exploit code.  In addition, attackers are chaining three bugs with publicly available exploits to achieve full database access.

https://www.bleepingcomputer.com/news/security/critical-servicenow-rce-flaws-actively-exploited-to-steal-credentials/

https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data


Nation State North Korean Threat Actors Shifting Operations

Researchers share the latest observations of APT45 as well as some history around the threat group. 

https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/


Tracking Incident Response Trends Q2 2024

Top threats for Q2 were ransomware and business email compromise (BEC).  Initial access via legitimate credentials continues to trend, a lack of multifactor authentication fuels this trend.  Two newly observed ransomware groups this quarter, Mallox and Underground Team.  Typical behavior was observed like an increase in remote access software.

https://blog.talosintelligence.com/ir-trends-ransomware-on-the-rise-q2-2024/


Browser Plugin from Okta Vulnerable to Cross Site Scripting

The bug occurs if Okta personal is added enabling multi-account view. 

https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981/


GitHub Used as Malware Distribution Service

Theat actors known as ‘Stargazer Goblin’ have created a three-tiered system with thousands of ghost accounts.  These accounts star, subscribe, and fork malicious repositories to increase perceived legitimacy.

https://www.bleepingcomputer.com/news/security/over-3-000-github-accounts-used-by-malware-distribution-service/

https://research.checkpoint.com/2024/stargazers-ghost-network/


Docker Critical Authentication Bypass Bug

Rated a CVSS score of 10.0, CVE-2024-41110 allows an attacker to bypass authorization plugins (AuthZ).  The issue lies in specific Docker API requests.

https://www.bleepingcomputer.com/news/security/docker-fixes-critical-5-year-old-authentication-bypass-flaw/


North Korean Threat Actor Hired by KnowBe4

This one is interesting, AI was used to assist the threat actor in creating the profile picture and ensure it matches the face during four interviews.  The FBI has warned about North Korean threat actors posing as IT staff since 2023.

https://www.bleepingcomputer.com/news/security/knowbe4-mistakenly-hires-north-korean-hacker-faces-infostealer-attack/

https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us


Stealer Campaign Actively Exploiting Microsoft SmartScreen Bug

Fixed in February, CVE-2024-21412 is still being actively exploited to distribute infostealer malware. 

https://www.csoonline.com/article/3477067/microsoft-defender-smartscreen-bug-actively-used-in-stealer-campaign.html

https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8