Cyber Threat Weekly – #36
The week of July 22nd through July 28th was on the heavier side, with 461 cyber news articles reviewed. Only a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with ‘PKfail’, a Secure Boot cryptographic key management failure that came in through the supply chain.
Malware-as-a-Service (MaaS) taken to a new level by Spanish-speaking cybercriminals. Researchers share how to defend against common adversary behavior. Domain registrations riding the buzz around generative AI (GenAI).
Active exploitation of a critical ServiceNow bug for credential theft. Researchers share analysis of North Korean state-backed threat actors. Researchers share incident response trends for Q2 2024. Okta browser plugin bug.
Fake GitHub accounts drive malware distribution. Docker critical authorization bypass bug. A new hire turns out to be a North Korean threat actor. A Microsoft SmartScreen bug fixed in February is still being exploited.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available, since the chance of exploitation rises sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
We should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for July 22nd to July 28th:
CVE-2024-39891 – Twilio Authy Information Disclosure Vulnerability:
Allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.
CVE-2012-4792 – Microsoft Internet Explorer Use-After-Free Vulnerability:
Allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.
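The prioritization described above (start with KEV, then enforce the 24-to-48-hour emergency window, and weight Internet-exposed assets) is easy to script. The example below is added here and is not part of the newsletter or any CISA tooling: it reads a feed laid out like CISA's public known_exploited_vulnerabilities.json, filters the entries added in a given week, and matches them against an asset inventory. The feed entries and hosts are constructed for the example; field names match the real feed, but the dates, due dates and hosts are placeholders.

```python
import json
from datetime import date, timedelta

# Constructed sample feed. Field names follow CISA's public
# known_exploited_vulnerabilities.json; the entries below are illustrative
# placeholders and the dates/due dates are not copied from the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.07.23",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-39891", "vendorProject": "Twilio", "product": "Authy",
         "vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2012-4792", "vendorProject": "Microsoft", "product": "Internet Explorer",
         "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
         "vulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
         "dateAdded": "2024-07-15", "dueDate": "2024-08-05",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    {"host": "ws-0042", "vendor": "Microsoft", "product": "Internet Explorer", "internet_exposed": False},
    {"host": "gis-01", "vendor": "OSGeo", "product": "GeoServer", "internet_exposed": True},
    {"host": "web-07", "vendor": "Apache", "product": "HTTP Server", "internet_exposed": True},
]

# The newsletter's emergency window for exploited / weaponized-PoC flaws.
EMERGENCY_WINDOW = timedelta(hours=48)


def load_kev(feed_text):
    """Parse the KEV JSON feed and return its vulnerability list."""
    return json.loads(feed_text)["vulnerabilities"]


def added_between(vulns, start_iso, end_iso):
    """Entries whose dateAdded falls within [start, end] (ISO date strings)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [v for v in vulns if start <= date.fromisoformat(v["dateAdded"]) <= end]


def triage(vulns, inventory):
    """Match KEV entries to the inventory and order them most urgent first.

    Ordering: Internet-exposed assets, then entries CISA ties to ransomware,
    then the earliest emergency deadline (dateAdded + 48h). CISA's own due
    date is carried along for comparison.
    """
    hits = []
    for v in vulns:
        for asset in inventory:
            if (asset["vendor"].lower() == v["vendorProject"].lower()
                    and asset["product"].lower() == v["product"].lower()):
                added = date.fromisoformat(v["dateAdded"])
                hits.append({
                    "host": asset["host"],
                    "cveID": v["cveID"],
                    "internet_exposed": asset["internet_exposed"],
                    "ransomware_use": v["knownRansomwareCampaignUse"] == "Known",
                    "emergency_by": (added + EMERGENCY_WINDOW).isoformat(),
                    "cisa_due": v["dueDate"],
                })
    hits.sort(key=lambda h: (not h["internet_exposed"], not h["ransomware_use"], h["emergency_by"]))
    return hits


if __name__ == "__main__":
    vulns = load_kev(SAMPLE_KEV_JSON)
    for v in added_between(vulns, "2024-07-22", "2024-07-28"):
        print("added this week:", v["cveID"], v["vulnerabilityName"])
    for hit in triage(vulns, SAMPLE_INVENTORY):
        print(hit)
```

In production the feed text comes from CISA's published JSON and the inventory from your CMDB or vulnerability scanner; the matching here is an exact vendor/product string compare, so expect to normalize product names before it is useful at scale.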
Poor Cryptographic Management Practices = PKfail
UEFI Secure Boot relies on a chain of cryptographic keys, anchored in the Platform Key (PK), to verify each boot component until the OS takes over. The independent BIOS vendor supplies a placeholder PK, and the device vendor is expected to replace it with its own key before shipping and to rotate it periodically. That didn’t happen here: an untrusted test key was left in place in hundreds of devices from over 10 vendors, and its private half has been leaked.
https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
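A quick local check a practitioner will want is to look at the PK their own machine actually trusts. The script below is an added example, not Binarly's scanner and not part of the newsletter: it parses the EFI_SIGNATURE_LIST structures that UEFI stores in the PK variable (readable on Linux under efivarfs, minus a 4-byte attribute prefix) and flags any X.509 entry whose DER bytes contain the "DO NOT TRUST" subject marker that the untrusted test key carries. The two sample variables at the bottom are constructed stand-ins for real DER certificates, built only so the parser can be exercised offline.

```python
import struct
import uuid
from pathlib import Path

# efivarfs exposes the Platform Key as PK-<EFI_GLOBAL_VARIABLE GUID>; the first
# 4 bytes of the file are the variable attributes, the rest is the payload.
EFIVARS_PK = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER = struct.Struct("<16sIII")
# Substring of the subject on the untrusted test key reported under PKfail.
UNTRUSTED_MARKER = b"DO NOT TRUST"


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Returns one (signature_type, owner_guid, signature_data) tuple per
    EFI_SIGNATURE_DATA entry found in the variable payload.
    """
    entries, off = [], 0
    while off + SIGLIST_HEADER.size <= len(blob):
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        if (list_size < SIGLIST_HEADER.size + hdr_size or sig_size < 16
                or off + list_size > len(blob)):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos, end = off + SIGLIST_HEADER.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])       # SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def untrusted_certs(blob):
    """X.509 entries whose DER bytes carry the 'DO NOT TRUST' subject marker."""
    return [data for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID and UNTRUSTED_MARKER in data]


def read_pk_payload(path=EFIVARS_PK):
    """Read the PK variable from efivarfs (root needed), dropping the attribute word."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type, owner, payload):
    """Serialize one EFI_SIGNATURE_LIST holding a single signature (test helper)."""
    sig_size = 16 + len(payload)
    return (SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + sig_size, 0, sig_size)
            + owner.bytes_le + payload)


# Constructed stand-ins for DER certificates: only the subject text matters here.
OWNER = uuid.UUID(int=1)
SAMPLE_VENDOR_PK = build_signature_list(
    EFI_CERT_X509_GUID, OWNER, b"\x30\x82\x01\x00 CN=Example OEM Platform Key")
SAMPLE_TEST_PK = build_signature_list(
    EFI_CERT_X509_GUID, OWNER, b"\x30\x82\x01\x00 CN=DO NOT TRUST - Test PK")


if __name__ == "__main__":
    try:
        payload = read_pk_payload()
    except OSError as exc:
        raise SystemExit(f"cannot read PK variable: {exc}")
    print("PK entries:", len(parse_signature_lists(payload)),
          "untrusted test keys:", len(untrusted_certs(payload)))
```

The substring match works because the subject strings of a DER certificate appear verbatim in the encoding, but it is a heuristic; for a proper read, write one entry's `signature_data` to a file and run `openssl x509 -inform DER -noout -subject` on it (efitools' `efi-readvar -v PK` shows the same information). A clean PK does not clear the device on its own: the KEK and db entries deserve the same look, and the real fix is the firmware update from the device vendor.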
Spanish-Speaking Cybercriminals Taking Phishing Kits up a few Notches
The cybercrime group dubbed GXC Team was observed offering phishing kits bundled with Android apps for one-time password (OTP) interception. Social engineering coaxes victims into installing the Android app under the guise of protecting them from phishing attacks.
https://thehackernews.com/2024/07/spanish-hackers-bundle-phishing-kits.html
https://www.group-ib.com/blog/gxc-team-unmasked/
High-Level Security Controls Within Active Directory
Researchers share techniques abused while gaining an initial foothold in an environment, such as SMB null sessions, username enumeration, password spraying, and abuse of NTLM authentication. Mitigations are also shared, with references.
https://www.guidepointsecurity.com/blog/how-to-make-adversaries-cry-part-1/
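Two of the techniques above, password spraying and username enumeration, leave a distinctive shape in Windows logon-failure events: one source touching many accounts with one or two guesses each, or one source trying names the domain has never heard of. The detector below is an added example (not from the GuidePoint post and not a product rule) that runs over a constructed handful of event 4625 records as a SIEM would return them; the thresholds, the source IPs and the account names are all placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of fields from Windows Security event 4625
# (logon failure), plus one 4624 (success) to show the filter.
# SubStatus 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
SAMPLE_EVENTS = [
    # one source, six different accounts, one guess each, inside six minutes
    {"time": "2024-07-23T02:10:05", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "alice", "substatus": "0xC000006A"},
    {"time": "2024-07-23T02:11:12", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "bob", "substatus": "0xC000006A"},
    {"time": "2024-07-23T02:12:40", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "carol", "substatus": "0xC000006A"},
    {"time": "2024-07-23T02:13:01", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "dave", "substatus": "0xC000006A"},
    {"time": "2024-07-23T02:14:22", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "erin", "substatus": "0xC000006A"},
    {"time": "2024-07-23T02:15:50", "event_id": 4625, "src_ip": "10.9.8.7", "target_user": "frank", "substatus": "0xC000006A"},
    # a user mistyping their own password once: not a spray
    {"time": "2024-07-23T08:00:10", "event_id": 4625, "src_ip": "10.20.30.40", "target_user": "grace", "substatus": "0xC000006A"},
    {"time": "2024-07-23T08:00:25", "event_id": 4624, "src_ip": "10.20.30.40", "target_user": "grace"},
    # a second source probing names that do not exist, twenty minutes apart
    {"time": "2024-07-23T03:00:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "jdoe", "substatus": "0xC0000064"},
    {"time": "2024-07-23T03:20:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "admin2", "substatus": "0xC0000064"},
    {"time": "2024-07-23T03:40:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "svc_test", "substatus": "0xC0000064"},
    {"time": "2024-07-23T04:00:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "backup", "substatus": "0xC0000064"},
    {"time": "2024-07-23T04:20:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "guest1", "substatus": "0xC0000064"},
    {"time": "2024-07-23T04:40:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "helpdesk", "substatus": "0xC0000064"},
    {"time": "2024-07-23T05:00:00", "event_id": 4625, "src_ip": "10.9.8.9", "target_user": "sqladmin", "substatus": "0xC0000064"},
]

SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 5        # distinct accounts from one source inside the window
SPRAY_MAX_PER_USER = 2     # a low per-account count is what separates a spray from brute force
ENUM_MIN_UNKNOWN = 5       # distinct non-existent names from one source


def _failures_by_source(events):
    """Group 4625 events per source IP, sorted by time (ISO strings sort correctly)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append(e)
    for evs in by_src.values():
        evs.sort(key=lambda e: e["time"])
    return by_src


def detect_spraying(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS,
                    max_per_user=SPRAY_MAX_PER_USER):
    """One alert per source whose sliding window shows many accounts, few tries each."""
    alerts = []
    for src, evs in _failures_by_source(events).items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        best, start = None, 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["target_user"].lower()] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {"kind": "password_spray", "src_ip": src,
                            "users": sorted(per_user),
                            "first": evs[start]["time"], "last": evs[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


def detect_enumeration(events, min_unknown=ENUM_MIN_UNKNOWN):
    """Sources that tried many account names the domain does not know (SubStatus 0xC0000064)."""
    unknown = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625 and e.get("substatus", "").lower() == "0xc0000064":
            unknown[e["src_ip"]].add(e["target_user"].lower())
    return [{"kind": "username_enumeration", "src_ip": src, "users": sorted(names)}
            for src, names in unknown.items() if len(names) >= min_unknown]


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_EVENTS) + detect_enumeration(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when adapting this: NTLM failures land as 4625 on the domain controller, but Kerberos-based sprays show up as 4771/4768 instead, so feed both; and the enumeration source here is spaced out enough that the spray detector stays quiet on it, which is exactly why the two checks are kept separate.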
Researchers Share Domain Registrations with Terms Related to GenAI
The data is interesting, including newly registered domains (NRDs) containing GenAI keywords and the DNS traffic to them.
https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/
ServiceNow Critical Bug Under Active Exploitation
Threat actors are abusing CVE-2024-4879 via publicly available exploit code. Attackers are also chaining three bugs, CVE-2024-4879 among them, each with public exploits, to reach full database access.
https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
Nation State North Korean Threat Actors Shifting Operations
Researchers share the latest observations of APT45, along with some history of the group.
https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/
Tracking Incident Response Trends Q2 2024
Top threats for Q2 were ransomware and business email compromise (BEC). Initial access via legitimate credentials continues to trend, fueled by a lack of multifactor authentication. Two ransomware groups, Mallox and Underground Team, were observed for the first time this quarter. The usual tradecraft was also seen, including increased use of remote access software.
https://blog.talosintelligence.com/ir-trends-ransomware-on-the-rise-q2-2024/
Browser Plugin from Okta Vulnerable to Cross-Site Scripting
The cross-site scripting bug is reachable only when Okta Personal has been added to the Okta Browser Plugin, which enables the multi-account view. Okta has published a fixed plugin version; update it.
GitHub Used as Malware Distribution Service
Threat actors known as ‘Stargazer Goblin’ have built a three-tiered network of thousands of ghost GitHub accounts. These accounts star, subscribe to, and fork malicious repositories to make them look legitimate.
https://research.checkpoint.com/2024/stargazers-ghost-network/
Docker Critical Authorization Bypass Bug
Rated CVSS 10.0, CVE-2024-41110 allows an attacker to bypass authorization (AuthZ) plugins. A Docker API request with Content-Length set to 0 is forwarded to the AuthZ plugin without its body, so a plugin that makes its decision on the body can approve a request it should deny, and the daemon then processes the full request. The flaw is a regression of a fix first shipped in 2019; patched releases are Docker Engine v23.0.14 and v27.1.0.
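The design lesson in CVE-2024-41110 is that an authorization decision made on a partial view of the request is no decision at all. Docker's advisory describes an API request with Content-Length set to 0 being handed to the AuthZ plugin without its body, so a body-inspecting plugin approves and the daemon acts on the request it actually received. The model below is an added illustration, not Docker's code, the AuthZ plugin API, or a reproduction of the daemon's HTTP handling: it simulates that split between what the plugin sees and what the daemon executes, and puts a naive body-inspecting policy next to one that fails closed. The endpoint set, the request dicts and the "privileged container" rule are constructed for the example.

```python
import json
import re

# Endpoints whose authorization decision depends on the request body
# (hypothetical policy scope for this illustration; the real surface is larger).
BODY_SENSITIVE = {("POST", "/containers/create")}


def normalize_path(path):
    """Drop the /vX.Y API version prefix and any query string."""
    return re.sub(r"^/v\d+\.\d+", "", path).split("?", 1)[0]


def plugin_view(request):
    """What a daemon that trusts Content-Length hands to the AuthZ plugin.

    Simplified model of the advisory: a declared Content-Length of 0 means
    the body is not forwarded, even though the daemon received one.
    """
    declared = int(request["headers"].get("Content-Length", "0"))
    view = dict(request)
    view["body"] = request["body"] if declared > 0 else None
    return view


def _wants_privileged(body):
    cfg = json.loads(body)
    return bool(cfg.get("HostConfig", {}).get("Privileged", False))


def naive_policy(view):
    """Deny privileged containers, but only when a body is there to inspect."""
    key = (view["method"], normalize_path(view["path"]))
    if key not in BODY_SENSITIVE or view["body"] is None:
        return True                                  # nothing to object to... apparently
    return not _wants_privileged(view["body"])


def strict_policy(view):
    """Same rule, but fail closed: a body-bearing endpoint with no body is denied."""
    key = (view["method"], normalize_path(view["path"]))
    if key in BODY_SENSITIVE and view["body"] is None:
        return False
    return naive_policy(view)


def daemon_handle(request, policy):
    """Ask the plugin, then act on the request the daemon actually received."""
    if not policy(plugin_view(request)):
        return {"allowed": False}
    privileged = bool(request["body"]) and _wants_privileged(request["body"])
    return {"allowed": True, "privileged": privileged}


PRIVILEGED_BODY = json.dumps({"Image": "alpine", "HostConfig": {"Privileged": True}})
BENIGN_BODY = json.dumps({"Image": "alpine"})

# Constructed requests against a hypothetical daemon.
ATTACK_REQUEST = {"method": "POST", "path": "/v1.45/containers/create",
                  "headers": {"Content-Length": "0", "Content-Type": "application/json"},
                  "body": PRIVILEGED_BODY}
HONEST_REQUEST = {"method": "POST", "path": "/v1.45/containers/create",
                  "headers": {"Content-Length": str(len(PRIVILEGED_BODY))},
                  "body": PRIVILEGED_BODY}
BENIGN_REQUEST = {"method": "POST", "path": "/v1.45/containers/create",
                  "headers": {"Content-Length": str(len(BENIGN_BODY))},
                  "body": BENIGN_BODY}


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("strict", strict_policy)):
        print(name, "attack ->", daemon_handle(ATTACK_REQUEST, policy))
```

The fix that matters is upgrading the daemon, since the plugin cannot see what it was never sent; the strict policy is the shape a plugin author should prefer anyway, because every future case where the body goes missing then denies instead of approving.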
North Korean Threat Actor Hired by KnowBe4
This one is interesting: AI was used to help the threat actor create the profile picture and make sure it matched the face shown during four video interviews. The FBI has warned about North Korean threat actors posing as remote IT workers since 2023.
https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
Stealer Campaign Actively Exploiting Microsoft SmartScreen Bug
Fixed in February, CVE-2024-21412, a SmartScreen/Mark-of-the-Web bypass abused through Internet Shortcut (.url) files that point at further shortcuts on an attacker-controlled share, is still being actively exploited to distribute infostealer malware.
https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
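A .url file is a small INI-style text file, so the lure is easy to inspect before it is double-clicked. The script below is an added example, not Fortinet's tooling and not from the newsletter: it parses Internet Shortcut files and flags the traits of a CVE-2024-21412 style chain, namely a target on a remote host (file:// or a UNC path) and a target that is itself another shortcut or executable rather than a web page. The three sample files are constructed, with 203.0.113.10 as a documentation address, and the extension list is a heuristic chosen for the example.

```python
import configparser
import os
import re
from urllib.parse import urlparse

# Targets that continue a shortcut chain rather than open a document.
# Heuristic set chosen for this example, not a list from the Fortinet write-up.
CHAINABLE = {".url", ".lnk", ".hta", ".exe", ".js", ".vbs", ".msi", ".cmd", ".bat"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def _basename(target):
    """Last path component, whether the separators are / or \\."""
    return re.split(r"[\\/]", target)[-1]


def analyze_url_file(text):
    """Parse a .url file and report why its target looks like a MotW-bypass chain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {"target": None, "remote_host": None, "suspicious": False,
                "reasons": ["no [InternetShortcut] section"]}
    sec = cp["InternetShortcut"]
    target = sec.get("url", "").strip()
    reasons, remote_host = [], None

    if target.startswith("\\\\"):                      # UNC path: \\host\share\...
        remote_host = target.lstrip("\\").split("\\", 1)[0]
        reasons.append(f"UNC target on {remote_host}")
    else:
        parsed = urlparse(target)
        if parsed.scheme.lower() == "file" and parsed.netloc.lower() not in LOCAL_HOSTS:
            remote_host = parsed.netloc
            reasons.append(f"file:// target on remote host {remote_host}")

    ext = os.path.splitext(_basename(target))[1].lower()
    if ext in CHAINABLE:
        reasons.append(f"target is a {ext} file, i.e. another shortcut or executable")

    icon = sec.get("iconfile", "").strip()
    if icon.startswith("\\\\"):                        # icon fetch also leaks NTLM to a share
        reasons.append("IconFile points at a UNC path")

    return {"target": target, "remote_host": remote_host,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_directory(root):
    """Analyze every .url under root (for example a Downloads folder); return the suspicious ones."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".url"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    result = analyze_url_file(fh.read())
                if result["suspicious"]:
                    findings.append((full, result))
    return findings


# Constructed samples. The first two mimic the first stage of a shortcut chain.
SAMPLE_REMOTE_URL = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.url
"""
SAMPLE_UNC_LNK = """[InternetShortcut]
URL=\\\\203.0.113.10\\public\\report.lnk
IconFile=\\\\203.0.113.10\\public\\icon.ico
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/docs/readme.html
"""


if __name__ == "__main__":
    for sample in (SAMPLE_REMOTE_URL, SAMPLE_UNC_LNK, SAMPLE_BENIGN):
        print(analyze_url_file(sample))
```

This is a triage aid for a mail gateway or an analyst, not a substitute for the February patch: the bypass is in how Windows handles the chain, and the detector only tells you which shortcuts deserve a second look.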
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter