Cyber Threat Weekly – #37
The week of July 29th through August 4th, roughly 465 cyber news articles were reviewed. Quite a bit of cyber threat trend and adversarial behavior news to share. Let’s start with a rush of home users seeking help after ransomware infection.
Threat actors use adversary-in-the-middle (AitM) at the ISP level for initial access. Researchers share how cybercriminals are abusing ‘TryCloudflare’ to blend in with legitimate traffic. The Dark Angels ransomware gang is changing the game.
Researchers discover new Windows backdoor with stealthy command-and-control (C2). Domain Name System (DNS) weaknesses allow easily hijacked web domains. Quality answers on StackExchange lead to malicious Python packages on PyPI.
The state of ransomware so far this year, it’s not pretty. A new ransomware risk report surveyed 900 IT and security leaders. Business Email Compromise (BEC) attacks are up 20% according to researchers. Malvertising via Google ads continues.
Black Basta ransomware gang switching to custom malware. Critical bugs in ServiceNow added to the CISA Known Exploited Vulnerability (KEV) catalog. An open-source C2 framework uses Outlook for command-and-control.
VMware ESXi authentication bypass bug abused by ransomware affiliates.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
We should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for July 29th to August 4th:
CVE-2023-45249 – Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability:
Allows an unauthenticated user to execute commands remotely due to the use of default passwords.
CVE-2024-5217 – ServiceNow Incomplete List of Disallowed Inputs Vulnerability:
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
CVE-2024-4879 – ServiceNow Improper Input Validation Vulnerability:
ServiceNow Utah, Vancouver, and Washington DC Now releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
CVE-2024-37085 – VMware ESXi Authentication Bypass Vulnerability:
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
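The prioritization described above (start with the KEV catalog, then run an emergency 24-to-48-hour process for anything exploited that you actually run) can be scripted against the CISA KEV JSON feed. The example below is added here and is not from the newsletter or from CISA; the feed URL and field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of the real feed, while the sample entries are constructed from the four CVEs listed above with assumed `dateAdded`/`dueDate` values plus one placeholder entry outside the review window.

```python
"""Weekly CISA KEV triage: filter the feed to a date window and rank what to patch first."""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. CVE IDs and names are the entries above;
# the dateAdded/dueDate values and the fifth placeholder record are assumed for illustration.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-45249", "vendorProject": "Acronis", "product": "Cyber Infrastructure (ACI)",
     "vulnerabilityName": "Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability",
     "dateAdded": "2024-07-29", "dueDate": "2024-08-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-5217", "vendorProject": "ServiceNow", "product": "Now Platform",
     "vulnerabilityName": "ServiceNow Incomplete List of Disallowed Inputs Vulnerability",
     "dateAdded": "2024-07-29", "dueDate": "2024-08-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-4879", "vendorProject": "ServiceNow", "product": "Now Platform",
     "vulnerabilityName": "ServiceNow Improper Input Validation Vulnerability",
     "dateAdded": "2024-07-29", "dueDate": "2024-08-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-37085", "vendorProject": "VMware", "product": "ESXi",
     "vulnerabilityName": "VMware ESXi Authentication Bypass Vulnerability",
     "dateAdded": "2024-07-30", "dueDate": "2024-08-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-PLACEHOLDER-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry added before the review window",
     "dateAdded": "2024-06-01", "dueDate": "2024-06-22", "knownRansomwareCampaignUse": "Unknown"},
]})


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live feed (needs network); everything else here works on SAMPLE_KEV_JSON."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(raw_json):
    """Return the list of vulnerability records from the feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def added_in_window(entries, start, end):
    """Keep only entries CISA added between start and end (inclusive)."""
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def prioritize(entries, inventory_vendors, today):
    """Rank: vendors we actually run first, then known ransomware use, then soonest due date."""
    inv = {v.casefold() for v in inventory_vendors}
    ranked = []
    for e in entries:
        in_inv = e["vendorProject"].casefold() in inv
        ranked.append({
            "cveID": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "in_inventory": in_inv,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_until_due": (date.fromisoformat(e["dueDate"]) - today).days,
            # Every KEV entry is exploited in the wild, so anything in our inventory goes
            # through the emergency 24-to-48-hour process rather than the normal cycle.
            "sla_hours": 48 if in_inv else None,
        })
    ranked.sort(key=lambda r: (not r["in_inventory"], not r["ransomware"],
                               r["days_until_due"], r["cveID"]))
    return ranked


def weekly_triage(raw_json, start_iso, end_iso, inventory_vendors, today_iso):
    """One call for the weekly review: window the feed, then rank against our inventory."""
    week = added_in_window(load_kev(raw_json), date.fromisoformat(start_iso), date.fromisoformat(end_iso))
    return prioritize(week, inventory_vendors, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Assumed inventory: we run ServiceNow and VMware, not Acronis.
    for r in weekly_triage(SAMPLE_KEV_JSON, "2024-07-29", "2024-08-04", ["ServiceNow", "VMware"], "2024-08-05"):
        print(r["cveID"], r["vendor"], "inventory" if r["in_inventory"] else "not in use",
              "ransomware" if r["ransomware"] else "", f"due in {r['days_until_due']}d", r["sla_hours"])
```

Swap `SAMPLE_KEV_JSON` for `fetch_kev()` and the inventory list for an export from your asset system; the ranking puts the ESXi bypass first because ransomware use is marked as known, and it drops the Acronis entry to the bottom only because the assumed inventory does not include it, not because it is less severe.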
Home Users Impacted by Magniber Ransomware
Like the early days of ransomware, before big game hunting, individual users are under attack. Magniber typically targets individual users and has had spurts of activity over the years. It appears software cracks and key generators may be the entry point currently.
Adversary Compromises ISP for AitM Campaign via DNS Poisoning
Insecure automated software updates were the target. Much as defenders use DNS sinkholing to redirect threat actor traffic to a benign IP address, DNS poisoning was used here to redirect software update traffic to an attacker-controlled server.
https://thecyberexpress.com/stormbamboos-dns-poisoning-attack/
Cloudflare Tunnels Abused to Obfuscate Malware Delivery
The abuse of legitimate infrastructure is not new; threat actors work continually to hide their activities and blend in. This is another example: no signup needed, only the HTTP protocol, and a limit of 200 concurrent connections. Still, threat actors found a way to abuse it.
Dark Angels Ransomware, Focused and Successful
Flipping the ransomware playbook on its head, Dark Angels pulled in a reported $75 million payment from a Fortune 50 company. The approach: target higher-value victims, stay under the radar, and exfiltrate terabytes of data to ask for higher payouts. The group often does not encrypt data and systems, so the victims can continue to operate.
https://www.zscaler.com/resources/industry-reports/threatlabz-ransomware-report.pdf
A Novel Newly Identified Windows Backdoor
Researchers share analysis of a new Windows backdoor dubbed BITSLOTH that uses the Background Intelligent Transfer Service (BITS) for C2. Capable of discovery, enumeration, execution, collection, and more, this is a very capable malware.
https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.html
https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth
Threat Actors Hijacking Domains via DNS Weakness
Tens of thousands of domains have been hijacked by threat actors. The threat dubbed “Sitting Ducks” is really a weakness in how domains are administered.
https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/
https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/
Threat Actors Abuse StackExchange to Deliver Malicious Python Packages
What’s important here is the behavior: quality answers to questions that point to malicious Python packages on PyPI. This behavior can use different lures and legitimate sites for delivery, but chances are we’ll continue to see it, because it works.
Researchers Share the State of Ransomware 2024 Report
So far, this year is not good news: a big jump in attacks, with the highest July ever. A slight increase in average payments and too many unreported incidents.
https://www.blackfog.com/the-state-of-ransomware-2024/
2024 Ransomware Risk Report
The numbers suck but are food for thought. Ransomware is a prolific threat that isn’t going away if we continue to feed the ransomware monster. We must make attacks more expensive and starve this beast.
https://www.cybersecuritydive.com/news/ransomware-cyber-attack-security-payment/722856/
https://www.semperis.com/wp-content/uploads/resources-pdfs/ransomware-report-2024.pdf
AI is Adding to the BEC Nightmare
Researchers share email threat trends for Q2 2024. Surprise, threat actors are using AI to help craft compelling messages.
https://www.infosecurity-magazine.com/news/bec-attacks-surge-20-annually-ai/
https://vipre.com/wp-content/uploads/2024/07/vipre-q2-2024-email-threat-report.pdf
Google Duped by Google Ads Malvertising
Threat actors are pushing fake Google Authenticator ads via Google Ads. They have figured out how to look more legitimate, pass verification, and bypass detection.
Custom Tools Developed and Used by Black Basta Ransomware
Black Basta is a prolific ransomware gang, closed and selective of affiliate access. They are making the switch from public tooling to custom tools developed in house. Researchers share the latest analysis.
https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight/
Active Exploitation of ServiceNow Bugs
Two critical flaws added to the CISA KEV catalog, chained together with a less critical flaw, provide access to the ServiceNow database.
https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit
Open Source C2 Framework Leveraging Outlook
Specula, turning the Outlook email client into a beaconing C2 with a single registry change. Let’s hope threat actors don’t adopt this one like other open-source projects.
https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
Domain Joined ESXi Hypervisors Abused by Ransomware Affiliates
The VMware ESXi authentication bypass bug is being actively exploited. Virtual machines are attractive targets: many virtual machines reside on a single server, making it easy for ransomware affiliates to encrypt many machines in one fell swoop.
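The KEV description above spells out the pattern to watch for: the configured AD admin group is deleted and then re-created, after which the hypervisor trusts whoever controls the new group. The detection below is an added example, not from the newsletter, VMware or Microsoft; it assumes domain controller security events exported as JSON lines with the Windows Security log field names (`EventID`, `TimeCreated`, `SubjectUserName`, `TargetUserName`, `MemberName`), uses the group name exactly as the page states it, and the sample events are constructed.

```python
"""Flag deletion, re-creation and membership changes of the AD group ESXi hosts trust."""
import json
from datetime import datetime

# The default group name as stated in the KEV entry above. Set this to the group name
# your ESXi hosts are actually configured with (the esxAdminsGroup advanced setting).
ESX_ADMIN_GROUP = "ESXi Admins"

# Windows Security event IDs for security-enabled group lifecycle (global, local, universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_DELETED = {4730, 4734, 4758}
MEMBER_ADDED = {4728, 4732, 4756}

# Constructed sample: the trusted group is deleted, re-created with different casing a
# couple of minutes later by a service account, and that account is added to it.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4730, "TimeCreated": "2024-08-01T09:12:05", "SubjectUserName": "jdoe",
     "TargetUserName": "ESXi Admins", "TargetDomainName": "CORP"},
    {"EventID": 4727, "TimeCreated": "2024-08-01T09:14:40", "SubjectUserName": "svc-backup",
     "TargetUserName": "esxi admins", "TargetDomainName": "CORP"},
    {"EventID": 4728, "TimeCreated": "2024-08-01T09:15:02", "SubjectUserName": "svc-backup",
     "TargetUserName": "esxi admins", "TargetDomainName": "CORP",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4727, "TimeCreated": "2024-08-02T11:00:00", "SubjectUserName": "admin",
     "TargetUserName": "Finance Readers", "TargetDomainName": "CORP"},
])


def parse_events(text):
    """Parse JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_group_recreation(events, group_name=ESX_ADMIN_GROUP, window_seconds=86400):
    """Return alerts for lifecycle changes of the trusted group.

    A creation within window_seconds of a deletion of the same name is rated critical,
    since delete-then-recreate is exactly the abuse the KEV entry describes.
    """
    wanted = group_name.casefold()  # case-insensitive so a differently cased clone is not missed
    last_deleted_at = None
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):  # ISO timestamps sort lexically
        if ev.get("TargetUserName", "").casefold() != wanted:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        eid = ev["EventID"]
        base = {"time": ev["TimeCreated"], "actor": ev.get("SubjectUserName"),
                "event_id": eid, "group": ev["TargetUserName"]}
        if eid in GROUP_DELETED:
            last_deleted_at = ts
            alerts.append({**base, "severity": "medium", "reason": "trusted ESXi admin group deleted"})
        elif eid in GROUP_CREATED:
            gap = None if last_deleted_at is None else int((ts - last_deleted_at).total_seconds())
            if gap is not None and gap <= window_seconds:
                alerts.append({**base, "severity": "critical", "seconds_since_deletion": gap,
                               "reason": f"trusted ESXi admin group re-created {gap}s after deletion"})
            else:
                alerts.append({**base, "severity": "high", "reason": "trusted ESXi admin group created"})
        elif eid in MEMBER_ADDED:
            alerts.append({**base, "severity": "high", "member": ev.get("MemberName"),
                           "reason": "member added to trusted ESXi admin group"})
    return alerts


def run_detection(text, group_name=ESX_ADMIN_GROUP, window_seconds=86400):
    """Convenience wrapper: parse an export and run the detection in one call."""
    return detect_group_recreation(parse_events(text), group_name, window_seconds)


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["actor"], a["reason"])
```

Any creation or membership change of this group should be rare and change-controlled, so the high-severity alerts are worth reviewing on their own; the critical rating is reserved for the re-creation sequence because that is the step that hands a fresh group, with attacker-chosen members, to hosts that still trust the name.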
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter