Cyber Threat Weekly – #38
The week of August 5th through August 11th was on the heavier side with 485 cyber news articles reviewed. It was Blackhat and DefCon week, so there is some interesting research to share in addition to the typical threat trends and adversarial behavior.
Let’s start with 2.7 billion data records leaked. SinkClose bug affects AMD processors. High severity bug exposes NTLM hashes affecting Office 2016 and other versions. An ongoing malware campaign force-installs malicious browser extensions.
Researchers share H1 2024 ransomware leak site data. End of life Cisco IP phones have remote code execution (RCE) zero-days. Actively exploited Apache OFBiz RCE bug. Cisco Smart Software Manager (SSM) bug, an exploit has been released.
OpenVPN bugs discovered, leading to full control of systems. New report, effective subject lines for phishing attacks. Actively exploited 18-year-old bug allows security bypass in Chrome, Firefox, and Safari. New DeathGrip RaaS Operations Analyzed.
Royal ransomware rebrands to BlackSuit. Windows downgrade attack, zero-days to “unpatch” systems. Progress WhatsUp Gold RCE bug under active attack. Security best practices for ESXi systems. SharpRino remote access trojan (RAT) used to breach corporate networks.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for August 5th to August 11th:
CVE-2018-0824 – Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability:
Allows for privilege escalation and remote code execution via a specially crafted file or script.
CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability:
Allows remote code execution.
CVE-2024-36971 – Android Kernel Remote Code Execution Vulnerability:
Allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.
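One way to turn the prioritization rule above (KEV first, weaponized PoC a close second, Internet exposure as the tie-breaker) into a repeatable triage step. This is an added example, not code from the newsletter; the KEV document below is a constructed sample in the shape of CISA's known_exploited_vulnerabilities.json, the findings list is constructed, and CVE-0000-0001 is a placeholder identifier.

```python
import json

# Constructed sample using the field names of CISA's known_exploited_vulnerabilities.json,
# trimmed to the three CVEs listed in this issue (values illustrative, not copied from the feed).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-0824", "vendorProject": "Microsoft", "product": "COM for Windows"},
    {"cveID": "CVE-2024-32113", "vendorProject": "Apache", "product": "OFBiz"},
    {"cveID": "CVE-2024-36971", "vendorProject": "Android", "product": "Kernel"},
]})

# Constructed scanner findings: CVE per host, whether the host is reachable from the
# Internet, and whether a weaponized PoC is known (from your own intel feed).
FINDINGS = [
    {"cve": "CVE-0000-0001", "host": "hr-db-01", "internet_exposed": False, "weaponized_poc": False},  # placeholder CVE
    {"cve": "CVE-2024-32113", "host": "erp-web-02", "internet_exposed": True, "weaponized_poc": False},
    {"cve": "CVE-2024-20419", "host": "ssm-on-prem", "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-2018-0824", "host": "fileshare-07", "internet_exposed": False, "weaponized_poc": False},
]


def load_kev_ids(kev_json):
    """Return the set of CVE IDs present in a KEV-format JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(findings, kev_ids):
    """Order findings: KEV-listed first, then weaponized PoC, then Internet exposure.
    Anything in KEV or with a weaponized PoC lands in the 24-48h emergency tier."""
    ranked = []
    for f in findings:
        in_kev = f["cve"] in kev_ids
        emergency = in_kev or f["weaponized_poc"]
        ranked.append({**f, "in_kev": in_kev,
                       "tier": "emergency-24-48h" if emergency else "standard-cycle"})
    # sort is stable; with reverse=True, True sorts ahead of False for each key in turn
    ranked.sort(key=lambda r: (r["in_kev"], r["weaponized_poc"], r["internet_exposed"]),
                reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev_ids(KEV_SAMPLE)):
        print(f'{r["tier"]:17} {r["cve"]:15} {r["host"]:13} '
              f'kev={r["in_kev"]} poc={r["weaponized_poc"]} exposed={r["internet_exposed"]}')
```

Swap KEV_SAMPLE for the live feed and FINDINGS for your scanner export and the same function produces the emergency patch list each week.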
Threat Actors Leak 2.7 billion Records for FREE
An unencrypted file with plain text records containing name, mailing address, and social security number. Each person could have multiple records, one for each address they lived at. Not all of the information may be accurate.
AMD Processors are Susceptible to SinkClose Bug
While difficult to exploit, this flaw allows threat actors with kernel-level privilege to install malware that is very hard to detect and remove. This bug affects many generations of AMD processors.
https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/
Microsoft Office Bug Exposes NTLM Hashes
A high severity flaw tracked as CVE-2024-38200 impacts multiple Office versions. Although a fix has been pushed, a patch is coming in the August Patch Tuesday release. Other mitigations are available as well.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200
Malicious Browser Extensions Force-Installed by Malware
Chrome and Edge extension installers are spread via malvertising and fake websites. Removal is a manual process. The installer is signed, and most stages of installation and related domains are not detected as malicious.
https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign
Ransomware Leak Site Data for H1 2024 Shared
Researchers monitor 53 dedicated leak sites and provide analysis of the data. Some interesting trends and rebrands. A slight 4.3% increase in victims year over year. New groups are making up for law enforcement takedowns.
https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
Multiple Critical RCE Zero-Days in Cisco IP Phones
Small business SPA 300 and SPA 500 IP phones are end-of-life with no patches or mitigations released. Technical debt is real and typically unnecessary attack surface. It can be tough on businesses but life cycle management matters and should be planned.
RCE Bug in Apache OFBiz Actively Exploited
While the older bug CVE-2024-32113 was added to the CISA known exploited vulnerability (KEV) catalog this week, there is a similar new flaw. A critical pre-authentication remote code execution (RCE) bug was revealed with several proof of concept (PoC) exploits released.
Cisco SSM Bug, an Exploit has been Published
Tracked as CVE-2024-20419, the flaw allows admin password changes. So far, there is no evidence of exploitation, but with exploit code now available that may change.
Researchers Discover Multiple OpenVPN Flaws
Multiple medium-severity vulnerabilities have been identified that, when chained, can lead to RCE and local privilege escalation (LPE). A successful attack chain can lead to full control over the targeted systems.
Q2 2024 Phishing Benchmark Report
Hacking the human hasn’t changed: exploit emotions and elicit a feeling of urgency, confusion, anxiety, etc. Getting a person to act before thinking is the key.
https://www.knowbe4.com/hubfs/2024-Phishing-by-Industry-Benchmarking-Report-EN_US.pdf
Security Bypass in Chrome, Firefox, and Safari Browsers Actively Exploited
An 18-year-old bug dubbed ‘0.0.0.0 Day’ affects Linux and macOS. This bug allows malicious websites to bypass browser security and interact with services on a local network. This can possibly lead to remote code execution amongst other negative impacts.
https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
Another New RaaS Player, DeathGrip
The barrier to entry is nearly non-existent with so many builder tools available. This group hit the scene in June 2024 and is already making a name for itself. Small players can turn into bigger players quickly with some iteration.
CISA Joint Advisory on BlackSuit (Royal) Ransomware
An updated advisory with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) as well as the rebranding info.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
Windows Downgrade Attacks, Zero-days to “Unpatch” Systems
Shared at BlackHat and DefCon, researchers discovered system components could be downgraded via Windows updates to vulnerable versions and yet be reported as fully patched. (Full disclosure, I’m the Director of Security Services at SafeBreach).
https://msrc.microsoft.com/update-guide/advisory/ADV24216903
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302
https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
RCE Bug in WhatsUp Gold Under Active Attack
This is a network monitoring application; it shouldn’t be exposed to the Internet. That said, architecture and zero trust network access can allow remote access to the application. Also, even if internal, the exploit could be used for lateral movement, so minimize access.
Security Best Practices for ESXi Environments
While not a threat trend or adversarial behavior, this is good info on securing your ESXi systems. VMware ESXi is a huge target for threat actors; it’s worth a quick read.
https://news.sophos.com/en-us/2024/08/07/best-security-practices-for-esxi-environments/
Hunters International Targeting IT Workers with SharpRino RAT
The remote access trojan serves as initial access, persistence, executing PowerShell commands, and more. The use of fake websites for legitimate admin utilities suggests IT worker targeting.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter