
Cyber Threat Weekly – #38

Derek Krein

The week of August 5th through August 11th was on the heavier side with 485 cyber news articles reviewed.  It was Black Hat and DEF CON week, so there is some interesting research to share in addition to the typical threat trends and adversarial behavior.

Let’s start with 2.7 billion data records leaked.  SinkClose bug affects AMD processors.  High severity bug exposes NTLM hashes affecting Office 2016 and other versions.  An ongoing malware campaign force-installs malicious browser extensions.

Researchers share H1 2024 ransomware leak site data.  End of life Cisco IP phones have remote code execution (RCE) zero-days.  Actively exploited Apache OFBiz RCE bug.  Cisco Smart Software Manager (SSM) bug, an exploit has been released.

OpenVPN bugs discovered, leading to full control of systems.  New report, effective subject lines for phishing attacks.  Actively exploited 18-year-old bug allows security bypass in Chrome, Firefox, and Safari.  New DeathGrip RaaS Operations Analyzed.

Royal ransomware rebrands to BlackSuit.  Windows downgrade attack, zero-days to “unpatch” systems.  Progress WhatsUp Gold RCE bug under active attack.  Security best practices for ESXi systems.  SharpRhino remote access trojan (RAT) used to breach corporate networks.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available, since the chance of exploitation is higher once such code exists.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
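The priority order above (KEV first, weaponized PoC second, Internet exposure as the tie-breaker) can be turned into a small triage queue. This is an added example, not part of the original newsletter; the host names, the `Finding` fields, the placeholder `CVE-0000-00000` and the 48-hour default are assumptions, and the KEV extract is constructed using the catalog feed's `cveID` field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed extract using the KEV JSON feed's "cveID" field; the three IDs
# are the ones this issue lists as added to the catalog.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2018-0824"},
    {"cveID": "CVE-2024-32113"},
    {"cveID": "CVE-2024-36971"},
]}

@dataclass
class Finding:
    host: str               # hypothetical asset name
    cve: str
    weaponized_poc: bool    # assumed to come from your own threat intel
    internet_exposed: bool  # assumed to come from your asset inventory

# Constructed scanner output; CVE-0000-00000 is a placeholder ID.
SAMPLE_FINDINGS = [
    Finding("lab-03", "CVE-0000-00000", False, True),
    Finding("ssm-01", "CVE-2024-20419", True, False),
    Finding("win-07", "CVE-2018-0824", False, False),
    Finding("erp-01", "CVE-2024-32113", True, True),
]

def triage(findings, kev, now, emergency_hours=48):
    """Rank findings: KEV first, weaponized PoC second, everything else last."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    queue = []
    for f in findings:
        tier = 1 if f.cve in kev_ids else 2 if f.weaponized_poc else 3
        # Tiers 1 and 2 get the emergency window; tier 3 follows the normal cycle.
        due = now + timedelta(hours=emergency_hours) if tier < 3 else None
        queue.append({"host": f.host, "cve": f.cve, "tier": tier,
                      "exposed": f.internet_exposed, "due": due})
    # Within a tier, Internet-exposed assets are patched first.
    queue.sort(key=lambda r: (r["tier"], not r["exposed"], r["host"]))
    return queue

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, KEV_SAMPLE, datetime(2024, 8, 12, 9, 0)):
        due = row["due"].isoformat() if row["due"] else "normal cycle"
        print(row["tier"], row["host"], row["cve"], due)
```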


CISA Known Exploited Vulnerabilities for August 5th to August 11th:

CVE-2018-0824 – Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability:
Allows for privilege escalation and remote code execution via a specially crafted file or script.

CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability:
Allows remote code execution.

CVE-2024-36971 – Android Kernel Remote Code Execution Vulnerability:
Allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.


Threat Actors Leak 2.7 Billion Records for FREE

An unencrypted file with plaintext records containing name, mailing address, and social security number.  Each person could have multiple records, one for each address they lived at.  All the info may not be accurate.

https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/


AMD Processors are Susceptible to SinkClose Bug

While difficult to exploit, this flaw allows threat actors with kernel-level privilege to install malware that is very hard to detect and remove.  This bug affects many generations of AMD processors.

https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/

https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/


Microsoft Office Bug Exposes NTLM Hashes

A high severity flaw tracked as CVE-2024-38200 impacts multiple Office versions.  Although a fix has been pushed, a patch is coming in the August Patch Tuesday release.  Other mitigations are available as well.

https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200


Malicious Browser Extensions Force-Installed by Malware

Chrome and Edge extension installers are spread via malvertising and fake websites.  Removal is a manual process.  The installer is signed, and most stages of installation and related domains are not detected as malicious.

https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/

https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign


Ransomware Leak Site Data for H1 2024 Shared

Researchers monitor 53 dedicated leak sites and provide analysis of the data.  Some interesting trends and rebrands.  A slight 4.3% increase in victims year over year.  New groups are making up for law enforcement takedowns.

https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/


Multiple Critical RCE Zero-Days in Cisco IP Phones

Small business SPA 300 and SPA 500 IP phones are end-of-life with no patches or mitigations released.  Technical debt is real and typically unnecessary attack surface.  It can be tough on businesses but life cycle management matters and should be planned.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-zero-days-in-end-of-life-ip-phones/


RCE Bug in Apache OFBiz Actively Exploited

An older bug, CVE-2024-32113, was added to the CISA known exploited vulnerability (KEV) catalog this week, and there is a similar new flaw.  A critical pre-authentication remote code execution (RCE) flaw was revealed, with several proof of concept (PoC) exploits released.

https://www.bleepingcomputer.com/news/security/cisa-warns-about-actively-exploited-apache-ofbiz-rce-flaw/

https://blog.sonicwall.com/en-us/2024/08/sonicwall-discovers-second-critical-apache-ofbiz-zero-day-vulnerability/


Cisco SSM Bug, an Exploit has been Published

Tracked as CVE-2024-20419, this bug allows admin password changes.  So far, there is no evidence of exploitation, but with exploit code now available that may change.

https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-ssm-bug-allowing-admin-password-changes/


Researchers Discover Multiple OpenVPN Flaws

Multiple medium-severity vulnerabilities have been identified that, when chained, can lead to RCE and local privilege escalation (LPE).  A successful attack chain can lead to full control over the targeted systems.

https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/


Q2 2024 Phishing Benchmark Report

Hacking the human hasn’t changed: exploit emotions and elicit a feeling of urgency, confusion, anxiety, etc.  Getting a person to act before thinking is the key.

https://www.csoonline.com/article/3484775/phishers-have-figured-out-that-everyone-is-afraid-of-hr.html

https://www.knowbe4.com/hubfs/2024-Phishing-by-Industry-Benchmarking-Report-EN_US.pdf


Security Bypass in Chrome, Firefox, and Safari Browsers Actively Exploited

An 18-year-old bug dubbed ‘0.0.0.0 Day’ affects Linux and macOS.  This bug allows malicious websites to bypass browser security and interact with services on a local network.  This can possibly lead to remote code execution amongst other negative impacts.

https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/

https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser


Another New RaaS Player, DeathGrip

The barrier to entry is nearly non-existent with so many builder tools available.  This group hit the scene in June 2024 and is already making a name for itself.  Small players can turn into bigger players quickly with some iteration.

https://www.sentinelone.com/blog/deathgrip-raas-small-time-threat-actors-aim-high-with-lockbit-yashma-builders/


CISA Joint Advisory on BlackSuit (Royal) Ransomware

An updated advisory with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) as well as the rebranding info.

https://www.bleepingcomputer.com/news/security/fbi-blacksuit-ransomware-behind-over-500-million-in-ransom-demands/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a


Windows Downgrade Attacks, Zero-days to “Unpatch” Systems

Shared at Black Hat and DEF CON: researchers discovered that system components could be downgraded via Windows updates to vulnerable versions and yet be reported as fully patched.  (Full disclosure, I’m the Director of Security Services at SafeBreach).

https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/

https://msrc.microsoft.com/update-guide/advisory/ADV24216903

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302

https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/


RCE Bug in WhatsUp Gold Under Active Attack

This is a network monitoring application; it shouldn’t be exposed to the Internet.  That said, architecture and zero trust network access can allow remote access to the application.  Also, even if internal, the exploit could be used for lateral movement, so minimize access.

https://www.bleepingcomputer.com/news/security/critical-progress-whatsup-rce-flaw-now-under-active-exploitation/


Security Best Practices for ESXi Environments

While not a threat trend or adversarial behavior, this is good info on securing your ESXi systems.  VMware ESXi is a huge target for threat actors; it’s worth a quick read.

https://news.sophos.com/en-us/2024/08/07/best-security-practices-for-esxi-environments/


Hunters International Targeting IT Workers with SharpRhino RAT

The remote access trojan provides initial access and persistence, executes PowerShell commands, and more.  The use of fake websites for legitimate admin utilities suggests IT worker targeting.

https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware/

https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/

