
Cyber Threat Weekly #39

Derek Krein

The week of August 12th through August 18th there were 478 cyber news articles in my feed.  A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with extortion-based threat actors using a fake update screen to hide data theft.

Threat actors continue to abuse legit services.  AI and influence operations targeting the US election.  Lazarus group exploited Windows zero-day bug gaining unauthorized access.  Threat actors exploiting critical SolarWinds flaw.

Researchers share year-over-year threat trends like interactive attacks.  Adversaries continue to introduce EDR killers into their toolkit.  Malvertisers impersonated Google’s entire product line.  Windows systems with IPv6 enabled are exposed to zero-click remote code execution.

Researchers share an ongoing social engineering campaign changing payloads.  AWS cloud security missteps lead to large-scale extortion campaign.  Ransomware report July 2024.  Credential hygiene is challenged on mostly public GitHub repositories. 

Critical bug in Ivanti Virtual Traffic Manager.  Zero-day Windows SmartScreen bypass exploited since March.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
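The prioritization described above, sketched as an added example (not from the original post): findings matching the KEV list come first, then flaws with weaponized PoC code, both on the 48-hour emergency clock, with Internet-facing hosts ahead within each tier. The KEV excerpt is constructed from the CVE IDs on this page; host names, the placeholder CVE, the `weaponized_poc` field and the 30-day routine window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt shaped like the CISA KEV JSON feed; CVE IDs are the ones listed on this page.
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": c} for c in (
    "CVE-2024-38107", "CVE-2024-38106", "CVE-2024-38193", "CVE-2024-38213",
    "CVE-2024-38178", "CVE-2024-38189", "CVE-2024-28986")]})

# Constructed scanner findings (hosts and the placeholder CVE are hypothetical).
FINDINGS = [
    {"host": "hr-laptop-07", "cve": "CVE-0000-00000", "internet_facing": False, "weaponized_poc": False},
    {"host": "vtm-edge-01", "cve": "CVE-2024-7593", "internet_facing": True, "weaponized_poc": True},
    {"host": "helpdesk-01", "cve": "CVE-2024-28986", "internet_facing": True, "weaponized_poc": False},
    {"host": "fileserver-02", "cve": "CVE-2024-38193", "internet_facing": False, "weaponized_poc": False},
]

EMERGENCY_SLA = timedelta(hours=48)  # upper bound of the 24-to-48-hour window
ROUTINE_SLA = timedelta(days=30)     # assumption: normal patch cycle length


def load_kev_ids(raw):
    """Return the set of CVE IDs in a KEV-style JSON document."""
    return {v["cveID"].upper() for v in json.loads(raw)["vulnerabilities"]}


def triage(findings, kev_ids, detected_at):
    """Assign a tier and due time to each finding and return the patch queue."""
    queue = []
    for f in findings:
        if f["cve"].upper() in kev_ids:
            tier = 1  # known exploited
        elif f["weaponized_poc"]:
            tier = 2  # weaponized PoC code available
        else:
            tier = 3  # routine cycle
        sla = EMERGENCY_SLA if tier < 3 else ROUTINE_SLA
        queue.append({**f, "tier": tier, "due": detected_at + sla})
    # KEV first, then weaponized PoC; within a tier, Internet-facing hosts first.
    return sorted(queue, key=lambda f: (f["tier"], not f["internet_facing"], f["host"]))


if __name__ == "__main__":
    for item in triage(FINDINGS, load_kev_ids(KEV_JSON), datetime(2024, 8, 19, 9, 0)):
        print(item["tier"], item["due"].isoformat(), item["host"], item["cve"])
```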


CISA Known Exploited Vulnerabilities for August 12th to August 18th:

CVE-2024-38107 – Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability:
Allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges.

CVE-2024-38106 – Microsoft Windows Kernel Privilege Escalation Vulnerability:
Allows a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2024-38193 – Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability:
Allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

CVE-2024-38213 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability:
Allows an attacker to bypass the SmartScreen user experience via a malicious file.

CVE-2024-38178 – Microsoft Windows Scripting Engine Memory Corruption Vulnerability:
Allows an unauthenticated attacker to initiate remote code execution via a specially crafted URL.

CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability:
Allows for remote code execution via a malicious file.

CVE-2024-28986 – SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability:
Allows for remote code execution.


Fake Windows Update Screen Used to Hide Data Theft

New Mad Liberator extortion gang uses AnyDesk and hides data exfiltration behind a fake Windows update screen.  A data leak site lists victims’ details and claims free access to the data if payment isn’t made.  It appears AnyDesk is the entry point and users must authorize the connection.

https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-fake-windows-update-screen-to-hide-data-theft/

https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/


Google Search and Azure Domains Used to Deliver Malware / Spam

The important bit here is the use of legit services such as Google Search and Azure domains to push an agenda.  This is a trend that continues to work well for threat actors. 

https://www.bleepingcomputer.com/news/security/azure-domains-and-google-abused-to-spread-disinformation-and-malware/


OpenAI Blocked Iranian Threat Actors Abusing ChatGPT

This isn’t the first and won’t be the last time generative AI is used for influence operations, spam, social engineering, etc.  While AI is a great tool it can be easily abused by threat actors to create more accurate phishing emails, articles, and other content for social engineering and more.

https://thehackernews.com/2024/08/openai-blocks-iranian-influence.html

https://openai.com/index/disrupting-a-covert-iranian-influence-operation/


Researchers Observe Lazarus Group Exploiting Windows Zero-Day

The nation-backed threat actors have been abusing this zero-day to gain unauthorized access to system resources most users and admins don’t have access to.  In addition, a rootkit called FudModule was also discovered.

https://www.pcmag.com/news/zero-day-windows-bug-linked-to-north-korean-hacking-group-lazarus

https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193


Recently Patched SolarWinds Bug Actively Exploited

Remote code execution bug tracked as CVE-2024-28986 in SolarWinds Web Help Desk.  The trend is to exploit new bugs as fast as possible and within a day or so if weaponized exploit code is released.

https://www.bleepingcomputer.com/news/security/cisa-warns-critical-solarwinds-rce-bug-is-exploited-in-attacks/

https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1


Interactive Hands-on-Keyboard Attacks Up 55%

Researchers share threat trends from July 1, 2023, to June 30, 2024.  Correlating these trends with other reports will allow for more accurate trending.  Adversaries using RMM tools increased 70%.  Observed interactive intrusions continue to climb with 86% attributed to eCrime.

https://www.cybersecuritydive.com/news/manual-techniques-fuel-ransomware/724472/

https://go.crowdstrike.com/rs/281-OBQ-266/images/24-MA-099_2024-Threat-Hunting-Report_11.pdf


Another Bring Your Own Vulnerable Driver (BYOVD) EDR Killer

Researchers observe ransomware affiliates using EDRKillShifter in attack campaigns.  The tool uses multiple stages with heavy obfuscation and multiple payloads. 

https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/

https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/


Malvertising Google Products Continues

This time it’s the Google product line and a fake Google home page to boot.  All this leads to tech support scams.  What these miscreants won’t stoop to. 

https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads


Windows TCP/IP Zero-Click Remote Code Execution Bug

With increased likelihood of exploitation, this is one to patch quickly.  Tracked as CVE-2024-38063, this bug allows for low complexity attacks.  All Windows systems with IPv6 enabled are vulnerable, which is pretty much all systems.

https://www.bleepingcomputer.com/news/microsoft/zero-click-windows-tcp-ip-rce-impacts-all-systems-with-ipv6-enabled-patch-now/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063


Shift in Payloads with an Ongoing Social Engineering Campaign

Researchers are tracking an ongoing campaign with the initial lure staying consistent.  The payloads delivered include SystemBC malware, Golang HTTP beacons, Socks proxy beacons, and a Cobalt Strike module converted to a standalone executable.

https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/


Extortion Campaign Actors Abused Exposed AWS .env Files

Misconfigurations exposed the .env files to the Internet, allowing threat actors to exfiltrate data and extort victims.  Researchers share how this happened and what to do to minimize your impact from these types of events.

https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html

https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/


Ransomware Report July 2024

Researchers share observations in the ransomware landscape.  New groups emerge, Lockbit is attempting a comeback.  Identity continues to fuel attacks with legitimate credentials typically from info-stealing malware leading the charge.

https://www.guidepointsecurity.com/blog/grit-ransomware-report-july-2024/


GitHub Actions Artifacts Lead to New Attack Vector on GitHub Repositories

Researchers share how they could potentially push malicious code through CI/CD pipelines or access secrets.  High profile projects were leaking authentication tokens.  Dubbed “ArtiPACKED”, the research was mainly focused on open-source projects. 

https://www.bleepingcomputer.com/news/security/github-actions-artifacts-found-leaking-auth-tokens-in-popular-projects/

https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/


Ivanti Virtual Traffic Manager Critical Bug

Exploiting this flaw could allow authentication bypass and creation of rogue admin users.  Exploit code is publicly available, but no evidence of exploitation yet.  Tracked as CVE-2024-7593 with a CVSS score of 9.8 out of 10.

https://thehackernews.com/2024/08/critical-flaw-in-ivanti-virtual-traffic.html

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593


Windows Zero-Day SmartScreen Bypass Bug Exploited

This one was patched June 2024, but Redmond forgot to add it to the advisory in June and July.  Exploited since March, DarkGate threat actors utilized copy and paste operations.

https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38213

