Skip to content

Cyber Threat Weekly - #4

Derek Krein
6 min read

As the Threat Landscape continues to evolve…  We continue to track the latest threat trends and adversary behavioral patterns. 

Kicking off this week, researchers uncover links between the Sandman threat group and the Chinese government.  Next, Lazarus Group (North Korea) is exploiting vulnerable Internet facing servers using Log4Shell (CVE-2021-44228) and dropping new Remote Access Trojans (RATs).

Fake LinkedIn profiles abused to target professionals at Saudi companies.  Threat actors use email to target recruiters directly.  Non-human access credentials are a threat actors goldmine.  Threat actors abuse non-human credentials using OAuth apps.

Examining the Target breach, a decade later.  Cybercriminals are abusing shell companies in the US to mask attack traffic.  Critical WordPress RCE flaw in backup plug-in, exposes sites to take over.  Apache Struts 2 RCE vulnerability discovered. 

Sophos end of life (EoL) firewalls patched against actively exploited vulnerability.  Long game social engineering tactics, definition, and defenses.  Threat actors use Google forms to increase credibility. 

New underground market operating on the clear web.  Ransomware gangs use PR to apply extra pressure to victims.  Phishing is still a huge attack vector.  Using SOHO network devices to proxy malicious traffic, not cool.

Open, free-to-use vulnerability scoring system could be interesting for defenders.  Rhadamanthys Stealer looks to be actively developed.  MongoDB disclosed a security incident resulting in exposure of customer meta data and contact info.

Qbot is back, distributing malware in a phishing campaign.


Broken Record Alert:  Patch prioritization is Critical!!!

Roughly 5% of publicly available vulnerabilities are observed exploited in the wild.  Priority #1 should be to patch known exploited vulnerabilities.  You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities. 

Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available.  Exploit chances are much higher with PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and PoC code available vulnerabilities. 

Every week we share known exploited vulnerabilities being abused by threat actors.  Diligent patching can save you from a breach and prevent threat actors from exploiting your organization for their gains.


Possible Sandman APT Origins Discovered

This one is interesting, Microsoft, Sentinel One, and PWC collaborated to identify a newer APT as part of the Chinese APT threat landscape. 

https://www.darkreading.com/threat-intelligence/microsoft-mystery-group-targeting-telcos-chinese-apts

https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/


Lazurus Group Campaign Uncovered

North Korea is plenty capable.  This newest campaign uses Log4Shell exploits for initial access and drops three new RATs.  Defense evasion techniques include the RATs written in rarely observed Dlang language and the use of Telegram for a command-and-control channel.

https://therecord.media/north-korean-hackers-using-log

https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/

https://www.veracode.com/blog/research/state-log4j-vulnerabilities-how-much-did-log4shell-change


LinkedIn Continues to be Abused by Threat Actors

Cyber threat actors love to abuse LinkedIn and for good reason.  It’s the largest repository of work-related data on organizations and professionals.  Be on the lookout for phishing scams.

https://www.darkreading.com/cloud-security/convincing-linkedin-profiles-target-saudi-workers-information-leakage

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-growing-goldmine-your-linkedin-data-abused-for-cybercrime


TA4557 Targets Recruiters Directly with Benign Emails

The use of direct contact with benign emails is a newer technique.  The real attack comes if the target replies to the initial email.  The threat actor responds with a URL posing as the candidates resume or with a PDF or Word attachment. 

This technique can be abused in many ways with a multitude of lures, it’s one to watch.

https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email


Non-human Credential Attack Surface is Growing with Little Visibility

Non-human credentials include tokens, API keys, service accounts, and secrets.  Defenders often lack visibility into these various credentials and their usage.  The lack of governance is utopia for threat actors.

https://thehackernews.com/2023/12/non-human-access-is-path-of-least.html


Theat Actors use Highjacked Accounts to Create OAuth Applications

Keeping with the non-human credentials theme, here are some examples of how cyber criminals are abusing highjacked accounts to create OAuth apps for a multitude of malicious activity.

https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to-automate-bec-and-cryptomining-attacks/


The 2013 Target Breach, a Look Back

This one interesting, coincidentally the Target Breach is what started me down the path of research to figure out why we, as an industry, were so insecure.  Reflection is important, have we gotten any better?

https://www.darkreading.com/vulnerabilities-threats/datas-perilous-journey-lessons-not-learned-target-breach


US Shell Companies Used for Global Attacks

Cyber criminals are using nation state tactics such as creating shell companies, so they appear to be in the United States.  This is scary, and hopefully not a tend we will continue to see.  But with ransomware affiliates and gangs having the resources of nation states, it wouldn’t surprise me.

https://www.reuters.com/technology/cybersecurity/how-cybercriminals-are-using-wyoming-shell-companies-global-hacks-2023-12-12/


Critical WordPress Backup Plug-in Flaw Exposes Websites to Remote Code Execution

WordPress is a big target, this ‘backup migration’ plug-in has over 90,000 downloads.

https://www.darkreading.com/cloud-security/critical-wordpress-plugin-rce-bug-exposes-websites-takeover


Apache Struts 2 RCE Bug, Possible Exploit Activity

The good news, this is tougher to mass exploit.  The bad news, threat actors are trying, there are two proof of concepts exploit variants available currently.

https://www.darkreading.com/cloud-security/patch-exploit-activity-dangerous-apache-struts-bug


Older Sophos Firewalls Patched Against Exploited Vulnerability

Remember to consider technical debt.  You should have a solid life cycle management plan.  The cost of a breach is likely considerably higher than replacing end-of-life hardware that is no longer supported.

https://www.securityweek.com/sophos-patches-eol-firewalls-against-exploited-vulnerability/


How to Recognize Long Game Social Engineering

This is a great reminder of the depths threat actors will go to, to obtain their goals.  Remaining vigilant is key.

https://blog.knowbe4.com/fight-long-game-social-engineering


Cyber criminals Conduct BazarCall Attack Using Google Forms

The trend of using legitimate tools and websites for defense evasion and to be less obvious continues.  Threat actors will go to many links to get around our defenses appear legitimate.

https://abnormalsecurity.com/blog/bazarcall-attack-leverages-google-forms


OLVX Market Opens for Business on the Clear Web

This is a trend I didn’t have a bead on, I’ll be on the lookout now, underground marketplaces on the open web.

https://www.zerofox.com/blog/new-underground-market-comes-online-just-intime-for-the-holidays/


Using Public Relations, Ransomware Gangs are Stepping up Their Game

From opening communication channels with journalists to filing a complaint with the US Securities and Exchange Commission.  Ransomware gangs continue to evolve.

https://www.darkreading.com/threat-intelligence/ransomware-gangs-pr-charm-offensive-pressure-victims


Cyber Security Report Reveals Goods and Bads of Email Phishing

This is an interesting report, a large data set was utilized to extract the data.  This usually leads to more statistically accurate data.

https://blog.knowbe4.com/phishing-remains-common-attack-technique

https://www.hornetsecurity.com/downloads/Cyber_Security_Report_2024_US.pdf


Using SOHO Network Devices to Mask Attack Traffic Origination

Hiding in plain sight and concealing malicious traffic with residential IP addresses.  A simple, easier to compromise, and readily available source of attacks for China.

https://www.darkreading.com/cloud-security/volt-typhoon-soho-botnet-infects-us-govt-entities

https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/


Zoom Shares Vulnerability Impact Scoring System

An open free-to-use framework could be useful if it’s updated regularly and works as intended.  We’ll keep an eye on this one.

https://www.darkreading.com/cybersecurity-analytics/zoom-bug-scoring-system-prioritizes-riskiest-vulns


Rhadamanthys Stealer Malware Receives Updates

Two major versions of this malware have been released, including improvements to stealing functions, stealth, and the addition of a more modular framework. 

https://www.bleepingcomputer.com/news/security/rhadamanthys-stealer-malware-evolves-with-more-powerful-features/

https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/


MongoDB Investigating Security Breach

So far, customer information such as names, email addresses, and phone numbers and other customer metadata have been accessed. Investigation is still in progress.

https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

https://www.mongodb.com/alerts


The Return of Qbot, Hopefully Short Lived

Looks like a new campaign, there is an indication of continued development. 

https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8