Cyber Threat Weekly - #4
As the threat landscape continues to evolve, we continue to track the latest threat trends and adversary behavioral patterns.
Kicking off this week, researchers uncover links between the Sandman threat group and the Chinese government. Next, Lazarus Group (North Korea) is exploiting vulnerable Internet-facing servers using Log4Shell (CVE-2021-44228) and dropping new Remote Access Trojans (RATs).
Fake LinkedIn profiles abused to target professionals at Saudi companies. Threat actors use email to target recruiters directly. Non-human access credentials are a threat actor’s goldmine. Threat actors abuse non-human credentials using OAuth apps.
Examining the Target breach, a decade later. Cybercriminals are abusing shell companies in the US to mask attack traffic. Critical WordPress RCE flaw in a backup plug-in exposes sites to takeover. Apache Struts 2 RCE vulnerability discovered.
Sophos end-of-life (EoL) firewalls patched against an actively exploited vulnerability. Long game social engineering tactics, definition, and defenses. Threat actors use Google Forms to increase credibility.
New underground market operating on the clear web. Ransomware gangs use PR to apply extra pressure to victims. Phishing is still a huge attack vector. Using SOHO network devices to proxy malicious traffic, not cool.
Open, free-to-use vulnerability scoring system could be interesting for defenders. Rhadamanthys Stealer looks to be actively developed. MongoDB disclosed a security incident resulting in exposure of customer metadata and contact info.
Qbot is back, distributing malware in a phishing campaign.
Broken Record Alert: Patch prioritization is Critical!!!
Roughly 5% of publicly available vulnerabilities are observed exploited in the wild. Priority #1 should be to patch known exploited vulnerabilities. You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities.
Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available. Exploitation chances are much higher once PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have PoC code available.
Every week we share known exploited vulnerabilities being abused by threat actors. Diligent patching can save you from a breach and prevent threat actors from exploiting your organization for their gains.
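The prioritization rule described above, worked through as an added example (not code from the newsletter): findings are ranked against a constructed sample in the shape of CISA's KEV JSON feed, tier 1 (in KEV) gets a 24-hour window, tier 2 (public PoC) gets 48 hours, and everything else falls into a standard cycle whose 30-day length is an assumption. The CVE-0000-* ids and asset names are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (assumption: field
# names follow the public catalog; only the fields used here are included).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
]})

# Constructed scanner findings; CVE-0000-* ids are placeholders, not real CVEs.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "app-02", "cvss": 9.8, "poc_public": True},
    {"cve": "CVE-0000-0002", "asset": "db-03", "cvss": 7.5, "poc_public": False},
    {"cve": "CVE-2021-44228", "asset": "web-01", "cvss": 10.0, "poc_public": True},
    {"cve": "CVE-0000-0003", "asset": "db-03", "cvss": 4.3, "poc_public": False},
]

def load_kev(feed_json):
    """Index a KEV feed document by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, now, standard_days=30):
    """Assign each finding a tier and patch deadline, most urgent first.

    Tier 1: in KEV (known exploited)        -> 24-hour emergency window
    Tier 2: public PoC exploit available    -> 48-hour emergency window
    Tier 3: everything else                 -> standard cycle (30 days is an
            assumed value, not one stated in the newsletter)
    """
    ranked = []
    for f in findings:
        if f["cve"] in kev:
            tier, sla = 1, timedelta(hours=24)
        elif f["poc_public"]:
            tier, sla = 2, timedelta(hours=48)
        else:
            tier, sla = 3, timedelta(days=standard_days)
        ranked.append({**f, "tier": tier, "deadline": (now + sla).isoformat(),
                       "ransomware_use": kev.get(f["cve"], {})
                       .get("knownRansomwareCampaignUse", "n/a")})
    # Tier first, then CVSS descending within a tier.
    return sorted(ranked, key=lambda r: (r["tier"], -r["cvss"]))

def run_example():
    """Rank the constructed findings against the constructed feed."""
    return prioritize(FINDINGS, load_kev(KEV_FEED), datetime(2023, 12, 18))

if __name__ == "__main__":
    for r in run_example():
        print(f"tier {r['tier']}  {r['cve']:15} {r['asset']:7} due {r['deadline']}")
```

Swapping KEV_FEED for the live catalog download and FINDINGS for a real scanner export turns this into a daily ticket-generation step.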
Possible Sandman APT Origins Discovered
This one is interesting: Microsoft, SentinelOne, and PwC collaborated to identify a newer APT as part of the Chinese APT threat landscape.
https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/
Lazarus Group Campaign Uncovered
North Korea is plenty capable. This newest campaign uses Log4Shell exploits for initial access and drops three new RATs. Defense evasion techniques include writing the RATs in the rarely observed D language (Dlang) and using Telegram as the command-and-control channel.
https://therecord.media/north-korean-hackers-using-log
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
https://www.veracode.com/blog/research/state-log4j-vulnerabilities-how-much-did-log4shell-change
LinkedIn Continues to be Abused by Threat Actors
Cyber threat actors love to abuse LinkedIn and for good reason. It’s the largest repository of work-related data on organizations and professionals. Be on the lookout for phishing scams.
TA4557 Targets Recruiters Directly with Benign Emails
The use of direct contact with benign emails is a newer technique. The real attack comes if the target replies to the initial email: the threat actor responds with a URL posing as the candidate’s resume, or with a PDF or Word attachment.
This technique can be abused in many ways with a multitude of lures; it’s one to watch.
Non-human Credential Attack Surface is Growing with Little Visibility
Non-human credentials include tokens, API keys, service accounts, and secrets. Defenders often lack visibility into these various credentials and their usage. The lack of governance is utopia for threat actors.
https://thehackernews.com/2023/12/non-human-access-is-path-of-least.html
Threat Actors Use Hijacked Accounts to Create OAuth Applications
Keeping with the non-human credentials theme, here are some examples of how cybercriminals are abusing hijacked accounts to create OAuth apps for a multitude of malicious activity.
The 2013 Target Breach, a Look Back
This one is interesting; coincidentally, the Target Breach is what started me down the path of research to figure out why we, as an industry, were so insecure. Reflection is important: have we gotten any better?
US Shell Companies Used for Global Attacks
Cybercriminals are using nation-state tactics such as creating shell companies so they appear to be in the United States. This is scary, and hopefully not a trend we will continue to see. But with ransomware affiliates and gangs having the resources of nation states, it wouldn’t surprise me.
Critical WordPress Backup Plug-in Flaw Exposes Websites to Remote Code Execution
WordPress is a big target; this ‘backup migration’ plug-in has over 90,000 downloads.
Apache Struts 2 RCE Bug, Possible Exploit Activity
The good news: this is tougher to mass exploit. The bad news: threat actors are trying, and there are currently two proof-of-concept exploit variants available.
https://www.darkreading.com/cloud-security/patch-exploit-activity-dangerous-apache-struts-bug
Older Sophos Firewalls Patched Against Exploited Vulnerability
Remember to consider technical debt. You should have a solid life cycle management plan. The cost of a breach is likely considerably higher than replacing end-of-life hardware that is no longer supported.
https://www.securityweek.com/sophos-patches-eol-firewalls-against-exploited-vulnerability/
How to Recognize Long Game Social Engineering
This is a great reminder of the lengths threat actors will go to in order to achieve their goals. Remaining vigilant is key.
https://blog.knowbe4.com/fight-long-game-social-engineering
Cybercriminals Conduct BazarCall Attack Using Google Forms
The trend of using legitimate tools and websites for defense evasion and to be less obvious continues. Threat actors will go to great lengths to get around our defenses and appear legitimate.
https://abnormalsecurity.com/blog/bazarcall-attack-leverages-google-forms
OLVX Market Opens for Business on the Clear Web
This is a trend I didn’t have a bead on; I’ll be on the lookout now for underground marketplaces on the open web.
https://www.zerofox.com/blog/new-underground-market-comes-online-just-intime-for-the-holidays/
Using Public Relations, Ransomware Gangs are Stepping up Their Game
From opening communication channels with journalists to filing a complaint with the US Securities and Exchange Commission, ransomware gangs continue to evolve.
https://www.darkreading.com/threat-intelligence/ransomware-gangs-pr-charm-offensive-pressure-victims
Cyber Security Report Reveals Goods and Bads of Email Phishing
This is an interesting report; a large data set was used to derive the findings, which usually leads to more statistically reliable results.
https://blog.knowbe4.com/phishing-remains-common-attack-technique
https://www.hornetsecurity.com/downloads/Cyber_Security_Report_2024_US.pdf
Using SOHO Network Devices to Mask Attack Traffic Origination
Hiding in plain sight and concealing malicious traffic behind residential IP addresses: a simple, easier-to-compromise, and readily available source of attack infrastructure for China.
https://www.darkreading.com/cloud-security/volt-typhoon-soho-botnet-infects-us-govt-entities
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
Zoom Shares Vulnerability Impact Scoring System
An open free-to-use framework could be useful if it’s updated regularly and works as intended. We’ll keep an eye on this one.
Rhadamanthys Stealer Malware Receives Updates
Two major versions of this malware have been released, including improvements to stealing functions, stealth, and the addition of a more modular framework.
https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
MongoDB Investigating Security Breach
So far, customer information such as names, email addresses, phone numbers, and other customer metadata has been accessed. The investigation is still in progress.
https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html
https://www.mongodb.com/alerts
The Return of Qbot, Hopefully Short Lived
Looks like a new campaign; there is an indication of continued development.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter