Cyber Threat Weekly #40
The week of August 19th through August 25th was about average with 440 cyber news articles in my feed. A moderate amount of cyber threat trend and adversarial behavior news to share. Let’s start with stealthy, defense-evading Linux malware.
A threat actor’s business model that enables cybercrime and automated attacks. Stealthy AppDomain injection used to execute malware. Critical WordPress bug affecting over five million sites. Nation state actors exploit network appliances.
Another critical bug in SolarWinds Web Help Desk. Researchers discover multi-stage memory-based dropper. Critical GitHub Enterprise Server flaw. What’s old can be used again, along with a legit service.
Ransomware threat actors abuse Group Policy Objects (GPOs). Researchers share analysis of common tools used in cloud attack campaigns. Ninth exploited Google Chrome zero-day this year. Researchers share new details on ‘MoonPeak’ attacker infrastructure.
Persistence mechanisms used on Linux, a detection engineering primer.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for August 19th to August 25th:
CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability:
Allows attackers limited read access to certain files, which can lead to code execution.
CVE-2021-31196 – Microsoft Exchange Server Information Disclosure Vulnerability:
Allows remote code execution.
CVE-2022-0185 – Linux Kernel Heap-Based Buffer Overflow:
Allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.
CVE-2021-33045 – Dahua IP Camera Authentication Bypass Vulnerability:
Contains an authentication bypass vulnerability when the loopback device is specified by the client during authentication.
CVE-2021-33044 – Dahua IP Camera Authentication Bypass Vulnerability:
Contains an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.
CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability:
Allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.
Newly Discovered Stealthy Linux Malware Dubbed ‘sedexp’
This Linux-based malware uses a novel persistence mechanism to stay hidden: udev rules keep the malicious script running frequently. The malware includes a reverse shell for remote access.
https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
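One detection opportunity for udev-based persistence like the mechanism above is to review every rule that launches an external program. The following is an added example, not code from the Aon write-up; the trusted helper directories, the interpreter list and the sample rules are assumptions constructed for illustration.

```python
import re
import shlex
from pathlib import Path
# One key/attribute/operator/value token of a udev rule, e.g. RUN+="/bin/sh -c '...'"
TOKEN_RE = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')
# Assumed locations of distro-shipped udev helpers; tune to the distribution being hunted.
TRUSTED_DIRS = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl", "nc", "ncat", "socat"}

def parse_rule(line):
    """Return (key, attr, op, value) tuples for one rule line; comments and blanks give []."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return TOKEN_RE.findall(line)

def suspicious_commands(rule_text):
    """Return (line_no, reason, command) for RUN/PROGRAM/IMPORT{program} entries to review."""
    findings = []
    for n, line in enumerate(rule_text.splitlines(), 1):
        for key, attr, op, value in parse_rule(line):
            runs_program = key in ("RUN", "PROGRAM") or (key == "IMPORT" and attr == "program")
            if not runs_program or op not in ("+=", "=", ":="):
                continue
            if attr == "builtin":
                continue  # RUN{builtin} calls udev's internal helpers, not an external binary
            try:
                argv = shlex.split(value)
            except ValueError:
                argv = value.split()  # unbalanced quotes: fall back to a whitespace split
            if not argv:
                continue
            exe = argv[0]
            if Path(exe).name in INTERPRETERS:
                findings.append((n, "shell or interpreter launched from udev rule", value))
            elif not exe.startswith("/"):  # udev resolves bare names under /usr/lib/udev
                findings.append((n, "relative program path, resolved under /usr/lib/udev", value))
            elif not exe.startswith(TRUSTED_DIRS):
                findings.append((n, "program outside trusted helper directories", value))
    return findings

# Constructed sample: two benign distro-style rules, then three modelled on udev persistence
# (a command that re-runs every time a matching device event fires, e.g. at each boot).
SAMPLE_RULES = """\
ACTION=="add", SUBSYSTEM=="block", RUN{builtin}+="blkid"
KERNEL=="sd*", RUN+="/usr/lib/udev/hdparm"
ACTION=="add", SUBSYSTEM=="mem", RUN+="/bin/sh -c '/usr/lib/udev/.cache/update.sh &'"
ACTION=="add", KERNEL=="tty*", RUN+="dropped-helper.sh run"
ACTION=="add", SUBSYSTEM=="usb", RUN+="/tmp/.x/agent"
"""
```

Run it over the contents of /etc/udev/rules.d/*.rules and /usr/lib/udev/rules.d/*.rules; every finding is a review item, and package ownership of the referenced file decides whether it is benign.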
Cybercrime Enablement Business ‘Greasy Opal’
The flagship product is a bot-led CAPTCHA solver. Active for going on two decades, this threat actor attempts to appear legitimate by paying taxes. It even has a website on the clear web promoting the CAPTCHA solver and other tools.
https://www.arkoselabs.com/resource/dossier-greasy-opal-greasing-skids-cybercrime/
AppDomainManager Injection Technique Used in a Swell of Attacks
An uncommon technique used to weaponize Microsoft .NET applications: a stealthier form of DLL injection that utilizes a signed, legitimate executable. This technique has been known since 2017, and proof-of-concept applications have been released over the years.
Five Million+ WordPress Sites at Risk, Critical LiteSpeed Cache Bug
This bug, tracked as CVE-2024-28000, allows unauthenticated privilege escalation, letting attackers gain administrator access. Issues with the security hash generator allow the hash to be brute forced.
https://blog.litespeedtech.com/2024/08/21/security-update-for-litespeed-cache/
China Backed Threat Actors Exploit Cisco Network Appliance
What’s important here is that network appliances are being targeted more and more because of their black box nature. The custom malware used was memory resident and masqueraded as a known process. Yesterday’s nation state attack is tomorrow’s commodity attack.
https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/
SolarWinds Web Help Desk Critical Flaw
The second in two weeks, this one is tracked as CVE-2024-28987 and allows a remote unauthenticated attacker to modify data. The issue here is hard-coded credentials.
New Multi-Stage Malware Tracked as ‘PEAKLIGHT’ Discovered
This one is interesting: there are a few variants of each stage of the attack chain. The campaign is similar to a few we covered in earlier newsletters, using LNK files, mshta.exe, PowerShell, and CDN sites.
https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html
Single Sign-On Flaw in GitHub Enterprise Server Rated Critical
Three flaws were disclosed for GitHub Enterprise Server, one of which is critical. GitHub is a threat actor favorite; we’re tracking these to see if exploitation occurs, and if so, how quickly.
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes
Researchers Discover Stream Service Abused and Simple Encryption
This is interesting research, finding threat actors using Stream to host command and control domains. Abusing legit services is nothing new, but this is a bit of a twist. In addition, they use a substitution cipher to further obfuscate their domains.
https://www.hyas.com/blog/echoes-of-rome-leveraging-ancient-tactics-for-modern-malware
Researchers Observe Qilin Threat Actors Abusing GPOs
The interesting thing here is the use of GPOs to push a logon script for credential theft. The campaign includes the use of VPN credentials for initial access, followed by post-exploitation behavior. This technique has been used in multiple ways; monitoring GPO changes, especially unexpected ones, is key here.
https://thehackernews.com/2024/08/new-qilin-ransomware-attack-uses-vpn.html
Analysis of S3 Browser and WinSCP Often Used in Cloud Attacks
Researchers share how to detect the use of tools often abused in cloud attacks. Unfortunately, overly permissive credentials are the norm in cloud environments, and threat actors are adapting to take advantage.
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
Google Chrome Zero-Day Exploited, the Ninth this Year
An emergency update was released for this zero-day, tracked as CVE-2024-7971. An exploit does exist in the wild.
North Korean MoonPeak Malware Infrastructure
Researchers discovered interconnections across the infrastructure, including the use of testing and staging infrastructure. The evolution of the malware is shared as well.
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
A Linux Based Detection Engineering Primer on Persistence
Researchers dig into various persistence mechanisms and detection opportunities. The ability to threat hunt on Linux is important. This is a good starting point.
https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter