Skip to content

Cyber Threat Weekly #40

Derek Krein
5 min read

The week of August 19th through August 25th was about average with 440 cyber news articles in my feed.  A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with defense evading stealthy Linux malware.

A threat actors’ business model that enables cybercrime and automated attacks.  Stealthy AppDomain injection used to execute malware.  Critical WordPress bug affecting over five million sites.  Nation state actors exploit network appliances. 

Another critical bug in SolarWinds Web Help Desk.  Researchers discover multi-stage memory-based dropper.  Critical GitHub Enterprise Server flaw.  What’s old can be used again, along with a legit service. 

Ransomware threat actors abuse Group Policy Objects (GPOs).  Researchers share analysis of common tools used in cloud attack campaigns.  Ninth exploited Google Chrome zero-day this year.  Researchers share new details on ‘MoonPeak’ attacker infrastructure.

Persistence mechanisms used on Linux, a detection engineering primer. 


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for August 19th to August 25th:

CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability:
Allows attackers limited read access to certain files, which can lead to code execution.

CVE-2021-31196 – Microsoft Exchange Server Information Disclosure Vulnerability:
Allows remote code execution.

CVE-2022-0185 – Linux Kernel Heap-Based Buffer Overflow:
Allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

CVE-2021-33045 – Dahua IP Camera Authentication Bypass Vulnerability:
Contains an authentication bypass vulnerability when the loopback device is specified by the client during authentication.

CVE-2021-33044 – Dahua IP Camera Authentication Bypass Vulnerability:
Contains an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.

CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability:
Allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.


Newly Discovered Stealthy Linux Malware Dubbed ‘sedexp’

This Linux based malware uses a novel persistence mechanism to stay hidden.  The use of udev rules to keeps the malicious script running frequently.  The malware includes a reverse shell for remote access.

https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware-evaded-detection-for-two-years/

https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp


Cybercrime Enablement Business ‘Greasy Opal’

The flagship product, a bot-led CAPTCHA solver.  Active going on two decades, this threat actor attempts to appear legitimate by paying taxes.  Even has a website on the clear web promoting the CAPTCHA solver and other tools.

https://www.bleepingcomputer.com/news/security/greasy-opals-captcha-solver-still-serving-cybercrime-after-16-years/

https://www.arkoselabs.com/resource/dossier-greasy-opal-greasing-skids-cybercrime/


AppDomainManager Injection Technique Used in a Swell of Attacks

An uncommon technique used to weaponize Microsoft .NET applications.  A stealthier form of DLL injection utilizing a signed legit executable.  This technique has been known since 2017, proof of concept applications have been released over the years. 

https://www.bleepingcomputer.com/news/security/hackers-now-use-appdomain-injection-to-drop-cobaltstrike-beacons/


Five Million+ WordPress Sites at Risk, Critical LiteSpeed Cache Bug

This bug allows unauthenticated privilege escalation, tracked as CVE-2024-28000, allowing attackers to gain administrator access.  Issues with the security hash generator allows brute force of the hash.

https://www.csoonline.com/article/3493387/wordpress-users-not-on-windows-urged-to-update-due-to-critical-litespeed-cache-flaw.html

https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites/

https://blog.litespeedtech.com/2024/08/21/security-update-for-litespeed-cache/


China Backed Threat Actors Exploit Cisco Network Appliance

What’s important here is that network appliances are being targeted more and more because of their black box nature.  Custom malware was used, memory resident, and masquerading as a known process.  Yesterday’s nation state attack is tomorrow’s commodity attack.

https://www.csoonline.com/article/3493381/chinese-apt-group-velvet-ant-deployed-custom-backdoor-on-cisco-nexus-switches.html

https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/


SolarWinds Web Help Desk Critical Flaw

Second, in two weeks, this one tracked as CVE-2024-28987, allows a remote unauthenticated attacker to modify data.  The issue here is hard coded credentials.

https://www.darkreading.com/remote-workforce/patch-now-second-solarwinds-critical-bug-in-web-help-desk


New Multi-Stage Malware Tracked as ‘PEAKLIGHT’ Discovered

This one is interesting, there are a few variants to each stage of the attack chain.  The campaign is similar to a few we covered in earlier newsletters.  Using LNK files, mshta.exe, powershell, and CDN sites. 

https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html

https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/


Single Sign-On Flaw in GitHub Enterprise Server Rated Critical

Three flaws released for GitHub enterprise server, one of which is critical.  GitHub is a threat actor favorite, we’re tracking these to see if exploitation occurs, and if so, how quickly.

https://www.csoonline.com/article/3493136/github-fixes-critical-enterprise-server-bug-granting-admin-privileges.html

https://docs.github.com/en/enterprise-server@3.13/admin/release-notes


Researchers Discover Stream Service Abused and Simple Encryption

This is interesting research, finding threat actors using Stream to host command and control domains.  Abusing legit services is nothing new, but his is a bit of a twist.  In addition, using a substitution cypher to further obfuscate their domains.

https://www.hyas.com/blog/echoes-of-rome-leveraging-ancient-tactics-for-modern-malware


Researchers Observe Qilin Threat Actors Abusing GPOs

The interesting thing here is using GPOs to push a logon script for credential theft.  The campaign here includes the use of VPN credentials for initial access, then post exploitation behavior.  This technique has been used in multiple ways, monitoring GPO changes, especially when unexpected is key here. 

https://thehackernews.com/2024/08/new-qilin-ransomware-attack-uses-vpn.html

https://news.sophos.com/en-us/2024/08/22/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome/


Analysis of S3 Browser and WinSCP Often Used in Cloud Attacks

Researchers share how to detect the use of tools often abused in cloud attacks.  Unfortunately, overly permissive credentials are the norm in cloud environments, threat actors are adapting to take advantage.

https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/


Google Chrome Zero-Day Exploited, the Ninth this Year

An emergency update was released for this zero-day, tracked as CVE-2024-7971.  An exploit does exist in the wild. 

https://www.bleepingcomputer.com/news/security/google-fixes-ninth-actively-exploited-chrome-zero-day-in-2024/


North Korean MoonPeak Malware Infrastructure

Researchers discovered interconnections between and the use of testing and staging infrastructure.  The evolution of the malware is shared as well.

https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/


A Linux Based Detection Engineering Primer on Persistence

Researchers dig into various persistence maechanisms and detection opportunities.  The ability to threat hunt Linux is important.  This is a good starting point.

https://www.elastic.co/security-labs/primer-on-persistence-mechanisms


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8