Cyber Threat Weekly – #41
The week of August 26th through September 1st was average, with 462 cyber news articles reviewed. There’s a decent amount of cyber threat trend and adversarial behavior news to share. Let’s start with the new Cicada ransomware group, a possible BlackCat reboot.
Researchers share analysis of a Jenkins remote code execution (RCE) bug. Threat actors are abusing GitHub comments to push info-stealer malware. No surprise, criminals continue to abuse GenAI. Researchers share analysis of RansomHub ransomware.
Google Sheets abused by new Voldemort malware. Researchers share top-level domain (TLD) analysis. Malware disguised as legit Palo Alto GlobalProtect software. Researchers share more Linux detection engineering.
EDR killer turned into EDR wiper. Fortra FileCatalyst Workflow critical bug fixed. Tenth Google Chrome zero-day exploited so far in 2024.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the odds of exploitation rise once such code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
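To make the prioritization above concrete, here is an added example (not code from the newsletter) that triages a list of findings in the order the text describes: in the CISA KEV catalog first, weaponized PoC available second, everything else third, with Internet-exposed assets moved to the front of each tier. The real KEV feed is a JSON document with a "vulnerabilities" array whose entries carry "cveID", "vendorProject" and "product" fields; KEV_FEED below is a constructed subset using those field names and the three CVE ids listed in this issue. The weaponized_poc flag, the asset names, the placeholder CVE-2099-00001 and the SLA hours are assumptions standing in for the reader's own exploit-intel and asset-inventory sources.

```python
"""Patch-priority triage against the CISA KEV catalog.

Added example, not code from the newsletter. KEV_FEED is a constructed subset
of the real feed's structure; weaponized_poc, asset names and SLA hours are
assumptions.
"""
import json
from dataclasses import dataclass

# Constructed subset of the KEV feed. The CVE ids are the three listed in this
# issue; vendor/product strings are illustrative.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-7971", "vendorProject": "Google", "product": "Chromium V8"},
        {"cveID": "CVE-2024-38856", "vendorProject": "Apache", "product": "OFBiz"},
        {"cveID": "CVE-2024-7965", "vendorProject": "Google", "product": "Chromium V8"},
    ]
}

# Tier -> patch SLA in hours. Tiers 1 and 2 are one reading of the newsletter's
# "emergency 24-to-48-hour" window; tier 3 is an assumed routine cycle.
SLA_HOURS = {1: 24, 2: 48, 3: 30 * 24}


@dataclass
class Finding:
    cve_id: str
    asset: str
    internet_exposed: bool
    weaponized_poc: bool = False  # assumed: fed from your own exploit-intel source


def load_kev_ids(feed):
    """Return the set of CVE ids in a KEV-format feed (dict already parsed from JSON)."""
    return {v["cveID"] for v in feed.get("vulnerabilities", [])}


def load_kev_file(path):
    """Parse a downloaded copy of the KEV JSON feed from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return load_kev_ids(json.load(fh))


def tier_for(finding, kev_ids):
    """Tier 1: actively exploited (in KEV). Tier 2: weaponized PoC public. Tier 3: everything else."""
    if finding.cve_id in kev_ids:
        return 1
    if finding.weaponized_poc:
        return 2
    return 3


def triage(findings, kev_ids):
    """Return findings as dicts ordered by tier, Internet-exposed assets first within a tier."""
    rows = []
    for f in findings:
        tier = tier_for(f, kev_ids)
        rows.append({
            "cve": f.cve_id,
            "asset": f.asset,
            "tier": tier,
            "sla_hours": SLA_HOURS[tier],
            "exposed": f.internet_exposed,
        })
    # Sort key: tier ascending, exposed before not exposed, then CVE id for stability.
    rows.sort(key=lambda r: (r["tier"], not r["exposed"], r["cve"]))
    return rows


# Constructed findings: asset names are placeholders; CVE-2099-00001 is a
# made-up id standing in for a bug with neither KEV status nor a public PoC.
# CVE-2024-43044 is marked weaponized_poc because this issue notes PoC code was shared.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-7971", "laptop-17", internet_exposed=False),
    Finding("CVE-2024-38856", "ofbiz-prod", internet_exposed=True),
    Finding("CVE-2024-43044", "jenkins-ci", internet_exposed=True, weaponized_poc=True),
    Finding("CVE-2099-00001", "fileserver-2", internet_exposed=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED)):
        flag = "  [internet-exposed]" if row["exposed"] else ""
        print(f"tier {row['tier']}  {row['sla_hours']:>4}h  {row['cve']:<16} {row['asset']}{flag}")
```

Swap `load_kev_ids(KEV_FEED)` for `load_kev_file("known_exploited_vulnerabilities.json")` to run it against a downloaded copy of the real catalog; the rest of the logic does not change.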
CISA Known Exploited Vulnerabilities for August 26th to September 1st:
CVE-2024-7971 - Google Chromium V8 Type Confusion Vulnerability:
Allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability:
Allows remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.
CVE-2024-7965 – Google Chromium V8 Inappropriate Implementation Vulnerability:
Allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
New Cicada3301 Ransomware Group
This new group is impersonating the legitimate Cicada 3301 organization and has quickly racked up victims. It began operations in early June 2024 and utilizes double extortion tactics. There are overlaps between BlackCat and Cicada3301.
https://www.truesec.com/hub/blog/dissecting-the-cicada
Jenkins RCE Bug Analysis and Exploit Code
Researchers analyze critical CVE-2024-43044 and share proof-of-concept (PoC) code. This flaw is classified as an arbitrary file read bug but can lead to remote code execution.
https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/
Information Stealing Malware Pushed through GitHub Comments
Threat actors are posing as helpful commenters, sharing a “fix” via a download link that leads to Lumma Stealer malware.
Researchers Share Observations of GenAI Abuse
Criminals continue to abuse Gen AI to make their content more professional. This is no surprise, but it is worth watching the trend. As GenAI gets better, so will the content abused by threat actors.
https://www.netcraft.com/blog/llms-fueling-gen-ai-criminal-revolution/
RansomHub Ransomware Analysis and Mitigations
This group, while newer, is killing it. They work on the Ransomware-as-a-Service (RaaS) model and utilize double extortion tactics. We need to remember that most RaaS services operate with affiliates; the affiliates are the real threat actors we need to track.
Command and Control and Stolen Data Storage via Google Sheets
New backdoor malware dubbed Voldemort is being spread through a malware campaign. Researchers share details of the campaign, which impersonates agencies and abuses Google Sheets.
TLD Analysis, over 1,000 Generic Top-Level Domains
Researchers analyzed 19 TLDs, including domains such as ‘.zip’ (that’s a great idea for a domain, NOT!!!). With so many generic domains, the chances for typosquatting and abuse skyrocket. Several campaigns were observed.
https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domains/
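The typosquatting risk above is easier to reason about with a detector in hand. The following is an added example, not code from the newsletter or from the Unit 42 report, and it goes a little beyond the text: besides flagging queries to a watched TLD, it scores the second-level label against a protected brand by edit distance. ‘.zip’ is the TLD named in this issue; ‘.mov’ is added here as a second TLD that doubles as a file extension. The brand, the allowlist, the DNS log-line format and every domain in LOG_LINES are constructed, and the edit-distance threshold of 2 is an assumption.

```python
"""Flag lookalike and watched-TLD domains in DNS query logs.

Added example, not from the newsletter. ".zip" comes from this issue; ".mov",
the brand, the allowlist, the log format and all domains are constructed.
"""
import re

WATCHED_TLDS = {"zip", "mov"}               # ".zip" from the newsletter; ".mov" added here
PROTECTED_BRANDS = ["examplebank"]          # constructed brand to protect
ALLOWLIST = {"examplebank.com"}             # constructed: the brand's legitimate domain
MAX_EDIT_DISTANCE = 2                       # assumed threshold for a lookalike label

QUERY_RE = re.compile(r"query=(\S+)")       # matches the constructed log format below


def levenshtein(a, b):
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, tld). Assumes a one-label public suffix,
    which is sufficient for the new gTLDs this example targets."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def reasons_for(domain):
    """Return the sorted list of reasons a domain looks suspicious (empty if none)."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return []
    label, tld = split_domain(domain)
    reasons = []
    if tld in WATCHED_TLDS:
        reasons.append(f"watched_tld:{tld}")
    for brand in PROTECTED_BRANDS:
        if brand in label:
            # Brand embedded in a non-allowlisted name (e.g. brand-login.zip, brand.zip)
            reasons.append(f"brand_in_label:{brand}")
        else:
            d = levenshtein(label, brand)
            if d <= MAX_EDIT_DISTANCE:
                reasons.append(f"lookalike:{brand}(d={d})")
    return sorted(reasons)


def scan(lines):
    """Map each flagged domain seen in the log lines to its list of reasons."""
    flagged = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain = m.group(1).lower().rstrip(".")
        reasons = reasons_for(domain)
        if reasons:
            flagged[domain] = reasons
    return flagged


# Constructed DNS query log lines (format and clients are invented for this example).
LOG_LINES = [
    "2024-08-28T10:01:22Z client=10.0.0.5 query=examplebank.com type=A",
    "2024-08-28T10:01:40Z client=10.0.0.5 query=exarnplebank.com type=A",
    "2024-08-28T10:02:03Z client=10.0.0.9 query=examplebank-login.zip type=A",
    "2024-08-28T10:02:15Z client=10.0.0.9 query=invoice-2024.zip type=A",
    "2024-08-28T10:02:30Z client=10.0.0.12 query=example.org type=AAAA",
]

if __name__ == "__main__":
    for dom, why in scan(LOG_LINES).items():
        print(f"{dom:<28} {', '.join(why)}")
```

The "rn" for "m" substitution in exarnplebank.com is caught by the edit-distance check, while examplebank-login.zip is caught twice, once for embedding the brand and once for the watched TLD. A production version would replace split_domain with a public suffix list lookup so that names under multi-label suffixes are handled correctly.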
Researchers Observe Malware Disguised as Palo Alto GlobalProtect
And the trend continues: we share several articles a week on the abuse of well-known legit software, websites, brands, etc. This one is malware pretending to be a Palo Alto product. Targeting is currently the Middle East, but that can change; it’s the behavior we need to look for.
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
Linux Persistence Mechanisms and Detection Engineering
Part three of a Linux detection engineering series shared by researchers. This is a deeper dive into Linux persistence mechanisms, log analysis, and detection opportunities.
https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
Cybercriminals Turn EDR Killer Tool into EDR Wiper
The PoorTry Windows driver, which started life as an EDR deactivator, has become an EDR wiper. The aggressive nature of this change does not bode well for defenders. Threat actors are willing to get extremely aggressive to get to their desired outcome.
https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/
Critical Bug in Fortra FileCatalyst Workflow Fixed
The bug is tracked as CVE-2024-6633 and rated 9.8 (critical) on CVSS v3.1. The issue is a hardcoded password that anyone can use to access the HyperSQL database.
Tenth Actively Exploited Google Chrome Zero-Day This Year
Another exploited Google Chrome bug. This seems to be the norm anymore; Chrome is a huge target, and that is what happens when you own the majority of market share.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter