Cyber Threat Weekly – #42
The week of September 2nd through September 8th was a bit light, with 406 cyber news articles reviewed and a relatively light amount of cyber threat trend and adversarial behavior news to share. Let’s start with researchers sharing their Fin7 packer tool analysis.
Actively exploited SonicWall SSLVPN access control bug. Typo squatting tricks work on GitHub actions. GeoServer bug abused to deliver malware. Chinese threat actors abuse Visual Studio Code’s reverse shell feature.
Researchers release the Detection Engineering Behavior Maturity Model (DEBMM). Another WordPress LiteSpeed Cache flaw discovered. Critical unauthenticated remote code execution (RCE) bug in Veeam backup and replication software.
Another Red Team tool appears to be abused by threat actors. Palo Alto analyzes another threat actor spoofing their GlobalProtect VPN.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code exists. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for September 2nd to September 8th:
CVE-2024-7262 – Kingsoft WPS Office Path Traversal Vulnerability:
Allows an attacker to load an arbitrary Windows library.
CVE-2021-20124 – Draytek VigorConnect Path Traversal Vulnerability:
An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
CVE-2021-20123 – Draytek VigorConnect Path Traversal Vulnerability:
An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Fin7’s PackXOR Packing Tool Revealed
This is interesting: this packing tool is suspected of being used as part of Fin7’s EDR Killer package dubbed AvNeutralizer, aka AuKill, and it appears to be used by other threat actors as well. Packers are used to hinder analysis and evade detection.
https://securityonline.info/unmasking-packxor-the-fin7-packer-exposed/
https://harfanglab.io/insidethelab/unpacking-packxor/
Recently Fixed SonicWall Bug Also Affects SSLVPN
Researchers observe CVE-2024-40766 actively exploited against SonicWall SSLVPN; it was originally believed to only affect SonicWall SonicOS management access. Be careful what you expose to the internet: management interfaces should not be exposed, so use architecture to protect management access. Consider zero trust network access (ZTNA) instead of VPN.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
Typo Squatting GitHub Actions
The same trick applied slightly differently to GitHub actions. Anyone can publish a GitHub action. The technique requires an attacker to create organizations and repositories whose names closely resemble popular or widely used GitHub actions. One misspelling in a workflow and the attacker’s action will be run instead.
https://thehackernews.com/2024/09/github-actions-vulnerable-to.html
https://orca.security/resources/blog/typosquatting-in-github-actions/
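One way to catch this in your own repositories, as an added Python example that is not from the linked articles: it pulls the `uses:` references out of a workflow file, flags actions not on a team-maintained allowlist, warns when an unknown name is within edit-similarity range of an approved action (the typosquat case), and reports approved actions pinned to a mutable tag rather than a commit SHA. The workflow, the allowlist and the SHA value are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of actions the security team has approved (assumption).
APPROVED_ACTIONS = {
    "actions/checkout",
    "actions/setup-node",
    "actions/upload-artifact",
    "docker/build-push-action",
}

# Matches "uses: owner/repo[/subpath]@ref"; local (./) and docker:// uses are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def audit_workflow(yaml_text, approved=APPROVED_ACTIONS, threshold=0.8):
    """Return (action, finding, detail) tuples for every third-party action referenced."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        action, ref = match.group(1), match.group(2)
        if action in approved:
            # Approved, but a tag or branch can be moved; a full commit SHA cannot.
            if not SHA_RE.match(ref):
                findings.append((action, "unpinned", ref))
            continue
        closest = max(approved, key=lambda a: similarity(action, a))
        if similarity(action, closest) >= threshold:
            findings.append((action, "lookalike", closest))   # probable typosquat
        else:
            findings.append((action, "unapproved", ref))
    return findings


# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: actions/upload-artifacts@v4
      - uses: dockr/build-push-action@v5
      - uses: someone/unrelated-action@v1
"""
```

Run `audit_workflow(WORKFLOW)` over each `.github/workflows/*.yml` file in CI and fail the build on any `lookalike` or `unapproved` finding.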
Actively Exploited GeoServer Bug
Multiple threat actors are abusing the bug to deliver various malware. Researchers observed the flaw used to deliver GOREVERSE, a reverse proxy server for command-and-control (C2), to perform post-exploitation activities.
https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html
Visual Studio Code’s Reverse Shell Feature Abused
Chinese nation-state threat actors were observed abusing Visual Studio Code’s embedded reverse shell feature. Discovered by a researcher, this may be the first observed abuse of this feature in the wild.
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
Detection Engineering Behavior Maturity Model
Designed to be complemented by other models, it provides a structured approach for security teams to mature. Consistent processes and behavior ensure high-quality, consistent detection capabilities.
https://www.elastic.co/security-labs/elastic-releases-debmm
WordPress LiteSpeed Cache Flaw Revealed
A new unauthenticated account takeover bug affecting over 6 million WordPress websites. With so many users, this plugin is actively targeted by threat actors.
Veeam Backup and Replication Software Critical RCE Bug
In addition to the critical bug, several other high-rated bugs were fixed in this September security bulletin. Veeam and most backup services are heavily targeted by ransomware actors to disrupt recovery after a ransomware attack.
Researchers Discover Abuse of ‘MacroPack’, a Red Team Tool
Several documents uploaded to VirusTotal were analyzed that appear to have been created with MacroPack. The samples delivered malware such as Havoc, Brute Ratel, and Phantom Core. We may need to be on the lookout for more activity involving MacroPack.
https://blog.talosintelligence.com/threat-actors-using-macropack/
A Different Palo Alto GlobalProtect VPN Spoofing Campaign
Unit 42 discovered a WikiLoader variant spoofing GlobalProtect VPN and being delivered via SEO poisoning. They share campaign behavior and analysis of the variant.
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter