
Cyber Threat Weekly – #42

Derek Krein

The week of September 2nd through September 8th was a bit light with 406 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with researchers sharing Fin7 packer tool analysis.

Actively exploited SonicWall SSLVPN access control bug.  Typo squatting tricks work on GitHub actions.  GeoServer bug abused to deliver malware.  Chinese threat actors abuse Visual Studio Code’s reverse shell feature.

Researchers release the Detection Engineering Behavior Maturity Model (DEBMM).  Another WordPress LiteSpeed Cache flaw discovered.  Critical unauthenticated remote code execution (RCE) bug in Veeam backup and replication software.

Another Red Team tool appears to be abused by threat actors.  Palo Alto analyzes another threat actor spoofing their GlobalProtect VPN.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for September 2nd to September 8th:

CVE-2024-7262 – Kingsoft WPS Office Path Traversal Vulnerability:
Allows an attacker to load an arbitrary Windows library.

CVE-2021-20124 – Draytek VigorConnect Path Traversal Vulnerability:
An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

CVE-2021-20123 – Draytek VigorConnect Path Traversal Vulnerability:
An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.


Fin7’s PackXOR Packing Tool Revealed

This is interesting: this packing tool is suspected of being used as part of Fin7’s EDR killer package dubbed AvNeutralizer, aka AuKill, and it appears to be used by other threat actors as well.  Packers are used to hinder analysis and evade detection.

https://securityonline.info/unmasking-packxor-the-fin7-packer-exposed/

https://harfanglab.io/insidethelab/unpacking-packxor/


Recently Fixed SonicWall Bug Also Affects SSLVPN

Researchers observe CVE-2024-40766 actively exploited against SonicWall SSLVPN; it was originally believed to only affect SonicWall SonicOS management access.  Be careful what you expose to the Internet: management interfaces should not be exposed, and architecture should be used to protect management access.  Consider zero trust network access (ZTNA) instead of VPN.

https://www.bleepingcomputer.com/news/security/sonicwall-sslvpn-access-control-flaw-is-now-exploited-in-attacks/

https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015


Typo Squatting GitHub Actions

The same trick applied slightly differently to GitHub Actions.  Anyone can publish a GitHub Action.  The technique requires an attacker to create organizations and repositories whose names closely resemble popular or widely used GitHub Actions.  One misspelling in a workflow and the attacker’s action will be run instead.

https://thehackernews.com/2024/09/github-actions-vulnerable-to.html

https://orca.security/resources/blog/typosquatting-in-github-actions/
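As an added illustration (not code from the original post or from the linked research), a small Python lint that scans a workflow file’s `uses:` references, flags action names that are near-misses of an allowlist of trusted actions, and flags references not pinned to a full commit SHA.  The allowlist, the sample workflow and its 40-hex-character SHA are all constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Allowlist of actions the team trusts (constructed for this example).
TRUSTED_ACTIONS = {"actions/checkout", "actions/setup-node", "docker/build-push-action"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)

def parse_uses(workflow_text):
    """Return (action, version) pairs from every `uses:` line in a workflow."""
    refs = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container references are out of scope here
        action, _, version = ref.partition("@")
        refs.append((action, version))
    return refs

def similarity(a, b):
    # Case-insensitive similarity ratio in [0, 1]; 1.0 means identical.
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def check_workflow(workflow_text, trusted=TRUSTED_ACTIONS, threshold=0.85):
    """Flag near-miss action names (possible typosquat), names outside the
    allowlist, and references not pinned to a full 40-character commit SHA."""
    findings = []
    for action, version in parse_uses(workflow_text):
        if action not in trusted:
            closest = max(trusted, key=lambda t: similarity(action, t))
            if similarity(action, closest) >= threshold:
                findings.append(("possible-typosquat", action, closest))
            else:
                findings.append(("not-allowlisted", action, None))
        if not SHA_RE.match(version):
            findings.append(("unpinned", action, version))
    return findings

# Constructed sample workflow: a correctly SHA-pinned action (placeholder SHA),
# a typo'd owner ("action" vs "actions"), a tag-pinned action, an unknown action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: action/checkout@v4
      - uses: docker/build-push-action@v5
      - uses: someorg/unknown-action@v1
"""
```

Run `check_workflow(SAMPLE_WORKFLOW)` to get the list of findings; in CI, a non-empty list would fail the build.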


Actively Exploited GeoServer Bug

Multiple threat actors are abusing the bug to deliver various malware.  Researchers observed the flaw used to deliver GOREVERSE, a reverse proxy server for command-and-control (C2) used to perform post-exploitation activities.

https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html

https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401


Visual Studio Code’s Reverse Shell Feature Abused

Chinese nation-state threat actors were observed abusing Visual Studio Code’s embedded reverse shell feature.  Discovered by a researcher, this may be the first observed abuse of this feature in the wild.

https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

https://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d


Detection Engineering Behavior Maturity Model

The model is designed to be complemented by other models and to provide a structured approach for security teams to mature.  Consistent processes and behavior ensure high-quality and consistent detection capabilities.

https://www.elastic.co/security-labs/elastic-releases-debmm


WordPress LiteSpeed Cache Flaw Revealed

A new unauthenticated account takeover bug affects over 6 million WordPress websites.  With so many users, this plugin is actively targeted by threat actors.

https://www.bleepingcomputer.com/news/security/litespeed-cache-bug-exposes-6-million-wordpress-sites-to-takeover-attacks/


Veeam Backup and Replication Software Critical RCE Bug

In addition to the critical bug, several other high-rated bugs were fixed in this September security bulletin.  Veeam and most backup services are heavily targeted by ransomware actors to disrupt recovery after a ransomware attack.

https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-flaw-in-backup-and-replication-software/

https://www.veeam.com/kb4649


Researchers Discover Abuse of ‘MacroPack’, a Red Team Tool

Several documents uploaded to VirusTotal were analyzed that appear to have been created with MacroPack.  The samples delivered malware such as Havoc, Brute Ratel, and Phantom Core.  We may need to be on the lookout for more activity with MacroPack.

https://www.bleepingcomputer.com/news/security/red-team-tool-macropack-abused-in-attacks-to-deploy-brute-ratel/

https://blog.talosintelligence.com/threat-actors-using-macropack/


A Different Palo Alto GlobalProtect VPN Spoofing Campaign

Unit 42 discovered a WikiLoader variant spoofing GlobalProtect VPN and being delivered via SEO poisoning.  They share campaign behavior and analysis of the variant.

https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/

