
Cyber Threat Weekly – #43

Derek Krein
6 min read

The week of September 9th through September 15th was a bit heavier, with 489 cyber news articles reviewed.  There is a larger amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a recently patched Ivanti bug that is being actively exploited.

Medusa ransomware operations include a daring online presence.  Oracle WebLogic servers targeted for new malware deployment.  Krebs uncovers the dark side of harm groups and a collective called ‘The Com’.

Active exploitation of a WhatsUp Gold bug 5 hours after PoC exploit code was released.  Researchers share analysis of Scattered Spider and their cloud activities.  AppleCare+ support malvertising with Google ads and fake pages hosted on GitHub.

Critical GitLab bug allows an attacker to trigger pipelines.  The GRIT Ransomware Report August 2024.  Adobe Acrobat Reader zero-day fixed.  Researchers find that the 7777 botnet is quickly evolving its tactics.

RansomHub affiliates observed using new post-exploitation tools.  Zero-day exploited since 2018 fixed by Microsoft.  NoName ransomware threat actors deploying RansomHub tools.  Researchers analyze a newer ransomware group.

H1 2024 Malware and Vulnerability Trends Report.  Researchers share a threat assessment of North Korean threat groups. 


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize by starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available.  Exploitation chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
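As an added example (not code from the newsletter), a small Python triage script that applies the prioritization rule above: anything in the KEV catalog gets the emergency 24-to-48-hour window, flaws with weaponized PoC code come next, and everything else follows the normal patch cycle.  The KEV feed excerpt, the scan findings, the "public_poc" flag and the exact patch windows for Internet-facing versus internal hosts are constructed assumptions for the demo.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed ("vulnerabilities" list with
# cveID/dateAdded/dueDate/knownRansomwareCampaignUse); the CVE IDs are from this week's
# KEV list, the due dates and ransomware flags are constructed for the demo.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "dateAdded": "2024-09-09",
   "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti", "dateAdded": "2024-09-13",
   "dueDate": "2024-10-04", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed scan findings; "public_poc" is a flag your own CTI feed would supply.
INVENTORY = [
    {"cve": "CVE-2024-40766", "host": "fw-edge-01", "internet_facing": True, "public_poc": True},
    {"cve": "CVE-2024-8190", "host": "csa-01", "internet_facing": True, "public_poc": True},
    {"cve": "CVE-2024-6678", "host": "gitlab-01", "internet_facing": False, "public_poc": False},
    {"cve": "CVE-2024-41869", "host": "ws-042", "internet_facing": False, "public_poc": True},
]
DEMO_DATE = datetime(2024, 9, 16)  # constructed "today" so results are reproducible

def load_kev(raw):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Tier findings: KEV first (24h edge / 48h internal), weaponized PoC second."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:  # #1 priority: known exploited in the wild
            tier, hours = "P1-emergency", 24 if f["internet_facing"] else 48
        elif f["public_poc"]:  # #2 priority: weaponized PoC available
            tier, hours = "P2-weaponized-poc", 48 if f["internet_facing"] else 120
        else:  # everything else rides the normal patch cycle
            tier, hours = "P3-standard", 24 * 30
        rows.append({**f, "tier": tier,
                     "patch_by": (today + timedelta(hours=hours)).isoformat(),
                     "ransomware_use": entry["knownRansomwareCampaignUse"] if entry else "n/a"})
    # Emergency tier first; within a tier, Internet-facing hosts before internal ones.
    return sorted(rows, key=lambda r: (r["tier"], not r["internet_facing"]))

def run_demo():
    """Run the prioritization over the constructed data and return the ordered queue."""
    return prioritize(INVENTORY, load_kev(KEV_JSON), DEMO_DATE)

if __name__ == "__main__":
    for r in run_demo():
        print(f'{r["tier"]:18} {r["cve"]:15} {r["host"]:11} patch by {r["patch_by"]}')
```

Swap KEV_JSON for the live CISA feed and INVENTORY for your scanner export and the same function yields an ordered patch queue.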


CISA Known Exploited Vulnerabilities for September 9th to September 15th:

CVE-2024-40766 – SonicWall SonicOS Improper Access Control Vulnerability:
Could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.

CVE-2017-1000253 – Linux Kernel PIE Stack Buffer Corruption Vulnerability:
Allows a local attacker to escalate privileges.

CVE-2016-3714 – ImageMagick Improper Input Validation Vulnerability:
Allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

CVE-2024-38217 – Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability:
Allows an attacker to bypass MOTW-based defenses. This can result in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

CVE-2024-38014 – Microsoft Windows Installer Improper Privilege Management Vulnerability:
Allows an attacker to gain SYSTEM privileges.

CVE-2024-43491 – Microsoft Windows Update Use-After-Free Vulnerability:
Allows for remote code execution.

CVE-2024-38226 – Microsoft Publisher Protection Mechanism Failure Vulnerability:
Allows attacker to bypass Office macro policies used to block untrusted or malicious files.

CVE-2024-8190 – Ivanti Cloud Services Appliance OS Command Injection Vulnerability:
Allows an authenticated attacker with application admin privileges to pass commands to the underlying OS.


Ivanti Cloud Service Appliance (CSA) Bug Exploited

Older version 4.6 of the CSA was patched this week.  After a researcher disclosed technical details and exploit code, active exploitation began.  CISA added this bug to the KEV catalog.  The trend continues: exploitation quickly follows the release of proof-of-concept (PoC) code.

https://www.csoonline.com/article/3520876/newly-patched-ivanti-csa-flaw-under-active-exploitation.html

https://www.bleepingcomputer.com/news/security/ivanti-fixes-maximum-severity-rce-bug-in-endpoint-management-software/


Medusa Operators Created an Online Presence Including Clear Web

Ransomware-as-a-Service (RaaS) is a preferred model for most ransomware operators.  Medusa not only operates with a dark web presence but is tied to a clear web presence including “X” and a website called “OSINT Without Borders”.

https://securityonline.info/medusa-exploits-fortinet-flaw-cve-2023-48788-for-stealthy-ransomware-attacks/

https://www.bitdefender.com/blog/businessinsights/medusa-ransomware-a-growing-threat-with-a-bold-online-presence


Threat Actors Targeting Oracle WebLogic Servers

A new Linux malware called Hadooken is being deployed which in turn drops and executes a cryptominer and a DDoS tool.  The compromised servers can be used for ransomware attacks as well.  The threat actors clean up their tracks, making discovery and analysis harder.

https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/

https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/


‘The Com’, a Group of English-Speaking Threat Actors, Has a Dark Side

Krebs exposes the ties between ransomware groups and ‘The Com’, as well as a more hideous side to this crime-focused social network.  The Com is best known for SIM swapping and social engineering, but its dark side includes violence and harm groups.

https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-the-com/


Hours After PoC Code Released, WhatsUp Gold Bug Exploited

Patching is hard, but with critical bugs, timeliness is a must.  Any flaw with a high potential for exploitation should be prioritized, or at least watched for exploit code release.  Once PoC code is released, it is often weaponized very quickly.  This continues to be a trend; time is not on your side.

https://www.bleepingcomputer.com/news/security/hackers-targeting-whatsup-gold-with-public-exploit-since-august/

https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html


Scattered Spider is at it Again Going After Cloud Resources

This ransomware affiliate group is known for its social engineering techniques and more advanced tradecraft.  Researchers share insights into recent cloud-based activities and behavior that can lead to ransomware.

https://www.darkreading.com/cloud-security/socially-savvy-scattered-spider-traps-cloud-admins-in-web

https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries


Threat Actors Malvertize AppleCare+ Support on Google

Threat actors are using GitHub repos to host fake AppleCare+ customer service web pages, reached via redirects from Google ads.  Multiple repos are used, and phone numbers rotate when discovered.  The abuse of legitimate services continues.

https://www.malwarebytes.com/blog/scams/2024/09/scammers-advertise-fake-applecare-service-via-github-repos


An Attacker can Trigger Pipelines in GitLab

As part of a multi-bug patch release, the most critical flaw, tracked as CVE-2024-6678, can allow an attacker to trigger pipelines as arbitrary users.

https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/


Grit Ransomware Report August 2024

Researchers continue to share threat intelligence on ransomware groups.  This report helps us track changes in the ransomware landscape.

https://www.guidepointsecurity.com/blog/grit-ransomware-report-august-2024/


Zero-Day Bug in Adobe Acrobat Reader Fix Released

Adobe fixed the bug tracked as CVE-2024-41869, which can lead to remote code execution.  There is an in-the-wild proof-of-concept (PoC) exploit available.  The PoC is a work in progress.

https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/

https://helpx.adobe.com/security/products/acrobat/apsb24-70.html


Multiple SOHO Routers and VPN Appliances Targeted by 7777 Botnet

These botnets are often used to hide malicious activities and attacker locations.  Several brands of SOHO routers and VPN appliances are being targeted.  It appears that the botnet operators are evolving their tradecraft.

https://thehackernews.com/2024/09/quad7-botnet-expands-to-target-soho.html

https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/


RansomHub Affiliates Spotted Using New Tools

RansomHub affiliates are abusing a legitimate Kaspersky tool called TDSSKiller in an attempt to disable EDR, and LaZagne for credential dumping.  This is new tradecraft for these affiliates.

https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-abuses-kaspersky-tdsskiller-to-disable-edr-software/

https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/


Exploited Since 2018, Smart App Control Zero-Day Fixed

Microsoft patched the bug now tracked as CVE-2024-38217, with evidence of exploitation since 2018.  Known as LNK stomping, it was disclosed last month by security researchers.

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-smart-app-control-zero-day-exploited-in-attacks-since-2018/

https://www.elastic.co/security-labs/dismantling-smart-app-control

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38217


NoName Ransomware Actors Trying to Build a Reputation

Using older flaws and an immature ransomware called ScRansom, these threat actors are hitting various SMBs around the world.  Researchers have observed the use of RansomHub tools; NoName has likely signed up as a RansomHub affiliate.

https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deploying-ransomhub-malware-in-recent-attacks/

https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/


Repellent Scorpius, New RaaS Group

Researchers share technical analysis and TTPs tied to the group.  It appears they emerged in May 2024 and distribute Cicada3301 ransomware.  Although newer, they are hiring initial access brokers and have set up an affiliate program.

https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/


H1 2024 Malware and Vulnerability Trends Report

Researchers share the latest trends report; this is good stuff.

https://go.recordedfuture.com/hubfs/reports/cta-2024-0910.pdf


Researchers Share a Threat Assessment: North Korean Threat Groups

A deep dive into several nation-state sponsored threat actors.

https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/

