Skip to content

Cyber Threat Weekly – #44

Derek Krein
5 min read

The week of September 16th through September 22nd was near average with 457 cyber news articles reviewed.  With a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a suspected Chinese APT abusing multi-stage attack chain.

Researchers share BlackBasta tools, behavior, and analysis.  Threat actors vast infostealer campaign exposed.   Cyber criminals abuse HR related lures in a spear-phishing campaign.  Attackers use stolen credentials for LLMjacking.

Maximum Severity Authentication Bypass in GitLab.  Veeam, releases second patch for critical remote code execution (RCE) bug.  Ivanti Cloud Services Appliance (CSA) actively exploited.  Researchers have discovered a new red team tool. 

A large, multi-tiered botnet is disrupted.  Threat actors abusing Azure for data exfiltration.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for September 16th to September 22nd:         

CVE-2024-6670 – Progress WhatsUp Gold SQL Injection Vulnerability:
Allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.

CVE-2024-43461 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.

CVE-2014-0502 – Adobe Flash Player Double Free Vulnerability:
Allows a remote attacker to execute arbitrary code.

CVE-2013-0648 – Adobe Flash Player Code Execution Vulnerability:
Allows a remote attacker to execute arbitrary code via crafted SWF content.

CVE-2013-0643 – Adobe Flash Player Incorrect Default Permissions Vulnerability:
Allows a remote attacker to execute arbitrary code via crafted SWF content.

CVE-2014-0497 – Adobe Flash Player Integer Underflow Vulnerability:
Allows a remote attacker to execute arbitrary code.

CVE-2020-14644 – Oracle WebLogic Server Remote Code Execution Vulnerability:
Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution.

CVE-2022-21445 – Oracle ADF Faces Deserialization of Untrusted Data Vulnerability:
Contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution.

CVE-2020-0618 – Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability:
An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.

CVE-2024-27348 – Apache HugeGraph-Server Improper Access Control Vulnerability:
Allows a remote attacker to execute arbitrary code.

CVE-2024-8963 – Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability:
Allows a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.


Multi-Stage Attack Chain Abused by Chinese Threat Actors

Spear-phishing and a GeoServer flaw to kick off the attack.  The interesting thing is the use of GrimResource, a cross-site scripting flaw and AppDomainManager injection to perform arbitrary code execution.  The latter is an older behavior that is not well known so expect to see its use increase.

https://www.darkreading.com/cyberattacks-data-breaches/china-earth-baxia-spies-geoserver-apac-orgs

https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html


BlackBasta Tools, Techniques, and Analysis Released

This group are prolific Ransomware-as-a-Service (RaaS) operators that appeared in April 2022.  Affiliates of this RaaS group use several tools and techniques to reach their goals.  Researchers share analysis.

https://securityonline.info/zerologon-to-nopac-vulnerability-black-basta-groups-exploit-arsenal-revealed/

https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know


Researchers Reveal a Massive Infostealer Campaign

The lure is brand impersonation and even fake brands.  With a huge toolkit, the threat actors perform multi-vector attacks on multiple platforms.  Info-stealing malware campaigns have been on the rise and continue to flourish. 

https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/

https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf


HR Related Lures Trick Employees in Spear-Phishing Campaign

Threat actors are getting better at looking legitimate.  From the tempting lures to professional language, to the fake login page that looks like the real thing except for the URL.  By providing a sense of urgency people may act without thinking too much about it.

https://securityonline.info/threat-actors-exploit-hr-related-phishing-tactics-in-sophisticated-credential-stealing-campaigns/

https://cofense.com/blog/threat-actors-continue-to-utilize-hr-related-phishing-tactics


LLMjacking, a New Theat Abusing Cloud Services and Credentials

The desire for LLM access without paying or limitations is so big, an entire ecosystem and market has been grown around access to LLMs.  The current target is AWS Bedrock, that doesn’t mean we won’t see more of this activity on other cloud services.

https://www.csoonline.com/article/3535433/llmjacking-how-attackers-use-stolen-aws-credentials-to-enable-llms-and-rack-up-costs-for-victims.html

https://sysdig.com/blog/growing-dangers-of-llmjacking/


GitLab Maximum Severity Auth Bypass Flaw

Affecting SAML-based authentication, this flaw is rated 10 CVSS score.  It seems that to exploit this bug, the attacker would need to craft SAML assertions identical to each organization’s legit provider including key and value fields. 

https://www.darkreading.com/application-security/gitlab-warns-max-severity-authentication-bypass-bug


Second Patch for Veeam’s Critical RCE Bug

It appears the second patch may have fully fixed CVE-2024-40711. 

https://www.darkreading.com/application-security/poc-exploit-for-rce-flaw-but-patches-from-veeam

https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/


Actively Exploited, Another Critical Bug in Ivanti’s CSA

The admin bypass flaw tracked as CVE-2024-8963 chained with CVE-8190 leads to arbitrary command execution.  Ivanti has several bugs exploited, even some zero-days over the last several months.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-another-critical-csa-flaw-exploited-in-attacks/


Researchers Reveal a Red Team Tool: Splinter

This newly discovered tool is designed for post-exploitation behavior.  Splinter is written in Rust.  While pen testing tools are great for legitimate purposes, they are often abused by threat actors. 

https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/


Disrupted, Raptor Train, a Multi-Tiered Botnet

Likely Chinese, the threat actors ran a botnet of more than 260,000 devices.  Several device types made up the botnet including SOHO routers, IP cameras, and NAS devices.  The FBI disrupted the botnet and claimed as many as 1.2 million had been compromised over its lifespan.

https://www.bleepingcomputer.com/news/security/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware/

https://blog.lumen.com/derailing-the-raptor-train/


Ransomware Affiliates Abusing Azure for Data Exfiltration

While it takes extra effort to get Azure Storage Explorer working, it appears to be worth it for these threat actors.  This is another example of using legit services to accomplish attacker objectives. 

https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-abuse-microsoft-azure-tool-for-data-theft/

https://www.modepush.com/blog/highway-blobbery-data-theft-using-azure-storage-explorer


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #52

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing. An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo

Members Public

Cyber Threat Weekly – #51

The week of November 4th through November 10th, 330 cyber news articles were reviewed.  The feed list has been adjusted, so the number of articles should be mostly lower.  Let’s start with threat actors using Zip file concatenation technique. Cybercriminals abuse emergency data requests (EDRs) with compromised credentials.  AWS

Members Public

Cyber Threat Weekly – #50

The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with a newer ransomware group targeting FreeBSD servers. Publicly disclosed exploit code used to exploit Microsoft SharePoint flaw.