Cyber Threat Weekly – #44
The week of September 16th through September 22nd was near average with 457 cyber news articles reviewed. With a moderate amount of cyber threat trend and adversarial behavior news to share. Let’s start with a suspected Chinese APT abusing multi-stage attack chain.
Researchers share BlackBasta tools, behavior, and analysis. Threat actors vast infostealer campaign exposed. Cyber criminals abuse HR related lures in a spear-phishing campaign. Attackers use stolen credentials for LLMjacking.
Maximum Severity Authentication Bypass in GitLab. Veeam, releases second patch for critical remote code execution (RCE) bug. Ivanti Cloud Services Appliance (CSA) actively exploited. Researchers have discovered a new red team tool.
A large, multi-tiered botnet is disrupted. Threat actors abusing Azure for data exfiltration.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for September 16th to September 22nd:
CVE-2024-6670 – Progress WhatsUp Gold SQL Injection Vulnerability:
Allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.
CVE-2024-43461 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.
CVE-2014-0502 – Adobe Flash Player Double Free Vulnerability:
Allows a remote attacker to execute arbitrary code.
CVE-2013-0648 – Adobe Flash Player Code Execution Vulnerability:
Allows a remote attacker to execute arbitrary code via crafted SWF content.
CVE-2013-0643 – Adobe Flash Player Incorrect Default Permissions Vulnerability:
Allows a remote attacker to execute arbitrary code via crafted SWF content.
CVE-2014-0497 – Adobe Flash Player Integer Underflow Vulnerability:
Allows a remote attacker to execute arbitrary code.
CVE-2020-14644 – Oracle WebLogic Server Remote Code Execution Vulnerability:
Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution.
CVE-2022-21445 – Oracle ADF Faces Deserialization of Untrusted Data Vulnerability:
Contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution.
CVE-2020-0618 – Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability:
An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
CVE-2024-27348 – Apache HugeGraph-Server Improper Access Control Vulnerability:
Allows a remote attacker to execute arbitrary code.
CVE-2024-8963 – Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability:
Allows a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Multi-Stage Attack Chain Abused by Chinese Threat Actors
Spear-phishing and a GeoServer flaw to kick off the attack. The interesting thing is the use of GrimResource, a cross-site scripting flaw and AppDomainManager injection to perform arbitrary code execution. The latter is an older behavior that is not well known so expect to see its use increase.
https://www.darkreading.com/cyberattacks-data-breaches/china-earth-baxia-spies-geoserver-apac-orgs
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
BlackBasta Tools, Techniques, and Analysis Released
This group are prolific Ransomware-as-a-Service (RaaS) operators that appeared in April 2022. Affiliates of this RaaS group use several tools and techniques to reach their goals. Researchers share analysis.
Researchers Reveal a Massive Infostealer Campaign
The lure is brand impersonation and even fake brands. With a huge toolkit, the threat actors perform multi-vector attacks on multiple platforms. Info-stealing malware campaigns have been on the rise and continue to flourish.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf
HR Related Lures Trick Employees in Spear-Phishing Campaign
Threat actors are getting better at looking legitimate. From the tempting lures to professional language, to the fake login page that looks like the real thing except for the URL. By providing a sense of urgency people may act without thinking too much about it.
https://cofense.com/blog/threat-actors-continue-to-utilize-hr-related-phishing-tactics
LLMjacking, a New Theat Abusing Cloud Services and Credentials
The desire for LLM access without paying or limitations is so big, an entire ecosystem and market has been grown around access to LLMs. The current target is AWS Bedrock, that doesn’t mean we won’t see more of this activity on other cloud services.
https://sysdig.com/blog/growing-dangers-of-llmjacking/
GitLab Maximum Severity Auth Bypass Flaw
Affecting SAML-based authentication, this flaw is rated 10 CVSS score. It seems that to exploit this bug, the attacker would need to craft SAML assertions identical to each organization’s legit provider including key and value fields.
https://www.darkreading.com/application-security/gitlab-warns-max-severity-authentication-bypass-bug
Second Patch for Veeam’s Critical RCE Bug
It appears the second patch may have fully fixed CVE-2024-40711.
https://www.darkreading.com/application-security/poc-exploit-for-rce-flaw-but-patches-from-veeam
Actively Exploited, Another Critical Bug in Ivanti’s CSA
The admin bypass flaw tracked as CVE-2024-8963 chained with CVE-8190 leads to arbitrary command execution. Ivanti has several bugs exploited, even some zero-days over the last several months.
Researchers Reveal a Red Team Tool: Splinter
This newly discovered tool is designed for post-exploitation behavior. Splinter is written in Rust. While pen testing tools are great for legitimate purposes, they are often abused by threat actors.
https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/
Disrupted, Raptor Train, a Multi-Tiered Botnet
Likely Chinese, the threat actors ran a botnet of more than 260,000 devices. Several device types made up the botnet including SOHO routers, IP cameras, and NAS devices. The FBI disrupted the botnet and claimed as many as 1.2 million had been compromised over its lifespan.
https://blog.lumen.com/derailing-the-raptor-train/
Ransomware Affiliates Abusing Azure for Data Exfiltration
While it takes extra effort to get Azure Storage Explorer working, it appears to be worth it for these threat actors. This is another example of using legit services to accomplish attacker objectives.
https://www.modepush.com/blog/highway-blobbery-data-theft-using-azure-storage-explorer
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
