Skip to content

Cyber Threat Weekly – #45

Derek Krein
3 min read

The week of September 23rd through September 29th was a bit light with 427 cyber news articles reviewed.  Not much cyber threat trend and adversarial behavior news to share.  Let’s start with more ransomware affiliates target hybrid cloud environments.

WhatsUp Gold high and critical vulnerabilities.  New SnipBot malware analyzed.  Nexe backdoor malware has interesting evasion techniques.  Hacktivists targeting water utilities.  Researchers analyze a so-called FREE Phishing-as-a-Service (PHaaS) provider.

Ivanti in the news again, exploited auth bypass flaw. 


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for September 23rd to September 29th:

CVE-2024-7593 – Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability:
Allows a remote, unauthenticated attacker to create a chosen administrator account.


Ransomware Threat Actors Target Hybrid Cloud Environments

Targeting hybrid could environments and going after cloud resources seems to be the new hotness for ransomware affiliates.  Threat actors tracked as Storm-0501 have been active since 2021.  They exploit weak credentials, and over privileged accounts gain access to cloud environments.

https://www.bleepingcomputer.com/news/security/embargo-ransomware-escalates-attacks-to-cloud-environments/

https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/


Critical and High Bugs in WhatsUp Gold

WhatsUp Gold is a threat actor favorite.  Earlier flaws were exploited after proof-of concept (PoC) code was released.  On the earlier bugs, a researchers released the PoC after two weeks.  Let’s hope they slow down a bit, two weeks is not enough time to patch for many organizations.

https://www.bleepingcomputer.com/news/security/progress-urges-admins-to-patch-critical-whatsup-gold-bugs-asap/


Researcher’s Share Analysis of SnipBot Malware

SnipBot, is a new variant of RomCom, a backdoor abused to deliver Cuba ransomware.  Several anti-sandboxing checks are run.  The main module is ‘single.dll’, it’s encrypted and stored in the registry.  It’s loaded into memory from its location. 

https://www.bleepingcomputer.com/news/security/new-romcom-malware-variant-snipbot-spotted-in-data-theft-attacks/

https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/


Researchers Share Nexe Backdoor Evasion Techniques

After DLL sideloading into the legit WerFaultSecure.exe.  This APT group uses memory patching to inject shellcode, minimizing the chance of triggering alerts.  Yesterday’s nation state attack is tomorrow’s commodity attack.  This is a technique to watch.

https://cyble.com/blog/nexe-backdoor-unleashed-patchwork-apt-groups-sophisticated-evasion-of-defenses/


Water Utilities Under Attack by Hacktivists

While it’s important that hacktivists are going after critical infrastructure, the lesson here is simple.  Don’t expose critical infrastructure to the Internet.  Simple hygiene and proper architecture would prevent most of these attacks.

https://cyble.com/blog/deluge-of-threats-to-water-utilities-plugging-the-leaks-in-operational-technology-security/

https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf


Free PHaaS Platform Sniper Dz Analyzed

Researchers found over 140,000 phishing websites tied to Sniper Dz.  They offer their PHaaS platform for FREE, but there is a catch.  The owners collect the victim credentials stolen by phishers using the platform. 

https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/


Critical Ivanti Virtual Traffic Manager Flaw Exploited

Tracked as CVE-2024-7593, exploit code was available when the fix was released.  This week CISA added the flaw to the known exploited vulnerabilities (KEV) catalog.  Ivanti is a favorite for threat actors both criminal and nation state.

https://www.bleepingcomputer.com/news/security/critical-ivanti-vtm-auth-bypass-bug-now-exploited-in-attacks/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8