Cyber Threat Weekly – #45
The week of September 23rd through September 29th was a bit light with 427 cyber news articles reviewed. Not much cyber threat trend and adversarial behavior news to share. Let’s start with more ransomware affiliates target hybrid cloud environments.
WhatsUp Gold high and critical vulnerabilities. New SnipBot malware analyzed. Nexe backdoor malware has interesting evasion techniques. Hacktivists targeting water utilities. Researchers analyze a so-called FREE Phishing-as-a-Service (PHaaS) provider.
Ivanti in the news again, exploited auth bypass flaw.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for September 23rd to September 29th:
CVE-2024-7593 – Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability:
Allows a remote, unauthenticated attacker to create a chosen administrator account.
Ransomware Threat Actors Target Hybrid Cloud Environments
Targeting hybrid could environments and going after cloud resources seems to be the new hotness for ransomware affiliates. Threat actors tracked as Storm-0501 have been active since 2021. They exploit weak credentials, and over privileged accounts gain access to cloud environments.
Critical and High Bugs in WhatsUp Gold
WhatsUp Gold is a threat actor favorite. Earlier flaws were exploited after proof-of concept (PoC) code was released. On the earlier bugs, a researchers released the PoC after two weeks. Let’s hope they slow down a bit, two weeks is not enough time to patch for many organizations.
Researcher’s Share Analysis of SnipBot Malware
SnipBot, is a new variant of RomCom, a backdoor abused to deliver Cuba ransomware. Several anti-sandboxing checks are run. The main module is ‘single.dll’, it’s encrypted and stored in the registry. It’s loaded into memory from its location.
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
Researchers Share Nexe Backdoor Evasion Techniques
After DLL sideloading into the legit WerFaultSecure.exe. This APT group uses memory patching to inject shellcode, minimizing the chance of triggering alerts. Yesterday’s nation state attack is tomorrow’s commodity attack. This is a technique to watch.
Water Utilities Under Attack by Hacktivists
While it’s important that hacktivists are going after critical infrastructure, the lesson here is simple. Don’t expose critical infrastructure to the Internet. Simple hygiene and proper architecture would prevent most of these attacks.
Free PHaaS Platform Sniper Dz Analyzed
Researchers found over 140,000 phishing websites tied to Sniper Dz. They offer their PHaaS platform for FREE, but there is a catch. The owners collect the victim credentials stolen by phishers using the platform.
https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/
Critical Ivanti Virtual Traffic Manager Flaw Exploited
Tracked as CVE-2024-7593, exploit code was available when the fix was released. This week CISA added the flaw to the known exploited vulnerabilities (KEV) catalog. Ivanti is a favorite for threat actors both criminal and nation state.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
