
Cyber Threat Weekly – #46

Derek Krein

The week of September 30th through October 6th was light, with 369 cyber news articles reviewed.  There is a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with US broadband providers being breached.

The art and science of DNS tunneling detection.  Adobe Commerce and Magento online stores targeted.  Linux malware “perfctl” has been targeting Linux servers for years.  Threat actor observed deploying a new MedusaLocker variant.

DrayTek routers have multiple bugs, including two critical ones.  Zimbra remote code execution (RCE) bug actively exploited.  Ivanti again: an EPM bug is actively exploited.  FIN7 is at it again, with deepfake nude generator websites. 

Researchers detect vulnerability scanning from a dark web tool.  The 2024 Elastic Global Threat Report.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities that are being actively exploited.  You can prioritize by starting with the CISA known exploited vulnerabilities (KEV) catalog. 

A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation rises once such code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
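
One way to operationalize that prioritization is to cross-reference an asset inventory against the KEV feed and a team-maintained list of CVEs with weaponized public PoC, then sort by tier and Internet exposure.  The script below is an added example, not the author's tooling: the KEV excerpt is constructed in the shape of CISA's `known_exploited_vulnerabilities.json` feed with illustrative dates, the inventory and the `CVE-9999-*` identifiers are placeholders, and the 48-hour and 30-day SLAs are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs mirror this issue's list; dates are illustrative, not authoritative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-45519", "vendorProject": "Synacor", "product": "Zimbra Collaboration",
     "dateAdded": "2024-10-03", "dueDate": "2024-10-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-29824", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "dateAdded": "2024-10-02", "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-15415", "vendorProject": "DrayTek", "product": "Multiple Vigor Routers",
     "dateAdded": "2024-09-30", "dueDate": "2024-10-21", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory (placeholder hosts). CVE-9999-* IDs are fictitious placeholders:
# -0001 stands for a flaw with weaponized public PoC, -0002 for one with no exploitation evidence.
INVENTORY = [
    {"asset": "mail-edge-01",  "internet_exposed": True,  "cves": ["CVE-2024-45519"]},
    {"asset": "epm-core-01",   "internet_exposed": False, "cves": ["CVE-2024-29824"]},
    {"asset": "branch-rtr-07", "internet_exposed": True,  "cves": ["CVE-2020-15415"]},
    {"asset": "web-app-03",    "internet_exposed": True,  "cves": ["CVE-9999-0001"]},
    {"asset": "build-srv-02",  "internet_exposed": False, "cves": ["CVE-9999-0002"]},
]

# Assumption: a list the team maintains from exploit trackers / vendor advisories.
WEAPONIZED_POC = {"CVE-9999-0001"}

EMERGENCY_SLA_HOURS = 48   # the 24-to-48-hour emergency window; upper bound chosen here
ROUTINE_SLA_DAYS = 30      # assumption for everything outside the emergency process


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def classify(cve: str, kev: dict, poc: set):
    """Tier 1: in KEV (actively exploited). Tier 2: weaponized PoC public. Tier 3: the rest."""
    if cve in kev:
        return 1, "KEV: actively exploited"
    if cve in poc:
        return 2, "weaponized PoC public"
    return 3, "no exploitation evidence"


def prioritize(inventory, kev_json: str, poc: set, today: date) -> list:
    """Return one row per (asset, CVE), ordered by tier, then Internet exposure,
    then CISA due date, so the top of the list is what the emergency process handles first."""
    kev = load_kev(kev_json)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            tier, reason = classify(cve, kev, poc)
            entry = kev.get(cve)
            due = date.fromisoformat(entry["dueDate"]) if entry else None
            rows.append({
                "asset": asset["asset"],
                "cve": cve,
                "tier": tier,
                "reason": reason,
                "internet_exposed": asset["internet_exposed"],
                "cisa_due": due,
                "overdue": bool(due and due < today),
                "sla": f"{EMERGENCY_SLA_HOURS}h" if tier <= 2 else f"{ROUTINE_SLA_DAYS}d",
            })
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"],
                             r["cisa_due"] or date.max, r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, KEV_SAMPLE, WEAPONIZED_POC, date(2024, 10, 7)):
        print(f'T{r["tier"]} {r["sla"]:>4} exposed={r["internet_exposed"]!s:5} '
              f'{r["asset"]:14} {r["cve"]:15} {r["reason"]}'
              + (" OVERDUE" if r["overdue"] else ""))
```

Both tier 1 and tier 2 land in the 48-hour emergency bucket, as the text recommends; the tier only decides the order within it.  Swapping `KEV_SAMPLE` for the live feed and `INVENTORY` for your scanner export is the only change needed to run this for real.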


CISA Known Exploited Vulnerabilities for September 30th to October 7th:

CVE-2019-0344 – SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability:
Allows code injection.

CVE-2021-4043 – Motion Spell GPAC Null Pointer Dereference Vulnerability:
Could allow a local attacker to cause a denial-of-service (DoS) condition.

CVE-2020-15415 – DrayTek Multiple Vigor Routers OS Command Injection Vulnerability:
Allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

CVE-2023-25280 – D-Link DIR-820 Router OS Command Injection Vulnerability:
Allows a remote, unauthenticated attacker to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

CVE-2024-29824 – Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability:
Allows an unauthenticated attacker within the same network to execute arbitrary code.

CVE-2024-45519 – Synacor Zimbra Collaboration Command Execution Vulnerability:
May allow an unauthenticated user to execute commands.


Chinese Threat Actors Breach Multiple US Broadband Providers

The threat actors appear to have targeted US wiretapping infrastructure and may have been present on systems for months or longer.  Verizon, AT&T, and Lumen were among the providers breached.

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b


Detecting DNS Tunneling Campaigns

Researchers find some common attributes of DNS tunneling and dig into them to find new campaigns.  This works while threat actors are lazy; eventually, as campaigns stop working, they’ll change their behavior to make their campaigns more difficult to find.

https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
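
Common attributes of tunneling traffic include many unique subdomains under one attacker-controlled zone, long high-entropy leftmost labels (encoded data chunks), and query types such as TXT or NULL that carry data back to the client.  The script below turns those into a simple triage pass over a query log.  It is an added example, not Unit 42's tooling: the log format, the thresholds, the two-label registered-domain heuristic and the domain names are all assumptions or constructed input.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<epoch> <client_ip> <qname> <qtype>".
# The eight hex rotations stand in for encoded data chunks a tunnel client emits;
# the cdn lines show that many unique subdomains alone must not trigger an alert.
SAMPLE_LOG = """\
1727700000 10.0.0.5 www.example.com A
1727700001 10.0.0.5 mail.example.com MX
1727700002 10.0.0.7 img1.cdn-example.org A
1727700003 10.0.0.7 img2.cdn-example.org A
1727700004 10.0.0.7 img3.cdn-example.org A
1727700005 10.0.0.7 img4.cdn-example.org A
1727700006 10.0.0.7 img5.cdn-example.org A
1727700007 10.0.0.7 img6.cdn-example.org A
1727700008 10.0.0.7 img7.cdn-example.org A
1727700009 10.0.0.7 img8.cdn-example.org A
1727700010 10.0.0.9 0123456789abcdef0123456789abcdef.t.tun-badexample.net TXT
1727700011 10.0.0.9 123456789abcdef0123456789abcdef0.t.tun-badexample.net TXT
1727700012 10.0.0.9 23456789abcdef0123456789abcdef01.t.tun-badexample.net TXT
1727700013 10.0.0.9 3456789abcdef0123456789abcdef012.t.tun-badexample.net TXT
1727700014 10.0.0.9 456789abcdef0123456789abcdef0123.t.tun-badexample.net NULL
1727700015 10.0.0.9 56789abcdef0123456789abcdef01234.t.tun-badexample.net TXT
1727700016 10.0.0.9 6789abcdef0123456789abcdef012345.t.tun-badexample.net TXT
1727700017 10.0.0.9 789abcdef0123456789abcdef0123456.t.tun-badexample.net TXT
"""


def shannon_entropy(label: str) -> float:
    """Bits per character: ~4.0 for uniformly distributed hex, ~2 for short words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the attacker-controlled zone is the last two labels.
    A production detector should use the Public Suffix List (co.uk etc.) instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        epoch, client, qname, qtype = line.split()
        records.append((int(epoch), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def profile_domains(records) -> dict:
    """Aggregate per registered domain the attributes tunneling tends to exhibit."""
    acc = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "lens": [], "ents": [], "data_types": 0})
    for _, _, qname, qtype in records:
        dom = registered_domain(qname)
        prefix = qname[:-len(dom)].rstrip(".") if qname != dom else ""
        first = prefix.split(".")[0] if prefix else ""   # leftmost label carries the payload
        a = acc[dom]
        a["queries"] += 1
        a["subdomains"].add(prefix)
        a["lens"].append(len(first))
        a["ents"].append(shannon_entropy(first))
        if qtype in ("TXT", "NULL"):                     # record types that return arbitrary bytes
            a["data_types"] += 1
    profiles = {}
    for dom, a in acc.items():
        q = a["queries"]
        profiles[dom] = {
            "queries": q,
            "unique_subdomains": len(a["subdomains"]),
            "avg_label_len": sum(a["lens"]) / q,
            "avg_entropy": sum(a["ents"]) / q,
            "data_type_ratio": a["data_types"] / q,
        }
    return profiles


def suspicious_domains(records, min_unique=8, min_avg_len=24,
                       min_entropy=3.0, min_data_ratio=0.5) -> list:
    """Domains meeting every threshold (assumed values; tune per environment).
    Requiring all attributes together keeps CDNs and mail providers, which hit
    one or two of them, out of the alert queue."""
    flagged = []
    for dom, p in profile_domains(records).items():
        if (p["unique_subdomains"] >= min_unique and p["avg_label_len"] >= min_avg_len
                and p["avg_entropy"] >= min_entropy and p["data_type_ratio"] >= min_data_ratio):
            flagged.append((dom, p))
    return sorted(flagged, key=lambda d: d[1]["unique_subdomains"], reverse=True)


if __name__ == "__main__":
    for dom, p in suspicious_domains(parse_log(SAMPLE_LOG)):
        print(dom, p)
```

The point the article makes applies here too: once a tunnel operator shortens labels, mixes in A queries, or spreads traffic across many registered domains, each of these thresholds can be slipped under, so treat the output as a hunting lead rather than a verdict.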


CosmicSting Campaigns Target Adobe Commerce and Magento

When CVE-2024-34102 is chained with CVE-2024-2961, remote code execution is possible.  Thousands of stores have been hacked so far, roughly 5% of all stores.  Multiple groups are abusing this attack chain.

https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-magento-shops-hacked-in-cosmicsting-attacks/

https://sansec.io/research/cosmicsting-fallout


Multi-Year “perfctl” Malware Campaign Targeting Linux Servers

It appears the primary purpose is cryptomining, but the rootkits and other tooling could easily be abused for more nefarious activities.  That is the scary part that is often not thought about: it wouldn’t take much to shift operations to something more sinister.

https://www.bleepingcomputer.com/news/security/linux-malware-perfctl-behind-years-long-cryptomining-campaign/

https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/


MedusaLocker Variant Called BabyLockerKz

A threat actor active since late 2022 has recently been spotted deploying BabyLockerKz.  Researchers share the behavior, tools, and IoCs recently observed. 

https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/


Multiple Bugs Including Critical RCE in DrayTek Routers

Although these bugs haven’t been exploited yet, several earlier flaws in DrayTek routers have been actively exploited.  A flaw from 2020, CVE-2020-15415, was added to the CISA KEV catalog this week.  These routers are targeted.

https://www.bleepingcomputer.com/news/security/draytek-fixed-critical-flaws-in-over-700-000-exposed-routers/


Critical RCE Bug in Zimbra Actively Exploited

Zimbra is a popular target for threat actors; multiple flaws are in the CISA known exploited vulnerabilities (KEV) catalog.  Exploitation of CVE-2024-45519 started after researchers shared proof-of-concept (PoC) code. 

https://cyble.com/blog/zimbra-remote-code-execution-vulnerability-under-active-attack/

https://blog.projectdiscovery.io/zimbra-remote-code-execution/


Ivanti EPM Bug Actively Exploited, 4th Ivanti Flaw Exploited in a Month

The patch for CVE-2024-29824 was released in May 2024, and researchers shared PoC code in June.  Ivanti confirms exploitation against a limited number of customers.  That could ramp up quickly, as observed in the recent past.

https://thehackernews.com/2024/10/ivanti-endpoint-manager-flaw-actively.html


FIN7 Spreading InfoStealer Malware via Deepnude Generator Sites

This is not a new lure for spreading info-stealing malware, but this one has an AI twist.  The network operates under the “AI Nude” brand; all the sites share a similar design and promise deepnude images generated from uploaded photos. 

https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake-nude-generator-sites-to-spread-malware/

https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/


Swiss Army Suite (S.A.S) Scanning Tool Discovered

Using machine learning, researchers discovered an underground scanning tool.  Unusual patterns were detected that appeared to be SQL injection attempts.  Further search result analysis found over 100,000 Google results for a particular string.  Digging into underground forums, the tool was found.

https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/


The 2024 Elastic Global Threat Report

A few key takeaways from the blog post: the authors are not worried about generative AI providing an overwhelming advantage to threat actors, and credentials are still the go-to for threat actors, a trend that continues to grow.  There are more details in the report linked below.

https://www.elastic.co/blog/elastic-global-threat-report-2024

https://www.elastic.co/pdf/elastic-global-threat-report-2024

