
Cyber Threat Weekly – #47

Derek Krein

The week of October 7th through October 13th was a bit light with 361 cyber news articles reviewed.  A decent amount of cyber threat trends and adversarial behavior news to share.  Let’s start with Iranian APT threat actors changing behavior.

OpenAI releases an update to their threat report.  Phishing using GitHub links and other tricks.  Kerberoasting mitigation guide from Microsoft.  Threat actors abusing F5 BIG-IP to enumerate internal network devices.

Researchers share an interesting analysis of a suspected APT targeting Ivanti bugs.  GitLab bugs including a critical flaw that could allow arbitrary CI/CD pipeline execution.  Critical Veeam bug previously patched, now abused by ransomware threat actors.

Firefox critical zero-day actively exploited.  Researchers share analysis of Lynx ransomware.  APT 29 targets unpatched older vulnerabilities for initial access and post exploitation activities.  Fortinet remote code execution (RCE) bug actively exploited.

Palo Alto Networks Expedition solution multiple bugs revealed.  Open-source scanner finds Linux / Unix servers with CUPS bug.  An up-and-coming phishing-as-a-service (PHaaS) targeting Microsoft 365 accounts for MFA bypass.


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploitation is more likely once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
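The prioritization described above can be expressed as a small triage routine.  This is an added example, not code from the newsletter or from CISA: the KEV excerpt mirrors the `vulnerabilities` / `cveID` shape of the KEV JSON feed, while the hosts, exposure flags, the placeholder CVE, and the 24-hour versus 48-hour split between the two tiers are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt in the shape of the CISA KEV JSON feed (only cveID is used).
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2024-23113"}, {"cveID": "CVE-2024-9380"}, {"cveID": "CVE-2024-43573"}
]}""")

# Constructed scanner findings: hosts and flags are hypothetical sample data.
FINDINGS = [
    {"host": "wiki-int-02", "cve": "CVE-0000-00000", "internet_facing": False, "weaponized_poc": False},
    {"host": "exp-mig-01", "cve": "CVE-2024-9464", "internet_facing": False, "weaponized_poc": True},
    {"host": "ws-1234", "cve": "CVE-2024-43573", "internet_facing": False, "weaponized_poc": False},
    {"host": "fw-edge-01", "cve": "CVE-2024-23113", "internet_facing": True, "weaponized_poc": False},
    {"host": "csa-dmz-01", "cve": "CVE-2024-9380", "internet_facing": True, "weaponized_poc": False},
]

# Assumed mapping of the 24-to-48-hour emergency window onto the two tiers.
SLA_HOURS = {1: 24, 2: 48, 3: None}  # tier 3 follows the normal patch cycle


def triage(findings, kev_feed, now):
    """Order findings: KEV first, weaponized PoC second, exposed hosts first in a tier."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    queue = []
    for f in findings:
        if f["cve"] in kev_ids:
            tier = 1  # known exploited
        elif f["weaponized_poc"]:
            tier = 2  # weaponized PoC available
        else:
            tier = 3  # everything else
        hours = SLA_HOURS[tier]
        due = now + timedelta(hours=hours) if hours else None
        queue.append({**f, "tier": tier, "due": due})
    # Internet-facing assets sort ahead of internal ones within the same tier.
    queue.sort(key=lambda f: (f["tier"], not f["internet_facing"], f["host"]))
    return queue


if __name__ == "__main__":
    for item in triage(FINDINGS, KEV_FEED, datetime(2024, 10, 14, 9, 0)):
        due = item["due"].isoformat() if item["due"] else "normal cycle"
        print(f'tier {item["tier"]}  {item["host"]:<12} {item["cve"]:<15} due {due}')
```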


CISA Known Exploited Vulnerabilities for October 7th to October 13th:

CVE-2024-43573 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Can lead to a loss of confidentiality.

CVE-2024-43572 – Microsoft Windows Management Console Remote Code Execution Vulnerability:
Allows for remote code execution.

CVE-2024-43047 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability:
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.

CVE-2024-9380 – Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability:
Can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

CVE-2024-9379 – Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability:
Can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

CVE-2024-23113 – Fortinet Multiple Products Format String Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.


APT34 (OilRig) Threat Actors Changing Behavior

Iranian threat actors are abusing Microsoft CVE-2024-30088 for privilege escalation and Exchange servers for exfiltration.  The start of the attack chain is vulnerable web servers and a web shell.  There is proof-of-concept (PoC) code available for the Microsoft bug.  We’ll keep an eye out and see if other threat actors start using similar techniques.

https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/

https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30088


OpenAI’s: “Influence and Cyber Operations: An Update”

Interestingly, while threat actors are abusing LLMs, so far, it’s mostly been for better phishing emails.  There are a few cases where reconnaissance, vulnerability research, and other behaviors were observed.  It appears that the abuse of LLMs thus far is more hype than reality.  That will most likely change as AI technology gets better.

https://cybersecuritynews.com/openai-confirms-chatgpt-malware/

https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf


Phishing Emails with Legit GitHub Links

There is a bit more to this story, but the worrisome part is the legit GitHub links.  By using trusted repositories with comments enabled, threat actors can upload a malicious file to a comment, delete the comment without saving it, and the malicious link is still available.  Threat actors now use that link from a well-known GitHub repository for phishing emails.

https://thehackernews.com/2024/10/github-telegram-bots-and-qr-codes.html

https://cofense.com/blog/tax-extension-malware-campaign


Mitigating Kerberoasting Guidance from Microsoft

Kerberoasting is a threat that is often abused by threat actors, so I decided to add the guidance from Microsoft.  It’s pretty good and worth a quick read.

https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/


F5 BIG-IP Cookies Abused to Map Internal Devices

Threat actors continue to find creative ways to abuse legit infrastructure.  In this case, they are using unencrypted session cookies to map internal networks.  This is done using the load-balancing Local Traffic Manager persistent cookies.

https://www.bleepingcomputer.com/news/security/cisa-hackers-abuse-f5-big-ip-cookies-to-map-internal-servers/

https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
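
To check your own virtual servers for this exposure, the sketch below audits captured `Set-Cookie` headers for LTM persistence cookies still in the default unencrypted format and reports what each one discloses.  It is an added example, not code from CISA or F5; it assumes the default `BIGipServer<pool>` cookie name and the documented IPv4 encoding, and the sample headers are constructed.

```python
import ipaddress
import re
import struct

# Default unencrypted IPv4 persistence value: <encoded ip>.<encoded port>.0000
PLAIN_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
PREFIX = "BIGipServer"  # default cookie name prefix, followed by the pool name


def audit_set_cookie(header_value):
    """Classify one Set-Cookie value; return None if it is not an LTM persistence cookie."""
    name, _, rest = header_value.partition("=")
    name = name.strip()
    if not name.startswith(PREFIX):
        return None
    value = rest.split(";", 1)[0].strip()
    m = PLAIN_VALUE.match(value)
    if not m or int(m.group(1)) > 0xFFFFFFFF or int(m.group(2)) > 0xFFFF:
        # Not in the plain format (for example, cookie encryption is enabled).
        return {"cookie": name, "plaintext": False}
    # The address is stored as a little-endian 32-bit integer.
    ip = ipaddress.IPv4Address(struct.pack("<I", int(m.group(1))))
    # The port is stored with its two bytes swapped.
    enc = int(m.group(2))
    port = ((enc & 0xFF) << 8) | (enc >> 8)
    return {
        "cookie": name,
        "plaintext": True,
        "pool": name[len(PREFIX):],
        "member": f"{ip}:{port}",
        "internal": ip.is_private,  # True means an internal address is disclosed
    }


def audit_headers(set_cookie_values):
    """Return findings only for cookies that disclose a pool member in plaintext."""
    results = (audit_set_cookie(v) for v in set_cookie_values)
    return [r for r in results if r and r["plaintext"]]


# Constructed sample headers, as captured from your own application responses.
SAMPLE = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/; Httponly",
    "BIGipServerapi_pool=!kQ2mZ0pXc3RydWN0ZWQ=; path=/; Httponly; Secure",
    "JSESSIONID=4f2a9c; path=/",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(f'{finding["cookie"]} discloses pool member {finding["member"]}')
```

Any finding means cookie encryption is not applied to that virtual server's persistence profile, which is the configuration the CISA alert linked above addresses.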


Ivanti Cloud Services Appliance Bugs Targeted by Suspected APT

Researchers share an incident response investigation of, at the time, zero-day flaws with Ivanti Cloud Services Appliance (CSA).  This is an interesting walk-through with commands used and details rarely shared.

https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa


Critical GitLab Bug that Allows CI/CD Pipeline Execution Patched

Several bugs were patched; the worst is CVE-2024-9164 with a CVSS score of 9.6.  The other bugs include four high, two medium, and one low.

https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html

https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/


Critical Veeam Remote Code Execution Bug Exploited

Ransomware threat actors are abusing CVE-2024-40711, a recently patched vulnerability.  Veeam is a ransomware actor favorite; taking out backup and recovery capabilities pressures victims to pay the ransom.  Patching bugs that are actively exploited and / or have weaponized proof-of-concept (PoC) code available should be a top priority.

https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/

https://infosec.exchange/@SophosXOps/113284564225476186


Critical Actively Exploited Zero-Day in Firefox Browser

This bug allows code execution, is tracked as CVE-2024-9680, and carries a CVSS score of 9.8 out of 10.  Worse, low attack complexity makes this a high-risk flaw. 

https://www.darkreading.com/cyberattacks-data-breaches/critical-mozilla-firefox-zero-day-code-execution


Lynx Ransomware Analysis Revealed

Researchers share analysis of Lynx ransomware and compare it to INC ransomware.  Unfortunately, new ransomware gangs pop up often, while others simply rebrand.  INC ransomware code was up for sale early in 2024, so Lynx could be a rebrand or a new group reusing code.

https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/


APT 29 Opportunistically Targeting Organizations

The use of n-day vulnerabilities for initial access and post-exploitation activities underscores two things.  Don’t expose services to the Internet unless absolutely necessary, and patch known exploited vulnerabilities.  Security-focused architecture can mitigate much of this activity.

https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/

https://www.ic3.gov/Media/News/2024/241010.pdf


Months-Old FortiOS RCE Bug Actively Exploited

CISA added CVE-2024-23113 to the known exploited vulnerability catalog.  The bug impacts FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and higher, and FortiWeb 7.4.

https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/


Multiple Bugs in Palo Alto Networks Expedition Solution

Multiple bugs were revealed, and PoC code is available for CVE-2024-5910 and CVE-2024-9464, which when chained together allow arbitrary command execution.

https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-firewall-hijack-bugs-with-public-exploit/

https://security.paloaltonetworks.com/PAN-SA-2024-0010


Open-Source Scanner Finds Linux Servers with CUPS Bug

The CUPS bug centers around the Common Unix Printing System (CUPS) and a remote code execution flaw.  If your Linux / Unix servers are exposed to the Internet, the CUPS bug could be used for a 600x amplification in distributed denial of service (DDoS) attacks.  If local, it can still be used for lateral movement.

https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix-servers-exposed-to-cups-rce-attacks/


Newer PHaaS Platform Called Mamba 2FA

Priced right at $250 / month, this platform is poised for fast growth.  The platform offers an adversary-in-the-middle (AiTM) method to capture auth tokens and bypass MFA.   

https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/

