Cyber Threat Weekly – #47

The week of October 7^th through October 13^th was a bit light with 361 cyber news articles reviewed.  A decent amount of cyber threat trends and adversarial behavior news to share.  Let’s start with Iranian APT threat actors changing behavior.

Open AI releases an update to their threat report.  Phishing using GitHub links and other tricks.  Kerberoasting mitigation guide from Microsoft.  Threat actors abusing F5 BIG-IP to enumerate internal network devices. 

Researchers share an interesting analysis of a suspected APT targeting Ivanti bugs.  GitLab bugs including a critical flaw that could allow arbitrary CI/CD pipeline execution.  Critical Veeam bug previously patched, now abused by ransomware threat actors.

Firefox critical zero-day actively exploited.  Researchers share analysis of Lynx ransomware.  APT 29 targets unpatched older vulnerabilities for initial access and post exploitation activities.  Fortinet remote code execution (RCE) bug actively exploited.

Palo Alto Networks Expedition solution multiple bugs revealed.  Open-source scanner finds Linux / Unix servers with CUPS bug.  A up and coming phishing-as-a-service (PHaaS) targeting Microsoft 365 accounts for MFA bypass.

Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.

CISA Known Exploited Vulnerabilities for October 7^th to October 13^th:

CVE-2024-43573 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Can lead to a loss of confidentiality.

CVE-2024-43572 – Microsoft Windows Management Console Remote Code Execution Vulnerability:
Allows for remote code execution.

CVE-2024-43047 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability:
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.

CVE-2024-9380 – Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability:
Can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

CVE-2024-9379 – Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability:
Can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

CVE-2024-23113 – Fortinet Multiple Products Format String Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

APT34 (OilRig) Threat Actors Changing Behavior

Iranian threat actors are abusing Microsoft CVE-2024-30088 for privilege escalation and Exchange servers for exfiltration.  The start of the attack chain is vulnerable web servers and a web shell.  There is proof-of-concept (PoC) code available for the Microsoft bug.  We’ll keep an eye out and see if other threat actors start using similar techniques.

https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/

https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30088

Open AI’s: “Influence and Cyber Operations: An Update”

Interestingly, while threat actors are abusing LLMs, so far, it’s mostly been for better phishing emails.  There are a few cases where reconnaissance, vulnerability research, and other behaviors were observed.  It appears that the abuse of LLMs thus far is more hype then reality.  That will most likely change as AI technology gets better.

https://cybersecuritynews.com/openai-confirms-chatgpt-malware/

https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf

Phishing Emails with Legit GitHub Links

There is a bit more to this story, but the worrisome part is the legit GitHub links.  By using trusted repositories with comments enabled, threat actors can upload a malicious file to a comment, delete the comment without saving it, and the malicious link is still available.  Threat actors now use that link from a well-known GitHub repository for phishing emails.

https://thehackernews.com/2024/10/github-telegram-bots-and-qr-codes.html

https://cofense.com/blog/tax-extension-malware-campaign

Mitigating Kerberoasting Guidance from Microsoft

This is a threat and abused often by threat actors.  So decided to add the guidance from Microsoft, it’s pretty good, worth a quick read.

https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/

F5 BIG-IP Cookies Abused to Map Internal Devices

Threat actors continue to find creative ways to abuse legit infrastructure.  In this case, they are using unencrypted session cookies to map internal networks.  This is done using the load-balancing Local Traffic Manager persistent cookies.

https://www.bleepingcomputer.com/news/security/cisa-hackers-abuse-f5-big-ip-cookies-to-map-internal-servers/

https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies

Ivanti Cloud Services Appliance Bugs Targeted by Suspected APT

Researchers share an incident response investigation of, at the time, zero-day flaws with Ivanti Cloud Services Appliance (CSA).  This is an interesting walk-through with commands used and details rarely shared.

https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

GitLab Critical that Allows CI/CD Pipeline Execution Patched

There are several bugs patched, the worst is CVE-2024-9164 with a CVSS score of 9.6.  The other bugs include four high, two medium, and one low. 

https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html

https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/

Critical Veeam Remote Code Execution Bug Exploited

Ransomware threat actors are abusing CVE-2024-40711, a recently patched vulnerability.  Veeam is a ransomware actor favorite, taking out backup and recovery capabilities presses victims to pay the ransom.  Patching actively exploited and / or weaponized proof-of-concept (PoC) code available bugs should be a top priority.

https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/

https://infosec.exchange/@SophosXOps/113284564225476186

Critical Actively Exploited Zero-Day in Firefox Browser

This bug allows code execution, is tracked as CVE-2024-9680, and carries a CVSS score of 9.8 out of 10.  Worse, low attack complexity makes this a high-risk flaw. 

https://www.darkreading.com/cyberattacks-data-breaches/critical-mozilla-firefox-zero-day-code-execution

Lynx Ransomware Analysis Revealed

Researchers share analysis of Lynx ransomware and compare it to INC ransomware.  Unfortunately, new ransomware gangs pop up often, others simply rebrand.  INC ransomware code was up for sale early in 2024, Lynx could be a rebrand or a new group reusing code.

https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/

APT 29 Opportunistically Targeting Organizations

Using n-day vulnerabilities for initial access and post exploitation activities, this behavior underscores two things.  Don’t expose services the Internet unless absolutely necessary and patch known exploited vulnerabilities.  Using security focused architecture can mitigate much of this activity.

https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/

https://www.ic3.gov/Media/News/2024/241010.pdf

Month’s Old FortiOS RCE Bug Actively Exploited

CISA added CVE-2024-23113 to the known exploited vulnerability catalog.  The bug impacts FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and higher, and FortiWeb 7.4.

https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/

Multiple Bugs in Palo Alto Networks Expedition Solution

Multiple bugs revealed and PoC code is available for CVE-2024-5910 and CVE-2024-9464, when chained together allow arbitrary command execution. 

https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-firewall-hijack-bugs-with-public-exploit/

https://security.paloaltonetworks.com/PAN-SA-2024-0010

Open-Source Scanner Finds Linux Servers with CUPS Bug

The CUPS bug centers around the Common Unix Printing System (CUPS) and a remote code execution flaw.  If your Linux / Unix servers are exposed to the Internet, the CUPS bug could be used for a 600x amplification in distributed denial of service (DDoS) attacks.  If local, can still be used for lateral movement.

https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix-servers-exposed-to-cups-rce-attacks/

Newer PHaaS Platform Called Mamba 2FA

Priced right at $250 / month, this platform is poised for fast growth.  The platform offers an adversary-in-the-middle (AiTM) method to capture auth tokens and bypass MFA.   

https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/