Cyber Threat Weekly – #47
The week of October 7th through October 13th was a bit light with 361 cyber news articles reviewed. A decent amount of cyber threat trends and adversarial behavior news to share. Let’s start with Iranian APT threat actors changing behavior.
OpenAI releases an update to its threat report. Phishing using GitHub links and other tricks. Kerberoasting mitigation guide from Microsoft. Threat actors abusing F5 BIG-IP to enumerate internal network devices.
Researchers share an interesting analysis of a suspected APT targeting Ivanti bugs. GitLab bugs including a critical flaw that could allow arbitrary CI/CD pipeline execution. Critical Veeam bug previously patched, now abused by ransomware threat actors.
Firefox critical zero-day actively exploited. Researchers share analysis of Lynx ransomware. APT 29 targets unpatched older vulnerabilities for initial access and post exploitation activities. Fortinet remote code execution (RCE) bug actively exploited.
Palo Alto Networks Expedition solution multiple bugs revealed. Open-source scanner finds Linux / Unix servers with CUPS bug. An up-and-coming phishing-as-a-service (PhaaS) platform targeting Microsoft 365 accounts for MFA bypass.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close second priority is flaws with weaponized proof-of-concept (PoC) code available. Exploitation is far more likely once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
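The three rules above (KEV first, weaponized PoC second, exposure tightens the clock) are easy to state and easy to lose in a spreadsheet. The script below is an added example, not part of the newsletter, that turns them into a triage function. The KEV feed snippet is a constructed stand-in that reuses the field names of CISA's public KEV JSON feed (`cveID`, `knownRansomwareCampaignUse`); the `weaponized_poc` flag is assumed to come from your own intel source, and the 30-day tier-3 window is an assumed policy value.

```python
"""Patch-priority triage: KEV first, weaponized PoC second, then exposure."""
import json
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV JSON feed. Field names follow the public
# feed's schema; the entries are typed in from the CVEs listed in this issue and
# are NOT a download of the live feed.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2024-43573", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-43572", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-23113", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-40711", "knownRansomwareCampaignUse": "Known"}
]}
"""

NORMAL_CYCLE_HOURS = 30 * 24  # assumed policy value for tier 3


@dataclass
class Finding:
    cve: str
    asset: str
    internet_exposed: bool
    weaponized_poc: bool  # hypothetical flag from your own PoC/exploit intel feed


def load_kev_ids(feed_json: str) -> set:
    """Collect the CVE IDs present in a KEV feed document."""
    data = json.loads(feed_json)
    return {entry["cveID"] for entry in data["vulnerabilities"]}


def tier(finding: Finding, kev_ids: set) -> tuple:
    """Return (tier, sla_hours).

    Tier 1: in CISA KEV.  Tier 2: weaponized PoC public.  Tier 3: everything else.
    Within tiers 1 and 2, Internet exposure shortens the SLA from 48h to 24h.
    """
    if finding.cve in kev_ids:
        level = 1
    elif finding.weaponized_poc:
        level = 2
    else:
        return 3, NORMAL_CYCLE_HOURS
    return level, (24 if finding.internet_exposed else 48)


def triage(findings, kev_ids):
    """Sort findings so the most urgent work comes first: tier, then SLA,
    then exposed assets before internal ones, then CVE id for stable output."""
    return sorted(
        findings,
        key=lambda f: (tier(f, kev_ids), not f.internet_exposed, f.cve),
    )


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    # Constructed inventory for illustration.
    inventory = [
        Finding("CVE-2024-9464", "expedition-01", internet_exposed=False, weaponized_poc=True),
        Finding("CVE-2024-43572", "ws-finance-07", internet_exposed=False, weaponized_poc=False),
        Finding("CVE-2024-23113", "fw-edge-02", internet_exposed=True, weaponized_poc=False),
        Finding("CVE-2023-0000", "intranet-wiki", internet_exposed=False, weaponized_poc=False),
    ]
    for f in triage(inventory, kev):
        level, sla = tier(f, kev)
        print(f"tier {level}  sla {sla:>4}h  {f.cve:<15} {f.asset}")
```

Run stand-alone it prints the edge firewall first (KEV plus exposed, 24h), the KEV workstation second (48h), the weaponized-PoC host third, and the placeholder CVE at the normal cycle. Swap `KEV_FEED_JSON` for the downloaded feed and `inventory` for your scanner export and the ordering logic stays the same.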
CISA Known Exploited Vulnerabilities for October 7th to October 13th:
CVE-2024-43573 – Microsoft Windows MSHTML Platform Spoofing Vulnerability:
Can lead to a loss of confidentiality.
CVE-2024-43572 – Microsoft Windows Management Console Remote Code Execution Vulnerability:
Allows for remote code execution.
CVE-2024-43047 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability:
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.
CVE-2024-9380 – Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability:
Can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
CVE-2024-9379 – Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability:
Can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
CVE-2024-23113 – Fortinet Multiple Products Format String Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
APT34 (OilRig) Threat Actors Changing Behavior
Iranian threat actors are abusing Microsoft CVE-2024-30088 for privilege escalation and Exchange servers for exfiltration. The attack chain starts with vulnerable web servers and a web shell. Proof-of-concept (PoC) code is available for the Microsoft bug. We’ll keep an eye out and see if other threat actors start using similar techniques.
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30088
OpenAI’s “Influence and Cyber Operations: An Update”
Interestingly, while threat actors are abusing LLMs, so far it’s mostly been for better phishing emails. There are a few cases where reconnaissance, vulnerability research, and other behaviors were observed. It appears that the abuse of LLMs thus far is more hype than reality. That will most likely change as AI technology gets better.
https://cybersecuritynews.com/openai-confirms-chatgpt-malware/
Phishing Emails with Legit GitHub Links
There is a bit more to this story, but the worrisome part is the legit GitHub links. Because trusted repositories have comments enabled, threat actors can attach a malicious file to a comment, discard the comment without ever posting it, and the upload link stays live. Threat actors then use that link, which points at a well-known GitHub repository, in phishing emails.
https://thehackernews.com/2024/10/github-telegram-bots-and-qr-codes.html
https://cofense.com/blog/tax-extension-malware-campaign
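Because the lure link really does live under github.com, an allow-list on the domain does nothing; the distinguishing feature is the path. The script below is an added example, not from the newsletter or the linked reports, that separates comment-attachment links from ordinary repository content in an email body. The two attachment path shapes it matches (`/<owner>/<repo>/files/<id>/<name>` and `/user-attachments/files/<id>/<name>`) are an assumption based on how GitHub has served comment uploads and should be checked against current behaviour; the email is constructed.

```python
"""Flag GitHub comment-attachment links in email bodies (mail-gateway style check)."""
import re
from urllib.parse import urlparse

# Path shapes GitHub has used for files uploaded through comments.
# Assumption for this example; verify against current GitHub behaviour.
ATTACHMENT_PATTERNS = [
    re.compile(r"^/[^/]+/[^/]+/files/\d+/[^/]+$"),      # /<owner>/<repo>/files/<id>/<name>
    re.compile(r"^/user-attachments/files/\d+/[^/]+$"),  # newer global attachment path
]

# Path fragments that indicate content actually committed to or released from a repo.
REPO_CONTENT_MARKERS = ("/blob/", "/raw/", "/releases/download/", "/archive/")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def classify_github_link(url: str) -> str:
    """Return one of: not-github, comment-attachment, repo-content, other-github."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in ("github.com", "www.github.com"):
        return "not-github"
    if any(p.match(parsed.path) for p in ATTACHMENT_PATTERNS):
        return "comment-attachment"
    if any(marker in parsed.path for marker in REPO_CONTENT_MARKERS):
        return "repo-content"
    return "other-github"


def extract_urls(text: str) -> list:
    """Pull URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def flag_email(body: str) -> list:
    """Return the GitHub comment-attachment URLs in an email body; these are
    uploads that never passed review, so route the message to quarantine."""
    return [u for u in extract_urls(body) if classify_github_link(u) == "comment-attachment"]


# Constructed lure text for this example; repository and file names are made up.
SAMPLE_EMAIL = """Hi,
The tax extension form you requested is attached below. Please open it today.
https://github.com/acme-tools/tax-helper/files/1234567/Extension_Form.zip
Reference docs: https://github.com/acme-tools/tax-helper/blob/main/README.md.
Thanks"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_EMAIL):
        print(f"{classify_github_link(url):<18} {url}")
    print("quarantine:", flag_email(SAMPLE_EMAIL))
```

The README link classifies as `repo-content` and the `/files/` link as `comment-attachment`, so only the latter is returned by `flag_email`. Treating `other-github` as neutral rather than safe is deliberate: the point is to stop trusting a link because of its hostname.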
Mitigating Kerberoasting Guidance from Microsoft
Kerberoasting is a real threat and is abused often by threat actors, so I decided to include the guidance from Microsoft. It’s pretty good and worth a quick read.
F5 BIG-IP Cookies Abused to Map Internal Devices
Threat actors continue to find creative ways to abuse legit infrastructure. In this case, they are using unencrypted session cookies to map internal networks. The cookies in question are the persistence cookies set by the BIG-IP Local Traffic Manager (LTM) load balancer.
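The fix on the F5 side is to turn on cookie encryption in the cookie persistence profile, and the quickest way to confirm it took effect is to look at what your own edge is handing out. The check below is an added example, not from the newsletter, that audits a response’s Set-Cookie headers for BIG-IP persistence cookies still in plaintext form. It assumes the default `BIGipServer` name prefix and the `<decimal>.<decimal>.0000` plaintext value shape that F5 documents for cookie persistence; the sample headers are constructed, and the encrypted-looking value is a made-up placeholder.

```python
"""Audit Set-Cookie headers for unencrypted BIG-IP LTM persistence cookies."""
import re

# Plaintext cookie-persistence value shape (assumption based on F5's documented
# format): three dot-separated decimal fields ending in "0000". Encrypted values
# are opaque text and do not match this.
PLAINTEXT_PERSIST = re.compile(r"^\d{1,10}\.\d{1,5}\.0000$")
DEFAULT_PREFIX = "BIGipServer"  # default persistence cookie name prefix


def parse_set_cookie(header_value: str) -> tuple:
    """Return (name, value) from a raw Set-Cookie header value, ignoring attributes."""
    first = header_value.split(";", 1)[0]
    name, _, value = first.partition("=")
    return name.strip(), value.strip()


def audit_set_cookies(headers: list) -> list:
    """Return the names of persistence cookies whose value is still plaintext.

    A non-empty result means the LTM is exposing pool-member addressing to every
    client; enable cookie encryption in the persistence profile and re-run.
    """
    leaking = []
    for raw in headers:
        name, value = parse_set_cookie(raw)
        if name.startswith(DEFAULT_PREFIX) and PLAINTEXT_PERSIST.match(value):
            leaking.append(name)
    return leaking


# Constructed sample: one plaintext persistence cookie, one encrypted-looking one
# (placeholder value), one unrelated application cookie.
SAMPLE_HEADERS = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/; Httponly; Secure",
    "BIGipServerpool_api=!Zy8Lq2RtPx0wM4nVbEeK9HhGjF7sCdUaQ1oT3iYrWl6; path=/",
    "sessionid=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    leaks = audit_set_cookies(SAMPLE_HEADERS)
    if leaks:
        print("plaintext persistence cookies:", ", ".join(leaks))
    else:
        print("no plaintext BIG-IP persistence cookies seen")
```

Point `audit_set_cookies` at the `Set-Cookie` headers collected from each virtual server (a scheduled HTTP probe from a monitoring host works) and alert when the list is non-empty. The check deliberately stops at the pattern match; it does not need to decode the value to tell you the profile is misconfigured.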
Ivanti Cloud Services Appliance Bugs Targeted by Suspected APT
Researchers share an incident response investigation of flaws in the Ivanti Cloud Services Appliance (CSA) that were zero-days at the time. This is an interesting walk-through, with the commands used and details that are rarely shared.
GitLab Critical Bug that Allows CI/CD Pipeline Execution Patched
Several bugs were patched; the worst is CVE-2024-9164 with a CVSS score of 9.6. The others include four high, two medium, and one low severity.
https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/
Critical Veeam Remote Code Execution Bug Exploited
Ransomware threat actors are abusing CVE-2024-40711, a recently patched vulnerability. Veeam is a favorite of ransomware actors: taking out backup and recovery capabilities pressures victims to pay the ransom. Patching bugs that are actively exploited or have weaponized proof-of-concept (PoC) code available should be a top priority.
https://infosec.exchange/@SophosXOps/113284564225476186
Critical Actively Exploited Zero-Day in Firefox Browser
This bug allows code execution, is tracked as CVE-2024-9680, and carries a CVSS score of 9.8 out of 10. Worse, low attack complexity makes this a high-risk flaw.
Lynx Ransomware Analysis Revealed
Researchers share analysis of Lynx ransomware and compare it to INC ransomware. Unfortunately, new ransomware gangs pop up often, and others simply rebrand. INC ransomware code was up for sale early in 2024, so Lynx could be a rebrand or a new group reusing the code.
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
APT 29 Opportunistically Targeting Organizations
APT 29 is using n-day vulnerabilities for initial access and post-exploitation activity, which underscores two things: don’t expose services to the Internet unless absolutely necessary, and patch known exploited vulnerabilities. A security-focused architecture can mitigate much of this activity.
https://www.ic3.gov/Media/News/2024/241010.pdf
Months-Old FortiOS RCE Bug Actively Exploited
CISA added CVE-2024-23113 to the known exploited vulnerability catalog. The bug impacts FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and higher, and FortiWeb 7.4.
Multiple Bugs in Palo Alto Networks Expedition Solution
Multiple bugs were revealed, and PoC code is available for CVE-2024-5910 and CVE-2024-9464, which when chained together allow arbitrary command execution.
https://security.paloaltonetworks.com/PAN-SA-2024-0010
Open-Source Scanner Finds Linux Servers with CUPS Bug
The bug is a remote code execution flaw in the Common Unix Printing System (CUPS). If your Linux / Unix servers are exposed to the Internet, the CUPS bug can also be used for 600x amplification in distributed denial-of-service (DDoS) attacks. If only reachable locally, it can still be used for lateral movement.
Newer PhaaS Platform Called Mamba 2FA
Priced at $250 / month, this platform is poised for fast growth. It offers an adversary-in-the-middle (AiTM) method to capture auth tokens and bypass MFA.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter