Cyber Threat Weekly – #48
The week of October 14th through October 20th was a bit light, with 357 cyber news articles reviewed. Only a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with the Internet Archive, which was breached again.
North Korean IT workers resort to extortion. Deception at scale: Microsoft uses Azure tenants as honeypots. An updated analysis of GHOSTPULSE malware. Another exposed API token, another alleged data breach, this time a Cisco third-party environment.
Mandiant time-to-exploit trends 2023. Brute force and credential access continue to be an issue. New variations of the social engineering tactic “ClickFix”. Researchers release the 2024 Mobile, IoT, and OT threat report.
EDRSilencer, red team tool gone rogue. QR codes and quishing are still a prominent threat. Researchers share their perspective on GenAI risks. Threat trends, including increasing collusion between cybercrime gangs and nation states.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for October 14th to October 20th:
CVE-2024-28987 – SolarWinds Web Help Desk Hardcoded Credential Vulnerability:
Could allow a remote, unauthenticated user to access internal functionality and modify data.
CVE-2024-9680 – Mozilla Firefox Use-After-Free Vulnerability:
Allows code execution in the content process.
CVE-2024-30088 – Microsoft Windows Kernel TOCTOU Race Condition Vulnerability:
Could allow for privilege escalation.
CVE-2024-40711 – Veeam Backup and Replication Deserialization Vulnerability:
Allows an unauthenticated user to perform remote code execution.
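One way to turn the prioritization rules above (KEV first, weaponized PoC second, Internet-exposed assets ahead of internal ones, emergency 24-to-48-hour window) into a repeatable triage step. This is an added example, not from the newsletter; the JSON shape follows CISA's public KEV feed, but the feed content, the backlog and the PoC set are constructed so it runs offline.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV feed (the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the four CVEs from this week's KEV additions are included.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-28987", "vendorProject": "SolarWinds", "product": "Web Help Desk"},
    {"cveID": "CVE-2024-9680", "vendorProject": "Mozilla", "product": "Firefox"},
    {"cveID": "CVE-2024-30088", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2024-40711", "vendorProject": "Veeam", "product": "Backup and Replication"},
]})

EMERGENCY_WINDOW = timedelta(hours=48)  # upper end of the 24-to-48-hour process

def load_kev(feed_json):
    """Index a KEV feed (JSON text) by cveID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(backlog, kev_index, weaponized_poc, now=None):
    """backlog: iterable of (cve_id, internet_exposed). Returns rows sorted by
    tier (1 = in KEV, 2 = weaponized PoC public, 3 = everything else), with
    Internet-exposed assets first within a tier. Tiers 1 and 2 get an
    emergency deadline of now + 48h; tier 3 follows the normal patch cycle."""
    now = now or datetime.now()
    rows = []
    for cve, exposed in backlog:
        if cve in kev_index:
            tier, reason = 1, "CISA KEV (actively exploited)"
        elif cve in weaponized_poc:
            tier, reason = 2, "weaponized PoC available"
        else:
            tier, reason = 3, "standard patch cycle"
        rows.append({"cve": cve, "tier": tier, "exposed": exposed, "reason": reason,
                     "assessed_at": now,
                     "deadline": now + EMERGENCY_WINDOW if tier < 3 else None})
    return sorted(rows, key=lambda r: (r["tier"], not r["exposed"], r["cve"]))

if __name__ == "__main__":
    # Constructed backlog; CVE-PLACEHOLDER-* are not real identifiers.
    backlog = [("CVE-2024-40711", True), ("CVE-2024-30088", False),
               ("CVE-2024-9680", False), ("CVE-PLACEHOLDER-1", True),
               ("CVE-PLACEHOLDER-2", False)]
    poc = {"CVE-PLACEHOLDER-1"}  # constructed set of flaws with public weaponized PoC
    for r in prioritize(backlog, load_kev(KEV_SAMPLE), poc):
        print(r["tier"], r["cve"], "exposed" if r["exposed"] else "internal",
              r["reason"], r["deadline"])
```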
Stolen Access Tokens Used to Breach the Internet Archive
A few lessons here. One, legitimate credentials are all the rage for attackers and have been for a while now. Proactively looking for exposed credentials should be a top priority. The fundamentals matter; we need to get back to hygiene and principle-based security.
Data Theft and Extortion from North Korean IT Workers
False identities are used by these fraudulent workers; this is becoming a common story. The twist is now monetization via extortion. KnowBe4 was a victim of a fraudulent North Korean IT worker; it can happen to anyone.
https://thehackernews.com/2024/10/north-korean-it-workers-in-western.html
https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes
Microsoft uses Deception at Scale with Azure Tenants
In this case, a security researcher interacts with phishing sites and types in credentials for the honeypot tenants. This allows researchers to gain actionable intelligence from real attackers. You can also use deception technology as an early warning device. We have a deception article coming out soon.
Evolving GHOSTPULSE Malware Analysis
Researchers uncovered the latest GHOSTPULSE malware evasion techniques. This one is interesting: it hides the encrypted configuration and XOR key within images. Keeping an eye on these threats and looking for commoditization is key here.
https://www.elastic.co/security-labs/tricks-and-treats
Cisco Third-Party Developer Environment Allegedly Breached
An exposed API token is the probable cause. The threat actor IntelBroker shared screenshots with BleepingComputer to prove he had access to the Cisco developer environment. They in turn shared the screenshots and files with Cisco. We’ll see how this plays out.
Time-to-Exploit Trends 2023 – Mandiant
This is a cool report and worth reading. Zero-day exploitation is on the rise: of the 138 exploited vulnerabilities analyzed, 70% were zero-days. The average time to exploit n-day bugs was five days. There are some other interesting stats as well.
https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023
Five Eyes Reports on Iranian Brute Force and Credential Access Activity
While Iran has been actively using these techniques, they are not the only threat actor. This report details initial access, discovery, and other behavior used in the attacks.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
Multiple Variations of the “ClickFix” Tactic
This social engineering tactic is increasing in popularity. Its likelihood of evading endpoint protection software and browser security is currently high. It doesn’t rely on downloads, but on the user following instructions. There are multiple lures in use.
https://thehackernews.com/2024/10/beware-fake-google-meet-pages-deliver.html
https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
2024 Mobile, IoT, and OT Threat Report
No surprise: according to researchers, mobile and IoT threats are on the rise. For mobile, the threats span fake apps, banking trojans, spyware, and QR codes. Researchers are also seeing a rise in IoT malware transactions.
https://www.zscaler.com/resources/industry-reports/threatlabz-mobile-iot-ot-report.pdf
Red Team Tool EDRSilencer Abused in Attacks
An open-source tool for red teamers is now being used in attack campaigns. It works by using Windows Filtering Platform (WFP) to block EDR traffic from reaching the management console. EDR killers are consistently created and abused. Depending on EDR alone is not a good strategy.
https://www.csoonline.com/article/3567074/attackers-repurpose-edrsilencer-to-evade-detection.html
Quishing, the QR Code Threat
A quick walk-through of how QR codes are being used to perform credential phishing. Services are available for criminals to automate most of their work.
https://news.sophos.com/en-us/2024/10/16/quishing/
GenAI Risks – Point of View
Researchers share their thoughts on GenAI; it’s an interesting perspective.
https://www.paloaltonetworks.com/resources/ebooks/unit42-threat-frontier.html
Researchers Share Threat Trends Spanning a Year
Nation states colluding with criminal gangs is on the rise. Cybercrime and fraud remain a persistent threat. This is an interesting report.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter