Cyber Threat Weekly – #49
During the week of October 21st through October 27th, around 361 cyber news articles were reviewed. Just a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with ransomware affiliates abusing SonicWall VPNs.
An update on the Windows downgrade attack. Threat actors targeting exposed Docker daemons. Black Basta ransomware operation shifting social engineering techniques. The notorious APT29 carries out a broad phishing campaign.
Scattered Spider teams up with RansomHub, not good. A new Qilin ransomware variant. Fortinet FortiManager critical bug exploited. Researchers share incident response Q3 2024 trends. Windows Server “WinReg” attack, exploit released.
Open-source phishing toolkit abused by threat actors.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share N-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploitation chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
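The triage order described above (KEV first, weaponized PoC second, Internet exposure tightening the window), as an added example that is not part of the newsletter. It assumes a KEV-style feed using the `cveID` field name from the CISA JSON export, a constructed scanner inventory, a 24 h / 48 h split of the emergency window by Internet exposure, and a 30-day cycle for everything else; the feed entries, dates and the `CVE-PLACEHOLDER-1` identifier are constructed sample values.

```python
import json
from datetime import datetime, timedelta

# Constructed KEV-style feed: the "cveID" field name follows the CISA catalog's
# JSON export, but these entries are sample data, not a copy of the catalog.
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet",  "product": "FortiManager"},
 {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft", "product": "SharePoint"},
 {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS"}
]}"""

# Constructed scanner inventory: CVE, asset, Internet exposure, weaponized PoC public?
# CVE-PLACEHOLDER-1 is a placeholder, not a real identifier.
INVENTORY = [
    {"cve": "CVE-2024-47575", "asset": "fortimanager-01", "internet_exposed": True,  "weaponized_poc": False},
    {"cve": "CVE-2024-43532", "asset": "dc-02",           "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-2024-40766", "asset": "sonicwall-edge",  "internet_exposed": True,  "weaponized_poc": False},
    {"cve": "CVE-PLACEHOLDER-1", "asset": "wiki-01",      "internet_exposed": False, "weaponized_poc": False},
]

def load_kev_ids(feed_json):
    """Return the set of CVE ids listed in a KEV-style JSON feed."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def triage(finding, kev_ids, now):
    """Assign a priority tier and patch deadline to one scanner finding."""
    exploited = finding["cve"] in kev_ids
    if exploited or finding["weaponized_poc"]:
        # Emergency process: 24 h when the asset faces the Internet, else 48 h (assumed split).
        hours = 24 if finding["internet_exposed"] else 48
        tier = 1 if exploited else 2          # KEV outranks PoC-only
    else:
        hours = 30 * 24                       # assumed standard patch cycle
        tier = 3
    return {**finding, "tier": tier, "in_kev": exploited,
            "deadline": now + timedelta(hours=hours)}

def prioritized_patch_list(inventory, feed_json, now):
    """Triage every finding and order by tier, then earliest deadline (stable sort)."""
    kev_ids = load_kev_ids(feed_json)
    return sorted((triage(f, kev_ids, now) for f in inventory),
                  key=lambda r: (r["tier"], r["deadline"]))

if __name__ == "__main__":
    for r in prioritized_patch_list(INVENTORY, KEV_FEED_JSON, datetime(2024, 10, 28)):
        print(f"tier {r['tier']}  {r['cve']:<18} {r['asset']:<16} due {r['deadline']:%Y-%m-%d %H:%M}")
```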
CISA Known Exploited Vulnerabilities for October 21st to October 27th:
CVE-2024-9537 – ScienceLogic SL1 Unspecified Vulnerability:
Affected by an unspecified vulnerability involving an unspecified third-party component.
CVE-2024-38094 – Microsoft SharePoint Deserialization Vulnerability:
Allows for remote code execution.
CVE-2024-47575 – Fortinet FortiManager Missing Authentication Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
CVE-2024-37383 – RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability:
Allows a remote attacker to run malicious JavaScript code.
CVE-2024-20481 – Cisco ASA and FTD Denial-of-Service Vulnerability:
Allows an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.
SonicWall VPNs Targeted in Ransomware Attacks
Researchers observe Fog and Akira ransomware affiliates possibly exploiting CVE-2024-40766 and using legitimate credentials. Interestingly, the time on target before data encryption ranged from 1.5 hours to 10 hours in most cases. Lack of MFA continues to be an issue.
Windows Downgrade Attack Update
A researcher presented the downgrade attack at Black Hat and DEF CON 2024, and a tool is available. This update walks through another method to bypass Driver Signature Enforcement (DSE) and target the kernel.
https://www.safebreach.com/blog/update-on-windows-downdate-downgrade-attacks/
Threat Actors Target Docker Environments for Cryptojacking
TeamTNT is preparing a new large-scale campaign, using tools such as masscan and ZGrab to scan for unauthenticated, exposed Docker daemons. The group uses infected Docker endpoints for cryptojacking and sells the infrastructure on mining rental platforms.
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html
https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/
A Shift in Black Basta Social Engineering Techniques
Similar to before, they overwhelm users with benign emails, then contact them posing as help desk support. Instead of calling, they are now contacting users via Microsoft Teams. Same lure, a different way of contacting victims, tricking users into installing AnyDesk or Quick Assist.
https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/
Broad Phishing Campaign by APT29 Observed
Instead of the typical narrowly focused attack campaign, CERT-UA helped uncover a broad phishing campaign targeting a wide geography. Domains appearing to be associated with AWS were used. Malicious attachments triggered an outgoing RDP connection.
https://www.darkreading.com/cyberattacks-data-breaches/russias-apt29-aws-windows-credentials
https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
Scattered Spider, Famous for Social Engineering, Plus RansomHub
Researchers observe a campaign where Scattered Spider socially engineered their way to admin credentials. The campaign, start to finish, took around 10 hours. Yet another ransomware group moving fast. This is a continuing trend: less than 24 hours from initial compromise to encryption. Gotta detect an attack quickly or suffer a breach.
https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/
New Qilin.b Ransomware Variant Discovered
With improved crypto and evasion techniques, this variant is a step up. Written in Rust, it continuously clears security logs and even deletes itself. Ransomware groups continue to innovate and evolve.
https://thehackernews.com/2024/10/new-qilinb-ransomware-variant-emerges.html
https://www.halcyon.ai/blog/power-rankings-ransomware-malicious-quartile-q3-2024
Critical Bug in Fortinet’s FortiManager Actively Exploited
Tracked as CVE-2024-47575, the bug was dubbed FortiJump by researcher Kevin Beaumont. Fortinet didn’t publicly disclose right away and was called out for it. There is mitigation guidance, but more importantly, why are these managers publicly exposed?
https://censys.com/cve-2024-47575/
Talos Incident Response Quarterly Trends Q3 2024
A couple of highlights / trends: threats are still abusing identity on a massive scale. Password spraying and brute force attacks are still ongoing. Weak or no MFA is a problem; phishing-resistant MFA is a must-have. Valid accounts are still the number one initial access method. Infostealers are killing us.
https://blog.talosintelligence.com/incident-response-trends-q3-2024/
Windows Server “WinReg” NTLM Relay Attack, Exploit Published
This bug, tracked as CVE-2024-43532, affects Windows Server 2008 through 2022. This is one to keep an eye on: exploit code is now available. NTLM relay attacks have been used by many threat actors.
https://www.nohat.it/talks#talks
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
Researchers Discover Abuse of Open-Source Tool Gophish
Yet another open-source tool, in this case a phishing toolkit, abused by threat actors in two different infection chains. The chains use either maldocs or HTML-based infections; both require user interaction. The PowerRAT malware appears to be under active development.
https://thehackernews.com/2024/10/gophish-framework-used-in-phishing.html
https://blog.talosintelligence.com/gophish-powerrat-dcrat/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter