Cyber Threat Weekly - #5
Wishing you Happy Holidays, a Merry Christmas, a Happy New Year, all the things. Kicking it off: over a 3-month period, Blackberry found a 70% increase in unique malware hashes from the previous reporting period, about 2.9 unique samples per minute.
A smishing gang has recently changed tactics; how they reach their victims is the most interesting piece of the puzzle. Golang malware that can hit both macOS and Windows. A novel SMTP smuggling technique allows spoofed messages to flow freely.
RDP honeypots exposed to the Internet were attacked roughly 4.4 billion times in 2023. Chaining two vulnerabilities can create a zero-click remote code execution against Outlook clients. A possible emerging ransomware threat involving Exchange 2013 with Outlook Web Access enabled.
A new PikaBot malvertising campaign has emerged. Exploitation of an Oracle WebLogic Server vulnerability has been observed. Another new malvertising campaign, this time delivering MetaStealer. Lots of things are happening in the ransomware landscape; this time it’s Play Ransomware.
Threat actors abusing legitimate infrastructure is on the rise. Several vendors are reporting QakBot sightings after the law enforcement takedown. A malspam campaign is social-engineering hotel staff. Web injections are on the rise.
An Instagram malspam campaign targets backup codes. A six-year-old Microsoft Office bug is being abused to spread Agent Tesla. Palo Alto shares some campaigns that detail the malicious use of JavaScript. Proofpoint identifies DarkBot and NetSupport being spread via malspam and fake browser update campaigns.
New Android malware bypasses Biometric authentication. Actively exploited Chrome zero-day vulnerability. Microsoft shares new backdoor implant called “FalseFont”. Ransomware gangs and affiliates are deploying remote encryption to evade defenses.
Broken Record Alert: Patch prioritization matters!!!
Roughly 5% of publicly available vulnerabilities are observed exploited in the wild. Priority #1 should be to patch known exploited vulnerabilities. You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities.
Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available. Exploit chances are much higher with PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and PoC code available vulnerabilities.
Exploited vulnerabilities continue to be abused by threat actors, and every week we share known exploited vulnerabilities being abused by threat actors. Diligent patching can prevent threat actors from exploiting your organization for their gains.
CISA Known Exploited Vulnerabilities for December 18th to December 24th:
CVE-2023-49897 – FXC AE1021, AE1021PE OS Command Injection Vulnerability
Authenticated users can execute commands via the network
CVE-2023-47565 – QNAP VioStor NVR OS Command Injection Vulnerability
Allows authenticated users to execute commands via the network
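As an added example (not from the newsletter), here is a small Python script that implements the ordering described above: anything in the KEV catalog is priority 1 with a 24-hour SLA, anything with public PoC code is priority 2 with a 48-hour SLA, and the rest waits for the normal cycle. The KEV excerpt and the asset inventory are constructed samples in the shape of the published KEV JSON feed (the field names cveID and dueDate are assumed to match the real feed), and the CVE-1900-* ids are placeholders, not real vulnerabilities.

```python
import json
from datetime import date

# Constructed KEV excerpt in the feed's JSON shape (not a live download); the two
# entries from this week's list plus the older WebLogic bug. Dates are illustrative.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-49897", "vendorProject": "FXC", "product": "AE1021, AE1021PE",
     "dateAdded": "2023-12-21", "dueDate": "2024-01-11"},
    {"cveID": "CVE-2023-47565", "vendorProject": "QNAP", "product": "VioStor NVR",
     "dateAdded": "2023-12-21", "dueDate": "2024-01-11"},
    {"cveID": "CVE-2020-14883", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]})

# Constructed asset inventory: CVE -> hosts still unpatched.
INVENTORY = {
    "CVE-2023-47565": ["nvr-01"],
    "CVE-2020-14883": ["weblogic-prod-01", "weblogic-prod-02"],
    "CVE-1900-0001": ["web-04", "web-05", "web-06"],  # placeholder id, not a real CVE
    "CVE-1900-0002": ["lab-01"],                       # placeholder id, not a real CVE
}
# Constructed "public PoC exists" flags; in practice these come from a vuln-intel feed.
POC_AVAILABLE = {"CVE-1900-0001"}

SLA_HOURS = {1: 24, 2: 48, 3: None}  # P1/P2 emergency SLAs; P3 = normal patch cycle

def load_kev(feed_json):
    """Index a KEV feed document by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, poc_available, today="2023-12-26"):
    """Rank unpatched CVEs: KEV first, then PoC-available, then the rest."""
    now, rows = date.fromisoformat(today), []
    for cve, hosts in inventory.items():
        if cve in kev:                       # exploited in the wild -> P1
            prio = 1
            days = (date.fromisoformat(kev[cve]["dueDate"]) - now).days  # < 0: past CISA due date
        elif cve in poc_available:           # public exploit code -> P2
            prio, days = 2, None
        else:
            prio, days = 3, None
        rows.append({"priority": prio, "cve": cve, "hosts": hosts,
                     "sla_hours": SLA_HOURS[prio], "kev_due_in_days": days})
    # Most urgent first: priority, then nearest/overdue KEV due date, then blast radius.
    rows.sort(key=lambda r: (r["priority"],
                             r["kev_due_in_days"] if r["kev_due_in_days"] is not None else 10**6,
                             -len(r["hosts"])))
    return rows

if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_FEED_JSON), POC_AVAILABLE):
        print(row)
```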
Blackberry Global Threat Report – November 2023
Blackberry is seeing a few trends that don’t bode well for defenders. Unique malware hashes were most prevalent in the US at 52%. Financial organizations saw a substantial increase in attacks and there was an increase in unique binaries targeting healthcare organizations.
Smishing Triad Gang – New Tactics
Targeting has changed, but more interestingly, the messages did not include sender information. Several victims reported they had never received messages like that before. Let’s hope this isn’t a new way to hide sender info that may become available in the criminal underground.
JaskaGO Sophisticated Malware that Targets Mac and Windows
This malware is a great example of how the threat landscape is evolving. It is written in a cross-platform language, uses sophisticated anti-analysis techniques, and is currently a stealer, but it could grow into much more.
SMTP Smuggling Technique Affecting Millions of SMTP Servers
Currently known to affect email services from Microsoft, GMX, Cisco Secure Email Cloud Gateway and a few online email providers. This novel technique could make it difficult to know if an incoming email is spoofed or not.
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
RDP Exposed to the Internet is a High Value Target for the Adversary
Insurer Coalition’s honeypots recorded 5.8 billion attacks so far in 2023. That’s roughly 17 million a day; RDP was targeted in 76% of those attacks. Attack surface management has become an absolute must. We must start looking at Zero Trust Network Access (ZTNA) to reduce our attack surface and better control ingress traffic.
VPNs and exposing RDP are huge targets for threat actors. Many ZTNA capabilities for remote access are cost effective today.
https://www.infosecurity-magazine.com/news/uk-honeypots-attacked-17-million/
Zero-Click Outlook RCE from Two Vulnerabilities Chained Together
Researchers found a way, for a second time, to abuse sound files to create a zero-click remote code execution. Patches are available for both vulnerabilities.
https://thehackernews.com/2023/12/beware-experts-reveal-new-details-on.html
https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-two
End of Life (EoL) Exchange Server 2013 and Ransomware
Kevin Beaumont has found a correlation between Exchange Server 2013 with Outlook Web Access enabled and ransomware incidents in the last few months. Not sure what to make of it; we’ll keep an eye on this one and see what comes of it.
https://medium.com/doublepulsar/the-ticking-time-bomb-of-microsoft-exchange-server-2013-d0850b80465b
PikaBot being Distributed via New Malvertising Campaign
This month we are seeing PikaBot being distributed via malvertising targeting users searching for legitimate software. Last month saw Pikabot and DarkBot being distributed via malspam. PikaBot is growing in popularity, but more importantly, we could be seeing a bigger malvertising trend here.
https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html
Active Exploitation of Older Oracle WebLogic Server Vulnerability
Older CVE-2020-14883 is being exploited via an attack chain. Target selection looks to be opportunistic.
https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html
New MetaStealer Malvertising Campaign
Yet another malvertising campaign, and the trend continues. Looks like MetaStealer developers are actively making improvements.
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns
Play Ransomware RaaS Service
Play is relatively new on the scene, emerging in mid-2022. CISA has released a Joint Advisory on Play ransomware estimating approximately 300 organizations impacted so far. Play, like many ransomware affiliates, uses commodity tools and administrative utilities to conduct lateral movement and reach its goals.
https://thehackernews.com/2023/12/double-extortion-play-ransomware.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
The Abuse of Public Services Like GitHub is on the Rise
Reversing Labs has uncovered two novel techniques abusing GitHub. While abusing public services isn’t new (I wrote about it 5 years ago), these techniques are new to the scene according to Reversing Labs. Also note that developers are becoming a prime target to support supply chain attacks.
https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise
QakBot Still at it
Looks like we are seeing confirmation that the QakBot takedown only affected the command-and-control servers and not the spam delivery infrastructure. This is not good news; QakBot is resilient, surviving since at least 2007.
Social Engineering MalSpam Campaign
This one sucks: a two-step malspam campaign designed to play on emotions using a couple of lures. Hotel staff are enticed to reply to help out; once they reply, a link to a file is sent. This technique can be used in many ways with many lures, so it is one to watch.
https://news.sophos.com/en-us/2023/12/19/inhospitality-malspam-campaign-targets-hotel-industry/
Web Injections, Affecting 40+ Banks
A new malware campaign using JavaScript web injections was uncovered by IBM. The campaign appears to be targeting popular banking applications to intercept user credentials, likely to access their banking information. Not Cool!!!
https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/
Instagram Phishing Campaign
Another spin on an Instagram “Copyright Infringement” campaign has surfaced. It now targets Instagram credentials and backup codes in an attempt to bypass Multi-Factor Authentication (MFA). Backup codes allow you to log in to an account from an unknown device.
Agent Tesla Spread via RCE Flaw from 2017
Excel maldocs exploiting CVE-2017-11882 are used to deliver spyware. Business-related lures are utilized to entice victims to download malicious attachments. The use of an older vulnerability, along with complexity and evasion techniques, shows the attacker’s ability to adapt.
https://www.darkreading.com/cloud-security/attackers-exploit-microsoft-office-bug-spyware
Case Studies Show How Malicious JavaScript Steals Secrets
Palo Alto shares several ways attackers use malicious JavaScript in unique ways to exfiltrate data, evade detection, and steal secrets.
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
Proofpoint Unveils New Cluster of Activity Called BattleRoyal
A new cluster of activity using multiple attack chains to deliver malware was observed. The behavior observed aligns with a trend of cyber criminals adopting new and varied attack chains to deliver malware.
https://www.darkreading.com/cyberattacks-data-breaches/battleroyal-hackers-deliver-darkgate-rat
Android Banking Trojan Called Chameleon, Bypasses Biometrics
The velocity at which threat actors can evade detection and security controls is scary. The latest version of this Android trojan uses device takeover techniques to bypass biometrics by transitioning to PIN authentication.
https://thehackernews.com/2023/12/new-chameleon-android-banking-trojan.html
https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action
Google has Patched Exploited Zero-Day Chrome Vulnerability
The Google Threat Analysis Group (TAG) reported the vulnerability, and a patch was released a day later. An exploit exists in the wild, and Google is aware of it.
Defense Industrial Base Targeted with FalseFont Backdoor
Microsoft shared the latest Iranian threat actor implant, first observed in November 2023. This is one to watch as Iran ratchets up rhetoric and flexes its digital muscles.
https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html
New Tactics like Remote Encryption Keep Ransomware Gangs Moving Forward
A new trend is emerging that keeps ransomware evading security controls. This is scary, as Microsoft says 60% of hands-on-keyboard attacks now use remote encryption, with the system process performing the encryption. This renders process-based remediation ineffective.
https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.html
https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter