Skip to content

Cyber Threat Weekly - #5

Derek Krein
7 min read

Wishing you Happy Holidays, a Merry Christmas, a Happy New Year, all the things.  Kicking it off, over a 3-month period, Blackberry found there was a 70% increase in unique malware hashes from the previous reporting period, about 2.9 unique samples per minute. 

A Smishing gang has recently changed tactics, how they accomplish the connection is the most interesting piece of the puzzle.  Golang malware that can hit both macOS and windows.  A novel SMTP smuggling technique allowing spoofed messages to flow freely.

RDP honeypots exposed to the Internet, attacked roughly 4.4 billion times in 2023.  Chaining two vulnerabilities can create a zero-click remote code execution against outlook clients.  A possible emerging ransomware threat with Exchange 2013 with web access enabled.

A new PikaBot malvertising campaign has emerged.  Exploitation of Oracle WeLogic server vulnerability has been observed.  Another new malvertising campaign, this time delivering MetaStealer.  Lots of things are happening in the Ransomware landscape, this time it’s Play Ransomware. 

Threat actors abusing legitimate infrastructure is on the rise.  Several vendors are reporting QakBot sightings after the law enforcement takedown.  Social engineering abusing hotel staff, via malspam campaign.  Web injections are on the rise.

Instagram malspam campaign targets Backup codes.  Six-year-old Microsoft Office bug abused to spread Agent Tesla.  Palo Alto shares some campaigns that detail the malicious use of JavaScript.  Proofpoint identifies DarkBot and NetSupport being spread via malspam and fake browser update campaigns.

New Android malware bypasses Biometric authentication.  Actively exploited Chrome zero-day vulnerability.  Microsoft shares new backdoor implant called “FalseFont”.  Ransomware gangs and affiliates are deploying remote encryption to evade defenses.


Broken Record Alert:  Patch prioritization matters!!!

Roughly 5% of publicly available vulnerabilities are observed exploited in the wild.  Priority #1 should be to patch known exploited vulnerabilities.  You can use CISA’s known exploited vulnerability (KEV) catalog or other tools to prioritize patching exploited vulnerabilities. 

Right behind actively exploited vulnerabilities, a close priority #2 is those with proof of concept (PoC) code available.  Exploit chances are much higher with PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and PoC code available vulnerabilities. 

Exploited vulnerabilities continue to be abused by threat actors, every week we share known exploited vulnerabilities being abused by threat actors.  Diligent patching can prevent threat actors from exploiting your organization for their gains.


CISA Known Exploited Vulnerabilities for December 18thth to December 24th:

 CVE-2023-49897 – FXC AE1021, AE1021PE OS Command Injection Vulnerability
Authenticated users can execute commands via the network

 CVE-2023-47565 – QNAP VioStor NVR OS Command Injection Vulnerability
Authenticated users to execute commands via the network


Blackberry Global Threat Report – November 2023

Blackberry is seeing a few trends that don’t bode well for defenders.  Unique malware hashes were most prevalent in the US at 52%.  Financial organizations saw a substantial increase in attacks and there was an increase in unique binaries targeting healthcare organizations.

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/bbcomv4/blackberry-com/en/solutions/threat-intelligence/2023/threat-intelligence-report-nov/Blackberry-Global-Threat-Intelligence-Report-November-2023.pdf


Smishing Triad Gang – New Tactics

Targeting has changed, but more interesting, the messages did not include sender information.  Several victims reported they had never received messages like that before.  Let’s hope this isn’t a new way to hide sender info that may become available in the criminal underground. 

https://www.resecurity.com/blog/article/cybercriminals-impersonate-uae-federal-authority-for-identity-and-citizenship-on-the-peak-of-holidays-season


JaskaGO Sophisticated Malware that Targets Mac and Windows

This malware is a great example of how the threat landscape is evolving.  Written in a cross-platform language, sophisticated anti-analysis techniques, currently a stealer, but could grow into much more.

https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows


SMTP Smuggling Technique Affecting Millions of SMTP Servers

Currently known to affect email services from Microsoft, GMX, Cisco Secure Email Cloud Gateway and a few online email providers.  This novel technique could make it difficult to know if an incoming email is spoofed or not.

https://www.darkreading.com/cloud-security/novel-smtp-smuggling-technique-slips-past-dmarc-email-protections

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/


RDP Exposed to the Internet is a High Value Target for the Adversary

Insurer Coalition’s honeypots recorded 5.8 billion attacks so far in 2023.  That’s roughly 17 million a day, RDP was targeted in 76% of those attacks.  Attack surface management has become an absolute must.  We must start looking at Zero Trust Network Access (ZTNA) to reduce our attack surface and better control ingress traffic.

VPNs and exposing RDP are huge targets for threat actors.  Many ZTNA capabilities for remote access are cost effective today.

https://www.infosecurity-magazine.com/news/uk-honeypots-attacked-17-million/


Zero-Click Outlook RCE from Two Vulnerabilities Chained Together

Researchers found a way, for a second time, to abuse sound files, to create a zero-click remote code execution.  Patches are available for both vulnerabilities. 

https://thehackernews.com/2023/12/beware-experts-reveal-new-details-on.html

https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-two


End of Life (EoL) Exchange Server 2013 and Ransomware

Kevin Beaumont has found a correlation between Exchange Server 2013 with Outlook Web Access enabled and ransomware incidents in the last few months.  Not sure what to make of it, we’ll keep an eye on this one, see what comes of it.

https://medium.com/doublepulsar/the-ticking-time-bomb-of-microsoft-exchange-server-2013-d0850b80465b


PikaBot being Distributed via New Malvertising Campaign

This month we are seeing PikaBot being distributed via malvertising targeting users searching for legitimate software.  Last month saw Pikabot and DarkBot being distributed via malspam.  PikaBot is growing in popularity, but more importantly, we could be seeing a bigger malvertising trend here.

https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html


Active Exploitation of Older Oracle WebLogic Server Vulnerability

Older CVE-2020-14883 is being exploited via an attack chain.  Target selection looks to be opportunistic. 

https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html


New MetaStealer Malvertising Campaign

Yet another malvertising campaign, and the trend continues.  Looks like MetaStealer developers are actively making improvements.

https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns


Play Ransomware RaaS Service

Play is relatively new on the scene, emerging in mid-2022.  CISA has released a Joint Advisory on Play ransomware estimating approximately 300 organization impacted so far.  Play, like many ransomware affiliates, use commodity tools and administrative utilities to conduct lateral movement and reach their goals.

https://thehackernews.com/2023/12/double-extortion-play-ransomware.html

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a


The Abuse of Public Services Like GitHub is on the Rise

Reversing Labs has uncovered two novel techniques abusing GitHub.  While abusing public services isn’t new, I wrote about it 5 years ago, these techniques are new to the scene according to Reversing Labs.  Also note, developers are becoming a prime target to support supply chain attacks.

https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise


QakBot Still at it

Looks like we are seeing confirmation that the QakBot takedown only affected the command-and-control servers and not the spam delivery infrastructure.  This is not good news, QakBot is resilient, surviving since at least 2007.

https://www.darkreading.com/cyberattacks-data-breaches/new-qakbot-sightings-confirm-law-enforcement-takedown-was-temporary-setback


Social Engineering MalSpam Campaign

This one sucks, a two-step malspam campaign, designed to play on emotions using a couple of lures.  Enticing the hotel staff to reply to help out, once they reply, a link to a file is sent.  This technique can be used in many ways with many lures, it is one to watch.

https://news.sophos.com/en-us/2023/12/19/inhospitality-malspam-campaign-targets-hotel-industry/


Web Injections, Affecting 40+ Banks

A new malware campaign using JavaScript web injections was uncovered by IBM.  The campaign appears to be targeting popular banking applications to intercept user credentials, likely to access their banking information.  Not Cool!!! 

https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/


Instagram Phishing Campaign

Another spin on an Instagram “Copyright Infringement” campaign has surfaced.  Now targeting Instagram credentials, by obtaining backup codes, in an attempt to bypass Multi-Factor Authentication (MFA).  Backup codes allow you to log in to an account with an unknown device.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/instagram-phishing-targets-backup-codes/


Agent Tesla Spread via RCE Flaw from 2017

Excel Maldocs exploiting CVE-2017-11882 are used to deliver spyware.  Business related lures are utilized to entice victims to download malicious attachments.  The use of an older vulnerability along with complexity and evasion techniques, shows the attacker ability to adapt.

https://www.darkreading.com/cloud-security/attackers-exploit-microsoft-office-bug-spyware

https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla


Case Studies Show How Malicious JavaScript Steals Secrets

Palo Alto shares several ways attackers use malicious JavaScript in unique ways to exfiltrate data, evade detection, and steal secrets.

https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/


Proofpoint Unveils New Cluster of Activity Called BattleRoyal

A new cluster of activity using multiple attack chains to deliver malware was observed.  The behavior observed aligns with a trend of cyber criminals adopting new and varied attack chains to deliver malware.

https://www.darkreading.com/cyberattacks-data-breaches/battleroyal-hackers-deliver-darkgate-rat

https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates


Android Banking Trojan Called Chameleon, Bypasses Biometrics

The velocity at which threat actors can evade detection and security controls is scary.  The latest version of this Android trojan uses device takeover techniques to bypass biometrics by transitioning to PIN authentication. 

https://thehackernews.com/2023/12/new-chameleon-android-banking-trojan.html

https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action


Google has Patched Exploited Zero-Day Chrome Vulnerability

The Google Threat Analysis Group (TAG) reported the vulnerability, a patch was released a day later.  An exploit exists in the wild, Google is aware.

https://securityaffairs.com/156231/security/google-addressed-a-new-actively-exploited-chrome-zero-day.html


Defense Industrial Base Targeted with FalseFont Backdoor

Microsoft shared latest Iranian threat actor implant, first observed in November 2023.  This is one to watch as Iran rachets up rhetoric and flexes its digital muscles.

https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html


New Tactics like Remote Encryption Keep Ransomware Gangs Moving Forward

A new trend is emerging that keeps ransomware evading security controls.  This is scary as Microsoft says 60% of hands-on keyboard attacks now use remote encryption with the system process performing the encryption.  This renders process-based remediation ineffective. 

https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.html

https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/



Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by