
Cyber Threat Weekly – #50

Derek Krein

The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed.  Still a decent amount of cyber threat trend and adversarial behavior news.  Let’s start with a newer ransomware group targeting FreeBSD servers.

Publicly disclosed exploit code used to exploit a Microsoft SharePoint flaw.  Researchers share a threat actor's toolkit.  Massive scam campaign utilizing fake support centers.  Be careful what you expose to the Internet: weekly bug report.

Nation states and cybercriminal lines continue to blur.  Chinese threat actors going after network devices, and a manufacturer shares its battle.  Quad7 botnet, compromised SOHO routers.  WordPress LiteSpeed Cache Plugin bug and some WordPress drama.

2024 State of Threat Intelligence Report.  State sponsored North Korean threat actors linked to Play ransomware.  Threat actors steal cloud credentials from Git config files.  Nearly 22,000 CyberPanel devices are encrypted via zero-day bugs.


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
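The prioritization rule above, KEV first, weaponized PoC second, Internet exposure as the tie-breaker, with the 48-hour emergency deadline attached, as an added example that is not part of the original post.  The KEV excerpt uses the field names CISA publishes in its JSON feed, but the records, CVE ids, assets and review time are all constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names as published;
# the records themselves are placeholders, not real catalog entries).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-11111", "dueDate": "2024-11-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-22222", "dueDate": "2024-11-21", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner findings, enriched with exposure and weaponized-PoC status.
INVENTORY = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-11111", "internet_exposed": True,  "weaponized_poc": True},
    {"asset": "build-07",  "cve": "CVE-0000-33333", "internet_exposed": False, "weaponized_poc": True},
    {"asset": "wiki-02",   "cve": "CVE-0000-22222", "internet_exposed": False, "weaponized_poc": False},
    {"asset": "hr-app",    "cve": "CVE-0000-44444", "internet_exposed": True,  "weaponized_poc": False},
]
EMERGENCY_WINDOW = timedelta(hours=48)   # upper end of the 24-to-48-hour process

def load_kev(feed_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, now):
    """Tier 1: in KEV. Tier 2: weaponized PoC available. Tier 3: everything else.
    Tiers 1 and 2 get the emergency deadline; within a tier, Internet-exposed
    assets and CVEs with known ransomware use sort first."""
    ranked = []
    for f in inventory:
        entry = kev.get(f["cve"])
        tier = 1 if entry else 2 if f["weaponized_poc"] else 3
        ranked.append({**f, "tier": tier,
            "ransomware_use": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
            "cisa_due": entry["dueDate"] if entry else None,
            "emergency_deadline": (now + EMERGENCY_WINDOW).isoformat() if tier < 3 else None})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_exposed"], not r["ransomware_use"]))
    return ranked

def run_example():
    """Prioritize the constructed inventory as of a fixed (constructed) review time."""
    return prioritize(INVENTORY, load_kev(KEV_FEED), datetime(2024, 11, 3, tzinfo=timezone.utc))

if __name__ == "__main__":
    for r in run_example():
        print(r["tier"], r["asset"], r["cve"], r["emergency_deadline"] or "normal cycle")
```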


Interlock Ransomware Targets FreeBSD Servers

Not much is known about this group yet.  They also have a Windows encryptor; chances are they’ll go after ESXi servers and virtual machines soon enough, like many other ransomware gangs.  Interlock has claimed six attacks starting October 2024.

https://www.bleepingcomputer.com/news/security/meet-interlock-the-new-ransomware-targeting-freebsd-servers/


Remote Code Execution (RCE) Flaw in SharePoint Exploited

The intrusion started with a SharePoint server exposed to the Internet, exploited using publicly released proof-of-concept (PoC) code.  The attackers then installed Horoung Antivirus to disable security controls and used typical lateral movement tools to compromise the entire domain.

https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-rce-bug-exploited-to-breach-corporate-network/

https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/


Threat Actors Behavior and Toolkit Revealed

During an incident response, researchers found a rogue device and were able to retrieve a portion of the files on the system.  This led down a path to discovering the possible identity of an attacker.  Some TTPs and tooling, including an EDR bypass tool, are shared as well.

https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/


Massive Scam Campaign Started with LastPass

Scammers are leaving comments with a fake support number on the LastPass Chrome extension page.  The goal is to trick callers into providing remote access to the scammers.  The same phone number is being used for other companies such as Amazon, Hulu, PayPal, and more.

https://www.bleepingcomputer.com/news/security/lastpass-warns-of-fake-support-centers-trying-to-steal-customer-data/


Weekly IT Vulnerability Report

Researchers share a high number of Internet-exposed devices susceptible to several vulnerabilities, most of which are actively exploited.  They also share some dark web chatter on several more vulnerabilities.  Consider zero trust network access, architecture, and other means to avoid exposing devices to the Internet.

https://cyble.com/blog/it-vulnerability-report-fortinet-sonicwall-grafana-exposures-top-1-million/


Nation States Abusing Cybercriminal Infrastructure

It only makes sense, just like cybercriminals adopting nation state tactics and techniques.  Using what works and making it a commodity makes attribution difficult.  Nation states have been using cybercriminal infrastructure for a while.  Now a couple of nation states are also using ransomware and selling access to help monetize their operations.

https://www.csoonline.com/article/3595792/nation-state-actors-increasingly-hide-behind-cybercriminal-tactics-and-malware.html

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf


Multiple Manufacturers Targeted by Chinese Threat Actors

This is a cool story of a network device vendor’s battle with nation state actors.  Targeting edge devices has been covered lately, but this goes back five years.  The sophistication of nation state threat actors never ceases to amaze.

https://www.bleepingcomputer.com/news/security/sophos-reveals-5-year-battle-with-chinese-hackers-attacking-network-devices/

https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/

https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/

https://news.sophos.com/en-us/2024/10/31/digital-detritus-the-engine-of-pacific-rim-and-a-call-to-the-industry-for-action/


Password-Spray Attacks Originate from Quad7 Botnet

The botnet is abused to steal credentials, believed to be used by several Chinese threat actors.  Researchers observe the threat actors are not aggressive with password spray operations.  It appears operations have not stopped, but compromised device fingerprints have been modified.

https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-use-quad7-botnet-to-steal-credentials/

https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/


WordPress LiteSpeed Cache Plugin Bug

The plugin is installed on over six million sites; the bummer here is the use and abuse of compromised legitimate WordPress sites for malicious activity.  There is some drama causing some WordPress users to abandon the WordPress.org repository.

https://thehackernews.com/2024/10/litespeed-cache-plugin-vulnerability.html

https://patchstack.com/articles/security-implications-of-wordpress-repository-access-restrictions-and-plugin-closures/


2024 State of Threat Intelligence Report

An interesting report based on a survey of over 550 cybersecurity executives, managers, and practitioners.  Keeping up with threat trends leads to better outcomes.  Threat-informed risk management and defense move you toward a more proactive security program.

https://go.recordedfuture.com/hubfs/2024%20State%20of%20Threat%20Intelligence/Recorded%20Future%202024%20State%20of%20Threat%20Intelligence%20Report.pdf?hsLang=en


North Korean Threat Actors Linked to Play Ransomware

It appears an APT group is acting as an initial access broker (IAB) or ransomware affiliate.  Researchers observed initial access, persistence, and eventually Play ransomware.  This is a way to monetize their activities.

https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html

https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/


Automated Tools Used to Steal Cloud Credentials

Exposed Git config files are the target; they may include auth tokens.  From there the threat actors use the tokens to download repositories and scan for more credentials.  The lesson: proactively look for auth tokens and credentials in your source code.

https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-credentials-from-exposed-git-config-files/

https://sysdig.com/blog/emeraldwhale/


Two Zero-Days Lead to Ransomware of Nearly 22,000 Servers

CyberPanel servers were encrypted after a researcher shared proof-of-concept code and a demonstration of the bugs publicly.  The good news: even though the servers were encrypted with PSAUX ransomware, a decryptor is available.

https://www.csoonline.com/article/3595130/psaux-ransomware-takes-down-22000-cyberpanel-servers-in-massive-zero-day-attack.html

https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/

