Cyber Threat Weekly – #50
The week of October 28th through November 3rd, another light week with 346 cyber news articles reviewed. Still a decent amount of cyber threat trend and adversarial behavior news. Let’s start with a newer ransomware group targeting FreeBSD servers.
Publicly disclosed exploit code used to exploit a Microsoft SharePoint flaw. Researchers share a threat actor's toolkit. Massive scam campaign utilizing fake support centers. Careful what you expose to the Internet: weekly bug report.
Nation state and cybercriminal lines continue to blur. Chinese threat actors going after network devices; a manufacturer shares their battle. Quad7 botnet, compromised SOHO routers. WordPress LiteSpeed Cache Plugin bug and some WordPress drama.
2024 State of Threat Intelligence Report. State-sponsored North Korean threat actors linked to Play ransomware. Threat actors steal cloud credentials from Git config files. Nearly 22,000 CyberPanel devices are encrypted via zero-day bugs.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
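The ordering the three paragraphs above describe (CISA KEV first, then weaponized-PoC flaws, then everything else, with Internet-exposed hosts ahead within each tier) is easy to get wrong in a spreadsheet. The following is an added example, not code from the newsletter; the KEV feed snippet only copies the shape of CISA's JSON feed (a `vulnerabilities` list with `cveID` entries), and the CVE IDs, hosts, PoC flags and SLA hours are constructed sample data.

```python
"""Added example (not from the newsletter): patch triage in the order the
section above describes: CISA KEV entries first, then flaws with weaponized
PoC code, then everything else, with Internet-exposed hosts ahead within a
tier. The KEV feed snippet, CVE IDs, hosts and SLA hours are constructed
sample data, not real advisories."""
import json
from dataclasses import dataclass

# Shape follows CISA's KEV JSON feed ("vulnerabilities" -> "cveID"); the
# entries are made up for this example.
SAMPLE_KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Portal"},
    ]
})

# Assumed SLA per tier: (label, hours to patch). Adjust to your own policy.
TIERS = {
    1: ("actively exploited (in KEV)", 24),
    2: ("weaponized PoC public", 48),
    3: ("no known exploitation", 30 * 24),
}

@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    internet_exposed: bool
    weaponized_poc: bool  # from your exploit-intel source; constructed here

def kev_ids(feed_json: str) -> set:
    """Extract the set of CVE IDs from a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def tier_for(finding: Finding, kev: set) -> int:
    if finding.cve in kev:
        return 1
    if finding.weaponized_poc:
        return 2
    return 3

def prioritize(findings, kev):
    """Return (cve, host, tier, sla_hours) tuples, highest priority first.
    Within a tier, Internet-exposed hosts come before internal ones."""
    ranked = sorted(
        findings,
        key=lambda f: (tier_for(f, kev), not f.internet_exposed, f.cve, f.host),
    )
    return [(f.cve, f.host, tier_for(f, kev), TIERS[tier_for(f, kev)][1]) for f in ranked]

# Constructed scanner output: deliberately out of priority order.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0004", "hr-app-1", internet_exposed=False, weaponized_poc=False),
    Finding("CVE-0000-0002", "db-1", internet_exposed=False, weaponized_poc=True),
    Finding("CVE-0000-0001", "web-1", internet_exposed=True, weaponized_poc=False),
    Finding("CVE-0000-0003", "vpn-1", internet_exposed=True, weaponized_poc=True),
]

def triage_sample():
    return prioritize(SAMPLE_FINDINGS, kev_ids(SAMPLE_KEV_FEED))

if __name__ == "__main__":
    for cve, host, tier, sla in triage_sample():
        print(f"tier {tier} ({TIERS[tier][0]:<26}) patch within {sla:>4}h  {cve} on {host}")
```

Note that the exposure flag only reorders within a tier; it never demotes a KEV entry on an internal host, since the catalog records exploitation that already happened rather than a guess about reachability.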
Interlock Ransomware Targets FreeBSD Servers
Not much is known about this group yet. They also have a Windows encryptor, chances are they’ll go after ESXi servers and virtual machines soon enough, like many other ransomware gangs. Interlock has claimed six attacks starting October 2024.
Remote Code Execution (RCE) Flaw in SharePoint Exploited
Starting with a SharePoint server exposed to the Internet using publicly released proof-of-concept (PoC) code. Installing Horoung Antivirus to disable security controls. Using typical lateral movement tools to compromise the entire domain.
Threat Actors Behavior and Toolkit Revealed
During an incident response, researchers find a rogue device and are able to retrieve a portion of the files on the system. This leads down a path to discovering the possible identity of an attacker. Some TTPs and tooling, including an EDR bypass tool, are shared as well.
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
Massive Scam Campaign Started with LastPass
Scammers are leaving comments with a fake support number on the LastPass Chrome extension page. The goal is to trick callers into providing remote access to the scammers. The same phone number is being used for other companies such as Amazon, Hulu, PayPal, and more.
Weekly IT Vulnerability Report
Researchers share a high number of Internet-exposed devices susceptible to several vulnerabilities, most of which are actively exploited. They also share some dark web chatter on several more vulnerabilities. Consider zero trust network access, architecture, and other means to not expose devices to the Internet.
https://cyble.com/blog/it-vulnerability-report-fortinet-sonicwall-grafana-exposures-top-1-million/
Nation States Abusing Cybercriminal Infrastructure
It only makes sense, just like cybercriminals adopting nation state tactics and techniques. Using what works and making it a commodity makes attribution difficult. Nation states have been using cybercriminal infrastructure for a while. Now a couple of nation states are also using ransomware and selling access to help monetize their operations.
Multiple Manufacturers Targeted by Chinese Threat Actors
This is a cool story of a network device vendor's battle with nation state actors. Targeting edge devices has been covered lately, but this goes back five years. The sophistication of nation state threat actors never ceases to amaze.
https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/
Password-Spray Attacks Originate from Quad7 Botnet
The botnet is abused to steal credentials, believed to be used by several Chinese threat actors. Researchers observe the threat actors are not aggressive with password spray operations. It appears operations have not stopped, but compromised device fingerprints have been modified.
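A spray that is deliberately "not aggressive" is designed so that per-user lockout thresholds never trip. The detection that still catches it counts distinct failed usernames per source rather than failures per user. Below is an added example, not the researchers' tooling; the log line format and every line in it are constructed sample data.

```python
"""Added example (not from the newsletter): a low-and-slow password-spray
detector over authentication logs. A spray hits many usernames from one
source with one or two tries each, so per-user lockout thresholds never
trigger; counting distinct failed usernames per source catches it anyway.
The log format and every line below are constructed sample data."""
import re
from collections import defaultdict

# Assumed log line shape: "<timestamp> auth <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2024-10-29T01:00:01Z auth FAIL user=alice src=203.0.113.7
2024-10-29T01:02:00Z auth FAIL user=alice src=198.51.100.9
2024-10-29T01:02:05Z auth FAIL user=alice src=198.51.100.9
2024-10-29T01:02:09Z auth FAIL user=alice src=198.51.100.9
2024-10-29T01:02:14Z auth FAIL user=alice src=198.51.100.9
2024-10-29T01:09:44Z auth FAIL user=bob src=203.0.113.7
2024-10-29T01:18:02Z auth FAIL user=carol src=203.0.113.7
2024-10-29T01:27:51Z auth FAIL user=dave src=203.0.113.7
2024-10-29T01:30:00Z auth FAIL user=bob src=192.0.2.5
2024-10-29T01:30:20Z auth OK user=bob src=192.0.2.5
2024-10-29T01:36:19Z auth FAIL user=erin src=203.0.113.7
2024-10-29T01:45:33Z auth FAIL user=frank src=203.0.113.7
2024-10-29T02:01:08Z auth OK user=frank src=203.0.113.7
"""

def parse_log(text):
    """Yield one dict per line that matches the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_spray_sources(text, min_users=5, max_tries_per_user=2):
    """Map each suspected spraying source to the usernames it failed against
    and the usernames it later authenticated as (the ones to treat as
    compromised first)."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    oks = defaultdict(set)                          # src -> users with a success
    for ev in parse_log(text):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            oks[ev["src"]].add(ev["user"])
    flagged = {}
    for src, per_user in fails.items():
        # Many distinct users, few attempts each: the spray signature.
        # A brute force against one account (198.51.100.9 above) does not match.
        if len(per_user) >= min_users and max(per_user.values()) <= max_tries_per_user:
            flagged[src] = {
                "users_tried": sorted(per_user),
                "successes": sorted(oks[src] & set(per_user)),
            }
    return flagged

if __name__ == "__main__":
    for src, info in find_spray_sources(SAMPLE_LOG).items():
        print(src, "sprayed", len(info["users_tried"]), "users; successes:", info["successes"])
```

Because a botnet of compromised routers spreads attempts across many source addresses, and the item above notes the device fingerprints have been changed, per-source counting is the floor, not the ceiling: the same logic run per target user (how many distinct sources failed against one account in a window) catches the distributed form.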
WordPress LiteSpeed Cache Plugin Bug
Installed on over six million sites; the bummer here is the use and abuse of compromised legitimate WordPress sites for malicious activity. There is some drama causing some WordPress users to abandon the WordPress.org repository.
https://thehackernews.com/2024/10/litespeed-cache-plugin-vulnerability.html
2024 State of Threat Intelligence Report
An interesting report based on a survey of over 550 cybersecurity executives, managers, and practitioners. Keeping up with threat trends leads to better outcomes. Threat-informed risk management / defense moves you to a more proactive security program.
North Korean Threat Actors Linked to Play Ransomware
It appears an APT group is acting as an initial access broker (IAB) or ransomware affiliate. Researchers observed initial access, persistence, and eventually Play ransomware. This is a way to monetize their activities.
https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
Automated Tools Used to Steal Cloud Credentials
Exposed Git config files are the target; they may include auth tokens. From there the threat actors use the tokens to download repositories and scan for more credentials. The lesson: proactively look for auth tokens and credentials in your source code.
https://sysdig.com/blog/emeraldwhale/
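The tokens in question typically sit in a remote URL of the form `https://user:token@host/org/repo.git` inside `.git/config`. The following is an added example, not the newsletter's or the researchers' code, that scans config text for that pattern and produces a redacted copy; the config file and the token in it are constructed sample data, and the parser is a minimal one written for the example (it ignores quoting and `include` directives).

```python
"""Added example (not from the newsletter or the researchers' tooling): scan
Git config files for credentials embedded in remote URLs, the data the
campaign above harvests from exposed .git/config files. The config text
below is constructed sample data and the token is a placeholder."""
from urllib.parse import urlsplit

SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_PLACEHOLDER_NOT_A_REAL_TOKEN@github.com/example/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example/mirror.git
"""

def parse_git_config(text):
    """Yield (section, key, value) for a git-style INI file. Minimal parser
    written for this example; it ignores comments, includes and quoting."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()

def find_embedded_credentials(text):
    """Return one finding per http(s) remote whose URL carries user:secret@.
    SSH-style remotes (git@host:path) have no scheme and are skipped."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key != "url":
            continue
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.password:
            findings.append({
                "section": section,
                "username": parts.username,
                "host": parts.hostname,
                "secret_preview": parts.password[:4] + "...",  # never log the full secret
            })
    return findings

def redact(text):
    """Return the config with embedded secrets stripped from remote URLs,
    leaving the username so a credential helper can supply the secret."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("url") and "=" in stripped:
            parts = urlsplit(stripped.split("=", 1)[1].strip())
            if parts.scheme in ("http", "https") and parts.password:
                raw = raw.replace(f":{parts.password}@", "@", 1)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"{f['section']}: {f['username']}@{f['host']} secret {f['secret_preview']}")
    print(redact(SAMPLE_GIT_CONFIG))
```

Run it over every `.git/config` in a checkout or a build host, and treat any hit as a token to rotate, not just a line to clean up: a config that leaked once has already been copied. The web-server side of the same problem is making sure `.git/` directories are never served at all.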
Two Zero-Days Lead to Ransomware of Nearly 22,000 Servers
CyberPanel servers were encrypted after a researcher shared proof-of-concept code and a demonstration of the bugs publicly. The good news: even though the servers were encrypted with PSAUX ransomware, a decryptor is available.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter