Cyber Threat Weekly – #51
The week of November 4th through November 10th, 330 cyber news articles were reviewed. The feed list has been adjusted, so the number of articles should generally be lower going forward. Let’s start with threat actors using a Zip file concatenation technique.
Cybercriminals abuse emergency data requests (EDRs) with compromised credentials. AWS keys stolen at scale via Python Package Index (PyPI) typosquat. Popular loader FakeBat is back. Another ransomware threat actor abuses Veeam RCE flaw.
Androxgh0st botnet appears to get an upgrade. Possible remote code execution (RCE) bug in PAN-OS. North Korean threat actors targeting macOS and Cryptocurrency funds. Researchers share observations of Interlock ransomware.
SANS 2024 State of ICS / OT Cybersecurity Report. Attackers abuse Microsoft services for defense evasion. Threat actors abusing legit infrastructure again, this time DocuSign APIs. A red team test of a Microsoft environment.
Legitimate Linux virtual machine utilized for remote access.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The chance of exploitation is higher once weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for November 4th to November 10th:
CVE-2024-8956 – PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability:
Allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
CVE-2024-8957 – PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability:
Allows a remote authenticated attacker to escalate privileges to root via a crafted payload in the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
CVE-2019-16278 – Nostromo nhttpd Directory Traversal Vulnerability:
Contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution.
CVE-2024-51567 – CyberPanel Incorrect Default Permissions Vulnerability:
Allows a remote, unauthenticated attacker to execute commands as root.
CVE-2024-43093 – Android Framework Privilege Escalation Vulnerability:
Contains an unspecified vulnerability that allows for privilege escalation.
CVE-2024-5910 – Palo Alto Expedition Missing Authentication Vulnerability:
Allows an attacker with network access to take over an Expedition admin account and potentially access configuration secrets, credentials, and other data.
Defense Evasion via Zip File Concatenation Technique
Threat actors are always trying new ways to bypass defenses. This one is a play on .zip files: two or more .zip files are concatenated into one file. Popular ZIP apps see these files differently, potentially bypassing controls.
https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
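A concatenated archive carries more than one end-of-central-directory (EOCD) record, one per embedded ZIP, and each reader picks one of them. The scanner below, an added example that is not from the original post or the linked research, walks every structurally valid EOCD in a file, carves out each embedded archive and lists its members, so a gateway or sandbox can flag a file whose visible contents depend on which tool opens it. The sample archives are constructed in memory; the member names and payloads are invented for the demo.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
# EOCD layout: sig, disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment len
EOCD_FMT = "<4s4H2LH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def build_zip(members: dict) -> bytes:
    """Build an in-memory archive (stored, so member bytes are not transformed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def find_eocd_records(data: bytes) -> list:
    """Return (offset, end, cd_size, entries) for every EOCD that is
    immediately preceded by a central directory, i.e. a real archive tail."""
    records, pos = [], 0
    while True:
        off = data.find(EOCD_SIG, pos)
        if off < 0 or off + EOCD_LEN > len(data):
            return records
        pos = off + 1
        (_, _, _, _, entries, cd_size, _, comment_len) = struct.unpack_from(EOCD_FMT, data, off)
        end = off + EOCD_LEN + comment_len
        cd_start = off - cd_size
        if entries and cd_start >= 0 and data[cd_start:cd_start + 4] == CDH_SIG and end <= len(data):
            records.append((off, end, cd_size, entries))


def split_concatenated_zip(data: bytes) -> list:
    """Carve each embedded archive in file order and list its members.
    Each entry is {'start', 'end', 'members'}; a normal ZIP yields one entry."""
    archives, start = [], 0
    for _off, end, _cd_size, _entries in find_eocd_records(data):
        chunk = data[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(chunk)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # signature bytes inside data, not a real archive tail
        archives.append({"start": start, "end": end, "members": names})
        start = end
    return archives


def is_concatenated(data: bytes) -> bool:
    """True when the file holds more than one complete ZIP archive."""
    return len(split_concatenated_zip(data)) > 1


def members_seen_by_python(data: bytes) -> list:
    """What Python's zipfile reports: it trusts the last EOCD in the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    # Constructed sample: a harmless-looking archive with a second archive appended.
    first = build_zip({"invoice.txt": b"quarterly statement, constructed sample"})
    second = build_zip({"update.exe": b"placeholder bytes, not an executable"})
    combined = first + second
    print("concatenated:", is_concatenated(combined))
    for i, arc in enumerate(split_concatenated_zip(combined), 1):
        print(f"archive {i} bytes {arc['start']}-{arc['end']}: {arc['members']}")
    print("python zipfile sees:", members_seen_by_python(combined))
```

A practical policy is to reject or quarantine any archive where `is_concatenated` is true, and to log the member list of every carved archive rather than only the one your extraction library happens to read.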
Compromised Police and Government Email Accounts Abused
Emergency Data Requests (EDR) postings are increasing on criminal forums. The EDRs require little proof and often bypass official review. Some of the cybercrime vendors even offer forged court-approved documents. Social engineering shenanigans continue.
https://krebsonsecurity.com/2024/11/fbi-spike-in-hacked-police-emails-fake-subpoenas/
https://www.ic3.gov/CSA/2024/241104.pdf
Typosquat of Popular PyPI Library Exfils AWS Keys
Researchers find the popular SSH Python package ‘fabric’ has been typosquatted for years. The malicious package ‘fabrice’ has been downloaded more than 37,000 times. Both the Windows and Linux versions were analyzed.
https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-library
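A typosquat like ‘fabrice’ sits one edit away from the package it imitates, which is exactly what an allow-list check can catch before `pip install` runs. The script below is an added example, not code from the original post or from the researchers; it normalizes names the way PyPI does (PEP 503), computes the edit distance to a trusted list and reports any untrusted name within a small distance of a trusted one. The trusted list and the requirements file are constructed for the demo; in practice the list comes from your approved-package inventory.

```python
import re
from typing import Optional

# Constructed allow-list for the demo; real deployments use the organisation's
# approved-package inventory rather than a hand-written set.
TRUSTED_PACKAGES = {"fabric", "requests", "paramiko", "boto3", "cryptography", "invoke"}

# Constructed requirements.txt contents.
SAMPLE_REQUIREMENTS = """\
# constructed sample for the typosquat check
fabric==3.2.2
fabrice           # one extra letter away from 'fabric'
requests>=2.31
reqeusts          # transposition, two edits from 'requests'
pyyaml
-r other-requirements.txt
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via the standard DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> Optional[str]:
    """Project name from one requirements line; None for comments, blanks, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def find_typosquat_candidates(requirements: str, trusted=TRUSTED_PACKAGES, max_distance: int = 2) -> list:
    """Return (requested_name, closest_trusted_name, distance) for every name that
    is not on the trusted list but lies within max_distance edits of one."""
    trusted_norm = {normalize(t) for t in trusted}
    findings = []
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in trusted_norm:
            continue
        closest, dist = min(((t, levenshtein(norm, t)) for t in trusted_norm), key=lambda x: x[1])
        if dist <= max_distance:
            findings.append((name, closest, dist))
    return findings


if __name__ == "__main__":
    for requested, closest, dist in find_typosquat_candidates(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is {dist} edit(s) from trusted {closest!r}")
```

Run it as a pre-commit or CI step; an untrusted name at distance 1 from a trusted one should block the build, while distance 2 is a reasonable review threshold rather than a hard failure.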
FakeBat, a Popular Loader, is Back After Hiatus
Delivered via Google malvertising, researchers observe a new campaign. Ultimately dropping LummaC2 Stealer to scarf legit credentials, cookies, and other secrets.
Ransomware Threat Actor Abuses Veeam RCE Flaw
Similar tactics and techniques were seen with the Akira and Fog ransomware affiliates. This time along with VPN for initial access, the Veeam flaw was abused to create new accounts ‘point’ and ‘point2’. A new ‘Frag’ ransomware was executed.
https://news.sophos.com/en-us/2024/11/08/veeam-exploit-seen-used-again-with-a-new-ransomware-frag/
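New local accounts appearing on a backup server is the kind of post-exploitation step that is cheap to alert on. The detector below is an added example, not code from the original post or from Sophos; it runs over constructed events shaped like Windows Security IDs 4720 (account created) and 4732 (member added to a local group), flags creations by any identity outside an approved provisioning list, and raises severity when the new account is placed in a privileged group shortly afterwards. Host names, the creator identity and the approved lists are assumptions for the demo; the account names ‘point’ and ‘point2’ are the ones the post mentions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names mirror the
# Security log: 4720 = user account created, 4732 = member added to local group.
SAMPLE_EVENTS = [
    {"time": "2024-11-05T02:14:07", "event_id": 4720, "host": "BACKUP01",
     "subject": "svc_backup", "target": "point"},
    {"time": "2024-11-05T02:14:09", "event_id": 4732, "host": "BACKUP01",
     "subject": "svc_backup", "target": "point", "group": "Administrators"},
    {"time": "2024-11-05T02:15:40", "event_id": 4720, "host": "BACKUP01",
     "subject": "svc_backup", "target": "point2"},
    {"time": "2024-11-05T09:30:00", "event_id": 4720, "host": "FS02",
     "subject": "helpdesk.admin", "target": "jdoe"},
    {"time": "2024-11-05T09:31:00", "event_id": 4732, "host": "FS02",
     "subject": "helpdesk.admin", "target": "jdoe", "group": "Remote Desktop Users"},
]

# Assumed policy for the demo: only these identities provision accounts, and
# these groups count as privileged.
APPROVED_CREATORS = {"helpdesk.admin"}
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Management Users"}


def detect_unexpected_accounts(events, window=timedelta(minutes=15)) -> list:
    """One alert per 4720 whose creator is not approved. Severity becomes 'high'
    if the same account joins a privileged group on the same host within window."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts lexically
    alerts = []
    for ev in events:
        if ev["event_id"] != 4720 or ev["subject"] in APPROVED_CREATORS:
            continue
        created_at = datetime.fromisoformat(ev["time"])
        severity = "medium"
        for later in events:
            if later["event_id"] != 4732 or later["host"] != ev["host"] or later["target"] != ev["target"]:
                continue
            delta = datetime.fromisoformat(later["time"]) - created_at
            if timedelta(0) <= delta <= window and later.get("group") in PRIVILEGED_GROUPS:
                severity = "high"
        alerts.append({"host": ev["host"], "account": ev["target"],
                       "created_by": ev["subject"], "severity": severity})
    return alerts


def creation_bursts(events, window=timedelta(minutes=10), threshold=2) -> dict:
    """Hosts with at least `threshold` account creations inside one window,
    a second signal that an automated tool rather than a person is at work."""
    bursts = {}
    created = [e for e in events if e["event_id"] == 4720]
    for ev in created:
        t0 = datetime.fromisoformat(ev["time"])
        same_host = [e for e in created if e["host"] == ev["host"]
                     and timedelta(0) <= datetime.fromisoformat(e["time"]) - t0 <= window]
        if len(same_host) >= threshold:
            bursts[ev["host"]] = max(bursts.get(ev["host"], 0), len(same_host))
    return bursts


if __name__ == "__main__":
    for alert in detect_unexpected_accounts(SAMPLE_EVENTS):
        print(alert)
    print("bursts:", creation_bursts(SAMPLE_EVENTS))
```

The approved-creator list is the part that needs tuning: on a backup server the expected answer is usually that nobody creates local accounts at all, so an empty list there is a legitimate configuration.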
New Development and Upgrades for Androxgh0st Botnet
In addition to new exploitation capabilities, Androxgh0st appears to have taken on Mozi payloads to target IoT devices. These are significant upgrades; although mostly older bugs are used, they can still be very effective.
Palo Alto Issues Warning to Secure PAN-OS Management Interface
Although no additional information is available currently, Palo Alto Networks recommends securing the management interface of your devices. Guidance is provided. Even before there is an issue, you should secure the management interface of critical devices.
https://security.paloaltonetworks.com/PAN-SA-2024-0015
DPRK Threat Actors Targeting Cryptocurrency
North Korean threat actors are targeting crypto-related companies to steal funds or deploy backdoors. This has been ongoing, with more observations reported. Researchers share campaign analysis and IoCs.
https://therecord.media/north-korea-bluenoroff-mac-malware-crypto-industry
Newer Interlock Ransomware Observations
Researchers share observations of an affiliate’s behavior and TTPs. Interlock is a relatively big-game hunting ransomware gang. Unlike last week, the attacker stayed on target for approximately 17 days vs. less than 1 day.
https://blog.talosintelligence.com/emerging-interlock-ransomware/
SANS 2024 State of ICS / OT Cybersecurity Report
This is a survey-based report drawing on over 530 respondents. Understanding typical initial attack vectors is huge. This is an interesting report; if you are responsible for ICS / OT in your organization, it’s worth a look.
https://sansorg.egnyte.com/dl/5mD1Yxiybn
Microsoft SaaS Services Abused in Attack Campaign
The campaign uses legitimate SaaS throughout: social engineering for initial access via Teams, command and control via an Azure VM and OneDrive, and Quick Assist among other tools. This is a unique campaign that is very difficult to detect.
https://thehackernews.com/2024/11/veildrive-attack-exploits-microsoft.html
https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2
Legit Looking Invoices at Scale from DocuSign
Threat actors are abusing DocuSign APIs to send legitimate-looking invoices from DocuSign itself. Instead of typical phishing emails mimicking well-known brands, they use DocuSign templates to lure victims. It’s hard to tell it’s a phish when it comes straight from DocuSign.
https://www.csoonline.com/article/3599947/was-your-last-docusign-ed-bill-legitimate-check-again.html
https://lab.wallarm.com/attackers-abuse-docusign-api-to-send-authentic-looking-invoices-at-scale/
A Red Team Goes After Microsoft Global Admin in Entra ID
It’s always nice to understand how even best practices can be bypassed by an adversary. This walkthrough covers some vendors’ best practices plus remediation and recommendations. Red team assessments are a must.
Quick Emulator (QEMU) Used for Remote Access
Phishing lures trick victims into installing a Linux virtual machine (VM) with a backdoor pre-installed. Again, a legitimate, digitally signed tool is used to evade defenses. Earlier this year the same QEMU software was used to install a Linux VM to set up a covert communications channel.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter