Cyber Threat Weekly – #52

Derek Krein
7 min read

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing.

An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo Alto updates its firewall management interface advisory.  WezRat malware deployed by Iranian threat actors.  Snail mail is used to deliver malware.

Threat actor deploying PXA Stealer via phishing campaign.  PostgreSQL bug allows environment variable exploitation.  North Korean IT workers are changing tactics.  Two more critical bugs in Palo Alto’s Expedition migration tool.

New ‘Glove Stealer’ .NET malware.  Legit infrastructure continues to be abused by threat actors, this time via hijacked domains.  Strela Stealer malware being served via phishing email.  Researchers report on the State of Cloud Ransomware in 2024.

Attackers use novel macOS extended file attributes technique.  Data aggregator leaks 122 million records.  A deep dive into the TTPs of North Korean remote work scheme.  The MOVEit vulnerability rears its head again.

LodaRAT, old malware with new tricks.  Researchers analyze a multi-stage PowerShell infection chain.  Another new-ish ransomware gang to keep an eye on, Ymir.


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and those with weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
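The triage the paragraphs above describe (KEV first, weaponized PoC second, a 24-to-48-hour emergency SLA for both, with Internet exposure deciding which end of that window applies) as a small script. This is an added example, not code from the newsletter. The KEV_JSON string mirrors the field names of the public KEV feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but its dates are constructed sample values, not the catalog's; INVENTORY and POC_CVES are constructed inputs standing in for your scanner export and exploit-intel feed, and the placeholder CVE IDs are not real identifiers.

```python
"""Build a patch priority queue from an asset inventory, the CISA KEV catalog
and a list of CVEs with weaponized public PoC code (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed; the dates are sample values.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2024-0012", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-11-18", "dueDate": "2024-12-09",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-26086", "vendorProject": "Atlassian",
     "product": "Jira Server and Data Center", "dateAdded": "2024-11-12",
     "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed: CVEs your intel feed reports as having a weaponized public PoC.
POC_CVES = {"CVE-0000-POC-PLACEHOLDER"}

# Constructed inventory: CVEs a scanner reported per host, plus whether the
# affected service is reachable from the Internet.  Placeholder IDs are fake.
INVENTORY = [
    {"asset": "fw-edge-01", "internet_exposed": True, "cves": ["CVE-2024-0012"]},
    {"asset": "jira-int-02", "internet_exposed": False,
     "cves": ["CVE-2021-26086", "CVE-0000-PLACEHOLDER"]},
    {"asset": "expedition-01", "internet_exposed": True,
     "cves": ["CVE-0000-POC-PLACEHOLDER"]},
]


def load_kev(raw_json):
    """Map cveID -> KEV record for quick lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(inventory, kev, poc_cves, today):
    """Return one row per (asset, CVE), sorted by tier, exposure, then KEV due date.

    Tier 1: listed in KEV (actively exploited).  Tier 2: weaponized PoC available.
    Tier 3: everything else, left to the normal patch cycle.  Tiers 1 and 2 get
    the emergency SLA: 24h when Internet-exposed, 48h otherwise.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            record = kev.get(cve)
            if record is not None:
                tier = 1
            elif cve in poc_cves:
                tier = 2
            else:
                tier = 3
            sla_hours = None
            if tier < 3:
                sla_hours = 24 if asset["internet_exposed"] else 48
            due = date.fromisoformat(record["dueDate"]) if record else None
            rows.append({
                "asset": asset["asset"], "cve": cve, "tier": tier,
                "sla_hours": sla_hours, "kev_due": due,
                "kev_overdue": due is not None and due < today,
            })
    # Exposed hosts (24h SLA) sort ahead of internal ones within a tier.
    rows.sort(key=lambda r: (r["tier"], r["sla_hours"] != 24,
                             r["kev_due"] or date.max))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), POC_CVES, date.today()):
        print(f"tier {r['tier']}  {r['asset']:<14} {r['cve']:<26} "
              f"SLA={r['sla_hours'] or 'normal cycle'}  "
              f"KEV due={r['kev_due'] or '-'}{'  OVERDUE' if r['kev_overdue'] else ''}")
```

The KEV due date is a federal deadline, not a risk signal on its own, so it only breaks ties within a tier; the tier and the exposure flag are what drive the emergency SLA.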


CISA Known Exploited Vulnerabilities for November 4th to November 10th:

CVE-2021-26086 – Atlassian Jira Server and Data Center Path Traversal Vulnerability:
Allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.

CVE-2014-2120 – Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability:
Allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

CVE-2021-41277 – Metabase GeoJSON API Local File Inclusion Vulnerability:
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

CVE-2024-43451 – Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability:
Could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this hash to impersonate that user.

CVE-2024-49039 – Microsoft Windows Task Scheduler Privilege Escalation Vulnerability:
Could allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access privileged RPC functions.

CVE-2024-9465 – Palo Alto Networks Expedition SQL Injection Vulnerability:
Allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

CVE-2024-9463 – Palo Alto Networks Expedition OS Command Injection Vulnerability:
Allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CVE-2024-9474 – Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability:
Allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.

CVE-2024-0012 – Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability:
An authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.

CVE-2024-1212 – Progress Kemp LoadMaster OS Command Injection Vulnerability:
Allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.


Phishing with Scalable Vector Graphics (SVG) Attachments

While not new, SVG attachments are becoming more popular.  Threat actors can evade defenses and create login forms within the graphic for credential theft.  Like most things that work, we should expect to see commoditization and greater use.

https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/
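A mail-gateway check for the building blocks the article describes (a script block, event-handler attributes, HTML wrapped in a foreignObject so a login form can render, and javascript: links). This is an added example using only the standard library, not code from the article or from any vendor product; the two SVG documents are constructed samples, one plain icon and one carrying every marker, and the marker list is an assumption to extend for your environment.

```python
"""Scan SVG attachments for active content before they reach a mailbox (added example)."""
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ACTIVE_TAGS = {"script", "foreignObject"}           # assumed marker list
BAD_URL_PREFIXES = ("javascript:", "data:text/html", "vbscript:")

# Constructed benign sample: a plain icon.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="#3a7"/>
</svg>"""

# Constructed suspicious sample with the markers of a credential-phishing SVG;
# the form targets a reserved .invalid host and the script body is empty.
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300" onload="">
  <foreignObject x="20" y="20" width="360" height="260">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://login.example.invalid/"
          method="post">
      <input name="user"/><input name="pass" type="password"/>
    </form>
  </foreignObject>
  <script></script>
  <a xlink:href="javascript:void(0)"><text x="10" y="290">Open</text></a>
</svg>"""


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _ns(name):
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""


def scan_svg(data):
    """Return a list of (kind, detail) findings; an empty list means no active content.

    A file that fails to parse is reported as a finding as well: a malformed
    attachment is not something a gateway should wave through unexamined.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append((tag, "active element"))
        if _ns(el.tag) == XHTML_NS:                 # HTML smuggled inside the image
            findings.append(("html_in_svg", tag))
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):               # onload=, onclick=, ...
                findings.append(("event_handler", name))
            elif name == "href" and value.strip().lower().startswith(BAD_URL_PREFIXES):
                findings.append(("script_url", value[:40]))
    return findings


def verdict(data):
    """Gateway decision for one SVG part: quarantine anything with findings."""
    return "block" if scan_svg(data) else "allow"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, verdict(doc), scan_svg(doc))
```

Run it over every MIME part whose content type is image/svg+xml or whose filename ends in .svg, including parts extracted from archives; on "block", quarantine the message rather than stripping the part, so the recipient and the SOC both see that a lure was attempted.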


Fortinet FortiClient Bug Abused to Steal VPN Credentials

A threat actor is using a post-exploitation framework called DEEPDATA to abuse a zero-day bug to steal VPN credentials.  Researchers share details of a few malware families believed to be maintained by the threat actor.

https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html

https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/


Palo Alto Firewalls Management Interface Zero-day Bug

The company has released a few IP addresses and is again urging customers to secure the management interfaces of their firewalls.  The principle of least privilege should be applied to critical devices such as firewall management interfaces.

https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html

https://security.paloaltonetworks.com/PAN-SA-2024-0015

https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/


Iranian State Sponsored Actors Deploy WezRat

Researchers observed a new campaign targeting Israeli organizations.  Keep an eye out for phishing lures similar to the one used in this campaign.  Iran is no slouch when it comes to attack operations. 

https://thehackernews.com/2024/11/iranian-hackers-deploy-wezrat-malware.html

https://research.checkpoint.com/2024/wezrat-malware-deep-dive/


Malicious QR Codes Delivered via Snail Mail

This is an interesting one, going old school-ish to deliver malicious QR codes that ultimately lead to Coper, a banking trojan.  Pay attention to the lure, it can be used and twisted in several different ways. 

https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware


PXA Stealer Deployed via Phishing Campaign

Currently targeting Europe and Asia, but that can change at any time.  Researchers observed the attacker selling Facebook and Zalo account credentials as well as SIM cards.  Stolen Facebook cookies are used to interact with Facebook Ads Manager and Graph API.

https://thehackernews.com/2024/11/vietnamese-hacker-group-deploys-new-pxa.html

https://blog.talosintelligence.com/new-pxa-stealer/


Researchers Discover PostgreSQL PL / Perl Bug

An unprivileged database user can modify sensitive environment variables, leading to arbitrary code execution.  The bug is tracked as CVE-2024-10979 and carries a CVSS score of 8.8.  Additional findings will be shared at a later date.

https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html

https://www.varonis.com/blog/cve-postgresql-pl/perl

https://www.postgresql.org/support/security/CVE-2024-10979/


Researchers Dig into North Korean IT Worker Activities

Initially gaining employment to sustain their nation’s illicit activities, they are getting more aggressive, participating in insider threats and malware attacks.  Several researchers shared updated tactics, techniques, and procedures for the Contagious Interview campaign, which imitates video conference websites to lure targets into installing BeaverTail malware.

https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/


Two New Palo Alto Expedition Flaws Actively Exploited

The migration tool is under attack again, although not much data has been shared as of yet.  These flaws are unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-more-palo-alto-networks-bugs-exploited-in-attacks/

https://security.paloaltonetworks.com/PAN-SA-2024-0010


Researchers Discover New ‘Glove Stealer’ .NET Malware

This malware appears to be in its early stages of development.  It is capable of stealing cookies, cryptocurrency wallets, 2FA tokens, and more from Firefox and Chromium-based browsers.

https://www.bleepingcomputer.com/news/security/new-glove-infostealer-malware-bypasses-google-chromes-cookie-encryption/

https://www.gendigital.com/blog/insights/research/glove-stealer


Hijacked Domains Fuel Threat Actors Attack Campaigns

There is no end to threat actors abusing legit infrastructure.  Researchers share an attack technique called Sitting Ducks.  Like abused residential routers, hijacked domains are very difficult for security tools to detect, and several threat actors abuse them for various purposes.

https://thehackernews.com/2024/11/experts-uncover-70000-hijacked-domains.html

https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/

https://insights.infoblox.com/resources-research-report/infoblox-research-report-dns-predators-attack-vipers-hawks-hijack-sitting-ducks-domains


New Strela Stealer Phishing Campaign Abuses Stolen Emails

The campaign has changed tactics from generic fake invoices to stolen emails from real entities.  While mainly targeting Europe currently, that can change quickly.  The Strela Stealer malware itself has changed little over the past two years.

https://therecord.media/cybercriminals-taget-spain-germany-ukraine-strela-stealer-malware

https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/


Researchers Share the State of Cloud Ransomware in 2024

Common attacks today include targeting cloud storage, using cloud services for data exfiltration, and web application ransom attacks.  Cloud infrastructure is increasingly being targeted by threat actors, both cybercriminals and nation state backed.

https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/


RustyAttr Trojan Abuses macOS Extended Attributes for Deployment

A novel technique has been discovered to install a new trojan on macOS.  Malicious code is hidden in custom file attributes to evade defenses.  macOS extended attributes hold metadata that is not directly visible in Finder or in a standard terminal listing.

https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/

https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
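A small audit that surfaces the metadata the paragraph above calls hidden: it lists each file's extended attributes and reports names outside a short allowlist of keys macOS itself writes, oversized values, and values that look like script text. This is an added example, not code from the article or from Group-IB. Python's os.listxattr/os.getxattr only exist on Linux, so on macOS the script shells out to the xattr(1) tool, and the assumed output format of `xattr -px` (space-separated hex bytes) is what the wrapper parses; the allowlist, the size threshold, the script markers and the fake file tree in the test are all assumptions.

```python
"""Audit files for extended attributes that could hide a payload (added example)."""
import os
import subprocess
import sys

# Assumed allowlist of attributes macOS itself writes; extend for your fleet.
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.provenance",
    "com.apple.lastuseddate#PS",
}
KNOWN_BENIGN_PREFIXES = ("com.apple.metadata:",)
MAX_VALUE_BYTES = 1024                                   # assumed threshold
SCRIPT_MARKERS = (b"#!", b"<script", b"eval(", b"base64")  # assumed heuristics


def _list_xattrs_cli(path):
    """macOS fallback: `xattr FILE` prints one attribute name per line."""
    out = subprocess.run(["xattr", path], capture_output=True, text=True, check=True)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


def _get_xattr_cli(path, name):
    """macOS fallback: `xattr -px NAME FILE` prints the value as hex bytes."""
    out = subprocess.run(["xattr", "-px", name, path], capture_output=True,
                         text=True, check=True)
    return bytes.fromhex("".join(out.stdout.split()))


def classify(name, value):
    """Return the reasons an attribute looks suspicious (empty list if none)."""
    reasons = []
    if name not in KNOWN_BENIGN and not name.startswith(KNOWN_BENIGN_PREFIXES):
        reasons.append("unknown-name")
    if len(value) > MAX_VALUE_BYTES:
        reasons.append("oversized")
    head = value[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        reasons.append("script-like")
    return reasons


def audit_paths(paths, list_fn=None, get_fn=None):
    """Yield (path, attribute, reasons) for every suspicious attribute on the given files.

    list_fn/get_fn default to os.listxattr/os.getxattr on Linux and to the
    xattr(1) wrappers elsewhere; tests can pass fakes.
    """
    list_fn = list_fn or getattr(os, "listxattr", _list_xattrs_cli)
    get_fn = get_fn or getattr(os, "getxattr", _get_xattr_cli)
    for path in paths:
        try:
            names = list_fn(path)
        except (OSError, subprocess.CalledProcessError):
            continue                       # unreadable file or unsupported filesystem
        for name in names:
            try:
                value = get_fn(path, name)
            except (OSError, subprocess.CalledProcessError):
                value = b""
            reasons = classify(name, value)
            if reasons:
                yield path, name, reasons


def audit_tree(root, **kw):
    """Walk a directory and audit every regular file, without following symlinks."""
    def files():
        for dirpath, _dirs, filenames in os.walk(root):
            for fn in filenames:
                p = os.path.join(dirpath, fn)
                if not os.path.islink(p):
                    yield p
    return list(audit_paths(files(), **kw))


if __name__ == "__main__":
    for path, name, reasons in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {name} -> {', '.join(reasons)}")
```

Point it at user-writable locations such as Downloads, application bundles and launch-agent directories; a hit on "script-like" is the one worth pulling the file for, since an attribute holding interpretable text is not something a normal application writes.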


Data Aggregator Leaks 122 million Records

DemandScience is the organization that didn’t turn off a system decommissioned two years ago.  Formerly known as Pure Incubation, they admitted this is data from their system.  The good news is that it’s business data without passwords.

https://www.bleepingcomputer.com/news/security/leaked-info-of-122-million-linked-to-b2b-data-aggregator-breach/

https://www.troyhunt.com/inside-the-demandscience-by-pure-incubation-data-breach/


North Korean Fraudulent Remote Work Scheme

Researchers dig into the behavior of North Koreans infiltrating organizations worldwide.  Based on public information, a strategy is shared to detect the operatives.  In addition to violating sanctions, these workers pose a threat to organizations through data exfiltration and extortion.

https://unit42.paloaltonetworks.com/north-korean-it-workers/


Dark Web Posts Bring Back MOVEit Leak Worries

A threat actor released employee data from 25 companies on a cybercriminal forum and is claiming 1,000 more releases. 

https://therecord.media/delta-amazon-vendor-breach-confirmed

https://www.infostealers.com/article/massive-moveit-vulnerability-breach-hacker-leaks-employee-data-from-amazon-mcdonalds-hsbc-hp-and-potentially-1000-other-companies/


New LodaRAT Campaign Observed

While an older malware, it still works very well.  A few updates have been observed, but overall it remains largely the same.  Researchers provide victimology and technical analysis.

https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/


A Multi-Stage PowerShell Infection Chain Analyzed

Researchers dig into a sophisticated attack chain that starts with a LNK file.

https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/


New-Ish Ymir Ransomware Strain Runs In-Memory

It appears Ymir ransomware is working with RustyStealer threat actors.

https://www.bleepingcomputer.com/news/security/new-ymir-ransomware-partners-with-rustystealer-in-attacks/

https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/

