Cyber Threat Weekly – #53
The week of November 18th through November 24th, 342 cyber news articles were reviewed. A moderate amount of cyber threat trend and adversarial behavior news to share. Let’s start with threat actors love the ‘bring your own vulnerable driver’ attack.
Threat actors use Wi-Fi to breach US organization from Russia. Chinese threat actors go after Linux. Researchers observe an increase in the ClickFix social engineering technique. Palo Alto Networks updates its threat advisory.
CISA updates BianLian ransomware advisory. Five local privilege escalation bugs in Ubuntu Linux. Red team assessment by CISA, lessons learned. MITRE releases the top 25 list of the most dangerous software weaknesses.
Apple fixes two actively exploited zero-day bugs. BlackSuit ransomware activity is on the rise. Researchers share what’s known about new-ish Helldown ransomware. FrostyGoop, an ICS-centric malware analyzed.
Two VMware vCenter flaws actively exploited.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for November 18th to November 24th:
CVE-2024-9474 – Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability:
Allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
CVE-2024-0012 – Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability:
An authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.
CVE-2024-1212 – Progress Kemp LoadMaster OS Command Injection Vulnerability:
Allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
CVE-2024-38813 – VMware vCenter Server Privilege Escalation Vulnerability:
Allows an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet.
CVE-2024-38812 – VMware vCenter Server Heap-Based Buffer Overflow Vulnerability:
Allows an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet.
CVE-2024-21287 – Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability:
Successful exploitation of this vulnerability may result in unauthenticated file disclosure.
CVE-2024-44309 – Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability:
Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.
CVE-2024-44308 – Apple Multiple Products Code Execution Vulnerability:
Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to arbitrary code execution.
A Twist on the ‘Bring-Your-Own-Vulnerable-Driver’ (BYOVD) Attack
The malware is a variant of an EDR Killer not attributed to a specific family. It abuses an old vulnerable version of Avast's Anti-Rootkit kernel driver. There are 142 processes targeted for shutdown from several security vendors.
Russian APT uses Wi-Fi to Breach a US Organization from Russia
State sponsored operatives have been known to pull into a target organization’s parking lot and abuse their Wi-Fi. This one is interesting, using neighboring Wi-Fi to attack the target. Once again legit credentials were abused, but over Wi-Fi. Using certificates to authenticate machines and user creds for login would help here. Yesterday’s nation state attack is tomorrow’s commodity attack.
New Linux Malware Abused by Chinese Threat Actors
The first malware dubbed ‘WolfsBane’ features a dropper, launcher, and backdoor as well as a modified open-source rootkit. They also discovered a second malware called ‘FireWood’; it appears to be a shared tool amongst multiple Chinese groups.
An Increase in the ClickFix Social Engineering Technique Observed
Earlier this year, researchers spotted a ClickFix campaign and shared the details. There has been an uptick in ClickFix campaigns, and the lures are getting better. ClickFix tricks victims into copying, pasting, and running malicious content on their computers.
Two Actively Exploited Vulnerabilities Targeting Palo Alto Firewalls
Palo Alto has updated their threat brief, tracking continued exploitation, again asking to secure the management interfaces. Secondary is to patch your devices. Even though the Internet exposed is the current concern, threat actors inside the network can still abuse these bugs for post exploitation behavior. In addition, researchers claim over 2,000 compromised firewalls.
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
CISA BianLian Advisory Updated
Several new tactics, techniques, and procedures are shared. BianLian is now a data extortion group, abandoning file encryption. This makes sense, as victims pay even without encryption, the overhead is a huge cost for ransomware gangs.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
Five Bugs in the ‘needrestart’ Utility in Ubuntu Linux, 10 Years Old
Researchers discovered the bugs tracked as CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-45991, and CVE-2024-48992. These are local privilege escalation vulnerabilities. A big factor, local access to the OS is required to exploit these bugs.
Lessons Learned from a CISA Red Team Assessment
These are a great read; they provide a view into the mindset of an attacker. This walk-through shares how the red team was able to pivot to gain access and laterally move through the environment. There are a lot of lessons learned that can be applied.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
Top 25 Most Dangerous Software Weaknesses – MITRE
We continue to see more and more vulnerabilities found. This is a quality issue that needs to be addressed. Most of these vulnerabilities are preventable. MITRE has released a list of the most common and dangerous software weaknesses.
https://cwe.mitre.org/top25/index.html
Two Actively Exploited Zero-Day Bugs Fixed by Apple
The flaws affect iOS, macOS, iPadOS, visionOS, and the Safari web browser. Tracked as CVE-2024-44308 and CVE-2024-44309. The abuse of zero-days continues to rise, even after fixes are released, they remain targeted and abused.
https://www.darkreading.com/cyberattacks-data-breaches/apple-patches-actively-exploited-zero-days
https://support.apple.com/en-us/121753
Increased Activity by BlackSuit Ransomware Gang
It appears the ransomware gang maybe scaling operations. Researchers observed a rising trend in the number of victims shared on their leak site. The observed tactics, techniques, and procedures (TTPs) are shared.
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
Newcomer, Helldown Ransomware Gang Racking up Victims
In just a few short months, the Helldown gang has added 31 victims to their leak site. Yet another double extortion group exfiltrating data and executing encryption to increase the pressure on victims. Little is known about their TTPs, but a few are shared.
https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
Researchers Analyze FrostyGoop ICS-Centric Malware
This is the first ICS-centric malware that communicates with the Modbus TCP protocol. It interacts directly with ICS/OT devices. Modbus TCP devices exposed to the Internet can be pwned directly. It’s compiled in the Go programming language.
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
Actively Exploited VMWare vCenter Flaws
Tracked as CVE-2024-38812 (CVSSv3 9.8) and CVE-3034-38813 (CVSSv3 7.5). These bugs affect products containing vCenter which includes VMware vSphere and VMware Cloud Foundation.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
