Skip to content

Cyber Threat Weekly – #53

Derek Krein
6 min read

The week of November 18th through November 24th, 342 cyber news articles were reviewed.  A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with threat actors love the ‘bring your own vulnerable driver’ attack.

Threat actors use Wi-Fi to breach US organization from Russia.  Chinese threat actors go after Linux.  Researchers observe an increase in the ClickFix social engineering technique.  Palo Alto Networks updates its threat advisory. 

CISA updates BianLian ransomware advisory.  Five local privilege escalation bugs in Ubuntu Linux.  Red team assessment by CISA, lessons learned.  MITRE releases the top 25 list of the most dangerous software weaknesses. 

Apple fixes two actively exploited zero-day bugs.  BlackSuit ransomware activity is on the rise.  Researchers share what’s known about new-ish Helldown ransomware.  FrostyGoop, an ICS-centric malware analyzed.

Two VMware vCenter flaws actively exploited.


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.


CISA Known Exploited Vulnerabilities for November 18th to November 24th:

CVE-2024-9474 – Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability:
Allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.

CVE-2024-0012 – Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability:
An authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.

CVE-2024-1212 – Progress Kemp LoadMaster OS Command Injection Vulnerability:
Allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.

CVE-2024-38813 – VMware vCenter Server Privilege Escalation Vulnerability:
Allows an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet.

CVE-2024-38812 – VMware vCenter Server Heap-Based Buffer Overflow Vulnerability:
Allows an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet.

CVE-2024-21287 – Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability:
Successful exploitation of this vulnerability may result in unauthenticated file disclosure.

CVE-2024-44309 – Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability:
Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.

CVE-2024-44308 – Apple Multiple Products Code Execution Vulnerability:
Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to arbitrary code execution.


A Twist on the ‘Bring-Your-Own-Vulnerable-Driver’ (BYOVD) Attack

The malware is a variant of an EDR Killer not attributed to a specific family.  It abuses an old vulnerable version of Avast's Anti-Rootkit kernel driver.  There are 142 processes targeted for shutdown from several security vendors.

https://www.bleepingcomputer.com/news/security/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses/

https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/


Russian APT uses Wi-Fi to Breach a US Organization from Russia

State sponsored operatives have been known to pull into a target organization’s parking lot and abuse their Wi-Fi.  This one is interesting, using neighboring Wi-Fi to attack the target.  Once again legit credentials were abused, but over Wi-Fi.  Using certificates to authenticate machines and user creds for login would help here.  Yesterday’s nation state attack is tomorrow’s commodity attack.

https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/

https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/


New Linux Malware Abused by Chinese Threat Actors

The first malware dubbed ‘WolfsBane’ features a dropper, launcher, and backdoor as well as a modified open-source rootkit.  They also discovered a second malware called ‘FireWood’; it appears to be a shared tool amongst multiple Chinese groups. 

https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/

https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/#Technical%20analysis


An Increase in the ClickFix Social Engineering Technique Observed

Earlier this year, researchers spotted a ClickFix campaign and shared the details.  There has been an uptick in ClickFix campaigns, and the lures are getting better.  ClickFix tricks victims into copying, pasting, and running malicious content on their computers. 

https://www.csoonline.com/article/3610611/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html

https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape


Two Actively Exploited Vulnerabilities Targeting Palo Alto Firewalls

Palo Alto has updated their threat brief, tracking continued exploitation, again asking to secure the management interfaces.  Secondary is to patch your devices.  Even though the Internet exposed is the current concern, threat actors inside the network can still abuse these bugs for post exploitation behavior.  In addition, researchers claim over 2,000 compromised firewalls.

https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

https://www.bleepingcomputer.com/news/security/over-2-000-palo-alto-firewalls-hacked-using-recently-patched-bugs/


CISA BianLian Advisory Updated

Several new tactics, techniques, and procedures are shared.  BianLian is now a data extortion group, abandoning file encryption.  This makes sense, as victims pay even without encryption, the overhead is a huge cost for ransomware gangs.

https://www.bleepingcomputer.com/news/security/cisa-says-bianlian-ransomware-now-focuses-only-on-data-theft/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a


Five Bugs in the ‘needrestart’ Utility in Ubuntu Linux, 10 Years Old

Researchers discovered the bugs tracked as CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-45991, and CVE-2024-48992.  These are local privilege escalation vulnerabilities.  A big factor, local access to the OS is required to exploit these bugs.

https://www.bleepingcomputer.com/news/security/ubuntu-linux-impacted-by-decade-old-needrestart-flaw-that-gives-root/


Lessons Learned from a CISA Red Team Assessment

These are a great read; they provide a view into the mindset of an attacker.  This walk-through shares how the red team was able to pivot to gain access and laterally move through the environment.  There are a lot of lessons learned that can be applied.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a


Top 25 Most Dangerous Software Weaknesses – MITRE

We continue to see more and more vulnerabilities found.  This is a quality issue that needs to be addressed.  Most of these vulnerabilities are preventable.  MITRE has released a list of the most common and dangerous software weaknesses.

https://www.bleepingcomputer.com/news/security/mitre-shares-2024s-top-25-most-dangerous-software-weaknesses/

https://cwe.mitre.org/top25/index.html


Two Actively Exploited Zero-Day Bugs Fixed by Apple

The flaws affect iOS, macOS, iPadOS, visionOS, and the Safari web browser.  Tracked as CVE-2024-44308 and CVE-2024-44309.  The abuse of zero-days continues to rise, even after fixes are released, they remain targeted and abused.

https://www.darkreading.com/cyberattacks-data-breaches/apple-patches-actively-exploited-zero-days

https://support.apple.com/en-us/121753


Increased Activity by BlackSuit Ransomware Gang

It appears the ransomware gang maybe scaling operations.  Researchers observed a rising trend in the number of victims shared on their leak site.  The observed tactics, techniques, and procedures (TTPs) are shared. 

https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/


Newcomer, Helldown Ransomware Gang Racking up Victims

In just a few short months, the Helldown gang has added 31 victims to their leak site.  Yet another double extortion group exfiltrating data and executing encryption to increase the pressure on victims.  Little is known about their TTPs, but a few are shared.

https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/

https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/


Researchers Analyze FrostyGoop ICS-Centric Malware

This is the first ICS-centric malware that communicates with the Modbus TCP protocol.  It interacts directly with ICS/OT devices.  Modbus TCP devices exposed to the Internet can be pwned directly.  It’s compiled in the Go programming language.

https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/


Actively Exploited VMWare vCenter Flaws

Tracked as CVE-2024-38812 (CVSSv3 9.8) and CVE-3034-38813 (CVSSv3 7.5).  These bugs affect products containing vCenter which includes VMware vSphere and VMware Cloud Foundation.

https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8

Members Public

Cyber Threat Weekly – #52

The week of November 11th through November 17th, 332 cyber news articles were reviewed.  Quite a bit of cyber threat trend and adversarial behavior news to share.  Let’s start with increasing use of SVG attachments in email phishing. An undocumented Fortinet FortiClient bug used to steal VPN credentials.  Palo

Members Public

Cyber Threat Weekly – #51

The week of November 4th through November 10th, 330 cyber news articles were reviewed.  The feed list has been adjusted, so the number of articles should be mostly lower.  Let’s start with threat actors using Zip file concatenation technique. Cybercriminals abuse emergency data requests (EDRs) with compromised credentials.  AWS