
Cyber Threat Weekly – #54

Derek Krein
5 min read

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs.

Malicious Android SpyLoan apps installed 8 million times.  Malvertising continues to be a problem.  Yet another adversary-in-the-middle (AiTM) phishing service called Rockstar 2FA.  CATO CTRL Report Q3 2024.

New-ish Interlock ransomware group, what’s known so far.  ProjectSend bug actively exploited, then a webshell deployed.  Students create the first Linux UEFI bootkit proof of concept (PoC).  Researchers share an open-source tool called NachoVPN.

APT group unleashes a zero-day, zero-click attack chain.  Array Networks SSL VPN products critical flaw actively exploited.  Researchers analyze new GhostSpider malware used to pwn telcos.


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
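The prioritization order above (KEV first, weaponized PoC second, tighter SLA for Internet-exposed assets) as a small triage script. This is an added example, not code from the newsletter; the KEV excerpt is constructed and its field names are assumed to follow the CISA KEV JSON feed's schema, and the `Finding` fields are assumed to come from your own asset inventory and exploit-intel feed.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt shaped like the CISA KEV JSON feed (field names assumed to
# match the feed's schema; the dueDate is illustrative, not copied from the feed).
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-28461", "vendorProject": "Array Networks",
  "product": "AG/vxAG ArrayOS", "dueDate": "2024-12-16"}
]}"""

@dataclass
class Finding:
    cve: str
    asset: str
    internet_exposed: bool          # from your attack-surface inventory
    weaponized_poc: bool = False    # from your exploit-intel source

def load_kev(feed_json: str) -> dict:
    """Map cveID -> KEV entry for fast lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev: dict, today: str) -> list:
    """Rank findings as (tier, sla_hours, cve, asset, reason), most urgent first:
    tier 1 = in CISA KEV, tier 2 = weaponized public PoC, tier 3 = the rest.
    Internet-exposed assets get the 24h end of the 24-48h emergency window."""
    now = date.fromisoformat(today)
    ranked = []
    for f in findings:
        emergency = 24 if f.internet_exposed else 48
        if f.cve in kev:
            overdue = now > date.fromisoformat(kev[f.cve]["dueDate"])
            reason = "CISA KEV" + (" (KEV due date passed)" if overdue else "")
            ranked.append((1, emergency, f.cve, f.asset, reason))
        elif f.weaponized_poc:
            ranked.append((2, emergency, f.cve, f.asset, "weaponized PoC public"))
        else:
            ranked.append((3, 30 * 24, f.cve, f.asset, "normal patch cycle"))
    return sorted(ranked, key=lambda r: (r[0], r[1], r[2]))

if __name__ == "__main__":
    sample = [  # constructed findings; CVE-2024-00000 is a placeholder id
        Finding("CVE-2024-11680", "share.example.internal", True, weaponized_poc=True),
        Finding("CVE-2023-28461", "vpn-gw-01", True),
        Finding("CVE-2024-00000", "build-box", False),
    ]
    for row in prioritize(sample, load_kev(KEV_FEED_JSON), "2024-12-01"):
        print(row)
```

In practice you would replace `KEV_FEED_JSON` with the downloaded feed and build the findings list from your scanner output.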


CISA Known Exploited Vulnerabilities for November 25th to December 1st:

CVE-2023-28461 – Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability:

Allows an attacker to read local files and execute code on the SSL VPN gateway.


Corrupted Word Documents Used in Novel Phishing Campaign

The goal and lures in this phishing campaign are not new, but the use of easily recoverable corrupted Word documents is novel.  Defense evasion is a constant evolution for threat actors.  This campaign shows the innovation attackers continue to pursue.

https://www.bleepingcomputer.com/news/security/novel-phishing-campaign-uses-corrupted-word-documents-to-evade-security/


Over 8 million Android Malicious SpyLoan Apps Installed

Malware continues to find its way into app stores.  Targeting for these predatory loan apps was mostly South America, Southern Asia, and Africa, but that can change at any time.  The apps also ask for excessive permissions.

https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-installed-8-million-times/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyloan-a-global-threat-exploiting-social-engineering/


Malvertising Leads to Printer Help Scam

There are a multitude of malvertising scams, and even abuse of legitimate software, that lead to malware.  In this case, the scam is to get the victim to call tech support; the attackers then ask for remote access to the machine, leading to data theft and even fraud.

https://www.malwarebytes.com/blog/scams/2024/11/printer-problems-beware-the-bogus-help


New Phishing-as-a-Service (PHaaS) MFA Bypass

Rockstar 2FA is a new-ish phishing kit.  The criminals continue to commoditize services, which lowers the barrier to entry for those less technical and keeps costs minimal.  Rockstar 2FA is just another example.

https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/


CATO CTRL Report Q3 2024

This quarterly SASE report from Cato Networks provides some insight into inbound, outbound and WAN-bound traffic within organizations.  It includes some stats on how TLS traffic inspection reduces risk.  Also, some top security and network security trends are shared.

https://go.catonetworks.com/rs/245-RJK-441/images/CATO_CTRL_Report_Q3_2024.pdf


Quick Overview of Interlock Ransomware Group

Another double-extortion group; their leak site became public in early October 2024.  They currently have Windows and FreeBSD versions.  That will most likely change, as nearly every group also has a VMware version.  This group is up and coming; we’ll see where they go.

https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock


Active Exploitation of ProjectSend Bug Leads to Webshell Backdoors

The flaw, tracked as CVE-2024-11680, has a CVSS 3.1 score of 9.8.  The bug was fixed in May 2023, but a CVE was not assigned until November 26th, 2024.  Public exploits were released in September 2024, and since then activity has increased.

https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/

https://vulncheck.com/blog/projectsend-exploited-itw

https://nvd.nist.gov/vuln/detail/CVE-2024-11680


The First Linux Based UEFI Bootkit Proof of Concept (PoC)

While this is a PoC with limited support, it’s only a matter of time before the real deal starts being abused by threat actors.  Students from Korea’s Best of the Best training program created this bootkit.  Yet another threat to watch for.

https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/

https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/


New Rogue VPN Attack Using NachoVPN

SonicWall and Palo Alto Networks VPN clients have bugs that allow rogue VPN endpoints to perform various malicious activities.  Researchers share a tool and details to pwn these bugs.  It currently supports various popular VPN products.

https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rogue-vpn-servers-to-install-malicious-updates/

https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/

https://github.com/AmberWolfCyber/presentations/blob/main/2024/Very%20Pwnable%20Networks%20-%20HackFest%20Hollywood%202024.pdf

https://github.com/AmberWolfCyber/NachoVPN


Researchers Discover a Zero-Day, Zero-Click APT Attack

Active exploitation of a zero-day bug in Mozilla products was discovered.  Additional analysis revealed another zero-day privilege escalation bug in Windows.  The resulting attack chain leads to a zero-click installation of the RomCom backdoor malware.

https://www.darkreading.com/application-security/romcom-apt-zero-day-zero-click-browser-escapes-firefox-tor

https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/


Critical Flaw in Array Networks SSL VPN Products Exploited

The bug is tracked as CVE-2023-28461, rated a critical 9.8 CVSS score, and was fixed in March 2023.  The exploited systems simply aren’t patched and have no mitigations in place.  The bug has been added to the CISA known exploited vulnerability catalog.

https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/

https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf


APT Salt Typhoon GhostSpider Malware Analyzed

This Chinese state-sponsored group pwned multiple telcos and other organizations across several countries, including AT&T, Verizon, T-Mobile, and Lumen Technologies in the US, using several tools including the new GhostSpider malware.

https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/

https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

