Cyber Threat Weekly – #55
The week of December 2nd through December 8th there were 353 cyber news articles reviewed. A relatively large amount of cyber threat trends and adversarial behavior news to share. Let’s start with a twist on the fake video conferencing apps campaign.
New Russian hacktivist group targeting energy systems. Supply chains continue to be targeted by miscreants. Researchers share technical details of new Termite ransomware. Clickless 0-day Windows bug uncovers NTLM credentials.
Black Basta ransomware actors continue an ongoing social engineering campaign. Researchers analyze two new malware tools from malware-as-a-service (MaaS) threat actor. Global Cyber Resilience Report 2024.
Difficult-to-detect, JavaScript-based Celestial Stealer. Manufacturing industry targeted with Lumma Stealer and Amadey Bot. Zero-day bug in Mitel MiCollab with proof-of-concept (PoC) code available. Salt Typhoon, scope still unknown.
A new Android malware, DroidBot, targets banking and crypto apps. Russia-sponsored threat actors take over Pakistani APT cyber-attack infrastructure. Threat actors increasingly abuse Cloudflare’s developer domains.
Akira ransomware gang deep dive.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for December 2nd to December 8th:
CVE-2024-11667 – Zyxel Multiple Firewalls Path Traversal Vulnerability:
Contains a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.
CVE-2024-11680 – ProjectSend Improper Authentication Vulnerability:
Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
CVE-2023-45727 – North Grid Proself Improper Restriction of XML External Entity (XXE) Reference Vulnerability:
Could allow a remote, unauthenticated attacker to conduct an XXE attack.
CVE-2024-51378 – CyberPanel Incorrect Default Permissions Vulnerability:
Allows an authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.
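One way to put the patching order described above into practice, as an added example that is not code from the newsletter or from CISA: KEV-listed flaws first, flaws with weaponized PoC code second, everything else after, with internet exposure and overdue CISA deadlines pushing items up within each tier, and a 48-hour emergency deadline for the first two tiers. The KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed; the catalog excerpt, dates, ransomware flags, asset names and the 30-day routine window are constructed sample data and assumptions, not CISA's real values (the four CVE IDs are the ones listed above).

```python
"""Triage a vulnerability inventory against a CISA KEV catalog excerpt.

Added example, not code from the newsletter or from CISA. Field names follow
the public KEV JSON feed; every value below is constructed or illustrative.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Constructed excerpt in the shape of the KEV feed. The CVE IDs are the four
# from the newsletter; dueDate and knownRansomwareCampaignUse are illustrative.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-11667", "vendorProject": "Zyxel", "product": "Multiple Firewalls",
         "dateAdded": "2024-12-03", "dueDate": "2024-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-11680", "vendorProject": "ProjectSend", "product": "ProjectSend",
         "dateAdded": "2024-12-03", "dueDate": "2024-12-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-45727", "vendorProject": "North Grid", "product": "Proself",
         "dateAdded": "2024-12-03", "dueDate": "2024-12-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-51378", "vendorProject": "CyberPanel", "product": "CyberPanel",
         "dateAdded": "2024-12-04", "dueDate": "2024-12-05", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory: what a scanner found on which asset, plus two flags
# the analyst fills in. The CVE-YYYY-PLACEHOLDER IDs stand for flaws not in KEV.
INVENTORY = [
    {"asset": "fw-edge-01", "cve": "CVE-2024-11667", "internet_exposed": True, "weaponized_poc": False},
    {"asset": "files-int-02", "cve": "CVE-2024-11680", "internet_exposed": False, "weaponized_poc": True},
    {"asset": "panel-dmz-01", "cve": "CVE-2024-51378", "internet_exposed": True, "weaponized_poc": True},
    {"asset": "app-int-07", "cve": "CVE-YYYY-PLACEHOLDER1", "internet_exposed": False, "weaponized_poc": True},
    {"asset": "app-int-08", "cve": "CVE-YYYY-PLACEHOLDER2", "internet_exposed": True, "weaponized_poc": False},
]

TODAY = date(2024, 12, 9)              # constructed "today" for the sample run
EMERGENCY_WINDOW = timedelta(days=2)   # the 24-to-48-hour emergency patch process
ROUTINE_WINDOW = timedelta(days=30)    # assumed routine patch cycle (assumption)


@dataclass
class Finding:
    asset: str
    cve: str
    tier: int        # 1 = in CISA KEV, 2 = weaponized PoC public, 3 = everything else
    deadline: date   # date by which the fix should be applied
    overdue: bool    # already past CISA's own due date
    reason: str


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev_json: str, inventory: list, today: date) -> list:
    """Return findings ordered by tier, then exposure, overdue status and ransomware use."""
    kev = load_kev(kev_json)
    keyed = []
    for item in inventory:
        exposed = bool(item.get("internet_exposed", False))
        entry = kev.get(item["cve"])
        overdue = ransomware = False
        if entry is not None:
            tier = 1
            cisa_due = date.fromisoformat(entry["dueDate"])
            overdue = cisa_due < today
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            # Never later than CISA's date, never later than the emergency window
            deadline = min(cisa_due, today + EMERGENCY_WINDOW)
            reason = f"in CISA KEV since {entry['dateAdded']}, CISA due {cisa_due}"
        elif item.get("weaponized_poc", False):
            tier = 2
            deadline = today + EMERGENCY_WINDOW
            reason = "weaponized PoC public"
        else:
            tier = 3
            deadline = today + ROUTINE_WINDOW
            reason = "no known exploitation"
        if exposed:
            reason += "; internet-exposed"
        if ransomware:
            reason += "; used in ransomware campaigns"
        if overdue:
            reason += "; OVERDUE"
        # False sorts before True, so exposed/overdue/ransomware items come first
        key = (tier, not exposed, not overdue, not ransomware, item["cve"], item["asset"])
        keyed.append((key, Finding(item["asset"], item["cve"], tier, deadline, overdue, reason)))
    keyed.sort(key=lambda pair: pair[0])
    return [finding for _, finding in keyed]


def report(findings: list) -> list:
    """Render one line per finding, highest priority first."""
    return [f"[tier {f.tier}] {f.asset:<13} {f.cve:<22} by {f.deadline}  {f.reason}" for f in findings]


if __name__ == "__main__":
    for line in report(triage(KEV_SAMPLE_JSON, INVENTORY, TODAY)):
        print(line)
```

Swapping the constructed catalog for the live feed means reading the real JSON file into `triage` unchanged; the inventory is the part each team has to produce from its own scanner output and asset register.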
Attackers Target Victims with Fake Video Conferencing Campaign
Web3 workers are being targeted, some in highly sophisticated ways. Threat actors use AI to create blog and product content as well as social media accounts. The fake company reaches out to targets to set up a video call; instead of a meeting app, targets get the Realst info stealer.
https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html
https://www.cadosecurity.com/blog/meeten-malware-threat
Z-Pentest, a New Russian Hacktivist Group Targeting Energy
Apparently emerging in October, this group has already claimed 10 process control panel breaches, each time posting videos of members tampering with system settings. Researchers have observed a general increase in threat activity targeting the energy sector.
https://thecyberexpress.com/russian-threat-group-z-pentest/
https://cyble.com/blog/russian-hacktivists-target-energy-and-water-infrastructure/
Ultralytics AI Library Supply Chain Compromise
The good news is that the malicious payload was only the XMRig miner; it could have been much worse. The culprit appears to be a GitHub Actions script abused via a cache poisoning technique. This is no small project, so the potential blast radius is large.
https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer
Technical Details of New Termite Ransomware
Researchers share some details of an examined Termite binary. It’s essentially a Babuk variant. Yet another double extortion ransomware group in the landscape.
https://cyble.com/blog/technical-look-at-termite-ransomware-blue-yonder/
NTLM Credentials Disclosed with Clickless 0-day Bug
Researchers discovered a bug that allows threat actors to obtain NTLM credentials by tricking victims into viewing a malicious file in Windows Explorer. So far, no official fix has been released. The flaw forces an outbound NTLM connection to a remote share.
https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html
Social Engineering is the Go-to Tactic for Black Basta Ransomware
Since June 2024, Black Basta threat actors have been using lures via Microsoft Teams to trick victims into installing remote management software. From there, researchers observe them using the RMM tool to download and execute malicious payloads. The threat actors continue to update their tools and techniques.
https://cybersecuritynews.com/black-basta-ransomware-microsoft/
Venom Spider MaaS Threat Actor, New Tools Deep Dive
Researchers discover and analyze two new malicious tools, RevC2 and Venom Loader. They cover the attack chain used in two campaigns, malware features, network communication protocols, and commands. MITRE techniques are also shared.
https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
Cohesity - Global Cyber Resilience Report 2024
In this report 3,139 IT and security operations (SecOps) decision makers were surveyed, split about 50/50. According to this survey, cyber resilience is still an issue that needs to be addressed. 67% said their organizations were victims of ransomware in 2024.
Celestial Stealer, a JavaScript Based Infostealer
Delivered as MaaS and advertised on Telegram. This Windows 10 / 11 stealer is packaged either as an Electron application or as a single Node.js application. The malware provider markets it as FUD (Fully Undetectable), and periodic updates ensure it remains FUD.
https://cybersecuritynews.com/celestial-stealer-attacking-browsers/
https://www.trellix.com/blogs/research/anatomy-of-celestial-stealer-malware-as-a-service-revealed/
Lumma Stealer and Amadey Bot Abused Against Manufacturing
Researchers share a multi-stage attack chain including a deceptive LNK file, multiple living-off-the-land binaries (LOLBins), file injections, and other evasion techniques. Threat actors are increasing the sophistication of their campaigns.
https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
PoC Exploit Available for Mitel MiCollab Zero-Day Bug
Researchers discovered the latest zero-day while investigating a previously discovered flaw. They waited 100 days before releasing the details and PoC exploit. Keep an eye on this; there is a good chance it will be actively exploited.
Multiple Telcos Breached by Salt Typhoon – Joint Advisory
This one has been in the news a few times, but press releases this week reveal 8 telecom firms compromised, with only four revealed previously. A joint advisory provides hardening network security guidance. Also use encrypted voice and messaging apps.
A New MaaS Android Remote Access Trojan (RAT) DroidBot
Currently targeting banking and crypto apps in the UK, France, Italy, Spain and Portugal; the threat actors change geo-targeting often. Active since June 2024, the malware appears to be under active development. Its main features are SMS interception (OTPs for banking apps) and keylogging.
https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation
Pakistani APT Infrastructure Compromised by Russian APT
Russian-sponsored threat actors abuse Pakistani servers to launch covert attacks. They used the infrastructure to access previously breached targets and deploy their own malware tools. They also moved laterally to Pakistani workstations, gaining access to all of their data and tools.
https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/
Legit Cloudflare Developer Domains Abuse Rising
As reported repeatedly in this newsletter, the use of legitimate domains and infrastructure continues to grow. Adding legitimacy to threat actor campaigns is a key to higher conversion rates. This trend has been growing for years.
A Technical Deep Dive into Akira Ransomware Operations
Target regions and industries are shared based on the group's data leak site info. Akira is a ransomware-as-a-service (RaaS) utilizing double extortion. Typical observed behavior and tools are shared, as well as IoCs.
https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter