Cyber Threat Weekly – #56
The week of December 9th through December 15th, about 348 cyber news articles were reviewed. Only a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with HeartCrypt – Packer-as-a-Service (PaaS).
Citrix NetScaler / NetScaler Gateway under brute force attack. Covert Linux multi-stage rootkit attack. New custom malware IOCONTROL targets SCADA and Linux IoT devices. Zero-day remote code execution (RCE) bug in Cleo managed file transfer products.
Active Adversary Report 2024. Updated version of ZLoader malware analyzed. Social engineering continues to be a go-to technique. Visual Studio Code tunnels are abused for remote access. The 2024 Industry Threat Profile Report.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
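As an added example of the prioritization described above (not code from the newsletter or from CISA), the script below triages a scanner export by three tiers: CISA KEV entries first, weaponized-PoC flaws second, everything else on the routine cycle, with Internet-exposed assets sorted ahead within each tier. The KEV snapshot is a hand-built subset in the shape of CISA's JSON feed, and the finding format, the `WEAPONISED_POC` set and the `CVE-0000-0000x` identifiers are constructed placeholders.

```python
"""Triage scanner findings against a CISA KEV snapshot plus a PoC watchlist.

Added example; not the newsletter's or CISA's code. Assumptions:
- KEV_SNAPSHOT mirrors the shape of CISA's KEV JSON feed (only the fields
  used here). In production, load the real feed from
  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- Findings are dicts with "asset", "cve" and "internet_exposed" (constructed).
- WEAPONISED_POC is a constructed watchlist; CVE-0000-0000x IDs are placeholders.
"""

# Constructed subset of the KEV feed: the two CVEs named in this week's issue.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-49138", "vendorProject": "Microsoft",
         "product": "Windows"},
        {"cveID": "CVE-2024-50623", "vendorProject": "Cleo",
         "product": "Multiple Products"},
    ]
}

# Constructed watchlist of flaws with weaponized PoC code (placeholder ID).
WEAPONISED_POC = {"CVE-0000-00002"}

# Constructed scanner export.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-00003", "internet_exposed": True},
    {"asset": "file-xfer-01", "cve": "CVE-2024-50623", "internet_exposed": True},
    {"asset": "ws-0042", "cve": "CVE-2024-49138", "internet_exposed": False},
    {"asset": "app-07", "cve": "CVE-0000-00002", "internet_exposed": False},
]

EMERGENCY = "emergency: patch within 24-48 hours"
ROUTINE = "routine patch cycle"


def load_kev_ids(kev_feed):
    """Return the set of CVE IDs present in a KEV feed document."""
    return {entry["cveID"] for entry in kev_feed["vulnerabilities"]}


def classify(cve, kev_ids, poc_ids):
    """Tier 1 = known exploited, tier 2 = weaponized PoC, tier 3 = other."""
    if cve in kev_ids:
        return 1
    if cve in poc_ids:
        return 2
    return 3


def triage(findings, kev_ids, poc_ids):
    """Attach a tier and SLA to each finding and order the work queue.

    Tiers 1 and 2 both fall under the 24-48 hour emergency process; within
    a tier, Internet-exposed assets come first, then CVE ID for stability.
    """
    rows = []
    for finding in findings:
        tier = classify(finding["cve"], kev_ids, poc_ids)
        rows.append({**finding, "tier": tier,
                     "sla": EMERGENCY if tier < 3 else ROUTINE})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev_ids(KEV_SNAPSHOT), WEAPONISED_POC):
        print(f"tier {row['tier']}  {row['cve']:<16} {row['asset']:<14} "
              f"exposed={row['internet_exposed']!s:<5} {row['sla']}")
```

The queue puts the Internet-facing Cleo host first, then the internal Windows CLFS finding, then the PoC-only flaw, and leaves the unlisted CVE on the routine cycle; swapping in the live KEV feed and your own PoC watchlist is the only change needed for real data.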
CISA Known Exploited Vulnerabilities for December 9th to December 15th:
CVE-2024-49138 – Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability:
Allows a local attacker to escalate privileges.
CVE-2024-50623 – Cleo Multiple Products Unrestricted File Upload Vulnerability:
Can lead to remote code execution with elevated privileges, affects Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products.
Technical Analysis of HeartCrypt, Packer-as-a-Service
Packers obfuscate malware to minimize detection. This service costs $20 per file. It is designed to be fully undetectable (FUD) and is actively used by multiple threat actors. The service started advertising in February 2024; development started approximately July 2023.
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
Password Spray Attacks Against NetScaler and NetScaler Gateway
Numerous widespread password spray attacks targeting edge network devices have occurred this year against multiple vendors. Citrix is the latest vendor under attack. Multi-factor authentication is the best defense against brute force attacks.
https://www.citrix.com/blogs/2024/12/13/password-spraying-attacks-netscaler-december-2024/
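A password spray differs from classic brute force in that one source tries a few passwords across many accounts, which is the signal a detector should key on. The following is an added example (not Citrix's code or the newsletter's) that runs that check over constructed authentication log lines: it groups failures by source address, counts distinct usernames in a sliding window, and lists any account that later authenticated successfully from the same source. The log format is invented for the example and is not NetScaler's native syslog format; adapt `LOG_RE` to your source.

```python
"""Flag password-spray patterns in authentication logs.

Added example; the log format, addresses and usernames below are
constructed and do not come from Citrix or the newsletter.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth src=<ip> user=<name> result=<FAIL|SUCCESS>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: one spraying source, one single-account brute force,
# and one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-12-13T10:00:01Z auth src=203.0.113.10 user=alice result=FAIL
2024-12-13T10:00:05Z auth src=203.0.113.10 user=bob result=FAIL
2024-12-13T10:00:09Z auth src=203.0.113.10 user=carol result=FAIL
2024-12-13T10:00:14Z auth src=203.0.113.10 user=dave result=FAIL
2024-12-13T10:00:20Z auth src=203.0.113.10 user=erin result=FAIL
2024-12-13T10:00:26Z auth src=203.0.113.10 user=frank result=FAIL
2024-12-13T10:00:31Z auth src=203.0.113.10 user=grace result=SUCCESS
2024-12-13T10:01:00Z auth src=198.51.100.7 user=heidi result=FAIL
2024-12-13T10:01:04Z auth src=198.51.100.7 user=heidi result=FAIL
2024-12-13T10:01:09Z auth src=198.51.100.7 user=heidi result=FAIL
2024-12-13T10:01:15Z auth src=198.51.100.7 user=heidi result=FAIL
2024-12-13T10:01:20Z auth src=198.51.100.7 user=heidi result=FAIL
2024-12-13T10:05:00Z auth src=192.0.2.44 user=ivan result=FAIL
2024-12-13T10:05:30Z auth src=192.0.2.44 user=ivan result=SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    result: str


@dataclass
class SprayAlert:
    src: str
    distinct_users: int
    users: list
    successes_after: list  # accounts that logged in from src after the spray began


def parse_log(text):
    """Parse matching lines into Event records; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append(Event(ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source that failed against >= min_users accounts
    inside any sliding time window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "FAIL"]
        best_users, best_start = set(), None
        start = 0
        for end, e in enumerate(fails):
            while fails[start].ts < e.ts - window:  # slide the window forward
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, fails[start].ts
        if len(best_users) >= min_users:
            successes = sorted({e.user for e in evs
                                if e.result == "SUCCESS" and e.ts >= best_start})
            alerts.append(SprayAlert(src, len(best_users), sorted(best_users), successes))
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"{alert.src}: {alert.distinct_users} accounts tried; "
              f"subsequent successes: {alert.successes_after or 'none'}")
```

The single-account hammering from 198.51.100.7 is deliberately not reported here: it is a lockout or brute-force case, not a spray, and a separate rule should handle it. The `successes_after` field is the part an incident responder wants first, since an account that succeeded mid-spray is the one to reset and to check for MFA enrollment.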
Analysis of PUMAKIT, a Multi-Stage Linux Rootkit
It is designed to target Linux kernels prior to version 5.7 and to activate only under specific conditions. This sophisticated rootkit has multiple stages: a dropper, two memory-resident executables, an LKM rootkit module, and a shared object (SO) userland rootkit.
https://www.elastic.co/security-labs/declawing-pumakit
IOCONTROL, Abused by Iranian APT, Targets Linux OT / IoT Devices
Iran-linked Cyber Av3ngers use this custom malware to attack industrial control systems (ICS). This is the tenth malware family to specifically target ICS. Researchers analyze a sample of the malware and share insights.
https://thehackernews.com/2024/12/iran-linked-iocontrol-malware-targets.html
https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
Cleo Managed File Transfer Zero-Day RCE Bug
The LexiCom, VLTrader, and Harmony products are under active exploitation. An insufficient patch of CVE-2024-50623 from October appears to be the culprit. The new CVE-2024-55956 is now fixed. File transfer software is a favorite threat actor target.
Active Adversary Report 1H 2024 – Sophos
Nice insights and patterns from multiple active adversary reports. Abuse of living-off-the-land binaries (LOLbins), specifically the number of unique LOLbins abused, is up dramatically, and that’s just the first half of 2024. Remote desktop protocol (RDP) abuse is always sky high, although there is a slight decrease in this report. Dwell time and other trends are shared.
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
Improved Version of ZLoader Malware Analyzed
The new malware gets some notable upgrades, including an interactive shell, better anti-analysis methods, and a custom DNS tunnel protocol for C2 comms. Researchers observed deployment of the malware using more targeted techniques.
https://thehackernews.com/2024/12/zloader-malware-returns-with-dns.html
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling
Dubai Police Impersonated in Social Engineering Scheme
In a wide-scale scam, victims are called by fraudsters and asked to pay traffic tickets, parking fines, and the like. Getting creative, the campaign included SMS/iMessages and email messages with Dubai Police branding before phone calls were made.
Remote Access via Visual Studio Code (VSCode) Tunnels
Chinese threat actors abuse Microsoft’s Remote Development feature, a legitimate service allowing developers to securely access and work on remote systems. The tunnels use Microsoft Azure infrastructure and the executables are signed by Microsoft. Look for this to possibly become a more popular technique.
2024 Industry Threat Profile Report – Optiv
Threat intelligence findings from October 1, 2023, to September 30, 2024, are covered in this report. It is organized by industry, with a threat heatmap for each industry split across geographies and recommended CIS 18 controls for each industry.
https://www.optiv.com/sites/default/files/2024-12/threat-industry-report-2024_0.pdf
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter