
Cyber Threat Weekly – #57

Derek Krein

The week of December 16th through December 22nd, around 326 cyber news articles were reviewed.  A moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with $2.2 billion in Cryptocurrency stolen in 2024.

New Phishing-as-a-Service (PHaaS) on the rise.  Obfuscating malicious JavaScript using LLMs.  Critical bug in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS).  A social engineering campaign using the “Fix-It” technique.

Threat actors abusing .LNK files with SSH and PowerShell to evade detection.  LockBit is looking to make a comeback early next year.  Investigating the bring your own vulnerable driver (BYOVD) technique.  Nation state abusing a red team RDP tool.

Dragos Industrial Ransomware Analysis: Q3 2024.  Researchers share LDAP enumeration tools, techniques, and detection strategies.  CISA orders mandatory secure practices for cloud services.  Apache Struts critical bug exploited to enumerate vulnerable systems.

Patched Windows Kernel flaw actively exploited.  Another campaign using the “ClickFix” technique via malvertising. 


Broken Record Alert: Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
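The prioritization the three paragraphs above describe, worked as an added example (not part of this newsletter): findings from an asset inventory are ranked against the CISA KEV catalog first, weaponized-PoC flaws second, both on an emergency 24-to-48-hour clock, with Internet-exposed assets ahead of internal ones and everything else on a normal cycle. The KEV record field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) match the public known_exploited_vulnerabilities.json feed; the feed excerpt, the inventory, the run date and the weaponized-PoC list are constructed sample data, and the PoC list stands in for whatever exploit-intelligence source you actually use.

```python
"""Patch prioritization against the CISA KEV catalog (added example, constructed data)."""
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV feed. CVE ids are the ones in
# this week's list; dates and ransomware flags are illustrative, not official.
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access / Remote Support",
         "dateAdded": "2024-12-19", "dueDate": "2024-12-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-55956", "vendorProject": "Cleo",
         "product": "Multiple Products",
         "dateAdded": "2024-12-17", "dueDate": "2025-01-07",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft",
         "product": "Windows",
         "dateAdded": "2024-12-16", "dueDate": "2025-01-06",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Assumption: ids with weaponized public exploit code, from your own intel feed.
SAMPLE_WEAPONIZED_POCS = {"CVE-2024-52677"}

# Constructed inventory: which CVE is open on which asset, and its exposure.
SAMPLE_INVENTORY = [
    {"asset": "web-01", "cve": "CVE-2024-12356", "internet_exposed": True},
    {"asset": "dc-01", "cve": "CVE-2024-35250", "internet_exposed": False},
    {"asset": "build-07", "cve": "CVE-2024-52677", "internet_exposed": True},
    {"asset": "fileproc-02", "cve": "CVE-2024-55956", "internet_exposed": False},
    {"asset": "lab-03", "cve": "CVE-0000-0000", "internet_exposed": False},  # placeholder id
]

RUN_DATE = date(2024, 12, 23)  # constructed "today" so the output is reproducible
NORMAL_CYCLE_DAYS = 30         # assumption: your standard patch SLA for everything else


def index_kev(feed: dict) -> dict:
    """Map cveID -> KEV record so membership checks are O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def classify(finding: dict, kev: dict, weaponized: set, today: date) -> dict:
    """Assign tier, reason and a patch deadline to one inventory finding."""
    cve, exposed = finding["cve"], finding["internet_exposed"]
    record = kev.get(cve)
    if record is not None:
        tier, reason = 1, "actively exploited (CISA KEV)"
        due = today + timedelta(hours=24 if exposed else 48)
    elif cve in weaponized:
        tier, reason = 2, "weaponized PoC available"
        due = today + timedelta(hours=24 if exposed else 48)
    else:
        tier, reason = 3, "normal patch cycle"
        due = today + timedelta(days=NORMAL_CYCLE_DAYS)
    return {
        "asset": finding["asset"], "cve": cve, "tier": tier, "reason": reason,
        "internet_exposed": exposed,
        "ransomware": record is not None and record.get("knownRansomwareCampaignUse") == "Known",
        "due": due,
    }


def prioritize(inventory, feed, weaponized, today=None):
    """Return findings sorted by tier, then Internet-exposed first, then ransomware-linked."""
    today = today or date.today()
    kev = index_kev(feed)
    rows = [classify(f, kev, weaponized, today) for f in inventory]
    return sorted(rows, key=lambda r: (r["tier"], not r["internet_exposed"], not r["ransomware"]))


if __name__ == "__main__":
    for r in prioritize(SAMPLE_INVENTORY, SAMPLE_KEV_FEED, SAMPLE_WEAPONIZED_POCS, RUN_DATE):
        print(f"T{r['tier']} due {r['due']}  {r['asset']:12} {r['cve']:15} {r['reason']}")
```

Swap SAMPLE_KEV_FEED for the downloaded catalog and SAMPLE_INVENTORY for your scanner export and the same function produces the emergency list; the 30-day tier is only there so nothing falls off the table.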


CISA Known Exploited Vulnerabilities for December 16th to December 22nd:

CVE-2024-35250 – Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability:
Allows a local attacker to escalate privileges.

CVE-2024-20767 – Adobe ColdFusion Improper Access Control Vulnerability:
Could allow an attacker to access or modify restricted files via an internet-exposed admin panel.

CVE-2024-55956 – Cleo Multiple Products Unauthenticated File Upload Vulnerability:
Could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.  Affects Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products.

CVE-2021-40407 – Reolink RLC-410W IP Camera OS Command Injection Vulnerability:
Contains an authenticated OS command injection vulnerability in the device network settings functionality.

CVE-2019-11001 – Reolink Multiple IP Cameras OS Command Injection Vulnerability:
Allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.

CVE-2022-23227 – NUUO NVRmini 2 Devices Missing Authentication Vulnerability:
Allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users.

CVE-2018-14933 – NUUO NVRmini Devices OS Command Injection Vulnerability:
Allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

CVE-2024-12356 – BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability:
Can allow an unauthenticated attacker to inject commands that are run as a site user.


Stolen Cryptocurrency in 2024 Totals $2.2 billion

While not relevant to everyone, it is worth keeping in mind that stolen funds finance many illicit programs.  North Korea, for instance, uses stolen crypto, ransomware, and even sells access to criminals to fund its cyber and WMD programs.

https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-13-billion-worth-of-crypto-this-year/

https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/


Rockstar2FA Falls, FlowerStorm PHaaS Rising

Too early to tell what happened, but per usual in the cybercrime ecosystem, when one service goes away, another is there to fill the gap.  FlowerStorm appears similar: it's a credential harvesting and multi-factor authentication interception service.

https://www.bleepingcomputer.com/news/security/new-flowerstorm-microsoft-phishing-service-fills-void-left-by-rockstar2fa/

https://news.sophos.com/en-us/2024/12/19/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces/


Real World Abuse of LLMs to Obfuscate JavaScript

This one is interesting.  There has been a lot of hype around adversaries abusing AI for cyber-attacks.  So far, those predictions haven't materialized.  Currently, LLMs struggle to write novel malware.  Researchers used LLMs to obfuscate malicious JavaScript to a near-zero detection rate.

https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/


BeyondTrust Critical Command Injection Bug

This bug tracked as CVE-2024-12356 (CVSS Score: 9.8) and another bug tracked as CVE-2024-12686 (CVSS Score: 6.6) are already fixed in SaaS instances.  Fixes have been released for on-premises instances.

https://thehackernews.com/2024/12/cisa-adds-critical-flaw-in-beyondtrust.html

https://www.beyondtrust.com/remote-support-saas-service-security-investigation


Researchers Share Fix-It Social Engineering Campaign

This technique is a cunning way to evade defenses by tricking the victim into copying a PowerShell command and running it on their device.  Multiple lures are used, and many campaigns are being tracked by researchers. 

https://www.malwarebytes.com/blog/news/2024/12/fix-it-social-engineering-scheme-impersonates-several-brands


Stealthy Social Engineering with .LNK Files, SSH, and PowerShell

The goal is to trick users into executing .LNK files, often disguised as legitimate documents.  Once executed, SSH and PowerShell commands initiate the attack chain, using living-off-the-land binaries to evade defenses.

https://cyble.com/blog/a-stealthy-playbook-for-advanced-cyber-attacks/
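A triage routine for the kind of shortcut described above, as an added example (not from the newsletter or the Cyble write-up): it parses the Shell Link binary format (MS-SHLLINK) far enough to recover the relative target path, command-line arguments, icon location and show-command, then flags the traits of a shortcut that launches a script host while posing as a document. The sample shortcuts are constructed in code by build_lnk(), whose payload is a harmless placeholder command; the indicator lists are an assumption for illustration, not a vendor signature.

```python
"""Triage of Windows shortcut (.LNK) lures (added example, constructed samples)."""
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"  # HeaderSize .. Reserved3, 76 bytes in total
# LinkFlags bits from MS-SHLLINK
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimised
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon"))

# Assumed indicator lists (illustrative, not a vendor signature).
SCRIPT_HOSTS = ("powershell", "pwsh", "ssh.exe", "cmd.exe", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32", "certutil")
DOCUMENT_ICONS = ("winword", "excel", "powerpnt", "acrord32", "wordpad",
                  "notepad", ".pdf", ".docx", ".xlsx")
POWERSHELL_SWITCHES = ("-enc", "encodedcommand", "-w hidden", "-windowstyle hidden",
                       "bypass", "-noprofile")


def build_lnk(relative_path="", working_dir="", arguments="", icon="", show_command=1):
    """Constructed fixture: minimal Unicode LNK with a header and StringData only."""
    flags, body = IS_UNICODE, b""
    for bit, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                      (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon)):
        if text:  # each StringData item: 2-byte character count, then UTF-16LE text
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack(HEADER_FMT, 0x4C, SHELL_LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def _read_string(data, off, unicode):
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252"), off + count


def parse_lnk(data: bytes) -> dict:
    """Return show_command plus the StringData fields (empty string when absent)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: 2-byte size followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its size is the first 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    info = {"show_command": show_command}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
        else:
            info[key] = ""
    return info


def triage_lnk(data: bytes) -> list:
    """Return the list of lure traits found; an empty list means nothing stood out."""
    info = parse_lnk(data)
    launch = f"{info['relative_path']} {info['arguments']}".lower()
    reasons = []
    if any(h in launch for h in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin")
        if any(d in info["icon"].lower() for d in DOCUMENT_ICONS):
            reasons.append("document icon masking a script host")
    if any(s in launch for s in POWERSHELL_SWITCHES):
        reasons.append("hidden/encoded PowerShell switches")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    if len(info["arguments"]) > 200:
        reasons.append("unusually long argument string")
    return reasons


# Constructed samples; the lure's command is a harmless placeholder.
SAMPLE_LURE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-w hidden -NoProfile -Command "Write-Output placeholder"',
    icon=r"%ProgramFiles%\Windows NT\Accessories\wordpad.exe",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk(relative_path=r"..\Program Files\ExampleApp\app.exe",
                          working_dir=r"C:\Program Files\ExampleApp")

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, parse_lnk(sample)["relative_path"], triage_lnk(sample) or "clean")
```

Run against files from a mail gateway or an archive-extraction step, the parser is the stable part; the indicator lists are where you tune for your environment.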


Official LockBit 4.0 Ransomware-as-a-Service (RaaS)

Launching February 3rd, 2025, LockBit is looking to make a comeback.  The ransomware landscape is diverse; RaaS services come and go.  This group took a significant hit from law enforcement and lost credibility with it.  Keep an eye on this one.

https://thecyberexpress.com/lockbit-ransomware-comeback-lockbit-4-0/


Researchers Dig into Vulnerable Driver Abuse

Threat actors like to use EDR killers that abuse the BYOVD technique.  Once a nation-state evasion technique, it is now common amongst many threat actors.  The research explores the common classes of vulnerabilities in BYOVD campaigns, with examples.

https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/


Russian APT29 Abused PyRDP Red Team Tool

The PyRDP tool uses a man-in-the-middle (MitM) technique to intercept communications and effectively provides total control over all device resources.  Threat actors tricked victims into connecting to a rogue RDP server via phishing emails.

https://www.bleepingcomputer.com/news/security/russian-hackers-use-rdp-proxies-to-steal-data-in-mitm-attacks/


Dragos Industrial Ransomware Analysis: Q3 2024

A substantial uptick in ransomware attacks on OT / ICS from Q2 2024 to Q3 2024.  More than 20 ransomware groups were newly observed impacting industrial organizations.  An interesting tidbit: IT dependencies created downtime and financial impact on OT networks.

https://www.csoonline.com/article/3627361/a-new-ransomware-regime-is-now-targeting-critical-systems-with-weaker-networks.html

https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q3-2024/


Digging into the World of LDAP Enumeration

Often abused during the discovery phase of an attack campaign, LDAP is the protocol for querying directory services, especially Active Directory.  Several tools are available to help with Active Directory queries, as well as scripts to automate discovery.

https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks/
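On the detection side of the section above, an added example (not from the newsletter or the Unit 42 article): it reads directory search logs and flags clients whose query pattern looks like discovery rather than normal name lookups. The log lines are constructed in a simple one-line-per-search format (timestamp, client, account, search base, filter, scope, result count); real sources such as domain controller diagnostic logging have their own layout, so parse_log() is the part you would replace. The indicator filters and thresholds are assumptions.

```python
"""Spotting LDAP enumeration in directory search logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one LDAP search per line.
SAMPLE_LOG = """\
2024-12-18T10:00:01Z client=10.0.0.9 account=CORP\\jsmith base=DC=corp,DC=example filter=(sAMAccountName=jsmith) scope=base results=1
2024-12-18T10:00:05Z client=10.0.0.5 account=CORP\\contractor1 base=DC=corp,DC=example filter=(&(objectCategory=person)(objectClass=user)) scope=subtree results=1203
2024-12-18T10:00:06Z client=10.0.0.5 account=CORP\\contractor1 base=DC=corp,DC=example filter=(&(objectClass=user)(servicePrincipalName=*)) scope=subtree results=41
2024-12-18T10:00:07Z client=10.0.0.5 account=CORP\\contractor1 base=DC=corp,DC=example filter=(adminCount=1) scope=subtree results=17
2024-12-18T10:00:08Z client=10.0.0.5 account=CORP\\contractor1 base=DC=corp,DC=example filter=(objectClass=trustedDomain) scope=subtree results=2
2024-12-18T10:00:09Z client=10.0.0.5 account=CORP\\contractor1 base=DC=corp,DC=example filter=(objectClass=computer) scope=subtree results=880
2024-12-18T10:00:40Z client=10.0.0.9 account=CORP\\jsmith base=CN=Users,DC=corp,DC=example filter=(cn=Helpdesk) scope=onelevel results=1
2024-12-18T10:01:12Z client=10.0.0.22 account=CORP\\svc-backup base=DC=corp,DC=example filter=(objectClass=computer) scope=subtree results=880
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) account=(?P<account>\S+) "
    r"base=(?P<base>\S+) filter=(?P<filter>\S+) scope=(?P<scope>\S+) results=(?P<results>\d+)$")

# Assumed filter fragments typical of discovery scripts rather than normal lookups.
RECON_INDICATORS = ("servicePrincipalName=*", "adminCount=1", "objectClass=trustedDomain",
                    "objectCategory=person", "objectClass=computer", "primaryGroupID=",
                    "userAccountControl:")


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            e["results"] = int(e["results"])
            entries.append(e)
    return entries


def max_burst(times, window_s):
    """Largest number of searches falling inside any window_s-second window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_enumeration(text, burst_queries=4, burst_window_s=60, large_result=500):
    """Return {client: [reasons]} for every client that trips at least one indicator."""
    by_client = defaultdict(list)
    for e in parse_log(text):
        by_client[e["client"]].append(e)
    findings = {}
    for client, entries in by_client.items():
        reasons = []
        recon = {ind for e in entries for ind in RECON_INDICATORS if ind in e["filter"]}
        if len(recon) >= 2:
            reasons.append(f"{len(recon)} distinct recon filters: {', '.join(sorted(recon))}")
        bulk = [e["results"] for e in entries
                if e["scope"] == "subtree" and e["base"].startswith("DC=")
                and e["results"] >= large_result]
        if bulk:
            reasons.append(f"bulk subtree search at domain root ({max(bulk)} results)")
        burst = max_burst([e["ts"] for e in entries], burst_window_s)
        if burst >= burst_queries:
            reasons.append(f"burst of {burst} searches within {burst_window_s}s")
        if reasons:
            findings[client] = reasons
    return findings


def suspects(text, min_reasons=2):
    """Clients with enough independent indicators to be worth an analyst's time."""
    return sorted(c for c, r in detect_enumeration(text).items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for client, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
    print("suspects:", suspects(SAMPLE_LOG))
```

The single bulk computer query from the backup service account scores one indicator and stays below the suspect threshold, which is the point of requiring independent signals: one broad search is routine for many service accounts, while a burst of varied recon filters from one client is not.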


Secure Configurations for Cloud Services Now Mandatory – CISA

While this applies to federal civilian agencies, everyone should take note.  Cloud services continue to attract threat actors, so it’s important to secure your environments.  CISA provides secure configuration baselines and a tool to assess your Microsoft Office 365 environment against them.

https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-secure-microsoft-365-tenants/

https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services


Vulnerable Systems Enumerated via Apache Struts Bug

Active exploitation appears to use, or be inspired by, publicly available exploit code.  The bug is tracked as CVE-2024-52677 (CVSS 4.0 score: 9.5) and rated critical.  Apache Struts is an attacker favorite and is usually heavily abused.

https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/

https://cwiki.apache.org/confluence/display/WW/S2-067


Actively Exploited Windows Kernel Flaw

The bug tracked as CVE-2024-35250 was patched June 2024.  Proof-of-concept (PoC) code was released four months later.  Successful exploitation gains SYSTEM privileges. 

https://www.bleepingcomputer.com/news/security/windows-kernel-bug-now-exploited-in-attacks-to-gain-system-privileges/


Malvertising and ClickFix via Fake CAPTCHA Pages

Lumma Stealer is distributed via a large-scale malvertising campaign; the operation is dubbed “Deception Ads”.  Moderation is complicated on some ad networks.  Legitimate tracking tools are used to cloak malicious websites.

https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/

https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6

