Cyber Threat Weekly – #58
The week of December 23rd through December 29th, roughly 148 cyber news articles were reviewed. There is a light amount of cyber threat trends and adversarial behavior news to share. Let’s start with a ninth US telecom breach linked to a Chinese APT.
Palo Alto Networks (PAN) firewall denial of service (DoS) bug exploited. Chrome browser extensions hijacked over the Christmas holiday. Critical bugs fixed in Apache products. Adobe ColdFusion critical flaw fixed.
Apache Tomcat remote code execution bug fixed on the second go-around. 2024 top zero-day exploitation trends. Top observed ransomware trends of 2024.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for December 23rd to December 29th:
CVE-2021-44207 – Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability:
Could allow an attacker to achieve remote code execution on the system that runs the application. The MachineKey must be obtained via a separate vulnerability or other channel.
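As an added example of the prioritization described above (my code, not the newsletter's tooling): a small Python helper reads a constructed excerpt in the shape of CISA's KEV JSON feed, ranks a constructed set of this week's CVEs as known-exploited first, weaponized-PoC second, Internet-exposed assets first within each tier, and assigns the 48-hour emergency deadline to the first two tiers. The asset names, scanner field names and exploitation flags are constructed for the example; the KEV entry is the one listed above.

```python
"""Patch-prioritization helper: known-exploited flaws first, weaponized-PoC
flaws a close second, Internet exposure as tie-breaker, 48-hour emergency
window for the first two tiers. Added example, not the newsletter's own code."""
import json
from datetime import date, timedelta

# Constructed excerpt in the layout of CISA's known_exploited_vulnerabilities.json
# feed, trimmed to the fields used here (entry taken from this week's KEV list).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-44207", "vendorProject": "Acclaim Systems",
   "product": "USAHERDS", "dateAdded": "2024-12-23", "dueDate": "2025-01-13"}
]}"""

# Constructed findings from a hypothetical scanner export; the flags mirror what
# this week's reporting says about each CVE (exploited / PoC circulating).
FINDINGS = [
    {"cve": "CVE-2021-44207", "asset": "herds-app-01", "internet_exposed": False,
     "exploited_reported": False, "weaponized_poc": False},
    {"cve": "CVE-2024-3393", "asset": "pan-fw-edge", "internet_exposed": True,
     "exploited_reported": True, "weaponized_poc": False},
    {"cve": "CVE-2024-53961", "asset": "cf-web-02", "internet_exposed": True,
     "exploited_reported": False, "weaponized_poc": True},
    {"cve": "CVE-2024-56337", "asset": "tomcat-int-07", "internet_exposed": False,
     "exploited_reported": False, "weaponized_poc": False},
]
EMERGENCY_WINDOW = timedelta(days=2)  # the 24-to-48-hour emergency patch process

def load_kev(raw: str) -> set[str]:
    """Return the CVE IDs present in a KEV-format JSON document."""
    return {v["cveID"] for v in json.loads(raw)["vulnerabilities"]}

def tier(finding: dict, kev: set[str]) -> int:
    """1 = known exploited (KEV or credible reporting), 2 = weaponized PoC, 3 = the rest."""
    if finding["cve"] in kev or finding["exploited_reported"]:
        return 1
    if finding["weaponized_poc"]:
        return 2
    return 3

def prioritize(findings: list, kev: set[str], today: str) -> list:
    """Rank by tier, Internet-exposed first; tiers 1-2 get the emergency deadline, tier 3 None."""
    start = date.fromisoformat(today)
    ranked = sorted(findings, key=lambda f: (tier(f, kev), not f["internet_exposed"]))
    out = []
    for f in ranked:
        t = tier(f, kev)
        deadline = (start + EMERGENCY_WINDOW).isoformat() if t < 3 else None
        out.append({**f, "tier": t, "deadline": deadline})
    return out
```

Swap KEV_JSON for the live feed and FINDINGS for your scanner export to get a ranked worklist with deadlines.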
Chinese Threat Actors Linked to Ninth US Telecom Breach
This has been an ongoing saga that continues to grow in scope. An interesting observation from the White House, ‘we still don’t see companies doing the basics’. The more breaches that happen, the more regulation that will be put in place. We as an industry have got to step up before the regulators step in and over-regulate. It’s now or later and later always sucks worse.
https://therecord.media/hipaa-cybersecurity-regulations-update
DoS Bug in PAN Firewalls Exploited
Exploiting CVE-2024-3393 forces a firewall reboot. Repeatedly exploiting the bug causes the firewall to go into maintenance mode. Affected devices require both a DNS or Advanced DNS license applied and DNS Security logging enabled.
https://thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html
https://security.paloaltonetworks.com/CVE-2024-3393
Cyber Firm’s Browser Extension Compromised, Plus Other Extensions
Cyberhaven alerted its customers of a December 24th breach, impacting its Google Chrome browser extension. This appears to be part of an ongoing campaign. Researchers have shared numerous related compromised extensions and malicious infrastructure.
https://secureannex.com/blog/cyberhaven-extension-compromise/
Apache Fixed Bugs in MINA, HugeGraph-Server, and Traffic Control
Critical bugs were addressed. MINA requires a manual setting in addition to the latest version. The MINA bug is rated a 10 severity and the Apache Traffic Control bug is rated a 9.9. Any Apache servers exposed to the Internet should be fixed ASAP.
Critical Adobe ColdFusion Flaw Addressed
An out-of-band security update was released for this critical bug. Adobe is rating it a ‘priority 1 severity’ and proof-of-concept (PoC) exploit code is in circulation. The flaw is tracked as CVE-2024-53961 with a CVSS 3.1 base score of 7.4.
https://thecyberexpress.com/adobe-coldfusion-vulnerability-cve-2024-53961/
https://helpx.adobe.com/security/products/coldfusion/apsb24-107.html
Second Time Apache Tomcat Remote Code Execution Bug Fixed
Tracked as CVE-2024-56337, this completes the mitigation for the critical remote code execution flaw patched on December 17th. Some manual mitigation is also required if you’re running older versions of Java.
https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp
Top Zero-Day Exploitation Trends 2024
There was a marked increase in zero-day vulnerabilities used this year. Network security edge devices were particularly abused. The abuse of legitimate remote monitoring and management tools continues. Managed file transfer systems continue to be a favorite target.
https://www.csoonline.com/article/3629815/top-7-zero-day-exploitation-trends-of-2024.html
Top Observed Ransomware Trends of 2024
The growth of ransomware-as-a-service (RaaS) offerings continues. Data exfiltration is the standard; some groups have even moved to data exfiltration only for extortion. Living off the land techniques are becoming more prevalent; procedures are the battleground.
https://cyble.com/blog/top-10-ransomware-trends-observed-in-2024/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter