Cyber Threat Weekly – #59
The week of December 30th through January 5th, roughly 169 cyber news articles were reviewed. A very light week of cyber threat trends and adversarial behavior news to share. Let’s start with a new Android malware called FireScam.
Phishing and SEO poisoning delivers PLAYFULGHOST. Crash Windows servers with LDAPNightmare. Faulty Tenable plugin update takes down Nessus agents. Active campaign spreads Infostealers via fake game sites.
Update on the Google Chrome extension supply chain attack. Third-party access abused to attack the US Treasury and the Office of Foreign Assets Control (OFAC) plus the Office of the Treasury Secretary.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities for December 30th to January 5th:
CVE-2024-3393 – Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability:
Allows an unauthenticated attacker to remotely reboot the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
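As an added example (not the newsletter's code), a small Python script that pulls one week's additions out of the KEV catalog's JSON format and applies the prioritization above: emergency window for Internet-exposed products, CISA's due date for the rest. The field names follow CISA's published feed; the records, dates and inventory below are constructed sample data so it runs offline.

```python
"""Triage the week's CISA KEV additions against a local asset inventory.

Added example, not the newsletter's code. Field names (cveID, vendorProject,
product, dateAdded, dueDate) follow CISA's published KEV JSON feed; the records
and inventory below are CONSTRUCTED so this runs offline. Live feed:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date, timedelta

# Constructed sample feed. CVE-2024-3393 is the entry the newsletter lists;
# its dates here are placeholders, not CISA's actual values.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-3393", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-12-30", "dueDate": "2025-01-20"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2024-11-01", "dueDate": "2024-11-22"},
]})

# Constructed inventory: (vendor, product) pairs we run and whether any
# instance is reachable from the Internet.
INVENTORY = {("Palo Alto Networks", "PAN-OS"): {"internet_exposed": True}}


def kev_added_between(feed_json, start_iso, end_iso):
    """Return KEV records whose dateAdded lies within [start, end] (ISO dates)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    recs = json.loads(feed_json)["vulnerabilities"]
    return [r for r in recs if start <= date.fromisoformat(r["dateAdded"]) <= end]


def triage(records, inventory):
    """Map each KEV record to (cveID, priority, internal deadline as ISO string).

    Internet-exposed products get the emergency 48-hour window from dateAdded;
    other deployed products get CISA's dueDate; the rest are "not deployed".
    """
    out = []
    for r in records:
        key = (r["vendorProject"], r["product"])
        if key not in inventory:
            out.append((r["cveID"], "not deployed", None))
            continue
        if inventory[key]["internet_exposed"]:
            deadline = date.fromisoformat(r["dateAdded"]) + timedelta(days=2)
            out.append((r["cveID"], "emergency", deadline.isoformat()))
        else:
            out.append((r["cveID"], "standard", r["dueDate"]))
    return out
```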
FireScam, New Android Malware Distributed via GitHub Site
What’s important here is the behavior: using legitimate infrastructure such as GitHub to add legitimacy. That makes it more difficult for defenders to detect initially and for users to realize it’s a phish. In this case it’s a Russian app store being mimicked, but it could be anything.
https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
Researchers Analyze New Backdoor Malware PLAYFULGHOST
This malware shares similarities to Gh0st RAT, a remote access trojan whose source code was released in 2008. Initial access includes search engine optimization (SEO) poisoning with a LetsVPN lure and phishing emails.
https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html
Reboot Windows Servers with LDAPNightmare Exploit
Researchers share details and proof of concept code for CVE-2024-49113. The only prerequisite is that the victim DC has Internet connectivity (a really bad idea). Separation of duties is important: having DNS servers separate from your DCs is good security. There should be no reason for your domain controllers to have Internet access.
Nessus Agents Offline by Defective Plugin Update – Tenable
The downside: manual updates are required to bring the agents back online. Systems updated to Nessus Agent versions 10.8.0 and 10.8.1 are affected. The issue is known and was triggered by a differential plugin update.
https://status.tenable.com/incidents/9wjf0gnblhq7
Infostealer Malware Spread via Fake Game Sites
The lure usually comes from a direct message on a Discord server asking about beta testing a new game. The message often comes from the developer themselves. If interested, the victim receives a download link and password for the archive.
Google Chrome Extension OAuth Phishing Attack Update
The supply chain is under constant attack. Last week we shared how CyberHaven and many others were duped into granting OAuth permissions to a third-party application. The result was that malicious extensions were uploaded to the Chrome Web Store. CyberHaven shares preliminary analysis, and researchers continue to update the list of affected extensions and IoCs.
https://secureannex.com/blog/cyberhaven-extension-compromise/
BeyondTrust API Key Used to Access US Treasury, OFAC, and More
Consider prioritizing your third-party risk management. After compromising BeyondTrust for a Remote Support SaaS API key, certain Remote Support SaaS instances were affected. One such instance was used to access Treasury workstations. It appears the attackers were targeting the agency’s OFAC department and breached the Treasury’s Office of Financial Research.
https://thehackernews.com/2024/12/chinese-apt-exploits-beyondtrust-api.html
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter