Skip to content

Cyber Threat Weekly - #6

Derek Krein
4 min read

First off, Happy New Year, and so it begins…  a new start to another year.  Got to remember to use 2024 instead of 2023.  Let’s begin with Carbanak is back and has been observed in ransomware attacks.  Poorly secured Linux SSH servers actively attacked. 

A new version of Medusa Stealer is released for Christmas.  Stealthy Android malware discovered, downloaded over 327,000 times.  Extremely sophisticated iPhone attack chain revealed.  Remote code vulnerability in Apache OFBiz being actively exploited.

Massive volumes of PII and compromised data leaked on Christmas Eve.  Researchers use chatbots to ‘jailbreak’ other chatbots.  New malware loader Rugmi daily detections surge.  Microsoft disables App Installer after threat actor abuses.

Since Lumma infostealer announced Google session hijacking via expired authentication cookies, several more infostealers now claim the feature.  Palo Alto shares a recap of threat intelligence released from October to December 2023.



Broken Record Alert:  Let’s talk about patch prioritization!!!

Known exploited vulnerabilities should be priority #1.  You can start with the CISA known exploited vulnerability (KEV) catalog.  I’m going to change how I talk about vulnerabilities with proof-of-concept (PoC) code available.  The new term will be weaponized PoC code. 

Every week we share known exploited vulnerabilities being abused by threat actors.  Some of these exploited vulnerabilities are quite old.  Diligent patching can prevent threat actors from abusing your organization for their gains.

Patch prioritization matters…  A picture says 1,000 words, according to Qualys, in 2023 less than 1% of vulnerabilities were considered high risk:

Vulnerability Threat Landscape 2023 - Vulnerability Prioritization
Vulnerability Threat Landscape 2023 - Vulnerability Prioritization


Carbanak Banking Malware Returns

While this comes from a bit older dataset, November 2023, we will be following this trend over time.  Carbanak is older, detected around 2014, and has been used by FIN7 in the past.  The fact it shows back up in ransomware attacks is interesting. 

https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html

https://www.nccgroup.com/us/newsroom/ncc-group-monthly-threat-pulse-november-2023/

https://insights.nccgroup.com/l/898251/2023-12-21/31hpg5k/898251/1703152881JC51D6Bs/Threat_Pulse_freemium_21122023.pdf

https://www.corvusinsurance.com/blog/another-record-breaking-month-for-ransomware-november-up-110-yoy



Linux SSH Servers are Targeted by Threat Actors with Dictionary Attack

We, as an industry, need to re-think our external attack surface and what we expose to the Internet.  There are better means of remote access such as Zero Trust Network Access (ZTNA) that minimizes exposed services.  This is an example of how threat actors are going after our external attack surface.

https://thehackernews.com/2023/12/warning-poorly-secured-linux-ssh.html

https://asec.ahnlab.com/en/59972/



Medusa Stealer gets Updated

On Christmas eve, the malware authors released an update to Medusa Stealer malware.  With promises of more upgrades to come in 2024.

https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web



Android Backdoor Discovered in Numerous Apps

McAfee Mobile research team dubbed the malware Xamalicious, utilizes the Xamarin framework and accessibility permissions.

https://thehackernews.com/2023/12/new-sneaky-xamalicious-android-malware.html

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/



 iPhone Hack Exploitng Hidden Hardware Feature

Kaspersky discovered the campaign in early 2023 after being targeted.  The spyware leverages never-before-seen exploits targeting hardware-based security protections in Apple iOS devices.  It’s believed this campaign has been ongoing since 2019.

https://thehackernews.com/2023/12/most-sophisticated-iphone-hack-ever.html

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/



Apache OFBiz Remote Code Execution Actively Exploited

Publicly available proof of concept code is being utilized to exploit Apache OFBiz.  ShadowServer has detected quite a few sans for the older CVE-2023-49070 which can be bypassed and a new CVE-2023-51467 has been assigned.  The fix for the bypass was released December 26th.

https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/

https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/



Massive Stolen Dataset Leaked on the Dark Web, ‘Free Leaksmas’

Cybercriminals don’t rest.  On Christmas Eve, over 50 million records were shared freely amongst cybercriminals on the dark web. 

https://securityaffairs.com/156560/deep-web/leaksmas-dark-web-data-leak.html

https://www.resecurity.com/blog/article/cybercriminals-launched-leaksmas-event-in-the-dark-web-exposing-massive-volumes-of-leaked-pii-and-compromised-data



Researchers Create a Chatbot to Generate ‘Jail Break’ Prompts

It seems large language models (LLMs) are all the rage.  Of course, security researchers work to find the security limits.  Creating a chatbot designed to create jail break prompts is interesting and we need to continue to see how LLMs can be attacked and affected by threat actors.

https://techxplore.com/news/2023-12-ai-chatbots-jailbreak.html



Malware Loader Rugmi Usage Rising Rapidly

The massive spike in usage is not good for defenders.  Distributing several infostealers after infection, this is one we’ll keep an eye on.

https://thehackernews.com/2023/12/new-rugmi-malware-loader-surges-with.html



Threat Actors Abusing Microsoft App Installer

Multiple threat actors have used the ms-appinstaller protocol to distribute malware.  This activity has been observed since mid-November.

https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/



Google OAuth Abuse Allows Account Token Restore

Several infostealers have jumped on the Google account token restore bandwagon.  Lumma stealer was the first, at least five more threat actors have announced the feature.  This one is worth the read; the sophistication of malware development is not good for defenders.

https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/

https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking



Palo Alto Threat Intelligence Recap

A write up and threat intelligence shared during Q4 2023 on several malware families.  If you have a few minutes, this one is interesting, and provides a timeline of releases from Palo Alto Unit 42.

https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #33

The week of July 1st through July 7th was back down to 379 cyber news articles reviewed.  A relatively light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with an unprecedented password dump, nearly 10 billion unique passwords. HTTP File Server (HFS) Remote Code

Members Public

Cyber Threat Weekly – #32

The week of June 24th through June 30th picked up with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releases fix for critical authentication bypass bug. Run pipelines as any user in GitLab, critical

Members Public

Cyber Threat Weekly – #31

The week of June 17th through June 23rd was lighter than usual with 342 cyber news articles reviewed.  Only a moderate amount of cyber threat trend and adversarial behavior news to share.  Let’s start with the CDK Global IT outage caused by BlackSuit ransomware. Outdated Android phones targeted by