Skip to content

Cyber Threat Weekly - #7

Derek Krein
5 min read

Kicking off a new week, last week we saw several interesting threats.  Let’s start with a new variation of dynamic link library (DLL) search order hijacking technique.  Next, social engineering through LinkedIn, this is a notable trend.  Black Basta ransomware decryption tool released.

Possible Cisco ASA vulnerability for sale on dark net.  Learning from the Russian cyber-attack on KyivStar.  An update on the Apache OFBiz zero-day vulnerability.  Critical bug in Ivanti's Endpoint Management (EPM).  Legit remote management software used for malicious purposes, again.

Source code for Zepplin ransomware and cracked builder sold for $500.  SilverRAT being sold by middle eastern developers.  New North Korean macOS Backdoor, SpectralBlur.  Attackers continue to target Apache RocketMQ servers.

Update to malware abusing Google OAuth API.  AsyncRAT campaign targeting US infrastructure.



Broken Record Alert:  Patch management prioritization is critical!!!

Known exploited vulnerabilities continue to be abused by threat actors.  Every week we share vulnerabilities actively exploited, some are quite old, and still working.  You can start with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is those with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.



CISA Known Exploited Vulnerabilities for January 1st to January 7th:

CVE-2023-7101 – Spreadsheet::ParseExcel Remote Code Execution Vulnerability

This issue stems from the evaluation of Number format strings within the Excel parsing logic.

CVE-2023-7024 – Google Chromium WebRTC Heap Buffer Overflow Vulnerability

This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.



Stealthier Variant of DLL Search Order Hijacking

Researchers have found you can abuse executables in the trusted WinSxS folder, with the classic DLL search order hijacking technique.  This minimizes or eliminates the need for elevated privileges when attempting to run malicious code.  It’s a stealthier variation of the classic technique.

I’m not sure what is worse, researchers discovering and sharing these techniques with the world, including the adversary, or defenders finding out after an attack (patient zero) and having to deal with it.

https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html

https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout



Using LinkedIn to Target a Nuclear Waste Company

Not the first time, won’t be the last time organizations are targeted through LinkedIn via social engineering.  Something to keep an eye on, we’ll look for some trending data.

https://www.darkreading.com/ics-ot-security/cyberattackers-target-nuclear-waste-company-via-linkedin



Black Basta Buster Decryption Tool is Available

The tool was released by SR Labs but only works for those encrypted before the last week of December.  Black Basta developers fixed the flaw encryption routine.  There is a limitation, files smaller than 5KB won’t be recovered and files over 1GB only the first 5KB can be recovered.

The decryptor only works for files between 5KB and 1GB in size.

https://www.scmagazine.com/brief/black-basta-ransomware-vulnerability-leveraged-by-new-decryption-tool

https://github.com/srlabs/black-basta-buster



Threat Actor Allegedly Selling Cisco ASA Vulnerability

A threat actor named “xc7d2f4” claims to have a remote code injection exists for all 55XX series Cisco ASA firewalls.  The actor is selling an entire package for $1,000,000 on the dark web.  If this is indeed a zero-day for sale, could be bad for those running Cisco ASA55XX firewalls.

https://thecyberexpress.com/cisco-remote-command-injection-vulnerability/



Thousands of Systems Wiped in KyivStar Attack by Russian Hackers

While this may not seem to apply to many, there are lessons to learn here.  The Russians were in their systems for months.  They wiped thousands of virtual servers and computers, destroying “the core” of the Telcom.  This can happen to anyone.  Business continuity and disaster recovery plans are a must.  Not just a policy, but a complete understanding of bringing your systems online from scratch.

https://www.darkreading.com/cyberattacks-data-breaches/russia-kyivstar-hack-should-alarm-west-ukraine-cyber-spy-warns

https://www.bleepingcomputer.com/news/security/russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack/



Exploitation Attempts Five Days Prior to Apache OFBiz Zero-day Disclosure

Unknown threat actors were probing prior to vulnerability release, happens more than we would like.  This zero-day patch is a fix for a prior vulnerability CVE-2023-49070, that’s patch failed to fix the issue.  Researchers and threat actors are scrutinizing patches, to see if something was missed.

https://www.darkreading.com/vulnerabilities-threats/apache-erp-0day-underscores-dangers-of-incomplete-patches

https://www.darkreading.com/vulnerabilities-threats/apache-erp-0day-underscores-dangers-of-incomplete-patches



Critical Remote Execution Flaw in Ivanti’s EPM software

No evidence of active exploitation.  All supported Ivanti EPM versions are affected.  An attacker with access to the internal network can exploit the vulnerability.  The vulnerability is low complexity and doesn’t require privileges or user interaction.  This allows attacker control over machines running the EPM agent. 

The popular trend here is supply chain attacks providing access to thousands of devices.  Big bang for the adversaries’ efforts.

https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/

https://www.ivanti.com/blog/security-update-for-ivanti-epm



Remcos Remote Administration Tool Now Stealthier

Legitimate remote access tools are consistently abused by attackers.  Remcos is one such legitimate software tool, abused by attackers for years.  In this version, researchers find a rarely used method of covert data transfer via unnamed pipes. 

https://www.darkreading.com/cyberattacks-data-breaches/threat-group-using-rare-data-transfer-tactic-in-new-remcosrat-campaign

https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method



Fixed Version of Zepplin Ransomware Source Code Sold on Dark Web

KELA, a threat intelligence company, observed the announcement of a threat actor on a cyber crime forum.  If indeed a legit copy, this leaves room for another Ransomware as a Service (RaaS) offering.

https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/



Destructive and Stealthy SilverRAT

SilverRAT v1 is a windows-based RAT builder that generates a payload with various available options.  The payload size is a maximum of 50Kb.  Developers have announced plans to launch a new version that can generate windows and android payloads.

https://www.darkreading.com/cyberattacks-data-breaches/syrian-threat-group-peddles-destructive-silverrat

https://www.cyfirma.com/outofband/a-gamer-turned-malware-developer-diving-into-silverrat-and-its-syrian-roots/



Apple macOS Backdoor Called SpectralBlur Discovered

Threat actors appear to be increasingly targeting macOS, especially as market share continues to grow. 

https://www.darkreading.com/threat-intelligence/north-korea-debuts-spectralblur-malware-amid-macos-onslaught



Hundreds of Hosts Scanning for RocketMQ Systems

Shadowserver is tracking scan data from hundreds of source IPs every day.  It’s unclear if the data is potential attackers, exploitation efforts, or possible researchers looking for exposed endpoints.

https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/

https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=honeypot&tag=rocketmq-scan&group_by=geo&style=stacked



Google Downplays Malware Restoring Authentication Cookies via OAuth API

Last we shared a report from CloudSek detailing the abuse of Google OAuth “MultiLogin” API.  Google sees this abuse as just typical cookie theft.  It appears Google believes the API is working as intended.

https://www.bleepingcomputer.com/news/security/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue/



AsyncRAT Campaign Carefully Targeting Victims

Hundreds of samples have been discovered, it appears each victim gets a new loader version.  The threat actor uses DGA domains changed weekly to stay stealthy.  Ongoing registration of new domains show continued activity.

https://www.bleepingcomputer.com/news/security/stealthy-asyncrat-malware-attacks-targets-us-infrastructure-for-11-months/

https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #56

The week of December 9th through December 15th, about 348 cyber news articles were reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with HeartCrypt – Packer-as-a-Service (PaaS). Citrix NetScaler / NetScaler Gateway under brute force attack.  Covert Linux multi-stage rootkit attack.  New

Members Public

Cyber Threat Weekly – #55

The week of December 2nd through December 8th there were 353 cyber news articles reviewed.  A relatively large amount of cyber threat trends and adversarial behavior news to share.  Let’s start with a twist on the fake video conferencing apps campaign. New Russian hacktivist group targeting energy systems.  Supply

Members Public

Cyber Threat Weekly – #54

The Thanksgiving week of November 25th through December 1st was light with only 263 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with a novel phishing campaign using corrupted Word docs. Malicious Android SpyLoan apps installed 8