Cyber Threat Weekly - #7
Kicking off a new week, last week we saw several interesting threats. Let’s start with a new variation of dynamic link library (DLL) search order hijacking technique. Next, social engineering through LinkedIn, this is a notable trend. Black Basta ransomware decryption tool released.
Possible Cisco ASA vulnerability for sale on dark net. Learning from the Russian cyber-attack on KyivStar. An update on the Apache OFBiz zero-day vulnerability. Critical bug in Ivanti's Endpoint Management (EPM). Legit remote management software used for malicious purposes, again.
Source code for Zepplin ransomware and cracked builder sold for $500. SilverRAT being sold by middle eastern developers. New North Korean macOS Backdoor, SpectralBlur. Attackers continue to target Apache RocketMQ servers.
Update to malware abusing Google OAuth API. AsyncRAT campaign targeting US infrastructure.
Broken Record Alert: Patch management prioritization is critical!!!
Known exploited vulnerabilities continue to be abused by threat actors. Every week we share vulnerabilities actively exploited, some are quite old, and still working. You can start with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is those with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
CISA Known Exploited Vulnerabilities for January 1st to January 7th:
CVE-2023-7101 – Spreadsheet::ParseExcel Remote Code Execution Vulnerability
This issue stems from the evaluation of Number format strings within the Excel parsing logic.
CVE-2023-7024 – Google Chromium WebRTC Heap Buffer Overflow Vulnerability
This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.
Stealthier Variant of DLL Search Order Hijacking
Researchers have found you can abuse executables in the trusted WinSxS folder, with the classic DLL search order hijacking technique. This minimizes or eliminates the need for elevated privileges when attempting to run malicious code. It’s a stealthier variation of the classic technique.
I’m not sure what is worse, researchers discovering and sharing these techniques with the world, including the adversary, or defenders finding out after an attack (patient zero) and having to deal with it.
https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html
Using LinkedIn to Target a Nuclear Waste Company
Not the first time, won’t be the last time organizations are targeted through LinkedIn via social engineering. Something to keep an eye on, we’ll look for some trending data.
https://www.darkreading.com/ics-ot-security/cyberattackers-target-nuclear-waste-company-via-linkedin
Black Basta Buster Decryption Tool is Available
The tool was released by SR Labs but only works for those encrypted before the last week of December. Black Basta developers fixed the flaw encryption routine. There is a limitation, files smaller than 5KB won’t be recovered and files over 1GB only the first 5KB can be recovered.
The decryptor only works for files between 5KB and 1GB in size.
https://github.com/srlabs/black-basta-buster
Threat Actor Allegedly Selling Cisco ASA Vulnerability
A threat actor named “xc7d2f4” claims to have a remote code injection exists for all 55XX series Cisco ASA firewalls. The actor is selling an entire package for $1,000,000 on the dark web. If this is indeed a zero-day for sale, could be bad for those running Cisco ASA55XX firewalls.
https://thecyberexpress.com/cisco-remote-command-injection-vulnerability/
Thousands of Systems Wiped in KyivStar Attack by Russian Hackers
While this may not seem to apply to many, there are lessons to learn here. The Russians were in their systems for months. They wiped thousands of virtual servers and computers, destroying “the core” of the Telcom. This can happen to anyone. Business continuity and disaster recovery plans are a must. Not just a policy, but a complete understanding of bringing your systems online from scratch.
Exploitation Attempts Five Days Prior to Apache OFBiz Zero-day Disclosure
Unknown threat actors were probing prior to vulnerability release, happens more than we would like. This zero-day patch is a fix for a prior vulnerability CVE-2023-49070, that’s patch failed to fix the issue. Researchers and threat actors are scrutinizing patches, to see if something was missed.
Critical Remote Execution Flaw in Ivanti’s EPM software
No evidence of active exploitation. All supported Ivanti EPM versions are affected. An attacker with access to the internal network can exploit the vulnerability. The vulnerability is low complexity and doesn’t require privileges or user interaction. This allows attacker control over machines running the EPM agent.
The popular trend here is supply chain attacks providing access to thousands of devices. Big bang for the adversaries’ efforts.
https://www.ivanti.com/blog/security-update-for-ivanti-epm
Remcos Remote Administration Tool Now Stealthier
Legitimate remote access tools are consistently abused by attackers. Remcos is one such legitimate software tool, abused by attackers for years. In this version, researchers find a rarely used method of covert data transfer via unnamed pipes.
https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method
Fixed Version of Zepplin Ransomware Source Code Sold on Dark Web
KELA, a threat intelligence company, observed the announcement of a threat actor on a cyber crime forum. If indeed a legit copy, this leaves room for another Ransomware as a Service (RaaS) offering.
Destructive and Stealthy SilverRAT
SilverRAT v1 is a windows-based RAT builder that generates a payload with various available options. The payload size is a maximum of 50Kb. Developers have announced plans to launch a new version that can generate windows and android payloads.
Apple macOS Backdoor Called SpectralBlur Discovered
Threat actors appear to be increasingly targeting macOS, especially as market share continues to grow.
Hundreds of Hosts Scanning for RocketMQ Systems
Shadowserver is tracking scan data from hundreds of source IPs every day. It’s unclear if the data is potential attackers, exploitation efforts, or possible researchers looking for exposed endpoints.
Google Downplays Malware Restoring Authentication Cookies via OAuth API
Last we shared a report from CloudSek detailing the abuse of Google OAuth “MultiLogin” API. Google sees this abuse as just typical cookie theft. It appears Google believes the API is working as intended.
AsyncRAT Campaign Carefully Targeting Victims
Hundreds of samples have been discovered, it appears each victim gets a new loader version. The threat actor uses DGA domains changed weekly to stay stealthy. Ongoing registration of new domains show continued activity.
https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
