Cyber Threat Weekly - #8
It got busy last week, a bunch of news to cover. Let’s start with a new extortion tactic by ransomware clown posse threat actors, cyber criminals suck. A great piece on bullet proof hosting by Krebs. Yet another means of extortion for ransomware victims, fake data deletion scam.
Honey pot catches threat actor targeting Hadoop YARN and Apache Flink. Ivanti VPN actively exploited, chaining two zero-day vulnerabilities. Cisco releases fix for a critical Unity Connection vulnerability; exploitation provides root privileges.
PikaBot is an up-and-coming loader and possible QakBot replacement. New Mirai-based botnet slowly growing and dropping a cryptominer on Linux servers. Brute forcing poorly secured MSSQL servers leads to ransomware. WordPress plugin putting upwards of 150,000 sites at risk.
Flying under the radar with legitimate services, this time GitHub. Backup strategy is critical, Akira ransomware wiping NAS and tape backup devices. Apache OFBiz vulnerability, proof-of-concept exploit released. Medusa stepping up their ransomware game.
Microsoft Windows Defender SmartScreen vulnerability still being exploited; new campaign observed. Active exploitation of Microsoft SharePoint flaw. GitLab zero-click account hijacking vulnerability. Juniper Critical RCE Flaw in its firewalls and switches, fix available.
Broken Record Alert: Patch management prioritization is critical!!!
Known exploited vulnerabilities continue to be abused by threat actors. This week we again cover vulnerabilities that have patches available yet are being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close second priority is vulnerabilities with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Let’s remove some of the low-hanging fruit threat actors continue to target.
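As an added illustration of the prioritization described above (this is example code, not part of the newsletter), the script below cross-references an asset's CVE list against a KEV-style feed and orders patches KEV first, weaponized PoC second, then by CVSS. The feed fragment uses a subset of the real feed's field names but its entries and dates are constructed, and the CVSS scores and PoC flags in the inventory are assumptions.

```python
# Added example (not from the newsletter): rank patches the way the text
# describes: CISA KEV entries first, weaponized PoC second, then by CVSS.
import json

# Constructed KEV fragment. Field names are a subset of the real feed's
# schema; the entries and dates are illustrative, not copied from the catalog.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-29357", "product": "SharePoint Server", "dueDate": "2024-01-31"},
 {"cveID": "CVE-2024-21887", "product": "Connect Secure and Policy Secure", "dueDate": "2024-01-22"},
 {"cveID": "CVE-2023-36025", "product": "Windows", "dueDate": "2023-12-05"}
]}"""

# Constructed inventory. CVSS scores and PoC flags are assumptions for illustration.
INVENTORY = [
    {"cve": "CVE-2024-21591", "cvss": 9.8, "weaponized_poc": False},   # Juniper SRX/EX
    {"cve": "CVE-2023-7028", "cvss": 10.0, "weaponized_poc": False},   # GitLab
    {"cve": "CVE-2023-29357", "cvss": 9.8, "weaponized_poc": True},    # SharePoint
    {"cve": "CVE-2024-21887", "cvss": 9.1, "weaponized_poc": False},   # Ivanti
    {"cve": "CVE-2023-36025", "cvss": 8.8, "weaponized_poc": True},    # SmartScreen
    # Apache OFBiz: placeholder id, this issue does not name the CVE
    {"cve": "CVE-0000-00000", "cvss": 9.8, "weaponized_poc": True},
]

EMERGENCY_TIERS = {1, 2}  # tiers that go on the 24-to-48-hour emergency track

def load_kev(feed_text):
    """Map cveID -> dueDate for every entry in a KEV-format JSON document."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v["dueDate"] for v in feed["vulnerabilities"]}

def tier(item, kev):
    """1 = known exploited (in KEV), 2 = weaponized PoC public, 3 = everything else."""
    if item["cve"] in kev:
        return 1
    return 2 if item["weaponized_poc"] else 3

def prioritize(inventory, kev):
    """Inventory ordered by tier, then CVSS descending, with tier and KEV due date attached."""
    ranked = [dict(item, tier=tier(item, kev), kev_due=kev.get(item["cve"]))
              for item in inventory]
    return sorted(ranked, key=lambda r: (r["tier"], -r["cvss"]))

def emergency_queue(inventory, kev):
    """CVEs that belong in the emergency patch window, in priority order."""
    return [r["cve"] for r in prioritize(inventory, kev) if r["tier"] in EMERGENCY_TIERS]

if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON)):
        print(f'tier {r["tier"]}  {r["cve"]:<15} CVSS {r["cvss"]:<4} KEV due {r["kev_due"]}')
```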
CISA Known Exploited Vulnerabilities for January 8th to January 14th:
CVE-2023-23752 – Joomla! Improper Access Control Vulnerability
An improper access control vulnerability that allows unauthorized access to webservice endpoints.
CVE-2016-20017 – D-Link DSL-2750B Devices Command Injection Vulnerability
A command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.
CVE-2023-41990 – Apple Multiple Products Code Execution Vulnerability
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.
CVE-2023-27524 – Apache Superset Insecure Default Initialization of Resource Vulnerability
Allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.
CVE-2023-29300 – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
A deserialization of untrusted data vulnerability that allows for code execution.
CVE-2023-38203 – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
A deserialization of untrusted data vulnerability that allows for code execution.
CVE-2023-29357 – Microsoft SharePoint Server Privilege Escalation Vulnerability
This attack bypasses authentication, enabling the attacker to gain administrator privileges.
CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authentication bypass issue.
Ransomware Threat Actors Get Even More Evil with Latest Extortion Tactic
There is no end to what these evil clowns will do to get paid. The latest tactic is threatening, in this case, health care patients with “swatting” in an attempt to pressure hospitals to pay. We’ll probably see more of this tactic, especially if it succeeds in getting the ransom paid.
https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
Bullet Proof Hosting and Spam – Krebs on Security
In case you haven’t seen this one yet, it’s an interesting read that goes into the story of two threat actors involved in massive spam and botnet activity.
https://krebsonsecurity.com/2024/01/meet-ika-sal-the-bulletproof-hosting-duo-from-hell/
Ransomware Victims Approached with Another Extortion Attempt
Let’s hope this doesn’t become another part of the multi-extortion package from ransomware clowns. This one starts with a scammer offering to delete data and provide proof. These cyber criminals are getting creative in how they try to get more money from victims. This isn’t the first time we’ve seen additional attempts to make more money from victims.
https://www.bleepingcomputer.com/news/security/ransomware-victims-targeted-by-fake-hack-back-offers/
Threat Actor Targets Hadoop YARN and Apache Flink to Drop Cryptominer
The use of evasive techniques such as rootkits, system config mods, packed ELF binaries, and directory content deletion makes this campaign interesting. While a cryptominer is deployed in this campaign, the stealthiness of the campaign could lead to lateral movement.
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker
Ivanti Connect Secure Actively Exploited with Zero-Days
Patches aren’t available yet, but there is a mitigation available. The two zero-days allow MFA bypass and code execution, not good. Currently fewer than 20 customers have been affected, up from fewer than 10 a few days ago. Over 15,000 Connect Secure and Policy Secure gateways are currently exposed online.
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
Critical Unity Connection Vulnerability Allows Root Privileges
For starters, there is no evidence of proof-of-concept code or active exploitation. That said, we’ll keep an eye on this one.
PikaBot Mirrors QakBot in Several Ways
Discovered in early February 2023, PikaBot is a growing threat. Several vendors are tracking PikaBot activity, and it’s a likely replacement for QakBot. We share a timeline of its rapid ascension.
https://31337infosec.com/is-pikabot-the-new-qakbot/
NoaBot Botnet Yet Another Mirai-Based Botnet
First observed in early 2023, the NoaBot botnet is growing and evolving. It is self-propagating, using an SSH scanner and dictionary attacks to spread and dropping a cryptominer payload. Its obfuscation and the threat actor’s capabilities make this an interesting campaign.
https://therecord.media/mirai-based-botnet-spreading-akamai
https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
Internet Facing MSSQL Servers Accessed via Brute Force = Ransomware
Simple hygiene and attack surface management will prevent this attack. Researchers observed a campaign targeting MSSQL servers that, after initial access by brute force, abused the xp_cmdshell procedure, which allows operating system commands to run from within SQL Server. A PowerShell command was executed, leading to a Cobalt Strike payload, with post-exploitation behavior from there.
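The chain described above leaves two footprints in the SQL Server ERRORLOG: a burst of failed logins from one client, then the configuration message written when xp_cmdshell is switched on. The detector below is an added example, not from the newsletter or the cited research; the log lines are constructed in the ERRORLOG format, and the threshold and window are assumptions.

```python
# Added example (not from the newsletter): flag brute-force bursts and
# xp_cmdshell enablement in SQL Server ERRORLOG-style lines.
import re
from datetime import datetime, timedelta

FAILED_LOGIN = re.compile(r"^(\S+ \S+) Logon\s+Login failed for user '([^']*)'.*\[CLIENT: ([\d.]+)\]")
CMDSHELL_ON = re.compile(r"^(\S+ \S+) \S+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")
THRESHOLD, WINDOW = 5, timedelta(minutes=10)  # assumed: N failed logins per client within WINDOW

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def brute_force_sources(lines):
    """Client IPs with THRESHOLD or more failed logins inside any WINDOW-long span."""
    attempts = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            attempts.setdefault(m.group(3), []).append(ts(m.group(1)))
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        for i in range(len(stamps) - THRESHOLD + 1):   # sliding window over sorted times
            if stamps[i + THRESHOLD - 1] - stamps[i] <= WINDOW:
                flagged[ip] = (stamps[0], len(stamps))
                break
    return flagged

def xp_cmdshell_enabled(lines):
    """Timestamps at which xp_cmdshell was switched on."""
    return [ts(m.group(1)) for m in map(CMDSHELL_ON.match, lines) if m]

def alerts(lines):
    """Brute force alone is medium; xp_cmdshell enabled after a burst is high."""
    out, sources = [], brute_force_sources(lines)
    for ip, (first, n) in sources.items():
        out.append(f"MEDIUM brute force: {n} failed logins from {ip} starting {first}")
    for when in xp_cmdshell_enabled(lines):
        after = [ip for ip, (first, _) in sources.items() if first < when]
        sev = "HIGH" if after else "MEDIUM"
        out.append(f"{sev} xp_cmdshell enabled at {when} (after brute force from {after or 'none'})")
    return out

# Constructed sample log in ERRORLOG format (IPs are documentation ranges).
FAILED = ("2024-01-10 03:12:{sec} Logon       Login failed for user 'sa'. "
          "Reason: Password did not match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = [FAILED.format(sec=s, ip="203.0.113.5") for s in ("44.12", "45.30", "46.01", "47.88", "49.02")]
SAMPLE_LOG += [FAILED.format(sec="55.00", ip="198.51.100.7"),
               "2024-01-10 03:12:55.00 Logon       Error: 18456, Severity: 14, State: 8.",
               "2024-01-10 03:20:01.55 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. "
               "Run the RECONFIGURE statement to install."]

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_LOG)))
```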
POST SMTP WordPress Plugin is a Site Takeover Risk
WordPress is a highly utilized content management system. The POST SMTP plugin had two vulnerabilities allowing complete site takeover. An updated plugin is available, but upwards of 150,000 sites are still running older plugin versions.
https://wordpress.org/plugins/post-smtp/advanced/
GitHub Abused for Malicious Infrastructure Becoming More Frequent
Recorded Future shares a report detailing the growing trend of the abuse of GitHub as a ‘living-off-trusted-sites’ behavior by cyber criminals and nation states. The report analyzes how GitHub is used as malicious infrastructure and shares detection strategies.
https://thehackernews.com/2024/01/threat-actors-increasingly-abusing.html
https://go.recordedfuture.com/hubfs/reports/cta-2024-0111.pdf
Akira Ransomware Gang / Affiliates Target Backup Devices
Finland is observing Akira ransomware targeting companies and wiping NAS and backup devices. Any backup system is a juicy target for ransomware affiliates; backup architecture and immutable backups are critical for disaster recovery after a ransomware event.
Proof of Concept Code Available for Apache OFBiz Vulnerability
This is one to continue to watch. Now with proof-of-concept code available, let’s hope there isn’t mass exploitation. Currently there is a low number of unique IPs scanning for the vulnerability. Researchers claim arbitrary in-memory code execution is possible.
https://thehackernews.com/2024/01/new-poc-exploit-for-apache-ofbiz.html
https://viz.greynoise.io/tag/apache-ofbiz-deserialization-rce-attempt?days=30
Medusa Ransomware Clowns Stepping it Up
These clowns have a new blog with payment options via Tor and a public Telegram channel. With no code of ethics, heavily targeting healthcare and schools, Medusa threat actors suck even more than the norm. Opportunistic in nature, Medusa is still a threat.
https://www.csoonline.com/article/1290677/medusa-group-steps-up-ransomware-activities.html
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
New Campaign – Microsoft Windows Defender SmartScreen Vulnerability Exploited
Researchers share details of a campaign with a previously unknown strain of Phemedrone Stealer malware that uses CVE-2023-36025 for defense evasion in a multi-step attack chain. Patch management is critical, prioritizing known exploited vulnerabilities.
Critical SharePoint Vulnerability Actively Exploited
Another patched vulnerability actively exploited; this is a recurring theme. Details of the in-the-wild exploitation are unknown, but CVE-2023-29357 bypasses SharePoint OAuth authentication. A second vulnerability, CVE-2023-24955, allows insertion of arbitrary code; chained together, they are a potent combo.
GitLab Releases Updates for Two Critical Vulnerabilities
With a maximum CVSS score of 10 out of 10, CVE-2023-7028 affects all user accounts with usernames and passwords, including those with SSO. Accounts with two-factor authentication (2FA) enabled are still vulnerable to password resets, but not to account takeover. The flaw is in the password reset mechanism, which allowed a second email address to receive the reset. A second flaw, tracked as CVE-2023-5356, is also fixed.
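To make the reset weakness concrete, here is a toy reset service written as an added example (not GitLab’s code): the vulnerable handler mails the reset token to whatever addresses the request carries, while the fixed handler rejects address arrays and only mails an address verified on the matching account. The account records and addresses are constructed.

```python
# Added example (not GitLab's code): a password-reset handler that trusts
# request-supplied addresses, next to a hardened version.
import secrets

# Constructed account store: primary email -> addresses verified on the account.
USERS = {
    "alice@example.com": {"verified_emails": {"alice@example.com", "alice@work.example"}},
}

def _as_list(request_emails):
    return request_emails if isinstance(request_emails, list) else [request_emails]

def vulnerable_reset(request_emails, outbox):
    """Flawed: looks the account up by the first address, then mails every
    address in the request, so a second, unverified address also gets the link."""
    emails = _as_list(request_emails)
    if emails[0] not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    for e in emails:                      # unverified extra addresses receive the token
        outbox.append((e, token))
    return token

def fixed_reset(request_emails, outbox):
    """Hardened: exactly one address, and it must be verified on the account it names."""
    emails = _as_list(request_emails)
    if len(emails) != 1:                  # reject arrays outright
        return None
    email = emails[0]
    account = USERS.get(email)
    if not account or email not in account["verified_emails"]:
        return None
    token = secrets.token_urlsafe(32)
    outbox.append((email, token))         # only the verified address is ever mailed
    return token

if __name__ == "__main__":
    sent = []
    vulnerable_reset(["alice@example.com", "second@other.example"], sent)
    print("vulnerable handler mailed:", [e for e, _ in sent])
    sent = []
    print("fixed handler result:", fixed_reset(["alice@example.com", "second@other.example"], sent), sent)
```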
https://www.securityweek.com/gitlab-patches-critical-password-reset-vulnerability/
Fix Available for Critical Juniper Bug Affecting All SRX and EX Series
Critical vulnerability CVE-2024-21591, with a 9.8 CVSS score, allows an attacker unauthenticated remote code execution and root privileges. These kinds of vulnerabilities are threat actor favorites; we need to keep a close eye on it.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter