
Cyber Threat Weekly - #8

Derek Krein
7 min read

It got busy last week; there is a bunch of news to cover.  Let’s start with a new extortion tactic by ransomware clown posse threat actors, cyber criminals suck.  A great piece on bullet proof hosting by Krebs.  Yet another means of extortion for ransomware victims, a fake data deletion scam.

Honey pot catches threat actor targeting Hadoop YARN and Apache Flink.  Ivanti VPN actively exploited, chaining two zero-day vulnerabilities.  Cisco releases fix for Unity Connection critical vulnerability; exploitation provides root privileges.

PikaBot is an up-and-coming loader and possible QakBot replacement.  New Mirai-based botnet slowly growing and dropping a cryptominer on Linux servers.  Brute forcing poorly secured MSSQL servers leads to ransomware.  WordPress plugin putting upwards of 150,000 sites at risk.

Flying under the radar with legitimate services, this time GitHub.  Backup strategy is critical, Akira ransomware wiping NAS and tape backup devices.  Apache OFBiz vulnerability, proof-of-concept exploit released.  Medusa stepping up their ransomware game.

Microsoft Windows Defender SmartScreen vulnerability still being exploited; new campaign observed.  Active exploitation of Microsoft SharePoint flaw.  GitLab zero-click account hijacking vulnerability.  Juniper Critical RCE Flaw in its firewalls and switches, fix available.


Broken Record Alert:  Patch management prioritization is critical!!!

Known exploited vulnerabilities continue to be abused by threat actors.  Even this week we share vulnerabilities with patches available that are being actively exploited.  You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is vulnerabilities with weaponized proof-of-concept (PoC) code available.  Exploitation chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

Let’s remove some of the lower hanging fruit threat actors continue to target.
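The prioritization above (KEV first, weaponized PoC second, a 24-to-48-hour emergency window for both) is easy to turn into a repeatable triage step. The script below is an added example written for this newsletter, not code from CISA or from the newsletter itself. KEV_SAMPLE uses the real field names of the "vulnerabilities" array in CISA's public KEV JSON feed but is a constructed three-entry subset; WEAPONIZED_POC, INVENTORY and the 30-day tier-3 cycle are hypothetical inputs you would swap for your own intel feed, asset data and policy.

```python
"""Patch-priority triage: CISA KEV entries first, weaponized-PoC CVEs second, the rest after.

Added example, not from the newsletter. KEV_SAMPLE mirrors the field names of the
"vulnerabilities" array in CISA's public KEV JSON feed but is a constructed subset;
WEAPONIZED_POC and INVENTORY are hypothetical inputs you would replace with your
own intel feed and asset data.
"""
from datetime import datetime, timedelta

# Constructed subset of the KEV feed (real field names, three CVEs from this week's list).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-2023-29357", "vendorProject": "Microsoft", "dateAdded": "2024-01-10"},
    ]
}

# Hypothetical: CVEs your intel feed flags as having weaponized proof-of-concept code.
WEAPONIZED_POC = {"CVE-2023-7028"}

# Hypothetical asset inventory: CVE -> hosts on which it is present.
INVENTORY = {
    "CVE-2023-46805": ["vpn-01", "vpn-02"],
    "CVE-2024-21887": ["vpn-02", "vpn-01"],
    "CVE-2023-7028": ["gitlab-01"],
    "CVE-2024-21591": ["srx-edge-01"],
    "CVE-2023-99999": ["intranet-07"],  # constructed placeholder id for an ordinary CVE
}

# Tier 1 = in KEV, tier 2 = weaponized PoC, tier 3 = everything else.
# The 48-hour emergency window for tiers 1 and 2 follows the newsletter; tier 3 is an assumed cycle.
SLA = {1: timedelta(hours=48), 2: timedelta(hours=48), 3: timedelta(days=30)}


def kev_ids(feed):
    """Set of CVE ids in a KEV-shaped feed."""
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def tier(cve, kev, poc):
    """Lowest tier number wins: KEV beats PoC beats unknown."""
    if cve in kev:
        return 1
    if cve in poc:
        return 2
    return 3


def triage(inventory, feed, poc, now):
    """Return patch work items ordered by tier, then by exposure (host count), then id."""
    kev = kev_ids(feed)
    items = []
    for cve, hosts in inventory.items():
        t = tier(cve, kev, poc)
        items.append({"cve": cve, "tier": t, "hosts": sorted(set(hosts)), "due": now + SLA[t]})
    items.sort(key=lambda i: (i["tier"], -len(i["hosts"]), i["cve"]))
    return items


def overdue(items, now):
    """CVE ids whose SLA has already lapsed at time `now`."""
    return [i["cve"] for i in items if i["due"] < now]


if __name__ == "__main__":
    start = datetime(2024, 1, 15)
    for i in triage(INVENTORY, KEV_SAMPLE, WEAPONIZED_POC, start):
        print(f"tier {i['tier']}  {i['cve']:<15} due {i['due']:%Y-%m-%d}  hosts={','.join(i['hosts'])}")
```

In practice you would load the real feed with a fetch of CISA's KEV JSON and feed its parsed dict to `triage` unchanged; the only page-specific choice baked in is the ordering rule, which matches the newsletter's KEV-then-PoC priority.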


CISA Known Exploited Vulnerabilities for January 8th to January 14th:

CVE-2023-23752 – Joomla! Improper Access Control Vulnerability
An improper access control vulnerability that allows unauthorized access to webservice endpoints.

CVE-2016-20017 - D-Link DSL-2750B Devices Command Injection Vulnerability
A command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.

CVE-2023-41990 – Apple Multiple Products Code Execution Vulnerability
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.

CVE-2023-27524 – Apache Superset Insecure Default Initialization of Resource Vulnerability
Allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

CVE-2023-29300 – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
A deserialization of untrusted data vulnerability that allows for code execution.

CVE-2023-38203 – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
A deserialization of untrusted data vulnerability that allows for code execution.

CVE-2023-29357 – Microsoft SharePoint Server Privilege Escalation Vulnerability
This attack bypasses authentication, enabling the attacker to gain administrator privileges.

CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.

CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authentication bypass issue.


Ransomware Threat Actors Get Even More Evil with Latest Extortion Tactic

There is no end to what these evil clowns will do to get paid.  The latest tactic is threatening, in this case, health care patients with “swatting” in an attempt to pressure hospitals to pay.  We’ll probably see more of this tactic, especially if it works to get the ransom demand paid.

https://www.darkreading.com/cyberattacks-data-breaches/swatting-latest-extortion-tactic-ransomware-attacks

https://www.theregister.com/2024/01/05/swatting_extorion_tactics/


Bullet Proof Hosting and Spam – Krebs on Security

In case you haven’t seen this one yet.  It’s an interesting look into the story of two threat actors involved in massive spam and botnet activity.

https://krebsonsecurity.com/2024/01/meet-ika-sal-the-bulletproof-hosting-duo-from-hell/


Ransomware Victims Approached with Another Extortion Attempt

Let’s hope this doesn’t become another part of the multi-extortion package from ransomware clowns.  This one starts with a scammer offering to delete data and provide proof.  These cyber criminals are getting creative in how they try to get more money from victims.  This isn’t the first time we’ve seen additional attempts to make more money from victims.

https://www.bleepingcomputer.com/news/security/ransomware-victims-targeted-by-fake-hack-back-offers/

https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/


Threat Actor Targets Hadoop YARN and Apache Flink to Drop Cryptominer

The use of evasive techniques such as rootkits, system config mods, packed ELF binaries, and directory content deletion makes this campaign interesting.  While a cryptominer is deployed in this campaign, the stealthiness of the campaign could lead to lateral movement.

https://www.darkreading.com/cyberattacks-data-breaches/attacker-targets-hadoop-yarn-flint-servers-in-stealthy-campaign

https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker


Ivanti Connect Secure Actively Exploited with Zero-Days

Patches aren’t available yet, but there is a mitigation available.  The two zero-days allow MFA bypass and code execution, not good.  Currently fewer than 20 customers have been affected, up from fewer than 10 a few days ago.  Over 15,000 Connect Secure and Policy Secure gateways are currently exposed online.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day


Critical Unity Connection Vulnerability Allows Root Privileges

For starters, there is no evidence of proof-of-concept code or active exploitation.  That said, we’ll keep an eye on this one.

https://www.bleepingcomputer.com/news/security/cisco-says-critical-unity-connection-bug-lets-attackers-get-root/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD


PikaBot Mirrors QakBot in Several Ways

Discovered in early February 2023, PikaBot is a growing threat.  Several vendors are tracking PikaBot activity; it’s a likely replacement for QakBot.  We share a timeline of its rapid ascension.

https://www.darkreading.com/cyberattacks-data-breaches/pikabot-malware-qakbot-replacement-black-basta-attacks

https://31337infosec.com/is-pikabot-the-new-qakbot/


NoaBot Botnet Yet Another Mirai-Based Botnet

First observed in early 2023, the NoaBot botnet is growing and evolving.  It has self-propagating functionality, utilizing an SSH scanner and dictionary attacks to spread and dropping a cryptominer payload.  Obfuscations and threat actor capabilities make this an interesting campaign.

https://therecord.media/mirai-based-botnet-spreading-akamai

https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining


Internet Facing MSSQL Servers Accessed via Brute Force = Ransomware

Simple hygiene and attack surface management will prevent this attack.  Researchers observed a campaign targeting MSSQL servers; after initial access, the threat actor abused the xp_cmdshell procedure, which allows operating system commands to run from SQL.  A PowerShell command was executed leading to a Cobalt Strike payload, with post-exploitation behavior from there.
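Both halves of that chain, the brute-force login burst and the switch-on of xp_cmdshell, leave traces in the SQL Server ERRORLOG, so they are cheap to alert on. The detector below is an added example written for this newsletter, not code from the cited reports. SAMPLE_LOG is constructed but follows the shape of real ERRORLOG messages (the "Login failed for user" line with its [CLIENT: ip] suffix, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" notice); the threshold and window values are assumptions to tune per environment.

```python
"""Spot brute-force login bursts and xp_cmdshell enablement in SQL Server ERRORLOG lines.

Added example, not from the newsletter or the cited reports. SAMPLE_LOG is
constructed but follows the shape of real SQL Server ERRORLOG messages.
THRESHOLD and WINDOW_S defaults are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt: five failures from one client inside ten seconds, one stray
# failure from another client, then xp_cmdshell being switched on.
SAMPLE_LOG = """\
2024-01-10 02:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 02:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 02:14:02.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 02:14:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 02:14:04.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 02:20:12.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2024-01-10 02:21:40.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
FAILED_LOGIN = re.compile(TS + r" Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XP_CMDSHELL = re.compile(TS + r" \S+\s+Configuration option 'xp_cmdshell' changed from (\d) to (\d)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def max_in_window(times, window_s):
    """Largest number of events that fall inside any window_s-second span (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window_s=60):
    """Return brute-force sources, xp_cmdshell enable events, and human-readable alerts."""
    failures = defaultdict(list)   # client ip -> timestamps of failed logins
    enabled = []                   # timestamps at which xp_cmdshell was switched on
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            failures[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = XP_CMDSHELL.match(line)
        if m and m.group(3) == "1":
            enabled.append(parse_ts(m.group(1)))

    brute = {ip: max_in_window(ts, window_s) for ip, ts in failures.items()}
    brute = {ip: n for ip, n in brute.items() if n >= threshold}
    alerts = [f"brute force: {n} failed logins from {ip} within {window_s}s" for ip, n in brute.items()]
    for t in enabled:
        # Enabling xp_cmdshell after a brute-force burst is the sequence the campaign above used.
        prior = [ip for ip, ts in failures.items() if ip in brute and max(ts) < t]
        tag = f" after brute force from {', '.join(prior)}" if prior else ""
        alerts.append(f"xp_cmdshell enabled at {t:%H:%M:%S}{tag}")
    return {"brute_force": brute, "xp_cmdshell_enabled": enabled, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Run it against a real ERRORLOG (or the same messages forwarded to a SIEM) by replacing SAMPLE_LOG with the file contents; the xp_cmdshell rule is worth keeping at zero tolerance on servers where the procedure has no business being on at all.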

https://www.csoonline.com/article/1289668/turkish-ransomware-campaign-hacks-into-weak-mssql-servers-report.html

https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/


POST SMTP WordPress Plugin is a Site Takeover Risk

WordPress is a highly utilized content management system.  The POST SMTP plugin had two vulnerabilities allowing complete site takeover.  An updated plugin is available, but upwards of 150,000 sites are still running older plugin versions.

https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/

https://wordpress.org/plugins/post-smtp/advanced/


GitHub Abused for Malicious Infrastructure Becoming More Frequent

Recorded Future shares a report detailing the growing trend of the abuse of GitHub as a ‘living-off-trusted-sites’ behavior by cyber criminals and nation states.  The report analyzes how GitHub is used as malicious infrastructure and shares detection strategies.

https://thehackernews.com/2024/01/threat-actors-increasingly-abusing.html

https://go.recordedfuture.com/hubfs/reports/cta-2024-0111.pdf


Akira Ransomware Gang / Affiliates Target Backup Devices

Finland is observing Akira ransomware targeting companies and wiping NAS and backup devices.  Any backup system is a juicy target for ransomware affiliates; backup architecture and immutable backups are critical for disaster recovery after a ransomware event.

https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/


Proof of Concept Code Available for Apache OFBiz Vulnerability

This is one to continue to watch.  Now with proof-of-concept code available, let’s hope there isn’t mass exploitation.  Currently there is a low number of unique IPs scanning for the vulnerability.  Researchers claim arbitrary in-memory code execution is possible.

https://thehackernews.com/2024/01/new-poc-exploit-for-apache-ofbiz.html

https://viz.greynoise.io/tag/apache-ofbiz-deserialization-rce-attempt?days=30


Medusa Ransomware Clowns Stepping it Up

These clowns have a new blog with payment options via Tor and a public Telegram channel.  With no code of ethics, heavily targeting healthcare and schools, Medusa threat actors suck even more than the norm.  Opportunistic in nature, Medusa is still a threat.

https://www.csoonline.com/article/1290677/medusa-group-steps-up-ransomware-activities.html

https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/


New Campaign – Microsoft Windows Defender SmartScreen Vulnerability Exploited

Researchers share details of a campaign with a previously unknown strain of Phemedrone Stealer malware.  The campaign uses CVE-2023-36025 for defense evasion in a multi-step attack chain.  Patch management is critical, prioritizing known exploited vulnerabilities.

https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html


Critical SharePoint Vulnerability Actively Exploited

Another patched vulnerability actively exploited; this is a recurring theme.  Details of the in-the-wild exploitation are unknown, but CVE-2023-29357 bypasses SharePoint OAuth authentication.  A second vulnerability, CVE-2023-24955, allows insertion of arbitrary code; chained together, they are a potent combo.

https://www.csoonline.com/article/1290538/cisa-adds-patched-ms-sharepoint-server-vulnerability-to-kev-catalog.html


GitLab Releases Updates for Two Critical Vulnerabilities

With a maximum 10 out of 10 CVSS score, CVE-2023-7028 affects all user accounts with usernames and passwords, including those with SSO.  Even two-factor authentication (2FA) enabled accounts are vulnerable to password resets, but not account takeover.  The flaw is in the password reset mechanism, which allowed a second email address to be supplied for resets.  A second flaw tracked as CVE-2023-5356 is also fixed.
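The class of flaw described here, a reset flow that honors an extra request-supplied address, is worth seeing beside its fixed form. The code below is an added example written for this newsletter; it is not GitLab's code and does not describe GitLab's implementation. USERS, the Mailer and the token store are constructed in-memory stand-ins.

```python
"""Password reset: a handler that trusts every address the request lists, beside a hardened one.

Added example, not GitLab's code and not a description of its implementation; it
illustrates the flaw class the newsletter describes. USERS, Mailer and the
token store are constructed in-memory stand-ins.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

# Constructed account table: username -> stored, verified address.
USERS = {"alice": {"email": "alice@example.test", "verified": True}}
GENERIC = "If that address is registered, a reset link has been sent."


class Mailer:
    """Stand-in outbound mailer that records (recipient, body) pairs."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def issue_token(username, store, now, ttl=timedelta(minutes=15)):
    """Create a one-time token; only its hash and expiry are stored server-side."""
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = (username, now + ttl)
    return token


def reset_vulnerable(emails, mailer, users, store, now):
    """Flawed: the request may carry several addresses, and every one of them is
    trusted as long as one of them belongs to a real account."""
    for username, rec in users.items():
        if rec["email"] in emails:
            token = issue_token(username, store, now)
            for addr in emails:                      # the extra, request-supplied address gets the token too
                mailer.send(addr, f"reset token for {username}: {token}")
    return GENERIC


def reset_hardened(submitted, mailer, users, store, now):
    """Hardened: exactly one string address, matched against the stored verified
    address, and mail goes only to the stored address, never to request input."""
    if not isinstance(submitted, str):               # reject arrays / repeated parameters outright
        return GENERIC
    wanted = submitted.strip().lower()
    for username, rec in users.items():
        if rec["verified"] and rec["email"].lower() == wanted:
            token = issue_token(username, store, now)
            mailer.send(rec["email"], f"reset token for {username}: {token}")
            break
    return GENERIC                                   # same reply either way: no account enumeration


def redeem(token, store, now):
    """Return the username for a valid, unexpired token and burn it; otherwise None."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = store.pop(key, None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]


if __name__ == "__main__":
    mailer, store = Mailer(), {}
    reset_hardened("alice@example.test", mailer, USERS, store, datetime.now())
    print(mailer.sent)
```

The two checks that matter are the type check (a form or JSON body that arrives as a list is refused rather than iterated) and the rule that the recipient is always read from the account record, so nothing the requester controls can redirect the token.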

https://www.securityweek.com/gitlab-patches-critical-password-reset-vulnerability/


Fix Available for Critical Juniper Bug Affecting All SRX and EX Series

Critical vulnerability CVE-2024-21591, with a 9.8 CVSS score, allows an attacker unauthenticated remote code execution and root privileges.  These kinds of vulnerabilities are threat actor favorites; we need to keep a close eye on it.

https://www.bleepingcomputer.com/news/security/juniper-warns-of-critical-rce-bug-in-its-firewalls-and-switches/

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US

