09 – 15 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

1. Cisco ASA SSL VPN Vulnerability (CVE-2024-40200): This RCE vulnerability is being exploited by Chinese and Russian state-sponsored APTs to gain unauthorized access to sensitive data transmitted over SSL VPNs. Targets include government agencies and critical infrastructure, particularly in APAC, making it a priority for patching.
2. Citrix Gateway RCE Vulnerability (CVE-2024-40321): Exploited by APT29 (Cozy Bear), this flaw allows unauthenticated remote code execution. The group has used it to gain persistent access to enterprise networks in attacks against multinational corporations and financial institutions, underscoring its rapid adoption by espionage actors.
3. Sophos XG Firewall Vulnerability (CVE-2024-41107): Iranian-linked threat actors have exploited this to bypass security controls and gain footholds in MENA-region networks. This is part of broader espionage activities targeting government and defense organizations.
4. Zimbra Collaboration Suite Vulnerability (CVE-2024-40998): APT28 (Fancy Bear) is actively exploiting this flaw to steal sensitive emails and credentials. Zimbra is widely used by universities and government agencies, making this CVE highly dangerous for academic and public sector institutions.

Key Takeaways:

• Cisco ASA SSL VPN and Citrix Gateway vulnerabilities are seeing heavy exploitation in cyber-espionage campaigns, with state-sponsored actors using these flaws to target critical infrastructure and government agencies.
• Sophos XG Firewalls and Zimbra Collaboration Suite vulnerabilities are being actively exploited by APT groups, focusing on data theft and long-term persistence within sensitive networks, particularly in the Middle East and academic sectors.

Ransomware Activity

Over the past week, we’ve captured 82 ransomware incidents, affecting victims in 23 countries across 24 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

• Advanced EDR Evasion Techniques: Ransomware operators, particularly RansomHub, have been deploying sophisticated tools like Kaspersky’s TDSSKiller to bypass endpoint detection and response (EDR) systems. This reflects the growing use of Bring Your Own Vulnerable Driver (BYOVD) strategies, which are increasingly being employed to disable security measures before deploying ransomware.
• Targeting Virtualized Infrastructures: Groups such as Storm-0506 and Manatee Tempest have turned their attention toward VMware ESXi hypervisors, exploiting vulnerabilities like CVE-2024-37085. This allows them to rapidly encrypt multiple virtual machines, expanding their attack surface by compromising critical server environments.

Emerging Threat Actors:

• Helldown: A newly surfaced group, Helldown, made its mark by listing 17 victims on its leak site in a short period, indicating it may quickly become a more prominent player. Their focus has been on exploiting unpatched vulnerabilities to target a broad array of victims.
• Manatee Tempest: This relatively new group has been gaining attention for its focused exploitation of ESXi vulnerabilities, joining the ranks of emerging ransomware gangs that prioritize attacks on virtualization technologies.

Key Ransomware Incidents:

• Storm-0506 (Black Basta) Attack on Engineering Firm: Storm-0506 conducted a high-profile attack against a North American engineering firm, exploiting CVE-2023-28252 (a Windows CLFS vulnerability). The group leveraged advanced credential-stealing tools like Cobalt Strike and Pypykatz to compromise administrative accounts and encrypt virtual machines, causing widespread operational disruption.
• Meow Ransomware Group Resurgence: The Meow ransomware group has shifted its focus from Russian targets to U.S. entities, marking a resurgence in its activity. Using Conti’s leaked ransomware code, Meow has been increasingly active, showing adaptability in its targeting strategy and operational methods.

News Roundup

Payment Provider Breach Exposes Credit Card Data

On September 10th, 2024, payment provider Slim CD disclosed a significant data breach affecting 1.7 million users. The breach resulted in the exposure of sensitive credit card information, raising concerns about customer financial security. Slim CD reported the breach promptly, triggering investigations into how the attackers were able to bypass existing defences. The company is urging affected customers to monitor their financial statements closely for any suspicious activity and is working with cybersecurity experts to fortify its systems.

Meta Scrapes User Data to Train AI

On September 12th, 2024, Meta (formerly Facebook) admitted to scraping user data, including images and posts, from Australian profiles to train its AI models. Worryingly, this data collection also included content from minors featured on adult profiles, prompting privacy concerns. Australian regulators and privacy advocates have voiced concerns about the scope of Meta’s data-gathering efforts and the lack of transparency. The incident has reignited debates on data privacy and the ethical use of personal information in AI training.

RansomHub: A New Threat in Ransomware

US authorities issued a joint advisory on the growing threat of RansomHub, a ransomware-as-a-service group that has gained prominence throughout 2024. Formerly known as Cyclops and Knight, the group has attacked over 200 organisations since February 2024, targeting critical sectors such as water, manufacturing, and government services. Authorities recommend organisations implement multi-factor authentication and enhance phishing detection to defend against this rapidly evolving threat​.

Zero-Day Vulnerabilities in Ivanti EPM

On September 11th, 2024, researchers revealed that critical vulnerabilities in Ivanti Endpoint Manager (EPM) were being actively exploited in the wild. These zero-day flaws, rated CVSS 10, allow remote attackers to take full control of affected systems. Ivanti has urged organisations to apply patches immediately to mitigate the risk of exploitation. The vulnerabilities have been leveraged by both criminal groups and nation-state actors, targeting critical industries such as healthcare, government, and energy​.

AppleCare+ Scam Exposed

A new scam surfaced on September 13th, 2024, where attackers used GitHub repositories to create fake AppleCare+ websites, tricking users into providing personal and financial information. The scam involved impersonating legitimate Apple services, offering fraudulent tech support and extended warranties. Security experts warn that this technique, leveraging trusted platforms like GitHub, represents an evolution in phishing tactics. Users are advised to verify the legitimacy of any unsolicited AppleCare+ communications and avoid clicking on suspicious links​.

Photo by FlyD on Unsplash

19 – 25 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Emergence of New Stealer Malware: QWERTY & Styx

A new strain of malware, named “QWERTY Info Stealer,” has been identified as a significant threat to Windows systems, utilising advanced anti-debugging techniques and data exfiltration capabilities. Hosted on the domain mailservicess[.]com, the malware is designed to evade detection, making it particularly dangerous for both individuals and organisations. Discovered on a Linux-based server in Frankfurt, Germany, the malware is distributed via the URL hxxps://mailservicess[.]com/res/data/i.exe.

QWERTY Info Stealer employs multiple anti-debugging strategies, such as using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(), and the lesser-known __CheckForDebuggerJustMyCode function. These techniques enable the malware to terminate if it detects a debugging environment, complicating efforts by security researchers to analyse its behaviour. After bypassing these checks, the malware begins collecting data, including system information and browser data, which it stores in specific directories on the infected system. It then communicates with Command and Control (C2) servers, downloading additional payloads and exfiltrating data using HTTP POST requests, underlining its sophistication and the ongoing threat it poses to cybersecurity.

Cybersecurity researchers at Check Point have uncovered a new malware strain called “Styx Stealer,” designed to steal browser and instant messenger data. Emerging in April 2024 and based on the Phemedrone Stealer, Styx Stealer enhances its predecessor’s capabilities with features like crypto-clipping, real-time clipboard monitoring, and auto-start functionality. It targets Chromium and Gecko-based browsers to extract sensitive information such as passwords, cookies, and cryptocurrency wallet data, while also compromising Telegram and Discord sessions. The malware resists analysis by antivirus programs and sandboxes, making it a formidable tool for cybercriminals.

Styx Stealer was developed by a Turkish hacker known as “Sty1x,” who marketed it via Telegram, charging between $75 per month and $350 for unlimited access. An operational security lapse exposed his identity and connections with a Nigerian cybercriminal linked to an Agent Tesla campaign. This revelation highlighted the broader network of cybercriminals involved in various illicit activities, including targeting Chinese firms. Despite Sty1x’s efforts, there are no confirmed victims beyond their own systems and a few security sandboxes, suggesting that their attempts to widely distribute Styx Stealer were largely unsuccessful.

New Phishing Attack Targets Android & iOS Users

A new phishing attack targeting both Android and iOS users has been discovered, combining traditional social engineering techniques with the use of Progressive Web Applications (PWAs) and WebAPKs. First identified in November 2023, the attack primarily targets clients of Czech banks, though cases have also been reported in Hungary and Georgia, indicating a wider spread. The attackers employ various delivery methods, such as automated voice calls, SMS messages, and social media ads, which often use official bank mascots and logos to lure victims to a phishing link mimicking a Google Play page. If accessed via a mobile device, the page prompts the installation of a phishing app disguised as a legitimate banking application.

This phishing app, installed as a PWA or WebAPK, is almost indistinguishable from the real banking app, leading victims to a fake login page that captures their banking credentials. The stolen information is then transmitted to the attackers’ Command and Control (C&C) servers, which are operated by two distinct groups—one using a Telegram bot for real-time logging, and the other using a traditional C&C server. The attackers have managed to evade detection by frequently changing domains and launching new campaigns. To mitigate the risk, users should be cautious when installing apps, verify the authenticity of downloads, and keep their devices updated with the latest security patches.

Linux Kernel Vulnerability

Researchers have identified a vulnerability in the Linux kernel’s dmam_free_coherent() function, caused by a race condition during the process of freeing DMA (Direct Memory Access) allocations and managing associated resources. This flaw can lead to system instabilities, as DMA is essential for allowing hardware devices to transfer data directly to and from system memory without CPU involvement. The vulnerability arises from an improper order of operations within the function, which could result in incorrect memory access, data corruption, or system crashes.

The vulnerability is particularly concerning because an attacker could exploit the race condition by timing their operations to coincide with the freeing and reallocation of DMA memory. If successful, this could cause the devres_destroy function to free the wrong memory entry, triggering a WARN_ON assertion in the dmam_match function, which is part of the DMA management subsystem. This issue occurs when a concurrent task allocates memory with the same virtual address before the original entry is removed from the tracking list, potentially leading to significant system errors.

To address this vulnerability, Greg Kroah-Hartman committed a patch (CVE-2024-43856) authored by Lance Richardson from Google, which modifies the dmam_free_coherent function. The patch swaps the order of the function calls, ensuring that the tracking data structure is destroyed before the DMA allocation is freed, thereby preventing the race condition. The patch has been tested on Google’s internal network encryption project and has been approved for inclusion in the mainline Linux kernel, mitigating the risk associated with this vulnerability. Exploiting this vulnerability to achieve arbitrary code execution would be complex and would likely require additional vulnerabilities or precise control over the target system.

Zero-day Vulnerability in Google Chrome

Google recently patched a high-severity zero-day vulnerability in its Chrome browser, CVE-2024-7971. This flaw, found in the V8 JavaScript engine, is a type confusion issue that can be exploited to execute arbitrary code. The vulnerability was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024, and it is actively being exploited in the wild. In response, Google quickly released updates to mitigate the risk, urging users to update their browsers to the latest version.

The latest Chrome update, version 128.0.6613.84/.85, addresses a total of 38 security vulnerabilities, including several high-severity issues. Among these are CVE-2024-7964, a use-after-free vulnerability in the Passwords component; CVE-2024-7965, an inappropriate implementation in the V8 engine; and CVE-2024-7966, an out-of-bounds memory access flaw in the Skia graphics library. Each of these vulnerabilities could allow attackers to execute arbitrary code, leading to serious security breaches or system compromises.

Users are strongly advised to update to the latest version of Google Chrome to ensure protection against these vulnerabilities. While Chrome generally updates automatically, users can manually check for updates via Settings > About Chrome. Additionally, those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest security updates as they become available. This patch highlights the need for vigilance and prompt action in the face of zero-day exploits in widely used software.

Chinese Hackers Exploiting Cisco Zero-day

A sophisticated cyber espionage group known as Velvet Ant, linked to China, has been found exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches. The vulnerability, identified as CVE-2024-20399, was discovered by cybersecurity firm Sygnia during a forensic investigation and promptly reported to Cisco. This flaw, with a CVSS score of 6.0, allows an authenticated local attacker with administrative privileges to execute arbitrary commands as root on the affected devices due to insufficient validation of arguments passed to specific CLI commands.

Velvet Ant exploited this vulnerability to install a custom malware, dubbed VELVETSHELL, on compromised Cisco Nexus devices. The malware, which combines elements of the TinyShell Unix backdoor and the 3proxy tool, enables attackers to execute arbitrary commands, upload and download files, and create tunnels to proxy network traffic. Sygnia’s investigation revealed that Velvet Ant has been operating for approximately three years, targeting inadequately protected network appliances like outdated F5 BIG-IP systems to maintain long-term access and steal sensitive information.

Cisco has released software updates to patch the vulnerability and strongly advises customers to apply these updates immediately. Experts warn that network appliances, especially switches, are often under-monitored, with logs rarely forwarded to centralized logging systems, making it difficult to detect and investigate such malicious activities. To mitigate this threat, organizations are urged to apply Cisco’s updates, enhance monitoring of network appliances, regularly update administrator credentials, and adopt stringent security practices to prevent unauthorized access.

12 – 18 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Hackers’ Toolkit Exposed

Cybersecurity researchers have uncovered an extensive hacker toolkit, revealing a sophisticated set of tools designed for various stages of cyberattacks. The toolkit, discovered in an open directory in December 2023, comprises a range of batch scripts and malware targeting both Windows and Linux systems. These tools illustrate the hackers’ ability to execute a variety of malicious activities, from initial system compromise to long-term control and data exfiltration.

Among the most significant tools found were PoshC2 and Sliver, two command and control (C2) frameworks commonly used by penetration testers but repurposed for malicious purposes. The toolkit also included custom scripts designed for defence evasion and system manipulation, such as those for removing remote management agents, deleting system backups, and erasing event logs. These components reflect the attackers’ intent to maintain persistent access while covering their tracks.

The discovery of this toolkit highlights the advanced methods used by modern cybercriminals and emphasises the need for robust cybersecurity measures. Experts recommend that organisations adopt comprehensive security strategies, including regular updates, employee training, and advanced threat detection, to protect against these sophisticated attacks. The presence of tools aimed at stopping services, deleting backups, and disabling antivirus software suggests that the toolkit was likely used in ransomware activities.

Critical Vulnerabilities in AWS Identified

Researchers from Aqua identified critical vulnerabilities in six Amazon Web Services (AWS) offerings: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. These vulnerabilities, varying in severity, posed significant risks such as remote code execution, service user takeover, AI module manipulation, data exposure, exfiltration, and denial of service (DoS) attacks, potentially affecting any organisation globally that utilised these services. Aqua introduced two key attack vectors, “Shadow Resource” and “Bucket Monopoly,” which exploit automatically generated AWS resources, like S3 buckets, created without explicit user commands. These techniques could allow attackers to execute code, steal data, or take over user accounts.

The vulnerabilities were reported to AWS between February and March 2024, with AWS confirming fixes for most by June 2024. However, a subsequent report indicated that the CloudFormation fix left users vulnerable to a DoS attack, prompting AWS to announce further work on this issue. By August 2024, the vulnerabilities and fixes were publicly discussed at prominent cybersecurity conferences, Black Hat USA and DEF CON 32. AWS’s response included adding random sequences to bucket names if a name conflict arose and planning the deprecation of CodeStar, which had been vulnerable but would no longer allow new projects.

One of the most critical vulnerabilities was in AWS Glue, where attackers could exploit predictable S3 bucket naming to inject malicious code into Glue jobs, leading to remote code execution. To mitigate these risks, it is recommended that organisations implement scoped policies, verify bucket ownership, and avoid using predictable bucket names. While AWS has addressed these specific vulnerabilities, similar risks may exist in other services, underscoring the importance of following best practices and implementing robust security measures to protect against evolving threats.

0-Click Vulnerability leading to RCE found in Outlook

Morphisec researchers have identified a critical vulnerability in Microsoft Outlook, labelled as CVE-2024-30103, which allows remote code execution when a malicious email is opened. This flaw builds on a previously discovered vulnerability, CVE-2024-21378, that exposed Outlook to remote code execution via synchronized form objects. The new vulnerability exploits weaknesses in the allow-listing mechanism, which fails to properly validate form server properties, enabling attackers to instantiate unauthorized custom forms.

The vulnerability hinges on how the Windows API function RegCreateKeyExA handles registry paths. Specifically, the function removes trailing backslashes, allowing attackers to manipulate registry keys and bypass security checks. This manipulation can lead to the loading of malicious executables when a specially crafted email is opened in Outlook. By exploiting this behaviour, attackers can execute arbitrary code within the Outlook process, potentially leading to data breaches, unauthorized access, and other malicious activities.

In response, Microsoft has issued a security update that revises the allow-listing matching algorithm to prevent such exploits. The update modifies how subkeys are matched by removing trailing backslashes before performing an exact match, enhancing system defences. Additionally, Microsoft has strengthened its denylist to block remote code execution attacks exploiting subkey manipulation. Despite these improvements, the evolving nature of security threats means organisations must remain vigilant, regularly updating and auditing their systems to protect against future vulnerabilities.

APT42 targeting US Presidential Election

The Iranian government-backed cyber group APT42 has launched a phishing campaign targeting high-profile individuals connected to the U.S. presidential election, according to Google’s Threat Analysis Group (TAG). This sophisticated threat actor, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been focusing on individuals affiliated with both the Biden and Trump campaigns. The campaign is part of APT42’s broader efforts to support Iran’s political and military objectives through cyber espionage, with a notable focus on the U.S. and Israel, which together represent 60% of the group’s known targets.

APT42 employs a range of tactics in its phishing campaigns, including the use of malware, phishing pages, and malicious redirects, often hosted on popular services like Google Drive and OneDrive. The group is known for creating fake domains that closely resemble legitimate organizations, a tactic called typosquatting, to deceive their targets. Their phishing emails, often designed to seem credible, encourage recipients to enter credentials on fake landing pages, with the capability to bypass multi-factor authentication, making them particularly dangerous.

In response to these activities, Google has taken measures to secure compromised accounts and issued warnings to targeted individuals. They have also reported the malicious activities to law enforcement and are working with authorities to mitigate the threat. As the U.S. presidential election nears, the actions of APT42 highlight the ongoing risk of foreign interference, emphasizing the need for robust cybersecurity measures to protect democratic processes. High-risk individuals are advised to enhance their security, including enrolling in Google’s Advanced Protection Program.

Phishing Campaign masquerading as Google Safety Center

A sophisticated phishing campaign has been identified, where cybercriminals impersonate the Google Safety Centre to trick users into downloading a malicious file disguised as the Google Authenticator app. This attack threatens personal data by installing two types of malware, Latrodectus and ACR Stealer, on victims’ devices. Latrodectus allows attackers to remotely control the infected device, while ACR Stealer uses advanced techniques to obscure its command and control server, making it difficult for cybersecurity experts to trace and neutralize the threat.

What makes this campaign particularly concerning is the attackers’ use of advanced evasion techniques, which indicate a high level of sophistication and ongoing refinement of their methods. As cybercriminals continue to evolve, cybersecurity experts urge users to be cautious when receiving unsolicited emails or messages, especially those prompting software downloads. Verifying the authenticity of such communications and keeping software and security systems up to date are crucial steps in protecting against these increasingly sophisticated threats.

Photo by Kenny Eliason on Unsplash