Customer portal
Articles Tagged with

SOS Intelligence

"Inside
Opinion, SME Cybersecurity, Tips

Inside a Cyber Attack – Key Phases and Business Impact

The Far-Reaching Impact of Cyber Attacks and what are the phases?

In an era where digital connectivity underpins nearly every aspect of our personal and professional lives, the threat of cyber attacks is not going away. As you can probably imagine, it’s getting worse.

From personal data breaches to corporate espionage and national security threats, cyber attacks can have profound and far-reaching consequences. In this blog post, we’ll explore the various impacts of cyber attacks, including economic damage, operational disruption, reputational harm, and personal consequences. We will also outline the main phases of an attack.

One of the areas we try and focus on is providing as much education as possible for businesses and organisations. Here is an infographic we have recently developed which outlines the main phases inside a cyber attack.

You will see that the phases are distinct and each one has certain things which happen which then leads to the next phase. The critical part to understand is that if you have insight into a leak of credentials or a discussion of a vulnerability, you can take action and stop this chain of events.

You can download the PDF version here. (Opens in a new tab for you).

The key phases flow from one to another, often with alarming speed. If you don’t know what has happened or indeed, happening, you cannot act…

This is where SOS Intelligence comes in to give you the insight and information you need for your business or organisation.

So what is the business impact from a cyber attack?


Economic Damage: The Price of Vulnerability

One of the most immediate and tangible impacts of a cyber attack is its financial cost. Businesses and organisations may face:

  • Direct Financial Losses: This includes the immediate costs of response and remediation, such as hiring cybersecurity experts, paying for system repairs, and dealing with potential legal fees. Financial losses can soar into the millions of pounds.
  • Ransom Payments: In ransomware attacks, cybercriminals encrypt data and demand payment for its release. These payments can be substantial, and even if the ransom is paid, there’s no guarantee that the data will be recovered or that the organization won’t be targeted again.
  • Insurance Costs: Many organisations turn to cyber insurance to mitigate potential losses, but premiums can rise significantly after an attack, adding to the long-term financial burden.

Operational Disruption: Halting Business As Usual

Cyber attacks can cripple a businesses’ ability to operate effectively. The impact on operations can be severe:

  • Downtime: System outages or disruptions can halt business operations, affecting productivity and revenue. For some organisations, it can be critical infrastructure which is disrupted. For the recent NHS attacks in the UK, operations and appointments as well as medical testing were severely disrupted.
  • Data Loss: Losing access to critical data can impede decision-making processes, delay projects, and affect customer service. Restoring lost data can be time-consuming and costly.
  • Supply Chain Disruptions: Cyber attacks can ripple through supply chains, causing delays and impacting partners and customers. The 2020 SolarWinds attack, which compromised numerous organizations through a single software provider, is a prime example of how interconnected systems can be affected. SOS Intelligence can help you monitor your third parties as well as your own domains and keywords.

Reputational Harm: Eroding Trust

The damage to an organisation’s reputation can be long-lasting and challenging to repair:

  • Customer Trust: Data breaches that expose personal information can erode customer trust. Customers expect companies, large and small, to safeguard their data, and a breach can lead to loss of business and diminished customer loyalty. This would be especially so in the legal sector which is seeing a rise in cyber threats.
  • Public Perception: How an organisation responds to an attack can influence public perception. A poorly managed response can exacerbate reputational damage, while transparent and effective communication can help rebuild trust. Ideally, you don’t want to be ion this position in the first place!
  • Competitive Disadvantage: Competitors may capitalise on an organisation’s misfortune, attracting clients who are concerned about security. Additionally, the affected business may face increased scrutiny from regulators and stakeholders.

Personal Consequences: The Human Element

The impact of cyber attacks extends beyond businesses and can significantly affect individuals as well:

  • Identity Theft: Personal data breaches can lead to identity theft, where sensitive information is used fraudulently, potentially causing long-term financial and emotional distress for victims.
  • Privacy Invasion: Cyber attacks that expose private communications or personal data can lead to privacy violations, harassment, and psychological distress.
  • Loss of Confidence: Individuals who fall victim to cyber attacks may experience a loss of confidence in digital systems, leading to increased anxiety and reluctance to use online services.

The Path Forward: Enhancing Cyber Resilience

In light of these impacts, it’s crucial for businesses, organisations and individuals to improve their cyber defences AND adopt best practices to mitigate risks:

  • Invest in Cybersecurity: Regularly update and upgrade cybersecurity measures, including firewalls, anti-virus software, and encryption. If you have not seen what SOS Intelligence can do for you, please get in touch, we would be delighted to show you.
  • Educate and Train: Ensure that employees and individuals are aware of potential threats and know how to recognise phishing attempts and other cyber risks.
  • Develop Response Plans: Have a robust incident response plan in place to quickly address and mitigate the effects of a cyber attack.
  • Regular Backups: Maintain regular backups of critical data to ensure recovery in the event of data loss.

Conclusion

Cyber attacks are a pervasive and evolving threat with significant consequences. The economic impact, operational disruption, reputational damage, and personal consequences underscore the importance of proactive measures to enhance your cyber resilience.

EVERY business and organisation is at risk, in any country and in any vertical. It is not just large organisations… SMEs are just as much at risk, and often at more risk as they don’t have large teams and systems in place.

If you’d like to book a demo of what SOS Intelligence can do for you, click here now.

Read the next blog post in our SME Cyberecurity series.

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 02 September 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2024-38112

Windows MSHTML Platform Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38112

 


 

2. CVE-2024-38021

Microsoft Outlook Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38021

 


 

3. CVE-2024-38074

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38074

 


 

4. CVE-2024-38052

Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38052

 


 

5. CVE-2024-38140

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38140

 


 

6. CVE-2024-38199

Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38199

 


 

7. CVE-2024-38080

Windows Hyper-V Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38080

 


 

8. CVE-2024-38125

Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38125

 


 

9. CVE-2024-38141

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38141

 


 

10. CVE-2024-38147

Microsoft DWM Core Library Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38147

 


"SOS
SOS Intelligence Weekly News Round Up

Weekly News Round Up

19 – 25 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Emergence of New Stealer Malware: QWERTY & Styx

A new strain of malware, named “QWERTY Info Stealer,” has been identified as a significant threat to Windows systems, utilising advanced anti-debugging techniques and data exfiltration capabilities. Hosted on the domain mailservicess[.]com, the malware is designed to evade detection, making it particularly dangerous for both individuals and organisations. Discovered on a Linux-based server in Frankfurt, Germany, the malware is distributed via the URL hxxps://mailservicess[.]com/res/data/i.exe.

QWERTY Info Stealer employs multiple anti-debugging strategies, such as using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(), and the lesser-known __CheckForDebuggerJustMyCode function. These techniques enable the malware to terminate if it detects a debugging environment, complicating efforts by security researchers to analyse its behaviour. After bypassing these checks, the malware begins collecting data, including system information and browser data, which it stores in specific directories on the infected system. It then communicates with Command and Control (C2) servers, downloading additional payloads and exfiltrating data using HTTP POST requests, underlining its sophistication and the ongoing threat it poses to cybersecurity.

Cybersecurity researchers at Check Point have uncovered a new malware strain called “Styx Stealer,” designed to steal browser and instant messenger data. Emerging in April 2024 and based on the Phemedrone Stealer, Styx Stealer enhances its predecessor’s capabilities with features like crypto-clipping, real-time clipboard monitoring, and auto-start functionality. It targets Chromium and Gecko-based browsers to extract sensitive information such as passwords, cookies, and cryptocurrency wallet data, while also compromising Telegram and Discord sessions. The malware resists analysis by antivirus programs and sandboxes, making it a formidable tool for cybercriminals.

Styx Stealer was developed by a Turkish hacker known as “Sty1x,” who marketed it via Telegram, charging between $75 per month and $350 for unlimited access. An operational security lapse exposed his identity and connections with a Nigerian cybercriminal linked to an Agent Tesla campaign. This revelation highlighted the broader network of cybercriminals involved in various illicit activities, including targeting Chinese firms. Despite Sty1x’s efforts, there are no confirmed victims beyond their own systems and a few security sandboxes, suggesting that their attempts to widely distribute Styx Stealer were largely unsuccessful.

New Phishing Attack Targets Android & iOS Users

A new phishing attack targeting both Android and iOS users has been discovered, combining traditional social engineering techniques with the use of Progressive Web Applications (PWAs) and WebAPKs. First identified in November 2023, the attack primarily targets clients of Czech banks, though cases have also been reported in Hungary and Georgia, indicating a wider spread. The attackers employ various delivery methods, such as automated voice calls, SMS messages, and social media ads, which often use official bank mascots and logos to lure victims to a phishing link mimicking a Google Play page. If accessed via a mobile device, the page prompts the installation of a phishing app disguised as a legitimate banking application.

This phishing app, installed as a PWA or WebAPK, is almost indistinguishable from the real banking app, leading victims to a fake login page that captures their banking credentials. The stolen information is then transmitted to the attackers’ Command and Control (C&C) servers, which are operated by two distinct groups—one using a Telegram bot for real-time logging, and the other using a traditional C&C server. The attackers have managed to evade detection by frequently changing domains and launching new campaigns. To mitigate the risk, users should be cautious when installing apps, verify the authenticity of downloads, and keep their devices updated with the latest security patches.

Linux Kernel Vulnerability

Researchers have identified a vulnerability in the Linux kernel’s dmam_free_coherent() function, caused by a race condition during the process of freeing DMA (Direct Memory Access) allocations and managing associated resources. This flaw can lead to system instabilities, as DMA is essential for allowing hardware devices to transfer data directly to and from system memory without CPU involvement. The vulnerability arises from an improper order of operations within the function, which could result in incorrect memory access, data corruption, or system crashes.

The vulnerability is particularly concerning because an attacker could exploit the race condition by timing their operations to coincide with the freeing and reallocation of DMA memory. If successful, this could cause the devres_destroy function to free the wrong memory entry, triggering a WARN_ON assertion in the dmam_match function, which is part of the DMA management subsystem. This issue occurs when a concurrent task allocates memory with the same virtual address before the original entry is removed from the tracking list, potentially leading to significant system errors.

To address this vulnerability, Greg Kroah-Hartman committed a patch (CVE-2024-43856) authored by Lance Richardson from Google, which modifies the dmam_free_coherent function. The patch swaps the order of the function calls, ensuring that the tracking data structure is destroyed before the DMA allocation is freed, thereby preventing the race condition. The patch has been tested on Google’s internal network encryption project and has been approved for inclusion in the mainline Linux kernel, mitigating the risk associated with this vulnerability. Exploiting this vulnerability to achieve arbitrary code execution would be complex and would likely require additional vulnerabilities or precise control over the target system.

Zero-day Vulnerability in Google Chrome

Google recently patched a high-severity zero-day vulnerability in its Chrome browser, CVE-2024-7971. This flaw, found in the V8 JavaScript engine, is a type confusion issue that can be exploited to execute arbitrary code. The vulnerability was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024, and it is actively being exploited in the wild. In response, Google quickly released updates to mitigate the risk, urging users to update their browsers to the latest version.

The latest Chrome update, version 128.0.6613.84/.85, addresses a total of 38 security vulnerabilities, including several high-severity issues. Among these are CVE-2024-7964, a use-after-free vulnerability in the Passwords component; CVE-2024-7965, an inappropriate implementation in the V8 engine; and CVE-2024-7966, an out-of-bounds memory access flaw in the Skia graphics library. Each of these vulnerabilities could allow attackers to execute arbitrary code, leading to serious security breaches or system compromises.

Users are strongly advised to update to the latest version of Google Chrome to ensure protection against these vulnerabilities. While Chrome generally updates automatically, users can manually check for updates via Settings > About Chrome. Additionally, those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest security updates as they become available. This patch highlights the need for vigilance and prompt action in the face of zero-day exploits in widely used software.

Chinese Hackers Exploiting Cisco Zero-day

A sophisticated cyber espionage group known as Velvet Ant, linked to China, has been found exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches. The vulnerability, identified as CVE-2024-20399, was discovered by cybersecurity firm Sygnia during a forensic investigation and promptly reported to Cisco. This flaw, with a CVSS score of 6.0, allows an authenticated local attacker with administrative privileges to execute arbitrary commands as root on the affected devices due to insufficient validation of arguments passed to specific CLI commands.

Velvet Ant exploited this vulnerability to install a custom malware, dubbed VELVETSHELL, on compromised Cisco Nexus devices. The malware, which combines elements of the TinyShell Unix backdoor and the 3proxy tool, enables attackers to execute arbitrary commands, upload and download files, and create tunnels to proxy network traffic. Sygnia’s investigation revealed that Velvet Ant has been operating for approximately three years, targeting inadequately protected network appliances like outdated F5 BIG-IP systems to maintain long-term access and steal sensitive information.

Cisco has released software updates to patch the vulnerability and strongly advises customers to apply these updates immediately. Experts warn that network appliances, especially switches, are often under-monitored, with logs rarely forwarded to centralized logging systems, making it difficult to detect and investigate such malicious activities. To mitigate this threat, organizations are urged to apply Cisco’s updates, enhance monitoring of network appliances, regularly update administrator credentials, and adopt stringent security practices to prevent unauthorized access.

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 26 August 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2023-45866

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

https://nvd.nist.gov/vuln/detail/CVE-2023-45866

 


 

2. CVE-2024-38112

Windows MSHTML Platform Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38112

 


 

3. CVE-2024-38021

Microsoft Outlook Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38021

 


 

4. CVE-2024-38074

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38074

 


 

5. CVE-2024-38052

Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38052

 


 

6. CVE-2024-38080

Windows Hyper-V Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38080

 


 

7. CVE-2024-38140

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38140

 


 

8. CVE-2024-38199

Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38199

 


 

9. CVE-2022-44666

Windows Contacts Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-44666

 


 

10. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

 


""/
SOS Intelligence Weekly News Round Up

Weekly News Round Up

12 – 18 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Hackers’ Toolkit Exposed

Cybersecurity researchers have uncovered an extensive hacker toolkit, revealing a sophisticated set of tools designed for various stages of cyberattacks. The toolkit, discovered in an open directory in December 2023, comprises a range of batch scripts and malware targeting both Windows and Linux systems. These tools illustrate the hackers’ ability to execute a variety of malicious activities, from initial system compromise to long-term control and data exfiltration.

Among the most significant tools found were PoshC2 and Sliver, two command and control (C2) frameworks commonly used by penetration testers but repurposed for malicious purposes. The toolkit also included custom scripts designed for defence evasion and system manipulation, such as those for removing remote management agents, deleting system backups, and erasing event logs. These components reflect the attackers’ intent to maintain persistent access while covering their tracks.

The discovery of this toolkit highlights the advanced methods used by modern cybercriminals and emphasises the need for robust cybersecurity measures. Experts recommend that organisations adopt comprehensive security strategies, including regular updates, employee training, and advanced threat detection, to protect against these sophisticated attacks. The presence of tools aimed at stopping services, deleting backups, and disabling antivirus software suggests that the toolkit was likely used in ransomware activities.

Critical Vulnerabilities in AWS Identified

Researchers from Aqua identified critical vulnerabilities in six Amazon Web Services (AWS) offerings: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. These vulnerabilities, varying in severity, posed significant risks such as remote code execution, service user takeover, AI module manipulation, data exposure, exfiltration, and denial of service (DoS) attacks, potentially affecting any organisation globally that utilised these services. Aqua introduced two key attack vectors, “Shadow Resource” and “Bucket Monopoly,” which exploit automatically generated AWS resources, like S3 buckets, created without explicit user commands. These techniques could allow attackers to execute code, steal data, or take over user accounts.

The vulnerabilities were reported to AWS between February and March 2024, with AWS confirming fixes for most by June 2024. However, a subsequent report indicated that the CloudFormation fix left users vulnerable to a DoS attack, prompting AWS to announce further work on this issue. By August 2024, the vulnerabilities and fixes were publicly discussed at prominent cybersecurity conferences, Black Hat USA and DEF CON 32. AWS’s response included adding random sequences to bucket names if a name conflict arose and planning the deprecation of CodeStar, which had been vulnerable but would no longer allow new projects.

One of the most critical vulnerabilities was in AWS Glue, where attackers could exploit predictable S3 bucket naming to inject malicious code into Glue jobs, leading to remote code execution. To mitigate these risks, it is recommended that organisations implement scoped policies, verify bucket ownership, and avoid using predictable bucket names. While AWS has addressed these specific vulnerabilities, similar risks may exist in other services, underscoring the importance of following best practices and implementing robust security measures to protect against evolving threats.

0-Click Vulnerability leading to RCE found in Outlook

Morphisec researchers have identified a critical vulnerability in Microsoft Outlook, labelled as CVE-2024-30103, which allows remote code execution when a malicious email is opened. This flaw builds on a previously discovered vulnerability, CVE-2024-21378, that exposed Outlook to remote code execution via synchronized form objects. The new vulnerability exploits weaknesses in the allow-listing mechanism, which fails to properly validate form server properties, enabling attackers to instantiate unauthorized custom forms.

The vulnerability hinges on how the Windows API function RegCreateKeyExA handles registry paths. Specifically, the function removes trailing backslashes, allowing attackers to manipulate registry keys and bypass security checks. This manipulation can lead to the loading of malicious executables when a specially crafted email is opened in Outlook. By exploiting this behaviour, attackers can execute arbitrary code within the Outlook process, potentially leading to data breaches, unauthorized access, and other malicious activities.

In response, Microsoft has issued a security update that revises the allow-listing matching algorithm to prevent such exploits. The update modifies how subkeys are matched by removing trailing backslashes before performing an exact match, enhancing system defences. Additionally, Microsoft has strengthened its denylist to block remote code execution attacks exploiting subkey manipulation. Despite these improvements, the evolving nature of security threats means organisations must remain vigilant, regularly updating and auditing their systems to protect against future vulnerabilities.

APT42 targeting US Presidential Election

The Iranian government-backed cyber group APT42 has launched a phishing campaign targeting high-profile individuals connected to the U.S. presidential election, according to Google’s Threat Analysis Group (TAG). This sophisticated threat actor, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been focusing on individuals affiliated with both the Biden and Trump campaigns. The campaign is part of APT42’s broader efforts to support Iran’s political and military objectives through cyber espionage, with a notable focus on the U.S. and Israel, which together represent 60% of the group’s known targets.

APT42 employs a range of tactics in its phishing campaigns, including the use of malware, phishing pages, and malicious redirects, often hosted on popular services like Google Drive and OneDrive. The group is known for creating fake domains that closely resemble legitimate organizations, a tactic called typosquatting, to deceive their targets. Their phishing emails, often designed to seem credible, encourage recipients to enter credentials on fake landing pages, with the capability to bypass multi-factor authentication, making them particularly dangerous.

In response to these activities, Google has taken measures to secure compromised accounts and issued warnings to targeted individuals. They have also reported the malicious activities to law enforcement and are working with authorities to mitigate the threat. As the U.S. presidential election nears, the actions of APT42 highlight the ongoing risk of foreign interference, emphasizing the need for robust cybersecurity measures to protect democratic processes. High-risk individuals are advised to enhance their security, including enrolling in Google’s Advanced Protection Program.

Phishing Campaign masquerading as Google Safety Center

A sophisticated phishing campaign has been identified, where cybercriminals impersonate the Google Safety Centre to trick users into downloading a malicious file disguised as the Google Authenticator app. This attack threatens personal data by installing two types of malware, Latrodectus and ACR Stealer, on victims’ devices. Latrodectus allows attackers to remotely control the infected device, while ACR Stealer uses advanced techniques to obscure its command and control server, making it difficult for cybersecurity experts to trace and neutralize the threat.

What makes this campaign particularly concerning is the attackers’ use of advanced evasion techniques, which indicate a high level of sophistication and ongoing refinement of their methods. As cybercriminals continue to evolve, cybersecurity experts urge users to be cautious when receiving unsolicited emails or messages, especially those prompting software downloads. Verifying the authenticity of such communications and keeping software and security systems up to date are crucial steps in protecting against these increasingly sophisticated threats.

Photo by Kenny Eliason on Unsplash

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 19 August 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 


 

2. CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 


 

3. CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

https://nvd.nist.gov/vuln/detail/CVE-2021-31805

 


 

4. CVE-2022-22947

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

https://nvd.nist.gov/vuln/detail/CVE-2022-22947

 


 

5. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

 


 

6. CVE-2022-30190

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2022-30190

 


 

7. CVE-2023-34362

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

https://nvd.nist.gov/vuln/detail/CVE-2023-34362

 


 

8. CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

https://nvd.nist.gov/vuln/detail/CVE-2024-21887

 


 

9. CVE-2024-38200

Microsoft Office Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38200

 


 

10. CVE-2024-24974

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

https://nvd.nist.gov/vuln/detail/CVE-2024-24974

 


"SOS
Ransomware

Ransomware – State of Play July 2024

Ransomware – State of Play

July 2024

SOS Intelligence is currently tracking 206 distinct ransomware groups, with data collection covering 424 relays and mirrors.

In the reporting period, SOS Intelligence has identified 388 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 2% increase in July when compared to the previous month, and a 16% increase in activity when compared to the previous year.  Furthermore, the number of active groups has decreased to 34 from 37 the previous month.

This month has seen a significant increase in activity from Ransomhub, making a significant charge to fill the void left by LockBit.  Data for this strain may be skewed, however, by the group using multiple data leak sites to advertise and disseminate stolen data.

Significant activity has been noted from the Handala group, who have exclusively targeted Israel and Israel-based entities over the month.  Handala (Arabic: حنظلة) is a prominent national symbol and personification of the Palestinian people, so this activity is highly likely a response to the continued conflict in the Middle East.  Handala has been increasing activity against Israel throughout the year, including significant attacks against Zerto, and allegedly Israel’s Iron Dome air defence system.

Analysis of Geographic Targeting

Over the last month, targeting continues to follow financial lines, with the majority of attacks targeted at G7, EU and BRICS bloc countries.  Furthermore, a significant number of attacks have been directed towards Israel, with likely political motivations.

Compared to June, 4% more countries were targeted in July.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

Scattered Spider, a threat actor group known for its social engineering tactics and attacks on VMware ESXi servers, has recently incorporated new ransomware strains into its operations. The group has adopted RansomHub, a rebranded variant of Knight ransomware, and Qilin ransomware. Previously, Scattered Spider used the now-defunct BlackCat ransomware, but it has since shifted to deploying RansomHub in post-compromise scenarios, reflecting its evolving tactics and adaptation to new tools within the cybercriminal landscape.

A flaw in the cryptographic scheme of the DoNex ransomware family has been identified, enabling victims to recover their files for free using a newly released decryptor. This vulnerability, affecting all variants of DoNex, was revealed at a recent cybersecurity conference and involves issues with the encryption key generation and application of ChaCha20 and RSA-4096 algorithms. The decryptor, available through private channels since March 2024, was publicly released following the flaw’s disclosure. Victims are advised to use a large example file for decryption and to back up their encrypted data before proceeding.

Two Russian nationals have pleaded guilty to their involvement in LockBit ransomware attacks that targeted victims worldwide. As affiliates of LockBit’s ransomware-as-a-service operation, they breached vulnerable systems, stole data, and deployed ransomware to encrypt files. One of the individuals has been arrested and faces up to 25 years in prison, while the other has been sentenced to four years. Despite recent law enforcement actions that have seized LockBit’s infrastructure and decryption keys, the ransomware group remains active, continuing to target victims and release stolen data.

Threat Group Development

Change in threat group TTPs to target VMWare ESXi

Play ransomware has recently expanded its focus to target VMware ESXi environments, marking a significant shift in its operations toward broader Linux platform attacks. Utilizing a dedicated Linux locker, Play ransomware encrypts virtual machines (VMs) by first verifying the environment, then scanning for and shutting down active VMs before proceeding with encryption. This approach highlights the group’s advanced evasion techniques and adaptability in the ransomware landscape. The encryption process affects critical VM files, such as disks and configurations, with files receiving a .PLAY extension. Additionally, Play has started using URL-shortening services for its operations, further showcasing its sophistication.

Similarly, Eldorado ransomware, which initially targeted Windows systems, has expanded its scope to include VMware ESXi VMs since its emergence in March. This ransomware employs ChaCha20 encryption across both platforms, allowing affiliates to customise attacks. Meanwhile, the SEXi ransomware operation, rebranded as APT INC, has intensified its focus on VMware ESXi servers since February 2024, leveraging leaked Babuk and LockBit 3 encryptors. APT INC has gained notoriety with high-profile attacks, such as the one on Chilean hosting provider IxMetro Powerhost, with ransom demands reaching millions. The operation continues to use the same encrypted messaging application for negotiations, with no known weaknesses in its encryption for file recovery.

Evolution of BlackBasta

In 2024, Black Basta ransomware has shown significant evolution, adapting to challenges by shifting to custom malware and incorporating new tools after the disruption of its previous partner, QBot. The group now utilizes sophisticated malware like the SilentNight backdoor, memory-only droppers such as DawnCry and KnowTrap, and custom tunneling tools including PortYard and SystemBC. Additionally, it has integrated reconnaissance and execution utilities like CogScan and KnockTrock into its attack processes. These developments underscore Black Basta’s resilience and sophistication, as it continues to pose a formidable global threat by employing advanced tactics and exploiting zero-day vulnerabilities.

New & Emerging Groups

MAD LIBERATOR is a newly emerged ransomware group that launched its leak site in July 2024. The group claims to offer services to help companies fix security issues and recover their files, demanding a fee for their assistance. If the payment is not made, MAD LIBERATOR threatens to publicly list the companies and publish their stolen data. They employ AES/RSA encryption for securing the files. As of the report’s writing, the group had already listed eight victims on its leak site, showcasing their active and ongoing operations.

Ransomcortex is a lesser-known ransomware group with limited information available. However, the group has claimed responsibility for three attacks, all targeting the healthcare sector in Brazil. Despite the lack of detailed information, the choice of victims within such a critical industry highlights the potentially serious impact of their activities.

Vanir Group is a new ransomware group that has quickly gained notoriety for its aggressive and professional tactics. They publicize their attacks via a data leak site and issue intimidating messages to CEOs and domain administrators of the affected companies. These messages warn that the companies’ internal infrastructure has been compromised, backups deleted or encrypted, and critical data stolen. The Vanir Group stresses the importance of cooperation to avoid further damage, threatening to sell or distribute the stolen data if demands are not met. Their website also features an interactive terminal for updates and invites potential affiliates to join their operations. Interestingly, their leak site bears a resemblance to that of Akira, another notorious ransomware group.

Vulnerabilities Observed in Use

"SOS
SOS Intelligence Webinar

Our next webinar – AMA with the team

Submit your questions and we look forward to answering them!

We often get asked questions from how SOS Intelligence is built, to the state of threats right now in the world and everything in between.

So we thought it would be a good idea to involve you as well in the form of an AMA Webinar…

If you have a question on anything to do with cyber threats, security, what we do at SOS Intelligence or perhaps what we are currently working on, then send your question to [email protected] with the subject line AMA Webinar.

Anything goes, so get your thinking caps on now 🙂

Join us on Wednesday 28th August at 4pm BST

Hosted by Jon Moss with SOS Intelligence Founder and CEO Amir Hadzipasic and Threat Analyst, Daniel Collyer.

Sign up to the webinar to receive a recording via email if you cannot attend on the day. By signing up you will also receive our newsletter for future events. You can always unsubscribe with one click.

Submit your question and then…

Join the webinar

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 12 August 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2024-6387

A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

https://nvd.nist.gov/vuln/detail/CVE-2024-6387

 


 

2. CVE-2024-37085

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD.

https://nvd.nist.gov/vuln/detail/CVE-2024-37085

 


 

3. CVE-2024-20069

In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430.

https://nvd.nist.gov/vuln/detail/CVE-2024-20069

 


 

4. CVE-2024-22064

ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.

https://nvd.nist.gov/vuln/detail/CVE-2024-22064

 


 

5. CVE-2023-45249

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.

https://nvd.nist.gov/vuln/detail/CVE-2023-45249

 


 

6. CVE-2023-45312

In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve remote command execution ability.

https://nvd.nist.gov/vuln/detail/CVE-2023-45312

 


 

7. CVE-2024-5290

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root).

Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.

https://nvd.nist.gov/vuln/detail/CVE-2024-5290

 


 

8. CVE-2024-36971

In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

https://nvd.nist.gov/vuln/detail/CVE-2024-36971

 


 

9. CVE-2024-38856

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don’t explicitly check user’s permissions because they rely on the configuration of their endpoints).

https://nvd.nist.gov/vuln/detail/CVE-2024-38856

 


 

10. CVE-2024-21147

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

https://nvd.nist.gov/vuln/detail/CVE-2024-21147

 


"Compromised
SOS Intelligence Weekly News Round Up

Weekly News Round-up

29 July – 4 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

News Roundup

Linux Servers Exposed to Data Exfiltration from TgRat

The TgRat trojan, first discovered in 2022, is now targeting Linux servers to steal data. Controlled via a private Telegram group, it can download files, take screenshots, execute commands remotely, and upload files. TgRat verifies the computer name’s hash upon startup and establishes a network connection if it matches, using Telegram to communicate with its control server.

Due to Telegram’s popularity and the anonymity it provides, TgRat’s use of it as a control mechanism makes detection difficult. It executes commands via the bash interpreter, encrypted with RSA, and manages multiple bots using unique IDs.

This unique control mechanism complicates detection, as typical network traffic to Telegram servers can mask malicious activity. Installing antivirus software on all local network nodes is recommended to prevent infection.

Threat Actors Using Fake Authenticator Sites to Deliver Malware

Researchers from ANY RUN identified a malware campaign called DeerStealer, which uses fake websites mimicking legitimate Google Authenticator download pages to deceive users. The primary site, “authentificcatorgoolglte[.]com,” looks similar to the genuine Google page to trick users into downloading malware. Clicking the download button on this fake site transmits the visitor’s IP address and country to a Telegram bot and redirects users to a malicious file on GitHub, likely containing DeerStealer, which can steal sensitive data once executed.

The Delphi-based DeerStealer malware employs obfuscation techniques to hide its activities and runs directly in memory without leaving a persistent file. It initiates communication with a Command and Control (C2) server by sending a POST request with the device’s hardware ID to “paradiso4.fun.” Subsequent POST requests suggest data exfiltration.

Analysis revealed the use of single-byte XOR encryption for transmitted data, uncovering PKZip archives containing system information. Researchers also linked DeerStealer to the XFiles malware family, noting that both use fake software sites for distribution but differ in their communication methods.

Threat Actors Abusing TryCloudflare to Deliver Malware

Cybercriminals are increasingly using TryCloudflare Tunnel to deliver Remote Access Trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos in financially motivated attacks. TryCloudflare allows developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, which attackers exploit to create temporary infrastructures that bypass traditional security controls.

This tactic, initiated in February 2024, has intensified, posing a significant threat due to its rapid deployment and evasion capabilities. Recent campaigns often use URL links or attachments to download malicious files, which execute scripts to install RATs and other malware.

Campaigns frequently target global organisations, using high-volume email campaigns with lures in multiple languages, often exceeding the volume of other malware campaigns. Attackers dynamically adapt their attack chains and obfuscate scripts to evade defences, demonstrating a sophisticated and persistent threat.

By abusing TryCloudflare tunnels, attackers generate random subdomains on trycloudflare.com, routing traffic through Cloudflare to avoid detection. For example, on May 28, 2024, and July 11, 2024, targeted campaigns used tax-themed lures and order invoice themes, respectively, to deliver AsyncRAT and Xworm via malicious email attachments and PowerShell scripts, providing remote system access and data exfiltration capabilities.

Ransomware Threat Actors Exploiting VMWare ESXi

Microsoft researchers have identified a critical vulnerability in VMware’s ESXi hypervisors, CVE-2024-37085, which allows ransomware operators to gain full administrative permissions on domain-joined ESXi hypervisors. This flaw, associated with the “ESX Admins” group, enables any domain user who can create or rename groups to escalate their privileges, potentially gaining full control over the ESXi hypervisor. Exploiting this vulnerability can result in the encryption of the hypervisor’s file system, access to virtual machines, data exfiltration, and lateral movement within the network.

Ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been observed exploiting this vulnerability, deploying ransomware like Akira and Black Basta to encrypt ESXi file systems.

A notable attack by Storm-0506 involved using Qakbot and exploiting a Windows vulnerability to elevate privileges, followed by deploying Black Basta ransomware. In response, VMware has released a security update to address CVE-2024-37085. Microsoft urges organisations to apply this update, validate and secure the “ESX Admins” group, deny access or change administrative group settings, use multifactor authentication for privileged accounts, and secure critical assets with the latest security updates and monitoring procedures.

Photo by Joshua Hoehne on Unsplash

1 2 4 5 6 7 8 25 26
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound