Cybersecurity Wiretap #10: From Cobalt Strike Exploits to Global Hacktivism with a Focus on Attacker Profiles (week of 06/24/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

Multiple vulnerabilities in TP-Link Omada system could lead to root access by @TalosSecurity

  • several vulnerabilities affecting a small subset of the available devices, including the EAP 115 and EAP 225 wireless access points and the ER7206 gigabit VPN router

https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omada-system/

MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems by #FORTIGUARD LABS

  • the vulnerability allows malicious code execution via specially crafted documents
  • MerkSpy is designed to clandestinely monitor user activities, capture sensitive info & establish persistence

https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-40444-to-infiltrate-systems

The Growing Threat of Malware Concealed Behind Cloud Services by #FORTIGUARD LABS

  • the UNSTABLE & Condi botnets leverage cloud storage & computing services to distribute malware payloads & updates

https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services

Kimsuky deploys TRANSLATEXT to target South Korean academia by @Threatlabz

  • Mar 2024: uploaded to a GitHub repo
  • can bypass security measures for Gmail, Kakao & Naver to steal info (email addresses, usernames, passwords & cookies) and take browser screenshots

https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia

‘Poseidon’ Mac stealer distributed via Google ads by @Malwarebytes

  • new campaign distributing the stealer via malicious ads for the Arc browser
  • 2nd time in the past couple of months that Arc has been used as a lure

https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads

Malicious npm package targets AWS users by @ReversingLabs

  • legacyreact-aws-s3-typescript mimics the popular legitimate npm package react-aws-s3-typescript, which is designed for uploading files directly to Amazon S3 buckets using a React TypeScript template

https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks

Attackers Exploiting Public Cobalt Strike Profiles by #PaloAlto‘s #Unit42

  • the post-exploitation payload Beacon uses text-based profiles called Malleable C2 profiles to change the characteristics of Beacon’s web traffic in an attempt to avoid detection

https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/

Global Revival of Hacktivism Requires Increased Vigilance from Defenders by @Mandiant

  • a new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics that different actors leverage for their specific objectives

https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism

Examining Water Sigbin’s Infection Routine Leading to an XMRig Cryptominer by @TrendMicro

  • exploits CVE-2017-3506 & CVE-2023-21839 to deploy crypto miners via PowerShell
  • uses reflective DLL loading & process injection to run in memory & avoid disk-based detection

https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html

ICO Scams Leverage 2024 Olympics to Lure Victims, Use AI for Fake Sites by @TrendMicro

  • uses AI-generated pictures for fake ICO websites
  • more ICO scams with AI-generated content are expected, as the tooling maximizes cost- and time-efficiency in creating convincing lures

https://www.trendmicro.com/en_us/research/24/f/ico-scams-leverage-2024-olympics-to-lure-victims-use-ai-for-fake.html

Attackers in Profile: menuPass and ALPHV/BlackCat by @TrendMicro

  • the structural complexities of the menuPass/APT10 umbrella point to one of the basic challenges of threat intelligence: threat actors are not always tidily defined or homogeneous

https://www.trendmicro.com/en_us/research/24/f/menupass-alphv-blackcat-threats.html

Lumma Stealer: Tactics, Impact, and Defense Strategies by @CyfirmaR

  • operating as malware-as-a-service since Aug 2022
  • written in C; targets a wide range of data, including personal & financial information and data from various apps

https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/

APT PROFILE – FANCY BEAR by @CyfirmaR

  • exploiting a security flaw in MS Outlook & vulns in the Windows Print Spooler service to gain elevated privileges on targeted systems
  • using Kubernetes clusters for brute-force attacks that exploit weak passwords

https://www.cyfirma.com/research/apt-profile-fancy-bear/

Thanks a lot for reading.
