Cybersecurity Wiretap #11: From ScreenConnect’s AsyncRAT Deployment to OpenSSH RegreSSHion with a Focus on SmokeLoader History (week of 07/01/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

CVE-2024-29510 – Exploiting Ghostscript using format strings by @CodeanIO

  • impact on web-apps & other services offering doc conversion & preview that use Ghostscript under the hood
  • can be exploited to bypass the -dSAFER sandbox & gain code execution

https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/

Exploring the Infection Chain: ScreenConnect’s Link to AsyncRAT Deployment by @esthreat

  • by deceiving users into downloading ScreenConnect via misleading websites, attackers gained remote access & deployed AsyncRAT

https://www.esentire.com/blog/exploring-the-infection-chain-screenconnects-link-to-asyncrat-deployment

A Brief History of SmokeLoader, P2 by @Threatlabz

  • overview of SmokeLoader’s development from 2015 to 2022, where the malware continued to update its algorithms and improve anti-analysis techniques

https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-2

Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability by #PaloAlto’s #Unit42

  • critical signal handler race condition vulnerability in sshd on glibc-based Linux systems
  • this vuln can result in unauthenticated RCE with root privileges

https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/

Turning Jenkins Into a Cryptomining Machine From an Attacker’s Perspective by @TrendMicro

  • exploit Jenkins vulns to run scripts that can download & execute miner binary and maintain persistence using cron jobs and systemd-run utilities

https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-cryptomining-machine-from-an-attackers-pe.html

Mekotio Banking Trojan Threatens Financial Systems in Latin America by @TrendMicro

  • typically arrives via emails from tax agencies alleging that the user has unpaid tax obligations
  • upon execution it gathers system info & establishes connection with C&C

https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html

Kematian-Stealer: A Deep Dive into a New Information Stealer by @CyfirmaR

  • newly emerging info stealer actively developed on GitHub and disseminated as open-source
  • downloads and executes additional scripts and payloads directly into memory

https://www.cyfirma.com/research/kematian-stealer-a-deep-dive-into-a-new-information-stealer/

Thanks a lot for reading.
