Cybersecurity Wiretap #13: From CrowdStrike Falcon Sensor Update to OpenSSH Vulnerabilities with Focus on Hunting Lazarus (week of 07/15/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. CrowdStrike Falcon Sensor Update: Worldwide Blue Screen of Death (BSOD) Incident by @CyfirmaR

  • a faulty Falcon sensor content update crashed Windows hosts worldwide, disrupting businesses, airports, train stations, banks, broadcasters and healthcare
  • cybercriminals quickly started phishing affected organisations from look-alike domains offering bogus fixes

https://www.cyfirma.com/research/crowdstrike-falcon-sensor-update-worldwide-blue-screen-of-death-bsod-incident/

2. The Potential Impact of the OpenSSH Vulnerabilities CVE-2024-6387 and CVE-2024-6409 by @TrendMicro

  • race-condition bugs in sshd that do not pose a widespread threat to the internet, given the difficulty of winning the race reliably and the existing mitigations

https://www.trendmicro.com/en_us/research/24/g/cve-2024-6387-and-cve-2024-6409.html

3. Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma by @TrendMicro

  • the sample successfully evaded security measures when first observed
  • appears to use the services and infrastructure peddled by the Prolific Puma group

https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html

4. CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks by @TrendMicro

  • zero-day abused to open and execute files through the disabled Internet Explorer via the MSHTML engine
  • an example of how unsupported Windows relics remain an overlooked attack surface

https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html

5. HotPage: Story of a signed, vulnerable, ad-injecting driver by @ESETresearch

  • kernel component with a large set of techniques for manipulating processes; it passed the requirements Microsoft imposes for obtaining a code-signing certificate for the driver component

https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/

6. APT41 Has Arisen From the DUST by @Mandiant

  • used ANTSWORD and BLUEBEAM web shells to execute the DUSTPAN dropper, which in turn runs the BEACON backdoor for C2
  • used the publicly available tool SQLULDR2 to copy data from Oracle databases and PINEGROVE to exfiltrate it to Microsoft OneDrive

https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust

7. Beware of BadPack: One Weird Trick Being Used Against Android Devices by #PaloAlto‘s #Unit42

  • the APK file is intentionally packaged in a malformed way: the attacker tampers with header fields of the ZIP format that APK files use, so analysis tools fail to unpack it while the device still installs it

https://unit42.paloaltonetworks.com/apk-badpack-malware-tampered-headers/
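The check a practitioner wants here is a direct comparison of each entry's local file header against the central directory, since a tampered archive disagrees with itself. The following is an added example, not code from the Unit42 write-up or any Android tooling; it assumes, as the BadPack description above states, that the tampered fields live in the local headers (compression method and sizes here, a constructed choice) and that the reader being fooled is one that trusts the local header. The sample "APK" is a constructed ZIP with the two entries analysis tools parse first.

```python
import io
import struct
import zipfile

# ZIP record signatures and little-endian layouts (PKWARE APPNOTE).
LOCAL_SIG, CD_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"     # 30 bytes: sig, ver, flags, method, time, date, crc, csize, usize, fnlen, extralen
CD_FMT = "<IHHHHHHIIIHHHHHII"  # 46 bytes: sig, made, need, flags, method, time, date, crc, csize, usize,
                               #           fnlen, extralen, commentlen, disk, intattr, extattr, local header offset
EOCD_FMT = "<IHHHHIIH"         # 22 bytes: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len


def _central_entries(data):
    """Yield (name, central-directory tuple) for every entry, located via the EOCD record."""
    idx = data.rfind(struct.pack("<I", EOCD_SIG))
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, data, idx)
    pos = eocd[6]
    for _ in range(eocd[4]):
        cd = struct.unpack_from(CD_FMT, data, pos)
        if cd[0] != CD_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        fnlen, extralen, commentlen = cd[10], cd[11], cd[12]
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        yield name, cd
        pos += 46 + fnlen + extralen + commentlen


def check_headers(data):
    """Compare each central-directory entry with its local file header.

    Returns a list of (name, field, central_value, local_value) mismatches:
    [] for a consistent archive, one tuple per tampered field for a BadPack-style one.
    """
    findings = []
    for name, cd in _central_entries(data):
        off = cd[16]
        lh = struct.unpack_from(LOCAL_FMT, data, off)
        if lh[0] != LOCAL_SIG:
            findings.append((name, "signature", LOCAL_SIG, lh[0]))
            continue
        local_name = data[off + 30:off + 30 + lh[9]].decode("utf-8", "replace")
        if local_name != name:
            findings.append((name, "name", name, local_name))
        checks = [("method", cd[4], lh[3])]
        # With general-purpose flag bit 3 set, crc and sizes legitimately sit in a trailing
        # data descriptor and the local header holds zeros, so compare them only otherwise.
        if not lh[2] & 0x08:
            checks += [("crc", cd[7], lh[6]), ("csize", cd[8], lh[7]), ("usize", cd[9], lh[8])]
        for field, central, local in checks:
            if central != local:
                findings.append((name, field, central, local))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: a deflated ZIP holding a manifest and a dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>" * 4)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def tamper_local_header(data, name):
    """Reproduce the trick on one entry: corrupt compression method and sizes in the
    LOCAL header only (constructed choice of fields), leaving the central directory intact."""
    for entry, cd in _central_entries(data):
        if entry == name:
            out = bytearray(data)
            off = cd[16]
            struct.pack_into("<H", out, off + 8, 0xFFFF)   # compression method: bogus value
            struct.pack_into("<II", out, off + 18, 0, 0)   # compressed / uncompressed size
            return bytes(out)
    raise KeyError(name)


def read_entry(data, name):
    """Extract with the standard library, which takes method and sizes from the central
    directory, so the tampered archive still yields the original bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = tamper_local_header(clean, "AndroidManifest.xml")
    print("clean:", check_headers(clean))
    print("tampered:", check_headers(bad))
    print("still extracts:", read_entry(bad, "AndroidManifest.xml") == read_entry(clean, "AndroidManifest.xml"))
```

Run `check_headers()` over an APK before handing it to a decompiler: any mismatch is a reason to unpack by the central directory (or repair the local headers) rather than to trust a tool's "corrupt file" error.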

8. Container Breakouts: Escape Techniques in Cloud Environments by #PaloAlto‘s #Unit42

  • an external attacker who has gained low-privilege access to a container will try to escape it through a variety of methods, including exploiting misconfigurations and vulnerabilities

https://unit42.paloaltonetworks.com/container-escape-techniques/
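The misconfigurations that make a breakout cheap can be checked from inside the container before an attacker does it. Below is an added example, not code from the Unit42 post: it parses the `CapEff` line of `/proc/self/status` and the mount points in `/proc/self/mountinfo` and flags effective capabilities that are known escape primitives plus bind-mounted container-runtime sockets. The capability bit numbers are the kernel's; the choice of which capabilities and socket names count as dangerous, and the sample inputs, are this example's own assumptions.

```python
import re

# Linux capability bit numbers (include/uapi/linux/capability.h); this selection of
# escape-relevant capabilities is an assumption of the example, not an exhaustive list.
DANGEROUS_CAPS = {
    2: "CAP_DAC_READ_SEARCH",   # open_by_handle_at(): read arbitrary host files
    12: "CAP_NET_ADMIN",
    16: "CAP_SYS_MODULE",       # load kernel modules
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",       # attach to host processes when the pid namespace is shared
    21: "CAP_SYS_ADMIN",        # mount(2), cgroup tricks and most of the classic escapes
}
# Host control sockets that hand over the container runtime when bind-mounted (assumed names).
RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")


def effective_caps(status_text):
    """Return the names of DANGEROUS_CAPS set in the CapEff mask of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("CapEff line not found")
    mask = int(m.group(1), 16)
    return {name for bit, name in DANGEROUS_CAPS.items() if (mask >> bit) & 1}


def mounted_sockets(mountinfo_text):
    """Return mount points from /proc/<pid>/mountinfo that expose a runtime socket."""
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        mountpoint = fields[4]  # mountinfo: id parent maj:min root MOUNTPOINT opts ... - fstype source
        if mountpoint.endswith(RUNTIME_SOCKETS):
            found.append(mountpoint)
    return found


def assess(status_text, mountinfo_text):
    """Combine both checks into a list of human-readable findings ([] when nothing is wrong)."""
    findings = ["capability %s is effective" % cap for cap in sorted(effective_caps(status_text))]
    findings += ["container runtime socket mounted at %s" % s for s in mounted_sockets(mountinfo_text)]
    return findings


# Constructed samples: the first CapEff is Docker's default bounding set, the second is a
# fully privileged container; the second mountinfo includes a bind-mounted docker.sock.
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"
PLAIN_MOUNTS = (
    "36 25 0:30 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "37 25 0:31 / /app rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w\n"
)
SOCKET_MOUNTS = PLAIN_MOUNTS + (
    "40 25 8:1 /var/run/docker.sock /run/docker.sock rw,relatime - ext4 /dev/sda1 rw\n"
)

if __name__ == "__main__":
    # Live check from inside a real container (Linux only).
    with open("/proc/self/status") as f, open("/proc/self/mountinfo") as g:
        for finding in assess(f.read(), g.read()) or ["no obvious escape primitives"]:
            print(finding)
```

The same two inputs are what an attacker reads first after landing in a container, so running this in CI against the pod spec's resulting runtime is a cheap way to catch `privileged: true` and hostPath socket mounts before they ship.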

9. The Gatekeeper’s Secrets: DarkGate Malware Analysis by @esthreat

  • loads multiple malware families, including Danabot and SocGholish; previously used AutoIt for loading and abused CVE-2024-21412, an Internet Shortcut File (.url) security feature bypass vulnerability

https://www.esentire.com/blog/the-gatekeepers-secrets-darkgate-malware-analysis

10. Dark Web Shows Cybercriminals Ready for Olympics. Are You? by #FORTIGUARD LABS

  • a significant increase in resources being gathered for the Paris Olympic Games, targeting French-speaking users, French government agencies and businesses, and French infrastructure providers

https://www.fortinet.com/blog/threat-research/dark-web-shows-cybercriminals-ready-for-olympics

11. NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI by @LabsSentinel

  • targets AI- and gaming-focused entities
  • targets the software supply chain by weaponizing code in publicly available repositories on GitHub and Hugging Face

https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/

12. Hunting Lazarus: Expanding Indicators with Historic DNS by @ValidinLLC

  • uses historical DNS to expand from known indicators and discover current and recent domain names and IP addresses associated with Lazarus Group with high confidence

https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/
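The "high confidence" part of that pivot is the filtering: a bare domain-to-IP-to-domain walk drowns in shared hosting and stale resolutions. The following is an added example of that expand-and-filter logic, not code from the Validin post and not using their data or host-response fingerprints; the passive-DNS records are constructed from RFC 5737 documentation addresses and reserved `.example` names (none are real Lazarus indicators), and the recency cutoff and shared-hosting threshold are this example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed passive-DNS records: (domain, ip, first_seen, last_seen). Not real indicators.
RECORDS = [
    ("seed-c2.example",      "192.0.2.10",   date(2024, 3, 1), date(2024, 7, 10)),
    ("seed-c2.example",      "192.0.2.11",   date(2024, 1, 5), date(2024, 2, 20)),
    ("seed-c2.example",      "198.51.100.5", date(2023, 9, 1), date(2023, 12, 1)),
    ("portal-login.example", "192.0.2.10",   date(2024, 5, 2), date(2024, 7, 12)),
    ("cloud-sync.example",   "192.0.2.11",   date(2024, 2, 1), date(2024, 2, 25)),
    ("staging-node.example", "192.0.2.11",   date(2022, 1, 1), date(2022, 6, 1)),   # stale
    ("cloud-sync.example",   "192.0.2.12",   date(2024, 6, 1), date(2024, 7, 14)),
] + [
    # six unrelated tenants on one address: shared hosting, not attacker-controlled space
    ("site%d.example" % i, "198.51.100.5", date(2023, 1, 1), date(2024, 7, 15)) for i in range(6)
]

SINCE = date(2024, 1, 1)  # assumed cutoff: ignore resolutions last seen before this date


def pivot(records, seeds, since=SINCE, max_depth=2, max_domains_per_ip=5):
    """Breadth-first expansion domain -> IP -> domain -> ... over passive DNS.

    Returns {indicator: depth} with seeds at depth 0. Two filters keep the set tight:
      * records whose last_seen predates `since` are ignored (stale resolutions), and
      * IPs that ever hosted more than `max_domains_per_ip` distinct domains are treated
        as shared infrastructure and neither reported nor pivoted through.
    """
    domains_per_ip = defaultdict(set)
    for domain, ip, _first, _last in records:
        domains_per_ip[ip].add(domain)
    noisy = {ip for ip, ds in domains_per_ip.items() if len(ds) > max_domains_per_ip}

    neighbours = defaultdict(set)
    for domain, ip, _first, last in records:
        if last < since or ip in noisy:
            continue
        neighbours[domain].add(ip)
        neighbours[ip].add(domain)

    depth = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for nxt in sorted(neighbours[node]):   # sorted for deterministic output
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


if __name__ == "__main__":
    for indicator, d in sorted(pivot(RECORDS, {"seed-c2.example"}).items(), key=lambda kv: (kv[1], kv[0])):
        print(d, indicator)
```

Depth is the number of pivots from a seed, which is a usable proxy for confidence: anything at depth 1 or 2 is worth enriching and blocking, deeper hits should be corroborated with another signal (registration data, TLS certificates or the host-response fingerprints the Validin post relies on) before they go into a blocklist.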

13. Fake Browser Updates Lead to BOINC Volunteer Computing Software by @HuntressLabs

  • infections typically begin with a user visiting a compromised website, which serves the user a fake browser update prompt

https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software

Thanks a lot for reading.
