Welcome to the weekly digest on cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the past week.
1. CrowdStrike Falcon Sensor Update: Worldwide Blue Screen of Death (BSOD) Incident by @CyfirmaR
- disrupted businesses, airports, train stations, banks, broadcasters and healthcare
- cybercriminals quickly started phishing organizations via malicious domains offering supposed fixes for the issue
2. The Potential Impact of the OpenSSH Vulnerabilities CVE-2024-6387 and CVE-2024-6409 by @TrendMicro
- the vulnerabilities do not pose a widespread threat to the internet because of their exploitation complexity and existing mitigations
https://www.trendmicro.com/en_us/research/24/g/cve-2024-6387-and-cve-2024-6409.html
3. Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma by @TrendMicro
- the variant has successfully evaded security measures
- appears to use the services and infrastructure peddled by the Prolific Puma group
4. CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks by @TrendMicro
- zero-day used to access and execute files through the disabled Internet Explorer via MSHTML
- an example of how unsupported Windows relics remain an overlooked attack surface
https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html
5. HotPage: Story of a signed, vulnerable, ad-injecting driver by @ESETresearch
- a kernel component with a large set of techniques to manipulate processes; it passed the requirements imposed by Microsoft to obtain a code-signing certificate for the driver component
https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/
6. APT41 Has Arisen From the DUST by @Mandiant
- used the ANTSWORD and BLUEBEAM web shells to execute DUSTPAN, which in turn launches the BEACON backdoor for C2
- used the publicly available tools SQLULDR2 to copy data from databases and PINEGROVE to exfiltrate it to Microsoft OneDrive
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
7. Beware of BadPack: One Weird Trick Being Used Against Android Devices by #PaloAlto's #Unit42
- the APK file is intentionally packaged in a malicious way: the attacker has altered header information in the compressed file format used for APK files
https://unit42.paloaltonetworks.com/apk-badpack-malware-tampered-headers/
8. Container Breakouts: Escape Techniques in Cloud Environments by #PaloAlto's #Unit42
- an external attacker who has gained low-privilege access to a container will attempt to escape it through a variety of methods, including exploiting misconfigurations and vulnerabilities
https://unit42.paloaltonetworks.com/container-escape-techniques/
9. The Gatekeeper's Secrets: DarkGate Malware Analysis by @esthreat
- loads multiple malware families, including Danabot and SocGholish
- previously used AutoIt for loading and has abused CVE-2024-21412, an Internet Shortcut File (LNK) security feature bypass vulnerability
https://www.esentire.com/blog/the-gatekeepers-secrets-darkgate-malware-analysis
10. Dark Web Shows Cybercriminals Ready for Olympics. Are You? by #FORTIGUARD LABS
- a significant increase in resources being gathered for the Paris Olympic Games, targeting French-speaking users, French government agencies and businesses, and French infrastructure providers
https://www.fortinet.com/blog/threat-research/dark-web-shows-cybercriminals-ready-for-olympics
11. NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI by @LabsSentinel
- targets AI- and gaming-focused entities
- targets the software supply chain by weaponizing code in publicly available repositories on GitHub and Hugging Face
12. Hunting Lazarus: Expanding Indicators with Historic DNS by @ValidinLLC
- uses historical DNS to expand from known indicators and discover current and recent domain names and IP addresses associated with Lazarus Group with high confidence
https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/
13. Fake Browser Updates Lead to BOINC Volunteer Computing Software by @HuntressLabs
- infections typically begin when a user visits a compromised website, which then presents the user with a fake browser update prompt
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Thanks a lot for reading.