Cybersecurity Wiretap #22: From Cellular Core Vulnerabilities to Rogue AI with Focus on Emerging Ransomware and Post-Exploitation Tools (week of 09/16/2024)

Welcome to the weekly digest of cybersecurity threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. ReadText34 Ransomware Incident by @HuntressLabs

  • a monitored endpoint triggered alerts for enabling RDP, for multiple commands disabling system recovery, and for persistence of the ransomware executable
  • shortly afterward (less than 20 minutes), the endpoint again triggered alerts, this time for modified ransomware canaries, indicating that files were encrypted.

https://www.huntress.com/blog/readtext34-ransomware-incident

2. Vulnerabilities in Cellular Packet Cores Part IV: Authentication by @TrendMicro

  • 2 vulnerabilities in Microsoft Azure Private 5G Core (AP5GC): CVE-2024-2068 & ZDI-CAN-23960.
  • exploitation of both vulnerabilities can result in varying degrees of Denial-of-Service (DoS)
  • Packet cores are critical network infrastructure nodes, which means the impact extends beyond the directly affected device and can disrupt a broader network segment

https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-packet-cores-part-iv-authentication.html

3. Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software by @HuntressLabs

  • emerging threat involving FOUNDATION Accounting Software
  • attackers have been observed brute-forcing the software at scale and gaining access simply by using the product’s default credentials.
  • active intrusions among plumbing, HVAC, concrete, and similar sub-industries.

https://www.huntress.com/blog/cracks-in-the-foundation-intrusions-of-foundation-accounting-software

4. Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC by @TrendMicro

  • threat actor employs GrimResource & AppDomainManager injection to deploy additional payloads
  • customized Cobalt Strike components were deployed with modified internal signatures and a changed configuration structure for evasion.
  • also used new backdoor EAGLEDOOR, which supports multiple communication protocols for info gathering & payload delivery.

https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html

5. Go Injector Leading to Stealers by @esthreat

  • infection chain began with the user navigating to a malicious website that displayed a fake captcha page
  • the page copies a Base64-encoded PowerShell command to the user’s clipboard and provides instructions to execute it using the Windows Run keyboard shortcut as part of a “Verification Step”

https://www.esentire.com/blog/go-injector-leading-to-stealers

6. Identifying Rogue AI by @TrendMicro

  • subverted Rogue AI risk may stem from poisoned training data & malicious prompt injections
  • accidental Rogue AI might feature disclosure of non-compliant, erroneous, illegal or offensive information
  • risk of unrestricted resource consumption—agentic AI creating problem-solving loops that effectively DoS the entire system, or worse still acquiring additional compute resources which were neither anticipated nor desired to be used.

https://www.trendmicro.com/en_us/research/24/i/rogue-ai-part-3.html

7. Storm on the Horizon: Inside the AJCloud IoT Ecosystem by @elasticseclabs

  • research revealed several critical vulnerabilities that span all aspects of cameras that run AJCloud firmware and are connected to the AJCloud platform
  • significant flaws in access control management on the platform & the PPPP peer protocol provide an expansive attack surface
  • exploitation leads to exposure of sensitive user data and provides attackers with full remote control of any camera connected to the AJCloud platform
  • built-in P2P command can be leveraged to either permanently disable cameras or facilitate remote code execution via buffer overflow

https://www.elastic.co/security-labs/storm-on-the-horizon

8. How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections by @TrendMicro

  • includes exploiting the Zerologon vulnerability (CVE-2020-1472), which enables threat actors to take control of an entire network without authentication.
  • targeted industries & critical infra sectors: water & wastewater, IT, commercial & government services and facilities, healthcare, agriculture, financial services, manufacturing, transportation and communications

https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html

9. Code of Conduct: DPRK’s Python-fueled intrusions into secured networks by @elasticseclabs

  • sophistication of DPRK’s social engineering tactics often involves long-term persona development and targeted narratives.
  • the Python script from this campaign includes modules that allow for the execution of system commands & for writing and executing local files

https://www.elastic.co/security-labs/dprk-code-of-conduct

10. An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader by @Mandiant

  • targets victims under the guise of job openings, masquerading as a recruiter for prominent companies
  • engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF, which ultimately delivers the MISTPEN backdoor via the BURNBOOK launcher

https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader

11. Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors by #PaloAlto’s #Unit42

  • attackers behind this campaign uploaded several poisoned Python packages to PyPI
  • threat actor’s objective was to secure access to supply chain vendors through developers’ endpoints and subsequently gain access to the vendors’ customers’ endpoints, as observed in previous incidents

https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/

12. UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks by @Mandiant

  • key feature is its collection of specialized tooling and passive backdoors
  • main-stage backdoors include a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group’s reverse engineering capabilities of Windows kernel components & detection evasion capabilities

https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks

13. Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool by #PaloAlto’s #Unit42

  • several string artifacts in the samples, as well as the collection of features, make it evident that it is a red team tool
  • name is its internal project name, which was left behind in a debug artifact

https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/

Thanks a lot for reading.
