Cybersecurity Wiretap #23: From CVE-2024-38856 RCE Exploits to Gamaredon’s Espionage with Focus on Phishing-as-a-Service Platforms (week of 09/23/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of the cybersecurity events of the prior week.

1.CVE-2024-38856 – Pre-authentication Remote Code Execution (RCE) – Vulnerability Analysis and Exploitation by @CyfirmaR

  • critical incorrect-authorization vulnerability in Apache OFBiz, affecting versions up to 18.12.14 (fixed in 18.12.15), that lets unauthenticated attackers bypass security restrictions and execute screen-rendering code via specially crafted requests to endpoints that are reachable without a login

https://www.cyfirma.com/research/cve-2024-38856-pre-authentication-remote-code-execution-rce-vulnerability-analysis-and-exploitation/
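As a practical follow-up to the item above, here is an added example (my own, not code from the page or from CYFIRMA) of hunting for the request shape this class of bug produces in web-server access logs: a request to a view OFBiz serves without a login, with a second view segment chained behind it. The log lines, the UNAUTH_VIEWS allowlist and the view names in the sample are assumptions constructed for this example; derive the real allowlist from the controller.xml of the deployment being monitored.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines for this example; not taken from the page
# or from CYFIRMA's report.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Sep/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512
198.51.100.7 - - [23/Sep/2024:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 302 0
203.0.113.10 - - [23/Sep/2024:10:01:09 +0000] "POST /webtools/control/login/ProgramExport?x=1 HTTP/1.1" 200 498
192.0.2.44 - - [23/Sep/2024:10:02:00 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2048
"""

# Views that OFBiz serves without a login. Assumed, illustrative list; take the
# real one from the controller.xml of the deployment being monitored.
UNAUTH_VIEWS = {"forgotPassword", "login", "showPasswordFaq", "ping"}

# Common Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /<webapp>/control/<first view>/<second view>: an unauthenticated first view
# followed by a second view that should have required a session.
PATH_RE = re.compile(r'^/(?P<webapp>[^/]+)/control/(?P<first>[^/?]+)/(?P<second>[^/?]+)')


def flag_chained_views(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose path names an unauthenticated view
    followed by a second view segment."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        p = PATH_RE.match(m["path"])
        if not p or p["first"] not in UNAUTH_VIEWS:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "webapp": p["webapp"],
            "unauth_view": p["first"],
            "chained_view": p["second"],
            "status": m["status"],
        })
    return hits


if __name__ == "__main__":
    for h in flag_chained_views(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} /{h["webapp"]}/control/'
              f'{h["unauth_view"]}/{h["chained_view"]} -> {h["status"]}')
```

Treat a hit with a 200 status as worth pulling the request body for; a 302 or 403 on the same shape is a scanner that bounced off a patched instance.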

2.Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam by @TalosSecurity

  • attackers are abusing ordinary features of legitimate websites to deliver spam, such as the verification email sent when a new account is created: spam text entered into a sign-up form field is echoed back to the victim by the site's own mail servers
  • because that web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, blocking these messages on sender reputation alone is difficult

https://blog.talosintelligence.com/simple-mail-transfer-pirates/
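The site-owner side of the item above: since the abused messages are the site's own account-confirmation mails, the fix is to stop echoing unvalidated free text into outbound email. Here is an added example of that check, my own code rather than anything from the page or from Talos; the regexes, thresholds and sample inputs are assumptions constructed for this example.

```python
import re
import unicodedata
from typing import Tuple

MAX_NAME_LEN = 64

# Heuristics for free-text fields that get echoed into outbound mail. Assumed
# thresholds and patterns for this example; tune for the site's real user base.
URL_RE = re.compile(
    r'(https?://|www\.|\b[\w-]+\.(?:com|net|org|ru|xyz|top|info|io)\b)', re.I
)
PHONE_RE = re.compile(r'\+?\d[\d\s().-]{7,}\d')


def validate_display_name(name: str) -> Tuple[bool, str]:
    """Accept a name only if it looks like a name, not like a spam payload."""
    n = unicodedata.normalize("NFKC", name).strip()  # fold full-width look-alikes
    if not n:
        return False, "empty"
    if len(n) > MAX_NAME_LEN:
        return False, "too long"
    if URL_RE.search(n):
        return False, "contains URL or domain"
    if PHONE_RE.search(n):
        return False, "contains phone number"
    letters = sum(ch.isalpha() for ch in n)
    if letters < len(n) / 2:
        return False, "too little alphabetic content"
    return True, "ok"


def build_verification_email(name: str, token: str) -> str:
    """Render the account-confirmation mail. Untrusted free text is never
    echoed: if the name fails validation, fall back to a generic greeting."""
    ok, _reason = validate_display_name(name)
    greeting = f"Hello {unicodedata.normalize('NFKC', name).strip()}," if ok else "Hello,"
    return (
        f"{greeting}\n\n"
        "Please confirm your registration by entering this code:\n"
        f"{token}\n"
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Ana O'Neil-Smith",
                      "WIN $5000 NOW www.example-casino.top",
                      "Call +1 555 010 9999 for your bonus"]:
        print(repr(candidate), "->", validate_display_name(candidate))
    print(build_verification_email("WIN $5000 NOW www.example-casino.top", "483921"))
```

The same rule applies to any other field the template interpolates (company, address, "message to a friend"): either validate it or do not put it in the mail. Rate-limiting sign-ups per source address complements this but does not replace it, since the abuse described needs only one request per victim address.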

3.OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe by @CyfirmaR

  • details an investigation aimed at tracking infrastructure linked to the APT group "Transparent Tribe", which identified potential command-and-control (C2) servers associated with this threat actor
  • 15 malicious hosts were identified, all hosted on DigitalOcean; the threat actor was also found to be using Linux desktop entry files as a novel attack vector
  • describes the use of Mythic Poseidon binaries as C2 agents, and the tactics used to evade security tooling and maintain persistence

https://www.cyfirma.com/research/osint-investigation-hunting-malicious-infrastructure-linked-to-transparent-tribe/

4.Cups Overflow: When your printer spills more than Ink by @elasticseclabs

  • the vulnerabilities allow an unauthenticated remote attacker to abuse the printing system via IPP (Internet Printing Protocol) and mDNS to achieve remote code execution (RCE) on affected systems; the attacker makes cups-browsed add a printer that points at a malicious IPP server, and the code runs when a print job is sent to that printer
  • the attack can be initiated over the public internet or the local network, targeting the UDP port 631 that cups-browsed listens on without any authentication

https://www.elastic.co/security-labs/cups-overflow
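A triage script for the item above, added here as my own example rather than code from the page or from Elastic: once cups-browsed has added a rogue printer, its PPD file lands under /etc/cups/ppd/, and the attributes that carry the command to run are the ones this scanner looks for (*FoomaticRIPCommandLine*, and a *cupsFilter*/*cupsFilter2* that routes the job through foomatic-rip). The PPD fragments below are constructed, and the severity labels and regexes are this example's own heuristics, not a published signature.

```python
import glob
import os
import re
from typing import Dict, List

# Constructed PPD fragments for this example (not from the page or from Elastic's post).
MALICIOUS_PPD = """\
*PPD-Adobe: "4.3"
*ModelName: "Generic Office Printer"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "echo pwned > /tmp/pwned; gs -q -dNOPAUSE -"
"""

BENIGN_PPD = """\
*PPD-Adobe: "4.3"
*ModelName: "Generic PostScript Printer"
*cupsFilter: "application/vnd.cups-pdf 0 pdftops"
"""

# *Key: "value"  (quotes optional; the same key may appear more than once)
ATTR_RE = re.compile(r'^\*(?P<key>[\w.-]+)\s*:\s*"?(?P<val>.*?)"?\s*$')
# Characters that turn a filter command line into a shell pipeline.
SHELL_META_RE = re.compile(r'[;|&`<>]|\$\(')


def parse_ppd(text: str) -> Dict[str, List[str]]:
    """Collect PPD attributes; a key may repeat, so keep every value."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m["key"], []).append(m["val"])
    return attrs


def scan_ppd(text: str) -> List[Dict[str, str]]:
    """Return findings for attributes that hand the job to foomatic-rip or
    supply it a command line; shell metacharacters raise the severity."""
    findings: List[Dict[str, str]] = []
    attrs = parse_ppd(text)
    for key in ("cupsFilter", "cupsFilter2"):
        for val in attrs.get(key, []):
            if "foomatic-rip" in val:
                findings.append({"severity": "medium", "attr": key, "value": val,
                                 "why": "filter chain hands the job to foomatic-rip"})
    for val in attrs.get("FoomaticRIPCommandLine", []):
        sev = "high" if SHELL_META_RE.search(val) else "low"
        why = "command line executed by foomatic-rip"
        if sev == "high":
            why += " contains shell metacharacters"
        findings.append({"severity": sev, "attr": "FoomaticRIPCommandLine",
                         "value": val, "why": why})
    return findings


def scan_ppd_dir(directory: str = "/etc/cups/ppd") -> Dict[str, List[Dict[str, str]]]:
    """Scan every .ppd in a directory; returns {path: findings} for hits only."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for path in glob.glob(os.path.join(directory, "*.ppd")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_ppd(fh.read())
        if found:
            results[path] = found
    return results


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_PPD), ("benign", BENIGN_PPD)):
        print(name, scan_ppd(text))
    print(scan_ppd_dir())  # live check of the local host; empty dict if clean
```

Alongside the PPD review, confirm whether the host is exposed at all: `ss -ulpn | grep ':631'` shows whether cups-browsed is bound to UDP 631, and `systemctl disable --now cups-browsed` removes the listener on systems that do not need printer auto-discovery.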

5.Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 by @ESETresearch

  • the research examines the operations of Gamaredon, the Russia-aligned group that has been active since 2013 and is currently the most active APT group in Ukraine
  • Gamaredon's level of activity has remained consistent: the group has been methodically deploying its malicious tools against its targets since well before the invasion began

https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-way-analysis-toolset-used-spy-ukraine-2022-2023/

6.Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse by @elasticseclabs

  • the threat actors used a mixture of tools and malware, including C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for scheduled task execution
  • they deployed KAIJI and RUDEDEVIL alongside custom-written malware
  • KAIJI, known for its DDoS capabilities, and RUDEDEVIL, a cryptocurrency miner, were used to hijack system resources for the attackers' purposes

https://www.elastic.co/security-labs/betting-on-bots

7.Inside SnipBot: The Latest RomCom Malware Variant by #PaloAlto‘s #Unit42

  • SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's system
  • the malware operates in several stages, with the initial downloader always being an executable, followed by further EXEs or DLLs

https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/

8.LummaC2: Obfuscation Through Indirect Control Flow by @Mandiant

  • analysis of the control-flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples
  • the malware now leverages customized control-flow indirection to manipulate execution
  • this technique breaks the control-flow recovery of standard binary analysis tools such as IDA Pro and Ghidra, significantly hindering the reverse-engineering process and the automation tooling designed to capture execution artifacts and generate detections

https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow

9.Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz by #PaloAlto‘s #Unit42

  • offers an online admin panel with a catalog of phishing pages
  • phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download the phishing templates to host on their own servers
  • Sniper Dz offers these services free of charge to phishers, perhaps because Sniper Dz also collects the victim credentials stolen by phishers who use the platform

https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/

10.Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy by #PaloAlto‘s #Unit42

  • two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group
  • includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy

https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/

Thanks a lot for reading.
