Cybersecurity Wiretap #24: From Authentication Bypasses to Emerging Stealers with a Focus on Nation-State Cyber Operations (week of 9/30/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) by @pdiscoveryio

  • a subtle flaw in signature verification can have severe consequences, allowing attackers to bypass critical authentication mechanisms
  • the analysis highlights the importance of strict validation procedures, especially when dealing with security protocols like SAML

https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/?ref=projectdiscovery-io-blog-newsletter

2. SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia by @Securonix Threat Research

  • North Korea has been identified delivering VeilShell, a stealthy PowerShell-based malware, using a series of advanced evasion techniques and targeting victims in Southeast Asia
  • victims are likely the subject of phishing emails, where the initial payload is a zip file attached to the email

https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/

3. VILSA STEALER by @Cyfirma

  • steals Discord info, browser data, cookies, passwords, crypto wallets, Steam, Telegram, and more
  • supports major browsers and 40+ crypto wallets
  • written in Python; an encryption method is used to mask the runtime behavior of the malware

https://www.cyfirma.com/research/vilsa-stealer/

4. Separating the bee from the panda: CeranaKeeper making a beeline for Thailand by @ESETresearch

  • the group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration
  • CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools
  • it uses GitHub’s pull request and issue comment features to create a stealthy reverse shell, leveraging GitHub, a popular online platform for sharing and collaborating on code, as a C&C server

https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/

5. capa Explorer Web: A Web-Based Tool for Program Capability Analysis by @Mandiant

  • a reverse engineering tool that automates the identification of program capabilities
  • capa analyzes programs using various backends, such as IDA Pro, Ghidra, and CAPE, to extract features
  • it identifies capabilities by matching these features against rules written by experts; a program matches a capability rule when its extracted features satisfy the set of conditions declared in the rule

https://cloud.google.com/blog/topics/threat-intelligence/capa-explorer-web-program-capability-analysis

6. No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection by #PaloAlto’s #Unit42

  • describes four previously undisclosed domain name system (DNS) tunneling campaigns that occurred in recent months

https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/

7. Threat actor believed to be spreading new MedusaLocker variant since 2022 by @TalosSecurity

  • active since 2022 and targets orgs worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries
  • observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ”, compiled with a PDB path containing the word “paid_memes”, which is also present in other tools observed during the attacks, presumably by the same author

https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022

8. YUNIT STEALER by @Cyfirma

  • targets system information, browser data (passwords, cookies, autofill), and cryptocurrency wallets, leveraging tools like PowerShell to bypass antivirus defenses
  • ensures persistence by modifying Windows registry keys, adding tasks through batch and VBScript, and setting exclusions in Windows Defender

https://www.cyfirma.com/research/yunit-stealer/

Thanks a lot for reading.
