Cybersecurity Wiretap #25: From Local Privilege Escalation to APT Attacks with a Focus on Ransomware Evolution (week of 07/10/2024)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

1.iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation by @CyfirmaR

  • Attackers can exploit this vulnerability to gain local privilege escalation, granting them administrative access on targeted systems.
  • This vulnerability has widespread implications for any Windows environment running vulnerable iTunes versions, especially for organizations with large numbers of unmanaged endpoints.

https://www.cyfirma.com/research/itunes-local-privilege-escalation-cve-2024-44193-vulnerability-analysis-and-exploitation/

2.Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions by @TrendMicro

  • The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation.
  • Earth Simnavaz uses a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to allow their malicious activity to blend in with normal network traffic and avoid traditional detection methods.

https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

3.Mind the (air) gap: GoldenJackal gooses government guardrails by @ESETresearch

  • These toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems.
  • The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet.

https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails

4.Telekopye transitions to targeting tourists via hotel booking scam by @ESETresearch

  • Telekopye groups have expanded their targeting to popular accommodation booking platforms, such as Booking.com and Airbnb.
  • This new scam scenario comes with a targeting twist, utilizing compromised accounts of legitimate hotels and accommodation providers.

https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams

5.Lynx Ransomware: A Rebranding of INC Ransomware by PaloAlto’s #Unit42

  • Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.

https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/

6.Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware by PaloAlto’s #Unit42

  • the online activity of fake recruiters and technical details of the campaign
  • Analyzing the macOS, Windows and Python malware

https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters

7.Shining Light on the Dark Angels Ransomware Group by @Threatlabz

  • Dark Angels attack a small number of large companies for substantial ransom demands including a $75M ransom payment in 2024—the largest ever discovered.
  • The group leverages third-party ransomware payloads including Babuk and Read the Manual (RTM) Locker for Windows file encryption, as well as a variant of RagnarLocker for encrypting files on Linux/ESXi systems.
  • Dark Angels attempt to remain in the shadows by performing attacks that do not cause significant business disruptions.

https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group

8.Technical Analysis of DarkVision RAT by @Threatlabz

  • The campaign used PureCrypter as a loader to deploy DarkVision RAT.
  • DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets.
  • DarkVision RAT employs various evasion and privilege escalation techniques, including DLL hijacking, auto-elevation, and process injection.

https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat

9.FortiGuard Labs Threat ResearchBurning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA by #FORTIGUARD LABS

  • threat actor exploited the vulnerability CVE-2024-8190 in conjunction with the following 2 publicly unknown vulnerabilities
  • A publicly unknown path traversal vulnerability on the resource /client/index.php, to gain unauthorized access to other resources like users.php, reports.php etc.A
  • publicly unknown command injection vulnerability affecting the resource reports.php

https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

10.The Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks by @censysio

  • Censys discovered 14,004 unique IP addresses exposing healthcare devices and data systems connected to potentially sensitive medical information on the public internet
  • Nearly 50% of the exposed hosts (6,884) are located in the United States, followed by 10.5% (1,476) in India

https://censys.com/state-of-internet-of-healthcare-things/

 

Thanks a lot for reading.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.