Welcome to the weekly digest about Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager: Vulnerability Analysis and Exploitation by @CyfirmaR
- allows unauthenticated attackers to gain administrative access to the vTM system. Such access opens the door to a range of serious risks, including data theft, unauthorized deployment of malware, and complete loss of control over the network infrastructure.
2. Target Exposed Docker Remote API Servers With perfctl Malware by @TrendMicro
- the attack involves creating a Docker container with specific settings and executing a Base64-encoded payload
- payload execution includes escaping the container, creating a bash script, setting environment variables, and downloading a malicious binary disguised as a PHP extension
- attackers use evasion techniques to avoid detection, such as checking for similar already-running processes, creating directories, and using a custom function to download files.
3. Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach by @TrendMicro
- malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency
- the threat actor used the gRPC protocol over h2c (cleartext HTTP/2) to evade security solutions and execute their cryptomining operations on the Docker host.
https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-cryptominer-deployment.html
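Both Trend Micro items (2 and 3) start from the same weakness: a Docker Remote API reachable without authentication, followed by a container created with host-escape-friendly settings and a base64-encoded command stage. The audit below is an added example written for this digest, not code from Trend Micro or the Docker project. It checks a daemon.json for a plain TCP listener and walks `docker inspect`-shaped records for privileged mode, host-root or docker-socket bind mounts, shared PID namespace, and `echo <b64> | base64 -d` command chains. The daemon config, the container records and the encoded command (`id; uname -a`) are constructed samples; the container name `/miner-stage` is hypothetical.

```python
import base64
import json
import re
from typing import Dict, List

# --- constructed sample input (not taken from any real host) ---------------
# A daemon.json that exposes the Remote API on a plain TCP listener.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Harmless stand-in for the encoded command stage described in the reports.
_DEMO_B64 = base64.b64encode(b"id; uname -a").decode()

# Two records in the shape of `docker inspect` output, heavily trimmed.
SAMPLE_CONTAINERS: List[Dict] = [
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["webdata:/usr/share/nginx/html"]},
    },
    {
        "Name": "/miner-stage",   # hypothetical name for the sample
        "Config": {"Image": "ubuntu:20.04",
                   "Cmd": ["sh", "-c", f"echo {_DEMO_B64} | base64 -d | sh"]},
        "HostConfig": {"Privileged": True, "PidMode": "host",
                       "Binds": ["/:/host"]},
    },
]

# --- checks ----------------------------------------------------------------
# Matches `echo <base64 token> | base64 -d` (or --decode) inside a command line.
_B64_CHAIN = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Flag TCP listeners that are not protected by client-certificate TLS."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"daemon listens on {host} without tlsverify")
    return findings


def decode_b64_payload(cmd: str) -> str:
    """Return the plaintext of an `echo <b64> | base64 -d` chain, or '' if absent."""
    m = _B64_CHAIN.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def audit_container(record: Dict) -> List[str]:
    """Flag settings that let a container reach the host, plus encoded commands."""
    findings = []
    hc = record.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append("privileged")
    for bind in hc.get("Binds") or []:
        src, _, dst = bind.partition(":")
        if src == "/":
            findings.append(f"host root bind-mounted at {dst.split(':')[0]}")
        elif src.startswith("/var/run/docker.sock"):
            findings.append("docker socket bind-mounted")
    if hc.get("PidMode") == "host":
        findings.append("pid namespace shared with host")
    cmd = " ".join(record.get("Config", {}).get("Cmd") or [])
    decoded = decode_b64_payload(cmd)
    if decoded:
        findings.append(f"base64-decoded command: {decoded}")
    return findings


def risk_report(containers: List[Dict]) -> Dict[str, List[str]]:
    """Map container name -> findings; clean containers get an empty list."""
    return {c["Name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for line in audit_daemon_config(SAMPLE_DAEMON_JSON):
        print("daemon:", line)
    for name, findings in risk_report(SAMPLE_CONTAINERS).items():
        print(name, "->", findings or "no findings")
```

On a real host the same functions can be fed the contents of `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`; the decoded command is reported so an analyst can see what the stage does without running it.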
4. Embargo ransomware: Rock’n’Rust by @ESETresearch
- Embargo is developing and testing new Rust-based tooling.
- Differences in deployed versions, bugs, and leftover artifacts suggest that these tools are under active development.
- the threat actor abuses Safe Mode to disable security solutions. Embargo tailors its tools to each victim.
https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust
5. Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) by @Mandiant
- this vulnerability allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
6. Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction by Palo Alto’s #Unit42
- a multi-turn technique that engages large language models (LLMs) in an interactive conversation, gradually bypassing their safety guardrails and eliciting unsafe or harmful content
- it operates by embedding unsafe or restricted topics among benign ones, all presented in a positive and harmless context, leading LLMs to overlook the unsafe portion and generate responses containing unsafe content
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distraction/
7. Threat actor abuses Gophish to deliver new PowerRAT and DCRAT by @TalosSecurity
- a phishing campaign by an unknown threat actor using an open-source phishing toolkit called Gophish
- the campaign involves modular infection chains that are either Maldoc- or HTML-based and require the victim’s intervention to trigger the infection chain
- an undocumented PowerShell RAT (PowerRAT) is one of the payloads, alongside another infamous Remote Access Tool (RAT), DCRAT
https://blog.talosintelligence.com/gophish-powerrat-dcrat
8. Threat Spotlight: WarmCookie/BadSpace by @TalosSecurity
- WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns
- WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike
https://blog.talosintelligence.com/warmcookie-analysis
Thanks a lot for reading.