Cybersecurity Wiretap #27: From Ivanti Vulnerabilities to Rock’n’Rust Ransomware with a Focus on Infrastructure Threats (week of 21/10/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager: Vulnerability Analysis and Exploitation by @CyfirmaR

  • an authentication bypass in the vTM admin panel: it allows unauthenticated attackers to gain administrative access to the vTM system. Such access opens the door to a range of serious risks, including data theft, unauthorized deployment of malware, and complete loss of control over the network infrastructure
  • practical check: the vTM management interface should never be reachable from untrusted networks; Ivanti's mitigation while patches are rolled out is to limit admin-interface access to the internal or private/corporate network

https://www.cyfirma.com/research/cve-2024-7593-vulnerability-in-ivanti-virtual-traffic-manager-vulnerability-analysis-and-exploitation/

2. Attackers Target Exposed Docker Remote API Servers With perfctl Malware by @TrendMicro

  • attack involves creating a Docker container with specific settings and executing a Base64 encoded payload
  • Payload execution includes escaping the container, creating a bash script, setting environment variables, and downloading a malicious binary disguised as a PHP extension
  • Attackers use evasion techniques to avoid detection, such as checking for similar processes and creating directories and a custom function to download files.

https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html

3. Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach by @TrendMicro

  • malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency
  • the threat actor used the gRPC protocol over h2c (HTTP/2 in cleartext, without TLS) to evade security solutions that only inspect HTTP/1.1 traffic to the Docker API and execute their cryptomining operations on the Docker host.

https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-cryptominer-deployment.html
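Items 2 and 3 share one root cause: a Docker Engine API reachable over plain TCP. The Python below is an added example (not Trend Micro's code, and not a reproduction of either campaign's exact container settings) showing two checks a defender can run offline: it parses a daemon.json for tcp:// listeners that are not protected by mutual TLS, and it triages container-create request bodies, as a reverse proxy or the daemon's debug log would record them, for HostConfig values that let a container reach the host and for a Cmd that pipes a base64 blob into a shell. The daemon.json, the request bodies and the base64 string are all constructed.

```python
"""Two offline checks for exposed Docker Engine API abuse (items 2 and 3).

Added example, not Trend Micro's code. The daemon.json and the request bodies
below are constructed; the HostConfig heuristics are generic container-escape
indicators, not a reproduction of either campaign's exact settings."""
import json
import re

# Host paths whose bind-mount hands the container the host (generic indicators).
HOST_ESCAPE_PATHS = {"/", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}
# "... | base64 -d | bash" style payload delivery inside the container Cmd.
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")


def exposed_daemon_listeners(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json that lack mutual-TLS protection.

    With "tlsverify": true the daemon requires a client certificate, which is
    the only supported way to expose the API on a TCP port safely."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify", False):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def _mount_sources(host_config: dict) -> list[str]:
    """Collect host-side paths from both the legacy Binds and the Mounts form."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    sources += [m.get("Source", "") for m in host_config.get("Mounts") or []
                if m.get("Type", "bind") == "bind"]
    return sources


def container_create_findings(body: dict) -> list[str]:
    """Triage a POST /containers/create body; an empty list means nothing risky."""
    findings = []
    hc = body.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("Privileged=true")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host")
    for src in _mount_sources(hc):
        if src in HOST_ESCAPE_PATHS or src.startswith("/etc"):
            findings.append(f"HostMount={src}")
    for cap in sorted(set(hc.get("CapAdd") or []) & DANGEROUS_CAPS):
        findings.append(f"CapAdd={cap}")
    cmd = " ".join(body.get("Cmd") or [])
    if B64_TO_SHELL.search(cmd):
        findings.append("Cmd pipes a base64-decoded payload into a shell")
    if re.search(r"\bchroot\b", cmd):
        findings.append("Cmd uses chroot (host-root pivot after a bind mount)")
    return findings


# Constructed daemon.json: the API is bound to every interface, no TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed create request in the style of the campaigns: host root mounted,
# host PID namespace, and a base64 blob decoded straight into bash. The base64
# here decodes to the harmless "echo hi".
SAMPLE_CREATE = {
    "Image": "ubuntu:22.04",
    "Cmd": ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | bash"],
    "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]},
}

if __name__ == "__main__":
    print("exposed listeners:", exposed_daemon_listeners(SAMPLE_DAEMON_JSON))
    for finding in container_create_findings(SAMPLE_CREATE):
        print("finding:", finding)
```

The request-body check is deliberately protocol-agnostic: it runs on the decoded JSON whether the request arrived over HTTP/1.1 or over gRPC/h2c, which is why inspecting what reaches the API is a better control for item 3 than pattern-matching the wire format. The daemon.json check is the first thing to run, since neither campaign works against a daemon that only listens on the Unix socket or requires a client certificate.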

4. Embargo ransomware: Rock’n’Rust by @ESETresearch

  • Embargo is developing and testing new Rust-based tooling.
  • Differences in deployed versions, bugs, and leftover artifacts suggest that these tools are under active development.
  • the threat actor abuses Safe Mode to disable security solutions
  • Embargo tailors its tools to each victim

https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust

5. Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) by @Mandiant

  • this vulnerability (missing authentication for a critical function, CWE-306, in the fgfmd daemon that handles FortiGate-to-FortiManager traffic) allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
  • practitioner caveat: until patched, Fortinet's workarounds are to deny registration of unknown devices (fgfm-deny-unknown) or to allowlist the IP addresses of legitimate FortiGates with a local-in policy; the FGFM service should not be reachable from the internet in the first place

https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575

6. Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction by PaloAlto’s #Unit42

  • multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content
  • it operates by embedding unsafe or restricted topics among benign ones, all presented in a positive and harmless context, leading LLMs to overlook the unsafe portion and generate responses containing unsafe content

https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distraction/

7. Threat actor abuses Gophish to deliver new PowerRAT and DCRAT by @TalosSecurity

  • phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor
  • campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain
  • an undocumented PowerShell RAT (PowerRAT) is one of the payloads; the other is the well-known Remote Access Tool (RAT) DCRAT

https://blog.talosintelligence.com/gophish-powerrat-dcrat

8. Threat Spotlight: WarmCookie/BadSpace by @TalosSecurity

  • WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns
  • WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike

https://blog.talosintelligence.com/warmcookie-analysis

Thanks a lot for reading.
