Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. CVE-2024-7479 and CVE-2024-7481 – Privilege Escalation – Vulnerability Analysis and Exploitation by @CyfirmaR
- vulnerabilities in TeamViewer's Remote Client and Remote Host products for Windows
- both flaws stem from improper cryptographic signature verification during driver installation
- a local, unprivileged attacker can abuse TeamViewer's installation process to load a malicious driver onto the system and escalate privileges
2. Attacker Abuses Victim Resources to Reap Rewards from Titan Network by @TrendMicro
- attacker exploits the Atlassian Confluence vulnerability CVE-2023-22527 to gain remote code execution and use the host for cryptomining via the Titan Network
- the attack chain downloads and executes several shell scripts that install the Titan binaries and join the Titan Network under the attacker's identity
- compromised machines are connected to the Cassini Testnet, which lets the attacker take part in the delegated proof-of-stake system and collect reward tokens
https://www.trendmicro.com/en_us/research/24/j/titan-network.html
3. CloudScout: Evasive Panda scouting cloud services by @ESETresearch
- CloudScout uses cookies stolen by MgBot plugins to access and exfiltrate data stored in various cloud services
- each CloudScout module is written in C# and is deployed by an MgBot plugin written in C++
https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/
4. Jumpy Pisces Engages in Play Ransomware by #PaloAlto's #Unit42
- North Korean state-sponsored threat group, linked to the Reconnaissance General Bureau of the Korean People's Army, is now collaborating with the Play ransomware group (Fiddling Scorpius)
- this marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or as an affiliate of Play
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
5. TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit by #PaloAlto's #Unit42
- during a recent investigation of an extortion attempt, Unit 42 found that the threat actor had bought access to the client network, via the Atera RMM agent, from an initial access broker
- the threat actor used rogue systems to install the Cortex XDR agent on a virtual machine in order to test a new antivirus/endpoint detection and response (AV/EDR) bypass tool built on the bring your own vulnerable driver (BYOVD) technique
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
6. SmokeBuster: Keeping Systems SmokeLoader Free by @Threatlabz
- ThreatLabz has released a tool named SmokeBuster to detect, analyze, and remediate SmokeLoader infections
- SmokeLoader remains in use by many threat groups, largely because cracked versions are widely available on the internet
https://www.zscaler.com/blogs/security-research/smokebuster-keeping-systems-smokeloader-free
7. Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses by @elasticseclabs
- the latest versions of infostealers implement bypasses for Google's recent cookie protection feature, Application-Bound Encryption
- techniques include integrating the offensive security tool ChromeKatz, using COM to interact with Chrome's services and decrypt the app-bound encryption key, and abusing Chrome's remote debugging feature
https://www.elastic.co/security-labs/katz-and-mouse-game
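Items 1, 5 and 7 all leave a footprint on the endpoint that a defender can look for: a driver being loaded that is unsigned, has an invalid signature, or is dropped into a user-writable directory (the TeamViewer flaws and the BYOVD tool), and a browser being started with the remote debugging feature enabled (the Chrome cookie-theft path). The script below is an added example, not code from the digest or from any of the vendors cited; it runs a few simple detection rules over constructed Sysmon-style driver-load (Event ID 6) and process-create (Event ID 1) records. The flattened "Key: Value | Key: Value" line format, the sample events, and the SHA256 in KNOWN_VULNERABLE_DRIVER_SHA256 are all made up for the example; in a real deployment the hash set would come from a curated vulnerable-driver list such as loldrivers.io.

```python
"""Triage of Sysmon-style events for three of this week's techniques:
driver loads with missing/invalid signatures or from untrusted paths (items 1, 5)
and Chrome/Chromium started with remote debugging enabled (item 7).
Sample events and the vulnerable-driver hash are constructed for illustration."""
import re
from dataclasses import dataclass

# Directory from which legitimate drivers are normally loaded (assumption for the example).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
# Placeholder SHA256 of a "known vulnerable" driver: constructed, NOT a real hash.
KNOWN_VULNERABLE_DRIVER_SHA256 = {"11" * 32}
# Chromium flags that expose the DevTools protocol to a local process.
REMOTE_DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")

# Constructed sample events (flattened Sysmon EID 6 and EID 1 fields).
SAMPLE_EVENTS = [
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys | Hashes: SHA256=" + "aa" * 32
    + " | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "EventID: 6 | ImageLoaded: C:\\Users\\Public\\tvdrv.sys | Hashes: SHA256=" + "bb" * 32
    + " | Signed: false | Signature: - | SignatureStatus: Unavailable",
    "EventID: 6 | ImageLoaded: C:\\Windows\\Temp\\bypass.sys | Hashes: SHA256=" + "11" * 32
    + " | Signed: true | Signature: Example Hardware Vendor | SignatureStatus: Valid",
    'EventID: 1 | Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    ' | CommandLine: "chrome.exe" --remote-debugging-port=9222 --headless'
    ' --user-data-dir=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data'
    ' | ParentImage: C:\\Users\\bob\\AppData\\Local\\Temp\\stealer.exe',
    'EventID: 1 | Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    ' | CommandLine: "chrome.exe" --profile-directory=Default | ParentImage: C:\\Windows\\explorer.exe',
]


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse 'Key: Value | Key: Value' into a dict; only the first ': ' splits a field,
    so values containing colons (paths, command lines) survive intact."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sha256_of(event: dict):
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def check_driver_load(event: dict) -> list:
    """Rules for EID 6: signature state, load path, and known-vulnerable hash."""
    findings = []
    image = event.get("ImageLoaded", "")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append(Finding("driver-unsigned-or-invalid", image))
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding("driver-outside-system-dir", image))
    h = sha256_of(event)
    if h in KNOWN_VULNERABLE_DRIVER_SHA256:
        findings.append(Finding("driver-known-vulnerable", f"{image} sha256={h}"))
    return findings


def check_process_create(event: dict) -> list:
    """Rule for EID 1: a browser launched with a remote debugging flag."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if image.rsplit("\\", 1)[-1] in BROWSERS and any(f in cmd for f in REMOTE_DEBUG_FLAGS):
        return [Finding("browser-remote-debugging",
                        f"{cmd} (parent: {event.get('ParentImage', '?')})")]
    return []


def triage(lines) -> list:
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "6":
            findings.extend(check_driver_load(ev))
        elif ev.get("EventID") == "1":
            findings.extend(check_process_create(ev))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Against the constructed events the script flags the unsigned driver in C:\Users\Public, the validly signed but temp-dropped driver whose hash is on the placeholder list, and the chrome.exe instance started by a process in Temp with --remote-debugging-port; the normal tcpip.sys load and the explorer-launched Chrome produce nothing. A signed driver loaded from an unusual path with a Valid signature is exactly the BYOVD case, which is why the path and hash rules fire independently of the signature rule.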
8. Threat actors use copyright infringement phishing lure to deploy infostealers by @TalosSecurity
- an unknown threat actor is running a phishing campaign targeting users of Facebook business and advertising accounts in Taiwan
- the decoy email and fake PDF filenames impersonate a company's legal department to lure the victim into downloading and executing malware
- the campaign abuses Google's Appspot[.]com domains, a URL shortener and Dropbox to deliver an information stealer to the target's machine while evading network security products
9. Ghostscript wrap-up: overflowing buffers by @CodeanIO
- overview of CVE-2024-29506, CVE-2024-29507, CVE-2024-29508 and CVE-2024-29509
- a set of memory-corruption vulnerabilities in Ghostscript ≤ 10.02.1
- some may be exploitable, but that depends on whether Ghostscript was compiled with hardening countermeasures
https://codeanlabs.com/blog/research/ghostscript-wrap-up-overflowing-buffers/
Thanks a lot for reading.