Welcome to the weekly digest about Cybersecurity & Threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. ELPACO-team Ransomware: A New Variant of the MIMIC Ransomware Family by @CyfirmaR
- the main binary, ELPACO-teamv.exe, is a 32-bit Windows executable that acts as a dropper
- it uses 7za.exe to extract additional payloads: legitimate utilities such as xdel.exe (sdelete.exe, the Microsoft Sysinternals command-line tool for securely deleting files) alongside the malicious ransomware components
- the main ransomware payload is ELPACO-team.exe, which renames itself to svhostss.exe to pass as the legitimate “svchost” process; the misspelling is the tell, since no real Windows component is named svhostss.exe, so the name itself is a usable detection
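The svhostss.exe trick above is a name-masquerade, and it is cheap to catch at scale. The following is an added example written for this digest, not code from the Cyfirma report or from the malware: it flags processes whose image name is a near-miss of a core Windows binary (edit distance of at most 3, which is exactly how far svhostss.exe is from svchost.exe) or whose name is genuine but which run from outside the directory that binary belongs in. The allowlist, the threshold and the process list are all constructed for the demonstration.

```python
# Added example (not from the Cyfirma report): flag processes whose name
# mimics a core Windows binary, as ELPACO-team does with "svhostss.exe".
# The allowlist, threshold and process list below are constructed.
from dataclasses import dataclass
from ntpath import basename, dirname
from typing import List, Optional, Tuple

# Core Windows binaries and the only directory they legitimately run from
# (illustrative allowlist; extend it for your own estate).
CORE_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MAX_LOOKALIKE_DISTANCE = 3  # "svhostss.exe" is 3 edits away from "svchost.exe"


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    path: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(pid: int, path: str) -> Optional[Finding]:
    """Return a Finding if the image name or its location looks wrong."""
    name = basename(path).lower()
    directory = dirname(path).lower().rstrip("\\")
    expected_dir = CORE_BINARIES.get(name)
    if expected_dir is not None:
        # Genuine name, wrong directory: e.g. svchost.exe launched from Downloads.
        if directory != expected_dir:
            return Finding(pid, name, path, f"core binary outside {expected_dir}")
        return None
    for legit in CORE_BINARIES:
        if edit_distance(name, legit) <= MAX_LOOKALIKE_DISTANCE:
            return Finding(pid, name, path, f"lookalike of {legit}")
    return None


def scan(process_list: List[Tuple[int, str]]) -> List[Finding]:
    return [f for pid, path in process_list if (f := check_process(pid, path))]


# Constructed sample process list: (pid, image path).
SAMPLE_PROCESSES = [
    (812, r"C:\Windows\System32\svchost.exe"),
    (4412, r"C:\Users\victim\AppData\Local\Temp\svhostss.exe"),
    (5120, r"C:\Users\victim\Downloads\svchost.exe"),
    (2200, r"C:\Windows\explorer.exe"),
    (3300, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: {f.name} ({f.reason}) -> {f.path}")
```

Name similarity is a heuristic, not proof: feed it a real process listing and expect a few legitimate short names to land within the threshold, then confirm hits by checking the image's Authenticode signature and hash rather than tightening the threshold until the svhostss case disappears.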
2. CVE-2024-9264: A Critical Vulnerability in Grafana: Vulnerability Analysis and Exploitation by @CyfirmaR
- CVE-2024-9264 is a critical vulnerability in Grafana 11 that allows low-privilege users to execute arbitrary SQL commands, potentially leading to code execution and unauthorized access to sensitive files on the Grafana host
- the flaw sits in Grafana's experimental SQL Expressions feature, which runs the query through DuckDB; exploitation requires the duckdb binary to be present on the Grafana host's PATH, so instances without it are not exploitable even when unpatched
3. Hexon Stealer: The Long Journey of Copying, Hiding, and Rebranding by @CyfirmaR
- a stealer built on the Electron framework, capable of extracting browser credentials, autofill data and other sensitive information
- several outlets associated with the malware developer and used to promote the stealer were identified
- these sites also feature a login panel, enabling Hexon Stealer customers to remotely control compromised systems
https://www.cyfirma.com/research/hexon-stealer-the-long-journey-of-copying-hiding-and-rebranding/
4. Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices by @TrendMicro
- Water Barghest, whose botnet comprised over 20,000 IoT devices by October 2024, monetizes IoT devices by exploiting vulnerabilities and quickly listing the compromised devices for sale on a residential proxy marketplace
- the botnet uses automated scripts to find and compromise vulnerable IoT devices identified through public internet-scan databases such as Shodan
- once a device is compromised, the Ngioweb malware is deployed; it runs in memory and connects to command-and-control servers to register the device as a proxy
5. Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine by @ESETresearch
- ESET analyzed archives containing multiple Linux samples, among them two previously unknown backdoors
- the first, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium
- the second, which ESET has named FireWood, is connected to Project Wood
6. Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware by #PaloAlto’s #Unit42
- an increase in BlackSuit ransomware activity beginning in March 2024 suggests a ramp-up of operations
- BlackSuit emerged in May 2023 as a rebrand of Royal ransomware; Unit 42 tracks the group behind it as Ignoble Scorpius
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
7. Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples by #PaloAlto’s #Unit42
- how attackers achieve lateral movement by stealing and exfiltrating SSH private keys and/or appending their own public keys to a victim's authorized_keys file
- the advantage an attacker gains by compromising an administrator's machine hosting the Apple Remote Desktop (ARD) administrator application, which could ultimately lead to total control over multiple corporate machines
- AppleScript can be used to send Remote Apple Events (RAE), executing specific events in an application on a remote machine within the local network
https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movement-macos/
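The authorized_keys technique above leaves a plain-text artefact on every host it touches, which makes it one of the easier lateral-movement methods to audit for. The following is an added example written for this digest, not Unit 42's code: it parses an authorized_keys file (including the leading options field, which can contain quoted spaces), computes each key's OpenSSH-style SHA256 fingerprint, checks that the key type embedded in the blob matches the one declared on the line, and reports any key whose fingerprint is not on an approved list. The two ed25519 blobs and the file contents are constructed for the demonstration and are not real key pairs.

```python
# Added example (not Unit 42's code): audit an authorized_keys file for keys
# that are not on an approved fingerprint allowlist. The key blobs and file
# contents below are constructed for the demonstration, not real keys.
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass
from typing import List, Set

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class Entry:
    lineno: int
    options: str
    key_type: str
    blob_b64: str
    comment: str
    fingerprint: str


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(public_bytes: bytes) -> str:
    """Constructed ssh-ed25519 public-key blob (wire layout only, not a real key)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(public_bytes)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob_b64: str) -> str:
    """Key type embedded in the blob; it must match the type declared on the line."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()


def parse_authorized_keys(text: str) -> List[Entry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values such as command="..." together
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: no recognised key type and blob")
        blob = tokens[idx + 1]
        entries.append(Entry(
            lineno=lineno,
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            blob_b64=blob,
            comment=" ".join(tokens[idx + 2:]),
            fingerprint=fingerprint(blob),
        ))
    return entries


def audit(text: str, allowed_fingerprints: Set[str]) -> List[str]:
    """One human-readable finding per key that should not be in the file."""
    findings = []
    for e in parse_authorized_keys(text):
        embedded = blob_key_type(e.blob_b64)
        if embedded != e.key_type:
            findings.append(f"line {e.lineno}: declared {e.key_type} but blob says {embedded}")
        if e.fingerprint not in allowed_fingerprints:
            findings.append(f"line {e.lineno}: unapproved key {e.fingerprint} ({e.comment or 'no comment'})")
    return findings


# Constructed sample: one approved admin key and one an intruder appended.
ADMIN_KEY_B64 = fake_ed25519_blob(bytes(range(32)))
ROGUE_KEY_B64 = fake_ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""# managed by the platform team
from="10.0.0.0/8",no-pty ssh-ed25519 {ADMIN_KEY_B64} admin@jumphost
ssh-ed25519 {ROGUE_KEY_B64} backup@localhost
"""
APPROVED = {fingerprint(ADMIN_KEY_B64)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(finding)
```

Run it against every user's ~/.ssh/authorized_keys and against whatever paths the sshd_config AuthorizedKeysFile directive names, since an intruder who can edit the former can usually edit the latter too; the fingerprints it prints match the SHA256 form shown by ssh-keygen -lf, so the allowlist can be built from your key inventory directly.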
8. Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22) by #PaloAlto’s #Unit42
- an authentication bypass in Palo Alto Networks PAN-OS (CVE-2024-0012) lets an unauthenticated attacker with network access to the management interface gain PAN-OS administrator privileges; from there the adversary can perform administrative actions, tamper with the configuration, or chain into authenticated privilege-escalation flaws such as CVE-2024-9474
- both issues require reaching the management interface, so restricting its access to trusted internal IP addresses, as Palo Alto's best-practice guidance already recommends, sharply reduces exposure even before patching
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474
9. Differential analysis raises red flags over @lottiefiles/lottie-player by @ReversingLabs
- three versions (2.0.5, 2.0.6 and 2.0.7) of the popular, legitimate npm package @lottiefiles/lottie-player were compromised and used to spread malicious code designed to steal crypto wallet assets from victims; because many sites load such players unpinned from a CDN, a poisoned release reaches end users without any deploy on the site owner's side
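The "differential analysis" in the headline is a general technique: take the last known-good release and the suspect one, hash every file in each tarball, and look hard at whatever was added or changed. The following is an added example written for this digest, not ReversingLabs' tooling: it builds two small npm-style tarballs in memory for a hypothetical package (the name, versions and file contents are constructed, not the real lottie-player artefacts), diffs them file by file, and then runs a constructed list of loader-style indicators over only the added and changed JavaScript.

```python
# Added example (not ReversingLabs' tooling): minimal differential analysis of
# two npm package tarballs. Package name, versions, file contents and the
# indicator list are all constructed for the demonstration.
import hashlib
import io
import re
import tarfile
from typing import Dict, List

# Constructed indicator list for newly introduced or changed JavaScript; a real
# review would also diff package.json "scripts" and "dependencies".
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
]


def build_tarball(files: Dict[str, str]) -> bytes:
    """Build an npm-style tarball (everything under package/) from name -> content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            data = content.encode()
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball(tgz: bytes) -> Dict[str, bytes]:
    """Map member path -> content for every regular file in the tarball."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_packages(old_tgz: bytes, new_tgz: bytes) -> Dict[str, List[str]]:
    """Paths added, removed, or whose SHA-256 differs between the two releases."""
    old, new = read_tarball(old_tgz), read_tarball(new_tgz)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if sha256(old[p]) != sha256(new[p])),
    }


def suspicious_files(new_tgz: bytes, diff: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Which added or changed files match any of the constructed indicators."""
    new = read_tarball(new_tgz)
    hits = {}
    for path in diff["added"] + diff["changed"]:
        text = new[path].decode(errors="replace")
        matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
        if matched:
            hits[path] = matched
    return hits


# Constructed "known good" and "suspect" releases of a hypothetical package.
GOOD_TGZ = build_tarball({
    "package.json": '{"name": "example-player", "version": "2.0.4"}',
    "dist/player.js": "export function play(el){el.textContent='playing';}\n",
})
SUSPECT_TGZ = build_tarball({
    "package.json": '{"name": "example-player", "version": "2.0.5"}',
    "dist/player.js": "export function play(el){el.textContent='playing';}\n"
                      "eval(atob('aGVsbG8='));\n",  # injected loader-style line
    "dist/helper.js": "export const x = 1;\n",
})

if __name__ == "__main__":
    d = diff_packages(GOOD_TGZ, SUSPECT_TGZ)
    print(d)
    print(suspicious_files(SUSPECT_TGZ, d))
```

For a real package, feed it the tarballs from npm pack or from the registry's dist.tarball URLs; a release whose package.json version bumped while a minified bundle changed far more than the changelog explains is exactly the red flag the headline refers to.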
Thank you for reading.
Please add interesting items you came across during the week in the comments below.