Cybersecurity Wiretap #31: From Water Barghest’s IoT Exploits to Lateral macOS Attacks with a Focus on @lottiefiles/lottie-player Compromise (week of 11/18/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. ELPACO-team Ransomware: A New Variant of the MIMIC Ransomware Family by @CyfirmaR

  • the main binary, ELPACO-teamv.exe, is a 32-bit Windows executable that acts as a dropper
  • it uses tools like 7za.exe to extract additional payloads, which include legitimate utilities such as xdel.exe (sdelete.exe, the Microsoft Sysinternals command-line utility for securely deleting files) as well as the malicious ransomware payloads
  • the main ransomware payload is ELPACO-team.exe, which renames itself to svhostss.exe to pose as the legitimate “svchost” process

https://www.cyfirma.com/research/elpaco-team-ransomware-a-new-variant-of-the-mimic-ransomware-family/

2. CVE-2024-9264: A Critical Vulnerability in Grafana: Vulnerability Analysis and Exploitation by @CyfirmaR

  • CVE-2024-9264 is a critical vulnerability in Grafana 11, which allows low-privilege users to execute arbitrary SQL commands, potentially leading to code execution and unauthorized access to sensitive files.

https://www.cyfirma.com/research/cve-2024-9264-a-critical-vulnerability-in-grafana-vulnerability-analysis-and-exploitation/

3. HEXON STEALER: THE LONG JOURNEY OF COPYING, HIDING, AND REBRANDING by @CyfirmaR

  • a stealer capable of extracting browser credentials, autofill data, and other sensitive information; it is built on the Electron framework
  • several outlets associated with the malware developer, used to promote the stealer, were identified
  • these sites also feature a login panel, enabling Hexon Stealer users to remotely control compromised systems

https://www.cyfirma.com/research/hexon-stealer-the-long-journey-of-copying-hiding-and-rebranding/

4. Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices by @TrendMicro

  • Water Barghest, which had compromised over 20,000 IoT devices by October 2024, monetizes IoT devices by exploiting vulnerabilities and quickly enlisting them for sale on a residential proxy marketplace
  • its botnet uses automated scripts to find and compromise vulnerable IoT devices sourced from public internet scan databases such as Shodan
  • once an IoT device is compromised, the Ngioweb malware is deployed; it runs in memory and connects to command-and-control servers to register the compromised device as a proxy

5. Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine by @ESETresearch

  • archives with multiple Linux samples, containing two previously unknown backdoors
  • the first, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium
  • the second backdoor, which ESET has named FireWood, is connected to Project Wood

https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/

6. Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware by #PaloAlto’s #Unit42

  • an increase in BlackSuit ransomware activity beginning in March 2024 suggests a ramp-up of operations
  • the threat emerged in May 2023 as a rebrand of Royal ransomware; Unit 42 tracks the group behind it as Ignoble Scorpius

https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/

7. Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples by #PaloAlto’s #Unit42

  • how attackers achieve lateral movement by stealing and exfiltrating SSH keys and/or placing their own keys in the victim’s authorized_keys file
  • the advantage an attacker gains by compromising an administrator’s machine that hosts the Apple Remote Desktop (ARD) administrator application, which could ultimately lead to total control over multiple corporate machines
  • AppleScript can be used to send Remote Apple Events (RAE), allowing specific events to be executed by an application on a remote machine within the local network

https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movement-macos/

8. Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22) by #PaloAlto’s #Unit42

  • an authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges; this could allow an adversary to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege-escalation vulnerabilities such as CVE-2024-9474

https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474

9. Differential analysis raises red flags over @lottiefiles/lottie-player by @ReversingLabs

  • three versions (2.0.5, 2.0.6 and 2.0.7) of the popular, legitimate package @lottiefiles/lottie-player were compromised and used to spread malicious code designed to steal crypto wallet assets from victims

https://www.reversinglabs.com/blog/differential-analysis-raises-red-flags-over-lottiefiles/lottie-player

Thank you for reading.

Please add interesting items you came across during the week in the comments below.
