Daily Drop (792): Snowflake Compromised | RedTail Malware | Okta | Pegasus | WordPress Plugins | LilacSquid | FlyingYeti | Analygence | GENAI: IO
06-01-24
Saturday, Jun 01 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Proof-of-concept (PoC) links are now included, where available, for the CVEs mentioned in each item. A PoC is a small exercise that tests a hypothesis or shows that an idea is viable before a full-scale effort is undertaken. For a CVE, a public PoC demonstrates that the flaw can actually be triggered, which is why its availability should raise the urgency of patching.*
Snowflake Compromised? Attackers Exploit Stolen Credentials
Bottom Line Up Front (BLUF): Attackers, using stolen customer credentials, have targeted Snowflake customers in a series of data theft and extortion attempts. The attackers, identified as UNC5537, utilized a custom attack tool named “rapeflake” and commercial VPN IPs to exploit environments lacking two-factor authentication. While Snowflake itself denies any breach of its infrastructure, it has noted unauthorized access to certain customer accounts.
Analyst Comments: This incident underscores the critical importance of enforcing robust security measures, including multi-factor authentication (MFA) and strict access controls, especially in cloud environments. The conflicting claims about the nature of the breach highlight the challenges organizations face in securing complex cloud infrastructures and the necessity of maintaining vigilant security practices.
FROM THE MEDIA: Snowflake, a prominent cloud-based data storage and analytics company with nearly 9,500 customers globally, has been implicated in a series of data theft incidents. A threat actor group, UNC5537, has been stealing data from Snowflake’s customers by exploiting stolen credentials and using an attack tool called “rapeflake.” These attacks, primarily targeting environments without two-factor authentication, aim to extort organizations by threatening to release stolen data on hacker forums.
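The common thread in this campaign is accounts that a stolen password alone could open. The following audit is an added example, not code from the article or from Snowflake: it runs over constructed login-history rows (field names mirror the columns of Snowflake's LOGIN_HISTORY view, but the data and the trusted network ranges are invented) and lists every user with password-only sessions, then the subset of those sessions that came from outside the trusted ranges, the combination the attackers relied on.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Login:
    """One login-history row. Field names mirror Snowflake's LOGIN_HISTORY view
    (FIRST/SECOND_AUTHENTICATION_FACTOR, CLIENT_IP, IS_SUCCESS); the rows are constructed."""
    user: str
    success: bool
    first_factor: str             # "PASSWORD", "SAML2", "RSA_KEYPAIR", "OAUTH_ACCESS_TOKEN", ...
    second_factor: Optional[str]  # "DUO_PUSH", "DUO_PASSCODE", ... or None when no MFA was presented
    client_ip: str


# Constructed: the ranges an organisation would put in its Snowflake network policy.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample rows; not real Snowflake data.
SAMPLE_LOGINS = [
    Login("ALICE",   True,  "PASSWORD", "DUO_PUSH", "203.0.113.10"),
    Login("CAROL",   True,  "SAML2",    None,       "203.0.113.20"),  # SSO: MFA is enforced at the IdP
    Login("BOB",     True,  "PASSWORD", None,       "198.51.100.7"),  # password only, trusted range
    Login("SVC_ETL", True,  "PASSWORD", None,       "192.0.2.55"),    # password only, unknown range
    Login("BOB",     False, "PASSWORD", None,       "192.0.2.99"),    # failed attempt, ignored below
]


def is_password_only(login: Login) -> bool:
    """True when a session was opened with a password and no second factor."""
    return login.success and login.first_factor == "PASSWORD" and login.second_factor is None


def password_only_users(logins: List[Login]) -> Dict[str, int]:
    """Users with at least one successful password-only login, with a session count.
    Every name returned is an account a stolen password alone would open."""
    counts: Dict[str, int] = defaultdict(int)
    for login in logins:
        if is_password_only(login):
            counts[login.user] += 1
    return dict(counts)


def from_untrusted_network(ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """True when the source address is outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in networks)


def high_risk_logins(logins: List[Login]) -> List[Login]:
    """Password-only sessions from outside the trusted ranges: no second factor and a
    source (for example a commercial VPN egress) that a network policy would have blocked."""
    return [l for l in logins if is_password_only(l) and from_untrusted_network(l.client_ip)]


if __name__ == "__main__":
    for user, n in sorted(password_only_users(SAMPLE_LOGINS).items()):
        print(f"password-only access: {user} ({n} session(s))")
    for l in high_risk_logins(SAMPLE_LOGINS):
        print(f"review: {l.user} from {l.client_ip}")
```

Service accounts such as the constructed SVC_ETL are the usual finding: they cannot do an MFA push, so the fix is key-pair or OAuth authentication plus a network policy, not just a password reset.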
READ THE STORY: HelpNetSecurity // CRN
Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested
Bottom Line Up Front (BLUF): The U.S. Department of Justice announced the successful dismantling of the 911 S5 botnet, which infected 19 million devices worldwide. The botnet's alleged administrator, Chinese national Yunhe Wang, has been arrested in Singapore and faces severe charges including computer fraud and money laundering.
Analyst Comments: The takedown of the 911 S5 botnet marks a significant achievement in global cybersecurity efforts. This botnet's extensive reach and diverse malicious activities highlight the ongoing threat posed by sophisticated cybercriminal networks. The arrest of Yunhe Wang and the associated international cooperation underline the importance of collaborative efforts in combating cybercrime. Moving forward, it's crucial for cybersecurity entities to maintain vigilance and continue developing advanced detection and mitigation strategies to prevent the emergence of similar threats.
FROM THE MEDIA: The U.S. Department of Justice revealed that the 911 S5 botnet, also known as Cloud Router, was dismantled following an international operation involving agencies from the U.S., Germany, Singapore, and Thailand. The botnet had compromised 19 million Windows devices across more than 190 countries. Yunhe Wang, identified as the botnet's administrator, was arrested on May 24, 2024, in Singapore and is awaiting extradition to the United States. The botnet was built by bundling malware with free VPN applications, including MaskVPN and DewVPN; devices that installed them were turned into residential proxies that were sold to customers for cyberattacks, financial fraud, identity theft, and other illicit operations. The 911 S5 service shut down in 2022 but reemerged under a new name before being permanently dismantled.
READ THE STORY: SecurityWeek // THN
RedTail Crypto-Mining Malware Exploits Palo Alto Networks Firewall Vulnerability
Bottom Line Up Front (BLUF): The RedTail cryptocurrency mining malware has been updated to exploit a critical security flaw in Palo Alto Networks firewalls (CVE-2024-3400), enabling attackers to execute arbitrary code with root privileges. The malware's sophistication indicates potential involvement of a nation-state actor.
Analyst Comments: The integration of a recently disclosed, critical vulnerability in Palo Alto Networks firewalls into the RedTail malware's arsenal marks a significant escalation in cyber threats. This development underscores the evolving tactics of cybercriminals who are increasingly targeting high-value infrastructure with sophisticated methods. The use of private mining pools and advanced anti-analysis techniques suggests a high level of operational maturity, potentially indicating backing by well-resourced actors, such as nation-state groups. Organizations must prioritize patching and enhance their security posture to mitigate such advanced threats.
FROM THE MEDIA: RedTail, a cryptocurrency mining malware, has added a new exploit to its toolkit, targeting a severe vulnerability (CVE-2024-3400) in Palo Alto Networks firewalls. The flaw, which scores a perfect 10.0 on the CVSS scale, allows unauthenticated attackers to execute arbitrary code with root privileges. Akamai researchers report that the malware has also incorporated new anti-analysis techniques, including forking multiple times to hinder debugging and removing instances of the GNU Debugger.
READ THE STORY: THN // PoC: CVE-2018-20062 , CVE-2023-1389 , CVE-2024-3400 , CVE-2022-22954
Okta’s Customer Identity Cloud Vulnerable to Credential-Stuffing Attacks
Bottom Line Up Front (BLUF): Okta has warned customers of a vulnerability in its Customer Identity Cloud, specifically within the cross-origin authentication feature, that makes it susceptible to credential-stuffing attacks. This type of attack uses lists of stolen usernames and passwords to gain unauthorized access.
Analyst Comments: Okta's disclosure highlights the ongoing challenges in maintaining robust cybersecurity within Identity and Access Management (IAM) systems. The frequent emergence of such vulnerabilities underlines the need for stronger authentication methods beyond traditional passwords. The use of multi-factor authentication (MFA) and the adoption of passwordless authentication solutions, such as passkeys, are critical steps towards mitigating these risks. Organizations must proactively address these vulnerabilities by implementing stronger security measures and closely monitoring their systems for unusual activities to prevent exploitation by threat actors.
FROM THE MEDIA: Okta has notified its customers that the cross-origin authentication feature in its Customer Identity Cloud is vulnerable to credential-stuffing attacks. This type of attack involves cybercriminals attempting to sign into online services using large lists of usernames and passwords obtained from previous data breaches or phishing campaigns. The company observed that the endpoints supporting this feature were being hit with credential-stuffing traffic. Okta recommends implementing strong MFA and rate limiting to enhance security beyond just passwords. It also suggests enrolling users in passwordless, phishing-resistant authentication, with passkeys as the most secure option available on all Auth0 plans from Okta's free plan through Enterprise.
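Credential stuffing has a distinctive shape in authentication logs: one source cycling through many different usernames with a high failure rate, and the occasional success marking a credential that is valid. The detector below is an added example, not Okta's code or the article's; the log format is a constructed "timestamp ip username outcome" line, not Okta's event schema, and the thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    username: str
    success: bool


def parse_events(lines: List[str]) -> List[AuthEvent]:
    """Parse constructed 'timestamp ip username outcome' lines (not Okta's log format)."""
    events = []
    for line in lines:
        ts, ip, user, outcome = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


# Constructed sample log. 10.0.0.5 walks a leaked credential list and gets one hit;
# 10.0.0.9 is a legitimate user who mistypes a password twice.
SAMPLE_LOG = [
    "2024-05-31T10:00:00 10.0.0.5 user01 FAILURE",
    "2024-05-31T10:00:03 10.0.0.5 user02 FAILURE",
    "2024-05-31T10:00:06 10.0.0.5 user03 SUCCESS",
    "2024-05-31T10:00:09 10.0.0.5 user04 FAILURE",
    "2024-05-31T10:00:12 10.0.0.5 user05 FAILURE",
    "2024-05-31T10:00:15 10.0.0.5 user06 FAILURE",
    "2024-05-31T10:00:18 10.0.0.5 user07 FAILURE",
    "2024-05-31T10:00:21 10.0.0.5 user08 FAILURE",
    "2024-05-31T10:00:02 10.0.0.9 user42 FAILURE",
    "2024-05-31T10:00:30 10.0.0.9 user42 FAILURE",
    "2024-05-31T10:00:45 10.0.0.9 user42 SUCCESS",
]


def stuffing_sources(events: List[AuthEvent], window_s: int = 60,
                     min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Slide a time window over each source IP's attempts and flag the IP when one
    window holds many distinct usernames and mostly failures. Returns the widest such
    window per flagged IP, including usernames that succeeded (valid stolen credentials)."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: Dict[str, dict] = {}
    window = timedelta(seconds=window_s)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # two-pointer sliding window
                start += 1
            span = evs[start:end + 1]
            users = {e.username for e in span}
            failures = sum(1 for e in span if not e.success)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        "hits": sorted({e.username for e in span if e.success}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['distinct_users']} users, {stats['failures']}/{stats['attempts']} failed, hits={stats['hits']}")
```

The "hits" list is the actionable output: those accounts need a password reset and session revocation, whereas the source IP only needs rate limiting, which attackers rotate around anyway.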
READ THE STORY: SCMAG
Exiled Russian and Belarusian Opposition Journalists Targeted with Pegasus Spyware
Bottom Line Up Front (BLUF): A new investigation has revealed that at least seven Russian and Belarusian-speaking independent journalists and opposition activists living in Europe were targeted with Pegasus spyware. These individuals, who have faced threats for their critical views on their governments, are now dealing with advanced surveillance tactics while in exile.
Analyst Comments: The use of Pegasus spyware to target journalists and activists highlights the persistent threats faced by those who oppose authoritarian regimes. This sophisticated surveillance tool, sold exclusively to governments by the Israel-based NSO Group, allows state actors to monitor and potentially disrupt the activities of dissidents. The targeting of exiled individuals suggests that regimes are willing to extend their reach beyond national borders to silence critics. The implications for press freedom and personal security are profound, necessitating stronger cybersecurity measures and international cooperation to protect these vulnerable groups.
FROM THE MEDIA: Researchers from Access Now and Citizen Lab have discovered that Russian and Belarusian opposition journalists and activists living in Europe have been targeted with Pegasus spyware. Among the victims is Galina Timchenko, a prominent Russian media figure whose phone was infected while she was in Berlin. Other targeted individuals include Maria Epifanova and Evgeniy Pavlov from Novaya Gazeta Europe and Baltia, and Belarusian journalist Natallia Radzina. The investigation revealed that the spyware attacks occurred between August 2020 and January 2023. Although the exact state behind these attacks remains unidentified, researchers suggest that the infections may have been orchestrated by a single customer. Despite the lack of direct evidence linking Russia or Belarus to Pegasus, suspicions remain high given their history of targeting dissidents.
READ THE STORY: The Record
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified active exploitation of multiple high-severity vulnerabilities in WordPress plugins, leading to unauthorized creation of administrator accounts and potential site compromise. WordPress site owners are urged to update affected plugins and monitor for unusual activities.
Analyst Comments: The exploitation of vulnerabilities in popular WordPress plugins highlights the persistent risks associated with web application security. The affected plugins are widely used, making the scope of potential impacts significant. Site administrators must prioritize prompt updates and thorough security audits to mitigate the risks. This incident also underscores the importance of employing robust security measures such as Web Application Firewalls (WAFs) and regular vulnerability assessments.
FROM THE MEDIA: Researchers from Fastly have identified that threat actors are actively exploiting security vulnerabilities in several WordPress plugins. These vulnerabilities allow for unauthenticated stored cross-site scripting (XSS) attacks due to insufficient input sanitization and output escaping. Attackers leverage these vulnerabilities to inject malicious scripts, create rogue administrator accounts, and establish backdoors within the affected WordPress sites. The PHP backdoors are typically embedded into plugin and theme files, while tracking scripts are designed to relay information back to a remote server.
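The two artefacts Fastly describes, PHP backdoors dropped into plugin and theme files and remote tracking scripts injected into page output, both leave patterns that a file scan can catch. The scanner below is an added example, not Fastly's tooling or WordPress code: it runs over a constructed in-memory set of files (hypothetical plugin and theme names, placeholder payloads) and reports which heuristic fired for each file. Treat the rules as triage signals to review by hand, not proof of compromise.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Heuristic signatures for obfuscated PHP backdoors and injected remote script tags.
RULES = [
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long-base64-blob",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{120,}")),
    ("request-to-shell",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("remote-script-tag",
     re.compile(r"<script[^>]*\bsrc\s*=\s*['\"](https?://[^'\"]+)", re.I)),
]


def scan_file(path: str, content: str, allowed_hosts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (path, rule) for every rule that matches; remote script tags pointing
    at an allow-listed host (e.g. your own analytics provider) are skipped."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(content):
            if name == "remote-script-tag":
                host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].lower()
                if host in allowed:
                    continue
            findings.append((path, name))
            break  # one finding per rule per file is enough for triage
    return findings


def scan_tree(files: Dict[str, str], allowed_hosts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Scan every .php file in a path->content mapping (a real run would walk wp-content/)."""
    out = []
    for path, content in sorted(files.items()):
        if path.endswith(".php"):
            out.extend(scan_file(path, content, allowed_hosts))
    return out


# Constructed sample tree with hypothetical plugin/theme names and placeholder payloads.
SAMPLE_FILES = {
    "wp-content/plugins/example-forms/example-forms.php":
        "<?php\nadd_action('init', 'example_forms_init');\n",
    "wp-content/plugins/example-forms/readme.txt":
        "eval(base64_decode( would not count here: not a PHP file",
    "wp-content/themes/example-theme/functions.php":
        "<?php\nadd_theme_support('title-tag');\n"
        "eval(base64_decode('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo='));\n",   # placeholder, not a real payload
    "wp-content/themes/example-theme/header.php":
        "<head>\n<script src=\"https://www.googletagmanager.com/gtag/js\"></script>\n"
        "<script src=\"https://tracker.example.invalid/t.js\"></script>\n</head>\n",
    "wp-content/uploads/2024/05/cache.php":   # PHP under uploads/ is itself a red flag
        "<?php system($_GET['cmd']); ?>",
}


if __name__ == "__main__":
    for path, rule in scan_tree(SAMPLE_FILES, allowed_hosts={"www.googletagmanager.com"}):
        print(f"{rule:22} {path}")
```

Pair the scan with a check for administrator accounts you did not create, since the rogue admin is what lets the attacker plant these files in the first place.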
READ THE STORY: THN // PoC: CVE-2023-40000
Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors
Bottom Line Up Front (BLUF): LilacSquid, a newly identified cyber espionage group, has been actively targeting IT, energy, and pharmaceutical sectors in the U.S., Europe, and Asia since at least 2021. The group employs sophisticated tactics to maintain long-term access and steal sensitive data.
Analyst Comments: The discovery of LilacSquid underscores the evolving threat landscape where cyber espionage groups leverage both known vulnerabilities and compromised credentials to infiltrate critical sectors. The use of sophisticated malware like PurpleInk and common remote management tools such as MeshAgent indicates a high level of organization and technical capability. Organizations in targeted sectors should enhance their monitoring and incident response capabilities, especially focusing on the detection of unusual login patterns and the presence of unauthorized remote management tools.
FROM THE MEDIA: Cisco Talos researchers have exposed a cyber espionage campaign conducted by a threat actor known as LilacSquid. The group has been active since at least 2021 and has targeted diverse sectors, including IT, energy, and pharmaceuticals, across the U.S., Europe, and Asia. The main goal of the campaign appears to be establishing persistent access to victim networks to exfiltrate sensitive data to attacker-controlled servers. LilacSquid's operations involve heavily obfuscating their malware to evade detection and maintaining secondary access through tools like Secure Socket Funneling (SSF). Researchers also noted overlaps with tactics used by North Korean APT groups such as Andariel, a subset of the Lazarus Group.
READ THE STORY: THN
FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine
Bottom Line Up Front (BLUF): The Russia-aligned threat actor FlyingYeti has been exploiting a WinRAR vulnerability (CVE-2023-38831) in a phishing campaign targeting Ukraine. The campaign uses debt-themed lures to deliver the COOKBOX PowerShell backdoor via attacker-controlled Cloudflare Workers and GitHub pages, giving the actor remote control of infected systems.
Analyst Comments: FlyingYeti's continued use of CVE-2023-38831, a WinRAR flaw patched in 2023, shows how long a client-side vulnerability stays useful when end-user software is not updated. This campaign's targeting of Ukrainian entities amid geopolitical tensions underscores the need for heightened vigilance and robust cybersecurity measures, particularly in critical sectors. Organizations should prioritize updating vulnerable software, monitoring for unusual activity, and employing advanced threat detection mechanisms to mitigate such threats.
FROM THE MEDIA: Cloudflare has reported that the Russia-aligned cyber espionage group FlyingYeti is leveraging a WinRAR vulnerability (CVE-2023-38831) in its latest phishing campaign targeting Ukraine. The group, also known as UAC-0149 by CERT-UA, has been active since mid-April 2024, using debt-themed phishing lures to spread the PowerShell-based malware COOKBOX.
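CVE-2023-38831 archives have a recognisable layout: a decoy document and a directory whose name is the decoy's name plus a trailing space, containing a script named after the decoy; WinRAR versions before 6.23 launched the script when the user opened the decoy. The check below is an added example, not Cloudflare's or CERT-UA's tooling: it builds a constructed ZIP with that name layout (harmless placeholder contents, hypothetical file names) using Python's standard library and flags the collision. It inspects names only and does not prove a file is malicious.

```python
import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXTS = {"cmd", "bat", "exe", "vbs", "js", "ps1", "scr", "hta"}


def build_sample_archive() -> bytes:
    """Constructed archive with the CVE-2023-38831 name layout and harmless contents:
    a decoy 'invoice.pdf' and a directory 'invoice.pdf ' (trailing space) holding
    'invoice.pdf .cmd'. Not a weaponised sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo constructed placeholder\r\n")
        zf.writestr("notes.txt", b"benign")
        zf.writestr("docs/readme.txt", b"benign file in a normal directory")
    return buf.getvalue()


def suspicious_entries(names: List[str]) -> List[Dict[str, object]]:
    """Flag entries whose first directory component ends in whitespace and, once that
    whitespace is stripped, collides with a top-level file name in the same archive."""
    top_level_files = {n for n in names if "/" not in n}   # directory entries end in '/'
    findings = []
    for name in names:
        if "/" not in name:
            continue
        folder, _, inner = name.partition("/")
        decoy = folder.rstrip()
        if folder == decoy or decoy not in top_level_files:
            continue
        ext = inner.rsplit(".", 1)[-1].lower() if "." in inner else ""
        findings.append({"decoy": decoy, "entry": name, "executable": ext in EXECUTABLE_EXTS})
    return findings


def scan_archive(data: bytes) -> List[Dict[str, object]]:
    """Read the central directory of a ZIP held in memory and apply the name check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_entries(zf.namelist())


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        flag = "executable" if f["executable"] else "non-executable"
        print(f"decoy {f['decoy']!r} shadowed by {f['entry']!r} ({flag})")
```

A mail gateway or sandbox can apply the same name check before any extraction happens; for archives already on endpoints, the durable fix is WinRAR 6.23 or later.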
READ THE STORY: THN // PoC: CVE-2023-38831
Analygence Hired to Help NIST Clear National Vulnerability Database Backlog
Bottom Line Up Front (BLUF): Analygence, a Maryland-based cybersecurity company, has been selected by the National Institute of Standards and Technology (NIST) to address the backlog of software and hardware vulnerabilities in the National Vulnerability Database (NVD).
Analyst Comments: The partnership between NIST and Analygence underscores the critical need to manage and mitigate cybersecurity risks efficiently. With a history of providing cybersecurity services to federal agencies, Analygence's involvement is expected to streamline the process of reviewing and addressing vulnerabilities, enhancing the overall security posture of the NVD. This collaboration is indicative of a broader trend of government reliance on private sector expertise to bolster national cybersecurity infrastructure.
FROM THE MEDIA: NIST has confirmed that it has enlisted the help of Analygence to reduce the backlog affecting the National Vulnerability Database (NVD). This decision follows NIST's announcement seeking external assistance to manage the influx of new software and hardware vulnerabilities. Analygence, established by U.S. military veterans in 2010, has a proven track record of cybersecurity service provision to U.S. federal agencies. The company has held contracts with the Department of Homeland Security (DHS), the U.S. Air Force, and the U.S. Navy. Recently, Analygence secured a five-year, $125 million contract with NIST to support various cybersecurity and privacy initiatives across NIST divisions.
READ THE STORY: Recorded Future
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel vulnerability, CVE-2024-1086, to its Known Exploited Vulnerabilities (KEV) catalog. This high-severity flaw, actively exploited in the wild, requires immediate patching by federal agencies by June 20, 2024.
Analyst Comments: The inclusion of CVE-2024-1086 in the KEV catalog underscores the persistent threats posed by vulnerabilities in widely used software components like the Linux kernel. This particular flaw's ability to escalate local privileges to root makes it a critical risk, especially for systems with network-facing applications. Prompt action by federal agencies and other organizations is essential to mitigate potential exploitation and maintain system integrity.
FROM THE MEDIA: CISA has flagged CVE-2024-1086, a high-severity use-after-free vulnerability in the nf_tables subsystem of the Linux kernel's netfilter component, highlighting its active exploitation. This bug allows a local attacker to escalate privileges from a regular user to root, potentially enabling arbitrary code execution. The netfilter framework in the Linux kernel is essential for network packet filtering, network address translation, and port translation. The vulnerability was patched in January 2024, but details on the nature of the attacks exploiting this flaw remain scarce.
READ THE STORY: THN // PoC: CVE-2024-24919 , CVE-2024-1086
OpenAI, Meta, and TikTok Crack Down on Covert Influence Campaigns, Some AI-Powered
Bottom Line Up Front (BLUF): OpenAI, Meta, and TikTok have disrupted multiple covert influence operations (IOs) from China, Iran, Israel, and Russia. These campaigns leveraged AI tools to manipulate public discourse and political outcomes while hiding their true identities.
Analyst Comments: The use of AI in disinformation campaigns highlights the increasing sophistication of threat actors. While these campaigns have not significantly boosted audience engagement, the potential for AI to generate realistic and persuasive content poses a growing threat. Continuous monitoring and proactive measures are crucial in mitigating these risks.
FROM THE MEDIA: OpenAI has shut down five covert influence operations originating from China, Iran, Israel, and Russia over the past three months. These operations abused AI tools to generate comments, articles, social media personas, and debug code for automated posting. Notable networks include Russia's Bad Grammar and Doppelganger, China's Spamouflage, Iran's International Union of Virtual Media (IUVM), and Israel's Zero Zeno. Meta has also removed accounts linked to these operations, particularly focusing on STOIC and Doppelganger. Meta's efforts highlighted the use of AI-generated video news readers and other deceptive tactics. TikTok has disrupted similar networks, emphasizing the global reach and adaptability of these influence operations.
READ THE STORY: THN // The Record
More than 600,000 Routers Knocked Out in October by Chalubo Malware
Bottom Line Up Front (BLUF): The Chalubo malware rendered over 600,000 routers permanently inoperable in the U.S. between October 25-27, 2023. The attack primarily affected routers made by Sagemcom and ActionTec, causing significant disruptions, particularly in rural and underserved communities.
Analyst Comments: The widespread impact of the Chalubo malware underscores the critical vulnerabilities in network infrastructure for small offices and homes. The targeted attack via a firmware update to compromised devices highlights the need for stringent security measures and proactive monitoring to prevent such disruptions. The incident also emphasizes the importance of robust recovery plans, especially for ISPs serving vulnerable areas.
FROM THE MEDIA: Researchers from Lumen Technologies' Black Lotus Labs reported that the Chalubo malware caused a destructive incident, permanently disabling over 600,000 routers between October 25 and 27, 2023. The routers, predominantly Sagemcom and ActionTec models, were bricked by a malicious firmware update pushed to devices already infected with Chalubo. Lumen did not name the affected ISP; reporting points to Arkansas-based Windstream, which has not confirmed the attack. The most affected models were the Sagemcom F5380, ActionTec T3200s, and ActionTec T3260s.
READ THE STORY: The Record
Items of interest
DDoS-as-a-Service Botnet Backed by Mirai Attacking Gaming Community
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified a Mirai-backed DDoS-as-a-Service botnet, targeting the gaming community and facilitated through online shops and Telegram channels. The botnet, named RebirthLtd, poses significant risks to corporate entities and individual users by leveraging compromised devices to launch distributed denial-of-service (DDoS) attacks.
Analyst Comments: The emergence of the RebirthLtd botnet underscores the evolving threat landscape, where DDoS-as-a-Service models are becoming more accessible and widespread. The use of Mirai malware to facilitate these attacks highlights the persistent challenge of securing IoT devices. The targeting of gamers and the potential spillover into corporate environments demonstrate the broad and indiscriminate impact of such cyber threats. Continuous monitoring, robust security measures, and public awareness are crucial in mitigating these risks.
FROM THE MEDIA: The Sysdig Threat Research Team recently uncovered a financially motivated DDoS-as-a-Service botnet, known as RebirthLtd, utilizing Mirai malware to attack the gaming community. This service, marketed through Telegram and an online store, enables threat actors to rent or lease compromised devices to conduct large-scale DDoS attacks.
READ THE STORY: GBhackers
Coffee Break Session #110: What Is a Botnet? (Video)
FROM THE MEDIA: In today’s podcast, we’ll hear from Christin Cifaldi, Director of Product Development & Analytics, on the topic of botnets in cyber security. What is a botnet, and what role does it play in the security landscape? Listen in to learn more.
911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation (Video)
FROM THE MEDIA: Botnet Infected Over 19M IP Addresses to Enable Billions of Dollars in Pandemic and Unemployment Fraud, and Access to Child Exploitation Materials
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.