Biweekly Threat Report
81% Increase in Large-Volume DDoS Attacks
Fake POCs on GitHub Target Security Researchers
According to a recently published technical paper, hackers are publishing malicious PoC exploits for known vulnerabilities on GitHub. A PoC for BlueKeep vulnerability (CVE-2019-0708) was found with a base64-obfuscated Python script that fetches a Houdini RAT-laden VBScript from Pastebin. Other fake PoCs were found with info-stealer malware, malicious PowerShell scripts, malicious one-liner payloads, cobalt strike, and even inactive malicious components.
Multiple RCE Vulnerabilities Disclosed in Veeam backup & replication application
Several critical and high-severity vulnerabilities have been discovered affecting the Veeam backup & replication application that could be exploited by advertising fully weaponized tools for remote code execution (RCE). CloudSEK has said malware named ‘Veeamp’ was found in the wild and used by the Monti and Yanluowang ransomware groups to dump credentials from an SQL database for Veeam backup management software. These vulnerabilities are already patched in the 11.0.1.1261 version of its software.
Microsoft data breach exposes customers' contact info, emails and more (BlueBleed)
On the 24th of September Microsoft was notified by researchers at threat intelligence firm SOCRadar. “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services” Microsoft revealed. The leaked data allegedly linked to 65,000 entities from 111 countries stored in files dated from 2017 to August 2022. This Data reportedly contains Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII data and documents that may reveal intellectual property. SOCRadar has released a free tool to check for your company’s information within the documents exposed.
Available: BlueBleed - SOCRadar LABS
Hackers compromised the Hong Kong government agency network for a year
Researchers at Symantec have uncovered cyber-attacks attributed to the China-linked espionage actor APT41 (a.k.a Winnti) that breached the government agencies in Hong Kong and remained undetected for a year in some cases. Winnti has been using custom malware called Spyder Loader. Symantec’s report indicated that the hackers continue to evolve the malware, deploying several variants on the targets, all with the same functions.
New ‘Black Lotus’ UEFI Rootkit Provides APT level capabilities
A new threat actor on an underground criminal forum has been promoting a new vendor-independent UEFI rootkit that can disable security software and controls, warns Scott Scheferman - cybersecurity veteran. The Windows rootkit is a powerful, persistent tool being offered for sale at $5000. Written in Assembly and C, Black Lotus is 80 kilobytes in size and features geofencing. The threat packs evasion capabilities such as anti-virtualization, anti-debugging and code obfuscation. The tool can disable security applications and defence mechanisms including Hypervisor-protected code Integrity (HVCI), BitLocker and Windows Defender. This rootkit can bypass user access control (UAC) and secure boot, load unsigned drivers, and can persist undetected in the UEFI firmware of the target device, supposedly indefinitely. Kaspersky pointed out that the rootkit’s advanced capabilities were previously typical of nation-state malware but are now increasingly accessible to cybercriminals.
Police tricks deadbolt ransomware group out of 155 decryption keys
The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments.
After a ransom was paid to DeadBolt, DeadBolt created a bitcoin transaction to the same bitcoin ransom address containing a decryption key for the victim. The police were able to abuse this automated return by paying the ransom, receiving the decryption keys and then withdrawing the payments. Transactions were made with a minimum fee at a time when the bitcoin network was heavily congested meaning the bitcoin blockchain took much longer to confirm the transaction allowing the police to make the transaction, receive the key, and immediately cancel their bitcoin transaction. This allowed the police to gather 90% of all decryption keys for the victims that reported to the police.
References
81% Increase in Large-Volume DDoS Attacks
New attacks use Windows security bypass zero-day to drop malware
LockBit ransomware is now moving to a triple extortion tactic