CTI Weekly Highlights - 09/05/23
Vulnerabilities and Exploitation Attempts
VMware Aria Vulnerable to Critical SSH Authentication Bypass Flaw
A critical authentication bypass vulnerability in VMware Aria Operations for Networks, tracked as CVE-2023-34039, stems from a lack of unique cryptographic key generation for the appliance's SSH keys. A remote attacker with network access to the appliance could use these keys to bypass SSH authentication and reach otherwise private endpoints.
Command Injection in Splunk Enterprise Using External Lookups
Splunk Enterprise is vulnerable to a command injection flaw in its external lookup handling, tracked as CVE-2023-40598, that could allow an attacker to execute arbitrary code on the Splunk platform.
Azure Active Directory Flaw Could Result In Privilege Escalation
A recently discovered security flaw in Microsoft's Azure Active Directory could have been abused to compromise Power Platform and allow threat actors to escalate their privileges within the environment.
Malware Developments
New Malspam Campaign Delivers The DarkGate Loader
A recent malspam campaign that is being distributed via phishing emails delivers the DarkGate loader. The campaign leverages stolen email threads to lure victims into clicking on a malicious link that downloads the malware.
New Remcos RAT Campaign as A Complex Multi-Stage Threat
The Remcos RAT has recently been observed using phishing emails to deliver malicious VBS files. The emails carry seemingly harmless ZIP or RAR attachments that actually contain obfuscated VBS files, which initiate the attack when opened.
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Info Stealers
Researchers recently uncovered a campaign that uses a fake browser update lure to trick users into executing malicious binaries. The lure deploys a new loader, dubbed IDAT, which in turn delivers the StealC and Lumma information stealers.
Ransomware Operations
HTML Smuggling Leads to Abnormally Fast Nokoyawa Ransomware Infections
Attackers are now delivering Nokoyawa ransomware via HTML smuggling, deploying the final ransomware payload within only 12 hours of the initial compromise.
Identified Trends
Advanced PhaaS Techniques Now Involving AiTM Attacks
The cybersecurity landscape is seeing a surge in advanced phishing attacks, fueled by both new phishing-as-a-service (PhaaS) platforms and well-known ones such as PerSwaysion. These attacks now include adversary-in-the-middle (AiTM) techniques.
Security researchers highlight that these enhanced methods enable large-scale attacks aimed at bypassing multi-factor authentication. Specialized kits such as Evilginx and Modlishka act as reverse proxies between the victim and the legitimate login page, making the phishing site nearly indistinguishable from the real one. Because the victim completes MFA against the genuine service, the kit captures not just the credentials but also the resulting session cookie, which the attacker can replay without ever being challenged for a second factor. This trend defeats MFA methods that are not phishing-resistant and amplifies the need for stronger identity controls such as FIDO2/WebAuthn keys, conditional access tied to compliant devices, and monitoring for session-token replay.
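One practical check that follows from the above: a replayed session cookie shows up in sign-in or activity logs as the same session being used from the victim's network and, minutes later, from the attacker's infrastructure. The script below is an added example written for this newsletter, not code from CyberProof or from any vendor; it runs over a constructed, in-line set of sample events (the field layout, the user names and the IP/ASN values are all assumptions) and flags sessions that appear from a second ASN within a short window of the first observed use.

```python
"""Flag possible AiTM session-cookie replay in sign-in/activity events.

Added example for illustration. The event tuples below are constructed
sample data, not real telemetry; the field layout (timestamp, user,
session_id, source_ip, asn) is an assumption about how your logs are shaped.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, session_id, source_ip, asn).
# sess-1: user signs in from their own network, then the same session is
#         used 7 minutes later from an unrelated ASN  -> replay suspected.
# sess-2: normal activity from one network            -> no alert.
# sess-3: second ASN appears 9 hours later (travel/VPN) -> outside window.
SAMPLE_EVENTS = [
    ("2023-09-04T08:00:05Z", "alice@example.com", "sess-1", "203.0.113.10", "AS64501"),
    ("2023-09-04T08:00:06Z", "alice@example.com", "sess-1", "203.0.113.10", "AS64501"),
    ("2023-09-04T08:07:40Z", "alice@example.com", "sess-1", "198.51.100.77", "AS64502"),
    ("2023-09-04T09:15:00Z", "bob@example.com",   "sess-2", "203.0.113.22", "AS64501"),
    ("2023-09-04T09:16:00Z", "bob@example.com",   "sess-2", "203.0.113.22", "AS64501"),
    ("2023-09-04T09:30:00Z", "carol@example.com", "sess-3", "203.0.113.30", "AS64501"),
    ("2023-09-04T18:30:00Z", "carol@example.com", "sess-3", "192.0.2.5",    "AS64503"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return one alert per session that is used from a second ASN within `window`.

    The first event for a session is taken as the legitimate sign-in. Any later
    event for the same session id from a different ASN inside the window is the
    pattern an AiTM proxy leaves behind: the victim authenticated (including MFA)
    through the proxy, and the captured cookie was then replayed by the attacker.
    Comparing ASNs rather than raw IPs avoids alerting on NAT pool changes inside
    one network.
    """
    by_session = defaultdict(list)
    for ts, user, session_id, ip, asn in events:
        by_session[session_id].append((parse_ts(ts), user, ip, asn))

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e[0])
        first_ts, user, first_ip, first_asn = evs[0]
        for ts, _, ip, asn in evs[1:]:
            if asn != first_asn and ts - first_ts <= window:
                alerts.append({
                    "session_id": session_id,
                    "user": user,
                    "auth_ip": first_ip,
                    "auth_asn": first_asn,
                    "replay_ip": ip,
                    "replay_asn": asn,
                    "minutes_after_auth": round((ts - first_ts).total_seconds() / 60, 1),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print("Possible AiTM session replay:", alert)
```

On real data, feed the function your sign-in or unified audit events with a stable session or token identifier, and tune the window to your users' behaviour; a confirmed hit should be answered by revoking the session (not just resetting the password, since the attacker holds a live cookie) and checking for inbox rules or new MFA devices added from the replaying IP.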
New LockBit Phishing Campaign Targets Spain; Relates to LockBit Builder Leak
In September 2022, the builder for the LockBit 3.0 ransomware was leaked. Such events often fuel new threat variants: according to researchers, nearly 400 distinct samples built with it have since been observed, many of them matching the builder's default configuration.
This week, the National Police of Spain reported a recent, ongoing ransomware campaign that is potentially related to LockBit, with attackers likely using the leaked LockBit 3.0 builder. The campaign is currently targeting architecture companies through phishing emails; however, additional sectors could be targeted in the future as well.
Gain deeper CTI insights!
CyberProof’s CTI service offers comprehensive threat intelligence coverage, ensuring that your organization stays ahead of active threats that pose the greatest risk to your assets.
Our advanced CTI team investigates the threat landscape, providing you with detailed reports, related Indicators of Compromise (IOCs), technical recommendations, and MITRE ATT&CK mapping.