Threat Intel Brief for November 25 - December 01, 2024

Written by CoreTek | Dec 6, 2024 7:00:00 PM

In this weekly Threat Intelligence Brief we look back at top stories and security related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Rockstar phishing targets M365
Ransomware recruitment
Bootkitty Linux UEFI bootkit
CISA KEV updates

Rockstar phishing targets M365

A recent report from Trustwave has highlighted the rise in popularity of the 'Rockstar 2FA' phishing service. This Phishing as a Service (Paas) model is low cost, easy to use and highly effective. The platform enables adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication (MFA) on Microsoft 365 accounts. Rockstar 2FA is an updated version of the phishing kits DadSec and Phoenix but has been steadily gaining popularity since August 2024. Below are samples of some of the phishing emails sent from the platform (graphic provided by Trustwave):

While MFA is crucial in helping to defend against password-based attacks, bypassing it's protection is becoming all too easy with features provided in advanced PaaS kits. Microsoft has provided a few recent recommendations for helping to defender against AitM phishing attacks:

1. Go passwordless, ideally using passkeys

2. Set access policies that restrict threat actor activity

3. Be prepared to detect and respond to anomalies that may indicate a phishing attack

For a more in-depth look at how to defend against AitM attacks, please visit the linked Microsoft source article.

Source: Microsoft Trustwave

Ransomware recruitment

Ransomware groups are seeking skilled cybersecurity professionals, particularly penetration testers, to help improve the quality and security of their malware. Cybercriminal groups are continuing to adapt and are becoming more sophisticated, with structures resembling corporations, including software development teams and finance departments.

The top ransomware groups currently are LockBit, RansomHub, PLAY, Hunters International, and Akira, which are likely using more structured roles and cybercriminal services to operate efficiently. Cybercriminals are concerned about law enforcement efforts to take down botnets and help victims recover data, leading them to focus on improving the security of their malware.

Source: Darkreading Rapid7

Bootkitty Linux UEFI bootkit

A project created by cybersecurity students has released a Proof-of-Concept (PoC) UEFI bootkit for Linux based systems. Previously, Windows based system have been the only target for publicly known bootkits. According to an article by ESET Researchers , "The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)." Bypassing kernel signature verification allows for the loading of malicious components' during system boot.

Bootkitty currently relies on self-signed certificates and targets specific Ubuntu distributions, making it unsuitable for widespread deployment. But, adaptation is a defining trait for threat actors and it is only a matter of time before a public PoC like Bootykitty is weaponized. In order to help protect your Linux based systems against UEFI related threats, please consider the following recommendations:

1. Enable UEFI Secure Boot
2. Update firmware/OS and UEFI revocation list.

Source: ESET Research

CISA KEV updates

CISA has added 1 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2023-28461 - Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability - CVSS 9.8

Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact