Threat Intel Brief for November 18 - November 24, 2024

Written by CoreTek | Dec 6, 2024 6:45:00 PM

In this weekly Threat Intelligence Brief we look back at top stories and security related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
ONNX Phishing-as-a-Service
BlackBasta Malware Tactics
FS-ISAC’s Phishing Prevention Framework
CISA KEV updates

ONNX Phishing-as-a-Service

Recently, Microsoft has taken action against one of the most prominent Phishing-as-a-Service providers from 2024, ONNX. ONNX advertised its services primarily on telegram and accepted payment using a subscription model. The phishing kit included 2FA bypass mechanisms and focused on targeting some of the biggest names in the technology industry, including Microsoft, Google and Dropbox.

ONNX was rebranded in January 2024 from the highly successful and well known Adversary-in-The-Middle (AiTM) phishing service Caffeine. According to Microsoft's Digital Defense Report 2024, in April, ONNX customers were able to start using their own domains which made tracking the kit more difficult. The action taken by Microsoft includes the seizure of 240 domains belonging to ONNX. To review the case or look at the full list of domains, please visit the following link: ONNX Case

Source: Microsoft Dark Reading

BlackBasta Malware Tactics

The BlackBasta ransomware group has been a key player in the space since the takedown of Conti's operations in 2022. According to an article from threat intelligence company RedSense, BlackBasta has shifted from primarily relying on botnets to distribute malware to more nuanced methods leaning increasing on social engineering. Noted below is a typical BlackBasta attack chain before the expansion of social engineering tactics:

The diversification of tactics is "to sustain relevance and resilience in a challenging environment disrupted by LEA takedowns" and serves as a model for other would be ransomware operators.

One particular recent case was the use of Microsoft Teams to target users. The attack would start with an overwhelming amount of spam sent to the user, followed by an external Microsoft Teams invite from someone claiming to be from IT support. The external user would typically come from a tenant with a domain that was set up to fool the user further, i.e. securityadminhelper.onmicrosoft[.]com, supportserviceadmin.onmicrosoft[.]com, supportadministrator.onmicrosoft[.]com, cybersecurityadmin.onmicrosoft[.]com. The attacker then pushed for the victim to scan a QR code in an attempt to capture credentials or install RMM software to further the attack. A few ways to mitigate this type of attack include turning off external Teams access (if possible) or educating your users about internal IT support staff procedures.

Source: RedSense Reliaquest

FS-ISAC’s Phishing Prevention Framework

The Financial Services - Information Sharing and Analysis Center (FS-ISAC), recently published a report titled "Stop the Scams: A Phishing Prevention Framework for Financial Services". The framework focuses on creating a data-driven process for handling abuse complaints, disseminating intelligence across the organization, and collaborating with telecom providers to limit attack vectors. Three large US Banks participated in a pilot program adopting the framework and saw a significant reduction in reported scam attempts, which the following graphic depicts.

 

Best practices for adapting the framework as detailed in the report are as follows:

1. Design a Fraud and Phishing Report Intake Process that gets actionable answers
2. Build an Abuse Box infrastructure that facilitates information sharing
3. Use Consumer-Facing Education and Awareness to tell consumers what to expect from you
4. Do Internal Telecommunications Research to identify every means of communication
5. Engage with Telecommunications Providers to discover their phishing prevention capabilities

Source: FSISAC

CISA KEV updates

CISA has added 8 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-9474 - Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability - CVSS 6.9
CVE-2024-0012 - Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability - CVSS 9.3
CVE-2024-1212 - Progress Kemp LoadMaster OS Command Injection Vulnerability - CVSS 9.8
CVE-2024-38813 - VMware vCenter Server Privilege Escalation Vulnerability - CVSS 9.8
CVE-2024-38812 - VMware vCenter Server Heap-Based Buffer Overflow Vulnerability - CVSS 9.8
CVE-2024-21287 - Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability - CVSS 7.5
CVE-2024-44309 - Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability - CVSS 6.4
CVE-2024-44308 - Apple Multiple Products Code Execution Vulnerability - CVSS 8.8


Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact