In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
DNS Hijacking
Remcos RAT abuse targeting Windows users
ZIP Concatenation malware
CISA KEV updates
Unit42 recently published a report covering DNS Hijacking in detail. While the focus of the report is on detection in passive DNS, it includes real-world examples and a number of Indicators of Compromise (IoCs) that can be searched across your environment.
A successful DNS hijack can lead to devastating consequences for both the domain owners and their customers. Once a domain owner's or DNS service provider's credentials are compromised, the attacker can then alter DNS records to point unsuspecting victims to malicious sites. Auditing your domain's DNS record at a regular cadence is advised.
Source: Unit42
Remote Access Tools (RATs) have long been a popular method of gaining control over compromised systems. Fortinet labs threat research reported on a phishing campaign spreading a new variant of Remcos RAT, a commercially available tool.
The phishing campaign starts with an attached Excel document that is intended to exploit CVE-2017-0199, a Remote Code Execution Vulnerability in Office/Wordpad. Once the file is opened, malware is deployed that uses sophisticated evasion techniques, including multi-layered obfuscation, API hooking, and anti-debugging mechanisms to avoid detection and analysis. The ultimate goal here is full system takeover. The following graphic provided by Fortinet details the entire process from the initial phish to delivery of Remcos RAT:
Source: Fortinet
Cybersecurity company Perception Point authored an article describing exploitation of the zip file structure to hide malware. The obfuscation abuses concatenation, a method of appending multiple zip archives into a single file.
The tactic used by attackers "exploits the varied behaviors of ZIP readers, including those commonly used by popular cybersecurity tools and human malware researchers", according to Perception Point. Zip archive readers like 7.zip, Windows File Explorer, and WinRAR handle concatenated zip files differently, allowing malicious content to be hidden. Only some zip file readers fully expose the hidden malicious executable, while others may miss or overlook the malicious content.
Source: Perception PointCISA has added 6 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-8956 - PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability - CVSS 9.1
CVE-2024-8957 - PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability - CVSS 7.2
CVE-2019-16278 - Nostromo nhttpd Directory Traversal Vulnerability - CVSS 9.8
CVE-2024-51567 - CyberPanel Incorrect Default Permissions Vulnerability - CVSS 9.8
CVE-2024-43093 - Android Framework Privilege Escalation Vulnerability - CVSS N/A
CVE-2024-5910 - Palo Alto Expedition Missing Authentication Vulnerability - CVSS 9.3
Don't know where to begin with vulnerability management?
Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact