Threat Intel Brief for October 28 - November 3, 2024

Written by CoreTek | Nov 7, 2024 1:39:34 PM

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
RDP attachment phishing
Azure OpenAI abuse
SharePoint server compromise
CISA KEV updates

RDP attachment phishing

CISA and Microsoft have both issued reports this week detailing large-scale phishing campaigns sending malicious Remote Desktop Protocol (RDP) attachments to gain initial access. According to CISA, sectors targeted include mostly government and IT.

When the malicious RDP file is executed, the user is asked to accept a signed certificate which leads to a connection to the attacker controlled system. Once the connections is made, the victim's local system resources are bidirectionally mapped to the attacker controller system. Resources that are then accessible to the attacker can include logical hard disks, clipboard contents, printers, connected peripheral devices, audio and authentication credentials.

Two of the top proactive measure listed by CISA include restricting outbound RDP connections and blocking RDP files in communications platforms. For a full list of proactive measure, please visit the linked article.

Source: CISA / Microsoft Threat Intelligence

Azure OpenAI abuse

Generative AI abuse continues to be a hot topic as many companies strive to offer solutions based on this emerging technology. Red Canary has a recent report that explores an attacker's methodology of compromising key material for authentication in Azure OpenAI.

Authentication to Azure OpenAI resources can occur via Entra ID or API key, with API keys being the preferred target as they are "persistent and do not expire unless they are explicitly regenerated". From a logging perspective, "API key usage is more difficult to track and correlate than Entra ID authentication", according to the report.

Guidance provided by Red Canary for logging and mitigation related to API key compromise includes using an Azure API Management gateway as a front end, using an Azure key vault to store and access API keys, auditing Azure OpenAI API ListKey operations, limiting network access to OpenAI endpoints and preferring Entra ID authentication over API key authentication.

Source: Red Canary

SharePoint server compromise

During a recent IR investigation, Rapid7 discovered exploitation of a Microsoft SharePoint Remote Code Execution Vulnerability(CVE 2024-38094) used for initial access. The compromised Sharepoint server was on-prem and an authenticated attacker with site owner permissions was able to exploit the vulnerability.

While the attacker was able to achieve remote code execution, of particular note was the installation of external AV (Horoung Antivirus) on the target system which crashed legitimate security products already installed. Some important points to reiterate are that the attacker had initial access already established before exploiting the SharePoint vulnerability and that this particular CVE was patched by Microsoft in the July 2024 monthly security update. The key takeaway here is to ensure your products have the latest security updates.

Source: Rapid7 / Microsoft

CISA KEV updates

CISA has added 2 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2024-8956 - PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability - CVSS 9.1
CVE-2024-8957 - PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability - CVSS 7.2

Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact