Threat Intel Brief for October 14 - October 20, 2024

Written by CoreTek | Oct 23, 2024 5:11:35 PM

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Microsoft Azure "Honeypot" tenants
DarkVision Remote Access Trojan (RAT)
MacOS "HM Surf" vulnerability
CISA KEV updates

Microsoft Azure "Honeypot" tenants

During a recent conference, principal security software engineer at Microsoft Ross Bevington detailed the use of honeypot Azure tenants to lure and study cybercriminals. These "fake" tenants are created in an effort to both distract and ultimately learn from adversary behavior to bolster defenses. According to Microsoft's Director of Threat Intelligence Strategy, with intelligence gathered from these operations "we have blocked over 40k connections from accessing Microsoft resources."

With the threat landscape constantly evolving, it's important to both understand the various attack paths and use that information gained in meaningful ways. The deception technology used in these operations by Microsoft translates to wasting roughly 30 days of an attackers time before they realize they have breached a honeypot environment.

Source: Bleepingcomputer

DarkVision Remote Access Trojan (RAT)

A Security Researcher for Zscaler recently posted a technical analysis of the DarkVision Remote Access Trojan (RAT). While this specific RAT was first discovered in 2020, it has "gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals." It's capabilities include file manipulation, process injection, remote code execution, password theft, keylogging and screenshots.


The attack chain for this malware starts with the execution of a malicious file, loading .NET assemblies directly into memory using Donut loader and then loading DarkVision RAT with the PureCrypter injector. Once the RAT is injected, a powershell command executes to "add malicious file paths and process names used by the RAT to the list of exclusions in Windows Defender", effectively bypassing endpoint detection capabilities. If you don't have alerting or visibility for additions to your endpoint detection exclusions, this is your wakeup call.

Source: Zscaler
MacOS "HM Surf" vulnerability

A recent post from the Microsoft Threat Intelligence blog, details the potential abuse of macOS' transparency, Consent, and Control (TCC) for the Safari browser. The vulnerability dubbed "HM Surf" involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.

The vulnerability known as CVE-2024-44133 was addressed in a fix released on September 16, 2024 for Safari only. "Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files." It's important to note that Microsoft has identified the threat family known as "Adload" exploiting this vulnerability in the wild but also can detect and block this behavior through the use of Microsoft Defender for Endpoint.

Source: Microsoft

CISA KEV updates

CISA has added 4 CVE to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential Vulnerability - CVSS 9.1
CVE-2024-9680 - Mozilla Firefox Use-After-Free Vulnerability - CVSS 7.5
CVE-2024-30088 - Microsoft Windows Kernel TOCTOU Race Condition Vulnerability - CVSS 7.0
CVE-2024-40711 - Veeam Backup and Replication Deserialization Vulnerability - CVSS 9.8

Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA .

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact