In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Microsoft Azure "Honeypot" tenants
DarkVision Remote Access Trojan (RAT)
MacOS "HM Surf" vulnerability
CISA KEV updates
During a recent conference, principal security software engineer at Microsoft Ross Bevington detailed the use of honeypot Azure tenants to lure and study cybercriminals. These "fake" tenants are created in an effort to both distract and ultimately learn from adversary behavior to bolster defenses. According to Microsoft's Director of Threat Intelligence Strategy, with intelligence gathered from these operations "we have blocked over 40k connections from accessing Microsoft resources."
With the threat landscape constantly evolving, it's important to both understand the various attack paths and use that information gained in meaningful ways. The deception technology used in these operations by Microsoft translates to wasting roughly 30 days of an attackers time before they realize they have breached a honeypot environment.
Source: Bleepingcomputer
A Security Researcher for Zscaler recently posted a technical analysis of the DarkVision Remote Access Trojan (RAT). While this specific RAT was first discovered in 2020, it has "gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals." It's capabilities include file manipulation, process injection, remote code execution, password theft, keylogging and screenshots.
The attack chain for this malware starts with the execution of a malicious file, loading .NET assemblies directly into memory using Donut loader and then loading DarkVision RAT with the PureCrypter injector. Once the RAT is injected, a powershell command executes to "add malicious file paths and process names used by the RAT to the list of exclusions in Windows Defender", effectively bypassing endpoint detection capabilities. If you don't have alerting or visibility for additions to your endpoint detection exclusions, this is your wakeup call.
A recent post from the Microsoft Threat Intelligence blog, details the potential abuse of macOS' transparency, Consent, and Control (TCC) for the Safari browser. The vulnerability dubbed "HM Surf" involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.
The vulnerability known as CVE-2024-44133 was addressed in a fix released on September 16, 2024 for Safari only. "Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files." It's important to note that Microsoft has identified the threat family known as "Adload" exploiting this vulnerability in the wild but also can detect and block this behavior through the use of Microsoft Defender for Endpoint.
Source: Microsoft
CISA has added 4 CVE to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential Vulnerability - CVSS 9.1
CVE-2024-9680 - Mozilla Firefox Use-After-Free Vulnerability - CVSS 7.5
CVE-2024-30088 - Microsoft Windows Kernel TOCTOU Race Condition Vulnerability - CVSS 7.0
CVE-2024-40711 - Veeam Backup and Replication Deserialization Vulnerability - CVSS 9.8
Don't know where to begin with vulnerability management?
Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA .
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact