Weekly Top 10: 9.23.2024: Enterprise ServiceNow Knowledge Bases at Risk: Extensive Data Exposures Uncovered; Highway Blobbery: Data Theft using Azure Storage Explorer; Chinese Botnet Infects 260,000 SOHO Routers, IP Cameras with Malware, and More.

WEEKLY TOP TEN: September 23, 2024, 16:00 GMT

1. Enterprise ServiceNow Knowledge Bases at Risk: Extensive Data Exposures Uncovered
   
   Security researcher Aaron Costello has spent the last year researching security vulnerabilities in ServiceNow. One shocking discovery is that 45% of instances were vulnerable to Knowledge Base (KB) data exposure. The main guardrail protecting KBs is a single security option that allows public access. Years ago, this option’s default toggle was on; when the default was changed to toggle off, past instances were not updated. Aaron has also released a proof-of-concept showing how simple a KB attack is using Burp Suite.
2. Highway Blobbery: Data Theft using Azure Storage Explorer
   
   Over time, ransomware groups have been observed exfiltrating data at a higher volume year over year. Security firm Modepush has noticed a shift in tools and techniques that groups have been using, notably a shift to Azure and MEGA. Exfiltrating data over Azure allows ransomware gangs to go unnoticed for longer, as Azure is used everywhere. In an attack, Azure Storage Explorer will be installed, and files will be uploaded to a blob container. Notably, Azure is optimized for handling large amounts of unstructured data, and there is a low chance that Azure is blocked on a network.
3. Chinese Botnet Infects 260,000 SOHO Routers, IP Cameras with Malware
   
   The FBI has stopped a sizable Chinese botnet known as “Raptor Train.” This botnet contains over 260,000 hosts and has been used to target many entities in the US and Taiwan. The FBI was able to remove the malware from thousands of infected devices. Raptor Train has been linked to Flax Typhoon, a Chinese state-sponsored group.
4. Malware Locks Browser in Kiosk Mode to Steal Google Credentials
   
   An unusual new malware technique has been seen locking a user’s browser when attempting to log into Google. Researchers from OALABS have observed this attack since August 22, 2024. They explain that the malware will launch Chrome in Kiosk mode while disabling the F11 (full-screen hotkey) and escape key. Kiosk mode is a special browser setting designed for Kiosks; it disables user elements and limits typical user interaction. If the user is not technically savvy, they will think their only option is to enter their credentials, which the malware will steal.
5. Hadooken Malware Targets Weblogic Applications
   
   A new Linux malware called Hadooken has been seen targeting Oracle Weblogic servers. The attackers start by looking for weak passwords or misconfigurations in the Weblogic server. Once they obtain access, they download, execute, and delete their loader. When executed, two elf binaries are dropped: a cryptominer and Tsunami malware.
6. New Phishing Campaign Exploiting Google App Scripts: What Organizations Need to Know
   
   Security firm Check Point has identified a new phishing campaign that contains malicious Google Apps script macros. The email will ask the user to activate their account linking to a Google URL starting with “script[.]google[.]com.” Since the link is hosted on a Google site, the user may trust the link and continue with the process. Users should exercise caution and never enter credentials into unknown pages.
7. Clever ‘GitHub Scanner’ Campaign Abusing Repos to Push Malware
   
   A new malware campaign is abusing GitHub’s email notification system to send malicious links to GitHub users. Repo owners and contributors will receive emails when new issue requests are opened. Threat actors are abusing this feature and creating new issues that contain malicious links. These links are then emailed from the official GitHub email servers, adding legitimacy to the request. Once the link is clicked, there’s a fake verification system in place; this system requests the user to click a button and then press some keyboard keys. If this request is made, the user will press Windows+r, opening the run prompt. They will then press ctrl+v and enter, pasting a base64 PowerShell script and executing it. The result is Lumma Stealer being installed on the user’s machine.
8. Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)
   
   Ivanti is issuing a security advisory for their Cloud Services Appliance version 4.6; there is a critical path traversal vulnerability. This vulnerability allows a remote, unauthenticated attacker to access restricted functionality in the appliance. This vulnerability can be used in parallel with CVE-2024-8190, which allows for command injection. Together, these two vulnerabilities allow a remote attacker access to bypass admin authentication and execute remote code.
9. Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials
   
   International law enforcement has taken down a major Phishing-as-a-Service (PhaaS) platform, iServer. iServer has been running since 2018 and has unlocked over 1.2 million stolen phones. This takedown is the result of an additional takedown on an encrypted communications network named Ghost. Ghost allowed cybercriminals and other miscreants to communicate securely.
10. Chrome Switching to NIST-approved ML-KEM Quantum Encryption
    
    Google is rolling out new security features in Chrome, switching from Kyber to Module Lattice Key Encapsulation Mechanism (ML-KEM). This change is to protect against TLS attacks and store-now-decrypt-later attacks. While ML-KEM has NIST’s approval, Kyber was an experimental feature. Google has also stated that Kyber was optimized for post-quantum cryptography and would experience performance issues if it was maintained.