By security practitioners, for security practitioners

Weekly Top 10 – 04.2.2024- SharePoint and AMD Vulnerabilities, Password Spraying VPN Attacks, Tycoon 2FA, and More.

WEEKLY TOP TEN: April 2, 2024, 17:09 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:

  1. CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

    CISA has issued a warning about active exploitation of a critical vulnerability in Microsoft SharePoint Server (CVE-2023-24955), which allows authenticated attackers with site owner privileges to execute code remotely. It joins CVE-2023-29357, which is already listed in CISA’s Known Exploited Vulnerabilities catalog. The two vulnerabilities were recently demonstrated together in an exploit chain at Pwn2Own Vancouver 2024. Patches for both were released in 2023, but failure to apply them has allowed exploitation in the wild.
  2. ZenHammer Attack Targets DRAM on Systems With AMD CPUs

    Researchers at ETH Zürich have demonstrated Rowhammer attacks against DDR4 and DDR5 memory that ships with the Target Row Refresh (TRR) mitigation, which is supposed to prevent Rowhammer. They targeted devices powered by AMD Zen 2 and Zen 3 processors, dubbing the attack ZenHammer.

    The ETH Zürich researchers state: “Rowhammer is a DRAM vulnerability caused by the interference between different rows that store data. This vulnerability enables attackers to change values in memory they are not supposed to have access to, ultimately enabling privilege escalation and escaping from sandboxes.”

    ZenHammer circumvents TRR by reverse engineering the DRAM address functions and optimizing refresh synchronization, enabling bit flips on a significant portion of the tested Zen 2 and Zen 3 devices. It triggered bit flips on seven Zen 2 processors, six Zen 3 processors, and one Zen 4 processor. The Zen 4 result is notable because it is the first reported successful bit flip on a DDR5 system.
  3. Exposing a New BOLA Vulnerability in Grafana

    Palo Alto Unit 42 researchers have discovered and demonstrated a new Broken Object Level Authorization (BOLA) vulnerability (CVE-2024-1313) in Grafana, a popular open-source data observability and visualization platform. The vulnerability allows low-privileged Grafana users to use publicly available snapshot keys to delete dashboards belonging to other organizations. Additionally, Unit 42 found an API endpoint that allows any user to create snapshots without enforcing complexity checks on the secret keys, which opens the door to denial-of-service and brute-force attacks. As of March 26, 2024, Grafana has released a patch for this vulnerability and recommends updating promptly.
  4. Cisco warns of password-spraying attacks targeting VPN services

    Cisco has alerted customers to an ongoing password-spraying attack targeting Remote Access VPN (RAVPN) services on Cisco firewall devices. Cisco has published a mitigation guide containing IoCs and recommendations for hardening RAVPN environments. Security researcher Aaron Martin has been investigating the activity and states that it is likely linked to a malware botnet he has named “Brutus”. Martin notes that the botnet currently relies on roughly 20,000 IP addresses worldwide, rotates through them, and uses specific usernames that do not come from a known data dump. Attribution is currently unknown, but Martin has identified IPs that suggest this may be the work of APT29.
  5. Hackers exploit Ray framework flaw to breach servers, hijack resources

    Ray is a popular open-source AI framework developed by Anyscale and used by many well-known applications to train LLMs such as ChatGPT. “ShadowRay” is a new campaign targeting Ray environments that do not follow the project’s security recommendations (CVE-2023-48022). The flaw allows remote code execution, giving attackers access to production database credentials, access tokens, private AI models, and more. Anyscale does not classify this as a vulnerability but as a bug, since it is exploitable only in environments that ignore the security recommendations. Security researchers have discovered hundreds of exposed Ray servers that have been compromised, giving attackers full access. On March 28th, Anyscale released a blog post explaining the issue and announced tools to help defend against it.
  6. Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit

    Tycoon 2FA is an Adversary-in-the-Middle (AiTM) phishing kit that has been active since August 2023. Tycoon is distributed as a Phishing-as-a-Service (PhaaS) platform, allowing widespread use of the kit. In February 2024, a new version was released and distributed in the wild. The Tycoon kit lets threat actors host a reverse proxy server that serves authentic-looking login pages. These pages forward the victim’s input to the legitimate server while capturing and exfiltrating the login information. Because the victim enters their 2FA code into the reverse proxy as well, the threat actor obtains everything needed to take over the account, bypassing 2FA. Security researchers have identified over 1,200 domain names using Tycoon 2FA since August 2023.
  7. New Darcula phishing service targets iPhone users via iMessage

    Continuing with PhaaS news, “Darcula” is in the news for using over 20,000 domains to spoof brands and steal credentials. Darcula is unusual in that it does not use SMS; instead it uses RCS and iMessage, which makes for more convincing phishing attempts. Security researchers at Netcraft state that Darcula has been used in numerous high-profile phishing attacks over the last year. Their research shows that Darcula employs modern web technologies to continuously update its kits while maintaining a high level of impersonation on the crafted sites. While iMessage does have built-in protections against phishing links, Darcula attempts to circumvent them with social engineering.
  8. SeeSeeYouExec: Windows Session Hijacking via CcmExec

    Mandiant’s security researchers have discovered novel attack methods that abuse System Center Configuration Manager (SCCM). SCCM is a comprehensive management solution from Microsoft designed to facilitate the deployment, management, and security of devices and applications within an organization’s network. CcmExec is the Windows service that manages software deployment and updates on managed hosts. Mandiant describes a simple exploitation path that uses AppDomainManager injection to manipulate the process spawned by CcmExec, which allows for remote code execution. The attack chain requires administrator privileges; with those, the attacker uploads a malicious DLL and points the CcmExec configuration file at it so the DLL is loaded. Mandiant has also released CcmPwn, a tool that facilitates the technique.
  9. TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service

    “TheMoon” is an emerging malware botnet that has been seen infecting thousands of home office routers and IoT devices. The botnet is associated with the “Faceless” proxy service, which uses infected devices as proxies, allowing threat actors to anonymize their activities. Security researchers at Black Lotus Labs have been investigating the latest campaign and have discovered over 7,000 infected devices, with ASUS routers as the primary target. The ASUS models targeted in this campaign are end-of-life, allowing attackers to exploit known vulnerabilities in the outdated firmware.
  10. Revealed: Facebook’s “Incredibly Aggressive” Alleged Theft of Snapchat App Data

    Shifting gears to more familiar threats, recently unsealed court documents reveal that Facebook created a VPN to collect analytics and user data from competitors such as Snapchat, YouTube and Amazon. The operation, dubbed “Ghostbusters”, allowed Facebook to intercept and decrypt SSL-protected traffic. The VPN acted as an Adversary-in-the-Middle, harvesting a vast amount of private data from competitors. The VPN was shut down in 2019, and Zuckerberg has previously denied knowing about the project.
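The Brutus activity in item 4 above rotates through roughly 20,000 source IPs and tries each username only a few times, which defeats per-IP lockouts and per-account lockouts alike. As an added example, not part of this digest or of Cisco's mitigation guide, the following detector keys on username breadth instead: it groups VPN authentication failures into fixed windows and alerts when many distinct accounts each fail only once or twice. The event format, sample events and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication failures (not real Cisco RAVPN logs).
# Each entry: (ISO timestamp, source IP, attempted username).
SAMPLE_FAILURES = [
    ("2024-03-28T10:00:01", "198.51.100.10", "alice"),
    ("2024-03-28T10:00:05", "198.51.100.11", "bob"),
    ("2024-03-28T10:00:09", "198.51.100.12", "carol"),
    ("2024-03-28T10:00:14", "198.51.100.13", "dave"),
    ("2024-03-28T10:00:20", "198.51.100.14", "erin"),
    ("2024-03-28T10:00:25", "198.51.100.15", "frank"),
    ("2024-03-28T10:00:31", "198.51.100.16", "grace"),
    ("2024-03-28T10:00:36", "198.51.100.17", "heidi"),
    # One legitimate user mistyping a password three times from a single IP.
    ("2024-03-28T10:05:00", "203.0.113.5", "ivan"),
    ("2024-03-28T10:05:30", "203.0.113.5", "ivan"),
    ("2024-03-28T10:06:00", "203.0.113.5", "ivan"),
]

def floor_to_window(t, window):
    """Round a datetime down to the start of its fixed-size window."""
    return t - (t - datetime.min) % window

def detect_spray(failures, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag windows that look like a password spray.

    Within each fixed window, count usernames that failed at most
    `max_per_user` times (the 'one or two guesses per account' signature of
    spraying). Keyed on username breadth, not source IP, so it still fires
    when the attacker rotates through many IPs. A single user failing many
    times (a forgotten password) does not contribute to the count.
    Returns [(window_start_iso, sprayed_user_count, distinct_ip_count), ...].
    """
    buckets = defaultdict(lambda: (defaultdict(int), set()))
    for ts, ip, user in failures:
        key = floor_to_window(datetime.fromisoformat(ts), window)
        per_user, ips = buckets[key]
        per_user[user] += 1
        ips.add(ip)
    alerts = []
    for start in sorted(buckets):
        per_user, ips = buckets[start]
        sprayed = [u for u, n in per_user.items() if n <= max_per_user]
        if len(sprayed) >= min_users:
            alerts.append((start.isoformat(), len(sprayed), len(ips)))
    return alerts

if __name__ == "__main__":
    for start, users, ips in detect_spray(SAMPLE_FAILURES):
        print(f"possible spray from {start}: {users} accounts across {ips} IPs")
```

The thresholds should be tuned against a baseline of normal failure volume; in large environments a window that spans a password-expiry morning can legitimately exceed five single-failure accounts.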