Weekly Top 10 – 04.29.2024- Custom Exploit Tool by Russian APT Fancy Bear, Coveware Quarterly Report Released, CrushFTP Zero-day Allows Sandbox Escape, and More.

WEEKLY TOP TEN: April 29, 2024, 09:00 GMT

1. Custom Exploit Tool Crafted by Russian APT Fancy Bear Discovered
   
   A well-known Russian advanced persistent threat (APT) group called Fancy Bear has been exploiting the print spooler service in Windows to gain elevated privileges and exfiltrate sensitive information for years now. However, a recent discovery of the group’s custom exploit tool named “GooseEgg” sheds light on how this group has been exploiting CVE-2022-38028. In short, this tool would replace the symbolic link for the C: drive, and when the print spooler services start, it will be pointed to an attacker-controlled folder that contains a .dll file named wayzgoose.dll and will be loaded in when the service tries to load “C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js.”
2. Coveware Quarterly Report Released
   
   Security company Coveware released their quarterly report on ransomware, stating this quarter had the least amount of ransomware attacks resulting in payment to the attacker, at 28%. Payment rates have been on a steady decline since Q1 of 2019, when 85% of ransoms were being paid. Although the payment rate has declined, overall payments made reached a record high of $1.1 billion last year. Coveware didn’t just collect data for ransom payments; they also collected the initial infiltration methods the attackers employed. The primary highlight is the three most common CVEs used, which are CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708-9.
3. CrushFTP Zero-Day Allows Sandbox Escape
   
   Security researcher Simon Garrelou found and reported an arbitrary read flaw in the CrushFTP vendor’s application for its cloud-based file transfer server. This flaw would allow a low-privilege attacker to escape the server’s virtual file system, which, if successfully exploited, would allow for unauthenticated root access to the underlying system. This flaw affects most versions of CrushFTP. Fortunately, CrushFTP released a patch for this flaw in version 11.1.0 on April 19th and is tracking the vulnerability in CVE-2024-4040, marked as critical with a CVSSv3 score of 9.8.
4. Threat Actors are abusing GitHub and GitLab Comment Feature
   Threat actors are abusing the Github and GitLab comment features to distribute malware. They are accomplishing this by leaving a comment on a trusted repository such as Microsoft’s vcpkg or STL repository and using this comment to upload a malicious zip file. The threat actors are then able to distribute the zip file while staying under the radar due to the URL appearing as an official file from the repository.
   
   The URLs follow the format “github[.]com/{project_username}/{repo_name}/files/{file_id}/{file_name}” and for videos and images, the URL path will be “assets” instead of “files.”
   
   When the threat actor uploads these files, they are saved to the CDN that Github and Gitlab use, so even if the comment is deleted, the URL continues to work until it is deleted from the CDN. Currently, there are no mitigations that a repository owner can put in place to limit comment abuse.
5. ThreatFabric Releases Information on New Banking Trojan Brokewell
   
   Dutch security firm ThreatFabric recently published a report on a newly discovered banking trojan called Brokewell. This trojan uses fake browser updates to trick users into downloading the malicious payload. If the user starts the fake update, they will get prompted to grant the accessibility service permission that the trojan will then use to automatically grant any other permissions it needs to fully execute. This malware is believed to be under active development since each new sample found shows new features being added, some of which allow the process to screen capture, record audio, send SMS messages, install and uninstall applications, as well as cookie and credential stealing.
6. Samourai cryptomixer founders charged with money laundering
   
   The DOJ charged Keonne Rodriguez and William Lonergan Hill, the creators of Samourai Wallet, a cryptocurrency mixer application, with money laundering and operating an unlicensed money-transmitting business. The DOJ alleges Keonne and William processed over $2 billion in illicit funds using the “Ricochet” feature of their application. This feature would allow users to process cryptocurrency by using additional unnecessary transactions, making tracking the transactions more difficult for law enforcement. The U.S. DOJ worked with Icelandic law enforcement to seize the domains and web servers owned by Keonne and William, as well as remove their app from the Google Play Store.
7. Cisco Talos released new information on threat group UAT4356
   Cisco Talos has identified a new threat group given the name UAT4356, which is believed to be a state-sponsored group. The group was originally being tracked under the name ArcaneDoor since January 2024, when Cisco became aware of their cyber-espionage campaign that used the now-known CVEs CVE-2024-20353 and CVE-2024-20359. Cisco Talos stated they believe there are more CVEs to be found from this group since they have yet to identify the initial attack vector used.
8. Sekoia Sinkholed C2 Server for PlugX Malware Analysis
   
   Sekoia cybersecurity experts successfully obtained the IP address 45.142.166[.]112, which was linked to a command and control (C2) server used by a version of the PlugX malware. Sophos released a report in March 2023 documenting this information. The firm’s researchers began analyzing traffic reaching out to the C2 server and logged roughly 2.5 million unique IP addresses from 170 different countries, with 90,000 and 100,000 systems interreacting with the C2 server daily.
9. WP Automatic WordPress Plugin Critical Vulnerability
   
   A newly discovered vulnerability in the WordPress plugin WP Automatic has become the target of attackers, with over 30,000 websites currently using it. On March 13th, PatchStack’s security researchers revealed a new vulnerability, which was labeled CVE-2024-27956 and given a severity rating of 9.9/10. They described this vulnerability as an SQL injection impacting WP Automatic versions before 3.9.2.0 and allowing attackers to send custom-crafted queries to create new administrator accounts on the target website.
10. Citizen Lab Discovered Pinyin Mobile Applications Allow Passive Eavesdropping
    
    A recent discovery by Citizen Lab revealed that 8 out of 9 Pinyin mobile apps have a security vulnerability that enables attackers to exploit the input of Roman letters when typing Chinese characters on their keyboard. Citizen Lab looked at the 9 vendors—Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor, that sell these kinds of apps to the Chinese market and found that only Huawei wasn’t sending keystroke data in clear text and properly encrypting it.