Weekly Top 10 – 01.15.2024- Free Decryptor Released for Babuk Ransomware, Microsoft Patches Critical Vulnerabilities in Hyper-V and Kerberos, Zero-Day in Ivanti VPN Exploited, and more.

WEEKLY TOP TEN | January 15,2024, 15:00 GMT

1. Free Decryptor Released for Babuk Ransomware
   
   Cisco Talos has partnered with Dutch authorities to obtain and release a decryptor for the newest variant of Babuk ransomware, dubbed Tortilla, following the arrest of the ransomware’s developer. The decryption tool is now available for free on Avast’s website.
2. Microsoft Patches Critical Vulnerabilities in Hyper-V and Kerberos
   
   In the first patch Tuesday of 2024, Microsoft patched two critical vulnerabilities in Hyper-V and Kerberos. The Kerberos vulnerability (CVE-2024-20674) is a flaw in an authentication feature that allows for a bypass. However, this does require a previously compromised network, as this is a MiTM attack. The Hyper-V vulnerability (CVE-2024-20700) is a race condition that allows for remote code execution on exploitation.
3. New Information on the Delivery of Stuxnet Uncovered
   
   New information on Stuxnet, perhaps one of the most infamous cyberattacks in history, has been uncovered. It is alleged that the malware was delivered to its intended recipient via a Dutch intelligence agent, who planted it in water pumps connected to the Iranian nuclear power plant, which then moved laterally and executed, damaging the nuclear centrifuges. The alleged Dutch intelligence agent, Van Sabben, passed away in a motorcycle accident two weeks after the attack.
4. Black Basta Leverages New Pikabot Malware in Infections
   
   A Black Basta ransomware associate has been observed using a new loader malware in place of the more common QakBot. Pikabot has been observed in use starting in the last quarter of 2023 in place of Qakbot, following it’s takedown by law enforcement. Pikabot is typically delivered via phishing and employs thread-jacking techniques to evade typical signature-based detection.
5. Threat Actors Pose as Security Researchers to Distribute Ransomware
   
   Researchers at Arctic Wolf have published information on two ransomware deployments in which they observed affiliates of the Akira and Royal ransomware gangs posing as security researchers. These actors were then given access to perform their supposed work, which they used to ransom and extort victims, asking for 5 Bitcoin worth over $200,000 at the time of writing.
6. Zero-Day in Ivanti VPN Exploited in the Wild
   
   Threat actors are actively targeting two zero-day vulnerabilities in Ivanti VPNs to gain network access. These vulnerabilities are present in Ivanti Connect Secure, which has had similar zero-day vulnerabilities in the past. These vulnerabilities (CVE-2023-46805, CVE-2024-21887) allow for authentication bypass and remote code execution, respectively, giving attackers complete control over vital network infrastructure and an entry point into impacted networks.
7. Malicious Usage of GitHub Continues to Grow
   
   Researchers at Recorded Futures have stated that usage of GitHub for cybercrime has continued to rise over the past year. GitHub provides several functions that are useful to threat actors, and its widespread usage makes it easy to blend malicious traffic with legitimate traffic. GitHub is being seen as a method for dead-dropping, command-and-control, and more. This technique has been referred to as ‘LOTS, or Living Off Trusted Sites’, similar to LOLBAS, Living Off the Land Binaries and Scripts.
8. Cisco Unity Vulnerability Allows Threat Actors to Obtain Root Privileges
   
   Cisco Unity is an instant messaging application for email inboxes, web browsers, and more. Cisco recently patched a critical vulnerability in this software and stated that attackers may be able to gain root access remotely on unpatched systems. This vulnerability (CVE-2024-20272) is an arbitrary file upload in the web management interface.
9. Atomic Stealer Uses Encrypted Payloads to Evade Defenses
   
   The macOS-specific info-stealer Atomic Stealer has released a new version as of December 2023. This version delivers the malware as an encrypted file, making initial scans by signature-based defense tools ineffective. As with many info-stealers, Atomic is typically delivered through malicious Google Ads posing as legitimate software, specifically in this case, Slack.
10. FBot Hacking Toolkit Targets Cloud Services
    
    Kingdom Market is a darknet site used for the sale of illegal goods, especially narcotics. German authorities, in collaboration with the US, Switzerland, Moldova, and Ukraine, have taken down this marketplace in an operation that started on December 16^th. One of the site’s administrators has been detained on charges of identity theft and money laundering in the US. The rest are still at large; however, server infrastructure has been seized.