By security practitioners, for security practitioners

Weekly Top 10 – 01.15.2024 – Free Decryptor Released for Babuk Ransomware, Microsoft Patches Critical Vulnerabilities in Hyper-V and Kerberos, Zero-Day in Ivanti VPN Exploited, and more.

WEEKLY TOP TEN | January 15, 2024, 15:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we reviewed as the most significant during the week, ranked by highest risk and drawing on multiple sources where available:

  1. Free Decryptor Released for Babuk Ransomware

    Cisco Talos has partnered with Dutch authorities to obtain and release a decryptor for the newest variant of Babuk ransomware, dubbed Tortilla, following the arrest of the ransomware’s developer. The decryption tool is now available for free on Avast’s website.
  2. Microsoft Patches Critical Vulnerabilities in Hyper-V and Kerberos

    In the first Patch Tuesday of 2024, Microsoft patched two critical vulnerabilities, one in Kerberos and one in Hyper-V. The Kerberos vulnerability (CVE-2024-20674) is a flaw in an authentication feature that allows a security bypass; however, exploiting it requires a previously compromised network, as it is a machine-in-the-middle (MITM) attack. The Hyper-V vulnerability (CVE-2024-20700) is a race condition that allows remote code execution on successful exploitation.
  3. New Information on the Delivery of Stuxnet Uncovered

    New information on Stuxnet, perhaps one of the most infamous cyberattacks in history, has been uncovered. It is alleged that the malware was delivered to its intended recipient via a Dutch intelligence agent, who planted it in water pumps connected to the Iranian nuclear power plant, which then moved laterally and executed, damaging the nuclear centrifuges. The alleged Dutch intelligence agent, Van Sabben, passed away in a motorcycle accident two weeks after the attack.
  4. Black Basta Leverages New Pikabot Malware in Infections

    A Black Basta ransomware affiliate has been observed using a new loader malware in place of the more common QakBot. Pikabot has been seen in use since the last quarter of 2023 as a replacement for QakBot, following QakBot's takedown by law enforcement. Pikabot is typically delivered via phishing and employs email thread-hijacking techniques to evade typical signature-based detection.
  5. Threat Actors Pose as Security Researchers to Distribute Ransomware

    Researchers at Arctic Wolf have published information on two ransomware deployments in which they observed affiliates of the Akira and Royal ransomware gangs posing as security researchers. These actors were then given access to perform their supposed work, which they used to ransom and extort victims, asking for 5 Bitcoin worth over $200,000 at the time of writing.
  6. Zero-Day in Ivanti VPN Exploited in the Wild

    Threat actors are actively targeting two zero-day vulnerabilities in Ivanti VPNs to gain network access. These vulnerabilities are present in Ivanti Connect Secure, which has had similar zero-day vulnerabilities in the past. These vulnerabilities (CVE-2023-46805, CVE-2024-21887) allow for authentication bypass and remote code execution, respectively, giving attackers complete control over vital network infrastructure and an entry point into impacted networks.
  7. Malicious Usage of GitHub Continues to Grow

    Researchers at Recorded Future report that the use of GitHub for cybercrime has continued to rise over the past year. GitHub provides several functions that are useful to threat actors, and its widespread use makes it easy to blend malicious traffic with legitimate traffic. GitHub is being used for dead-drop resolution, command-and-control, and more. This technique has been referred to as LOTS (Living Off Trusted Sites), by analogy with LOLBAS (Living Off the Land Binaries and Scripts).
  8. Cisco Unity Vulnerability Allows Threat Actors to Obtain Root Privileges

    Cisco Unity is an instant messaging application for email inboxes, web browsers, and more. Cisco recently patched a critical vulnerability in this software and stated that attackers may be able to gain root access remotely on unpatched systems. This vulnerability (CVE-2024-20272) is an arbitrary file upload flaw in the web-based management interface.
  9. Atomic Stealer Uses Encrypted Payloads to Evade Defenses

    The macOS-specific info-stealer Atomic Stealer has released a new version as of December 2023. This version delivers the malware as an encrypted file, making initial scans by signature-based defense tools ineffective. As with many info-stealers, Atomic is typically delivered through malicious Google Ads posing as legitimate software, in this case Slack.
  10. FBot Hacking Toolkit Targets Cloud Services

    Kingdom Market is a darknet site used for the sale of illegal goods, especially narcotics. German authorities, in collaboration with the US, Switzerland, Moldova, and Ukraine, have taken down this marketplace in an operation that started on December 16th. One of the site’s administrators has been detained on charges of identity theft and money laundering in the US. The rest are still at large; however, server infrastructure has been seized.
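The LOTS pattern described in item 7 is hard to block at the network edge because GitHub traffic is expected on most corporate networks. What a defender can do is baseline which processes and hosts talk to GitHub content domains and look for the two signals a dead-drop or C2 channel leaves behind: an unexpected client process (an Office application or a LOLBin rather than a developer tool) and repeated fetches of the same object at regular intervals. The script below is an added example written for this digest, not code from Recorded Future or Novacoast. The log format, the sample log lines, the host and repository names, and the allowlist of developer processes are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real data). The field layout
# (timestamp, source host, client process, method, URL) is an assumption.
SAMPLE_LOG = """\
2024-01-12T09:00:00Z ws-dev-01 git.exe GET https://github.com/acme-corp/backend.git/info/refs
2024-01-12T09:05:00Z ws-fin-07 winword.exe GET https://raw.githubusercontent.com/zz-drop/cfg/main/stage2.txt
2024-01-12T09:10:00Z ws-fin-07 winword.exe GET https://raw.githubusercontent.com/zz-drop/cfg/main/stage2.txt
2024-01-12T09:15:00Z ws-fin-07 winword.exe GET https://raw.githubusercontent.com/zz-drop/cfg/main/stage2.txt
2024-01-12T09:20:00Z ws-fin-07 winword.exe GET https://raw.githubusercontent.com/zz-drop/cfg/main/stage2.txt
2024-01-12T09:30:00Z ws-dev-02 Code.exe GET https://api.github.com/repos/acme-corp/backend/pulls
2024-01-12T10:00:00Z ws-hr-03 rundll32.exe GET https://gist.githubusercontent.com/anon/abc123/raw/notes.txt
"""

# GitHub-operated hostnames that serve user-controlled content.
GITHUB_DOMAINS = {
    "github.com", "api.github.com", "raw.githubusercontent.com",
    "gist.githubusercontent.com", "objects.githubusercontent.com",
}
# Client processes expected to talk to GitHub in this (assumed) environment.
ALLOWED_PROCESSES = {"git.exe", "gh.exe", "code.exe", "devenv.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["domain"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def regular_intervals(times, min_count=4, tolerance=0.1):
    """True when there are at least min_count requests whose gaps vary by
    no more than tolerance * mean gap, i.e. a beacon-like fetch cadence."""
    if len(times) < min_count:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    return pstdev(gaps) <= tolerance * mean


def analyze(log_text):
    """Return a list of findings for GitHub traffic that does not look like developer use."""
    by_host_proc = defaultdict(list)  # (host, process) -> records
    by_host_url = defaultdict(list)   # (host, url) -> request timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["domain"] not in GITHUB_DOMAINS:
            continue
        by_host_proc[(rec["host"], rec["proc"])].append(rec)
        by_host_url[(rec["host"], rec["url"])].append(rec["ts"])

    findings = []
    for (host, proc), recs in by_host_proc.items():
        if proc.lower() not in ALLOWED_PROCESSES:
            findings.append({"host": host, "process": proc,
                             "reason": "unexpected-process", "count": len(recs)})
    for (host, url), times in by_host_url.items():
        if regular_intervals(times):
            findings.append({"host": host, "url": url,
                             "reason": "regular-interval", "count": len(times)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the embedded sample, the script reports ws-fin-07 twice (an Office process fetching a raw file, and doing so every five minutes) and ws-hr-03 once (rundll32 pulling a gist), while the two developer workstations produce no findings. In production the allowlist should be derived from the organisation's own baseline rather than typed in, and the interval check should be run over a longer window so that a slow beacon is not missed.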
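Item 9 notes that delivering the Atomic Stealer payload as an encrypted file defeats initial signature scanning. A defender cannot write a signature for ciphertext, but can detect that a download is opaque and route it to detonation or unpacking instead of trusting a clean scan result. The triage routine below is an added example for this digest, not code from Novacoast or from any vendor: it measures Shannon entropy (plain text and code sit around 4-5 bits per byte, compressed or encrypted data near 8) and checks for a recognisable file header. The 7.2 threshold, the small magic table, and the three constructed sample blobs are assumptions for the example.

```python
import hashlib
import math
from collections import Counter

# A small subset of file-type magics, assumed for this example.
KNOWN_MAGIC = {
    b"\xcf\xfa\xed\xfe": "mach-o-64",
    b"\xca\xfe\xba\xbe": "mach-o-fat",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
# Bits per byte above which content is treated as compressed or encrypted (assumed cut-off).
HIGH_ENTROPY = 7.2


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data):
    """Return the file type name whose magic the data starts with, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage(data):
    """Classify a downloaded blob and return (verdict, entropy, filetype).

    'scan'     : normal entropy, a signature scan is meaningful
    'unpack'   : known container whose body is high-entropy, extract then scan
    'detonate' : no recognisable header and high entropy, treat as opaque
                 (encrypted or packed) and send to a sandbox, not a scanner
    """
    ent = shannon_entropy(data)
    ftype = identify_magic(data)
    if ent < HIGH_ENTROPY:
        return ("scan", ent, ftype)
    if ftype is not None:
        return ("unpack", ent, ftype)
    return ("detonate", ent, ftype)


def pseudo_random_bytes(seed, length):
    """Deterministic high-entropy filler (SHA-256 chain) so the sample runs the same everywhere."""
    out = bytearray()
    block = seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample downloads (not real files).
SAMPLES = {
    # Plain text: low entropy, scanners can read it.
    "readme.txt": b"Slack for macOS - installation notes\n" * 40,
    # ZIP header followed by a high-entropy body: a container to unpack first.
    "installer.zip": b"PK\x03\x04" + pseudo_random_bytes("installer", 4096),
    # Two leading null bytes (matching no magic above) then ciphertext-like data.
    "update.bin": b"\x00\x00" + pseudo_random_bytes("update", 4096),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, ent, ftype = triage(blob)
        print(f"{name:14s} entropy={ent:.2f} type={ftype} -> {verdict}")
```

The point of the three verdicts is that a clean signature-scan result on an opaque blob carries no information; the control that should fire for the encrypted Atomic delivery is the 'detonate' path, not the scanner. Entropy alone also flags legitimate compressed installers, which is why the container check is needed to avoid drowning the sandbox queue in ordinary archives.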