Weekly Top 10: 9.2.2024: Trend Micro Discovers Cryptojacking Attacks Targeting Atlassian Confluence Servers; Windows Downgrading Tool Publicly Available; BlackByte Ransomware Attacking VMware ESXi Servers, and More.

WEEKLY TOP TEN: September 2, 2024, 16:00 GMT

1. Trend Micro Discovers Cryptojacking Attacks Targeting Atlassian Confluence Servers
   
   Threat researchers at Tend Micro discovered that a critical remote code execution (RCE) vulnerability rated 10/10 by CVSS tracked as CVE-2023-22527 that impacts Atlassian Confluence Data Center and Confluence Server that was discovered in January is still being actively exploited. The attacks that have been discovered are linked to 3 different threat actors all attempting to use this exploit to facilitate their cryptojacking malware. These attacks started ramping up around mid-June. These attacks employed the use of either an ELF binary or shell file that, when executed, will download and launch their XMRig miner to begin their mining activities.
2. CISA Added Apache OFBiz RCE Vulnerability to the Known Exploited Vulnerabilities Catalog
   
   The Google’s Threat Analysis Group (TAG) discovered that the Russian sponsored threat group named APT29(AKA Midnight Blizzard) was conducting a series of attacked between November 2023 and July 2024. Their initial target was the multiple Mongolian government websites, in effort to conduct a watering hole attack by using a malicious Iframe exploiting CVE-2023-41993 to steal IOS WebKit cookies. Later they used one site they compromised to exploit CVE-2024-5274 and CVE-2024-4671 to steal sensitive information from Google Chrome on Android devices.
3. Google’s TAG Discovered a Russian Hacker Group Targeting the Mongolian Government
   
   Mandiant has discovered a memory-only malware dropper. This malware has been seen delivering multiple different MaaS infostealers, such as LUMMAC.v2, SHADOWLADDER, and CRPYTBOT. Initial access is gained by distributing a .LNK file disguised as a movie. These movies are distributed by pirating sites, and once the .LNK is executed, a PowerShell script is run, loading a memory-only javascript dropper. This dropper is obfuscated with ASCII characters. Then another PowerShell command is executed, this time encoded with either Base64 or Hex. These encoded commands download the final payload, which are multiple different MaaS infostealers.
4. Kernal-Mode Malware Driver PoorTry Turned EDR WIper
   
   The Sophos threat team X-Ops released an update on the EDR killer they have been tracking named PoorTry (also known as ‘BurntCigar’) a kernel-mode Windows driver. This driver has been used by multiple ransomware gangs to disable Endpoint and Detection (EDR) solutions. Recently, the malicious driver has evolved into an EDR wiper, making it impossible for defenders to restart or recover the EDR before the ransomware’s encryption phases are complete.
5. Windows Downgrading Tool Publicly Available
   
   Alon Leviev, a security researcher from SafeBreach, released his Windows downgrading tool, which is a Python-based program that can downgrade Windows 10, Windows 11, and Windows Server system components to previously vulnerable versions. He was able to accomplish this is by exploiting the CVE’s CVE-2024-21302 and CVE-2024-38202, with the former being the only one that currently has an available patch.
6. Volt Typhoon Targets Versa Director in Credential Harvesting Attack
   
   Researchers at Lumen’s Black Lotus Labs discovered that Volt Typhoon, a Chinese sponsored hacking group, used a recently discovered vulnerability tracked as CVE-2024-3971. This vulnerability allows users with administrative access to upload malicious Java files disguised as PNG images in the change favicon feature in Versa Director GUI software. Volt Typhoon used this exploit to upload a web shell that was primarily used to harvest credentials and had a feature to use Tomcat webserver to execute Java bytecode.
7. CISA and FBI Warns About Fox Kittens New Ransomware Affiliation
   
   A joint advisory from CISA and the FBI was released detailing the Iranian backed threat group named Fox Kitten has started aiding ransomware groups in addition to their current campaigns. They have done this by selling access to some of the companies to which they have gained initial access, as well as working with ransomware affiliates to encrypt networks and aiding in the ransomware extortion efforts.
8. BlackByte Ransomware Attacking VMware ESXi Servers
   
   Cisco Talos, through recent investigations, has discovered the ransomware group BlackByte has been exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi hypervisors. In addition to exploiting ESXi they have been using their victims already in place remote access tools such as a VPN and using stolen Active Directory credentials to self-propagate their ransomware across the network.
9. New Unicode QR Code Phishing Technique
   
   Researchers from Slashnet recently discovered a new phishing technique named ‘Unicode QR code’. This technique is being used to bypass email security. This is possible due to the threat actor not using image changed QR codes that are routinely scanned by security solutions, they instead form QR codes out of Unicode text characters.
10. SQL Injection Vulnerability Found to Bypass TSA Security Checks
    
    Researchers Ian Carroll and Sam Curry discovered a SQL vulnerability in FlyCASS ‘s login system. FlyCASS is a third-party web application that the TSA uses to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). This system allows anyone added to bypass security screening and then access the cockpits of a commercial airliner. This issue has been since fixed by FlyCASS and was disconnected from the TSA system between the time they were made aware of the vulnerability and the fix was released.