Threat Alerts

Recently, an issue in a content update for the CrowdStrike Falcon sensor affecting Windows operating systems was discovered and quickly resolved. However, this incident has provided cybercriminals with multiple vectors to launch various cyberattacks, exploiting the confusion and urgency created by the update mishap.

Cybercriminals have leveraged the content update issue to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. This archive contains a HijackLoader payload that, upon execution, uses DLL search-order hijacking to load and execute its first-stage payload. HijackLoader, marketed as a private crypting service called ASMCrypt, is a modular multi-stage loader designed to evade detection. Its configuration file provides data that the loader uses to execute the final RemCos payload, which then contacts a command-and-control (C&C) server.

In addition to the ZIP archive, several typosquatting domains impersonating CrowdStrike have been identified. These domains are used to trick users into downloading malicious files or redirect them to scam pages, including those requesting cryptocurrency payments under the pretense of providing a fix for the issue.

The China-based APT41 hacking group has launched a sustained campaign targeting organizations in the shipping, logistics, media, entertainment, technology, and automotive sectors across Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. This campaign, ongoing since 2023, has allowed APT41 to maintain prolonged unauthorized access to victims’ networks, extracting sensitive data over extended periods.

The attack chain involves the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE). APT41 employs these tools to achieve persistence, deliver additional payloads, and exfiltrate data of interest. The DUSTTRAP malware, a multi-stage plugin framework, is particularly noteworthy for its extensive capabilities, including executing shell commands, file system operations, process manipulation, keylogging, and Active Directory modifications.

Further details, as well as YARA rules, can be found in the full report: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust

Cisco has announced a security advisory concerning a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) product. This vulnerability, identified as CVE-2024-20419 (CVSS Score 10), is due to flaws in the authentication system of the software, which is used for managing software licenses and entitlements within enterprise environments.

The vulnerability allows an unauthenticated, remote attacker to change the password of any user, including administrative users, through specially crafted HTTP requests. This exploit is made possible by an improper implementation of the password-change process. Successful exploitation grants the attacker the same privileges as the compromised user, potentially leading to unauthorized access to the web UI or API. Cisco has released software updates to mitigate this risk and strongly recommends users to apply these updates immediately, as there are no known workarounds for this vulnerability​

The Void Banshee APT group has been observed exploiting a critical Windows zero-day vulnerability (CVE-2024-38112, CVSS 7.5) to execute malicious code through the disabled Internet Explorer.

This vulnerability, a Windows MSHTML Platform Spoofing Vulnerability, allows attackers to bypass security measures and deploy the Atlantida info-stealer malware.

The attack chain begins with social engineering tactics, tricking victims into opening zip archives containing malicious files disguised as PDF books. These archives are distributed through cloud-sharing websites, Discord servers, and online libraries.

Once executed, the exploit uses specially crafted .URL files with the MHTML protocol handler and the x-usc! directive to run HTML Application (HTA) files via the disabled Internet Explorer process.

The infection chain progresses through multiple stages, including the execution of various scripts, the LoadToBadXml .NET trojan loader, Donut shellcode, and ultimately the Atlantida stealer. This malware allows attackers to gather system information and steal sensitive data such as passwords and cookies from multiple applications.

A critical security flaw identified as CVE-2024-27348 (CVSS score 9.8) was detected in Apache HugeGraph Server, a service designed for large-scale graph processing, that could lead to remote code execution attacks.

CVE-2024-27348 impacts versions of Apache HugeGraph Server prior to 1.3.0, where attackers can exploit the Gremlin server component to bypass sandbox security measures. The Gremlin query language, which is designed for traversing graph databases, improperly filtered reflection methods allowing the execution of arbitrary code. The vulnerability leverages the scripting capabilities of Gremlin to execute malicious code on the server with the privileges of the HugeGraph application, resulting in unauthorized access and control over the affected server.

If exploited, an attacker could gain full control over an organization’s graph database, leading to data theft, alteration, or even system downtime. It is crucial for organizations using HugeGraph Server to immediately update to the latest version, conduct a security review to ensure they are not vulnerable to similar issues, and continuously monitor for anomalous activities indicative of exploitation attempts.

This week, security researchers observed notable advancements in the operation techniques of FIN7, a prominent cybercrime group known for its financial motivations and sophisticated attacks. The group has added a new method to their repertoire for compromising security systems, primarily focusing on disabling endpoint protection software. Their tool, “AvNeutralizer,” exploits a legitimate Windows driver, ProcLaunchMon.sys, to disrupt the normal functioning of security solutions. By manipulating this driver, which typically has high-level system access, the tool can interfere with the operation of security applications, potentially allowing malicious activities to proceed undetected.

AvNeutralizer’s technique doesn’t directly attack the security software, which would typically raise immediate alarms. Instead, it subtly manipulates system processes to cause the security applications to fail or shut down unexpectedly. This new technique exhibits a high level of technical understanding and a strategic focus on breaching defensive measures.