- Mycomputerspot Security Newsletter
Today’s Cybersecurity Threats and Trends - 10/14/2024
OilRig targets oil rigs and APT activities are increasing dramatically.
1. GitHub, Telegram Bots, and QR Code Scams Converge
Primary Threat: A new malware campaign has emerged, utilizing a combination of GitHub repositories, Telegram bots, and malicious QR codes to target users with tax extension phishing scams. According to Cofense security research, this campaign tricks victims into scanning QR codes that lead to malicious GitHub pages, which deploy malware via Telegram bot interactions. The combination of legitimate-looking platforms with social engineering tactics makes this threat particularly dangerous.
MITRE Tactics: Initial Access, Execution, Collection
Risk: Medium – Potential for identity theft and unauthorized access to sensitive financial data.
2. OilRig Exploits Windows Kernel Flaw
Primary Threat: APT34 (aka OilRig) is exploiting a previously unknown Windows kernel vulnerability as part of an espionage campaign targeting Gulf-region organizations. As detailed in APT34's MITRE profile and Trend Micro's research, this advanced persistent threat group uses sophisticated tactics to infiltrate networks and gain access to highly sensitive data. This campaign underscores the growing risks of zero-day vulnerabilities in critical infrastructure.
MITRE Tactics: Privilege Escalation, Persistence, Collection
Risk: High – Exploitation of critical vulnerabilities can lead to major espionage and operational disruptions.
Did you know...?
In 2013, Target suffered one of the most notorious supply chain attacks in history, resulting in the breach of over 40 million credit and debit card records. The attackers infiltrated Target's network by compromising a third-party HVAC vendor, gaining access to the retailer's point-of-sale (POS) systems. Once inside, they deployed malware that harvested customers' payment card information as it was swiped at registers across the U.S. This breach highlighted the critical need for organizations to secure not only their own networks but also those of their vendors. It also underscored how even small vulnerabilities in the supply chain can lead to massive breaches.
3. Supply Chain Attack Trojanizes CLI Commands
Primary Threat: A new supply chain attack technique has been discovered, allowing attackers to trojanize Command Line Interface (CLI) commands, effectively embedding malicious payloads into development environments. The Checkmarx report warns that this technique exploits developers' reliance on trusted CLI tools, making it difficult to detect without proper security measures.
MITRE Tactics: Execution, Persistence
Risk: High – Trojanized development tools can lead to compromised software development pipelines and widespread infections.
4. Nation-State Attackers Exploiting Zero-Days in Ivanti CSA
Primary Threat: A suspected nation-state actor is leveraging zero-day vulnerabilities in Ivanti’s Cloud Services Appliance (CSA) to carry out highly targeted attacks. FortiLabs Threat Research reveals that these attackers are exploiting these flaws to gain access to sensitive systems and remain undetected for extended periods.
MITRE Tactics: Initial Access, Persistence, Command and Control
Risk: High – Unpatched vulnerabilities in critical infrastructure tools can lead to prolonged, stealthy intrusions.
5. Threat Actors Abuse F5 BIG-IP Persistence Cookies
Primary Threat: CISA has issued a warning about threat actors abusing F5 BIG-IP persistence cookies to map internal servers. According to CISA's security bulletin, attackers can use these cookies to gather internal network information, which can be exploited to escalate privileges or launch further attacks.
MITRE Tactics: Discovery, Collection
Risk: Medium – Abusing persistence cookies can allow attackers to map internal infrastructures, potentially leading to more severe exploits.
IN SUMMARY:
Today's roundup highlights the growing complexity of cyber threats, from clever QR code malware campaigns targeting tax filers to advanced APT operations exploiting kernel vulnerabilities.
Attackers continue to innovate, whether it’s Trojanizing CLI tools or exploiting zero-day flaws in Ivanti’s CSA. Meanwhile, nation-state actors remain relentless, leveraging every possible flaw to infiltrate critical infrastructure.
The lesson? Stay vigilant, keep systems patched, and remember—any crack in your defenses is an invitation for exploitation.
As always - “It's better to be paranoid than pwnd.”
J.W.