Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-04-19
Security_Risks_in_OpenMetadata
LOW

Intel Source:
SOC Radar
Intel Name:
Security_Risks_in_OpenMetadata
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Researchers from Microsoft have discovered critical vulnerabilities in the OpenMetadata platform, an open-source system for managing metadata across data sources. The vulnerabilities affect OpenMetadata versions earlier than 1.3.1 and can allow attackers to bypass authentication and achieve remote code execution (RCE); they have been exploited against exposed Kubernetes workloads to deploy cryptominers.


Source:
https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/

2024-04-19
Threat_Landscape_Update_Exploits_and_Breaches
LOW

Intel Source:
picussecurity
Intel Name:
Threat_Landscape_Update_Exploits_and_Breaches
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Picus Security's April 19 threat roundup covers critical vulnerabilities exploited by threat actors, such as the PAN-OS command injection flaw and the PuTTY SSH client vulnerability, alongside targeted activity by groups such as IntelBroker and Sandworm.


Source:
https://www.picussecurity.com/resource/blog/april-19-top-threat-actors-malware-vulnerabilities-and-exploits

2024-04-19
Malicious_Attack_Targeting_Defense_Forces_of_Ukraine
MEDIUM

Intel Source:
CERT-UA
Intel Name:
Malicious_Attack_Targeting_Defense_Forces_of_Ukraine
Date of Scan:
2024-04-19
Impact:
MEDIUM
Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) has issued an urgent alert about a targeted cyber attack on a computer belonging to the Defense Forces of Ukraine. The attack involves the distribution of a malicious file named "Support.rar" via the Signal messenger, under the guise of document submission for UN Peace Support Operations. The archive contains an exploit for the WinRAR vulnerability CVE-2023-38831 (fixed in WinRAR 6.23), which causes a script placed in a same-named folder to run when the user opens a benign-looking file in the archive. Upon successful exploitation, a CMD file is executed, initiating the PowerShell scripts associated with the COOKBOX malware.


Source:
https://cert.gov.ua/article/6278620
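The CVE-2023-38831 lure layout described above (a decoy document next to a same-named folder, with a trailing space, that holds a script) is easy to flag before a user ever opens the archive. The following check is an added example for this page, not CERT-UA's or Securonix's code, and it inspects ZIP containers only; the "Support.rar" sample itself is a RAR archive, and applying the same check to RAR would require a RAR parser, which is assumed out of scope here. The sample archives are constructed inline and are not real malware.

```python
"""Added example: flag ZIP archives laid out like CVE-2023-38831 lures."""
import io
import zipfile

# Script/executable extensions WinRAR would launch in place of the decoy.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".com"}


def find_winrar_lure_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, payload) pairs matching the CVE-2023-38831 pattern.

    The public exploit pattern is a file "X.pdf" plus a directory "X.pdf "
    (same name with trailing whitespace) containing an executable such as
    "X.pdf .cmd". Vulnerable WinRAR (< 6.23) runs the payload when the user
    double-clicks the decoy.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    file_entries = {n for n in names if not n.endswith("/")}
    findings = []
    for name in file_entries:
        folder, _, leaf = name.rpartition("/")
        if not folder or folder == folder.rstrip():
            continue  # no parent folder, or folder has no trailing whitespace
        decoy = folder.rstrip()
        if decoy not in file_entries:
            continue  # folder name does not collide with a sibling file
        leaf_lower = leaf.lower().rstrip()
        ext = "." + leaf_lower.rsplit(".", 1)[-1] if "." in leaf_lower else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((decoy, name))
    return sorted(findings)


def build_sample_lure() -> bytes:
    """Constructed sample with the lure layout (harmless placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Support.pdf", b"%PDF-1.4 decoy\n")
        # Directory "Support.pdf " (trailing space) holding a .cmd payload.
        zf.writestr("Support.pdf /Support.pdf .cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: a script in a normally named folder is not flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("scripts/setup.cmd", b"@echo off\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("lure   :", find_winrar_lure_entries(build_sample_lure()))
    print("benign :", find_winrar_lure_entries(build_benign_archive()))
```

The check keys on the name collision between a file and a whitespace-suffixed folder rather than on specific payload names, so it also catches variants that swap the decoy extension or the script type.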

2024-04-19
Unveiling_Ghost_Locker_2
LOW

Intel Source:
Seqrite
Intel Name:
Unveiling_Ghost_Locker_2
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Seqrite researchers have discovered two versions of the Ghost Locker ransomware during their threat hunting activities. The initial variant, written in Python, achieves persistence by copying itself to the Windows Startup directory and uses AES encryption to lock files. This variant communicates with a C2 server to deliver ransom demands and exfiltrate data. The subsequent variant, developed mostly in Golang, mirrors the behaviour of the first but differs in its C2 server interactions and operational procedures. It also incorporates detection-evasion mechanisms and selects files for encryption and exfiltration more carefully.


Source:
https://www.seqrite.com/blog/ghost-locker-2-0-the-evolving-threat-of-ransomware-as-a-service-unveiled-by-ghostsec/

2024-04-19
The_CVE_2024_31497_PuTTY_vulnerability
LOW

Intel Source:
Stairwell
Intel Name:
The_CVE_2024_31497_PuTTY_vulnerability
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
In the Stairwell blog, the analysts discuss CVE-2024-31497, a vulnerability in PuTTY's SSH code found by researchers at Ruhr University Bochum. PuTTY generates biased ECDSA nonces for NIST P-521 keys, so an attacker who collects roughly 60 signatures made with such a key (for example from signed Git commits or from a compromised server the key authenticated to) can recover the private key and use it for key-based authentication elsewhere. The blog provides a list of potentially vulnerable software, known vulnerable file hashes, and a YARA rule for detection, and stresses the importance of quickly addressing supply chain vulnerabilities. The background of the vulnerability is explained, along with potentially vulnerable software not mentioned in the NIST advisory.


Source:
https://stairwell.com/resources/stairwell-threat-report-vulnerable-putty-ssh-libraries-cve-2024-31497/

2024-04-19
Phishing_campaign_attacks_LastPass_users
LOW

Intel Source:
Ars Technica
Intel Name:
Phishing_campaign_attacks_LastPass_users
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
The article discusses a recent phishing attack targeting users of the LastPass password manager. The attack used a sophisticated phishing-as-a-service kit called CryptoChameleon, which provides everything needed to deceive even knowledgeable users into revealing their master passwords. The attackers combined email, SMS, and voice calls to trick victims into handing over their login credentials, and the kit was able to defeat multi-factor authentication. LastPass was only one of many sensitive services targeted by CryptoChameleon. The article also recalls previous attacks on LastPass and offers tips for stopping these scams from succeeding.


Source:
https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/

2024-04-19
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
LOW

Intel Source:
Avast
Intel Name:
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Avast's investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, which relies on fileless malware and multi-layered loaders, shows advanced evasion techniques and intricate C&C communication. The deployment of the Kaolin RAT underlines the group's focus on persistent control and data theft.


Source:
https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams

2024-04-19
Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall
LOW

Intel Source:
NSFOCUS
Intel Name:
Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
NSFOCUS CERT has reported a critical command injection vulnerability (CVE-2024-3400) in the GlobalProtect feature of Palo Alto Networks' PAN-OS firewall operating system. Unauthenticated attackers can exploit this flaw to execute arbitrary code with root privileges on affected firewalls. Palo Alto Networks has released security updates addressing the vulnerability; a PoC is already public and the flaw is being actively exploited. The CVSS score of 10.0 underscores the severity of the issue. Users are urged to upgrade to patched versions immediately.


Source:
https://nsfocusglobal.com/palo-alto-networks-pan-os-command-injection-vulnerability-cve-2024-3400/

2024-04-18
The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus
MEDIUM

Intel Source:
Cisco Talos
Intel Name:
The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus
Date of Scan:
2024-04-18
Impact:
MEDIUM
Summary:
Cisco Talos recently discovered documents containing sensitive information from Ukraine that had been uploaded to VirusTotal. The documents carried malicious VBA code, indicating they could be used to infect organizations. The virus, OfflRouter, has been known in Ukraine since 2015 and is still active on some Ukrainian organizations' networks, judging by the more than 100 original infected documents uploaded to VirusTotal from Ukraine and their upload dates.


Source:
https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/

2024-04-18
Analysis_of_Pupy_RAT
LOW

Intel Source:
ASEC
Intel Name:
Analysis_of_Pupy_RAT
Date of Scan:
2024-04-18
Impact:
LOW
Summary:
ASEC researchers report that many threat actors are using Pupy RAT, an open-source, cross-platform remote access trojan written in Python. Pupy RAT lets them control compromised machines remotely, steal data, and escalate their control over the system. It is no longer used only against Windows hosts; it is also being deployed against Linux systems, notably in countries such as South Korea.


Source:
https://asec.ahnlab.com/en/64258/

 

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries in the Sigma format, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
  • Blog
    Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
  • Blog
    Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor

Threat Labs Archives

  • Threat Research