Weekly Cyber Reports

This Week in Cyber 23rd August 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 22nd August, 2024



Analyst Insight


This week in cyber, the focus is on the increasing sophistication of cyber threats targeting critical infrastructure and popular software platforms. A recent zero-day vulnerability in Cisco switches, CVE-2024-20399, was exploited by a threat group to gain control over systems, demonstrating that the risk persists even in well-defended environments. The attackers moved from Windows systems to network devices, which highlights the evolving strategies threat actors use to evade detection and maintain persistence.

In parallel, a new strain of malware targeting PostgreSQL databases was discovered, repurposing compromised systems for cryptocurrency mining. This development underscores the persistent threat to widely used database management systems. Additionally, high-profile vulnerabilities, such as those in Jenkins and Windows, continue to be leveraged by cybercriminals, emphasising the need for constant vigilance.



Cybercriminals Use Fake Windows Update Screen to Hide Data Theft


According to Sophos X-Ops, Mad Liberator is a new data extortion group that uses social engineering and AnyDesk to extract data from the victim's device. The attack starts with an unsolicited AnyDesk connection request to the victim's computer. Once the connection is accepted, a binary named "Microsoft Windows Update" is delivered to the machine. It displays a fake Windows update screen so the user believes a normal update is in progress, while their data is covertly exfiltrated with AnyDesk's File Transfer tool. The victim's keyboard is also disabled so they cannot exit the fake update screen.

Sophos reports that Mad Liberator did not encrypt any data after exfiltration, but still left ransom notes in the shared network directories.



CISA Issues Warning of Critical Jenkins RCE Vulnerability


Jenkins is an open-source automation server used by many development teams. The vulnerability, tracked as CVE-2024-23897, affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, and has been assigned a CVSS score of 9.8 (Critical) by NIST. Jenkins uses the args4j library to parse command arguments. "This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles)," the Jenkins team explained. This allows attackers to read arbitrary files on the Jenkins controller file system.

Juniper Threat Labs disclosed that the vulnerability has been used in a recent ransomware attack targeting Indian banks. Brontoo Technology Solutions was impacted by a ransomware attack in which CVE-2024-23897 was leveraged to gain initial unauthorised access.
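The first question a defender has after reading the advisory above is which of their controllers fall inside the affected ranges, and the answer depends on whether a given instance runs the weekly line (two-component versions such as 2.441) or the LTS line (three-component versions such as 2.426.2), because each line has its own cut-off. The helper below is an added example, not code from the page or from the Jenkins project; the affected bounds are the ones stated in the section above, the `X-Jenkins` response header it parses is the header Jenkins sends on HTTP responses, and the inventory dictionary is constructed for illustration.

```python
import re

# Last affected versions as stated in the advisory summarised above:
# weekly 2.441 and earlier, LTS 2.426.2 and earlier.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text):
    """Extract the first dotted version from text and return it as an int tuple.

    Accepts a bare version string ("2.426.2") or a raw header line
    ("X-Jenkins: 2.441"), so it works on a captured HTTP response header
    as well as on the output of an inventory script.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_lts(version):
    # Jenkins LTS releases carry three components (2.426.2); weekly releases
    # carry two (2.441). The two lines have separate affected ranges.
    return len(version) == 3


def is_affected(text):
    """True if the Jenkins version found in `text` is inside the affected range."""
    version = parse_version(text)
    bound = LAST_AFFECTED_LTS if is_lts(version) else LAST_AFFECTED_WEEKLY
    # Tuple comparison is component-wise, so 2.427 < 2.441 and 2.426.3 > 2.426.2.
    return version <= bound


def triage(inventory):
    """Map each host in a {host: version_text} dict to True (affected) / False."""
    return {host: is_affected(text) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {
        "ci-weekly-old": "X-Jenkins: 2.440",
        "ci-weekly-new": "X-Jenkins: 2.442",
        "ci-lts-old": "2.426.2",
        "ci-lts-new": "2.426.3",
    }
    for host, affected in triage(sample).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'}")
```

Comparing integer tuples rather than strings avoids the classic mistake of treating "2.441" as greater than "2.426.3" lexically, and keeping the two lines apart avoids flagging a recent LTS such as 2.440.1 just because its second component is below 441.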



Microsoft Patches Zero-Day Vulnerability Used by Lazarus Group


The vulnerability, tracked as CVE-2024-38193 (CVSS 7.8, High) and described as a "Windows Ancillary Function for WinSock Elevation of Privilege Vulnerability", has recently been patched by Microsoft. The zero-day was leveraged by the infamous Lazarus Group and, as Microsoft's MSRC explained, "could allow the attacker to gain SYSTEM privileges." A zero-day is a vulnerability in software or hardware that is unknown to the vendor, which is why threat actors favour them for avoiding detection.



New PostgreSQL Cryptocurrency Mining Malware Discovered


Security researchers at Aqua Nautilus have recently discovered a new malware strain affecting the popular PostgreSQL database management system. The malware brute-forces its way into PostgreSQL databases, delivers payloads to obfuscate itself, and then hijacks computing resources to mine cryptocurrency.

A successful brute force lets the attacker execute commands on the victim's database. "Once accessed, attackers can leverage the 'COPY … FROM PROGRAM' SQL command to execute arbitrary shell commands on the host, allowing them to perform malicious activities such as data theft or deploying malware," said Assaf Morag in an Aqua Security technical report. After this, the attacker creates a new user to maintain persistence in the PostgreSQL database and strips superuser privileges from the default user that was used for initial access. The attacker then deploys the cryptocurrency mining malware on the victim's system.
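Each step in the sequence described above (a burst of failed password attempts, a successful login from the same source, `COPY ... FROM PROGRAM`, a new role granted SUPERUSER, and NOSUPERUSER applied to the original account) leaves a distinct line in PostgreSQL's own server log when `log_connections` is on and `log_statement` covers DDL and COPY. The detector below is an added example, not code from the page or from Aqua Security. It assumes a `log_line_prefix` of `'%m [%p] %u@%d %h '` (timestamp, backend pid, user@database, client host) and runs over constructed sample lines that imitate the described sequence; the hostnames, role names and commands in those lines are illustrative and not from any real incident.

```python
import re
from collections import Counter

# Constructed sample of a PostgreSQL server log with
# log_line_prefix = '%m [%p] %u@%d %h ', log_connections = on, log_statement = 'all'.
# The lines imitate the sequence described in the section above; they are not
# from any real incident. Benign traffic from a second client is mixed in.
SAMPLE_LOG = """\
2024-08-20 10:00:01.001 UTC [4101] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.301 UTC [4102] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.602 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.903 UTC [4104] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.204 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.505 UTC [4106] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:03.010 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
2024-08-20 10:00:04.020 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE pg_maint WITH LOGIN SUPERUSER PASSWORD 'x'
2024-08-20 10:00:05.030 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:05:00.000 UTC [4200] app@inventory 10.0.0.12 LOG:  statement: COPY items FROM '/var/lib/import/items.csv' CSV
2024-08-20 10:05:01.000 UTC [4200] app@inventory 10.0.0.12 LOG:  statement: SELECT count(*) FROM items
"""

# One log record: the prefix fields, then LEVEL:  message.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL = re.compile(r'password authentication failed for user "[^"]+"')
AUTH_OK = re.compile(r"^connection authorized: user=")
# COPY ... FROM/TO PROGRAM runs a shell command as the server's OS user.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.I)
# A role created or altered with SUPERUSER (\bSUPERUSER\b does not match NOSUPERUSER).
SUPERUSER_GRANT = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\s+(?P<role>\S+)\b.*\bSUPERUSER\b", re.I
)
# An existing role stripped of SUPERUSER: the "lock out the original admin" step.
SUPERUSER_REVOKE = re.compile(
    r"\bALTER\s+(?:ROLE|USER)\s+(?P<role>\S+)\b.*\bNOSUPERUSER\b", re.I
)


def parse_line(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, threshold=5):
    """Scan a log and return (rule, host, user, detail) findings in log order."""
    failures = Counter()   # (host, user) -> failed password attempts seen so far
    flagged = set()        # (host, user) pairs that crossed the threshold
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["host"], rec["user"])
        msg = rec["msg"]
        if AUTH_FAIL.search(msg):
            failures[key] += 1
            if failures[key] == threshold:   # report once, when the threshold is hit
                flagged.add(key)
                findings.append(("brute_force", *key, f"{threshold} failed password attempts"))
            continue
        if AUTH_OK.search(msg):
            if key in flagged:               # the guessing worked: highest priority
                findings.append(("brute_force_success", *key, "login succeeded after repeated failures"))
            continue
        if not msg.startswith("statement: "):
            continue
        stmt = msg[len("statement: "):]
        if COPY_PROGRAM.search(stmt):
            findings.append(("copy_from_program", *key, stmt))
        m = SUPERUSER_REVOKE.search(stmt)
        if m:
            findings.append(("superuser_revoked", *key, m.group("role")))
            continue
        m = SUPERUSER_GRANT.search(stmt)
        if m:
            findings.append(("superuser_granted", *key, m.group("role")))
    return findings


if __name__ == "__main__":
    for rule, host, user, detail in analyse(SAMPLE_LOG):
        print(f"{rule:22} {host:14} {user:10} {detail}")
```

The ordinary `COPY items FROM '/var/lib/import/items.csv'` from the application client is deliberately left unflagged: only the `PROGRAM` form executes a shell command, and it requires superuser or membership in `pg_execute_server_program`, so an audit of which roles hold that privilege is the natural companion to this log rule. The threshold and the prefix pattern are the two things to adapt to a real deployment.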



Hackers Exploit Zero-Day Flaw in Cisco Switches to Gain System Control


A sophisticated threat group has been discovered exploiting a zero-day vulnerability in Cisco switches to gain control over systems and evade detection. The flaw, identified as CVE-2024-20399 and now patched, was used by the attackers to deliver custom malware, enabling data exfiltration and persistent access to compromised environments. The vulnerability allowed attackers who already held valid administrator credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system.

The exploitation of this flaw was uncovered by cybersecurity firm Sygnia, which linked it to a broader multi-year campaign targeting dozens of organisations. The attackers demonstrated advanced tradecraft by initially infiltrating Windows systems and then shifting to legacy servers and network devices to avoid detection. Using CVE-2024-20399, they broke into Cisco switch appliances, conducted reconnaissance, and ultimately deployed a backdoor known as VELVETSHELL.
