
Cyber Threat Download™: A monthly threat intelligence newsletter from Pondurance

Pondurance
February 22, 2021

Welcome to the first edition of the new Cyber Threat Download™ newsletter from Pondurance. Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management and compliance share their insights with the cybersecurity community so that our customers and partners stay on top of recent threat trends and know how to keep those threats from causing harm to their organizations. Please feel free to share this with colleagues and other interested parties on social media.


Threat trends


Our team has noted certain trends in recent attacks aimed at intrusion, operational disruption or financial harm to organizations. The following three trends are notable not because they are new, but because all of them are increasing in frequency, presumably because they continue to prove successful for malicious actors.


Phishing emails. These attacks are trending up, including emails with links or attachments and emails where the attacker masquerades as a known user. The vast majority of phishing emails link to credential harvesting webpages. To reduce the risk of phishing threats, the team recommends enabling MFA — though threat actors are finding ways to bypass it — and offering user awareness training.


Credential stuffing attacks. These attacks, also known as password sprays, are trending up. Okta and Microsoft 365 have built-in protections against credential stuffing attacks. Okta uses adaptive MFA with behavioral detection and dynamic zones, and Microsoft 365 has a similar feature under Azure Active Directory Identity Protection.


Ransomware. No surprise, these attacks are still the most prevalent threat on the internet. The team is seeing manual deployment of ransomware where the threat actor has to break into the network and stage, deploy, and execute the ransomware. 


Interestingly, social engineering-type attacks have been trending down to nearly zero. The reason for this isn’t clear, although it may be due to more consistent use of end user security awareness training as well as increased adoption of multi-factor authentication by user organizations.


Incident response learnings


A recent intrusion that used a targeted phishing campaign as the initial threat vector provides a case example of how a malicious actor can execute an account takeover in order to gain remote monitoring access to network devices. The actors leveraged malicious domain registrations, including foreign domains, and local account creations to gain access to a ScreenConnect remote monitoring and management console.


To execute such an attack, the threat actor sends the user a phishing email with a link that enables the threat actor to gain access to the environment via a credential harvesting attack. The user is then presented with a fake login page for a ScreenConnect instance. Once the user provides a username, password, and sometimes multifactor authentication (MFA) information, the threat actor gains access to the account for the duration of that session token’s life cycle. Now, having access to the console, the threat actor is able to create a new user and potentially delegate administrative privileges, even if the new user’s email address is not valid. From there, using a ScreenConnect or ConnectWise Control agent, the threat actor can remotely monitor and control any of the devices that the console is monitoring.


To protect against such attacks, several recommendations were made:


  • Monitor authentication and audit logs for your ScreenConnect console and all remote monitoring and management consoles

  • Implement regular auditing of these accounts, and alerting on new users or logins

  • Implement MFA for all accounts, though MFA does not completely mitigate the risk

  • Maintain visibility into the accounts within your administrative consoles, so your team can immediately detect and act on any phishing email intended for continued malicious access to the console 

  • Train users on the elevated risk of this type of attack
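The first two recommendations above can be turned into detection logic. The following is an added example, not code from the newsletter or from ScreenConnect: it reads a small, constructed audit log for a remote-management console (the JSON field names, the sample events, the organization’s mail domain and the baseline list of known accounts are all assumptions made for this example; a real console exports its own schema) and reports the signals the case above describes: account creation, an administrative role granted to a just-created account, logins by accounts outside the baseline or outside the organization’s domains, logins without MFA, and a known user logging in from a new source address.

```python
"""Audit a remote-management console log for account-takeover signals.

Added example (not from the Pondurance newsletter or from ScreenConnect).
Log format, sample events, ORG_DOMAINS and KNOWN_USERS are constructed
assumptions for this example.
"""
from collections import Counter
import json

# Constructed sample audit log: one JSON object per line, oldest first.
SAMPLE_LOG = """
{"ts":"2025-01-06T08:02:11Z","event":"login","user":"jdoe@example.com","src_ip":"203.0.113.10","mfa":true}
{"ts":"2025-01-06T08:15:40Z","event":"login","user":"jdoe@example.com","src_ip":"198.51.100.7","mfa":true}
{"ts":"2025-01-06T08:16:02Z","event":"user_created","actor":"jdoe@example.com","user":"svc-helpdesk@example-support.net","src_ip":"198.51.100.7"}
{"ts":"2025-01-06T08:16:30Z","event":"role_granted","actor":"jdoe@example.com","user":"svc-helpdesk@example-support.net","role":"Administrator","src_ip":"198.51.100.7"}
{"ts":"2025-01-06T08:20:05Z","event":"login","user":"svc-helpdesk@example-support.net","src_ip":"198.51.100.7","mfa":false}
{"ts":"2025-01-06T09:00:00Z","event":"login","user":"asmith@example.com","src_ip":"203.0.113.10","mfa":true}
""".strip()

# Assumptions: the organization's own mail domains, the accounts the admin
# team already knows about (the baseline), and the roles that count as admin.
ORG_DOMAINS = {"example.com"}
KNOWN_USERS = {"jdoe@example.com", "asmith@example.com"}
ADMIN_ROLES = {"Administrator"}


def parse_log(text):
    """Parse newline-delimited JSON audit events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def audit_console_events(events, known_users=KNOWN_USERS, org_domains=ORG_DOMAINS):
    """Return a list of (severity, reason, event) findings.

    Signals checked, following the recommendations above:
      * every console account creation is reported; an account outside the
        organization's domains is escalated (the case above used
        attacker-registered domains);
      * an admin role granted to an account created in the same log window,
        or to an external account, is escalated;
      * logins by accounts not in the baseline, or without MFA, are reported;
      * a known user logging in from a source address not seen earlier in
        the log is reported at low severity (possible stolen session).
    """
    findings = []
    created_here = set()
    seen_ips = {}  # user -> set of source addresses seen so far
    for ev in events:
        kind = ev.get("event")
        user = ev.get("user", "")
        domain = user.rpartition("@")[2].lower()
        external = domain not in org_domains
        if kind == "user_created":
            created_here.add(user)
            sev = "high" if external else "medium"
            findings.append((sev, f"new console user created: {user} by {ev.get('actor')}", ev))
        elif kind == "role_granted" and ev.get("role") in ADMIN_ROLES:
            sev = "high" if user in created_here or external else "medium"
            findings.append((sev, f"admin role granted to {user}", ev))
        elif kind == "login":
            src = ev.get("src_ip", "")
            if user not in known_users:
                sev = "high" if external else "medium"
                findings.append((sev, f"login by account outside baseline: {user}", ev))
            elif seen_ips.get(user) and src not in seen_ips[user]:
                findings.append(("low", f"known user {user} logged in from new address {src}", ev))
            if not ev.get("mfa", False):
                findings.append(("medium", f"login without MFA: {user}", ev))
            seen_ips.setdefault(user, set()).add(src)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    found = audit_console_events(parse_log(SAMPLE_LOG))
    for sev, reason, ev in found:
        print(f"[{sev:6}] {ev['ts']} {reason} (src {ev.get('src_ip')})")
    print(summarize(found))
```

The baseline of known accounts is the piece that makes this useful: the check only works if the team maintains the list of accounts that are supposed to exist in the console, which is exactly the visibility the recommendations call for.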


Notable vulnerabilities


As many as 3,400 vulnerabilities were disclosed, and the year closed out with approximately 40,000 new common vulnerabilities and exposures. The large number of disclosed vulnerabilities is attributable to the increased number of products and applications released each year, a greater number of independent researchers looking for vulnerabilities, and more companies performing internal searches for vulnerabilities in their own products. As many as 42 — quite a high number — of the 3,400 disclosed vulnerabilities were high risk, due to either the presence of proof-of-concept code on the internet or an association with previous exploits. Of those 42, three were actively exploited: one Windows vulnerability and two vulnerabilities impacting Cleo file transfer products.


The Cleo file transfer product vulnerabilities illustrate how file transfer products are attractive targets for threat actors because they handle important data. The vulnerabilities allow unauthorized file uploads and downloads that can lead to remote code execution. Indicators that your network may be compromised include transfers to an unusual IP address, presence of a Java-based remote access trojan on the network, evidence that a PowerShell instance is or has been active, presence of a Cobalt Strike beacon, and evidence of a pass-the-hash attack. The CL0P ransomware group released a list of 66 victims, urging the organizations to pay a ransom. Later, Blue Yonder and three other victims were specifically named, most likely due to refusal to pay the ransom demand.


In December, 71 reported vulnerabilities were addressed during Microsoft Patch Tuesday. Among those 71, one was a zero-day vulnerability and 16 were critical vulnerabilities, including one privilege elevation vulnerability in the Windows Common Log File System (CLFS). The other vulnerabilities were all remote code execution vulnerabilities that impacted the Windows Lightweight Directory Access Protocol (LDAP), the Hyper-V virtualization platform, Windows Message Queuing, the Local Security Authority Subsystem Service (LSASS), and Windows Remote Desktop Services.


In January, 159 reported vulnerabilities — the most ever in January — were addressed at the Microsoft Patch Tuesday event. Of those 159, eight were zero-day vulnerabilities and 10 were critical. The zero days included three privilege elevation vulnerabilities in Hyper-V, three remote code execution vulnerabilities in Microsoft Access, a privilege elevation vulnerability in the Windows App Package Installer, and a credential leak vulnerability in Windows Themes. This risk environment highlights just how essential it is for IT and security organizations to have a continuous and robust patching program to address these vulnerabilities.


Deep dive into browser extension security risk


Understanding the security implications of browser extensions is essential for safeguarding sensitive data. Tuning is also crucial to ensure that escalations are relevant for clients: if a client encounters a false positive or prefers not to escalate an alert, it is important to respond to it rather than simply closing it, because that feedback is what enables effective adjustments. Disclosing critical assets, such as hosts, IP addresses, VIP lists, and honey tokens, is significant for the same reason.



Browser extensions, such as password managers and magnifiers, are scripts running inside the browser that have access to nearly everything in the browser, including all tabs, cookies, session IDs, URLs, and scripts. 


Installing browser extensions does not require administrative rights, as browser extensions can be selected directly from the app store. The store scans and checks the browser extensions, but most often, the checks are automated. Once a browser extension has been downloaded and granted access to the network, its developers have ways to bypass further review of updates, making it possible for them to change the entire code base without approval.


When a browser extension is found to be malicious, it is simply removed from the store. But beyond that, the malicious browser extension remains on devices, including any browser extension that is synced from one device to another, until it is uninstalled or disabled by users or IT administrators. Store owners do not have the ability to remove an extension from an organization’s device. 


As an example of a browser extension security incident, data security company Cyberhaven was breached in December when a developer fell victim to a phishing exploit. The developer provided credentials to a threat actor who updated Cyberhaven’s GitHub and pushed out a new version of the browser extension. Cyberhaven noticed the breach within 60 minutes, but within that time, the updated code was used in 33 other browser extensions. Five of those 33 are still available in stores, and no endpoint detection and response solution has ever detected or removed the extensions. Other noteworthy browser extension security incidents include Web Developer (2024), DataSpii (2019), Apple-Safari Pitchofcase (2018), and Particle (YouTube) (2017).


To control browser extensions, organizations should take the following actions:


  • Remove administrative rights from users

  • Prevent users from creating personal profiles in the browsers

  • Use Group Policy Objects to administer user browsers

  • Use the Google admin console for Chrome
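Two of the controls above (administering browsers centrally and using an allowlist rather than trusting store review) can be checked and enforced with a short script. The following is an added example, not code from the newsletter, from Google or from any extension vendor. It reads a Chromium-style profile preferences file, reports extensions that are not on the organization’s approved list or were not installed from the store, shows which of them hold the broad permissions the text describes (tabs, cookies, every URL), and emits the Chrome policy that makes the allowlist authoritative. Assumptions: the preference layout (`extensions` → `settings` → extension ID → `manifest` / `from_webstore`) mirrors Chrome’s `Preferences` file, the extension IDs, names and permissions in the sample are constructed, and the allowlist is a placeholder for the organization’s own reviewed set. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome policy names.

```python
"""Inventory browser extensions against an allowlist and emit the Chrome policy.

Added example (not from the newsletter, Google or any extension vendor).
SAMPLE_PREFERENCES, the extension IDs and ALLOWLIST are constructed; the
preference structure is modelled on Chrome's Preferences file.
"""
import json

# Constructed sample preferences (IDs and names made up for this example).
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "state": 1,
                "manifest": {"name": "Corp Password Manager", "version": "4.2.0",
                             "permissions": ["tabs", "storage", "<all_urls>"]}},
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True, "state": 1,
                "manifest": {"name": "Screen Magnifier", "version": "1.0.3",
                             "permissions": ["activeTab"]}},
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False, "state": 1,
                "manifest": {"name": "Coupon Helper", "version": "9.9.9",
                             "permissions": ["cookies", "webRequest", "<all_urls>"]}},
        }
    }
})

# Permissions that give an extension the reach the text describes
# (every tab, cookie and request in the browser).
BROAD_PERMISSIONS = {"<all_urls>", "cookies", "webRequest", "webRequestBlocking",
                     "tabs", "history", "debugger", "nativeMessaging"}

# Extension IDs the organization has reviewed and approved (assumption).
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}


def inventory_extensions(prefs_text, allowlist=ALLOWLIST):
    """Return one record per installed extension with its risk signals."""
    prefs = json.loads(prefs_text)
    records = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "from_webstore": bool(entry.get("from_webstore", False)),
            "broad_permissions": sorted(perms & BROAD_PERMISSIONS),
            "allowlisted": ext_id in allowlist,
        })
    return records


def flag_extensions(records):
    """Return the records that need action: not on the allowlist, or not
    installed from the store (sideloaded). Broad permissions are carried on
    each record so the reviewer sees the exposure at a glance."""
    return [r for r in records if not r["allowlisted"] or not r["from_webstore"]]


def managed_policy(allowlist=ALLOWLIST):
    """Chrome policy that blocks every extension except the allowlist.
    The blocklist wildcard '*' makes the allowlist authoritative, so a
    removed-from-store extension that is already installed is also disabled."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}


if __name__ == "__main__":
    recs = inventory_extensions(SAMPLE_PREFERENCES)
    for r in flag_extensions(recs):
        print(f"ACTION {r['id']} {r['name']} v{r['version']} "
              f"webstore={r['from_webstore']} broad={r['broad_permissions']}")
    # The policy JSON is what a GPO (Windows registry under
    # HKLM\SOFTWARE\Policies\Google\Chrome) or the Google admin console would
    # push to managed browsers; those locations are real but not from the page.
    print(json.dumps(managed_policy(), indent=2))
```

The allowlist-with-wildcard-blocklist shape matters for the point made earlier about store takedowns: because the policy is evaluated on the endpoint, an extension that the store has removed but that is still installed (or synced in from another device) is disabled as soon as it is no longer on the organization’s list, without waiting for a user to uninstall it.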


Additionally, the concept of chromoting is introduced, a technology where users can control a remote device from within the Chromium browser. Though currently an uncommon attack method, threat actors can use chromoting to remotely connect to browsers and computers. Your organization can protect against chromoting attacks by controlling user access to other computers using Chrome Remote Desktop. Chrome Remote Desktop can be turned on or off in the Google admin console.



About the Pondurance Threat Intelligence Team:


The Pondurance Threat Intelligence Team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our Security Operations Center (SOC), we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
