December 2024 Novel Threat Tactics, Notable Vulnerabilities, and Current Trends

Every month, the Pondurance research team hosts a webinar to keep clients current on the state of cybersecurity. In November, the team discussed notable vulnerabilities and trends, security operations center (SOC) updates, and SOC engineering insights.

Vulnerabilities and trends

In the recent webinar, the team reviewed notable vulnerabilities from October. Approximately 2,800 new vulnerabilities were disclosed, which is normal for 2024 and will average out at approximately 3,000 new vulnerabilities per month for the year. Thirty-five of those 2,800 vulnerabilities were high risk, a record number compared to the 14 high-risk vulnerabilities usually seen per month. Thirteen of those 35 were known to be actively exploited in the wild, impacting Microsoft Windows, Zimbra, Qualcomm, Cisco, Ivanti, Mozilla, Grafana, ONS Spectra, and Samsung. In addition, eight vulnerabilities have known proof-of-concept codes available on the internet, raising the chances of exploitation by threat actors.

In October, 118 vulnerabilities were addressed during Microsoft Patch Tuesday. Among those 118, five were zero-day vulnerabilities, including a Windows MSHTML platform spoofing vulnerability (CVE-2024-43573), a remote code execution vulnerability (CVE-2024-43572) on the Microsoft Management Console, a remote code execution vulnerability (CVE-2024-6197) on libcurl, a security feature bypass vulnerability (CVE-2024-20659) on Hyper-V, and a privilege elevation vulnerability (CVE-2024-43583) on Winlogon. 

Our team provided an in-depth analysis of two specific exploitations that occurred in October:

• The Cisco ASA vulnerability (CVE-2024-20481) is a denial-of-service condition that impacts the adaptive security appliance (ASA) software. In this attack, a remote, unauthenticated threat actor overwhelms the device with virtual private network authentication requests, causing resource exhaustion and device shutdown. The vulnerability is part of a larger brute-force attack campaign that also targets Check Point, Fortinet, and SonicWall. The Cisco security advisory from Oct. 23 also addressed 50 additional vulnerabilities. Three of the most critical ones included a root access via SSH vulnerability (CVE-2024-20329) that impacted Cisco ASA and two remote code access and unauthorized access vulnerabilities (CVE-2024-20424 and CVE-2024-20412) that impacted Firepower Management Console. Clients should apply patches and focus on perimeter devices to secure their networks.

• The Ivanti cloud services appliance vulnerability is a combination of three vulnerabilities: a SQL injection vulnerability (CVE-2024-9379), a command injection vulnerability (CVE-2024-9380), and a path traversal vulnerability (CVE-2024-9381) that is not believed to be actively exploited. Some attacks also incorporated a fourth Ivanti vulnerability that was patched in August. Together, these vulnerabilities allow the threat actor to bypass access controls. Then, the threat actor can attain administrator-level privileges and run a SQL code on the system that can lead to a remote code execution situation. The security advisory on these vulnerabilities pointed out that the cloud service appliance version 4.6 is at its end of life, so the team recommends that clients running that version upgrade to version 5.0.2. 

In November, Microsoft reported and addressed 89 vulnerabilities during Microsoft Patch Tuesday. Among those 89, five were considered critical. Of those critical vulnerabilities, four were zero-day vulnerabilities and two were known to be actively exploited. To reduce the likelihood of a cyberattack, the team highly recommends that clients apply the Microsoft patches as they are released. 

SOC updates

Recent cybersecurity trends that the SOC team observed in October were also discussed. 

Credential stuffing attacks. These attacks are trending up slightly, as the team is starting to see more true positive types of credential stuffing attacks. Okta and Microsoft 365 have built-in protections against credential stuffing attacks. Okta uses adaptive multifactor authentication (MFA) with behavioral detection and dynamic zones, and Microsoft 365 has a similar feature under Azure Active Directory Identity Protection.

Ransomware. These attacks are still trending steady as the most prevalent threat seen by the SOC. The team is seeing manual versus automated deployment of ransomware.

Social engineering help desk calls. These attacks are finally trending down. However, the team expects the shift in focus to move elsewhere, possibly to holiday phishing emails. 

Phishing emails. These attacks, especially adversary-in-the-middle attacks, are trending steady with the vast majority linking to credential harvesting web pages. The use of artificial intelligence services, such as ChatGPT, is making phishing emails harder to detect due to more convincing language and correct grammar. To stay protected against phishing threats, the team recommends enabling MFA — though threat actors are finding ways to bypass MFA — and offering user awareness training to stay protected during the holiday season and year-round.

SOC engineering insights

Our discussion also covered recent attack trends that the SOC engineering team recently detected.

Threats actors are employing infrequently used apps available in the Microsoft Store, such as eM Client. The team recommends blocking such apps in the app store and also has compiled a list of malicious apps that it has detected. The new trend with these apps is that the threat actor compromises an account; then, when someone dumps or exfiltrates an email, the threat actor uses it for a business email compromise (BEC) attack or ransomware incident. 

In addition, threat actors have recently put a new twist on the attack method for BECs. Typically, the team sees inbox forwarding rules that place files in specific folders. Now, the team is seeing an inbox rule that moves conversation pieces to a previously deleted email. As an example, the Senior Manager of SOC Engineering showed how threat actors compromised a live.com email address by blocking the sender of an email thread so that the sender could not send follow-up emails. The threat actors put their own emails in the trusted recipients list, made a copy of the email thread, and sent it from a different address, hoping the recipient was accustomed to chatting on that thread and wouldn’t question it. Fortunately, the team has rules in place and analysts looking for this behavior to protect clients from harm.

From late October through November, four different types of malware communications have been trending up:

• Adload. This malicious adware targets Mac devices and tends to require higher-level privileges. It allows a proxying connection that can be used to install malware and other malvertising activities, is known to impersonate legitimate apps, and may drop an additional payload from Update, Trojan, or Variance. Organizations that have seen Adload should investigate to make sure their systems are malware-free.

• Shlayer. This malware comes across via malware advertising campaigns and installs unauthorized packages via Python and bash scripts on Mac OS X. It uses the scripts to mount the DMG files — disk images that allow Mac OS X to install packages on the operating system — making it a typical dropper. These droppers can be used for ransomware, but most of the time, they are pay-to-play or pay-for-install activities.

• Lu0bot. This Node.js infection, which takes place on web servers, presents malware to another downloader for the victim on the other end. The attack often comes from a trusted source that has been compromised.

• SocGholish. This antivirus update-type presentation is a heavy hitter. SocGholish is known for its drive-by download that poses as a software update, though it does sometimes come across as a phishing attack. The attack uses JavaScript, and if the JavaScript unsuccessfully tries to phone home, it tends to be loud and noisy. Network sensor clients, in particular, will see an accompanying SSL connection go out from the infected host.

The Pondurance research team also discussed the importance of tuning to maximize the effectiveness of our services, specifically emphasizing that clients experiencing a ticket that appears to be a false positive should reach out to us with detailed information about the issue. The team can tune out a specific case and any repeated activity and, as a security partner, make recommendations. Also, as always, the team stressed the importance of disclosing crown jewels, such as hosts, IP addresses, VIP lists, and honey tokens. 

Learn more

To stay informed about the evolving threat landscape and enhance your cybersecurity measures, we encourage you to follow us on Linkedin, X, and Bluesky. For further insights into our industry-leading risk-based Pondurance MDR service, please check out our blogs. To schedule a demo with one of our cybersecurity experts, check out the button below to request a demo.