October 2024 Novel Threat Tactics, Notable Vulnerabilities, and Current Trends
Pondurance
November 22, 2024
Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In October, the team discussed threat intelligence, notable vulnerabilities and trends, security operations center (SOC) updates, and SOC engineering insights.
Threat intelligence
The Senior Incident Response Consultant on the Digital Forensics and Incident Response team explained how threat actors weaponize Scalable Vector Graphics (SVG) files — two-dimensional, XML-based vector images typically used in graphic design — and discussed ways clients can mitigate the risk of attack.
Threat actors can use an SVG file to deliver malware via phishing in two different ways. First, as a JavaScript downloader: the SVG file contains embedded script or URLs that deliver or execute malware or malicious code when the user opens the file in a browser. Second, as an HTML embedded object: the SVG file uses the href or xlink:href attributes defined in the SVG standard to load a remote resource inside the local file or page, presenting a phony login site without showing the real URL to the user. Both are examples of threat actors taking normal, publicly available file types and finding ways to weaponize them to serve their financially motivated goals.
To stay safe, clients can proactively take action to prevent or look out for the weaponization of SVG files. The Senior Incident Response Consultant suggested several actions to mitigate the risk:
Block SVG attachments
Train users to be wary of files that end in .svg (and .htm and .html files too)
Implement branded login screens to help users distinguish a fake login page from a real one
Educate users on the risk of email attachments
Restrict execution of JavaScript within browsers and applications
Keep browsers and other applications up to date
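The two SVG patterns described above (embedded script that runs when the file is opened, and href/xlink:href references that pull in a remote resource) can be triaged statically before an attachment reaches a user. The following is an added example, not Pondurance code: a small Python scanner that parses an SVG, reports active content, inline event handlers and remote or javascript:/data: hrefs, and a policy function that applies the "block .svg, .htm and .html attachments" guidance first and falls back to content scanning for other extensions. The sample SVGs are constructed and inert.

```python
"""Static triage of SVG attachments for the two weaponization patterns
discussed in the webinar. Added example, not Pondurance code; the sample
documents below are constructed for the scanner and do nothing on their own."""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Both the modern unprefixed href and the legacy xlink:href attribute.
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
# Schemes that make an href fetch something outside the file or run code.
RISKY_SCHEMES = re.compile(r"^\s*(https?:|javascript:|data:)", re.IGNORECASE)
# Elements that carry active content; foreignObject can wrap arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignObject"}


def _local(tag):
    """Strip the namespace from an ElementTree name ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a sorted list of indicator strings; an empty list means none found."""
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that claims to be SVG but does not parse deserves a look too.
        return [f"unparseable-xml: {exc}"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.add(f"active-content:{name}")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            # on* attributes (onload, onclick, ...) are inline event handlers.
            if attr_name.lower().startswith("on"):
                findings.add(f"event-handler:{attr_name}")
            if attr in HREF_ATTRS and RISKY_SCHEMES.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.add(f"remote-href:{name}:{scheme}")
    return sorted(findings)


def should_block(filename, content=None):
    """Attachment policy: drop .svg/.htm/.html outright (the mitigation list),
    otherwise scan the content for the indicators above.
    Returns (block?, reason)."""
    if filename.lower().endswith((".svg", ".htm", ".html")):
        return True, "blocked-extension"
    if content is None:
        return False, "no-content"
    findings = scan_svg(content)
    return bool(findings), (";".join(findings) or "clean")


# Constructed samples, inert: they only exercise the scanner.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="blue"/></svg>'
)
SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="">'
    '<script>/* constructed placeholder, no code */</script></svg>'
)
REMOTE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image xlink:href="https://example.invalid/login.html" width="1" height="1"/>'
    '</svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("remote", REMOTE_SVG)):
        print(label, scan_svg(sample))
    print(should_block("invoice.svg"))
```

The scanner is deliberately conservative: it flags any remote or executable href, not just ones that look like login pages, because a gateway cannot tell a tracking pixel from a credential-harvesting frame. Use it as a triage signal alongside the extension block, not as a replacement for it.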
Vulnerabilities and trends
The Vulnerability Management Program (VMP) Team Lead reviewed notable vulnerabilities from September. Approximately 2,800 new vulnerabilities were disclosed, which is back to normal for 2024 but down from the 5,200 vulnerabilities seen the previous month. Twenty-six of those 2,800 vulnerabilities were high risk, and six of those 26 were known to be actively exploited in the wild, including four zero-day vulnerabilities in Microsoft products and one vulnerability each in Ivanti and Veeam products. In addition, seven more vulnerabilities have proof-of-concept code available on the internet.
In September, 79 vulnerabilities were addressed during Microsoft Patch Tuesday. Among those 79, seven had a critical severity level, and four were actively exploited zero-day vulnerabilities on Microsoft products, including Microsoft Edge, Windows Publisher, Windows SmartScreen, and Windows Installer.
The VMP Team Lead talked in detail about two specific exploitations that happened in September:
The Windows MSHTML platform spoofing vulnerability (CVE-2024-43461) was chained with a previously patched Microsoft zero-day vulnerability (CVE-2024-38112) and successfully exploited by the financially motivated Void Banshee APT group. In this attack, an HTA file appeared as a PDF to the user. When the user clicked on it, code was executed and payloads were downloaded onto the system. Then, Atlantida infostealer malware was deployed on the system to look for and steal stored passwords, credit card data, and cryptocurrency wallet information. Clients should apply both the July and September security updates to ensure that they are protected.
Four different vulnerabilities worked together to exploit the Common UNIX Printing System (CUPS). One vulnerability (CVE-2024-47076) allowed the threat actor to pass malicious data from the Internet Printing Protocol (IPP) into the CUPS system. The second one (CVE-2024-47175) allowed the threat actor to inject data into a temporary PostScript Printer Description (PPD) file. The third one (CVE-2024-47176) allowed the threat actor to send malicious packets that caused the system to connect to an external, threat actor-controlled URL. The fourth one (CVE-2024-47177) allowed the system to execute commands embedded in the malicious PPD file. Together, these four vulnerabilities can result in the takeover of a system and loss of critical data, so clients should apply the patches and upgrades, particularly if they have remote workers whose machines may be reachable from untrusted networks.
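Two quick host-side checks follow the CUPS chain just described. This is an added example, not Pondurance code, and it relies on details from the public advisories rather than the webinar summary: the component that accepts the remote packets in CVE-2024-47176 is the cups-browsed daemon listening on UDP port 631, and the PPD directive abused for command execution in CVE-2024-47177 is FoomaticRIPCommandLine, handled by the foomatic-rip filter. Both functions take text so they can be run offline against captured output; the ss output and PPD files below are constructed samples. A FoomaticRIPCommandLine line is also present in legitimate foomatic-driven printer PPDs, so the second check is a review queue, not a verdict.

```python
"""Exposure checks for the CUPS chain (CVE-2024-47076/47175/47176/47177).
Added example, not Pondurance code. Component and keyword names come from the
public advisories; sample inputs are constructed."""
import glob
import os
import re
import shutil
import subprocess

# Wildcard local addresses as printed by `ss`: any of these accept packets
# from every interface, which is what exposes cups-browsed to the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
# The PPD keyword that foomatic-rip turns into a command line.
PPD_REVIEW = re.compile(r"^\*FoomaticRIPCommandLine\s*:", re.MULTILINE)


def exposed_udp_listeners(ss_output, port=631):
    """Parse `ss -lunp`-style lines and return the local sockets bound to
    `port` on a wildcard address (e.g. '0.0.0.0:631')."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Data rows start with the socket state; the header row does not.
        if len(parts) < 4 or parts[0] != "UNCONN":
            continue
        local = parts[3]
        addr, _, local_port = local.rpartition(":")
        if local_port == str(port) and addr in WILDCARD_ADDRS:
            exposed.append(local)
    return exposed


def ppds_needing_review(ppds):
    """Given {filename: ppd_text}, return the filenames whose PPD carries a
    FoomaticRIPCommandLine entry, sorted for stable output."""
    return sorted(name for name, text in ppds.items() if PPD_REVIEW.search(text))


# Constructed sample output in the shape of `ss -lunp` (not from a real host).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      [::]:5353          [::]:*
"""

# Constructed PPD fragments. Neither does anything; they only exercise the regex.
SAFE_PPD = '*PPD-Adobe: "4.3"\n*NickName: "Generic PDF Printer"\n*cupsFilter: "application/pdf 0 -"\n'
REVIEW_PPD = '*PPD-Adobe: "4.3"\n*NickName: "Constructed Sample"\n*FoomaticRIPCommandLine: "placeholder"\n'


def check_live_host(ppd_dir="/etc/cups/ppd"):
    """Run both checks on the current Linux host. Requires `ss` and read access
    to the PPD directory; returns (exposed_sockets, ppds_to_review)."""
    exposed = []
    if shutil.which("ss"):
        out = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=False).stdout
        exposed = exposed_udp_listeners(out)
    ppds = {}
    for path in glob.glob(os.path.join(ppd_dir, "*.ppd")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            ppds[os.path.basename(path)] = fh.read()
    return exposed, ppds_needing_review(ppds)


if __name__ == "__main__":
    print("sample exposed sockets:", exposed_udp_listeners(SS_SAMPLE))
    print("sample PPDs to review:", ppds_needing_review({"safe.ppd": SAFE_PPD, "review.ppd": REVIEW_PPD}))
    print("this host:", check_live_host())
```

If the first check reports a wildcard UDP 631 socket owned by cups-browsed on a laptop that leaves the office, that machine is the "remote worker" case the summary warns about: patch it, and if printer discovery is not needed, stop and disable the daemon so the listener is gone regardless of version.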
In October, 118 vulnerabilities were reported and addressed during Microsoft Patch Tuesday. Among those 118, five were zero-day vulnerabilities, and two were known to be actively exploited. To reduce the likelihood of a successful cyberattack, the team recommends that clients focus their efforts on applying the Microsoft patches as they are released.
SOC updates
The SOC Director discussed recent cybersecurity trends that the SOC team observed in September.
Credential stuffing attacks. These attacks are trending steady. During an attack, a threat actor takes a large list of usernames and passwords leaked from elsewhere, finds a login page on the internet, and tries every single username and password combination against that login page. Fortunately, Okta and Microsoft 365 have built-in protections against credential stuffing attacks. Okta uses adaptive multifactor authentication (MFA) and risk-based authentication, and Microsoft 365 has a similar feature under Azure Active Directory Identity Protection.
Ransomware. These attacks are still trending steady. The team consistently sees threat actors using ransomware.
Social engineering help desk calls. The SOC experienced a slight drop-off in these attacks in September but still saw enough of them to label the activity as steady. Threat actors always look for the weakest link, and right now, they perceive that to be help desks.
Phishing emails are trending steady, with the vast majority linking to credential harvesting web pages. The use of artificial intelligence services, such as ChatGPT, is making phishing emails harder to detect due to more convincing language and correct grammar. To stay protected against phishing threats, the team recommends enabling MFA and offering user awareness training.
SOC engineering insights
The SOC Technical Advisor started by briefly reinforcing the importance of clients disclosing their crown jewels to the SOC team, such as hosts, IP addresses, VIP lists, and honey tokens. He also discussed new functionality that allows the team to further tailor alerts, even on a temporary basis, for sets of users or systems. In particular, if clients know that a user is going to be traveling abroad, the client can provide the dates of travel so that the team can mute the alerts for that time period.
Next, the Detection Engineer explained how to conduct searches in LogScale and provided numerous examples. All LogScale documentation is available free to clients with no login required. Clients can go to library.humio.com and search for anything they need. He offered numerous tips for searches, including:
Specify which repo or log you are searching. Clients that have the Pondurance network sensor and are shipping logs to LogScale can use either #repo=xxx-log or #repo=xxx-network to significantly increase their search speed and reduce the load on LogScale. (Note that xxx equals the client code.) The team reminds clients that the network repo holds only seven days of searchable data and the log repo typically holds only 30 days.
Write a better query. Clients should place #repo in the first line of the query and start all subsequent lines with the pipe symbol, aka the vertical bar. They may need to cast a "wide net" at first by searching against the @rawstring field and then narrowing the search more and more. The @rawstring field contains each log's data on one line in JSON format. The Detection Engineer showed several examples of how to construct such a search.
Choose a field/value. In LogScale, three dots appear next to every field. When clients click on those dots, they can choose to match a value, match a regular expression (regex), exclude a value, or select a field. At this step, remember to remove the @rawstring field.
Choose a shortcut. Clients can also select group by value, exclude value in query, or match value in query.
See what fields are available. Clients can use fieldset() to see which specific fields are available. fieldset() returns only the names of fields and does not return counts or key-value pairs. For counts on fields, clients can use fieldstats(). Note that field names are case sensitive. The Detection Engineer showed several examples of how to narrow a search for a particular word in a field name.
The team highly recommends that clients check out the LogScale tutorial for more information about conducting searches. LogScale provides a hands-on experience where users can learn and practice using sample data. LogScale also recommends the following best practices for clients:
Limit the search time frame as much as possible
Narrow down the result set starting with a tagged field (one starting with #)
Continue to filter the dataset with remaining field values that exist
After filtering what to see, filter what not to see (the NOTs)
Use any regex needed to further filter the results
Transform the data using functions such as math, evaluation, format, etc.
Use the aggregate functions, such as sum(), top(), or groupBy(), to aggregate the data
Perform any final visualization processing such as sorting or table functions
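The ordering in the best-practice list above (tagged field, then positive field filters, then the NOTs, then regex over @rawstring, then aggregation) is what keeps a query cheap, because each stage only has to look at what the previous one let through. The following is an added example, not Pondurance or CrowdStrike code, and it is written in Python rather than the LogScale query language so it can run offline: it builds a handful of constructed events shaped like LogScale's (a #repo tag, parsed fields, and the whole original line in @rawstring), runs them through the stages in that order, reports how many events survive each stage, and ends with a groupBy-style count. It also includes plain-Python stand-ins for fieldset() and fieldstats() so the difference between the two (names only versus per-field counts) is visible.

```python
"""Python model of the LogScale narrowing funnel from the best-practice list.
Added example, not LogScale code; events and field names are constructed."""
import json
import re
from collections import Counter


def _event(repo, raw):
    """Shape a constructed log line like a LogScale event: parsed fields plus
    the #repo tag and the original line in @rawstring."""
    rec = json.loads(raw)
    rec["#repo"] = repo
    rec["@rawstring"] = raw
    return rec


# Constructed sample events (client code 'acme' stands in for the xxx in the text).
SAMPLE_EVENTS = [
    _event("acme-log", '{"host":"dc01","event":"logon","user":"alice","result":"failure","src_ip":"203.0.113.7"}'),
    _event("acme-log", '{"host":"dc01","event":"logon","user":"bob","result":"failure","src_ip":"203.0.113.7"}'),
    _event("acme-log", '{"host":"dc01","event":"logon","user":"carol","result":"failure","src_ip":"203.0.113.7"}'),
    _event("acme-log", '{"host":"dc01","event":"logon","user":"alice","result":"success","src_ip":"198.51.100.4"}'),
    _event("acme-log", '{"host":"dc01","event":"logon","user":"svc_backup","result":"failure","src_ip":"10.0.0.5"}'),
    _event("acme-log", '{"host":"dc01","event":"logon","user":"dave","result":"failure","src_ip":"198.51.100.9"}'),
    _event("acme-log", '{"host":"fw01","event":"vpn","user":"erin","result":"failure","src_ip":"203.0.113.9"}'),
    _event("acme-network", '{"src_ip":"10.0.0.7","dst_ip":"192.0.2.10","bytes":4096}'),
]


def tag_filter(events, tag, value):
    """Stage 1, LogScale #repo=value: the tagged field goes first."""
    return [e for e in events if e.get(tag) == value]


def field_eq(events, field, value):
    """Stage 2, a positive field filter such as event=logon."""
    return [e for e in events if e.get(field) == value]


def field_not(events, field, value):
    """Stage 3, the NOT step, applied after the positive filters."""
    return [e for e in events if e.get(field) != value]


def raw_regex(events, pattern):
    """Stage 4, regex over @rawstring: the wide-net filter, run last on the
    smallest possible set because it scans the whole line."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e["@rawstring"])]


def group_count(events, field):
    """Stage 5, the groupBy()-style aggregate: field value -> _count."""
    return Counter(e.get(field, "<missing>") for e in events)


def fieldset(events):
    """Names of every field present, like fieldset(): no counts."""
    return sorted({k for e in events for k in e})


def fieldstats(events):
    """Per-field event counts, like fieldstats()."""
    return Counter(k for e in events for k in e)


def run_funnel(events=SAMPLE_EVENTS):
    """Run the stages in best-practice order; return the per-stage survivor
    counts and the top source IP by failed logons."""
    stages = [("all", events)]
    stages.append(("#repo=acme-log", tag_filter(stages[-1][1], "#repo", "acme-log")))
    stages.append(("event=logon", field_eq(stages[-1][1], "event", "logon")))
    stages.append(("NOT user=svc_backup", field_not(stages[-1][1], "user", "svc_backup")))
    stages.append(('@rawstring=/"result":"failure"/', raw_regex(stages[-1][1], r'"result":"failure"')))
    counts = group_count(stages[-1][1], "src_ip")
    return {
        "stage_counts": [(name, len(evs)) for name, evs in stages],
        "top_src_ip": counts.most_common(1),
    }


if __name__ == "__main__":
    result = run_funnel()
    for name, n in result["stage_counts"]:
        print(f"{n:3d}  {name}")
    print("top src_ip:", result["top_src_ip"])
    print("fieldset:", fieldset(SAMPLE_EVENTS))
    print("fieldstats:", dict(fieldstats(SAMPLE_EVENTS)))
```

Reading the stage counts top to bottom shows the funnel: the tag drops the whole network repo, the field filters remove what cannot match anyway, and the regex, the expensive step, only ever touches the few events left. Running the same stages in the opposite order gives the same answer but scans every @rawstring in the repo first, which is exactly the load the tips above are trying to avoid.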
Next month
The Pondurance team will host another webinar in November to discuss new cybersecurity activity. Check back next month to read the summary.