Threat Intel: Thursday, April 25

Hey folks, it’s time for another Threat Intel Thursday!

This past month has been a busy one. The threat landscape has exploded with multiple high-impact campaigns launched by threat actors across the world.

As always, we’ll begin with a review of the most urgent items we’ve covered this week in the threat intelligence emails delivered directly to your inbox.

This Week’s Threat Intel Emails:

Details Released on Urgent Cisco 0-Days: Cisco ASA and FTD firewalls are under active attack, alongside edge security devices from several other vendors. Over the last 18 months, a set of campaigns has been tracked and disclosed involving sophisticated China-based threat actors who are successfully compromising firewalls, routers and VPN devices. Check the threat intelligence emails immediately for patching recommendations, even if you don’t use Cisco ASA or FTD: the same actors are going after other vendors’ edge devices. Keep in mind that patching closes the door but does not evict an intruder who is already on the device, so review device configurations and logs for changes you did not make.

Legitimate GitHub Projects Being Abused to Host Malware: An as-yet unknown number of trusted GitHub repositories, including Microsoft’s, are being abused to host malware. Researchers recently found that threat actors can make malware appear to be hosted by a legitimate project: a file attached to an issue or pull-request comment receives a download URL under the repository’s own path even if the comment is never posted, so the maintainers never see it. Going forward, make sure your engineers understand the heavily increased risk of downloading tools and scripts from GitHub: a github.com URL under a trusted organisation’s repository is not, by itself, proof that the maintainers published the file. Prefer tagged releases and files that are actually checked into the repository tree.

Our Thursday Threat Roundup:

Atera RMM Agents Used to Distribute Malware: An Iranian threat actor has been abusing Atera RMM agents, as well as agents from ScreenConnect, Syncro, SimpleHelp and RemoteUtilities, to control victim systems remotely. They sign up for the vendors’ free tiers and build installer packages that grant full remote control. If you routinely distribute RMM installers, your clients are conditioned to click those links, and that presents a huge risk. Train your clients and communicate directly, out of band, whenever you plan to roll out agents. Also keep in mind that our pen test analysis identifies foreign RMM installers and can be used to rat out RMM agents that shouldn’t exist in your environment.
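As an added example (not from the original post, and not the pen test tooling or any RMM vendor’s code), the following PowerShell inventories remote-access tooling on a Windows host and flags anything that is not on an allowlist. The single approved product and the service/binary name fragments are assumptions; adjust them to what you actually deploy.

```powershell
# Added example: hunt for RMM agents that should not be on this host.
# ASSUMPTION: only one RMM product (Atera here) is sanctioned in this environment.
$ApprovedRmm = @('Atera')

# Name fragments for the products named in the roundup. The service/binary
# names (JWrapper, rutserv, rfusclient) are assumptions based on how these
# products typically install; extend the list for your own estate.
$RmmPatterns = @(
    'Atera',
    'ScreenConnect', 'ConnectWise Control',
    'Syncro',
    'SimpleHelp', 'JWrapper-Remote Access',
    'Remote Utilities', 'RemoteUtilities', 'rutserv', 'rfusclient'
)
$RmmRegex      = ($RmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$ApprovedRegex = ($ApprovedRmm | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Installed programs, from both the 64-bit and 32-bit uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $RmmRegex } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = "$($_.InstallLocation)" })
    }

# 2. Services: RMM agents almost always persist as a Windows service.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $RmmRegex } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = $_.PathName })
    }

# 3. Running processes, to catch portable or one-off agents that were never "installed".
Get-Process |
    Where-Object { "$($_.Name) $($_.Path)" -match $RmmRegex } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = 'Process'; Name = $_.Name; Detail = "$($_.Path)" })
    }

# Anything that does not belong to the approved product is reported for review.
$Unexpected = $Findings | Where-Object { "$($_.Name) $($_.Detail)" -notmatch $ApprovedRegex }

if ($Unexpected) {
    Write-Warning "Remote-access tooling found on $env:COMPUTERNAME that is not on the allowlist:"
    $Unexpected | Sort-Object Source, Name | Format-Table -AutoSize
} else {
    Write-Output "No unexpected remote-access tooling found on $env:COMPUTERNAME."
}
```

Run it with local administrator rights (the uninstall hives and service paths are not fully readable otherwise), or push it across a fleet with Invoke-Command. One caveat: allowlisting by vendor is weak, because the attacker may well be using the very same product you do. Where the product embeds a tenant or instance identifier in the service name or install path, compare that identifier against your own, not just the vendor name.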

Palo Alto Hacked Firewalls Remediation Advice: Palo Alto Networks’ PAN-OS has recently been the target of a campaign that shows signs of attackers exfiltrating sensitive data. Read the attached disclosure immediately and make sure you are patching and reviewing logs on every PAN-OS device within your or your clients’ infrastructure.

CISA Adds Windows Print Spooler Vulnerability to Its Known Exploited Vulnerabilities Catalog: A serious vulnerability in the Windows Print Spooler, abused by Russia-linked threat actors, keeps getting worse. Wide-scale exploitation has made thousands of Windows workstations a target. The flaw has been around for quite some time and is still being exploited in the wild. Review Microsoft’s disclosure for patching information and make sure your Windows systems are up to date. Where a machine has no need to print (domain controllers and most servers), disabling the Spooler service removes the attack surface altogether.
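The following PowerShell is an added example, not from the original post or from Microsoft, that reports whether the Print Spooler is running on a host and, on request, stops and disables it on hosts that are not supposed to print. The list of hosts that genuinely need printing is an assumption you must fill in for your own environment.

```powershell
# Added example: report, and optionally remove, Print Spooler exposure on a host.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param(
        # ASSUMPTION: these hosts genuinely need to print; everything else can lose the service.
        [string[]]$HostsThatPrint = @('PRINT-SRV01'),
        # Stop and disable the Spooler when this host is not in $HostsThatPrint.
        [switch]$Remediate
    )

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; Spooler = 'not installed'; StartType = 'n/a'
            DomainController = $false; Action = 'none'
        }
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # A running Spooler on a domain controller is the worst place for it.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in @(4, 5)

    $needsPrinting = $env:COMPUTERNAME -in $HostsThatPrint
    $action = 'none'

    if ($svc.Status -eq 'Running' -and -not $needsPrinting) {
        if ($Remediate) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $action = 'stopped and disabled'
        } elseif ($isDc) {
            $action = 'WARNING: Spooler running on a domain controller; re-run with -Remediate'
        } else {
            $action = 'recommend: disable (re-run with -Remediate)'
        }
    }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Spooler          = $svc.Status
        StartType        = $svc.StartType
        DomainController = $isDc
        Action           = $action
    }
}

# Audit only, on this host:
Get-SpoolerExposure

# Fleet-wide audit over WinRM (ASSUMPTION: WinRM is enabled and you have admin rights on the targets):
# Invoke-Command -ComputerName DC01, DC02, APP01 -ScriptBlock ${function:Get-SpoolerExposure}
```

Run the audit first and review the output before adding -Remediate; disabling the Spooler is exactly what you want on a domain controller, but on a file server that doubles as a print server it takes printing down for everyone.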

Autodesk Drive Data Sharing the New Kid on the Block for Sharing Malware: Remember the campaigns we discussed a few threat intel emails ago, where attackers used legitimate services like DocuSign and Google Drive to share malicious files that bypass email filtering? Well, Autodesk Drive data sharing is the latest vendor being abused for phishing emails. Be cautious of any email that reaches your inbox from Autodesk or any other popular file-sharing site, even if it comes from a trusted client, since that client’s account may itself be compromised. Many of these files or links lead to Microsoft 365 phishing pages. Always verify the URL you have arrived at before entering credentials.
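To make “verify the URL” concrete, here is an added PowerShell check (not from the original post) that decides whether a sign-in URL reached through a file-sharing lure really points at Microsoft’s identity service. It catches the usual tricks: the brand name placed in the userinfo part before the real host, the brand used as a subdomain of an attacker’s domain, punycode lookalikes, plain http and literal IP addresses. The allowlist of sign-in hosts is an assumption; extend it for any federated identity provider you use. The test URLs at the bottom are constructed, not real campaign indicators.

```powershell
# Added example: classify a sign-in URL before anyone types a password into it.
# ASSUMPTION: these are the only legitimate Microsoft sign-in hosts for this tenant.
$TrustedSignInHosts = @(
    'login.microsoftonline.com',
    'login.microsoft.com',
    'login.live.com',
    'account.microsoft.com',
    'login.windows.net'
)
# Brand words that, inside a host we do NOT trust, mark a lookalike.
$BrandWords = @('microsoft', 'office', 'o365', 'm365', 'sharepoint', 'onedrive')

function Test-SignInUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Verdict = 'UNPARSEABLE'; Reason = 'not an absolute URL' }
    }

    $reasons  = New-Object System.Collections.Generic.List[string]
    $hostName = $uri.Host.ToLowerInvariant()   # not $Host, which is a reserved automatic variable

    if ($uri.Scheme -ne 'https') { $reasons.Add("scheme is $($uri.Scheme), not https") }

    # "https://login.microsoftonline.com@evil.example/" puts the brand in the userinfo part;
    # the browser connects to evil.example.
    if ($uri.UserInfo) { $reasons.Add("userinfo before the real host: '$($uri.UserInfo)'") }

    # Punycode (xn--) is how homoglyph lookalikes are encoded on the wire.
    if ($hostName -like '*xn--*') { $reasons.Add('internationalised (punycode) hostname') }

    # Microsoft's sign-in endpoints are never bare IP addresses.
    if ($uri.HostNameType -ne [UriHostNameType]::Dns) { $reasons.Add("host is a $($uri.HostNameType), not a DNS name") }

    if ($hostName -in $TrustedSignInHosts) {
        $verdict = if ($reasons.Count -eq 0) { 'OK' } else { 'SUSPICIOUS' }
    } else {
        # A brand word anywhere in a non-allowlisted host
        # ("login.microsoftonline.com.evil.example", "login-microsoft.example") is the classic tell.
        $brandHit = $BrandWords | Where-Object { $hostName -like "*$_*" } | Select-Object -First 1
        if ($brandHit) { $reasons.Add("host '$hostName' is not a known sign-in host but contains '$brandHit'") }
        else           { $reasons.Add("host '$hostName' is not a known sign-in host") }
        $verdict = 'PHISH-LIKELY'
    }

    [pscustomobject]@{ Url = $Url; Verdict = $verdict; Reason = ($reasons -join '; ') }
}

# Constructed test URLs (not real indicators):
@(
    'https://login.microsoftonline.com/common/oauth2/authorize?client_id=x',
    'https://login.microsoftonline.com@attacker.example/common/oauth2/',
    'https://login.microsoftonline.com.attacker.example/',
    'https://xn--lgin-microsoft-abc.example/',
    'http://login.microsoftonline.com/',
    'https://203.0.113.10/office365/login'
) | ForEach-Object { Test-SignInUrl -Url $_ } | Format-Table -AutoSize
```

Only the first URL comes back OK. The check deliberately compares the whole hostname against the allowlist rather than looking for the brand name, because the brand name is exactly what the attacker controls in every other position of the URL.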

Serious Exploit in CrushFTP: A previously unknown critical 0-day affects CrushFTP, a popular file transfer server. It puts millions of users at risk and allows attackers to download sensitive system files and completely compromise affected servers. If you use CrushFTP, or know someone who does, install the patches immediately and consult the following advisory. All CrushFTP instances must be updated to the latest version, starting with those exposed to the internet.

Although there are many more juicy pieces of threat intelligence, these are the items we feel are critical for businesses to be aware of from the last 7 days.
