Threat Intelligence News from LevelBlue SpiderLabs December 2024

December 2024

Latest Threat Intelligence News

Salt Typhoon Hacks of Telecommunications Companies

A Chinese cyber-espionage group tracked as Salt Typhoon has reportedly compromised multiple US telecommunications companies, including T-Mobile, AT&T, Lumen and Verizon. The intrusions were part of a large-scale campaign against US telcos; around 150 victims, mostly in the Washington, DC area, have reportedly already been notified by the FBI. The access allowed the attackers to monitor the communications of political figures and to reach the systems that telcos use to fulfil US law enforcement wiretap requests. According to The New York Times, Microsoft alerted the victims after observing unusual activity on their networks, including data on Salt Typhoon-controlled servers that was traced back to nodes inside US telecom networks.

Palo Alto vulnerabilities exploited in the wild

On November 8, Palo Alto Networks published a bulletin about a potential remote code execution vulnerability in the PAN-OS management web interface. On November 18 the flaw was assigned CVE-2024-0012: a critical authentication bypass that lets an unauthenticated attacker with network access to the management web interface obtain PAN-OS administrator privileges. The same day, Palo Alto disclosed CVE-2024-9474, a medium-severity privilege escalation flaw that allows a PAN-OS administrator with access to the management web interface to run actions on the firewall with root privileges. Chained, the two give an unauthenticated attacker root-level command execution on the firewall: CVE-2024-0012 supplies the administrator session and CVE-2024-9474 escalates it to root. Unit 42 has observed limited exploitation activity involving both vulnerabilities, aimed at management interfaces reachable from the internet; restricting management-interface access to trusted internal addresses removes the attack path entirely.

In addition, two critical vulnerabilities reported last month in Palo Alto Networks Expedition, the firewall configuration migration tool, are now being actively exploited: CVE-2024-9463, an OS command injection flaw rated CVSS 9.9, and CVE-2024-9465, a SQL injection flaw rated CVSS 9.2. Both are reachable without authentication. Successful exploitation exposes the sensitive data Expedition holds, including firewall usernames, cleartext passwords, device configurations and API keys, and CVE-2024-9463 lets the attacker run arbitrary OS commands as root on the Expedition host. CISA added both CVEs to its Known Exploited Vulnerabilities catalog in November 2024.
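The first question a practitioner asks about the PAN-OS chain is whether a given firewall build is below the fix for its release train. The helper below is an added example, not code from the original article or from Palo Alto Networks: it parses PAN-OS version strings, including the "-hN" hotfix suffix that a naive string comparison gets wrong, and classifies the device against the CVE-2024-0012 and CVE-2024-9474 chain. The fixed-version table is an assumption taken from the vendor advisories as published in November 2024; verify it against the current advisories before relying on it.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed PAN-OS versions per release train, as listed in the Palo Alto Networks
# advisories for these CVEs in November 2024. ASSUMPTION: re-check this table
# against the current advisories before relying on it. PAN-OS 10.1 is not
# listed as affected by CVE-2024-0012, so it has no entry for that CVE.
FIXED_VERSIONS: Dict[str, Tuple[str, ...]] = {
    "CVE-2024-0012": ("10.2.12-h2", "11.0.6-h1", "11.1.5-h1", "11.2.4-h1"),
    "CVE-2024-9474": ("10.1.14-h6", "10.2.12-h2", "11.0.6-h1", "11.1.5-h1", "11.2.4-h1"),
}

# PAN-OS versions look like 11.1.4-h7: major.minor.maintenance plus an
# optional hotfix number. A build without "-h" is older than the same
# build with a hotfix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, cve: str) -> Optional[bool]:
    """True if `version` is below the fix for its release train, False if it is
    at or above the fix, None if the train is not listed for this CVE (in which
    case consult the advisory rather than assuming it is safe)."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS[cve]:
        f = parse_version(fixed)
        if f[:2] == v[:2]:
            # Tuple comparison orders 10.2.12 < 10.2.12-h2 < 10.2.13 correctly.
            return v < f
    return None


def chain_risk(version: str) -> str:
    """Classify a device against the CVE-2024-0012 + CVE-2024-9474 chain."""
    auth_bypass = is_vulnerable(version, "CVE-2024-0012")
    privesc = is_vulnerable(version, "CVE-2024-9474")
    if auth_bypass and privesc:
        return "unauthenticated-root"   # full chain: no credentials needed, root shell
    if auth_bypass:
        return "unauthenticated-admin"  # admin session without credentials
    if privesc:
        return "admin-to-root"          # attacker still needs an admin account
    return "patched-or-unlisted"


if __name__ == "__main__":
    # Constructed sample builds, one per outcome.
    for ver in ("10.2.12", "10.2.12-h2", "11.1.4-h7", "10.1.14-h5", "11.2.4-h1"):
        print(f"{ver:12} {chain_risk(ver)}")
```

A device that reports "patched-or-unlisted" is not necessarily safe: a train absent from the table (for example PAN-OS 10.1 for CVE-2024-0012) only means the advisory did not list it, and the management interface should still be kept off the internet regardless of build.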

Tracking, Detection & Hunting Capabilities

The team created one new tracker this month, for a family that was among the most active malware observed during the month:

  • RaccoonO365: RaccoonO365 is an Adversary-in-the-Middle (AiTM) phishing kit that emerged at the beginning of 2024. It impersonates Microsoft 365 and Outlook sign-in pages to steal credentials and, because the victim authenticates through the attacker's reverse proxy, captures the resulting session cookie, which lets the operator bypass MFA by replaying the session rather than the password. The service is sold via Telegram and includes phishing templates, dynamic URL generation tools and session cookie theft functionality, and is aimed primarily at businesses and cloud-dependent enterprises. The security company Morado published a blog post about this kit this month.
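The defensive consequence of cookie theft is that the stolen session shows up in the identity provider's sign-in logs as a token presented from a network the victim never used: the interactive, MFA-satisfied sign-in arrives from the phishing proxy, and the replay arrives from wherever the operator loads the cookie. The detector below is an added example, not code from the original article or from Morado, and it runs over constructed sample records; the field names (sessionId, asn, interactive, mfa) are an assumption modelled loosely on what an identity provider's sign-in log exposes, not any vendor's real schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample sign-in records (NOT real logs). ASSUMPTION: field names
# loosely follow identity-provider sign-in logs; "sessionId" ties together every
# sign-in that presented the same browser session cookie. Alice's session is
# replayed from a different network two minutes after MFA; Bob and Carol are
# benign (Carol changes IP but stays within the same ASN, as roaming users do).
SAMPLE_SIGNINS = """\
{"time": "2024-11-12T08:01:10Z", "user": "alice@example.com", "ip": "203.0.113.10", "asn": 64500, "sessionId": "s-111", "interactive": true, "mfa": "satisfied"}
{"time": "2024-11-12T08:03:45Z", "user": "alice@example.com", "ip": "198.51.100.7", "asn": 64501, "sessionId": "s-111", "interactive": false, "mfa": "previously_satisfied"}
{"time": "2024-11-12T09:15:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "asn": 64500, "sessionId": "s-222", "interactive": true, "mfa": "satisfied"}
{"time": "2024-11-12T10:30:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "asn": 64500, "sessionId": "s-222", "interactive": false, "mfa": "previously_satisfied"}
{"time": "2024-11-12T11:00:00Z", "user": "carol@example.com", "ip": "192.0.2.5", "asn": 64502, "sessionId": "s-333", "interactive": true, "mfa": "satisfied"}
{"time": "2024-11-13T07:00:00Z", "user": "carol@example.com", "ip": "192.0.2.88", "asn": 64502, "sessionId": "s-333", "interactive": false, "mfa": "previously_satisfied"}
"""

# How long after the MFA-satisfied sign-in a replay from another network is
# still attributed to cookie theft rather than to a long-lived legitimate session.
WINDOW = timedelta(hours=24)


def load_signins(text: str) -> List[Dict]:
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Flag sessions whose cookie is presented from a different network (ASN)
    than the one that completed the interactive, MFA-satisfied sign-in.

    ASN rather than raw IP is compared so that a user moving between addresses
    inside one carrier or VPN provider does not trip the rule."""
    by_session: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["sessionId"])].append(e)

    findings = []
    for (user, sid), evs in by_session.items():
        origin = next((e for e in evs if e["interactive"] and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue  # no MFA-completed origin in scope to compare against
        for e in evs:
            if e is origin or e["ts"] < origin["ts"]:
                continue
            if e["asn"] != origin["asn"] and e["ts"] - origin["ts"] <= window:
                findings.append({
                    "user": user,
                    "sessionId": sid,
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "seconds_after_mfa": int((e["ts"] - origin["ts"]).total_seconds()),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(load_signins(SAMPLE_SIGNINS)):
        print(f"possible AiTM session replay: {f}")
```

When this fires, revoking the user's refresh tokens and sessions matters more than resetting the password, since the attacker never needs the password again once the cookie is in hand; phishing-resistant MFA or token protection bound to the device closes the gap the kit exploits.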

[Figure: November 2024 malware trend]

The LevelBlue trackers identified over 1,400 new IOCs across the families they track. The busiest trackers during the month of November were:

[Figure: November 2024 new IOCs from LevelBlue trackers]


USM Anywhere Detection Improvements

In November, 81 USM Anywhere detections were added or improved. Here are a few examples of improvements and new elements created:

  • Several new rules related to Anomalous User Behavior for Okta, O365, Anomalous logins and more.

  • New alerts in the CrowdStrike Falcon Detection ruleset, to identify brute force activity and generic alerts.

  • New alerts in the Trend Micro Vision One ruleset, to identify command line injection and exploit attempts.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.


LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is the world's largest open threat intelligence community: 450K threat researchers from 140 countries publish threat information on the OTX platform, which the LevelBlue SpiderLabs team enriches and consumes. Visit the OTX platform to browse the new pulses or to sign up and join the community.

New OTX Pulses

The LevelBlue SpiderLabs team is continuously creating new Pulses in OTX based on what they are seeing in the wild. In November, 111 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.
