Threat Intelligence News from LevelBlue SpiderLabs January 2025

Latest Threat Intelligence News

Infected Cyberhaven Chrome Extension Distributed on Christmas

A malicious Chrome browser extension was distributed under the name of the Swiss-founded data security startup Cyberhaven after one of the company's administrative accounts was compromised. Security analyst Jaime Blasco identified over a dozen suspicious domains linked to the attackers' infrastructure, which suggests that other Chrome browser extensions may have been infected in the same way.

The attack occurred on Christmas, and the company removed the malicious package within an hour of detecting it. Users were nevertheless exposed for over 30 hours, during which sensitive information could have been leaked.

Secret Blizzard Compromising Storm-0156 Infrastructure for Espionage

Microsoft has published a two-part blog post describing its investigation of Secret Blizzard.

The Russian state-sponsored threat actor has been observed compromising the infrastructure of Storm-0156, a Pakistan-based espionage group, to conduct its own espionage operations.

Since November 2022, Secret Blizzard has used Storm-0156's backdoors to deploy their own malware on compromised devices, particularly targeting government entities in Afghanistan and India.

The threat actor has employed various tools, including a TinyTurla variant, TwoDash, Statuezy, and MiniPocket, alongside Storm-0156's CrimsonRAT and Wainscot backdoors.

The second part of the blog post focuses on several other tools used by the APT. Between March and April 2024, Secret Blizzard used the Amadey bot malware, which is normally associated with cybercriminal activity, to deploy its custom Tavdig and KazuarV2 backdoors on Ukrainian military devices.

In January 2024, Secret Blizzard also leveraged a backdoor from Storm-1837, a Russia-based threat actor targeting Ukrainian drone pilots, to install its malware.

This activity highlights Secret Blizzard's tactic of leveraging other actors' infrastructure to diversify attack vectors and facilitate intelligence collection.

CVE-2024-49138, Vulnerability in Windows Common Log File System Driver (CLFS)

Microsoft disclosed an actively exploited zero-day vulnerability, CVE-2024-49138, in its latest Patch Tuesday update. The vulnerability, classified as an Elevation of Privilege issue in the Windows Common Log File System Driver, allows attackers to gain SYSTEM privileges on Windows devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies implement the required fixes by December 31, 2024.

While details of in-the-wild exploitation are not yet available, it is noteworthy that ransomware operators have shown a growing tendency in recent years to exploit CLFS driver elevation of privilege vulnerabilities.

Tracking, Detection & Hunting Capabilities

The LevelBlue SpiderLabs team updated the following Adversary Trackers to automatically identify and detect malicious infrastructure:

  • Meduza Stealer
  • Lumma Info-Stealer

The team has identified the following malware and threat actors as the most active during the month of December. December's malware trends remain very similar to those of previous months, with one notable entry:

  • Lumma: The popular info-stealer continues to appear among the most prevalent malware families of the month, as well as on the list of families with the most infrastructure detected by our Trackers.

This month, Guardio Labs reported a large-scale fake CAPTCHA campaign distributing Lumma. The malvertising ads reportedly had over 1 million daily impressions, demonstrating the effectiveness of this attack type, which combines redirect chains, obfuscated scripts and Traffic Distribution Systems (TDS).

[Figure: LevelBlue Labs December 2024 malware trends]

The LevelBlue trackers have identified over 1300 new IOCs across the different families they track. The busiest trackers during the month of December were:

[Figure: December 2024 new IOCs by tracker]

USM Anywhere Detection Improvements

In December, LevelBlue SpiderLabs added or updated 41 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • A new rule updating the approach to identify suspicious and potentially malicious files dropped by Office applications.

  • New rules related to Brute Force Authentication and Password Spraying for Fortinet and Cisco Firepower.

  • Several rules for Command and Control Communications and Malware detections by Trend Micro.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.


LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is the world's largest open threat intelligence community, made up of 450K threat researchers from 140 different countries who publish threat information on the OTX platform, which our LevelBlue SpiderLabs team enriches and consumes. You can go here to find out more about the new pulses or to sign up to be part of the community.

New OTX Pulses

The LevelBlue SpiderLabs team continuously publishes new pulses in OTX based on its research and discoveries. Pulses are interactive and searchable repositories of information about threats, threat actors, campaigns, and more, including indicators of compromise (IoCs) that are useful to members.

In December, 118 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
