Skip to the main content.

5 min read

Cyber Threat Intelligence Briefing - January 2, 2024

Cyber Threat Intelligence Briefing - January 2, 2024

PacketWatch returns in 2024 with our bi-weekly threat intelligence report. This week, we cover the return of Qbot, a Google Oauth cookie hijacking technique, and a vulnerability roundup.

We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

The Return of Qbot

Qbot malware image via Dall-e AIIn late August 2023, the FBI announced Operation 'Duck Hunt,' which successfully dismantled the existing infrastructure for the infamous Qakbot (Qbot) malware that was known for infecting over 700,000 computers worldwide.  Qbot malware was widely used as an initial infection point for ransomware operations.  The FBI linked Qbot to over 40 ransomware attacks across a variety of industry verticals.

Although in early October, Cisco Talos documented a ransomware campaign linked to Qbot-affiliated threat actors, it was not until December 15, 2023, that Microsoft disclosed evidence of a new Qbot phishing campaign targeting the hospitality industry.

In this new campaign, a malicious PDF is sent in a phishing email.  Within the PDF is a link to download a digitally signed Windows Installer (.msi) file.  The Qbot execution is triggered via an embedded DLL file.  Also of note with this campaign is the timestamp showing the payload was generated on December 11, and a previously unseen version of the malware was observed, indicating the malware is still under active development. IOCs for this campaign can be found below.

Qbot Phishing Campaign IOCs

C2 IP Addresses

  • 45[.]138.74.191
  • 65[.]108.218.24

MSI File Hash

50e22aa4b3b145fe1193ebbabed0637fa381fac3

How To Protect Your Organization

As with most malware delivered via phishing emails, there are several steps organizations can take to reduce the risk of infection:

  • User awareness and training - Users should scrutinize the sender's email address and be instructed to never click or download attachments from untrusted senders.
  • Deploy, configure, and maintain an EDR solution across all endpoints.
  • Ensure all endpoints are patched regularly.

SOCRadar Resources

Additional Resources

Google OAuth Cookie Hijack 0-day

Over the last several weeks, multiple info-stealer malware variants have begun incorporating a session-hijacking technique that abuses an undocumented endpoint in Google Oauth called "MultiLogin".  This exploit allows threat actors to maintain access to a victim's account, even after they have reset their password.  It centers around a service GIAIA ID and an encrypted token found in the Chrome 'token_service' table, which can be manipulated and leveraged against the MutliLogin endpoint to generate new Google service cookies.

In a detailed report published by CloudSEK, it is implied that Google attempted to quietly prevent abuse of this exploit by performing "IP-based restrictions on cookie regeneration".  However, in late November, the Lumma stealer malware incorporated a workaround to bypass those restrictions.

As of this writing, this exploit still works, and over a half dozen info-stealer variants have added this exploit to their code base.  Until Google issues a formal patch, the best protection is to prevent infection from the info-stealer malware in the first place.  Strong defense-in-depth measures, especially modern EDR solutions, are the best protection against this malware.

Additional Resources

Vulnerability Roundup

critical vulnerability

CVE-2023-49070: Zero-Day in Apache OfBiz

In early December, a critical authentication bypass vulnerability (CVE-2023-49070) was disclosed for Apache's OfBiz open-source ERP system.  This issue was fixed in version 18.12.10 on December 5.

Last week, researchers at SonicWall discovered that the patch for this vulnerability did not completely fix the issue.  The vulnerability for the original 'fixed' version is tracked as CVE-2023-51467, and states that the authentication bypass can lead to Server-Side Request Forgery (SSRF).  This CVE is now fixed in version 18.12.11.

Of note, Apache OfBiz is part of Atlassian JIRA, which is widely used across enterprises worldwide.  As these vulnerabilities have been observed being actively exploited, administrators are urged to patch them as soon as possible.

SOCRadar Resources

Additional Resources

CVE-2023-7027: New Chrome Zero-Day

A new heap-based buffer overflow vulnerability in the WebRTC framework was disclosed by Clement Lecigne and Vlad Stolyarov from Google's Threat Analysis Group, CVE-2023-7027.  Successful exploitation can lead to arbitrary code execution.

Google has acknowledged that an exploit for this vulnerability exists in the wild.  Administrators are urged to patch to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for MacOS.  As the WebRTC framework is open-source and supported by multiple browsers, administrators should apply fixes to other vulnerable browsers as they become available.


Terrapin

Security researchers from Ruhr University Bochum disclosed an intricate set of vulnerabilities in SSH.  While the details of this vulnerability are beyond the scope of this report, successful exploitation of these vulnerabilities allows for the attacker to downgrade the public key algorithms used for user authentication and can disable built-in protections against keystroke timing attacks in OpenSSH 9.5.

One key aspect of these vulnerabilities is that in order for the attacker to exploit them, they must be a man-in-the-middle on the network.  This greatly reduces the potential attack surface.  However, since the vulnerabilities affect default configurations of OpenSSH, it is recommended that administrators upgrade to OpenSSH version 9.6p1.

Additional Resources

Outlook Zero-Click RCE Chain

Recent research published by Ben Barnea from Akamai found here and here details how two previously patched vulnerabilities in Microsoft Outlook could be chained together to achieve zero-click remote code execution.

The two vulnerabilities in question are CVE-2023-35384, a security feature bypass in Windows HTML Platforms, and CVE-2023-36710, an RCE flaw in Windows Media Foundation Core. These bugs received fixes from Microsoft in August and October of 2023.

The first flaw (CVE-2023-35384) allows the attacker to coerce the Outlook client to download a malicious sound file from an attacker-controlled server.  The vulnerability could also be used to leak NTLM credentials to the attacker.  The specially crafted sound file, which can be autoplayed using the Outlook's reminder sound feature, can then exploit CVE-2023-36710 to get zero-click remote code execution.

In addition to patching, it is also recommended to ensure outbound SMB connections are blocked to public IP addresses and to disable NTLM or add users to the 'Protected Users security group', which prevents the use of NTLM authentication.

Additional Resources

More Ivanti Vulnerabilities

Ivanti released security advisory to address 13 critical vulnerabilities found in its Avalanche enterprise mobile device management solution.  Many of these vulnerabilities allow for unauthenticated remote attackers to gain remote code execution with no user interaction. 

These vulnerabilities affect all supported versions of Avalanche versions 6.3.1 and above.  Administrators are urged to patch to the latest version, 6.4.2, as soon as possible.

Additional Resources


Make sure to stay up to date with all PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered each last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.


Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.

Cyber Threat Intelligence Briefing - February 26, 2024

6 min read

Cyber Threat Intelligence Briefing - February 26, 2024

This week, we continue to cover the ConnectWise ScreenConnect vulnerabilities and United Healthcare Optum Breach and include a vulnerability roundup.

Read More
Two ConnectWise ScreenConnect Critical RCE Vulnerabilities

2 min read

Two ConnectWise ScreenConnect Critical RCE Vulnerabilities

ConnectWise recently released a security bulletin disclosing two new vulnerabilities in their ScreenConnect platform.

Read More
CVE-2024-21413: Microsoft Outlook Critical RCE

2 min read

CVE-2024-21413: Microsoft Outlook Critical RCE

As part of this month's Patch Tuesday, Microsoft released a fix for a critical vulnerability affecting multiple Outlook versions.

Read More