Top five Cyber Threat Intel stories of the week: 06/05 to 06/09/2023

James Beal
Published in Hunter Strategy
Jun 9, 2023 · 6 min read

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: PoC released for Windows Win32k bug exploited in attacks

Overview: Researchers have released a proof-of-concept (PoC) exploit for an actively exploited Windows local privilege escalation vulnerability fixed as part of the May 2023 Patch Tuesday. The Win32k subsystem (Win32k.sys kernel driver) manages the operating system’s window manager, screen output, input, and graphics, and acts as an interface between various types of input hardware. As such, exploiting these types of vulnerabilities tends to provide elevated privileges or code execution. The vulnerability is tracked as CVE-2023-29336 and was originally discovered by cybersecurity firm Avast. It was assigned a CVSS v3.1 severity rating of 7.8 as it allows low-privileged users to gain Windows SYSTEM privileges, the highest user mode privileges in Windows. Avast says they discovered the vulnerability after it was actively exploited as a zero-day in attacks. However, the company has declined to share further details with BleepingComputer, so it is unclear how it was abused. To raise awareness about the actively exploited flaw, and the need to apply Windows security updates, CISA also published an alert and added it to its “Known Exploited Vulnerabilities” catalog. Exactly a month after the patch became available, security analysts at Web3 cybersecurity firm Numen have now released full technical details on the CVE-2023-29336 flaw and a PoC exploit for Windows Server 2016.

Breakdown: Many of the monthly Patch Tuesday releases from Microsoft over the last couple of years have included at least one high-severity vulnerability that was already being abused in the wild. Third-party researchers or Microsoft themselves discover these vulnerabilities and get the patch ready, but we usually do not get exact details on the exploit side of things. Most of the time that is a good thing, because once actual PoC code is released, any interested threat group has a much easier time abusing the vulnerability. This puts those criminal groups well ahead of the patch cycles most organizations have set up; unfortunately, many organizations do not patch for 60–90 days. In this case, researchers used the published details and the patch itself to work out the exploit method and create a proof of concept for it, whether you see that as a good thing or, again, as just helping any threat actors out there looking for a new way to exploit unpatched systems.

2nd: Art of the Hunt: Building a Threat Hunting Hypothesis List

Overview: Threat hunting is a proactive, behaviorally-based approach that empowers you to stay ahead of potential adversaries by focusing on their tactics, techniques, and patterns. By moving away from the traditional indicator of compromise (IOC) mindset, you’ll be able to uncover hidden threats that may have been flying under the radar. In this blog, we’ll walk you through the process of crafting the perfect threat hunting hypothesis list that will set you on the path to becoming a successful and confident threat hunter. So, let’s dive in and start hunting!

Breakdown: Being proactive about security threats should be a focus for all security teams, and having your SOC staff use attack information to drive threat hunting is a perfect way to accomplish that work. This is an excellent guide by Cyborg Security on how to get started the right way with threat hunting, and it provides a guided method for building templates around your threat hunting processes.

3rd: Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

Overview: Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows. Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.

Breakdown: Gaming as a hobby continues to grow, especially around the world as more and more people get access to systems capable of playing games in a browser or that do not require expensive new hardware. Minecraft’s popularity is directly tied to how easy it is to run on basic systems and to how easy the game is to understand in general. Online games are a primary, but often overlooked, target for cybercriminals worldwide. This is a great example of the type of malware gamers can run into in a game with an extensive social component built around modding the game and sharing mods with the community.

4th: What ChatGPT Can and Can’t Do for Intelligence

Overview: The prospects of ChatGPT for intelligence are mixed. On the one hand, the technology appears “impressive,” and “scarily intelligent,” but on the other hand, its own creators warned that “it can create a misleading impression of greatness.” In the absence of an expert consensus, researchers and practitioners must explore the potential and downsides of the technology for intelligence. To address this gap, we — academics who study intelligence analysis and an information technology engineer — sought to test the ability of ChatGPT (GPT-4) to supplement intelligence analysts’ work. We put it to a preliminary test using Colin Powell’s famous request: “Tell me what you know. Tell me what you don’t know. Then you’re allowed to tell me what you think.” For each task, we provide the output from ChatGPT so that readers can reproduce the analyses and draw their own conclusions.

Breakdown: An amazing article on how security researchers put ChatGPT to the test to find out which processes work now and which still need more time to develop. As noted, giving the tool access to web content will help with the summarization and potential “content creation” aspects of using it, but that also leads to a real concern about what information is being used to keep training these tools and the accuracy of that data.

5th: Calm In The Storm: Reviewing Volt Typhoon

Overview: Network owners, operators and defenders find themselves in an increasingly contentious and hostile space, with entities ranging from opportunistic criminal elements to state-directed organizations engaging in various types of computer network intrusion. Through the seemingly endless sequence of blogs, alerts and hyperbolic media reporting, stakeholders may find it increasingly difficult to discern a strong “signal” from intense background “noise.” In this blog, we will explore recent disclosures concerning an actor referred to as “Volt Typhoon,” assessed to be linked by multiple sources to the People’s Republic of China (PRC). Through this discussion, we will examine how such strategic network intrusion activity can impact and inform organizations that may believe themselves outside the scope or focus of such targeting. We will then conclude with recommendations for asset owners and operators of all types in the face of an increasingly contested and threatening networking environment.

Breakdown: Excellent research on a new threat actor group and the way they are using their toolsets to cause havoc. Each section has several great pieces of information on the actor and the ways they use those tools, especially the threat assessment section and the defensive lessons learned section. As noted, they have done a great job separating the signal from the noise on the applicable techniques we should all be aware of and how to react to this level of attack.

Contact Us

contact@hunterstrategy.net

Our Website
