Weekly Threat Briefing: April 8 - 12, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Get up to 50% off eSentire Threat Intelligence
We’re thrilled to announce the launch of our first standalone cybersecurity product, eSentire Threat Intelligence, a curated feed of high-fidelity Indicators of Compromise (IOCs) with a 99% true positive rate that have been verified by our Elite Threat Hunters and Threat Response Unit (TRU).
Learn how you can leverage eSentire Threat Intelligence to reduce false positive alerts and enhance your threat detection and response capabilities.
Raspberry Robin Spreading Through Windows Script Files
Raspberry Robin, a notorious Windows worm first identified in late 2021, has evolved significantly in its infection vectors, spreading mechanisms, and the complexity of its operations. Initially observed targeting technology and manufacturing organizations, it has since evolved into one of the most prevalent threats impacting a wide array of sectors.
On April 10th, HP Threat Research released a report revealing a shift towards distributing the malware via Windows Script Files (WSF), a method that allows the worm to exploit administrative scripts within Windows environments. These script files are highly obfuscated and utilize anti-VM and anti-analysis techniques to ensure execution on targeted machines, thus evading traditional detection methods.
The recent change from spreading through USB devices to heavily obfuscated Windows script files highlights the continuous efforts of the Raspberry Robin operators to evade security defenses. This new delivery method will likely help the malware infect a wider range of victims, resulting in an increase in stolen credentials and even ransomware deployments, as has been observed in the past.
Given the evolving nature of Raspberry Robin, organizations are advised to implement a multi-layered security strategy that emphasizes both proactive measures and reactive capabilities. A few key strategies to consider are:
Critical Vulnerability in Palo Alto Networks Exploited
On April 12th, Palo Alto Networks released an advisory on a critical vulnerability, impacting the PAN-OS operating system running on their appliances, which is being actively exploited. The vulnerability, tracked as CVE-2024-3400 (CVSS: 10), is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software.
The exploitation of CVE-2024-3400 would allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. The vulnerability was identified in PAN-OS versions 10.2, 11.0, and 11.1.
After initial exploitation, threat actors have been observed deploying reverse shells and the UPSTYLE backdoor, as well as executing a variety of commands on the firewall, including copying and exfiltrating configuration files. Volexity tracks the threat actor group behind Operation MidnightEclipse as UTA0218.
Palo Alto Networks released security patches to address CVE-2024-3400 on April 14th, 2024. If patching is not possible, it is critical that organizations apply the available mitigations to prevent exploitation: organizations are recommended to enable Vulnerability Protection for the GlobalProtect interface, and companies that subscribe to Palo Alto Threat Prevention should enable Threat ID 95187 to block attacks.
In response to the disclosure of CVE-2024-3400, eSentire released a security advisory on April 12th. We have also released an updated security advisory on April 16th. Additionally, threat hunts have been performed across the eSentire customer base, and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.
Microsoft Patch Tuesday Release
In the April 9th Microsoft Patch Tuesday release, Microsoft addressed a total of 149 vulnerabilities, including 67 Remote Code Execution (RCE) vulnerabilities. Most notably, the release includes one confirmed zero-day vulnerability and a second that Microsoft has not classified as exploited, but which the researchers who discovered it state is being exploited.
The vulnerability that Microsoft has confirmed to be exploited in the wild is tracked as CVE-2024-26234 (CVSS: 6.7), a Proxy Driver Spoofing vulnerability. In real-world attacks, the vulnerability was exploited to disguise malicious content in a campaign delivering backdoor malware to victims.
CVE-2024-29988 (CVSS: 8.8) is disputed: researchers state that exploitation is ongoing, but Microsoft classifies the vulnerability only as “Exploitation More Likely”. The vulnerability is a SmartScreen Prompt Security Feature Bypass. In an attack scenario, a threat actor would deliver a maliciously crafted file to a potential victim; interaction with the malicious file would enable code execution, bypassing the SmartScreen security feature.
Organizations are strongly recommended to review the full Microsoft Patch Tuesday release for April 2024, and ensure security patches are applied for all impacted systems.
The eSentire Threat Intelligence team continues to track the recently disclosed vulnerabilities for additional details and detection opportunities. Threat hunts have been performed for exploitation of CVE-2024-26234, based on Indicators of Compromise (IoCs) shared by Sophos.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.