Weekly Threat Briefing: April 8 - 12, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Get up to 50% off eSentire Threat Intelligence

We’re thrilled to announce the launch of our first standalone cybersecurity product, eSentire Threat Intelligence, a curated feed of high-fidelity Indicators of Compromise (IOCs) with a 99% true positive rate that have been verified by our Elite Threat Hunters and Threat Response Unit (TRU).

Learn how you can leverage eSentire Threat Intelligence to reduce false positive alerts and enhance your threat detection and response capabilities.


Raspberry Robin Spreading Through Windows Script Files

Raspberry Robin, a notorious Windows worm first identified in late 2021, has evolved significantly in its infection vectors, spreading mechanisms, and the complexity of its operations. Initially observed targeting technology and manufacturing organizations, it has since grown into one of the most prevalent threats impacting a wide array of sectors.

On April 10th, HP Threat Research released a report revealing a shift towards distributing the malware via Windows Script Files (WSF), a method that allows the worm to exploit administrative scripts within Windows environments. These script files are highly obfuscated and utilize anti-VM and anti-analysis techniques to ensure execution on targeted machines, thus evading traditional detection methods.

The recent change from spreading through USB devices to heavily obfuscated Windows Script Files highlights the continuous efforts of the Raspberry Robin actors to evade security defenses. This new delivery method will likely help the malware infect a wider range of victims, resulting in an increase in stolen credentials and even ransomware, as has been observed in past Raspberry Robin infections.

Given the evolving nature of Raspberry Robin, organizations are advised to implement a multi-layered security strategy that emphasizes both proactive measures and reactive capabilities. A few key strategies to consider are:

  • Implementing a robust patch management process to ensure all systems are up-to-date
  • Deploying advanced Endpoint Detection and Response (EDR) tools that can detect, analyze, and respond to suspicious activities on endpoints
  • Educating employees about the risks of malware, particularly through social engineering and phishing attacks which might lead to unauthorized installations of Raspberry Robin

Learn more in the full threat briefing here.


Critical Vulnerability in Palo Alto Networks Exploited

On April 12th, Palo Alto Networks released an advisory on a critical vulnerability which is being actively exploited, impacting the PAN-OS operating system running on their appliances. The vulnerability tracked as CVE-2024-3400 (CVSS: 10), is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software.

The exploitation of CVE-2024-3400 would allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. The vulnerability was identified in PAN-OS versions 10.2, 11.0, and 11.1.

After initial exploitation, threat actors have been observed deploying reverse shells and the UPSTYLE backdoor, as well as executing a variety of commands on the firewall, including copying and exfiltrating configuration files. Volexity tracks the threat actor group behind Operation MidnightEclipse as UTA0218.

Palo Alto Networks released security patches to address CVE-2024-3400 on April 14th, 2024. If patching is not possible, it is critical that organizations apply the available mitigations to prevent exploitation; organizations are recommended to enable Vulnerability Protection for the GlobalProtect interface, and companies that subscribe to Palo Alto Threat Prevention should enable Threat ID 95187 to block attacks.

In response to the disclosure of CVE-2024-3400, eSentire released a security advisory on April 12th. We have also released an updated security advisory on April 16th. Additionally, threat hunts have been performed across the eSentire customer base, and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.

Learn more in the full threat briefing here.


Microsoft Patch Tuesday Release

In the April 9th Microsoft Patch Tuesday release, Microsoft addressed a total of 149 vulnerabilities, including 67 Remote Code Execution (RCE) vulnerabilities. Most notably, the release includes one confirmed zero-day vulnerability, and a second vulnerability that Microsoft has not stated is exploited, but that the researchers who discovered it state is being exploited.

The vulnerability that Microsoft has confirmed to be exploited in the wild is tracked as CVE-2024-26234 (CVSS: 6.7), a Proxy Driver Spoofing vulnerability. In real-world attacks, the vulnerability was exploited to disguise malicious content in a campaign delivering backdoor malware to victims.

CVE-2024-29988 (CVSS: 8.8) is disputed: researchers state that exploitation is ongoing, but Microsoft classifies the vulnerability only as “Exploitation more likely”. The vulnerability is a SmartScreen Prompt Security Feature Bypass vulnerability. In an attack scenario, a threat actor would deliver a maliciously crafted file to a potential victim; interaction with the malicious file would enable code execution, bypassing the SmartScreen security feature.

Organizations are strongly recommended to review the full Microsoft Patch Tuesday release for April 2024, and ensure security patches are applied for all impacted systems.

The eSentire Threat Intelligence team continues to track the recently disclosed vulnerabilities for additional details and detection opportunities. Threat hunts have been performed for exploitation of CVE-2024-26234, based on Indicators of Compromise (IoCs) shared by Sophos.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.