Weekly Threat Briefing: Aug 26 - Aug 30, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
The Versa Director Zero-Day Exploitation
Bottom Line: The Chinese state-sponsored APT group Volt Typhoon has been observed exploiting a critical Versa Director zero-day vulnerability in attacks against IT, MSPs, and ISPs. Organizations are urged to apply the relevant security patches as soon as possible to minimize the likelihood of compromise.
On August 26th, Versa disclosed a high-severity vulnerability in the Versa Director software, a tool used to streamline the "design, automation, and delivery of Secure Access Service Edge (SASE) services". The vulnerability, tracked as CVE-2024-39717 (CVSS: 7.2), allows a threat actor who already holds Provider-DataCenter-Admin or Provider-DataCenter-System-Admin privileges to upload malicious files.
The flaw lies in the "Change Favicon" feature, which lets an attacker with those administrator privileges upload malicious files disguised as PNG images; the upload is accepted on the strength of the file extension rather than its content. The vulnerability impacts Versa Director versions 22.2.3, 22.1.2, and 22.1.3. At the time of disclosure, Versa confirmed that CVE-2024-39717 had been exploited by an Advanced Persistent Threat (APT) group, but did not provide any additional details.
Only one day later, researchers from Black Lotus Labs released a technical report on exploitation of the vulnerability, attributing known malicious activity, with medium confidence, to the infamous Chinese state-sponsored APT group, Volt Typhoon (Bronze Silhouette).
To date, attacks have been confirmed against four U.S. organizations and one non-U.S. target; victim organizations include Internet Service Providers (ISPs), Managed Service Providers (MSPs), and Information Technology (IT) companies. The earliest signs of exploitation have been traced back to June 12th, over two months before a security patch was released.
In observed attacks, CVE-2024-39717 was exploited to deliver a custom JAR web shell dubbed VersaMem. Its primary function is to intercept and harvest credentials, enabling unauthorized access. VersaMem operates by hooking and overriding the Versa authentication method, intercepting plaintext passwords, encoding them in Base64, and writing them to "/tmp/temp.data".
It also monitors inbound web requests to the Tomcat web server for actor-defined parameters, such as passwords and malicious modules, and dynamically loads Java modules in memory. To evade detection, the web shell performs all of its operations in memory rather than on disk; the credential drop file is the main on-disk artifact. To obscure where the attacks originated from, Volt Typhoon launched them through compromised Small Office/Home Office (SOHO) devices, a tactic the group has employed in past campaigns.
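The two on-disk artifacts described above (a JAR or class file masquerading as a PNG favicon, and a Base64-encoded credential drop at /tmp/temp.data) lend themselves to a simple host hunt. The script below is an added example written for this briefing, not tooling from Versa, Black Lotus Labs, or eSentire. It checks the leading bytes of every *.png under a directory against the PNG, ZIP (JAR) and Java class signatures, and counts Base64 lines in a candidate drop file. The directory layout, file names and credentials in demo() are constructed test data, not observed indicators; point find_masqueraded_pngs() at the real favicon upload directory on your host.

```python
"""Hunt for CVE-2024-39717 / VersaMem artifacts: PNG-named files that are really
JAR or Java class files, and a Base64 credential drop file (/tmp/temp.data)."""
import base64
import binascii
import tempfile
from pathlib import Path
from typing import Union

PathLike = Union[str, Path]

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # genuine PNG header
ZIP_MAGIC = b"PK\x03\x04"           # a JAR is a ZIP archive
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java class


def classify_png(path: PathLike) -> str:
    """Classify by leading bytes, ignoring the file name: png, jar, class or unknown."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ZIP_MAGIC):
        return "jar"
    if head.startswith(CLASS_MAGIC):
        return "class"
    return "unknown"


def find_masqueraded_pngs(directory: PathLike) -> list:
    """Return (path, kind) for every *.png under directory whose bytes are not PNG."""
    hits = []
    for p in sorted(Path(directory).rglob("*.png")):
        kind = classify_png(p)
        if kind != "png":
            hits.append((str(p), kind))
    return hits


def looks_like_base64(line: bytes) -> bool:
    """Strict Base64 check; validate=True rejects stray characters."""
    if not line:
        return False
    try:
        base64.b64decode(line, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_credential_drop(path: PathLike) -> dict:
    """Report whether the candidate drop file exists and how many Base64 lines it holds."""
    p = Path(path)
    if not p.exists():
        return {"present": False, "base64_lines": 0}
    lines = [l.strip() for l in p.read_bytes().splitlines() if l.strip()]
    return {"present": True, "base64_lines": sum(looks_like_base64(l) for l in lines)}


def demo() -> dict:
    """Constructed sample tree (not a real Versa Director install) exercising both checks."""
    root = Path(tempfile.mkdtemp())
    logo = root / "custom_logo"          # stand-in for the favicon upload directory
    logo.mkdir()
    (logo / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)                # legitimate PNG
    (logo / "logo.png").write_bytes(ZIP_MAGIC + b"\x14\x00" + b"\x00" * 20)      # JAR disguised as PNG
    (logo / "icon.png").write_bytes(CLASS_MAGIC + b"\x00\x00\x00\x34")           # raw class disguised
    drop = root / "temp.data"            # stand-in for /tmp/temp.data
    fake_creds = [b"admin:Passw0rd!", b"ops:Summer2024"]                         # constructed, not real
    drop.write_bytes(b"\n".join(base64.b64encode(c) for c in fake_creds))
    return {
        "masqueraded": find_masqueraded_pngs(logo),
        "credential_drop": check_credential_drop(drop),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A clean result on a real host is two empty findings: no *.png that fails the PNG signature check, and no /tmp/temp.data. A JAR can be padded with a fake PNG header, so a present-and-Base64 drop file is the stronger indicator; treat the favicon check as a first pass, not proof of absence.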
In response to this campaign, the eSentire Threat Response Unit (TRU) has performed threat hunts based on known Indicators of Compromise (IoCs). eSentire MDR for Network has rules in place to identify the VersaMem webshell. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2024-39717. It should be noted that eSentire is not impacted by the recent Versa Director zero-day vulnerability.
CISA #StopRansomware RansomHub
Bottom Line: The joint advisory from CISA, the FBI, MS-ISAC, and HHS follows the notable attack on Halliburton. RansomHub affiliates make use of tried-and-true tactics as well as known vulnerabilities.
On August 29th, CISA released a #StopRansomware advisory on RansomHub, providing details on the Tactics, Techniques, and Procedures (TTPs) the group utilizes. This is a joint report from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS).
RansomHub, first observed in February 2024, has encrypted and exfiltrated data from at least 210 victims in the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors. RansomHub's Ransomware-as-a-Service (RaaS) model has been attracting high-profile affiliates from other prominent ransomware operations such as LockBit and ALPHV.
RansomHub affiliates typically compromise internet facing systems and user endpoints, using methods such as phishing emails, exploitation of known vulnerabilities, and password spraying attacks. In observed attacks, they utilize several known tools such as AngryIPScanner, Nmap, PowerShell commands, Mimikatz, Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-able, Cobalt Strike, and Metasploit.
The affiliates use these tools to perform network scanning, gather credentials, and move laterally within a network. They have also been observed using defense evasion techniques such as renaming malicious executables to appear benign, clearing logs, and disabling security products. Exploitation of known vulnerabilities with publicly available exploits is a recurring initial-access technique for the group, which makes unpatched internet-facing systems the most straightforward entry point to close.
On August 21st, Halliburton Company disclosed in an SEC filing that it was aware an "unauthorized third party gained access to certain of its systems". Five days after the filing, Halliburton sent an email to suppliers providing additional information, stating that the company took systems offline to protect them and is working with Mandiant to investigate the incident.
The company provided a list of Indicators of Compromise (IoCs) within the email, one of which was a RansomHub ransomware encryptor. At the time of writing, no additional details regarding the incident have been released.
Based on eSentire research, RansomHub is currently the most active ransomware group, posting a high number of victims to their leak site over the past month. The eSentire product suite includes a large number of detections for known RansomHub TTPs. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place for commonly exploited vulnerabilities.
Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations
Bottom Line: The joint FBI advisory on Pioneer Kitten highlights the persistent threat posed by Iranian cyber actors, who combine state-sponsored espionage with financially motivated cybercrime.
On August 28th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory (CSA) warning of Iranian-state-sponsored threat actors targeting U.S. and foreign organizations across various sectors, including education, healthcare, and defense.
The activity in this report is attributed to the Iranian state-sponsored APT group Pioneer Kitten (Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm). According to CISA, the group has previously referred to themselves as Br0k3r, and more recently used the moniker “xplfinder.”
These actors primarily target internet-facing vulnerabilities in networking devices, such as Citrix Netscaler ADC, Fortinet VPN, and Palo Alto firewalls, to gain initial access into victim networks. They then collaborate with ransomware affiliates, such as NoEscape and ALPHV (BlackCat), to monetize their access.
Their involvement goes beyond simply selling access; they are actively engaged in the planning and execution phases of ransomware attacks, working closely with these groups to maximize the impact on the victims and strategize extortion techniques. The Iranian actors also partake in data exfiltration before encrypting networks, ensuring they can further leverage the stolen data in double extortion tactics.
Moreover, the group has been involved in hack-and-leak campaigns, most notably the Pay2Key operation, which targeted Israeli organizations for information operations rather than financial gain. These campaigns are often driven by geopolitical motives and serve to amplify Iran's strategic objectives by combining cyber operations with information warfare.
The advisory also notes that these actors intentionally obscure their Iranian origins, maintaining anonymity and misleading their ransomware affiliates about their true identity and location.
The dual threat posed by these actors necessitates a multifaceted defense strategy. Organizations must prioritize patch management, particularly for internet-facing systems, and enhance monitoring to detect lateral movement and privilege escalation. In addition, implementing zero-trust architectures can help limit the damage if an initial breach occurs.
In response to the CISA joint advisory, eSentire has blocked known malicious infrastructure via the eSentire Global Block list. eSentire TRU is actively tracking Pioneer Kitten for additional details and detection opportunities.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.