Weekly Threat Briefing: July 22 - 26, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Critical ServiceNow Vulnerabilities Actively Exploited

On July 10th, ServiceNow, a widely used enterprise service management platform, released updates for CVE-2024-4879 (CVSS: 9.3), CVE-2024-5217 (CVSS: 9.2), and CVE-2024-5178 (CVSS: 6.9). Both CVE-2024-4879 and CVE-2024-5217 are input validation vulnerabilities that enable an unauthenticated, remote attacker to execute arbitrary code within the Now Platform.

This access could potentially result in compromise, data theft, and disruption of business operations. CVE-2024-5178 enables users with administrative privileges to gain unauthorized access to sensitive files on the web application server.

On July 11th, Assetnote published a technical analysis explaining how to exploit the vulnerabilities. These vulnerabilities can be chained together to first establish remote code execution, then to access sensitive information including usernames and password hashes. Shortly after the analysis was released, Proof-of-Concept (PoC) exploit code and vulnerability scanners began appearing on GitHub.

Attackers have been able to combine the PoC exploit code with the scanners to gain access to multiple ServiceNow instances. Assetnote also highlights that self-hosted instances are at higher risk because of poor patching practices and possible misconfigurations that allow attackers to exploit vulnerable instances.

The identified vulnerabilities in ServiceNow (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) pose a substantial threat to enterprise security across various industries. ServiceNow's extensive use as a critical enterprise service management platform means that the exploitation of these vulnerabilities can lead to significant disruptions and data breaches. Industries such as government, energy, data centers, and software firms are particularly at risk, as these sectors rely heavily on ServiceNow for their operational workflows and data management.

On July 26th, eSentire published a security advisory regarding the ongoing exploitation of the ServiceNow vulnerabilities. eSentire’s Threat Response Unit (TRU) has developed detections to identify vulnerability exploitation attempts. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all three vulnerabilities.

As updates are available, it is highly recommended that any organization using ServiceNow, especially those running self-hosted instances, apply the patches immediately.


Indictment Sheds Light on North Korean Group’s Use of Ransomware to Fund Espionage Operations

On July 24th, 2024, a grand jury in Kansas City, Kansas returned an indictment charging a North Korean national with involvement in various attacks against U.S. hospitals and healthcare providers. The indictment links the attacks to Andariel (also tracked as Onyx Sleet, Silent Chollima and APT45), a unit within North Korea's primary military intelligence agency, the Reconnaissance General Bureau (RGB).

In its press release, the U.S. Department of Justice (DOJ) describes how Andariel actors used Maui ransomware to extort U.S.-based hospitals and other healthcare providers throughout 2021 and 2022. Ransom payments were laundered and used to purchase internet infrastructure (such as virtual private servers), which was subsequently used in intelligence-gathering operations. Victims of those intelligence-gathering operations include NASA, various U.S. Air Force bases, U.S. and South Korean defense companies, and a Chinese energy company.

In conjunction with the above indictment, CISA, Microsoft and Google Mandiant released reports providing insights into North Korean-aligned actors, with a focus on the RGB 3rd Bureau/APT45/Andariel/Onyx Sleet.

Common Tactics, Techniques and Procedures (TTPs) for this group include initial access via n-day vulnerabilities followed by deployment of custom malware including RATs and ransomware. They are also known to leverage off-the-shelf tooling such as Remote Monitoring and Management (RMM) tools and open-source offensive security tooling.

North Korean-aligned threat groups are a concern not only for the Government and Defense sectors, but also for Manufacturing, Healthcare and Finance. Organizations should account for this in their threat modelling and review the advisories from CISA, Microsoft and Mandiant for actionable steps to reduce risk.


North Korean Fake IT Worker Infiltration Attempt

On July 23rd, KnowBe4 released a blog post detailing a recent security incident in which a North Korean operative attempted to infiltrate KnowBe4 by posing as a U.S.-based IT worker. This individual utilized a stolen identity, supplemented with an AI-enhanced photograph, to successfully pass background checks and interview processes.

Upon being hired, the operative received a company-provided Mac workstation, which they promptly attempted to compromise with malware. The malware deployment was detected by the company’s Endpoint Detection and Response (EDR) software, which immediately flagged the suspicious activity.

KnowBe4's Security Operations Center (SOC) responded swiftly, contacting the new hire, whose inconsistent and evasive responses raised further suspicion. This led to the involvement of the external cybersecurity firm Mandiant as well as the FBI, both of which confirmed the individual's North Korean origins. The operative used Virtual Private Networks (VPNs) to mask their true location and leveraged a Raspberry Pi device to facilitate malware downloads.

Adding to the complexity of this infiltration attempt is the concept of "IT mule laptop farms." In this scenario, the fake worker requests that their workstation be sent to an address that is essentially a farm of such devices. These farms, located inside the U.S. (or other target countries), facilitate the operatives' ability to VPN into the company network from their actual location, often in North Korea or across the border in China.

They typically work night shifts to align with U.S. daytime hours, maintaining the illusion of being a U.S.-based employee. The operatives perform real work, earning salaries that are substantially redirected to fund North Korea's illicit programs.

Organizations should regularly audit devices for suspicious remote activity, improve vetting processes to verify physical locations, and scrutinize resumes for career inconsistencies. Video interviews that focus on the specifics of a candidate's work, combined with flagging discrepancies such as a laptop shipping address that differs from the stated home address, can help identify potential threats.

Enhanced background checks, more thorough reference verifications, and continuous monitoring for unauthorized access attempts are also critical. Strengthening access controls and authentication processes, along with conducting regular security awareness training, can further mitigate risks.

Be alert for the use of VoIP numbers and a lack of digital footprint in the provided contact information, discrepancies in personal details such as address and date of birth, conflicting personal information such as marital status, and sophisticated use of VPNs or virtual machines to access company systems.

Attempts to execute malware and subsequent cover-up efforts are significant red flags. Additionally, continuous monitoring through advanced EDR solutions is crucial for detecting and responding to anomalies in real-time.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.