Weekly Threat Briefing: Nov 18 - 22, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


#StopRansomware: BianLian Data Extortion Group

Bottom Line: CISA's latest report on BianLian, a notorious Russian-based extortion group, highlights the group's pivot from ransomware and double-extortion tactics to pure data extortion, operationalising initial access to corporate systems faster and attempting to avoid EDR detection in the process.

On November 20th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint advisory on the BianLian ransomware group. The report provides additional information about the group's Tactics, Techniques, and Procedures (TTPs), obtained as of June 2024 through FBI and ASD’s ACSC investigations.

BianLian is a ransomware developer, deployer and data extortion cybercriminal group. The ransomware group has been active since June 2022, and has a history of targeting critical industry, professional services, and property development organizations in both the U.S. and Australia. Starting in January 2023, the group shifted tactics from ransomware attacks with double extortion, to data extortion only.

In its updated advisory, CISA highlights that the ransomware group gained initial access by exploiting public-facing applications on both Windows and ESXi infrastructure, and leveraged the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). They establish Command-and-Control by deploying custom Go-based backdoors. Recent findings suggest they use reverse proxy tools like Ngrok and a modified Rsocks utility to establish SOCKS5 tunnels, concealing the origin of their network traffic. The threat actors manipulate local administrator accounts, including creating new accounts and modifying passwords, to maintain access and evade detection.

The group escalates privileges on Windows systems by exploiting vulnerabilities such as CVE-2022-37969. To evade detection, BianLian disables antivirus tools and tamper protection using PowerShell and the Windows Command Shell, renames binaries to mimic legitimate services, and uses UPX to pack its executables. They conduct network reconnaissance using tools like Advanced Port Scanner and PingCastle, and recent updates indicate an increased reliance on PowerShell scripts for environment discovery, including enumerating running processes, installed software, and local drives.

For credential access, the group uses SessionGopher to extract saved session information for Remote Access Tools (RATs). The attackers maintain persistence and move laterally within the network using tools like PsExec, RDP, SMB, and Netlogon exploitation (CVE-2020-1472), while creating domain admin and Azure AD accounts. They have also been observed installing webshells on compromised Exchange servers to ensure ongoing access. Exfiltration methods rely on tools like Rclone, FTP, and the Mega file-sharing service.
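Two of the TTPs above, local administrator account manipulation and disabling Defender from PowerShell, lend themselves to simple event-log correlation. The following is an added example (not eSentire, CISA or BianLian code) that runs a toy detector over constructed, simplified Windows Security and PowerShell script block events; the pipe-delimited log format and the field names are assumptions for the example, not a real EVTX export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event_id|host|key=value ..." lines that
# mimic Windows Security events 4720/4732/4724 and PowerShell script block
# event 4104. Not a real EVTX export; field names are simplified.
SAMPLE_LOG = """\
2024-11-18T09:12:01|4720|SRV01|TargetUserName=svc_backup SubjectUserName=jdoe
2024-11-18T09:12:05|4732|SRV01|MemberName=svc_backup TargetUserName=Administrators
2024-11-18T09:13:40|4104|SRV01|ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true
2024-11-18T10:01:11|4104|WS07|ScriptBlockText=Get-Process | Select-Object Name
2024-11-18T10:05:22|4724|WS07|TargetUserName=localadmin SubjectUserName=helpdesk
"""

# Script-block patterns for disabling Defender or adding exclusions from PowerShell
# or the command shell, as described for BianLian (illustrative list, not complete).
TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s.*-Disable\w+\s+\$?true", re.I),
    re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b", re.I),
]
ADMIN_WINDOW = timedelta(minutes=10)  # account creation -> Administrators membership

def parse_line(line):
    ts, event_id, host, detail = line.split("|", 3)
    # key=value pairs; a value runs until the next " key=" (adequate for this toy format)
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", detail))
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), "host": host, **fields}

def detect(log_text):
    """Return (rule, host, subject) tuples for matching events, in log order."""
    alerts, created = [], {}  # created: (host, user) -> time of the 4720 event
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if ev["id"] == 4720:
            created[(ev["host"], ev["TargetUserName"])] = ev["ts"]
        elif ev["id"] == 4732 and ev.get("TargetUserName") == "Administrators":
            t0 = created.get((ev["host"], ev.get("MemberName")))
            if t0 is not None and ev["ts"] - t0 <= ADMIN_WINDOW:
                alerts.append(("new_local_admin", ev["host"], ev["MemberName"]))
        elif ev["id"] == 4724 and ev.get("TargetUserName") != ev.get("SubjectUserName"):
            alerts.append(("password_reset_other_account", ev["host"], ev["TargetUserName"]))
        elif ev["id"] == 4104:
            text = ev.get("ScriptBlockText", "")
            if any(p.search(text) for p in TAMPER_PATTERNS):
                alerts.append(("av_tamper_powershell", ev["host"], text))
    return alerts

if __name__ == "__main__":
    for rule, host, subject in detect(SAMPLE_LOG):
        print(f"{host}: {rule} -> {subject}")
```

The benign `Get-Process` script block produces no alert, which is the point of matching on the tamper cmdlets rather than on PowerShell use alone.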

They issue ransom notes threatening to leak stolen information, providing contact details through Tox messenger and onionmail accounts for victim communication. Additionally, employees of victim organizations have reported receiving threatening phone calls from individuals linked to the group.

In response to the advisory by CISA, eSentire’s Threat Response Unit (TRU) is performing indicator-based threat hunts and validating detection coverage. eSentire MDR for Endpoint has rules in place to identify TTPs associated with BianLian. The eSentire TRU team is investigating the topic for additional details and detection opportunities.

Learn more in the full threat briefing here.


Palo Alto Networks PAN-OS Vulnerability

Bottom Line: Palo Alto has disclosed CVE-2024-0012, which is under active exploitation by threat actors. Where network misconfiguration exposes the management interface, the severity score for the vulnerability is raised. Organizations are strongly encouraged to review eSentire’s advisory on the subject.

This week, Palo Alto disclosed two actively exploited vulnerabilities found in PAN-OS. The most concerning vulnerability is CVE-2024-0012 (CVSS: 9.3); exploitation would allow a remote and unauthenticated threat actor to perform administrative actions, edit configurations, and exploit other authenticated vulnerabilities. To date, real-world exploitation has been limited to cases where the device’s management web interface was exposed to the Internet.

Impacted products include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series).

The second vulnerability, tracked as CVE-2024-9474 (CVSS: 6.9), is a privilege escalation flaw. Successful exploitation would allow a threat actor that had already achieved admin access to the management web interface to perform actions on the firewall with root privileges. The vulnerability impacts PAN-OS 10.1, PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series) and WildFire appliances.

Palo Alto stated that exploitation of these vulnerabilities has been observed “against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network”. However, on November 21st, researchers from the Shadowserver Foundation announced that they have identified approximately 2,000 currently compromised Palo Alto devices.

Security researchers from Rapid7 have observed exploitation of the vulnerability in a campaign tracked under the name Operation Lunar Peek. CVE-2024-0012 is exploited to achieve initial access, leading to exploitation of CVE-2024-9474 for privilege escalation. Post-exploitation activity includes the deployment of webshells for persistent access.
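Since the observed attacks required a management web interface reachable from the Internet, the first thing to verify is the firewall's management allow-list. The following is an added example (not Palo Alto's or eSentire's code) that reads a PAN-OS-style XML configuration and flags an unrestricted management interface; the config fragments are constructed, and the `deviceconfig/system/permitted-ip` path is an assumption about the config layout that should be checked against a real export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style running-config fragments. The assumed location of the
# management allow-list is deviceconfig/system/permitted-ip (one <entry name=CIDR/>
# per allowed source); verify the path against your own running-config export.
EXPOSED_CFG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><hostname>fw-edge</hostname></system></deviceconfig>
</entry></devices></config>"""
RESTRICTED_CFG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><hostname>fw-core</hostname>
<permitted-ip><entry name="10.20.0.0/24"/><entry name="10.20.1.5/32"/></permitted-ip>
</system></deviceconfig></entry></devices></config>"""

def management_permitted_ips(config_xml):
    """Return the CIDR allow-list for the management interface ([] if none is set)."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.findall(".//deviceconfig/system/permitted-ip/entry")]

def assess_management_exposure(config_xml):
    """Return (risk, reason). 'high' means any Internet source could reach the
    management web interface, the precondition for the observed CVE-2024-0012 attacks."""
    nets = management_permitted_ips(config_xml)
    if not nets:
        return "high", "no permitted-ip list: management interface accepts any source"
    for cidr in nets:
        net = ipaddress.ip_network(cidr, strict=False)
        # a /0 or any non-private range opens the interface to public address space
        if net.prefixlen == 0 or not net.is_private:
            return "high", f"permitted-ip {cidr} covers public address space"
    return "low", f"management access limited to {len(nets)} private source network(s)"

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CFG), ("restricted", RESTRICTED_CFG)):
        print(label, *assess_management_exposure(cfg))
```

A "low" result only covers the allow-list; the interface should still not be bound to an Internet-facing data-plane interface, and patching remains the fix for the vulnerability itself.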

Here is how eSentire has responded to the disclosure of these vulnerabilities:

Learn more in the full threat briefing here.


DPRK IT Workers Network

Bottom Line: By pretending to be legitimate U.S.-based software and technology consulting firms, North Korean operatives seek to build trust and gain access to sensitive contracts, while bypassing sanctions and avoiding detection.

On November 21st, a report from SentinelOne Labs revealed that the U.S. government recently took down the websites of four companies identified as fronts for threat actors from the Democratic People's Republic of Korea (DPRK). North Korea employs highly skilled IT professionals who engage in various cybercriminal activities that serve the national interests.

The report highlighted that North Korean threat actors impersonated legitimate software companies from around the world, presenting themselves as U.S.-based firms to attract potential victims. The threat actors have also been observed engaging in multiple campaigns where skilled IT personnel impersonate professionals from other countries using fake identities to secure remote jobs, successfully infiltrating organizations. They have also executed campaigns in which the threat actors pose as employers to entice job seekers from the software industry into interview processes, with the aim of delivering malware during these interactions.

The threat actors copied content from the websites of legitimate software development and consulting organizations around the globe to build the sites for the front companies mentioned in the SentinelOne report. While the websites featured content identical to the original company websites, they included additional information aimed at suggesting that these companies were U.S.-based. They also included contact details on the websites, expecting victims to reach out to them. After identifying these front companies, U.S. government agencies disrupted the websites and seized the domains associated with the companies. The SentinelOne Labs team found connections between the four websites, suggesting that the DPRK front companies likely originated from China.

Outside of SentinelOne, there have been various recent reports on related DPRK activity. Unit 42 identified two campaigns linked to North Korean state-sponsored threat actors: "Contagious Interview" (tracked as CL-STA-0240), where they pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret, and "Wagemole" (tracked as CL-STA-0241), which involves seeking unauthorized employment for financial gain and espionage. Recently, Unit 42 researchers identified a North Korean IT worker activity cluster (tracked as CL-STA-0237) involved in a phishing campaign. The cluster compromised a US-based small-and-medium-sized business (SMB) IT services company to apply for jobs and conduct the malware operations. They secured employment at a major tech company in 2022, gaining access to sensitive systems, including SSO accounts. On July 23rd, KnowBe4 released a blog disclosing information on a North Korean fake IT worker that attempted to infiltrate their organization. Before identification, the attacker was able to perform several actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software.

The eSentire Security Operations Center (SOC) has observed an incident in which BeaverTail and InvisibleFerret malware were identified impacting a customer. Such incidents indicate that the DPRK threat actors’ malicious campaigns are active, and continuous monitoring is essential to detect these activities proactively.

The eSentire MDR Product Suite has a variety of detections in place to identify activities associated with BeaverTail and InvisibleFerret. eSentire’s Threat Response Unit (TRU) has published two TRU Positive blogs on the BeaverTail malware, titled Bored BeaverTail Yacht Club – A Lazarus Lure and Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.