In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Sources:
- https://www.bleepingcomputer.com/news/security/advance-auto-parts-stolen-data-for-sale-after-snowflake-attack/
- https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
- https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access
Entities:
- Advance Auto Parts
- Snowflake
- Sp1d3r (threat actor)
Indicators of Compromise:
- DBeaver_DBeaverUltimate
- Known IPs found here
Attack Vector:
- Breach of Advance Auto Parts’ Snowflake cloud storage environment
- Exfiltration of customer records, orders, loyalty card numbers, and employee data
- Sale of stolen data by threat actor ‘Sp1d3r’ on hacking forum
Risk Impact:
- Compromised personal and financial information of customers and employees
- Potential identity theft, fraud, and phishing attacks
- Reputational damage to Advance Auto Parts
Detailed Description:
- Mandiant identified a campaign by UNC5537 targeting Snowflake customer instances for data theft and extortion.
- Using credentials stolen through various infostealer malware, UNC5537 has accessed multiple Snowflake instances, exfiltrated data, and attempted to extort victims.
- The threat actor advertises stolen data on cybercrime forums. Investigations revealed that the lack of MFA and outdated credentials were primary reasons for the successful compromises.
- The campaign underscores the need for robust credential security measures.
- Threat actors, using the alias Sp1d3r, claim to have stolen 3TB of data from Advance Auto Parts’ Snowflake cloud storage.
- The stolen data includes extensive customer and employee information, sales history, and transaction details.
- The breach appears to be part of a larger campaign targeting multiple Snowflake customers.
- Investigations indicate that the attackers used stolen credentials to access Snowflake accounts with disabled multi-factor authentication.
Recommendation:
- Enable Multi-Factor Authentication (MFA): Ensure MFA is enabled for all accounts accessing Snowflake instances.
- Credential Management: Regularly rotate credentials.
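The two recommendations above can be checked directly against Snowflake's own account-usage data. The script below is an added example written for this bulletin, not code from Mandiant, Snowflake or the SOC: it triages a login-history extract for the pattern described in the campaign (password-only logins, the DBeaver_DBeaverUltimate client named in the indicators, and logins from outside known egress ranges) and lists active users with no MFA enrolled. The rows are constructed, and the column names (USER_NAME, CLIENT_IP, REPORTED_CLIENT_APPLICATION_ID, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EXT_AUTHN_DUO, DISABLED) are modelled on the ACCOUNT_USAGE LOGIN_HISTORY and USERS views as I understand them; verify them against your account before relying on the output. The trusted network range is also a placeholder.

```python
import ipaddress

# Constructed sample rows modelled on SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
# (column names are an assumption; check them against your own account).
LOGIN_HISTORY = [
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "10.20.0.15",
     "REPORTED_CLIENT_APPLICATION_ID": "SnowSQL 1.2.32",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.77",
     "REPORTED_CLIENT_APPLICATION_ID": "DBeaver_DBeaverUltimate",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST2", "CLIENT_IP": "198.51.100.9",
     "REPORTED_CLIENT_APPLICATION_ID": "PythonConnector 3.6.0",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST3", "CLIENT_IP": "203.0.113.5",
     "REPORTED_CLIENT_APPLICATION_ID": "DBeaver_DBeaverUltimate",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]

# Constructed sample rows modelled on SNOWFLAKE.ACCOUNT_USAGE.USERS.
USERS = [
    {"NAME": "ANALYST1", "EXT_AUTHN_DUO": True, "DISABLED": False},
    {"NAME": "SVC_ETL", "EXT_AUTHN_DUO": False, "DISABLED": False},
    {"NAME": "OLD_CONTRACTOR", "EXT_AUTHN_DUO": False, "DISABLED": True},
]

# Client application IDs listed as indicators of compromise in the bulletin.
IOC_CLIENT_APPS = ("DBeaver_DBeaverUltimate",)

# Placeholder corporate egress range; replace with your real allow-list.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def _from_trusted_network(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_logins(rows, ioc_apps=IOC_CLIENT_APPS, networks=TRUSTED_NETWORKS):
    """Return (user, reasons) for each successful login that matches the
    campaign pattern: IoC client, password-only auth, or untrusted source IP.
    Failed logins are skipped; they belong in a separate brute-force check."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue
        reasons = []
        app = row["REPORTED_CLIENT_APPLICATION_ID"] or ""
        if any(app.startswith(ioc) for ioc in ioc_apps):
            reasons.append("ioc_client")
        if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not row["SECOND_AUTHENTICATION_FACTOR"]):
            reasons.append("password_only")
        if not _from_trusted_network(row["CLIENT_IP"], networks):
            reasons.append("untrusted_ip")
        if reasons:
            findings.append((row["USER_NAME"], reasons))
    return findings


def users_without_mfa(users):
    """Active users with no Duo MFA enrolment, sorted by name."""
    return sorted(u["NAME"] for u in users
                  if not u["DISABLED"] and not u["EXT_AUTHN_DUO"])


if __name__ == "__main__":
    for user, reasons in triage_logins(LOGIN_HISTORY):
        print(f"{user}: {', '.join(reasons)}")
    print("no MFA:", users_without_mfa(USERS))
```

The same logic maps onto a scheduled query against the two views; the point of the "password_only" reason is that a login with no second factor from a client or address you do not recognise is exactly the combination the bulletin describes.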
Sources:
Entities:
- PHP for Windows (versions 5.x, 7.x, 8.0, 8.1, 8.2, 8.3)
- XAMPP installations on Windows
Attack Vector: Remote Code Execution (RCE) via character encoding conversion flaw in CGI mode
Risk Impact:
- The flaw bypasses previous protections for CVE-2012-1823.
- Default configurations in XAMPP installations on Windows are particularly at risk.
- Threat actors are already scanning for vulnerable servers, indicating active exploitation attempts.
Detailed Description:
- A critical remote code execution (RCE) vulnerability, CVE-2024-4577, affecting all PHP versions for Windows, has been disclosed.
- Discovered by Orange Tsai from Devcore, the flaw stems from improper handling of character encoding conversions in CGI mode.
- This oversight allows attackers to bypass protections from CVE-2012-1823, leading to arbitrary code execution.
- The PHP team has released patches, but due to the widespread use of PHP, many systems remain at risk.
- The Shadowserver Foundation has detected active scanning for this vulnerability, highlighting the urgency of applying updates.
Recommendation:
- Upgrade to patched PHP versions: PHP 8.3.8, PHP 8.2.20, PHP 8.1.29.
- For systems unable to upgrade immediately or using EoL versions, apply mod_rewrite rules to block attack patterns.
- Comment out the ‘ScriptAlias’ directive in the Apache configuration file if PHP CGI is not needed in XAMPP.
- Check the ‘Server API’ value using phpinfo() to determine if PHP-CGI is in use.
- Consider migrating from CGI to more secure alternatives such as FastCGI, PHP-FPM, or mod_php.
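Because the fixed versions differ per branch and several affected branches receive no fix at all, a quick classifier helps an administrator decide between "upgrade", "mitigate with mod_rewrite", and "no CGI exposure". The script below is an added example, not code from PHP, Devcore or the SOC: it takes the version string from `php -v` (or phpinfo()) and the phpinfo() "Server API" value and reports where the install stands against the patched releases listed above. The rule that only a Server API beginning with "CGI" is exposed is my reading of the bulletin (the flaw is in CGI mode); installs that are not in CGI mode are still reported so they can be scheduled for the upgrade.

```python
import re

# Patched releases named in the bulletin, keyed by minor branch.
PATCHED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Branches the bulletin lists as affected but end-of-life, so no fix ships.
# Entries may be a major version alone, e.g. (7,), or a major.minor pair.
EOL_BRANCHES = {(5,), (7,), (8, 0)}


def parse_version(text):
    """Extract the first x.y.z version from `php -v` output (or any string)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no PHP version found in input")
    return tuple(int(g) for g in m.groups())


def assess_php(version_text, server_api):
    """Return (patch_status, cgi_exposed).

    patch_status is one of 'patched', 'vulnerable', 'eol' or 'unknown';
    cgi_exposed is True when the phpinfo() Server API value indicates the
    CGI handler (assumption: values beginning with 'CGI', e.g. 'CGI/FastCGI').
    """
    ver = parse_version(version_text)
    cgi_exposed = server_api.strip().upper().startswith("CGI")
    branch = ver[:2]
    if branch in PATCHED:
        status = "patched" if ver >= PATCHED[branch] else "vulnerable"
    elif ver[:1] in EOL_BRANCHES or branch in EOL_BRANCHES:
        status = "eol"
    else:
        status = "unknown"
    return status, cgi_exposed


def recommended_action(version_text, server_api):
    """Map the assessment onto the bulletin's recommendations."""
    status, cgi = assess_php(version_text, server_api)
    if status == "patched":
        return "none"
    if status == "vulnerable":
        return "upgrade"
    if status == "eol":
        # No fixed release exists: block the pattern or disable CGI.
        return "mitigate_or_disable_cgi" if cgi else "migrate_off_eol"
    return "review"


if __name__ == "__main__":
    # Constructed sample inputs, as they would come from `php -v` and phpinfo().
    samples = [
        ("PHP 8.2.19 (cli) (built: May  8 2024 09:10:11) (ZTS Visual C++ 2019 x64)", "CGI/FastCGI"),
        ("PHP 8.3.8 (cli)", "Apache 2.0 Handler"),
        ("PHP 7.4.33 (cli)", "CGI/FastCGI"),
    ]
    for text, api in samples:
        print(text.split()[1], api, assess_php(text, api), recommended_action(text, api))
```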
Sources:
Entities:
- Educational organizations in the U.S.
- VPN gateway vendors
Indicators of Compromise:
- Encrypted file extensions: .FOG, .FLOCKED
- Ransom note file: readme.txt
- PsExec
Attack Vector: Compromised VPN credentials for initial access
Risk Impact:
- Network breaches and data encryption
- Data theft for double-extortion
- Disruption of educational operations
Detailed Description:
- The Fog ransomware operation, identified in early May 2024, is targeting U.S. educational institutions using compromised VPN credentials.
- Once inside the network, attackers use techniques like pass-the-hash and credential stuffing to access valuable accounts and deploy ransomware.
- The ransomware disables security features, performs multi-threaded encryption, and appends file extensions (.FOG or .FLOCKED).
- Encrypted files are accompanied by a ransom note directing victims to a Tor-based negotiation site.
- The operation is still under investigation, and it is unclear if it operates as a RaaS or within a small group of cybercriminals.
Recommendation:
- Update and secure VPN credentials, and enforce strong, unique passwords.
- Regularly update and patch VPN gateway software.
- Implement multi-factor authentication (MFA) for remote access.
- Regularly back up data and ensure backups are secure and offline.
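The file-based indicators above (the .FOG and .FLOCKED extensions and the readme.txt note) are simple enough to sweep for on file servers and backup targets. The script below is an added example written for this bulletin, not code from the SOC or any vendor: it walks a directory tree, counts files carrying the encrypted extensions, records any ransom notes, and raises an alert when the count crosses a threshold or when encrypted files and a note appear together (a lone readme.txt is too common to alert on by itself). The sample tree it builds is constructed; the threshold is a placeholder to tune per share.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions and note name listed as indicators in the bulletin.
ENCRYPTED_EXTENSIONS = {".fog", ".flocked"}
RANSOM_NOTE_NAME = "readme.txt"


def scan_tree(root, alert_threshold=5):
    """Sweep a directory tree for Fog indicators and return a summary dict."""
    root = Path(root)
    encrypted = []
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
            encrypted.append(path)
        elif path.name.lower() == RANSOM_NOTE_NAME:
            notes.append(path)
    # Alert on volume alone, or on encrypted files appearing alongside a note.
    alert = len(encrypted) >= alert_threshold or (bool(encrypted) and bool(notes))
    return {
        "encrypted_count": len(encrypted),
        "extensions": sorted({p.suffix.lower() for p in encrypted}),
        "ransom_notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "alert": alert,
    }


def build_sample_tree():
    """Create a constructed directory tree that mimics a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="fog_demo_"))
    (root / "finance").mkdir()
    for i in range(3):
        (root / "finance" / f"budget{i}.xlsx.fog").write_bytes(b"\x00" * 16)
    (root / "finance" / "readme.txt").write_text("constructed placeholder note\n")
    (root / "hr").mkdir()
    (root / "hr" / "policy.docx").write_bytes(b"PK")          # untouched file
    (root / "hr" / "handbook.pdf.FLOCKED").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        print(scan_tree(sample))
    finally:
        shutil.rmtree(sample)
```

Run against a real share, point `scan_tree` at the mount point and schedule it; on a live incident the `extensions` field also tells you which variant you are dealing with.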
Sources:
Entities:
- Microsoft
- Tenable
Attack Vector: Network
Risk Impact:
- Attackers could gain unauthorized access to cloud resources, leading to potential data breaches or malicious operations.
- If exploited, the vulnerability could lead to disruptions in service for Azure customers, affecting business operations and service reliability.
Detailed Description:
- The Microsoft Security Response Center (MSRC) has issued a warning about vulnerabilities in Azure Service Tags that could allow malicious actors to bypass firewall protections.
- These vulnerabilities impact 10 Azure services, including Azure Application Insights, Azure DevOps, and Azure Machine Learning, allowing attackers to forge requests that seem to originate from trusted Azure services.
- The vulnerability arises when Azure services allow inbound traffic via a service tag, which could be exploited to send specially crafted web requests across tenants.
- There is currently no evidence of these vulnerabilities being exploited in the wild, but the inherent risk remains significant due to the potential for impersonating trusted services.
Recommendation:
- Do not treat service tags as security boundaries. Implement additional validation controls to ensure that incoming traffic is thoroughly vetted.
- Regularly review firewall rules that depend on service tags for security. Adjust these rules to incorporate multi-layered security measures beyond service tags.
- Update security documentation and train IT staff on potential risks associated with service tags and the importance of using them with other security protocols.
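Reviewing firewall rules that lean on service tags is mostly a matter of listing inbound allow rules whose source is a tag rather than an address range. The script below is an added example, not Microsoft's or Tenable's code: it audits a list of NSG security rules and flags every inbound Allow whose source is a service tag (reported as a trust-boundary finding) or is wide open. The rules are constructed and their field names (name, direction, access, priority, sourceAddressPrefix, sourceAddressPrefixes) are modelled on the JSON that `az network nsg rule list` returns, which is an assumption to verify; AzureDevOps, AzureCloud and Internet are real service tag names.

```python
import ipaddress

# Constructed NSG rules in the shape of `az network nsg rule list` output
# (field names are an assumption; adjust to the exporter you use).
NSG_RULES = [
    {"name": "AllowDevOpsHooks", "direction": "Inbound", "access": "Allow",
     "priority": 100, "sourceAddressPrefix": "AzureDevOps",
     "destinationPortRange": "443"},
    {"name": "AllowMgmtSubnet", "direction": "Inbound", "access": "Allow",
     "priority": 110, "sourceAddressPrefix": "10.0.0.0/8",
     "destinationPortRange": "22"},
    {"name": "AllowAnyHttps", "direction": "Inbound", "access": "Allow",
     "priority": 120, "sourceAddressPrefix": "*",
     "destinationPortRange": "443"},
    {"name": "AllowPartnerRanges", "direction": "Inbound", "access": "Allow",
     "priority": 130, "sourceAddressPrefixes": ["198.51.100.0/24", "AzureCloud"],
     "destinationPortRange": "8443"},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "priority": 4096, "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowOutboundAzure", "direction": "Outbound", "access": "Allow",
     "priority": 100, "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "AzureCloud"},
]


def classify_source(prefix):
    """'cidr' for an IP or range, 'open' for any-source, else 'service_tag'."""
    if prefix in ("*", "Internet"):
        return "open"
    try:
        ipaddress.ip_network(prefix, strict=False)
        return "cidr"
    except ValueError:
        return "service_tag"


def audit_nsg(rules):
    """Return (rule name, source, kind) for every inbound Allow rule whose
    source is a service tag or is open to any address. Deny rules and
    outbound rules are ignored, as are explicit IP ranges."""
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
        for src in sources:
            kind = classify_source(src)
            if kind != "cidr":
                findings.append((rule["name"], src, kind))
    return findings


if __name__ == "__main__":
    for name, src, kind in audit_nsg(NSG_RULES):
        advice = ("service tag is not a security boundary; require auth on the service"
                  if kind == "service_tag" else "open to any source; restrict it")
        print(f"{name}: source {src!r} -> {advice}")
```

A finding of kind `service_tag` is not by itself a misconfiguration; it is the cue to confirm that the listening service authenticates its callers rather than trusting the network path, which is the bulletin's first recommendation.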
Sources:
- https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/
- https://www.veeam.com/kb4510
Entities: Veeam
Attack Vector: VMware SSO Token sent to vulnerable Veeam service
Risk Impact: Hackers could gain unauthorized access to Veeam backups and restoration services
Detailed Description:
- Proof-of-concept (PoC) exploit for CVE-2024-29849, a Veeam Backup Enterprise Manager authentication bypass flaw, is publicly available.
- The flaw resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service, which listens on TCP port 9398 and serves as the REST API server for the main web application.
- Exploit involves sending a specially crafted VMware single-sign-on (SSO) token to the vulnerable service via the Veeam API.
- Token contains authentication request impersonating an administrator user and an SSO service URL that Veeam doesn’t verify.
- The Base64-encoded SSO token is decoded and parsed as XML, and Veeam validates its authenticity with a SOAP request to the attacker-controlled URL.
- The attacker then sets up a rogue server responding affirmatively to validation requests, leading Veeam to accept the authentication request, granting administrator access to the attacker.
Recommendation:
- Veeam issued a security bulletin on May 21, recommending an upgrade to Veeam Backup Enterprise Manager version 12.1.2.172.
Sources:
Entities:
- Microsoft
Attack Vector: Deprecated DirectAccess remote access solution
Risk Impact: Companies relying on DirectAccess might face security risks and operational disruptions once it is removed from Windows.
Detailed Description:
- Microsoft has announced that the DirectAccess remote access solution is deprecated and will be removed in a future release of Windows.
- DirectAccess, introduced in Windows 7 and Windows Server 2008 R2, provides domain-joined remote users with an “always on” connection to internal corporate networks without using VPN connections.
- This system is widely used by remote employees requiring constant access to corporate resources and IT administrators managing devices outside the corporate network.
- As a replacement, Microsoft recommends migrating to ‘Always On VPN’ for enhanced security and continued support.
- Always On VPN, available on Windows Server 2016, Windows 10, and later versions, supports modern VPN protocols like IKEv2 and SSTP and offers multi-factor authentication (MFA) for better security.
- Always On VPN is more flexible than DirectAccess, working with both domain-joined and non-domain-joined devices.
- Migration should be planned and executed promptly to avoid downtime or issues when DirectAccess is eventually removed.
- Microsoft published a migration guide suggesting a phased approach, allowing for easier troubleshooting and transition.
- The guide includes details on issuing the required certificates, deploying new VPN configurations with PowerShell scripts, Intune management tips, and monitoring problems via Microsoft Endpoint Configuration Manager.
- Post-migration steps include removing the DirectAccess server role, updating DNS records, and decommissioning the server from Active Directory Domain Services (AD DS).
Recommendation:
- Users are advised to migrate to “Always On VPN” as soon as possible to avoid future disruptions.
- Follow Microsoft’s migration guide to ensure a smooth transition and to maintain continuous access and security.
Sources:
Entities:
- Microsoft
Attack Vector:
- Threat actors can exploit the identified vulnerabilities, particularly the critical RCE flaw in MSMQ, by sending specially crafted packets to vulnerable systems over the network, leading to remote code execution.
Risk Impact:
- Failure to apply the security patches released by Microsoft could leave systems vulnerable to exploitation by threat actors, potentially resulting in unauthorized access, data breaches, and system compromise.
Detailed Description:
- Microsoft released its Patch Tuesday updates for June 2024, addressing 51 vulnerabilities, including one critical and 50 important flaws.
- The critical vulnerability, CVE-2024-30080, resides in the Microsoft Message Queuing (MSMQ) service and could lead to remote code execution (RCE) if exploited by an attacker sending a specially crafted MSMQ packet.
- Other RCE vulnerabilities resolved in the update affect Microsoft Outlook, Windows Wi-Fi Driver, and various components of the Windows operating system.
- Additionally, privilege escalation flaws in Windows Win32 Kernel Subsystem, Windows Cloud Files Mini Filter Driver, and Win32k have been patched.
- The critical nature of CVE-2024-30080 underscores the potential severity of the vulnerability, enabling attackers to execute arbitrary code on the target system remotely.
- Security researchers have highlighted the ease of exploitation for certain vulnerabilities, such as CVE-2024-30103, which allows for code execution without user interaction, increasing the risk of initial access and system compromise.
- Beyond Microsoft, numerous other vendors have also released security updates to address vulnerabilities across a wide range of products and services.
Recommendation:
- Promptly apply the latest security updates released by Microsoft to mitigate the risk posed by the identified vulnerabilities.
- Employ network segmentation and firewall configurations to limit exposure to potentially vulnerable services such as Microsoft Message Queuing (MSMQ).
- Utilize intrusion detection and prevention systems to monitor and block malicious network traffic targeting known vulnerabilities.
Sources:
- https://blog.eclecticiq.com/onnx-store-targeting-financial-institution
- https://www.bleepingcomputer.com/news/security/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms/
Entities:
- Financial institutions
- Microsoft 365
- ONNX
Indicators of Compromise:
- Phishing URLs:
- authmicronlineonfication[.]com
- verify-office-outlook[.]com
- stream-verify-login[.]com
- zaq[.]gletber[.]com
- v744[.]r9gh2[.]com
- bsifinancial019[.]ssllst[.]cloud
- 473[.]kernam[.]com
- docusign[.]multiparteurope[.]com
- 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com
- agchoice[.]us-hindus[.]com
- Malicious PDF Files:
- 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
- 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
- 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
- f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
- 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
- 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
- 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
- 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
- d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
- 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732
- ONNX Store API Error Page:
- 0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b926856
- Admin panel of ONNX Store (medium confidence):
- onnx[.]su
- 5[.]181[.]156[.]247
Attack Vector:
- Phishing emails with embedded QR codes in PDF attachments
- QR codes redirecting to phishing landing pages designed to steal login credentials and 2FA tokens
Risk Impact: Increased success rate of business email compromise (BEC) attacks due to the 2FA bypass mechanism, leading to credential theft, unauthorized account access, and potential ransomware attacks.
Detailed Description:
- In February 2024, analysts at EclecticIQ discovered that financial institutions were being targeted by phishing campaigns using QR codes embedded in PDFs.
- These attacks were facilitated by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which is accessed through Telegram bots.
- ONNX Store includes a 2FA bypass mechanism, which increases the success of BEC attacks by mimicking Microsoft 365 login pages.
- Analysts believe ONNX Store is a rebranding of the Caffeine phishing kit due to infrastructural and operational similarities.
- The platform leverages Cloudflare to protect phishing domains and uses encrypted JavaScript to complicate detection and analysis.
- ONNX Store offers various services, including phishing page templates and bulletproof hosting for cybercriminals.
Recommendation:
- Educate employees about the dangers of scanning QR codes from unknown sources.
- Implement advanced email filtering and QR code scanning solutions.
- Regularly update anti-phishing training and simulations.
SOC Response:
- The SOC has created a monitoring rule for potential ONNX phishing activity based on the indicators of compromise known at this time.
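The indicator list above is defanged (`[.]` in place of `.`), so it has to be normalised before it can be matched against proxy logs or file inventories. The script below is an added example written for this bulletin, not the SOC's monitoring rule or EclecticIQ's code: it refangs a subset of the domains, the admin-panel IP and two of the PDF hashes from the list, then runs them over constructed proxy log lines and a constructed file-hash inventory. Domains match on the exact host or any subdomain of it, so traffic to a host under onnx[.]su is caught as well. The log format (`timestamp source action url`) is an assumption about the proxy export.

```python
import re
from urllib.parse import urlsplit

# Subset of the indicators in the bulletin, kept defanged as published.
DEFANGED_DOMAINS = [
    "authmicronlineonfication[.]com",
    "verify-office-outlook[.]com",
    "docusign[.]multiparteurope[.]com",
    "onnx[.]su",
]
DEFANGED_IPS = ["5[.]181[.]156[.]247"]
PDF_HASHES = {
    "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
    "47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable host or IP."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Assumed proxy log layout: "<timestamp> <source ip> <action> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<action>\S+)\s+(?P<url>\S+)$")

# Constructed sample log lines; only the hosts below are meaningful.
PROXY_LOGS = [
    "2024-06-20T09:12:01Z 10.1.5.23 ALLOW https://verify-office-outlook.com/login",
    "2024-06-20T09:12:05Z 10.1.5.23 ALLOW https://login.microsoftonline.com/common",
    "2024-06-20T09:13:44Z 10.1.7.8 ALLOW https://cdn.docusign.multiparteurope.com/q?id=1",
    "2024-06-20T09:15:00Z 10.1.9.2 ALLOW http://5.181.156.247/api",
    "malformed line that should be skipped",
]

# Constructed file inventory: path -> SHA-256 (one entry equals a listed hash).
FILE_INVENTORY = {
    "C:/Users/a.user/Downloads/invoice.pdf":
        "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
    "C:/Users/a.user/Downloads/report.pdf":
        "0000000000000000000000000000000000000000000000000000000000000000",
}


def match_proxy_logs(lines, domains=DEFANGED_DOMAINS, ips=DEFANGED_IPS):
    """Return (source ip, host seen, matched indicator) for each hit."""
    hosts = [refang(d) for d in domains]
    addrs = {refang(i) for i in ips}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        matched = next((d for d in hosts if host == d or host.endswith("." + d)), None)
        if matched is None and host in addrs:
            matched = host
        if matched:
            hits.append((m["src"], host, matched))
    return hits


def match_hashes(inventory, known=PDF_HASHES):
    """Return paths whose SHA-256 is in the known-bad set."""
    known = {h.lower() for h in known}
    return sorted(path for path, digest in inventory.items() if digest.lower() in known)


if __name__ == "__main__":
    for src, host, ioc in match_proxy_logs(PROXY_LOGS):
        print(f"{src} -> {host} (matches {ioc})")
    print("known-bad files:", match_hashes(FILE_INVENTORY))
```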
Sources:
- https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
Entities:
- VMware vCenter Server 7.0, 8.0
- VMware Cloud Foundation 4.x, 5.x
Attack Vector:
- Network access to vCenter Server, exploiting heap-overflow vulnerabilities (CVE-2024-37079 and CVE-2024-37080)
- Authenticated local user exploiting misconfigured sudo (CVE-2024-37081)
Risk Impact: Remote Code Execution (RCE), Local Privilege Escalation (LPE), and potential control over vCenter Server and associated infrastructure
Detailed Description:
- VMware has released patches for three critical vulnerabilities in vCenter Server:
- CVE-2024-37079: A heap-overflow in DCERPC protocol, allowing RCE.
- CVE-2024-37080: Similar heap-overflow in DCERPC protocol, allowing RCE.
- CVE-2024-37081: Misconfiguration of sudo, allowing LPE to root.
- The affected versions are vCenter Server 7.0, 8.0, and Cloud Foundation 4.x, 5.x.
- No workarounds or mitigations are available, and admins must apply updates immediately.
Recommendation:
- Apply the security updates for vCenter Server 8.0 U2d, 8.0 U1e, and 7.0 U3r, and for Cloud Foundation as per KB88287.
Sources:
- https://www.bleepingcomputer.com/news/security/cdk-global-hacked-again-while-recovering-from-first-cyberattack/
- https://www.cbsnews.com/news/cdk-cyber-attack-outage-auto-dealerships-cbs-news-explains/
Entities:
- CDK Global
- Proton Dealership IT
- Penske Automotive Group
Attack Vector: Unknown
Risk Impact:
- High impact on car dealership operations globally.
- Disruption in sales, service, and back-office operations.
- Potential risk of theft of customer
Detailed Description:
- CDK Global, a SaaS platform for car dealerships, experienced a second cyberattack while recovering from an earlier breach.
- The first attack led to the shutdown of their data centers and IT systems, impacting dealership operations across sales, financing, inventory, and service.
- During restoration efforts, a subsequent breach occurred, forcing CDK to shut down systems again to prevent further damage.
- The outages have significantly impacted major dealers like Penske Automotive Group, disrupting both commercial and automotive sales operations.
- Dealerships have resorted to manual processes for sales and service due to the unavailability of CDK’s platform.
- Concerns are growing over CDK’s swift attempts to restore services, which may overlook comprehensive security assessments, potentially exposing the systems to further attacks.
Recommendation:
- Conduct a full security audit before restoring systems to operation.
- Maintain transparent communication with customers and stakeholders regarding system status and recovery efforts.
- Develop and rehearse incident response and business continuity plans to minimize disruption from future incidents.
SOC Response:
- The SOC has created a custom STAR rule for all SentinelOne customers to temporarily mitigate any CDK related software as a precautionary measure. We will stay vigilant for any updates regarding this attack and update affected customers when additional information becomes available.
Sources:
Entities:
- Okta
Indicators of Compromise: ‘fcoa’, ‘scoa’, and ‘pwd_leak’ events in Auth0 logs
Attack Vector: Credential stuffing via Okta’s Customer Identity Cloud and Cross-Origin Resource Sharing features
Risk Impact: Risk of account compromise
Detailed Description:
- Okta alerts about ongoing attacks specifically targeting its Customer Identity Cloud (CIC) feature, which have been occurring since April.
- Credential stuffing attacks, a method used by threat actors, use stolen login credentials to gain unauthorized access to online accounts.
- The attacks are focused on exploiting Customer Identity Cloud’s cross-origin authentication feature, identified by Okta since April 15, 2024.
- Okta’s Cross-Origin Resource Sharing (CORS) feature, enabling JavaScript integration for authentication calls to the Okta API, is being exploited in these attacks.
- For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate.
- If cross-origin authentication isn’t in active use within the environment but ‘fcoa’ and ‘scoa’ are detected in Auth0 logs, it suggests potential targeting in credential stuffing attacks.
- This warning comes after Okta’s previous notification regarding “unprecedented” credential stuffing attacks, which targeted Cisco Talos products from March 2024 onwards.
Recommendation:
- Disable cross-origin authentication if not used.
- Remove unused cross-origin devices.
- Use strong password requirements and enable MFA if not already in use.
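The ‘fcoa’, ‘scoa’ and ‘pwd_leak’ event types above can be turned into a small detection over an Auth0 log export. The script below is an added example, not Okta's code or the SOC's rule: given a list of log events it reports cross-origin authentication events when that feature is not in use (the bulletin's own signal), source IPs that fail against many distinct usernames (the credential-stuffing shape), any successful login from one of those IPs, and users with a leaked-password event. The events are constructed; the field names `type`, `ip` and `user_name` are modelled on Auth0 log entries, and the three-user threshold is a placeholder to tune to your tenant's normal traffic.

```python
from collections import defaultdict

# Event types named in the bulletin, plus Auth0's ordinary success/failure codes.
CROSS_ORIGIN_TYPES = {"fcoa", "scoa"}   # failed / successful cross-origin auth
FAILURE_TYPES = {"f", "fcoa"}           # failed login (ordinary / cross-origin)
SUCCESS_TYPES = {"s", "scoa"}           # successful login (ordinary / cross-origin)
LEAK_TYPE = "pwd_leak"                  # credential found in a breach

# Constructed sample events in the shape of Auth0 log entries (an assumption).
EVENTS = [
    {"type": "fcoa", "ip": "198.51.100.40", "user_name": "alice@example.com"},
    {"type": "fcoa", "ip": "198.51.100.40", "user_name": "bob@example.com"},
    {"type": "fcoa", "ip": "198.51.100.40", "user_name": "carol@example.com"},
    {"type": "scoa", "ip": "198.51.100.40", "user_name": "dave@example.com"},
    {"type": "f", "ip": "10.0.0.5", "user_name": "alice@example.com"},
    {"type": "s", "ip": "10.0.0.5", "user_name": "alice@example.com"},
    {"type": "pwd_leak", "ip": "203.0.113.9", "user_name": "dave@example.com"},
]


def analyze_auth0_events(events, cross_origin_in_use=False, min_distinct_users=3):
    """Summarise the credential-stuffing signals described in the bulletin."""
    failed_users_by_ip = defaultdict(set)
    successes = []
    leaked = set()
    cross_origin_count = 0
    for ev in events:
        kind = ev["type"]
        if kind in CROSS_ORIGIN_TYPES:
            cross_origin_count += 1
        if kind in FAILURE_TYPES:
            failed_users_by_ip[ev["ip"]].add(ev["user_name"])
        elif kind in SUCCESS_TYPES:
            successes.append((ev["ip"], ev["user_name"]))
        elif kind == LEAK_TYPE:
            leaked.add(ev["user_name"])

    # One IP failing across many accounts is the stuffing pattern, as opposed
    # to one user mistyping their own password a few times.
    stuffing_sources = {ip: sorted(users) for ip, users in failed_users_by_ip.items()
                        if len(users) >= min_distinct_users}
    # A success from a stuffing source is the event worth an incident ticket.
    compromised = sorted({user for ip, user in successes if ip in stuffing_sources})

    return {
        # Cross-origin events are only a signal when the feature is unused.
        "unexpected_cross_origin_events": 0 if cross_origin_in_use else cross_origin_count,
        "stuffing_sources": stuffing_sources,
        "successes_from_stuffing_sources": compromised,
        "leaked_password_users": sorted(leaked),
    }


if __name__ == "__main__":
    for key, value in analyze_auth0_events(EVENTS).items():
        print(f"{key}: {value}")
```

The users in `successes_from_stuffing_sources` are the ones to force a password reset and MFA enrolment for first; `leaked_password_users` should get the same treatment regardless of whether an attack has been observed yet.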
Sources:
- https://thehackernews.com/2024/05/check-point-warns-of-zero-day-attacks.html
- https://www.bleepingcomputer.com/news/security/check-point-vpn-zero-day-exploited-in-attacks-since-april-30/
Entities:
- Check Point VPN
- CloudGuard Network
- Quantum Appliances
Attack Vector: Currently undisclosed Zero Day Vulnerability in Check Point VPN Products
Risk Impact:
- Exposure of Sensitive Information to an Unauthorized Actor
- This includes password hashes of local user accounts, including the service account used to connect to Active Directory
Detailed Description:
- Check Point has issued hotfixes to address a zero-day vulnerability affecting VPN devices, exploited in attacks targeting remote access to firewalls and corporate networks.
- Initially warning of heightened attack activity against VPN devices, the company later identified the zero-day flaw as the root cause of these attacks.
- Tracked as CVE-2024-24919, the vulnerability allows attackers to retrieve specific information from internet-facing Check Point Security Gateways with remote access VPN or Mobile Access Software Blades enabled.
- Check Point has released security updates for affected products, including Quantum Security Gateway, CloudGuard Network Security, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Gateways, across different versions.
Recommendation:
- Follow the instructions listed by Check Point in the following security advisory.
Sources:
Entities:
- Palo Alto Networks firewalls
- TP-Link routers
- ThinkPHP
- Ivanti Connect Secure
- VMware Workspace ONE Access and Identity Manager
- RedTail malware
Attack Vector:
- Exploitation of vulnerabilities in Palo Alto Networks firewalls, TP-Link routers, ThinkPHP, Ivanti Connect Secure, VMware Workspace ONE Access and Identity Manager.
- Use of a bash shell script to download the RedTail payload.
Risk Impact:
- Unauthorized access and arbitrary code execution on vulnerable systems.
- Financial gains through unauthorized cryptocurrency mining.
- Increased operational costs due to private mining pools.
Detailed Description:
- The RedTail cryptocurrency mining malware has incorporated a recent vulnerability in Palo Alto Networks firewalls (CVE-2024-3400) into its exploit toolkit.
- The malware has been updated with advanced anti-analysis techniques and now employs private crypto-mining pools.
- Akamai discovered the infection sequence, which begins with exploiting the firewall vulnerability, leading to arbitrary code execution and the downloading of the RedTail payload.
- The malware also exploits other known vulnerabilities in various systems to propagate.
- The latest version includes an encrypted mining configuration for the XMRig miner and lacks a cryptocurrency wallet, indicating a switch to private mining pools.
Recommendation:
- Follow the appropriate steps listed in the security advisory issued by Palo Alto Networks to mitigate this vulnerability (CVE-2024-3400).