In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Sources:
- https://thehackernews.com/2024/01/new-glibc-flaw-grants-attackers-root.html
- https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog
Entities:
- Linux Operating Systems, Debian, Ubuntu, Fedora
Attack Vectors:
- Local exploitation only: an unprivileged local user triggers the flaw through a program that calls syslog(); there is no remote vector.
Impact:
- High – Potential for full root access by attackers.
Detailed Description:
- A heap-based buffer overflow in the GNU C Library's __vsyslog_internal() (the code behind syslog() and vsyslog()) lets an unprivileged local attacker escalate to root on affected Linux systems.
- Tracked as CVE-2023-6246, the bug was found by the Qualys Threat Research Unit together with two further __vsyslog_internal() flaws (CVE-2023-6779, an off-by-one heap overflow, and CVE-2023-6780, an integer overflow) and a memory-corruption bug in qsort(). Major distributions including Debian (12 and 13), Ubuntu (23.04 and 23.10) and Fedora (37 to 39) ship affected builds; the fixes are in glibc 2.39 and in distribution backports.
- Exploitation needs specific conditions (the Qualys write-up describes triggering it when a program that calls syslog() is invoked with an argv[0] or openlog() ident longer than 1024 bytes), but glibc's ubiquity makes the exposure broad.
Recommendation:
- Patch promptly: apply the glibc updates from your distribution's security advisory (the Fedora Project security release was the reference used for this bulletin).
- Because glibc is loaded into every running process, restart long-running services or reboot after updating so they pick up the fixed library; a patched package on disk does not protect processes started before the update.
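Two checks a responder can run over data already at hand, as an added example (not Qualys tooling and not from the bulletin's sources): the glibc version reported by `ldd --version`, compared with the upstream fix in 2.39 (distributions backport fixes, so a lower version means "check your vendor advisory", not "vulnerable"), and process-execution telemetry scanned for the trigger condition Qualys describes, a program launched with an argv[0] longer than 1024 bytes. The event shape (dicts with pid, uid, exe and argv) and the sample data are assumptions constructed for the example.

```python
"""Triage helpers for CVE-2023-6246 (glibc __vsyslog_internal heap overflow).

Added example, not Qualys tooling.  The event layout and the sample
`ldd --version` output are constructed for illustration.
"""
import re

UPSTREAM_FIX = (2, 39)      # glibc release carrying the upstream fix
ARGV0_THRESHOLD = 1024      # bytes; the program-name length __vsyslog_internal() mishandles


def parse_glibc_version(ldd_output):
    """Extract (major, minor) from the first line of `ldd --version` output."""
    first = ldd_output.strip().splitlines()[0]
    m = re.search(r"(\d+)\.(\d+)\s*$", first)
    if not m:
        raise ValueError("cannot find glibc version in %r" % first)
    return int(m.group(1)), int(m.group(2))


def version_verdict(ldd_output):
    """Coarse exposure verdict; distro backports mean 'possibly affected' needs a vendor check."""
    ver = parse_glibc_version(ldd_output)
    if ver >= UPSTREAM_FIX:
        return "fixed upstream"
    if ver >= (2, 36):
        # Qualys: the faulty code arrived in 2.37 and was backported into some 2.36 builds.
        return "possibly affected: confirm the distribution's backported fix"
    return "predates the affected code"


def oversized_argv0(events, threshold=ARGV0_THRESHOLD):
    """Flag exec events whose argv[0] exceeds `threshold` bytes (the syslog() trigger)."""
    findings = []
    for ev in events:
        argv = ev.get("argv") or []
        if not argv:
            continue
        n = len(argv[0].encode("utf-8", "surrogateescape"))
        if n > threshold:
            findings.append({
                "pid": ev["pid"],
                "uid": ev.get("uid"),
                "exe": ev.get("exe"),
                "argv0_len": n,
                "reason": "argv[0] longer than %d bytes (CVE-2023-6246 trigger)" % threshold,
            })
    return findings


# Constructed samples (not real hosts or telemetry).
LDD_UBUNTU = "ldd (Ubuntu GLIBC 2.38-1ubuntu6) 2.38\nCopyright (C) 2023 Free Software Foundation, Inc.\n"
LDD_FIXED = "ldd (GNU libc) 2.39\n"
EVENTS = [
    {"pid": 4021, "uid": 1000, "exe": "/usr/local/bin/reporter", "argv": ["reporter", "--daily"]},
    {"pid": 4022, "uid": 1000, "exe": "/usr/local/bin/reporter", "argv": ["A" * 2000, "--daily"]},
]

if __name__ == "__main__":
    print(version_verdict(LDD_UBUNTU))
    for finding in oversized_argv0(EVENTS):
        print(finding)
```

The argv[0] rule is a trigger-condition heuristic, not proof of exploitation: a hit means a process was started in the one way the advisory says is needed, which is rare enough in normal operation to be worth a look, especially when the binary is setuid or otherwise privileged.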
Sources:
- https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-46805
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
Entities:
- Threat Actors, Ivanti Connect Secure VPN and Policy Secure devices
Attack Vectors:
- Exploitation of Ivanti VPN vulnerabilities, execution of arbitrary commands with elevated privileges.
Impact:
- Post-exploitation activities, arbitrary command execution, data exfiltration, network reconnaissance
Detailed Description:
- UNC5221, a China-linked threat actor, has deployed new malware, including web shells (such as BUSHWALK, CHAINLINE, FRAMESTING), in post-exploitation attacks on Ivanti Connect Secure VPN and Policy Secure devices.
- The actor chained CVE-2023-46805 (an authentication bypass) with CVE-2024-21887 (a command injection), both exploited as zero-days, to run arbitrary commands on the appliance as an unauthenticated remote attacker with elevated privileges; the web shells are dropped afterwards for persistence.
- CISA issued supplemental guidance to its emergency directive urging federal agencies to disconnect affected Ivanti Connect Secure and Policy Secure appliances from their networks as soon as possible.
Recommendation:
- Apply the vendor-released patches promptly, and treat any appliance that was exposed before patching as potentially compromised rather than assuming the patch alone closes the incident.
- Follow Mandiant's hardening and remediation guidance for Ivanti Connect Secure and Policy Secure when rebuilding and re-securing affected devices.
Sources:
- https://www.bleepingcomputer.com/news/security/cloudflare-hacked-using-auth-tokens-stolen-in-okta-attack/
- https://www.securityweek.com/cloudflare-hacked-by-suspected-state-sponsored-attacker/
- https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html
Entities:
- Cloudflare, Atlassian, Okta
Attack Vectors:
- Nation state attacker gaining access through stolen Okta credentials.
Impact:
- Unauthorized access to Atlassian server, Confluence wiki, Jira bug database, and Bitbucket source code management. Attempted breach of data center in São Paulo. Limited operational impact, no impact on customer data.
Detailed Description:
- The breach occurred on November 14, with the attacker gaining persistent access on November 22.
- Cloudflare detected malicious activity on November 23, severed access on November 24, and initiated a forensic investigation on November 26.
- The threat actor accessed Cloudflare’s Atlassian server during a four-day reconnaissance period, creating a rogue user account and gaining access to Confluence, Jira, and eventually Bitbucket.
- Approximately 120 code repositories were viewed, with 76 estimated to be exfiltrated.
- The stolen credentials, including one access token and three service accounts, were linked to AWS, Atlassian Bitbucket, Moveworks, and Smartsheet.
- These four credentials had been stolen in the October 2023 compromise of Okta's support system; Cloudflare rotated thousands of credentials at that time but left these four in place because they were believed to be unused, and the attacker used them to get in.
- Remediation measures included rotating over 5,000 production credentials, segmenting systems, forensic triages, and reimaging and rebooting the entire global network.
- The attacker also unsuccessfully attempted to breach Cloudflare’s São Paulo data center.
Recommendation:
- After any compromise at an upstream provider, rotate every credential that could have been exposed, including tokens and service accounts believed to be unused; an inventory that ties each secret to an owner and a purpose is what makes that rotation complete.
- Alert on new account creation and unusual access patterns in source-control and wiki systems; here the intrusion involved a rogue Atlassian user and bulk repository reads over several days.
- Conduct regular security audits and penetration testing to identify weaknesses.
- Enforce multi-factor authentication, preferably hardware-backed, on all administrative and engineering access.
Sources:
Entities:
- AnyDesk, CrowdStrike
Attack Vectors:
- Cyberattack on AnyDesk production systems, theft of source code and code signing keys
Impact:
- Exposure of source code and private keys, potential misuse of stolen credentials, risk of maliciously signed software
Detailed Description:
- AnyDesk suffered a cyberattack on its production systems, leading to the theft of source code and private code signing keys.
- AnyDesk engaged CrowdStrike to investigate the intrusion into its production servers; the company has not publicly attributed the attack to a named threat actor.
- While AnyDesk stated that no end-user devices were affected, the stolen source code and keys pose a risk of potential misuse and maliciously signed software.
- AnyDesk has responded by revoking security certificates, replacing compromised systems, and urging users to update to the latest version (8.0.8).
- Although AnyDesk claims no authentication tokens were stolen, passwords to the web portal are being revoked as a precaution.
Recommendation:
- Immediately update AnyDesk software to the latest version (8.0.8), which is signed with AnyDesk's new code-signing certificate, and treat binaries still signed with the old certificate as untrusted.
- Change AnyDesk passwords and avoid using the same password on other sites as a precautionary measure.
- Stay informed about updates and security advisories from AnyDesk regarding the incident.
- Consider implementing multi-factor authentication (MFA) for enhanced security.
SOC Response:
- The SOC has created a custom STAR rule in SentinelOne to detect AnyDesk software signed by the revoked certificate “philandro Software GmbH”.
Sources:
- https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/
- https://www.fortiguard.com/psirt/FG-IR-24-015
Entities:
- Fortinet FortiOS SSL VPN
Indicators of Compromise:
- CVE-2024-21762
Attack Vectors:
- Remote code execution via crafted HTTP requests to the SSL VPN interface (an out-of-bounds write), with no authentication required
Impact:
- Unauthenticated remote code execution on the firewall; Fortinet reports the flaw is potentially being exploited in the wild
Detailed Description:
- Fortinet has disclosed a critical out-of-bounds write vulnerability, CVE-2024-21762, in the FortiOS SSL VPN component, and states that it is potentially being exploited in the wild.
- Rated CVSS 9.6, the flaw lets an unauthenticated remote attacker execute arbitrary code or commands via specially crafted HTTP requests.
- Fortinet advises upgrading to patched versions based on the affected FortiOS version or disabling SSL VPN if patching is not feasible.
- Below are the affected versions and the recommended patches for them:
Version | Affected | Solution |
FortiOS 7.6 | Not affected | Not Applicable |
FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
Recommendation:
- Apply Patches: Immediately upgrade FortiOS devices to the fixed release for their branch according to the table above to mitigate CVE-2024-21762.
- Mitigate Flaw: If unable to patch, disable SSL VPN on affected FortiOS devices as a temporary measure; Fortinet notes that disabling web mode alone is not a valid workaround.
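Sweeping an inventory against the table above is where mistakes creep in, because "7.0.13" compares as less than "7.0.2" when version strings are compared lexically. The following is an added example (not Fortinet tooling) that transcribes the bulletin's table and compares versions numerically per branch; the input format "v7.4.1,build2463" is an assumption about how the inventory reports FortiOS versions, and the sample versions are constructed.

```python
"""Map FortiOS version strings to their CVE-2024-21762 status.

Added example, not Fortinet tooling.  ADVISORY transcribes the bulletin's
table; the version-string layout and sample inventory are assumptions.
"""
import re

# branch -> (first affected, last affected, fix); None = not affected; "all" = every release affected
ADVISORY = {
    (7, 6): None,
    (7, 4): ((7, 4, 0), (7, 4, 2), "Upgrade to 7.4.3 or above"),
    (7, 2): ((7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    (7, 0): ((7, 0, 0), (7, 0, 13), "Upgrade to 7.0.14 or above"),
    (6, 4): ((6, 4, 0), (6, 4, 14), "Upgrade to 6.4.15 or above"),
    (6, 2): ((6, 2, 0), (6, 2, 15), "Upgrade to 6.2.16 or above"),
    (6, 0): "all",
}


def parse_version(text):
    """Return (major, minor, patch) as integers from e.g. 'v7.4.1,build2463'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no FortiOS version in %r" % text)
    return tuple(int(x) for x in m.groups())


def status(text):
    """Return (state, action) where state is affected / fixed / not_affected / unknown."""
    ver = parse_version(text)
    branch = ver[:2]
    if branch not in ADVISORY:
        return ("unknown", "branch %d.%d not listed in FG-IR-24-015; check the advisory" % branch)
    entry = ADVISORY[branch]
    if entry is None:
        return ("not_affected", "no action")
    if entry == "all":
        return ("affected", "Migrate to a fixed release")
    lo, hi, fix = entry
    if lo <= ver <= hi:          # tuple comparison is numeric, so 7.0.13 > 7.0.2
        return ("affected", fix)
    return ("fixed", "at or above the fixed release for this branch")


def sweep(inventory):
    """inventory: {hostname: version_string} -> {hostname: (state, action)}."""
    return {host: status(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration.
INVENTORY = {
    "fw-edge-01": "v7.4.1,build2463",
    "fw-edge-02": "v7.2.7,build1577",
    "fw-branch-03": "v7.0.13,build0000",
    "fw-legacy-04": "v6.0.15,build0000",
    "fw-lab-05": "v7.6.0,build0000",
}

if __name__ == "__main__":
    for host, verdict in sweep(INVENTORY).items():
        print(host, verdict)
```

Anything reported as "unknown" deserves a manual look rather than being treated as safe: FortiProxy and any branch not in the table are outside what this script knows.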
Sources:
- https://thehackernews.com/2024/02/warning-new-ivanti-auth-bypass-flaw.html
- https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
Entities:
- Ivanti, Auth Bypass Flaw
Indicators of Compromise:
- CVE-2024-22024
Attack Vectors:
- XML External Entity (XXE) vulnerability in SAML component
Impact:
- Bypass of authentication, unauthorized access to restricted resources
Detailed Description:
- CVE-2024-22024 is an XML External Entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateways, allowing unauthorized access to restricted resources without authentication.
- CVE-2024-22024 affects the following versions of the products :
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
- Ivanti Policy Secure (version 22.5R1.1)
- ZTA (version 22.6R1.3)
- Ivanti states the flaw was identified during its internal review; security firm watchTowr independently discovered and reported it. Ivanti reported no evidence of exploitation at disclosure, but given the active targeting of these appliances the fixes should be applied without delay.
Recommendation:
- Apply Patches: Immediately apply patches provided by Ivanti for affected versions to mitigate CVE-2024-22024.
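XXE in a SAML endpoint means the XML parser honours DOCTYPE and ENTITY declarations inside attacker-supplied SAMLResponse data, which is how external entities get resolved before any signature is checked. The following is an added example of the defensive pattern, not Ivanti's code: a SAML message never legitimately carries a DTD, so the decoded response is rejected outright if one is present, before it reaches any parser. The SAML documents below are constructed samples, and the parse step is deliberately minimal (it stops at extracting the Issuer; signature validation would follow in a real service provider).

```python
"""Reject DTDs in a SAMLResponse before parsing it (XXE hardening).

Added example of the pattern, not Ivanti's code.  Samples are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration is grounds for rejection; SAML does not use DTDs.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
SAML_NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_response(saml_response_b64):
    """Decode a SAMLResponse form value and return its Issuer.

    Raises ValueError when the document carries a DTD (XXE attempt or malformed input).
    """
    raw = base64.b64decode(saml_response_b64)
    if DTD_MARKER.search(raw):
        raise ValueError("DTD present in SAMLResponse; rejecting (possible XXE)")
    root = ET.fromstring(raw)
    issuer = root.find("saml2:Issuer", SAML_NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAMLResponse has no Issuer")
    return issuer.text.strip()


def accepts(saml_response_b64):
    """True if the response passes the pre-parse checks, False if it is rejected."""
    try:
        parse_saml_response(saml_response_b64)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed samples (not real traffic).
BENIGN = base64.b64encode(b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2:Issuer>https://idp.example.test/</saml2:Issuer>
</saml2p:Response>""")

XXE = base64.b64encode(b"""<?xml version="1.0"?>
<!DOCTYPE Response [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_2" Version="2.0">
  <saml2:Issuer>&xxe;</saml2:Issuer>
</saml2p:Response>""")

if __name__ == "__main__":
    print("benign issuer:", parse_saml_response(BENIGN))
    print("xxe accepted:", accepts(XXE))
```

Rejecting the DTD up front is parser-independent, which matters because the safe defaults differ between XML libraries; it complements, and does not replace, configuring the parser itself to disable entity resolution.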
Sources:
- https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
Entities:
- Microsoft, Exchange Server, Threat Actors
Indicators of Compromise:
- CVE-2024-21410
Attack Vectors:
- Privilege Escalation via NTLM Credentials Leakage
Impact:
- Successful exploitation allows attackers to gain privileges and perform operations on Exchange Server
Detailed Description:
- CVE-2024-21410 is being exploited in the wild. An attacker first obtains a user's Net-NTLMv2 response by targeting an NTLM client such as Outlook (for example through a credential-leaking bug), then relays it to the Exchange server to authenticate as that user and act with that user's privileges.
- Microsoft updated its advisory to mark the flaw as exploited; Exchange Server 2019 Cumulative Update 14 enables Extended Protection for Authentication (EPA) by default, which defeats the relay by binding NTLM authentication to the TLS channel.
- Microsoft has not disclosed details of the exploitation activity or the threat actors involved.
Recommendation:
- Apply the February 2024 Patch Tuesday updates (Exchange Server 2019 CU14) immediately and confirm Extended Protection is enabled on every Exchange server; servers on earlier supported versions need EPA turned on explicitly using Microsoft's ExchangeExtendedProtectionManagement script.
Sources:
- https://www.bleepingcomputer.com/news/security/zoom-patches-critical-privilege-elevation-flaw-in-windows-apps/
- https://www.zoom.com/en/trust/security-bulletin/ZSB-24008/
Entities:
- Zoom, Windows Desktop Client, VDI Client, Meeting SDK, Input Validation Flaw
Indicators of Compromise:
- CVE-2024-24691
Attack Vectors:
- Network-based privilege escalation requiring user interaction
Impact:
- Potential for unauthorized privilege escalation, information disclosure, denial of service, and improper authentication
Detailed Description:
- Zoom has patched a critical privilege escalation flaw (CVE-2024-24691) affecting its Windows Desktop Client, VDI Client, and Meeting SDK.
- The flaw, discovered by Zoom’s offensive security team, received a CVSS v3.1 score of 9.6.
- Additionally, six other vulnerabilities have been addressed in the latest release. The vulnerabilities include:
- CVE-2024-24697: A high-severity issue in Zoom 32-bit Windows clients allows privilege escalation through local access by exploiting an untrusted search path.
- CVE-2024-24696: An in-meeting chat vulnerability in Zoom Windows clients caused by improper input validation enables information disclosure over the network.
- CVE-2024-24695: Similar to CVE-2024-24696, improper input validation in Zoom Windows clients allows information disclosure over the network.
- CVE-2024-24699: A business logic error in Zoom’s in-meeting chat feature can lead to information disclosure over the network.
- CVE-2024-24690: Vulnerability in some Zoom clients caused by improper input validation can trigger a denial of service over the network.
- CVE-2024-24698: Improper authentication flaw in some Zoom clients permits information disclosure through local access by privileged users.
Recommendation:
- Users are advised to update their Zoom applications to the latest versions (Windows Desktop Client 5.16.5, VDI Client 5.16.10, Zoom Rooms Client 5.17.0, Meeting SDK 5.16.5) to mitigate the risk of exploitation.
Sources:
- https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/
- https://nvd.nist.gov/vuln/detail/CVE-2024-21413
Entities:
- Microsoft Outlook RCE Vulnerability
Indicators of Compromise:
- CVE-2024-21413, Moniker Link
Attack Vectors:
- Remote unauthenticated attackers can exploit the vulnerability via malicious links in emails or in the Preview Pane of Outlook
Impact:
- The vulnerability allows for remote code execution, bypassing Office Protected View, and theft of NTLM credential information
Detailed Description:
- The flaw, tracked as CVE-2024-21413, permits attackers to execute arbitrary code by tricking users into clicking on malicious links or previewing infected Office documents.
- Check Point researchers discovered the vulnerability, named Moniker Link, which enables attackers to bypass Outlook security by adding an exclamation mark to file:// protocol URLs.
- The vulnerability stems from Outlook's parsing of "file://" hyperlinks: appending an exclamation mark and arbitrary text to a UNC path (e.g., "file:///\\10.10.111.111\test\test.rtf!something") turns the link into a Moniker Link that Outlook resolves instead of blocking, so clicking it fetches and opens the attacker-hosted payload outside Protected View, and the SMB connection to the attacker's share also leaks the user's NTLM credentials.
- The vulnerability bypasses built-in Outlook protections and has been confirmed on various Windows and Office environments.
Recommendation:
- Microsoft has released patches for affected versions of Outlook and Office. Users are advised to apply the updates immediately to mitigate the risk of exploitation.
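The bypass form is easy to spot in mail content: a file: URL pointing at a UNC path with an exclamation mark after the filename. The following is an added example of a mail-gateway or mailbox-sweep check, not Check Point's or Microsoft's code; the three messages are constructed samples. A plain file: UNC link is reported at lower severity because it still triggers an outbound SMB connection when clicked, and ordinary http(s) links are ignored.

```python
"""Flag file:// Moniker Links (the CVE-2024-21413 pattern) in email HTML.

Added example, not vendor code.  Message bodies are constructed samples.
"""
import html
import re

HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# file: scheme, any number of slashes, a UNC host\path, then "!" (the moniker marker).
MONIKER_LINK = re.compile(r"^file:/*\\\\[^\\\s]+\\[^!\s]*!", re.IGNORECASE)
# Any file: link to a UNC path, with or without the "!" bypass.
FILE_UNC = re.compile(r"^file:/*\\\\", re.IGNORECASE)


def scan_links(html_body):
    """Return a list of (severity, url) findings for one message body."""
    findings = []
    for raw in HREF.findall(html_body):
        url = html.unescape(raw).strip()
        if MONIKER_LINK.match(url):
            findings.append(("high", url))      # bypass form: UNC path + "!"
        elif FILE_UNC.match(url):
            findings.append(("medium", url))    # UNC link, still an NTLM leak on click
    return findings


def scan_mailbox(messages):
    """messages: list of {"id": ..., "html": ...}; returns {id: findings} for hits only."""
    results = {}
    for msg in messages:
        hits = scan_links(msg["html"])
        if hits:
            results[msg["id"]] = hits
    return results


# Constructed sample messages (not real mail).
MESSAGES = [
    {"id": "msg-1", "html": '<p>Invoice: <a href="https://vendor.example/invoice">open</a></p>'},
    {"id": "msg-2", "html": '<a href="file:///\\\\10.10.111.111\\test\\test.rtf!something">Click</a>'},
    {"id": "msg-3", "html": '<a href="file://\\\\fileserver\\share\\doc.docx">Doc</a>'},
]

if __name__ == "__main__":
    for mid, hits in scan_mailbox(MESSAGES).items():
        print(mid, hits)
```

Detection of the link form is a stopgap for unpatched clients; the page's recommendation to apply the Outlook and Office updates stands, since the patch removes the parsing behaviour the link abuses.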
Sources:
- https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
Entities:
- ConnectWise ScreenConnect Software
Indicators of Compromise:
- 155.133.5[.]15
- 155.133.5[.]14
- 118.69.65[.]60
Attack Vectors:
- Attackers can exploit authentication bypass and path traversal vulnerabilities in vulnerable versions of ScreenConnect to execute remote code or access confidential data
Impact:
- The flaws have the potential to enable remote code execution or compromise critical systems, posing a severe risk to affected organizations
Detailed Description:
- Attackers are actively exploiting two vulnerabilities in on-premises ConnectWise ScreenConnect servers, CVE-2024-1709 and CVE-2024-1708, in some cases to deploy LockBit ransomware on compromised networks.
- CVE-2024-1709 (CVSS 10.0) is an authentication bypass that gives an unauthenticated remote attacker administrative access to the server; ConnectWise fixed it in version 23.9.8.
- CVE-2024-1708 (CVSS 8.4) is a path traversal fixed in the same release; it requires an authenticated, high-privilege user, so it is limited on its own, but chained with CVE-2024-1709 it yields remote code execution.
- Exploitation of CVE-2024-1709 began within a day of disclosure, with reports of more than 600 IP addresses targeting vulnerable servers.
Recommendation:
- Immediately patch on-premises ScreenConnect servers by upgrading to version 23.9.8 or newer, and follow the mitigation steps in the ConnectWise security bulletin listed in the sources above; cloud-hosted instances were patched by ConnectWise.
SOC Response:
- The SOC has implemented a new Global Detection, "Potential ScreenConnect Vulnerability Exploitation", for all XDR customers. It covers the indicators of compromise known at this time; the SOC will update it as additional indicators are released.
Sources:
Entities:
- VMware Enhanced Authentication Plugin (EAP), Active Directory
Indicators of Compromise:
- CVE-2024-22245 (EAP arbitrary authentication relay), CVE-2024-22250 (EAP session hijack)
Attack Vectors:
- Malicious actors could exploit EAP vulnerabilities to trick users into relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs), and seize privileged EAP sessions with unprivileged local access to Windows OS
Impact:
- The flaws pose significant risks to systems using EAP for vSphere login, potentially compromising Active Directory security and enabling unauthorized access to privileged sessions.
Detailed Description:
- VMware has identified critical vulnerabilities (CVE-2024-22245, CVSS 9.6, and CVE-2024-22250, CVSS 7.8) in the deprecated Enhanced Authentication Plugin (EAP), a Windows browser plug-in for vSphere single sign-on that has been deprecated since March 2021 and is not installed by default; no patch is planned, so VMware urges users to uninstall it immediately.
- The flaws could lead to arbitrary authentication relay and session hijacking, impacting systems connected to vSphere through EAP.
- Additional specifics about this flaw are currently being withheld.
Recommendation:
- Users are advised to uninstall the Enhanced Authentication Plugin from client systems using the operating system’s uninstallation method. This action is crucial to prevent exploitation of vulnerabilities and safeguard Active Directory integrity.
Sources:
Entities:
- UnitedHealth Group, Optum Solutions, Columbia University, Tricare
Attack Vectors:
- Cyberattack by what UnitedHealth initially described as a suspected nation-state actor against the IT systems of the Change Healthcare platform, operated by Optum, UnitedHealth Group's health-services and IT subsidiary, leading to widespread service disruptions.
Impact:
- Nationwide disruption of payment processing, claims handling and healthcare service delivery that flows through Change Healthcare, with knock-on outages at providers and payers that disconnected from Optum; the extent of any data compromise was not known at the time of writing.
Detailed Description:
- UnitedHealth Group’s subsidiary, Optum, experienced a severe cyberattack targeting its Change Healthcare platform, disrupting services across the US healthcare system.
- The attack led to the shutdown of IT systems and various services, affecting payment processing and healthcare service delivery.
- UnitedHealth Group has taken steps to isolate and remediate the impacted systems, but the extent and duration of the disruption remain uncertain.
- Healthcare organizations, including Columbia University and Tricare, have taken preventive measures by disconnecting from Optum and related services.
Recommendation:
- Healthcare organizations should immediately disconnect from Optum and related services until they are deemed safe.
- Consider alternative methods for processing payments and healthcare claims during the outage.
- Prepare for potential data breach notifications and take steps to protect patient data.
Sources:
Entities:
- Palo Alto Networks’ Unit 42, VMware
Indicators of Compromise:
- download.vmfare[.]com
Attack Vectors:
- Malicious email attachments, payload-dropping sites.
Impact:
- Data exfiltration, potential system compromise, evasion of detection mechanisms.
Detailed Description:
- Palo Alto Networks’ Unit 42 researchers have uncovered a new variant of the Bifrost RAT targeting Linux systems.
- This variant utilizes a deceptive domain, “download.vmfare[.]com,” which mimics a legitimate VMware domain, aiding in evasion.
- The malware collects sensitive information from infected hosts (hostname, IP address and process identifiers), encrypts it with RC4 and sends it to a command-and-control server.
- Additionally, an ARM version of the malware has been identified, indicating the attackers’ intention to target a broader range of system architectures.
Recommendation:
- Organizations should update their security measures to detect and block the deceptive domain “download.vmfare[.]com.”
SOC Response:
- The SOC has implemented a global detection for all XDR customers to detect any connection to the known deceptive domain listed.
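Both this section and the ScreenConnect section above list defanged indicators (the 155.133.5[.]15, 155.133.5[.]14 and 118.69.65[.]60 scanning addresses, and the download.vmfare[.]com staging domain). The following is an added example of matching those indicators against logs, not the SOC's XDR rule: it refangs the indicators, splits them into IP and domain sets, and scans web-access and DNS log lines, matching domains on the name itself or any subdomain. The log lines are constructed samples in common formats, not real telemetry, and the look-alike domain download.vmware.com is included to show that it does not match.

```python
"""Refang bulletin indicators and match them against log lines.

Added example, not the SOC's detection rule.  Indicators are the ones listed
in this bulletin; the log lines are constructed samples.
"""
import ipaddress
import re

RAW_IOCS = [
    "155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60",   # ScreenConnect scanning sources
    "download.vmfare[.]com",                                # Bifrost RAT staging domain
]


def refang(ioc):
    """Undo common defanging: [.] -> . , (.) -> . , (dot) -> . , hxxp -> http."""
    return (ioc.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
               .replace("hxxp", "http").strip().lower())


def split_iocs(iocs):
    """Return (set of IP strings, set of domains) from a mixed indicator list."""
    ips, domains = set(), set()
    for ioc in map(refang, iocs):
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return ips, domains


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line, ips, domains):
    """Return the sorted indicators found in one log line (exact IP, domain or subdomain)."""
    hits = set()
    for ip in IPV4.findall(line):
        if ip in ips:
            hits.add(ip)
    for name in HOSTNAME.findall(line):
        name = name.lower().rstrip(".")
        for d in domains:
            if name == d or name.endswith("." + d):
                hits.add(d)
    return sorted(hits)


def scan(lines, iocs=RAW_IOCS):
    """Return [(line_no, line, hits)] for lines containing at least one indicator."""
    ips, domains = split_iocs(iocs)
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, ips, domains)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample logs: two web-access lines, two DNS query lines.
SAMPLE_LOGS = [
    '10.0.0.5 - - [22/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 5120',
    '155.133.5.15 - - [22/Feb/2024:10:01:09 +0000] "GET / HTTP/1.1" 200 8192',
    '22-Feb-2024 10:02:11 client 10.0.0.17#51234: query: download.vmfare.com IN A',
    '22-Feb-2024 10:02:12 client 10.0.0.17#51235: query: download.vmware.com IN A',
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOGS):
        print(n, hits, line)
```

Matching on subdomains catches staging hosts under the indicator domain, while the exact-string comparison keeps the legitimate vmware.com lookup out of the results; for production use the indicator list should be loaded from a feed rather than hard-coded.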