BLOG

Threat Bulletin | March 8

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Critical Glibc Vulnerability Leads to Root Access in Linux Systems

Sources: 

 

Entities:  

  • Linux Operating Systems, Debian, Ubuntu, Fedora 

 

Attack Vectors:  

  • Local exploitation of Glibc vulnerability. 

 

Impact:  

  • High – Potential for full root access by attackers. 

 

Detailed Description: 

  • A severe heap-based buffer overflow vulnerability in the GNU C library (glibc) allows malicious local attackers to gain full root access on Linux machines.  
  • Identified as CVE-2023-6246, this flaw, together with the additional vulnerabilities CVE-2023-6779 and CVE-2023-6780 and a bug in the qsort() function, affects major Linux distributions, including Debian, Ubuntu, and Fedora.  
  • The exploitation requires specific conditions but poses a significant risk due to glibc’s widespread use. 

 

Recommendation: 

  • Prompt patching of the affected systems is crucial; use the Fedora Project security release for guidance on the necessary updates. 
  • System administrators should review and apply available updates for their Linux distributions.

Threat 2: New Malware Exploits Ivanti VPN Vulnerabilities in Post-Exploitation Attacks

Sources: 

 

Entities:  

  • Threat Actors, Ivanti Connect Secure VPN and Policy Secure devices 

 

Attack Vectors:  

  • Exploitation of Ivanti VPN vulnerabilities, execution of arbitrary commands with elevated privileges. 

 

Impact:  

  • Post-exploitation activities, arbitrary command execution, data exfiltration, network reconnaissance 

 

Detailed Description: 

  • UNC5221, a China-linked threat actor, has deployed new malware, including web shells (such as BUSHWALK, CHAINLINE, FRAMESTING), in post-exploitation attacks on Ivanti Connect Secure VPN and Policy Secure devices.  
  • The malware exploits Ivanti VPN vulnerabilities (CVE-2023-46805 and CVE-2024-21887) as zero-days, enabling unauthenticated actors to execute arbitrary commands with elevated privileges.  
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued supplemental guidance urging agencies running affected Ivanti devices to disconnect them from their networks. 

 

Recommendation: 

Threat 3: Cloudflare Breach via Okta Auth Tokens

Sources: 

 

Entities:  

  • Cloudflare, Atlassian, Okta 

 

Attack Vectors:  

  • Nation state attacker gaining access through stolen Okta credentials. 

 

Impact:  

  • Unauthorized access to Atlassian server, Confluence wiki, Jira bug database, and Bitbucket source code management. Attempted breach of data center in São Paulo. Limited operational impact, no impact on customer data. 

 

Detailed Description: 

  • The breach occurred on November 14, with the attacker gaining persistent access on November 22.  
  • Cloudflare detected malicious activity on November 23, severed access on November 24, and initiated a forensic investigation on November 26.  
  • The threat actor accessed Cloudflare’s Atlassian server during a four-day reconnaissance period, creating a rogue user account and gaining access to Confluence, Jira, and eventually Bitbucket.  
  • Approximately 120 code repositories were viewed, with 76 estimated to be exfiltrated.  
  • The stolen credentials, including one access token and three service accounts, were linked to AWS, Atlassian Bitbucket, Moveworks, and Smartsheet. 
  • Cloudflare failed to rotate these credentials, leading to the breach.  
  • Remediation measures included rotating over 5,000 production credentials, segmenting systems, forensic triages, and reimaging and rebooting the entire global network.  
  • The attacker also unsuccessfully attempted to breach Cloudflare’s São Paulo data center. 

 

Recommendation: 

  • Rotate all access tokens and service account credentials regularly. 
  • Conduct regular security audits and penetration testing to identify vulnerabilities. 
  • Enhance employee training on recognizing phishing attempts. 
  • Implement multi-factor authentication to add an extra layer of security.

Threat 4: AnyDesk Confirms Cyberattack on Production Systems

Sources: 

 

Entities:  

  • AnyDesk, CrowdStrike, UNC5221 threat actor 

 

Attack Vectors:  

  • Cyberattack on AnyDesk production systems, theft of source code and code signing keys 

 

Impact:  

  • Exposure of source code and private keys, potential misuse of stolen credentials, risk of maliciously signed software 

 

Detailed Description: 

  • AnyDesk suffered a cyberattack on its production systems, leading to the theft of source code and private code signing keys.  
  • UNC5221, the threat actor responsible, targeted the company’s servers.  
  • While AnyDesk stated that no end-user devices were affected, the stolen source code and keys pose a risk of potential misuse and maliciously signed software. 
  • AnyDesk has responded by revoking security certificates, replacing compromised systems, and urging users to update to the latest version (8.0.8).  
  • Although AnyDesk claims no authentication tokens were stolen, passwords to the web portal are being revoked as a precaution.  

 

Recommendation: 

  • Immediately update AnyDesk software to the latest version (8.0.8) to ensure the use of the new code signing certificate. 
  • Change AnyDesk passwords and avoid using the same password on other sites as a precautionary measure. 
  • Stay informed about updates and security advisories from AnyDesk regarding the incident. 
  • Consider implementing multi-factor authentication (MFA) for enhanced security. 

 

SOC Response: 

  • The SOC has created a custom STAR rule in SentinelOne to detect AnyDesk software signed by the revoked certificate “philandro Software GmbH”. 

Threat 5: Critical Remote Code Execution Flaw Discovered in Fortinet SSL VPN

Sources: 

 

Entities:  

  • Fortinet, RCE flaw 

 

Indicators of Compromise:  

  • CVE-2024-21762 

 

Attack Vectors:  

  • Remote code execution via crafted requests 

 

Impact:  

  • Remote code execution, potential exploitation in attacks 

 

Detailed Description: 

  • Fortinet has disclosed a critical remote code execution (RCE) vulnerability, CVE-2024-21762, in FortiOS SSL VPN, potentially exploited in attacks.  
  • The flaw, with a severity rating of 9.6, enables unauthenticated attackers to execute arbitrary code via crafted requests.  
  • Fortinet advises upgrading to patched versions based on the affected FortiOS version or disabling SSL VPN if patching is not feasible.  
  • Below are the affected versions and the recommended patches for them: 

| Version     | Affected             | Solution                   |
|-------------|----------------------|----------------------------|
| FortiOS 7.6 | Not affected         | Not applicable             |
| FortiOS 7.4 | 7.4.0 through 7.4.2  | Upgrade to 7.4.3 or above  |
| FortiOS 7.2 | 7.2.0 through 7.2.6  | Upgrade to 7.2.7 or above  |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions     | Migrate to a fixed release |

 

Recommendation: 

  • Apply Patches: Immediately upgrade FortiOS devices to patched versions according to the provided table to mitigate CVE-2024-21762. 
  • Mitigate Flaw: If unable to apply patches, consider disabling SSL VPN on FortiOS devices as a temporary mitigation measure. 
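
The version table above is easy to misread across six branches, so here is an added example (written for this bulletin, not Fortinet's own tooling) that encodes the table and triages a constructed device inventory; hostnames and build strings are made up.

```python
import re

# Affected ranges and fixes as given in the FortiOS table for CVE-2024-21762.
# branch -> (last affected patch level, first fixed version)
AFFECTED_BRANCHES = {
    (7, 4): (2, "7.4.3"),
    (7, 2): (6, "7.2.7"),
    (7, 0): (13, "7.0.14"),
    (6, 4): (14, "6.4.15"),
    (6, 2): (15, "6.2.16"),
}
NOT_AFFECTED_BRANCHES = {(7, 6)}
END_OF_LIFE_BRANCHES = {(6, 0)}   # "6.0 all versions": migrate to a fixed release

def parse_version(text):
    """Extract (major, minor, patch) from strings like 'FortiOS 7.0.12' or 'v7.0.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def assess(version_text):
    """Return (status, action) for one FortiOS build against the advisory table."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in NOT_AFFECTED_BRANCHES:
        return ("not affected", "No action required")
    if branch in END_OF_LIFE_BRANCHES:
        return ("affected", "Migrate to a fixed release")
    if branch in AFFECTED_BRANCHES:
        last_bad, fixed = AFFECTED_BRANCHES[branch]
        if patch <= last_bad:
            return ("affected", f"Upgrade to {fixed} or above")
        return ("not affected", f"Already at or above {fixed}")
    # Branches outside the table (e.g. 5.x) are not covered by the advisory.
    return ("unknown", "Branch not listed in the advisory; check Fortinet PSIRT")

def triage(inventory):
    """inventory: list of (hostname, version string). Returns hosts needing attention."""
    return [(host, *assess(ver)) for host, ver in inventory
            if assess(ver)[0] != "not affected"]

# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS 7.0.12"),
    ("fw-edge-02", "FortiOS 7.4.3"),
    ("fw-branch-03", "FortiOS 6.0.15"),
    ("fw-lab-04", "FortiOS 7.6.0"),
    ("fw-legacy-05", "FortiOS 5.6.14"),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status} - {action}")
```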

Threat 6: High-Severity Auth Bypass Flaw Discovered in Ivanti Connect Secure, Policy Secure, and ZTA Gateways

Sources: 

 

Entities:  

  • Ivanti, Auth Bypass Flaw 

 

Indicators of Compromise:  

  • CVE-2024-22024 

 

Attack Vectors:  

  • XML External Entity (XXE) vulnerability in SAML component 

 

Impact:  

  • Bypass of authentication, unauthorized access to restricted resources 

 

Detailed Description: 

  • CVE-2024-22024 is an XML External Entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateways, allowing unauthorized access to restricted resources without authentication.  
  • CVE-2024-22024 affects the following versions of the products: 
    • Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1) 
    • Ivanti Policy Secure (version 22.5R1.1) 
    • ZTA (version 22.6R1.3) 
  • The flaw was discovered internally by Ivanti and disclosed by cybersecurity firm watchTowr, highlighting the importance of applying the latest fixes to prevent exploitation. 

 

Recommendation: 

  • Apply Patches: Immediately apply patches provided by Ivanti for affected versions to mitigate CVE-2024-22024. 
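
The XXE class behind CVE-2024-22024 only works if the SAML consumer is willing to process a DTD. As an added illustration (editor's code, not Ivanti's), this guard rejects any SAML message carrying a DOCTYPE or ENTITY declaration before it reaches the XML parser; the two sample assertions are constructed for the example.

```python
import re
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # standard SAML 2.0 assertion namespace
# External entities can only be declared inside a DTD, so a DOCTYPE or ENTITY
# declaration has no legitimate place in a SAML message and is grounds for rejection.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeSamlMessage(ValueError):
    pass

def parse_saml(xml_bytes):
    """Refuse any SAML document carrying a DTD, then parse it.
    Rejecting up front removes the XXE surface independent of parser settings."""
    if DTD_MARKER.search(xml_bytes):
        raise UnsafeSamlMessage("DTD or entity declaration present; message rejected")
    return ET.fromstring(xml_bytes)

def subject_name_id(root):
    """Return the asserted subject's NameID, or None if the element is missing."""
    el = root.find(f".//{{{SAML_NS}}}NameID")
    return None if el is None else (el.text or "").strip()

def is_accepted(xml_bytes):
    """True if the message passes the guard and parses, False if it was rejected."""
    try:
        parse_saml(xml_bytes)
        return True
    except UnsafeSamlMessage:
        return False

# Constructed sample assertions for the example (not real IdP output).
BENIGN = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Same assertion with a DTD declaring an external entity; the guard stops it before parsing.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2">
  <saml:Subject><saml:NameID>&ext;</saml:NameID></saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN), "->", subject_name_id(parse_saml(BENIGN)))
    print("DTD message accepted:", is_accepted(WITH_DTD))
```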

Threat 7: Active Exploitation of Critical Exchange Server Vulnerability (CVE-2024-21410) Confirmed

Sources: 

 

Entities:

  • Microsoft, Exchange Server, Threat Actors 

 

Indicators of Compromise:  

  • CVE-2024-21410  

 

Attack Vectors:  

  • Privilege Escalation via NTLM Credentials Leakage 

 

Impact:  

  • Successful exploitation allows attackers to gain privileges and perform operations on Exchange Server 

 

Detailed Description: 

  • CVE-2024-21410 is actively exploited in the wild, enabling privilege escalation through NTLM credential-leaking vulnerabilities that target Outlook clients. 
  • Microsoft has updated its bulletin to indicate that exploitation has been detected and that Extended Protection for Authentication is now enabled by default. 
  • Details about exploitation methods and threat actors remain undisclosed. 

 

Recommendation: 

Threat 8: Zoom Addresses Critical Privilege Elevation Flaw in Windows Apps

Sources: 

 

Entities:  

  • Zoom, Windows Desktop Client, VDI Client, Meeting SDK, Input Validation Flaw 

 

Indicators of Compromise:  

  • CVE-2024-24691 

 

Attack Vectors:  

  • Network-based privilege escalation requiring user interaction  

 

Impact:  

  • Potential for unauthorized privilege escalation, information disclosure, denial of service, and improper authentication 

 

Detailed Description: 

  • Zoom has patched a critical privilege escalation flaw (CVE-2024-24691) affecting its Windows Desktop Client, VDI Client, and Meeting SDK.  
  • The flaw, discovered by Zoom’s offensive security team, received a CVSS v3.1 score of 9.6.  
  • Additionally, six other vulnerabilities have been addressed in the latest release. The vulnerabilities include: 
    • CVE-2024-24697: A high-severity issue in Zoom 32-bit Windows clients allows privilege escalation through local access by exploiting an untrusted search path. 
    • CVE-2024-24696: An in-meeting chat vulnerability in Zoom Windows clients caused by improper input validation enables information disclosure over the network. 
    • CVE-2024-24695: Similar to CVE-2024-24696, improper input validation in Zoom Windows clients allows information disclosure over the network. 
    • CVE-2024-24699: A business logic error in Zoom’s in-meeting chat feature can lead to information disclosure over the network. 
    • CVE-2024-24690: Vulnerability in some Zoom clients caused by improper input validation can trigger a denial of service over the network. 
    • CVE-2024-24698: Improper authentication flaw in some Zoom clients permits information disclosure through local access by privileged users. 

 

Recommendation: 

  • Users are advised to update their Zoom applications to the latest versions (Windows Desktop Client 5.16.5, VDI Client 5.16.10, Zoom Rooms Client 5.17.0, Meeting SDK 5.16.5) to mitigate the risk of exploitation.  

Threat 9: New Microsoft Outlook RCE Vulnerability Easily Exploited

Sources: 

 

Entities:  

  • Microsoft Outlook RCE Vulnerability 

 

Indicators of Compromise:  

  • CVE-2024-21413, Moniker Link 

 

Attack Vectors:  

  • Remote unauthenticated attackers can exploit the vulnerability via malicious links in emails or in the Preview Pane of Outlook 

 

Impact:  

  • The vulnerability allows for remote code execution, bypassing Office Protected View, and theft of NTLM credential information 

 

Detailed Description: 

  • The flaw, tracked as CVE-2024-21413, permits attackers to execute arbitrary code by tricking users into clicking on malicious links or previewing infected Office documents.  
  • Check Point researchers discovered the vulnerability, named Moniker Link, which enables attackers to bypass Outlook security by adding an exclamation mark to file:// protocol URLs. 
  • The vulnerability stems from the incorrect parsing of “file://” hyperlinks, which makes it possible to achieve code execution by adding an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., “file:///\\10.10.111.111\test\test.rtf!something”).  
  • The vulnerability bypasses built-in Outlook protections and has been confirmed on various Windows and Office environments. 

 

Recommendation:  

  • Microsoft has released patches for affected versions of Outlook and Office. Users are advised to apply the updates immediately to mitigate the risk of exploitation. 
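
The distinguishing feature of a Moniker Link is a file:// hyperlink whose path carries a "!" suffix, which gives mail filters something concrete to key on. The following detector is an added example written for this bulletin (not Check Point's or Microsoft's code); the sample message is constructed.

```python
import re
from html import unescape

# A Moniker Link is a file:// hyperlink whose path carries a '!' suffix
# (e.g. file:///\\host\share\doc.rtf!something). Ordinary file:// links
# have no '!' in the path, so the '!' is the discriminator we key on.
MONIKER_LINK = re.compile(r"""file:/+[^\s"'<>!]*![^\s"'<>]*""", re.IGNORECASE)

def unc_host(link):
    """Return the host part of a file:// link (UNC or URL form), or '' if none."""
    rest = link[len("file:"):].lstrip("/\\")
    return re.split(r"[\\/]", rest, maxsplit=1)[0]

def find_moniker_links(body):
    """Scan an email body (plain text or raw HTML) and return suspicious links
    as dicts with the link and the host the recipient's client would contact."""
    text = unescape(body)  # resolve &amp;-style escapes in HTML bodies first
    return [{"link": m.group(0), "host": unc_host(m.group(0))}
            for m in MONIKER_LINK.finditer(text)]

# Constructed sample message for the example (not a real email).
SAMPLE_EMAIL = r'''<p>Quarterly numbers are on the intranet: https://intranet.example/q1</p>
<p>Backup copy: file://fileserver.example/share/q1.docx</p>
<p><a href="file:///\\10.10.111.111\test\test.rtf!something">Open the attachment</a></p>'''

if __name__ == "__main__":
    for hit in find_moniker_links(SAMPLE_EMAIL):
        print(f"suspicious link {hit['link']!r} -> host {hit['host']}")
```

A plain file:// link without the "!" (the second paragraph in the sample) is deliberately not flagged, so the rule can run on all inbound mail without drowning in share links.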

Threat 10: Critical Vulnerabilities Discovered in ConnectWise ScreenConnect Software

Sources: 

 

Entities:

  • ConnectWise ScreenConnect Software 

 

Indicators of Compromise:

  • 155.133.5[.]15 
  • 155.133.5[.]14 
  • 118.69.65[.]60 

 

Attack Vectors:  

  • Attackers can exploit authentication bypass and path traversal vulnerabilities in vulnerable versions of ScreenConnect to execute remote code or access confidential data 

 

Impact:  

  • The flaws have the potential to enable remote code execution or compromise critical systems, posing a severe risk to affected organizations 

 

Detailed Description: 

  • Attackers are actively exploiting two vulnerabilities in ConnectWise ScreenConnect servers—CVE-2024-1709 and CVE-2024-1708—to deploy LockBit ransomware on compromised networks.  
  • CVE-2024-1709 is a maximum severity authentication bypass flaw that has since been addressed by ConnectWise via security updates. 
  • CVE-2024-1708, a high-severity path traversal vulnerability, was also addressed by the same ConnectWise security updates; however, this vulnerability can only be exploited by threat actors who already hold high privileges.  
  • Since these vulnerabilities were disclosed, CVE-2024-1709 has been seen actively exploited in the wild, with reports of more than 600 IP addresses targeting vulnerable servers. 

 

Recommendation: 

  • Immediately patch ScreenConnect servers, upgrading to version 23.9.8 or newer. Please follow the mitigation steps listed in the following security advisory by ConnectWise. 

 

SOC Response: 

  • The SOC has implemented a new Global Detection, “Potential ScreenConnect Vulnerability Exploitation”, for all XDR customers. This detection covers the known indicators of compromise at this time; the SOC will stay up to date with any changes or additional indicators as they are released. 

Threat 11: Urgent VMware Alert: Uninstall Enhanced Authentication Plugin (EAP) - Critical Flaw Threatens AD

Sources: 

 

Entities:  

  • VMware Enhanced Authentication Plugin (EAP), Active Directory 

 

Indicators of Compromise:  

  • CVE-2024-22245 (EAP arbitrary authentication relay), CVE-2024-22250 (EAP session hijack) 

 

Attack Vectors:  

  • Malicious actors could exploit EAP vulnerabilities to trick users into relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs), and seize privileged EAP sessions with unprivileged local access to Windows OS 

 

Impact:  

  • The flaws pose significant risks to systems using EAP for vSphere login, potentially compromising Active Directory security and enabling unauthorized access to privileged sessions. 

 

Detailed Description: 

  • VMware has identified critical vulnerabilities (CVE-2024-22245 and CVE-2024-22250) in the deprecated Enhanced Authentication Plugin (EAP), urging users to uninstall it immediately. 
  • The flaws could lead to arbitrary authentication relay and session hijacking, impacting systems connected to vSphere through EAP. 
  • Additional specifics about this flaw are currently being withheld. 

 

Recommendation: 

  • Users are advised to uninstall the Enhanced Authentication Plugin from client systems using the operating system’s uninstallation method. This action is crucial to prevent exploitation of vulnerabilities and safeguard Active Directory integrity. 

Threat 12: UnitedHealth confirms Optum hack behind US healthcare billing outage

Sources: 

Entities:  

  • UnitedHealth Group, Optum Solutions, Columbia University, Tricare 

Attack Vectors:  

  • Cyberattack by suspected “nation-state” actors targeting IT systems of Optum’s Change Healthcare platform, leading to widespread service disruptions. Optum is UnitedHealth Group’s IT subsidiary.  

Impact:  

  • Widespread disruption of Change Healthcare services across the US healthcare system, including payment processing and claims handling; healthcare organizations have disconnected from Optum and related services as a precaution. 

Detailed Description: 

  • UnitedHealth Group’s subsidiary, Optum, experienced a severe cyberattack targeting its Change Healthcare platform, disrupting services across the US healthcare system.  
  • The attack led to the shutdown of IT systems and various services, affecting payment processing and healthcare service delivery. 
  • UnitedHealth Group has taken steps to isolate and remediate the impacted systems, but the extent and duration of the disruption remain uncertain. 
  • Healthcare organizations, including Columbia University and Tricare, have taken preventive measures by disconnecting from Optum and related services.  

Recommendation: 

  • Healthcare organizations should immediately disconnect from Optum and related services until they are deemed safe. 
  • Consider alternative methods for processing payments and healthcare claims during the outage. 
  • Prepare for potential data breach notifications and take steps to protect patient data. 

Threat 13: New Bifrost Malware Variant Targets Linux with VMware Domain Mimicry

Sources: 

  

Entities:

  • Palo Alto Networks’ Unit 42, VMware 

 

Indicators of Compromise:

  • download.vmfare[.]com 

 

Attack Vectors:  

  • Malicious email attachments, payload-dropping sites. 

 

Impact:  

  • Data exfiltration, potential system compromise, evasion of detection mechanisms. 

 

Detailed Description: 

  • Palo Alto Networks’ Unit 42 researchers have uncovered a new variant of the Bifrost RAT targeting Linux systems.  
  • This variant utilizes a deceptive domain, “download.vmfare[.]com,” which mimics a legitimate VMware domain, aiding in evasion.  
  • The malware collects sensitive information from infected hosts and exfiltrates it, RC4-encrypted, to a command-and-control server.  
  • Additionally, an ARM version of the malware has been identified, indicating the attackers’ intention to target a broader range of system architectures. 

 

Recommendation: 

  • Organizations should update their security measures to detect and block the deceptive domain “download.vmfare[.]com.”  

 

SOC Response: 

  • The SOC has implemented a global detection for all XDR customers to detect any connection to the known deceptive domain listed.
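
The ScreenConnect (Threat 10) and Bifrost (Threat 13) items both publish defanged indicators that customers without the SOC's XDR detections may want to sweep their own proxy and DNS logs for. The block below is an added example written for this bulletin (not the SOC's detection content): it refangs the published indicators, matches them as whole tokens, and runs over constructed sample log lines.

```python
import re

# Indicators from the bulletin, in defanged form as published.
DEFANGED_IOCS = [
    "155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60",   # ScreenConnect exploitation sources
    "download.vmfare[.]com",                                 # Bifrost VMware-lookalike domain
]

def refang(ioc):
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def build_matcher(iocs):
    """Compile one regex that matches any indicator as a whole token, so that
    155.133.5.15 does not also fire on 155.133.5.150 or on a longer host name.
    (Subdomains of a listed domain would need a separate, looser rule.)"""
    alternatives = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(rf"(?<![\w.-])(?:{alternatives})(?![\w-])", re.IGNORECASE)

def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, indicator, line) for every log line that hits an IoC."""
    matcher = build_matcher(iocs)
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in matcher.finditer(line):
            hits.append((n, m.group(0), line))
    return hits

# Constructed sample log lines (internal addresses and timestamps are made up).
SAMPLE_LOGS = [
    "2024-02-22T10:01:02Z proxy src=10.1.2.3 dst=155.133.5.15 path=/ status=200",
    "2024-02-22T10:01:05Z proxy src=10.1.2.4 dst=155.133.5.150 path=/ status=200",
    "2024-03-01T08:00:00Z dns client=10.1.2.5 query=download.vmfare.com type=A",
    "2024-03-01T08:00:03Z dns client=10.1.2.6 query=download.vmware.com type=A",
]

if __name__ == "__main__":
    for n, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: hit on {ioc}: {line}")
```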