Threat Bulletin | May 24

Sources: 

• https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos/   
• https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt 

Entities:  

• HPE Aruba Networking, RCE Flaws in ArubaOS. 

Attack Vectors:  

• Remote code execution via specially crafted packets to PAPI UDP ports. 

Impact:  

• Potential for unauthorized code execution. 

Detailed Description: 

• HPE Aruba Networking releases April 2024 security advisory addressing critical RCE flaws in ArubaOS versions, urging prompt installation of security updates to mitigate risks. 
• Four critical RCE vulnerabilities in ArubaOS pose significant risks to network infrastructure, with potential for exploitation by unauthenticated attackers. The flaws are:  
  • CVE-2024-26305 – Flaw in ArubaOS’s Utility daemon allowing an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI (Aruba’s access point management protocol) UDP port (8211). 
  • CVE-2024-26304 – Flaw in the L2/L3 Management service, permitting unauthenticated remote code execution through crafted packets sent to the PAPI UDP port. 
  • CVE-2024-33511 – Vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI protocol port to allow unauthenticated attackers to execute arbitrary code remotely. 
  • CVE-2024-33512 – Flaw allowing unauthenticated remote attackers to execute code by exploiting a buffer overflow in the Local User Authentication Database service accessed via the PAPI protocol.
• Currently, HPE Aruba Networking is not aware of any cases of active exploitation or the existence of proof-of-concept (PoC) exploits for the vulnerabilities mentioned.

Recommendation: 

• To mitigate the flaws the vendor recommends enabling Enhanced PAPI Security and upgrading to patched versions for ArubaOS. 

Sources: 

• https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/  
• https://apnews.com/article/change-healthcare-cyberattack-unitedhealth-senate-9e2fff70ce4f93566043210bdd347a1f 

Entities:  

• Change Healthcare, Citrix Accounts, MFA 

Indicators of Compromise:  

• Stolen Citrix credentials associated with remoteapps[.]changehealthcare[.]com/vpn/index.htm 

Attack Vectors:  

• The BlackCat ransomware gang breached Change Healthcare’s network by exploiting stolen Citrix credentials, gaining unauthorized access to critical systems.  
• The compromised Citrix account did not have multi-factor authentication (MFA) enabled, facilitating the breach. 

Impact:  

• The ransomware attack on Change Healthcare in late February 2024 caused severe operational disruptions, impacting critical healthcare services across the U.S. The financial damages were estimated at $872 million. 
•  The breach exposed protected health information (PHI) and personally identifiable information (PII) of patients, posing significant privacy and security risks.  

Detailed Description: 

• Change Healthcare’s network was breached by the BlackCat ransomware gang using stolen Citrix credentials.  
• The lack of multi-factor authentication (MFA) on the compromised Citrix account allowed threat actors to move laterally within the network and deploy ransomware.  
• The CEO of UnitedHealth confirmed the breach and disclosed the ransomware attack’s impact on critical healthcare services. 

Recommendation: 

• Organizations should implement multi-factor authentication (MFA) to enhance account security and mitigate the risk of unauthorized access.  
• Regular security awareness training and phishing simulations can help employees recognize and avoid phishing attempts that lead to credential theft. 

SOC Response:

• Enhance network monitoring to detect and respond to unauthorized access promptly. 

Sources: 

• https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/  

Entities:  

• Okta, Credential Stuffing Attacks 

Indicators of Compromise: 

• TOR anonymization network, residential proxies (e.g., NSOCKS, Luminati, DataImpulse) 

Attack Vectors:  

• Threat actors are conducting credential stuffing attacks against Okta’s identity and access management solutions, utilizing automated methods to test lists of stolen usernames and passwords.  
• The attacks originate from TOR anonymization network and residential proxies. 

Impact:  

• Some customer accounts have been breached in the attacks, particularly impacting organizations running on the Okta Classic Engine with ThreatInsight configured in Audit-only mode. Organizations not denying access from anonymizing proxies also face higher attack success rates.  

Detailed Description: 

• Okta issues an advisory warning of a significant increase in credential stuffing attacks targeting its solutions.  
• Threat actors use automated techniques to compromise user accounts, with attacks originating from TOR network and residential proxies.  
• Okta provides recommendations to mitigate the risk, including: 
  • Enable ThreatInsight in Log and Enforce Mode to block IP addresses known for involvement in credential stuffing proactively before they can even attempt authentication. 
  • Deny access from anonymizing proxies to proactively block requests that come through shady anonymizing services. 
  • Switching to Okta Identity Engine, which offers more robust security features, including CAPTCHA challenges for risky sign-ins and password less authentication options like Okta FastPass. 
  • Implement Dynamic Zones which enables organizations to specifically block or allow certain IPs and manage access based on geolocation and other criteria. 

Recommendation: 

• Organizations should proactively implement security measures such as multi-factor authentication, strong password policies, and geolocation-based access controls.  
• They should also monitor for anomalous sign-ins and block IP addresses associated with suspicious activities. 

SOC Response: 

• The SOC has several detections in place to alert all XDR customers with Okta for these types of events.

Sources:

• https://thehackernews.com/2024/04/palo-alto-networks-outlines-remediation.html  
• https://nvd.nist.gov/vuln/detail/CVE-2024-3400  
• https://security.paloaltonetworks.com/CVE-2024-3400 

Entities:  

• Palo Alto Networks

Attack Vectors:  

• Threat actors exploit a critical security flaw (CVE-2024-3400) in PAN-OS to execute remote shell commands on vulnerable devices. The flaw has been actively exploited by a threat cluster known as UTA0218 since at least March 26, 2024. 

Impact:  

• Successful exploitation of the vulnerability could lead to unauthorized remote command execution and potential compromise of affected devices.  

Detailed Description: 

• The vulnerability in PAN-OS, tracked as CVE-2024-3400, allows threat actors to gain unauthenticated remote shell command execution on susceptible devices. 
• Palo Alto Networks has released remediation advice to mitigate the risk posed by this flaw, addressing different levels of compromise observed in affected devices: 
  • Level 0 Probe: Unsuccessful exploitation attempt – Update to the latest provided hotfix 
  • Level 1 Test: Evidence of vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands – Update to the latest provided hotfix 
  • Level 2 Potential Exfiltration: Signs where files like “running_config.xml” are copied to a location that is accessible via web requests – Update to the latest provided hotfix and perform a Private Data Reset 
  • Level 3 Interactive Access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code – Update to the latest provided hotfix and perform a Factory Reset 

Recommendation: 

• Organizations using PAN-OS should urgently apply the latest provided hotfix to patch the vulnerability.  
  • Additionally, they should follow Palo Alto Networks remediation guidance based on the level of compromise detected on their devices.

Sources: 

• https://thehackernews.com/2024/05/new-cuckoo-persistent-macos-spyware.html 

Entities:  

• Apple macOS users 

Indicators of Compromise:  

• dumpmedia[.]com
• tunesolo[.]com
• fonedog[.]com
• tunesfun[.]com
• tunefab[.]com 

Attack Vector:  

• Distribution through compromised websites offering free and paid applications. 

Risk Impact:  

• Potential compromise of sensitive data including passwords, crypto keys, and personal information 

Detailed Description: 

• Cybersecurity experts uncover “Cuckoo” spyware targeting Apple macOS, capable of running on both Intel and Arm-based Macs.  
• It employs sophisticated methods to gather information and establish persistence, posing a significant threat to user privacy and security. 
• It utilizes compromised websites to distribute malicious binaries, employs various techniques for persistence, and steals sensitive information from infected systems. 

Recommendation: 

• macOS users should exercise caution when downloading applications from unknown sources and regularly update their systems with the latest security patches.

Sources: 

• https://thehackernews.com/2024/05/critical-f5-central-manager.html   
• https://my.f5.com/manage/s/article/K000090258 

Entities:  

• Users of F5 BIG-IP Next Central Manager 

Attack Vectors:  

• Exploitation of SQL injection and OData injection vulnerabilities via the BIG-IP Next Central Manager API to execute malicious SQL statements. 

Risk Impact: 

• Full administrative control of affected devices, potential creation of rogue administrator accounts, which could remain undetected. 

Detailed Description: 

• The critical vulnerabilities, identified as CVE-2024-21793 and CVE-2024-26026, primarily affect the F5 BIG-IP Next Central Manager’s API, which lacks proper sanitization for SQL and OData inputs. This oversight allows attackers to execute arbitrary SQL commands without authentication. 
• By exploiting these vulnerabilities, attackers can manipulate database queries to create or modify user accounts, potentially gaining persistent administrative privileges without detection. 
• The nature of these vulnerabilities makes it possible for attackers to not only gain control over the Central Manager but also manipulate or access critical network operations managed by the device, posing a significant threat to enterprise networks. 

Recommendation:  

• Immediately update F5 BIG-IP Next Central Manager to the latest version (20.2.0 or later) to patch the vulnerabilities. 

Sources: 

• https://www.bleepingcomputer.com/news/security/citrix-warns-admins-to-manually-mitigate-putty-ssh-client-bug/  
• https://nvd.nist.gov/vuln/detail/CVE-2024-31497  

Entities:  

• Citrix, PuTTY, XenCenter admin’s private SSH key 

Attack Vectors:  

• Exploitation of a PuTTY SSH client vulnerability impacting XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, potentially allowing attackers to steal admin SSH keys 

Impact:  

• The vulnerability poses a risk of unauthorized access to XenCenter admin credentials and compromises the security of Citrix Hypervisor environments. 

Detailed Description: 

• Citrix has alerted customers to a security flaw impacting XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, allowing attackers to pilfer admin SSH keys via a PuTTY SSH client vulnerability (CVE-2024-31497).  
• The security flaw (tracked as CVE-2024-31497) impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the “Open SSH Console” button.  
• Citrix says that the PuTTY third-party component has been removed starting with XenCenter 8.2.6, and any versions after 8.2.7 will no longer include it. 
• The vulnerability, discovered by researchers at Ruhr University Bochum, stems from improper nonce generation in older PuTTY versions. 

Recommendation:  

• Administrators are advised to take immediate action by either updating PuTTY to the latest version or removing it from affected XenCenter releases.

Sources: 

• https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.html    
• https://www.cacti.net/info/changelog 

Entities:  

• Cacti Network Monitoring Framework 
• Developers and users of Cacti 

Attack Vectors:  

• Arbitrary file write 
• Command injection 
• SQL injection 
• File inclusion 

Impact:  

• Unauthorized remote code execution 
• Data breach and system compromise potential 

Detailed Description: 

• Multiple severe vulnerabilities identified in Cacti, including two critical ones allowing arbitrary code execution. 
• Authenticated users could exploit these to write arbitrary PHP code or execute arbitrary commands. 
• Other significant vulnerabilities could lead to SQL injection and file inclusion, further enabling remote code execution. 
• Affects all versions up to 1.2.26; patches released in version 1.2.27. 

Recommendation:  

• Urgently update to Cacti version 1.2.27 to mitigate these vulnerabilities. 
• Regularly monitor and audit all system logs for signs of unauthorized access. 

Sources: 

• https://thehackernews.com/2024/05/researchers-uncover-11-security-flaws.html 
• https://www.nozominetworks.com/blog/ge-healthcare-vivid-ultrasound-vulnerabilities 

Entities:   

• GE HealthCare
• Nozomi Networks
• Siemens
• Merge DICOM  

Attack Vector:  

• Physical access to devices, hospital network infiltration, USB ports, VPN credential theft. 

Risk Impact:  

• Ransomware implantation 
• Patient data manipulation and exfiltration 
• Arbitrary code execution with administrative privileges 
• Potential denial-of-service (DoS) 

Detailed Description: 

• Security researchers from Nozomi Networks have identified 11 vulnerabilities in the GE HealthCare Vivid Ultrasound product family, notably affecting the Vivid T9 ultrasound system and EchoPAC software. 
• The identified vulnerabilities include hard-coded credentials (CVE-2024-27107, CVSS score: 9.6), command injection (CVE-2024-1628), execution with unnecessary privileges (CVE-2024-27110, CVE-2020-6977), path traversal (CVE-2024-1630, CVE-2024-1629), and protection mechanism failure (CVE-2020-6977).  
• Exploiting these requires physical access to the devices or network infiltration.  
• The report outlines how an attacker could use these vulnerabilities to execute arbitrary code, implant ransomware, and tamper with patient data. 

Recommendation:  

• Strengthen physical access controls to prevent unauthorized access to medical devices. 
• In all workstations that have Echopac installed, block incoming connections via firewall to SMB and 2638/tcp (SQL Anywhere DB server port) when the workstation is connected to an unprotected network.

Sources: 

• https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-kill-edr-security-using-vulnerable-drivers/ 
• https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine 

Entities:   

• GhostEngine
• EDR
• Vulnerable Drivers
• XMRig miner 

Indicators of Compromise:  

• Initial payload: Tiworker.exe 
• PowerShell script: get.png 
• Primary payload executable: smartsscreen.exe 
• Vulnerable drivers: aswArPots.sys (Avast), IObitUnlockers.sys (Iobit) 
• Persistence DLL: oci.dll 

Attack Vector:  

• Execution of a masquerading file (Tiworker.exe) 
• PowerShell script execution 
• Download and deployment of malicious modules. 
• Termination of EDR processes using vulnerable drivers 
• Deployment of XMRig miner 

Risk Impact:  

• Compromise and disabling of EDR (Endpoint Detection and Response) security systems. 
• Unauthorized crypto mining, leading to potential performance degradation and resource misuse. 
• Difficulty in detection and remediation due to advanced persistence mechanisms 

Detailed Description: 

• A newly discovered malicious campaign, REF4578, is deploying the GhostEngine payload to conduct unauthorized crypto mining.  
• The attack begins with a fake Windows file, Tiworker.exe, which triggers a PowerShell script (get.png) to disable security defenses and maintain persistence through scheduled tasks.  
• The primary payload (smartsscreen.exe) then terminates EDR software using vulnerable drivers and launches the XMRig miner.  
• Researchers have yet to identify the perpetrators or the full scope of the campaign. 

Recommendation: 

• Monitor for unusual PowerShell executions and process activities. 
• Be vigilant about network traffic associated with crypto-mining pools. 
• Block the creation and execution of files from known vulnerable drivers (aswArPots.sys, IObitUnlockers.sys). 
• Implement YARA rules provided by Elastic Security to detect GhostEngine infections. 

SOC Response: 

• The SOC is working to implement a detection around the known indicators of compromise known at this time, details of this detection can be found in the monthly changelog.