Threat Bulletin | September

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Misconfiguration Flaw Exposes 15,000 AWS Load Balancers to Risk

Source(s): 

Entities:

  • AWS, Application Load Balancer (ALB), ALBeast

Attack Vector:

  • Exploitation of configuration issues in AWS ALB user authentication allowing unauthorized access

Risk Impact:

  • Authentication bypass: an application that trusts the ALB-signed token without checking which ALB signed it will accept tokens minted by any ALB in the same region, including one the attacker created.
  • Direct exposure: if the application can be reached without passing through its own ALB (permissive security groups), the attacker can present the forged token straight to it.
  • Scope: any workload that relies on ALB user authentication with an OIDC provider or Amazon Cognito.

Detailed Description:

  • ALBeast is a misconfiguration and implementation weakness in how applications consume AWS ALB user authentication. The ALB authenticates the user and forwards a signed JWT to the target in the x-amzn-oidc-data header; an application that checks only the AWS signature can be handed a token it should never have trusted.
  • The signing key is regional and shared by every ALB in that region. An attacker can therefore create an ALB in their own account, configure its authenticate action so that the issuer claim in the resulting token matches what the victim application expects, and obtain a validly signed token. Presented directly to a victim application that is reachable without going through its own ALB and does not check the token's signer field, the token is accepted.
  • The issue affects applications that rely on ALB authentication with an OIDC provider or Amazon Cognito.
  • Of roughly 371,000 ALBs analyzed, about 15,000 were identified as potentially exposed, mostly because the applications behind them did not validate the signer.
  • The issue was reported to AWS in April 2024; AWS updated its authentication documentation in May 2024 to require signer validation and to recommend restricting traffic to the ALB.

Recommendations:

  • Validate the signer field in the x-amzn-oidc-data token header against the ARN of your own ALB before trusting any claim, as the updated AWS documentation now requires; then verify the signature with the regional public key and check the issuer and expiry claims.
  • Restrict access to applications by configuring security groups to accept traffic only from trusted ALB instances, so that a token cannot be presented to the application directly.
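The signer check that ALBeast hinges on, as an added example for this bulletin (not code from AWS or from the researchers who reported the issue): it parses the x-amzn-oidc-data token the ALB adds, rejects any token whose signer header is not this application's own ALB ARN, derives the regional public-key URL from that trusted ARN rather than from the token, and only then checks signature, issuer and expiry. The ARN, the issuer, the verify_es256 callback and the two tokens are constructed for illustration; the stub verifier stands in for a real ES256 check so that the module runs offline.

```python
"""Validating the ALB identity token (x-amzn-oidc-data) without trusting every
ALB in the region.  Added illustration for this bulletin; not AWS code.
Assumed (not from the bulletin): EXPECTED_ALB_ARN, EXPECTED_ISSUER, and the
verify_es256 callback through which a real deployment fetches
https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and checks the ES256
signature (e.g. with PyJWT).  stub_verify stands in for that offline."""
import base64
import json
import time
from typing import Callable, Optional

EXPECTED_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                    "loadbalancer/app/my-alb/0123456789abcdef")              # assumed
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed


def _b64url_decode(segment: str) -> bytes:
    # The ALB token may or may not carry '=' padding; normalise before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def public_key_url(trusted_alb_arn: str, kid: str) -> str:
    """Key endpoint for the region of OUR load balancer.  The region is taken
    from the trusted ARN, never from the token, so a forged token cannot steer
    the key lookup."""
    region = trusted_alb_arn.split(":")[3]
    return f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"


def validate_alb_token(token: str,
                       verify_es256: Callable[[str, bytes, bytes], bool],
                       now: Optional[float] = None) -> dict:
    """Return the payload claims if the token is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. The ALBeast fix: the regional AWS key signs tokens for *every* ALB in
    #    the region, so the signature alone says nothing about which ALB
    #    authenticated this user.  Only our own ALB's ARN is acceptable.
    if header.get("signer") != EXPECTED_ALB_ARN:
        raise ValueError(f"unexpected signer {header.get('signer')!r}")
    if header.get("alg") != "ES256" or not header.get("kid"):
        raise ValueError("unexpected alg or missing kid")
    # 2. Signature over header.payload with the key named by kid.
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_es256(public_key_url(EXPECTED_ALB_ARN, header["kid"]),
                        signing_input, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Claims: issuer must be our IdP and the token must not have expired.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if int(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def make_token(signer: str, iss: str, exp: int, sig: bytes = b"good") -> str:
    """Constructed test token laid out like the ALB's (header: alg, kid, signer,
    iss, client, exp; payload: user claims).  Not a real ALB token."""
    header = {"alg": "ES256", "kid": "0123abcd", "signer": signer,
              "iss": iss, "client": "clientid", "exp": exp}
    payload = {"sub": "user-1", "email": "user@example.com", "iss": iss, "exp": exp}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(sig)])


def stub_verify(key_url: str, signing_input: bytes, sig: bytes) -> bool:
    """Stand-in for ES256 verification.  Like the real regional key it accepts
    a valid signature regardless of which ALB produced the token: exactly the
    property ALBeast abuses, which is why step 1 above must come first."""
    return sig == b"good" and key_url.startswith(
        "https://public-keys.auth.elb.us-east-1.amazonaws.com/")


def demo(now: float = 1_700_000_000.0) -> dict:
    legit = make_token(EXPECTED_ALB_ARN, EXPECTED_ISSUER, int(now) + 300)
    attacker_alb = ("arn:aws:elasticloadbalancing:us-east-1:999999999999:"
                    "loadbalancer/app/evil/fedcba9876543210")
    # Validly signed, issuer matches, but minted by the attacker's own ALB.
    forged = make_token(attacker_alb, EXPECTED_ISSUER, int(now) + 300)
    results = {"legit": validate_alb_token(legit, stub_verify, now)["sub"]}
    try:
        validate_alb_token(forged, stub_verify, now)
        results["forged"] = "ACCEPTED"
    except ValueError as err:
        results["forged"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

In production, replace stub_verify with a function that fetches the key for kid from the URL returned by public_key_url and verifies the ES256 signature with a JWT library, and keep the security-group rule that only lets your own ALB reach the application: the signer check defends against tokens minted elsewhere, the security group against anyone presenting a token directly.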
Threat 2: North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit

Source(s):

Entities:

  • Cryptocurrency organizations and financial institutions
  • North Korean threat actor groups
  • Google Chrome and Windows kernel

Attack Vector:

  • Exploitation of a Google Chrome zero-day (CVE-2024-7971) for code execution in the renderer
  • Exploitation of a Windows kernel zero-day (CVE-2024-38106) to escape the browser sandbox and deploy the FudModule rootkit

Risk Impact:

  • Full control over compromised systems
  • Financial theft from cryptocurrency organizations
  • Persistent and stealthy access through rootkit deployment

Detailed Description:

  • North Korean threat actors tracked by Microsoft as Citrine Sleet exploited a Google Chrome zero-day (CVE-2024-7971) to target the cryptocurrency sector for financial gain.
  • The zero-day is a type confusion weakness in Chrome's V8 JavaScript engine; it gave the attackers remote code execution inside the sandboxed Chromium renderer process once a victim visited an attacker-controlled domain.
  • From the renderer, the attackers downloaded and ran a Windows kernel exploit (CVE-2024-38106) to escape the sandbox and obtain SYSTEM privileges.
  • With SYSTEM, they deployed the FudModule rootkit, which tampers with the kernel through direct kernel object manipulation (DKOM) to disable security mechanisms.
  • Citrine Sleet, also tracked as AppleJeus, Labyrinth Chollima and UNC4736, has a history of targeting financial institutions, particularly cryptocurrency organizations, often with trojanized cryptocurrency trading platforms and software.
  • UNC4736 previously compromised the website of Trading Technologies and trojanized the Electron-based desktop client of 3CX in a supply-chain attack.
  • FudModule, first documented in October 2022, is used by both Citrine Sleet and Diamond Sleet, indicating shared tooling or collaboration between the two groups.

Recommendations:

  • Ensure Google Chrome and Windows systems are updated with the latest security patches (CVE-2024-7971 was fixed in Chrome 128; CVE-2024-38106 in the August 2024 Windows security updates).
  • Educate employees on recognizing phishing attempts and the risks of downloading software from untrusted sources.

Threat 3: Fake Palo Alto GlobalProtect Campaign

Source(s):

Entities:

  • Command and Control (C2) server: 131.108[.]78
  • C2 URL: newly registered domain containing the string "sharjahconnect"

Attack Vector:

  • Phishing email: initial access is suspected to involve phishing emails that trick users into executing a malicious file disguised as the legitimate Palo Alto GlobalProtect VPN client.

Indicators of Compromise:

  • Filenames: setup.exe, GlobalProtect.exe
  • C2 IP address: 131.108[.]78
  • Command and control URL: contains the string "sharjahconnect"
  • Domain used for beaconing: oast[.]fun

Risk Impact:  

  • Data Theft: The malware can steal data by transmitting profiling information about the breached machine to the C2 server.
  • Remote Command Execution: It allows attackers to execute remote PowerShell commands, which can lead to further infiltration and manipulation of the victim’s internal network.
  • Evasion Techniques: The malware uses AES encryption to obscure communications and checks for sandbox environments to evade detection.

Detailed Description: 

  • The campaign involves malware masquerading as the Palo Alto GlobalProtect VPN tool, commonly used for secure remote access.
  • The malware is delivered via a phishing email that prompts the user to execute a file named setup.exe.
  • This file deploys GlobalProtect.exe, which pretends to be a legitimate installation process while secretly installing the malware.
  • Once executed, the malware communicates with a C2 server, sending system profiling information and receiving commands for further malicious activities, including file uploads, downloads, and PowerShell script executions.

Recommendations:  

  • Educate employees about phishing attacks and the risks of downloading and executing unsolicited files.
  • Implement robust email filtering solutions to detect and block phishing attempts.
  • Regularly update and patch all software, including security tools, to close any vulnerabilities that could be exploited by such malware.

SOC Response:

  • The SOC has implemented a custom ATH rule to hunt for the known indicators of compromise at this time related to this campaign. We will continue to monitor this activity and will adjust this rule as more information becomes available.

Threat 4: Cisco Removes Backdoor Admin Account and Addresses Critical Vulnerabilities in Smart Licensing Utility

Sources:

Entities: Cisco Systems, Cisco Smart Licensing Utility (CSLU)

Attack Vector:

  • CVE-2024-20439: Exploited through undocumented static user credentials for remote administrative access.
  • CVE-2024-20440: Exploited via crafted HTTP requests to access sensitive log files containing API credentials.

Risk Impact:

  • Unauthorized remote administrative access to unpatched CSLU systems.
  • Potential exposure of sensitive data, including API credentials, from affected systems.

Detailed Description:

  • Cisco has addressed two critical vulnerabilities in the Cisco Smart Licensing Utility (CSLU), a Windows application used to manage licenses.
  • The first, CVE-2024-20439, is an undocumented static administrative credential that grants unauthenticated remote administrative access through the CSLU API.
  • The second, CVE-2024-20440, is an information disclosure flaw: a crafted HTTP request returns an overly verbose debug log file that contains sensitive data, including API credentials.
  • Cisco has released fixed software and, at the time of its advisory, had no evidence of active exploitation.
  • The issues affect CSLU 2.0.0, 2.1.0 and 2.2.0 and are fixed in 2.3.0; both are exploitable only while a user has started the utility and it is actively running.

Recommendations:

  • Update to a fixed release of Cisco Smart Licensing Utility (2.3.0 or later) here.
  • Until updated, do not leave CSLU running when it is not in use; the flaws are exploitable only while the utility is active.

Threat 5: YubiKeys Vulnerable to Cloning Attacks Due to Side Channel Flaw

Sources:

Entities: YubiKey 5 Series, Infineon Technologies

Attack Vector:

  • Exploitation of a side channel in the Infineon cryptographic library used by YubiKey 5 Series devices.
  • Physical access to the device is required: the attacker opens the key's casing and uses laboratory equipment to measure electromagnetic emissions while it performs cryptographic operations.

Risk Impact:

  • Cloning of a YubiKey 5 Series device: the attacker recovers the private key behind a credential and can then produce valid responses from a copy, gaining access to the accounts protected by that key.
  • The attack requires both physical access to the device and knowledge of the victim's login credentials for the targeted accounts.

Detailed Description:

  • A newly discovered side channel in YubiKey 5 Series devices allows cloning: an attacker with physical access can recover the device's ECDSA private keys using sophisticated electromagnetic measurement equipment.
  • The flaw is in the Infineon cryptographic library used by these devices, specifically its non-constant-time implementation of the Extended Euclidean Algorithm for modular inversion. ECDSA signing inverts the secret per-signature nonce modulo the curve order, so the leaked control flow reveals information about the nonce and, from it, the private key.
  • All YubiKey 5 Series devices with firmware earlier than 5.7 (released in May 2024) are affected, and other products built on the same Infineon library and microcontrollers are potentially exposed as well.

Recommendations:

  • YubiKey firmware cannot be updated in the field. Check the firmware version of each key (Yubico Authenticator displays it) and treat anything below 5.7 as affected; firmware 5.7 and later uses Yubico's own cryptographic library instead of Infineon's.
  • Assess the exposure of affected keys against the attack's prerequisites (physical access plus the account credentials), keep them under physical control, and replace those protecting high-value accounts.
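To make the modular-inversion flaw described above concrete, an added example (not Infineon's or Yubico's code): a textbook extended Euclidean inversion instrumented to record its quotient sequence, which is the data-dependent control flow a side channel observes, beside a Fermat inversion whose exponent is the public constant n-2 and whose step pattern therefore does not depend on the nonce. The attacker-side function shows that Euclid's quotients are the continued-fraction expansion of n/k, so a fully observed trace recovers the nonce k outright. The P-256 order is the real public constant; the nonces are random test values; treating the quotient sequence as "the trace" is a simplification of what the electromagnetic measurement actually sees.

```python
"""Why a non-constant-time extended Euclidean inversion leaks the ECDSA nonce.
Added illustration for this bulletin; not Infineon's or Yubico's code.  The
'trace' is the sequence of Euclidean quotients, a stand-in for the branch and
timing pattern an electromagnetic side channel observes."""
from fractions import Fraction
import random

# Order n of the NIST P-256 group (public constant).  ECDSA signing computes
# k^-1 mod n for the secret per-signature nonce k.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def eea_inverse_traced(k: int, n: int) -> tuple:
    """Textbook extended Euclid.  Returns (k^-1 mod n, quotient sequence).
    The loop count and every quotient depend on k: data-dependent control
    flow, which is exactly what a side channel can observe."""
    old_r, r = k % n, n
    old_s, s = 1, 0
    quotients = []
    while r != 0:
        q = old_r // r
        quotients.append(q)
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("k is not invertible modulo n")
    return old_s % n, quotients


def fermat_inverse(k: int, n: int) -> int:
    """k^-1 = k^(n-2) mod n for prime n.  The exponent is the public constant
    n-2, so the square-and-multiply schedule is identical for every k (the
    underlying big-number arithmetic must still be constant-time)."""
    return pow(k, n - 2, n)


def nonce_from_trace(quotients: list, n: int) -> int:
    """Attacker view: Euclid's quotients are the continued fraction of n/k.
    quotients[0] is the leading 0 from k < n; the rest rebuild n/k exactly,
    so the trace IS the nonce."""
    value = Fraction(quotients[-1])
    for q in reversed(quotients[1:-1]):
        value = q + 1 / value
    return int(n / value)


def demo(samples: int = 20, seed: int = 1) -> dict:
    """Random nonces: both inversions agree, trace lengths vary with the
    nonce, and every trace gives its nonce back."""
    rng = random.Random(seed)
    lengths, recovered_all, agree_all = [], True, True
    for _ in range(samples):
        k = rng.randrange(1, P256_N)
        inv, trace = eea_inverse_traced(k, P256_N)
        agree_all &= (k * inv) % P256_N == 1 and inv == fermat_inverse(k, P256_N)
        recovered_all &= nonce_from_trace(trace, P256_N) == k
        lengths.append(len(trace))
    return {"inversions_agree": agree_all,
            "nonce_recovered_from_trace": recovered_all,
            "distinct_trace_lengths": len(set(lengths)),
            "min_len": min(lengths), "max_len": max(lengths)}


if __name__ == "__main__":
    print(demo())
```

The fix on the device side is an inversion whose operation sequence is independent of k (Fermat-style exponentiation with a public exponent, or a constant-time binary GCD), which is the kind of change a replacement cryptographic library brings; software-side you cannot patch the key, which is why the recommendation above is to identify and replace.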
Threat 6: NoName Ransomware Gang Deploying RansomHub Malware in Recent Attacks

Sources:

Entities: Small and Medium-sized Businesses (SMBs)

Indicators of Compromise:

  • IP: 66.29.141[.]245 | Domain: www.lockbitblog[.]info
  • Ransom note fragments – Email addresses:
    • decservice@ukr[.]net
    • nonamehack2024@gmail[.]com
    • tufhackteam@gmail[.]com
    • nonamehack2023@gmail[.]com
    • nonamehack2023@tutanota[.]com
    • lockbit2023@proton[.]me
    • serverrecoveryhelp@gmail[.]com
    • recoverydatalife@gmail[.]com
    • recoverydatalife@mail[.]ru

Attack Vector:

  • Brute-force attacks against exposed services and exploitation of older, well-known vulnerabilities

Risk Impact:

  • Data encryption and potential data loss
  • Unreliable recovery: ScRansom's multi-key encryption scheme sometimes fails to decrypt even when the attackers cooperate, so encrypted files can be lost permanently

Detailed Description:

  • The NoName gang (tracked as CosmicBeetle by ESET) is evolving its tactics, deploying its own ScRansom encryptor and, in recent intrusions, the RansomHub ransomware.
  • The gang has experimented with the leaked LockBit 3.0 builder and runs a fake leak site branded "NONAME" that imitates LockBit's, apparently to borrow the larger group's notoriety and increase its own visibility.
  • It targets SMBs, gaining access through brute-force attacks and exploitation of old, unpatched vulnerabilities.
  • ScRansom, a file-encrypting malware of the Spacecolon family, encrypts files across all drives and has a destructive "ERASE" mode that makes files unrecoverable.
  • Its encryption scheme is complex (AES-CTR-128 for data, RSA-1024 for keys, with several key exchanges), and that complexity itself causes decryption failures in some cases.
  • Recent attacks used RansomHub's EDR killer tool to disable endpoint protection before executing the RansomHub ransomware, which suggests NoName has become a RansomHub affiliate.

Recommendations:

  • Prioritize patching of the vulnerabilities this group is known to exploit: CVE-2017-0144 (EternalBlue, SMBv1), CVE-2020-1472 (Zerologon), CVE-2023-27532 (Veeam Backup & Replication) and CVE-2022-42475 (FortiOS SSL-VPN).
  • Harden exposed remote-access services against brute force: enforce MFA, account lockout and rate limiting, and do not expose RDP directly to the internet.

SOC Response:

  • The SOC has implemented two custom rules regarding the activity seen from these attacks. These rules are checking for any email contact with the known indicators of compromise as well as checking for the known IP/Domain at this time. We will continue to monitor this threat and will adjust our detections to update for any changes.
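A hunt over the indicators published above for both Threat 3 (fake GlobalProtect) and Threat 6 (NoName), as an added example and not the SOC's own rule: indicators are refanged from the defanged form printed in this bulletin and matched with bounded patterns, so that subdomains of the beaconing domain are caught while look-alike strings are not. The Threat 3 C2 IP is omitted because the bulletin gives only a truncated form, setup.exe is omitted as too generic to hunt by name, and a bare GlobalProtect.exe hit is reported as low-confidence because that is also the legitimate client's filename. The log lines are constructed samples, not real telemetry.

```python
"""IoC sweep for the fake GlobalProtect campaign (Threat 3) and NoName /
CosmicBeetle activity (Threat 6).  Added illustration for this bulletin, not
the SOC's rule.  Indicators are the ones listed in the bulletin; log lines
below are constructed samples."""
import re
from typing import Iterable

IOCS = {
    "Threat 3: fake GlobalProtect": {
        "domain":        (["oast[.]fun"], "high"),
        "url_substring": (["sharjahconnect"], "high"),
        # GlobalProtect.exe is also the legitimate client's filename, so a bare
        # name hit is low-confidence and needs path / signer follow-up.
        # setup.exe is left out: far too generic to hunt on by name.
        "filename":      (["GlobalProtect.exe"], "low"),
    },
    "Threat 6: NoName / CosmicBeetle": {
        "ip":     (["66.29.141[.]245"], "high"),
        "domain": (["www.lockbitblog[.]info"], "high"),
        "email":  (["decservice@ukr[.]net", "nonamehack2024@gmail[.]com",
                    "tufhackteam@gmail[.]com", "nonamehack2023@gmail[.]com",
                    "nonamehack2023@tutanota[.]com", "lockbit2023@proton[.]me",
                    "serverrecoveryhelp@gmail[.]com", "recoverydatalife@gmail[.]com",
                    "recoverydatalife@mail[.]ru"], "high"),
    },
}


def refang(ioc: str) -> str:
    """Turn the bulletin's defanged form ('oast[.]fun') back into matchable text."""
    return ioc.replace("[.]", ".")


def _pattern(kind: str, ioc: str) -> "re.Pattern":
    lit = re.escape(refang(ioc))
    if kind == "ip":        # whole dotted quad only, not 166.29.141.245 or .2450
        return re.compile(rf"(?<![\d.]){lit}(?![\d.])")
    if kind == "domain":    # allow subdomains (cba123.oast.fun), reject look-alikes
        return re.compile(rf"(?<![\w-])(?:[\w-]+\.)*{lit}(?![\w-])", re.I)
    if kind == "email":
        return re.compile(rf"(?<![\w.+-]){lit}(?![\w-])", re.I)
    if kind == "filename":
        return re.compile(rf"(?<![\w-]){lit}(?![\w-])", re.I)
    return re.compile(lit, re.I)  # url_substring: case-insensitive contains


def compile_iocs() -> list:
    rules = []
    for threat, kinds in IOCS.items():
        for kind, (iocs, confidence) in kinds.items():
            for ioc in iocs:
                rules.append((threat, kind, ioc, confidence, _pattern(kind, ioc)))
    return rules


def scan(lines: Iterable[str]) -> list:
    """Return one hit per (line, indicator) with the threat it belongs to."""
    rules = compile_iocs()
    hits = []
    for lineno, line in enumerate(lines, 1):
        for threat, kind, ioc, confidence, rx in rules:
            if rx.search(line):
                hits.append({"line": lineno, "threat": threat, "type": kind,
                             "indicator": ioc, "confidence": confidence})
    return hits


# Constructed sample telemetry (proxy, DNS, EDR, mail gateway, firewall).
SAMPLE_LOGS = [
    "2024-09-03T10:12:01Z proxy src=10.0.5.23 dst=cba123.oast.fun method=GET status=200",
    "2024-09-03T10:12:04Z dns q=sharjahconnect-vpn.example status=NOERROR",
    "2024-09-03T10:11:58Z edr host=WS-117 user=jdoe proc=C:\\Users\\jdoe\\Downloads\\GlobalProtect.exe parent=setup.exe",
    "2024-09-10T08:00:00Z mta from=finance@corp.example to=nonamehack2024@gmail.com subject=RE: decryption",
    "2024-09-10T08:05:00Z fw src=10.0.7.4 dst=66.29.141.245 dport=443 action=allow",
    "2024-09-10T08:06:00Z proxy src=10.0.7.5 dst=www.paloaltonetworks.com method=GET status=200",  # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Five of the six sample lines produce a hit; the benign proxy line produces none. The same rule table can be fed a real log export line by line, and the low-confidence filename hit is the one to enrich (full path, Authenticode signer, parent process) before escalating.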
Threat 7: Critical Vulnerability in VMware vCenter Server

Sources:

Entities:

  • VMware, Broadcom, CVE-2024-38812 (heap overflow in the DCERPC protocol implementation), CVE-2024-38813 (privilege escalation)

Attack Vector:

  • Remote code execution via specially crafted network packets sent to vCenter Server's DCERPC service by an attacker with network access

Risk Impact:

  • Critical (CVSS 9.8) for CVE-2024-38812
  • Important (CVSS 7.5) for CVE-2024-38813
  • Potential for unauthenticated remote code execution and escalation to root

Detailed Description:

  • A critical heap-overflow vulnerability in VMware vCenter Server (CVE-2024-38812) allows an attacker with network access to execute code remotely by sending specially crafted packets; no authentication is required.
  • This could lead to significant breaches, as vCenter Server manages the ESXi hosts and virtual machines of the whole environment.
  • A related privilege escalation flaw (CVE-2024-38813) allows an attacker with network access to escalate privileges to root by sending specially crafted packets.

Recommendations:

  • Update VMware vCenter Server to the fixed versions (8.0 U3b or 7.0 U3s) immediately.
  • Please follow the instructions provided by Broadcom in the following security advisory.
  • Broadcom lists no in-product workaround for these flaws; until patched, restrict network access to vCenter Server's management interfaces to trusted administrative networks and watch for unexpected connections to its DCERPC service.

Threat 8: Critical Vulnerabilities in Red Hat OpenShift

Sources:

Entities:

  • Red Hat OpenShift, git-clone build containers, developers with build access to OpenShift

Attack Vector:

  • CVE-2024-45496: the git-clone container used during build initialization runs with elevated privileges, so a crafted .gitconfig supplied by a developer can execute commands on the worker node.
  • CVE-2024-7387: path traversal in BuildConfig allows a malicious user to overwrite executable files in a privileged build container, leading to command injection.

Risk Impact:

  • High: both vulnerabilities can lead to arbitrary command execution on worker nodes, compromising the integrity and confidentiality of the OpenShift environment.

Detailed Description:

  • Red Hat has disclosed two critical vulnerabilities in OpenShift Container Platform that could severely compromise cluster security.
  • CVE-2024-45496 allows an attacker with developer-level access to execute arbitrary commands on worker nodes by abusing the elevated privileges of the build initialization phase.
  • CVE-2024-7387 enables command injection through path traversal, allowing a malicious user to replace executable files inside the build container.
  • Neither vulnerability affects the "Custom" build strategy, which is restricted to trusted users by default.

Recommendations:

  • Review the following security advisory from Red Hat for mitigations until you can upgrade to a fixed release, which fully resolves both vulnerabilities.
  • In the meantime, restrict who may create or edit BuildConfigs, since both flaws require that level of access.

Threat 9: Critical Vulnerabilities in SolarWinds Access Rights Manager

Sources:

Entities:

  • SolarWinds Access Rights Manager (ARM)
  • RabbitMQ management console
  • IT and security administrators

Attack Vector:

  • CVE-2024-28990: hardcoded credentials allow an attacker to bypass authentication on the RabbitMQ management console bundled with ARM.
  • CVE-2024-28991: deserialization of untrusted data allows an authenticated attacker to execute arbitrary code remotely, compromising the ARM server.

Risk Impact:

  • High: unauthorized data access, remote code execution, privilege escalation and disruption of IT operations.

Detailed Description:

  • SolarWinds has disclosed two critical vulnerabilities in its Access Rights Manager software.
  • CVE-2024-28990 involves hardcoded credentials that grant unauthorized access to the RabbitMQ management console, while CVE-2024-28991 lets an authenticated attacker execute remote code and take full control of the ARM application.
  • Because ARM manages user access rights across Active Directory and file servers, compromise of the ARM server gives an attacker a privileged vantage point over the environment.

Recommendations:

  • Immediately upgrade to SolarWinds ARM version 2024.3.1 to address both vulnerabilities.
  • Review user access controls and permissions within ARM to limit potential damage.

Threat 10: Microsoft September Zero-Day Vulnerabilities

Sources:

Entities:

  • CVE-2024-38226 (Security Bypass)
  • CVE-2024-38217 (Security Bypass)
  • CVE-2024-38014 (Elevation of Privilege)
  • CVE-2024-43491 (Remote Code Execution)
  • CVE-2024-43461 (Spoofing)
  • CVE-2024-38018 (Remote Code Execution in SharePoint)
  • CVE-2024-38241 (Elevation of Privilege)
  • CVE-2024-38242 (Elevation of Privilege)

Attack Vector:

  • Social engineering to convince users to open malicious files
  • Exploitation of known vulnerabilities in Windows and Microsoft products
  • Bypass of security features such as Office macro policies and Mark of the Web

Detailed Description:

  • In September 2024, Microsoft's Patch Tuesday release addressed 79 vulnerabilities, including four zero-days that Microsoft flagged as exploited in the wild. The CVSS figures below are the CVSS 3.1 base scores from Microsoft's advisories.
    • CVE-2024-38226: a security feature bypass in Microsoft Publisher that allows an authenticated user to circumvent the Office macro policies meant to block untrusted or malicious files. An attacker would convince a victim to download and open a specially crafted file. The CVSS score of 7.3 reflects the required user interaction, but the flaw suits targeted social engineering, which is hard to detect.
    • CVE-2024-38217: a bypass of Windows Mark of the Web (MoTW), the feature that tags and restricts files downloaded from the internet. An attacker hosts a malicious file and persuades a user to download and open it, evading MoTW-based defenses such as SmartScreen and Office Protected View. The CVSS score is 5.4, but MoTW bypasses are a staple of real-world malware delivery.
    • CVE-2024-38014: an elevation of privilege vulnerability in Windows Installer that lets an attacker who already has a foothold on a system gain SYSTEM privileges. CVSS 7.8; privilege escalation of this kind turns a low-privilege compromise into full control of the host.
    • CVE-2024-43491: a critical (CVSS 9.8) remote code execution vulnerability in the Windows Servicing Stack that rolled back previously applied fixes for certain optional components on Windows 10 version 1507 (Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB), exposing those systems again to vulnerabilities Microsoft had already fixed. Installing the September 2024 servicing stack update (KB5043936) followed by the security update (KB5043083) restores the fixes.
  • In addition to these zero-days, other vulnerabilities in this update require attention. CVE-2024-43461 is an MSHTML platform spoofing flaw affecting all supported versions of Windows that can make a malicious file appear benign, enabling phishing-style attacks; Microsoft later confirmed it had been exploited before the fix. CVE-2024-38018 is a remote code execution vulnerability in Microsoft SharePoint Server for which no mitigations or workarounds exist beyond the patch.

Recommendations: