Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
Here are the most notable vulnerabilities and exploitations observed from June 6, 2024 to June 13, 2024.
The Black Basta ransomware group may have exploited a recently disclosed zero-day privilege escalation flaw in the Microsoft Windows Error Reporting Service, CVE-2024-26169, according to Symantec [1]. This vulnerability, patched in March 2024, allows attackers to gain SYSTEM privileges. Symantec's analysis of an exploit tool used in recent attacks suggests it was compiled before the patch, indicating the flaw was used as a zero-day. The financially motivated group, tracked as Cardinal, uses initial access gained through malware like QakBot and DarkGate, and has recently employed Microsoft Teams and Quick Assist to impersonate IT personnel and execute attacks. Despite an unsuccessful ransomware attempt observed by Symantec, the exploit manipulates Windows registry keys to start a shell with administrative privileges. Metadata shows the exploit tool was compiled before the patch's release, with no significant evidence of timestomping. Microsoft has confirmed that applying the March patch protects against this vulnerability.
The Dutch Military Intelligence and Security Service (MIVD) has revealed that the scope of a Chinese cyber-espionage campaign exploiting a critical FortiOS/FortiProxy vulnerability (CVE-2022-42475) is much larger than initially reported [2]. Between 2022 and 2023, Chinese hackers used this zero-day vulnerability to deploy malware on FortiGate network security appliances, infecting at least 20,000 systems worldwide. The campaign targeted Western governments, international organizations, and defense industry companies. The Coathanger remote access trojan (RAT) used in the attacks was also found on a Dutch Ministry of Defence network but was contained due to network segmentation. The malware, difficult to detect and capable of surviving firmware upgrades, provides persistent access to compromised systems. Despite Fortinet's disclosure and patching of the vulnerability in January 2023, the Chinese threat group continues to maintain access to many infected systems, posing ongoing risks of data theft and further espionage activities.
A critical remote code execution (RCE) vulnerability, CVE-2024-4577, affecting all versions of PHP for Windows since 5.x, has been discovered and disclosed by Devcore Principal Security Researcher Orange Tsai [3]. This flaw, caused by an oversight in character encoding conversions, particularly impacts PHP in CGI mode. The PHP project maintainers released a patch on June 6, 2024, but the widespread use of PHP complicates the rapid application of security updates, leaving many systems vulnerable. The Shadowserver Foundation has already detected multiple scans for susceptible servers. The flaw bypasses previous protections for CVE-2012-1823 and affects all XAMPP installations on Windows. Administrators are advised to upgrade to the latest PHP versions or apply mitigation strategies, including mod_rewrite rules and considering migration to more secure alternatives like FastCGI, PHP-FPM, or Mod-PHP.
A proof-of-concept (PoC) exploit for a critical authentication bypass vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) has been released by security researcher Sina Kheirkha [4]. This vulnerability, rated 9.0 on the CVSS v3.1 scale, allows unauthenticated attackers to log in to the VRO web UI with administrative privileges due to a hardcoded JSON Web Token (JWT) secret. The exploit enables attackers to generate valid JWT tokens for any user, including administrators, bypassing the need for randomness or uniqueness in the installation. Kheirkha's write-up reveals that the requirements to exploit this flaw, such as knowing a valid username and role, can be easily circumvented. His exploitation script iterates through possible roles and uses clues from the SSL certificate to derive potential usernames. The script also tests JWT tokens over a range of timestamps to increase the chances of hitting an active session. Given the public availability of this exploit, it is crucial for administrators to apply the patched versions 7.1.0.230 and 7.0.0.379 immediately to protect against potential attacks.
Here are the top threat actors observed from June 6, 2024 to June 13, 2024.
The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution (RCE) vulnerability in PHP to deliver webshells and deploy the encryptor payload on target systems [5]. Attacks began on June 8, shortly after the release of security updates by PHP maintainers, using publicly available exploit code. TellYouThePass, known for leveraging high-impact vulnerabilities, previously used exploits for Apache ActiveMQ and Log4j. In the latest attacks, the gang used the Windows mshta.exe binary to run a malicious HTML application file, which injected a .NET variant of the ransomware into memory. The malware then contacted a command-and-control server disguised as a CSS request and encrypted files on the infected machines, demanding a ransom of 0.1 BTC for decryption. CVE-2024-4577, discovered by Orange Tsai of Devcore, affects all PHP versions since 5.x and was patched on June 6. Despite the patch, over 450,000 exposed PHP servers remain vulnerable, with a significant number in the United States and Germany.
The new 'Fog' ransomware, identified in early May 2024, targets U.S. educational organizations by exploiting compromised VPN credentials from at least two vendors [6]. Discovered by Arctic Wolf Labs, Fog's operators use these credentials for initial access and subsequently conduct "pass-the-hash" attacks or credential stuffing to hijack admin accounts. They then disable Windows Defender and deploy the ransomware, which encrypts files and deletes backups. Encrypted files are marked with the '.FOG' or '.FLOCKED' extension, and victims receive a ransom note directing them to a Tor site for negotiations. While Fog has not yet established an extortion portal, BleepingComputer confirms that the gang steals data for double-extortion. It remains unclear whether Fog operates as a RaaS or within a small private group.
Los Angeles Unified School District (LAUSD) officials are investigating claims by a threat actor who alleges to be selling stolen databases containing records of millions of students and thousands of teachers [7]. The threat actor, who is selling the data for $1,000 on a hacking forum, claims the CSV files include over 11GB of data with 26 million student records, 24,000 teacher records, and 500 staff records. While researchers found the data samples to appear legitimate, they noted the information might be outdated. LAUSD, the second-largest public school district in the U.S., has informed law enforcement and is prioritizing the privacy of its students, families, and employees. This incident follows a September 2022 ransomware attack by Vice Society, which had also targeted LAUSD and published stolen data online. It is unclear if the currently sold data is related to the Vice Society breach.
First Priority Restoration (FPR), a leader in disaster restoration services headquartered in Odessa, Florida, has reportedly been targeted by a ransomware attack from the Cactus Ransomware group [8]. This attack could lead to substantial operational disruptions, financial losses, reputational damage, and potential legal repercussions for the company. Ransomware attacks typically involve encrypting critical data and demanding a ransom for the decryption key, with the threat of data publication or destruction if the ransom is not paid. While FPR's website shows no signs of compromise, and no official statement has been received, the attack remains unverified.
Here are the malware attacks and campaigns that were active in the first second week of June.
In May 2024, security researchers identified a phishing attack targeting a recruiter at an industrial services company with the More_eggs malware, disguised as a resume [9]. The attack, attributed to the Golden Chickens group, involved responding to LinkedIn job postings with links to fake resume download sites. This led to the download of a malicious Windows Shortcut file (LNK), which deployed the More_eggs backdoor. More_eggs is a modular backdoor offered under a Malware-as-a-Service (MaaS) model, capable of harvesting sensitive information. Despite the attack being unsuccessful, it highlights the ongoing threat posed by sophisticated phishing tactics targeting professionals. The attack used social engineering to deceive victims and leveraged legitimate Windows programs to maintain persistence and deploy additional payloads.
[1] “Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day.” Available: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day. [Accessed: Jun. 13, 2024]
[2] S. Gatlan, “Chinese hackers breached 20,000 FortiGate systems worldwide,” BleepingComputer, Jun. 11, 2024. Available: https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-20-000-fortigate-systems-worldwide/. [Accessed: Jun. 13, 2024]
[3] B. Toulas, “PHP fixes critical RCE flaw impacting all versions for Windows,” BleepingComputer, Jun. 07, 2024. Available: https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/. [Accessed: Jun. 13, 2024]
[4] B. Toulas, “Exploit for Veeam Recovery Orchestrator auth bypass available, patch now,” BleepingComputer, Jun. 13, 2024. Available: https://www.bleepingcomputer.com/news/security/exploit-for-veeam-recovery-orchestrator-auth-bypass-available-patch-now/. [Accessed: Jun. 13, 2024]
[5] B. Toulas, “TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers,” BleepingComputer, Jun. 11, 2024. Available: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/. [Accessed: Jun. 13, 2024]
[6] B. Toulas, “New Fog ransomware targets US education sector via breached VPNs,” BleepingComputer, Jun. 06, 2024. Available: https://www.bleepingcomputer.com/news/security/new-fog-ransomware-targets-us-education-sector-via-breached-vpns/. [Accessed: Jun. 13, 2024]
[7] S. Gatlan, “Los Angeles Unified School District investigates data theft claims,” BleepingComputer, Jun. 06, 2024. Available: https://www.bleepingcomputer.com/news/security/los-angeles-unified-school-district-investigates-data-theft-claims/. [Accessed: Jun. 13, 2024]
[8] S. Jain, “First Priority Restoration Hit by Alleged Ransomware Attack,” The Cyber Express, Jun. 07, 2024. Available: https://thecyberexpress.com/cactus-ransomware-targets-fpr/. [Accessed: Jun. 13, 2024]
[9] 2024 newsroom Jun 10, “More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack,” The Hacker News, Jun. 10, 2024. Available: https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html. [Accessed: Jun. 13, 2024]