7 June: Top Threat Actors, Malware, Vulnerabilities and Exploits


Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

June 7: Latest Vulnerabilities, Exploits and Patches

Here are the most notable vulnerabilities and exploitations observed from May 30, 2024 to June 7, 2024.

CVE-2024-24919: CISA Adds A New Vulnerability to KEV Catalog

On May 28, 2024, Check Point disclosed CVE-2024-24919, a high-severity vulnerability (CVSS 8.6) that allows attackers to access sensitive information on Security Gateways and potentially gain domain admin privileges [1]. Although the advisory was vague, it revealed that attacks had been occurring since April 7, 2024. The vulnerability, a path traversal issue, lets attackers read any file on the filesystem due to the server running as root.

Exploitation attempts were observed starting May 30, 2024, with a proof of concept published by researchers on May 30 [2], leading to CISA adding it to the Known Exploited Vulnerabilities (KEV) list [3]. The attacks involved sending POST requests to fetch critical files like /etc/shadow. Scanners targeting this vulnerability increased rapidly, with most attempts seeking to access configuration files and sensitive directories. 
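As an added example (not Check Point's, CISA's or Picus's code), the following Python checker flags the kind of activity described above in ordinary web-server access logs: requests whose path, after percent-decoding, traverses toward /etc/shadow or other sensitive files, tallied per source address so a scanning wave stands out. The log lines, request paths and sensitive-file list are constructed for illustration and do not reproduce the real vulnerable endpoint.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request-line pattern for Common/Combined Log Format (assumed log shape).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Files a read-any-file traversal on a root-run server would typically be aimed at.
SENSITIVE = ("/etc/shadow", "/etc/passwd", "/etc/ssh/", "/root/", "/.ssh/")

def normalize(path: str) -> str:
    """Percent-decode repeatedly (defeats double encoding) and unify separators."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")

def classify(line: str):
    """Return a finding for a traversal attempt in this log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    if "/../" not in path + "/":        # no parent-directory hop after decoding
        return None
    target = next((s for s in SENSITIVE if s in path), None)
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": path, "target": target}

def scan(log_text: str):
    """All traversal findings in the log plus a per-source-IP attempt count."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample log: RFC 5737 test addresses and made-up paths.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2024:10:01:02 +0000] "POST /app/upload HTTP/1.1" 200 512
203.0.113.7 - - [30/May/2024:10:01:03 +0000] "POST /app/../../../../etc/shadow HTTP/1.1" 200 1320
198.51.100.9 - - [30/May/2024:10:02:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
203.0.113.7 - - [30/May/2024:10:02:11 +0000] "POST /app/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 900
192.0.2.44 - - [30/May/2024:10:03:00 +0000] "POST /api/%2e%2e/%2e%2e/%2e%2e/etc/ssh/sshd_config HTTP/1.1" 404 120
"""

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:<14} {f['method']} {f['status']} {f['path']} -> {f['target'] or 'traversal'}")
    print("attempts per source:", dict(counts))
```

A 200 status on a request aimed at /etc/shadow deserves more attention than a 404. Access logs usually record only the request line, so if the traversal is carried in a POST body you need a WAF or reverse-proxy log that captures bodies.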

Given the public proof of concept and the rise in exploitation, Check Point advises users to patch their systems immediately to mitigate risks.

CVE-2024-1086: CISA Warns About the Linux Kernel Vulnerability

CISA has added a high-severity Linux kernel vulnerability, CVE-2024-1086, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence [4]. The flaw, a use-after-free issue in the netfilter: nf_tables component, allows local attackers to escalate privileges to root. 

Introduced in 2014 and disclosed in January 2024 [5], it was fixed by rejecting problematic QUEUE/DROP verdict parameters. Despite most Linux distributions quickly applying the fix, Red Hat's delay until March left some systems exposed. 

In March 2024, a security researcher published a detailed write-up and proof-of-concept (PoC) exploit on GitHub, demonstrating local privilege escalation on kernel versions between 5.14 and 6.6 [6]. 

CISA has given federal agencies until June 20, 2024, to apply the patches. If updating is not feasible, mitigations include blocklisting 'nf_tables', restricting user namespace access, and loading the Linux Kernel Runtime Guard (LKRG) module, despite potential instability.

June 7: Top Threat Actors Observed In Wild

Here are the top threat actors observed from May 29 to June 7, 2024.

Darknet Site for Qilin Ransomware Gang Suspected in London Hospital Attack Goes Down

The Qilin ransomware gang is behind a recent attack on Synnovis, which has disrupted several major NHS hospitals in London, including Guy's and St Thomas' and King's College Hospital ([7], [8]). The attack has caused significant service disruptions, resulting in postponed non-emergency pathology appointments, surgeries, and blood transfusions. Despite these issues, urgent and emergency services remain operational. Synnovis systems are currently locked, and the NHS cyber incident response team is assessing the full impact. 

Originally known as Agenda, the Qilin gang has been active since late 2023, targeting VMware ESXi virtual machines and using double-extortion tactics to demand ransoms ranging from $25,000 to millions.

Ticketmaster Confirms Massive Data Breach After Stolen Data Appears Online

  • Victim Organization: Snowflake

  • Victim Location: United States

  • Sectors: Technology, Cloud Services

  • Threat Actor: UNC5537

  • Actor Motivation: Data Theft, Financial Gain

  • Malware: Rapeflake

Live Nation confirmed a data breach affecting Ticketmaster after data from a third-party cloud provider, Snowflake, was stolen [9]. 

On May 27, 2024, a threat actor named ShinyHunters offered Ticketmaster user data for sale on the dark web. Over 560 million users' details, including names, addresses, and ticket information, were allegedly exposed [10]. Live Nation stated they are working with law enforcement and have notified affected users, though they don't expect a significant impact on operations. ShinyHunters reportedly used credentials stolen through malware to access a Snowflake employee's account, exfiltrating data using unexpired auth tokens. Other companies, such as Anheuser-Busch and State Farm, were also mentioned as potential victims. Snowflake attributed the breaches to poorly secured customer accounts lacking multi-factor authentication. 

Snowflake has shared IOCs from the attacks so that customers can query logs to determine if they were breached.

Advance Auto Parts Stolen Data for Sale After Snowflake Attack

Threat actors, identified as "Sp1d3r," are selling 3TB of data stolen from Advance Auto Parts' Snowflake cloud storage for $1.5 million [11]. This breach, part of a series of attacks targeting Snowflake customers since mid-April 2024, includes 380 million customer profiles, 140 million customer orders, 44 million loyalty card numbers, auto parts data, and sensitive employee information.

Although Advance Auto Parts has not publicly disclosed the breach, researchers confirmed the legitimacy of many customer records [11]. The attackers claim other Snowflake customers have also been targeted, and some have allegedly paid to retrieve their data. The breach follows similar attacks on Santander and Ticketmaster, with compromised accounts primarily due to stolen credentials and lack of multi-factor authentication. 

Johnson & Johnson Reports Data Breach Potentially Linked to Cencora Incident

Johnson & Johnson has reported a data breach potentially linked to a larger incident involving Cencora's Lash Group [9], affecting sensitive patient data. In February, Cencora disclosed that personal data had been exfiltrated from its systems. On May 29, Johnson & Johnson informed the Texas Attorney General that approximately 175,000 Texans were affected, with the total number possibly higher nationwide. Compromised data includes names, addresses, medical information, and dates of birth.

This breach mirrors other incidents tied to Cencora/Lash Group, impacting over a dozen pharmaceutical companies and more than 540,000 patients. Companies like AbbVie, Bayer, and Bristol Myers Squibb have reported breaches. Although no misuse of data has been detected, Johnson & Johnson is offering free credit monitoring and remediation services to those affected. 

June 7: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the first week of June.

New Linux Variant of TargetCompany Ransomware Targets VMware ESXi Environments

Researchers have identified a new Linux variant of the TargetCompany ransomware (a.k.a. Mallox, FARGO, and Tohnichi) which specifically targets VMware ESXi environments [12]. Emerging in June 2021, TargetCompany ransomware has historically focused on database attacks in East Asia but has recently expanded to Linux systems. The new variant employs a custom shell script to gain administrative privileges, deliver payloads, and exfiltrate data to two servers. The ransomware checks for a VMware ESXi environment, encrypts files with VM-related extensions, and drops a ransom note with decryption instructions. Post-attack, it deletes traces to hinder investigations.

Researchers attribute this Linux variant attack to an affiliate named "vampire," and link the involved IP addresses to a Chinese ISP [13]. The shift from Windows to Linux and ESXi targets marks an evolution in the ransomware's tactics. 

To mitigate risks, Trend Micro recommends enabling multi-factor authentication, maintaining regular backups, and ensuring systems are up-to-date. They also provide indicators of compromise and hashes related to the new variant and its custom script [13].

References

[1] “CVE-2024-24919: Check Point Security Gateway Information Disclosure,” Rapid7, May 30, 2024. Available: https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/. [Accessed: Jun. 06, 2024]

[2] A. Hammond, “Check Point - Wrong Check Point (CVE-2024-24919),” watchTowr Labs - Blog, May 30, 2024. Available: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/. [Accessed: Jun. 06, 2024]

[3] “Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. [Accessed: Jun. 06, 2024]

[4] “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2024/05/30/cisa-adds-two-known-exploited-vulnerabilities-catalog. [Accessed: Jun. 06, 2024]

[5] “netfilter: nf_tables: reject QUEUE/DROP verdict parameters - kernel/git/torvalds/linux.git - Linux kernel source tree.” Available: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660. [Accessed: Jun. 06, 2024]

[6] “GitHub - Notselwyn/CVE-2024-1086: Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images,” GitHub. Available: https://github.com/Notselwyn/CVE-2024-1086. [Accessed: Jun. 06, 2024]

[7] A. Scroxton, “Qilin ransomware gang likely behind crippling NHS attack,” ComputerWeekly.com, Jun. 05, 2024. Available: https://www.computerweekly.com/news/366587407/Qilin-ransomware-gang-likely-behind-crippling-NHS-attack. [Accessed: Jun. 06, 2024]

[8] S. Gatlan, “Major London hospitals disrupted by Synnovis ransomware attack,” BleepingComputer, Jun. 04, 2024. Available: https://www.bleepingcomputer.com/news/security/major-london-hospitals-disrupted-by-synnovis-ransomware-attack/. [Accessed: Jun. 06, 2024]

[9] “Ticketmaster confirms data hack,” BBC News, Jun. 01, 2024. Available: https://www.bbc.com/news/articles/cw99ql0239wo. [Accessed: Jun. 06, 2024]

[10] S. Gatlan, “Data of 560 million Ticketmaster customers for sale after alleged breach,” BleepingComputer, May 30, 2024. Available: https://www.bleepingcomputer.com/news/security/data-of-560-million-ticketmaster-customers-for-sale-after-alleged-breach/. [Accessed: Jun. 06, 2024]

[11] S. Jain, “Advance Auto Parts: Alleged Data Breach Exposes Millions After Snowflake Cyberattack,” The Cyber Express, Jun. 06, 2024. Available: https://thecyberexpress.com/alleged-advance-auto-parts-data-breach/. [Accessed: Jun. 06, 2024]

[12] B. Toulas, “Linux version of TargetCompany ransomware focuses on VMware ESXi,” BleepingComputer, Jun. 05, 2024. Available: https://www.bleepingcomputer.com/news/security/linux-version-of-targetcompany-ransomware-focuses-on-vmware-esxi/. [Accessed: Jun. 06, 2024]

[13] “TargetCompany’s Linux Variant Targets ESXi Environments,” Trend Micro, Jun. 05, 2024. Available: https://www.trendmicro.com/en_us/research/24/f/targetcompany-s-linux-variant-targets-esxi-environments.html. [Accessed: Jun. 06, 2024]