The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
April 26: Latest Vulnerabilities, Exploits and Patches
Here are the top vulnerabilities and exploitations observed in the last weeks of April.
State-Sponsored ArcaneDoor Campaign Targets Cisco Devices with Zero-Day Exploits for Espionage
-
Victim Locations: United States, Australia, Canada, United Kingdom
-
Victim Sector: Government
-
Threat Actor: UAT4356
-
Threat Actor Aliases: Storm-1849
-
Malware: Line Dancer
-
CVEs:
A sophisticated state-sponsored cyberespionage campaign, dubbed ArcaneDoor by Cisco Talos, has exploited two zero-day vulnerabilities in Cisco networking gear to implant custom malware for covert data collection and manipulation within targeted environments [1].
The actor behind this operation, identified by Cisco Talos as UAT4356 and referred to as Storm-1849 by Microsoft, leveraged these vulnerabilities to deploy malware known as "Line Runner" and "Line Dancer." These backdoors enabled the attackers to modify configurations, perform reconnaissance, capture and exfiltrate network traffic, and potentially move laterally within the networks. The vulnerabilities in question are CVE-2024-20353, which allows denial-of-service attacks on Cisco Adaptive Security Appliance and Firepower Threat Defense Software, and CVE-2024-20359, which permits persistent local code execution.
The exploitation of these vulnerabilities reflects a deep understanding of Cisco's systems, showcasing UAT4356’s capabilities in maintaining stealth and evading detection through complex methods that complicate memory forensics. The attacks primarily targeted edge devices such as email servers, firewalls, and VPNs, which are crucial for network security but often lack robust endpoint detection and response solutions. This campaign highlights the importance of regular and comprehensive updating and patching of such critical network devices to prevent espionage and data theft.
The affected vulnerabilities have been cataloged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as Known Exploited Vulnerabilities (KEV), emphasizing the urgent need for affected organizations to apply Cisco’s fixes to protect their networks [2].
CVE-2024-2389: Critical Flowmon Vulnerability Has a Publicly Available Proof-of-Concept Exploit
-
Actor Motivation: Financial Gain
-
CVE: CVE-2024-2389
-
Hunter Search: header.server="Flowmon"
-
Shodan Search: flowmon
-
Affected Versions: Flowmon versions 11.x and 12.x, but not versions 10.x and lower [4]
The critical vulnerability, identified as CVE-2024-2389, in Progress Flowmon—a network monitoring tool widely used by enterprises to enhance network performance, diagnostics, and response capabilities—presents a severe security risk [5]. This command injection flaw, rated at the highest severity level of 10/10, compromises the security of affected systems by allowing unauthorized command execution.
CVE-2024-2389 allows attackers to execute remote, unauthenticated commands on the system via a specially crafted API request to the Flowmon web interface [6]. This is achieved by manipulating parameters such as 'pluginPath' or 'file' within the API request to inject malicious commands.
Notably, the exploit employs command substitution syntax to perform arbitrary command executions. This vulnerability could be exploited to plant a webshell, escalate privileges, and potentially gain root access, thus compromising the entire system. Organizations using affected versions of Flowmon are urged to apply updates immediately to mitigate the risk of potential attacks.
CVE-2024-4040: Critical Zero-Day in CrushFTP Exploited for System File Access and Data Exfiltration
-
Victim Location: U.S., Europe
-
Victim Sectors: Technology
-
Actor Motivation: Data Theft, Financial Gain
-
CVEs: CVE-2024-4040
A critical vulnerability identified as CVE-2024-4040 has been discovered in CrushFTP, an enterprise-grade file transfer solution, which is actively being exploited by attackers [7]. This zero-day vulnerability enables attackers, whether authenticated or not, to escape the virtual file system (VFS) constraints through the WebInterface and access or download sensitive system files, such as configuration data.
The vulnerability affects versions 10 and 11 of CrushFTP, with patches available in versions 11.1.0 and 10.7.1. This security flaw is particularly alarming due to over 9,600 CrushFTP hosts being publicly exposed on the internet, predominantly in North America and Europe.
The exploitation of this vulnerability, according to security firms like Crowdstrike [8] and Rapid7 [9], has been observed in reconnaissance activities against multiple US entities and could be politically motivated. Moreover, the ease of exploitation has also attracted the attention of ransomware attackers.
Rapid7's analysis suggests that successful exploitation could lead to arbitrary file reads as the root user, bypass of authentication mechanisms, full remote code execution, and the potential exfiltration of all files stored on the compromised CrushFTP server.
April 26: Top Threat Actors Observed In Wild
Here are the top threat actors that were active in the last week of April.
MITRE Corporation Breached by Nation-State Actor Exploiting Ivanti VPN Zero-Days
Disclaimer: Even though the attack was discovered in January 2024 (not at the time we are writing this blog), since MITRE disclosed it on April 19, 2024, we decided to include this intelligence in this blog.
-
Victim Location: United States
-
Victim Sectors: Technology, Government
-
Victim Organization: MITRE Corporation
-
Threat Actor: Chinese Nation-State Cyber Adversaries (UNC5221)
-
Actor Motivation: Cyber Espionage, Financial Gain
-
CVEs:
The MITRE Corporation, a key non-profit organization serving various US government agencies, has suffered a breach due to two zero-day vulnerabilities in Ivanti’s Connect Secure VPN devices [10]. The security incident, identified late last week, involved a sophisticated nation-state actor that not only exploited these vulnerabilities (CVE-2023-46805, CVE-2024-21887) to gain access but also managed to maneuver laterally within MITRE’s network [11]. After infiltrating through the VPN, the attackers compromised the VMware infrastructure, which included creating and manipulating virtual machines to maintain presence and control within the network. This was accompanied by data exfiltration efforts using C2 infrastructure, suggesting a high level of attacker sophistication and persistence.
Despite MITRE’s adherence to recommended security practices and vendor guidance for securing the Ivanti system, the lateral movement to the VMware infrastructure went undetected initially. The breach was confirmed after observing suspicious activities within MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), which is primarily used for research and development.
Following the detection of these activities, MITRE shut down the NERVE environment, initiated a thorough investigation with the help of internal and external experts, and notified relevant authorities and stakeholders. They have also implemented measures to enhance security, such as monitoring VPN traffic, segmenting networks to prevent lateral movements, and employing deception tactics like honey tokens to detect breaches more effectively.
Akira Ransomware: Escalating Global Cyber Threat with Multi-Variant Attacks and $42 Million in Ransom Demands
The Akira ransomware, as part of a concerted effort under the #StopRansomware initiative [12], has become a significant cybersecurity threat, impacting numerous businesses and critical infrastructure entities across North America, Europe, and Australia.
Initially focusing on Windows systems, the Akira threat actors have since evolved their tactics, deploying a Linux variant targeting VMware ESXi virtual machines [13]. With reported damages surpassing $42 million in ransom payments, Akira employs sophisticated methods including the use of dual ransomware variants—Megazord and Akira, with latter iterations written in Rust for enhanced functionality. This ransomware operates on a double-extortion model, encrypting victim data and threatening to publish it unless a ransom is paid.
U.S. agencies including the FBI and CISA, alongside international bodies such as Europol and the Netherlands' NCSC, advise heightened vigilance and protective measures against this evolving ransomware threat.
April 26: Latest Malware Attacks
Here are the malware attacks and campaigns that were active in the last week of April.
CoralRaider Campaign: Exploiting CDN Caches to Distribute Info-Stealing Malware Across U.S., U.K., Germany and Japan
-
Threat Actor: CoralRaider
-
Actor Motivation: Financial Gain, Data Theft
-
Malware: LummaC2, Rhadamanthys, Cryptbot
-
Victim Sectors: Finance, Technology, Social Media
-
Victim Location: United States, United Kingdom, Germany, Japan, Vietnam, Nigeria, Pakistan, Ecuador, Egypt, Poland, Philippines, Norway, Syria, Turkey
The CoralRaider cyberattacks exploit content delivery network (CDN) caches to distribute information-stealing malware, specifically targeting systems in the U.S., U.K., Germany, and Japan [14]. This campaign is orchestrated by a financially motivated threat actor known as CoralRaider, whose primary goal is to steal credentials, financial information, and social media account details. The attackers utilize malware like LummaC2, Rhadamanthys, and Cryptbot, which are sourced from underground forums and provided as malware-as-a-service on a subscription basis. These tools are sophisticated in capturing sensitive information such as Remote Desktop Protocol (RDP) logins and Google account cookies, enhancing their effectiveness in cyber espionage and financial theft.
In terms of the infection process, CoralRaider utilizes a multi-stage attack beginning with the victim downloading a seemingly harmless archive that contains a malicious Windows shortcut file (.LNK). This shortcut executes PowerShell commands that retrieve and run a complex HTML Application (HTA) file from the CDN, cleverly leveraging the network's cache to speed delivery and evade detection. The HTA file includes scripts that modify system settings, such as Windows Defender exclusions, and use system tools to bypass User Access Control (UAC), allowing the malware to install without alerting the user. Once the system's defenses are bypassed, the malware proceeds to download and execute the info stealers, which then harvest sensitive data from the compromised machine.
APT28 Deploys GooseEgg Malware via Print Spooler Exploits to Target Western Organizations
-
Threat Actor: APT28
-
Victim Sector: Government, Non-governmental, Education, Transportation
-
Actor Motivation: Cyber Espionage, Data Theft
-
Malware: GooseEgg
-
CVEs:
-
-
CVE-2022-38028,
-
CVE-2023-23397,
-
CVE-2021-34527,
-
CVE-2021-1675
-
APT28, a cyberespionage group with ties to Russia, has been deploying a post-exploitation malware known as "GooseEgg" to target numerous organizations across the US, Ukraine, and Western Europe [15]. According to Microsoft, this group, also referred to as Forest Blizzard, exploits vulnerabilities in the Windows Print Spooler service, notably the ones designated as CVE-2022-38028, CVE-2023-23397, and CVE-2021-34527/CVE-2021-1675 (collectively known as PrintNightmare). GooseEgg functions as a launcher that can initiate other programs with elevated privileges, which enables the attackers to execute code remotely, install backdoors, and move laterally across infected networks.
The attacks have particularly focused on sectors such as government, education, and transportation, aiming to gain elevated system privileges, and exfiltrate credentials and sensitive data.
GooseEgg is usually installed alongside a batch script that sets up system persistence and triggers the malware's execution with specific commands, allowing it to manipulate system processes and load unauthorized drivers via the Print Spooler service. Microsoft has emphasized the critical nature of patching the exploited vulnerabilities and provided detailed security recommendations and indicators of compromise to help organizations detect and respond to any infections related to this campaign. This proactive defense is vital for thwarting APT28's efforts and protecting sensitive organizational data.
References
[1] C. Talos, “ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices,” Cisco Talos Blog, Apr. 24, 2024. Available: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/. [Accessed: Apr. 25, 2024]
[2] “Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. [Accessed: Apr. 25, 2024]
[3] “CVEs/CVE-2024-2389 at master · RhinoSecurityLabs/CVEs,” GitHub. Available: https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389. [Accessed: Apr. 25, 2024]
[4] Z. Zorz, “PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389),” Help Net Security, Apr. 24, 2024. Available: https://www.helpnetsecurity.com/2024/04/24/poc-cve-2024-2389/. [Accessed: Apr. 25, 2024]
[5] D. Yesland, “CVE-2024-2389: Command Injection Vulnerability In Progress Flowmon,” Rhino Security Labs, Apr. 23, 2024. Available: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/. [Accessed: Apr. 25, 2024]
[6] B. Toulas, “Maximum severity Flowmon bug has a public exploit, patch now,” BleepingComputer, Apr. 24, 2024. Available: https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/. [Accessed: Apr. 25, 2024]
[7] “CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited,” Tenable®, Apr. 23, 2024. Available: https://www.tenable.com/blog/cve-2024-4040-crushftp-virtual-file-system-vfs-sandbox-escape-vulnerability-exploited. [Accessed: Apr. 25, 2024]
[8] “Website.” Available: https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
[9] C. Condon, “Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise,” Rapid7, Apr. 23, 2024. Available: https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/. [Accessed: Apr. 25, 2024]
[10] Advanced Cyber Threats Impact Even the Most Prepared, (Apr. 19, 2024). Available: https://www.youtube.com/watch?v=gqjwCNgq1NA. [Accessed: Apr. 25, 2024]
[11] Z. Zorz, “MITRE breached by nation-state threat actor via Ivanti zero-days,” Help Net Security, Apr. 22, 2024. Available: https://www.helpnetsecurity.com/2024/04/22/mitre-breached/. [Accessed: Apr. 25, 2024]
[12] “#StopRansomware: Akira Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a. [Accessed: Apr. 25, 2024]
[13] H. C. Yuceel, “Akira Ransomware Analysis, Simulation and Mitigation- CISA Alert AA24-109A,” Apr. 22, 2024. Available: https://www.picussecurity.com/resource/blog/akira-ransomware-analysis-simulation-and-mitigation-cisa-alert-aa24-109a. [Accessed: Apr. 25, 2024]
[14] B. Toulas, “CoralRaider attacks use CDN cache to push info-stealer malware,” BleepingComputer, Apr. 23, 2024. Available: https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/. [Accessed: Apr. 25, 2024]
[15] I. Arghire, “Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations,” SecurityWeek, Apr. 23, 2024. Available: https://www.securityweek.com/russian-cyberspies-deliver-gooseegg-malware-to-government-organizations/. [Accessed: Apr. 25, 2024]