August 2024: Latest Malware, Vulnerabilities and Exploits


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Latest Vulnerabilities and Exploits in July 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2024-37085: CISA Warns That Ransomware Gangs Exploit VMware ESXi Auth Bypass in Attacks

  • Victim Location: United States

  • Sectors: Technology

  • Threat Actor: Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest

  • Actor Motivation: Financial Gain

  • Malware Used: Akira, Black Basta Ransomware

  • CVEs: CVE-2024-37085

CISA has issued a directive for the U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their systems against a VMware ESXi authentication bypass vulnerability (CVE-2024-37085) that is being exploited in ransomware attacks [1]. This medium-severity flaw, discovered by Microsoft and fixed by VMware on June 25, allows attackers to gain full administrative privileges by adding a user to the 'ESX Admins' group. 

Despite requiring user interaction and high privileges, ransomware gangs like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been exploiting it to deploy Akira and Black Basta ransomware, stealing data and causing significant operational disruptions. Federal agencies have until August 20 to address this vulnerability, and CISA has added it to its 'Known Exploited Vulnerabilities' catalog, urging all organizations to prioritize fixing the flaw to prevent ransomware attacks.
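Because the abuse described above depends on an Active Directory group literally named 'ESX Admins', a quick hunt is to confirm whether that group exists in your domain, who is in it, and whether it was recently created or modified. The script below is an added example written for this post (not Picus, Microsoft or VMware code); it assumes the RSAT ActiveDirectory module is installed and that the event query is run against a domain controller's Security log.

```powershell
# Added example: hunt for the 'ESX Admins' AD group abused in CVE-2024-37085 attacks.
# Assumes: RSAT ActiveDirectory module; run on (or pointed at) a domain controller
# so the Security log contains group lifecycle events.
Import-Module ActiveDirectory

$groupName = 'ESX Admins'

# 1. Does the group exist at all, and who is in it (nested members included)?
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties whenCreated -ErrorAction SilentlyContinue
if ($group) {
    "[!] Group '$groupName' exists (created $($group.whenCreated), DN: $($group.DistinguishedName))"
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object name, objectClass, distinguishedName
} else {
    "[ok] No group named '$groupName' found in the domain"
}

# 2. Creation / membership-change events for that group in the last 30 days.
#    4727/4731/4754 = global/domain-local/universal group created
#    4728/4732/4756 = member added to global/domain-local/universal group
$filter = @{
    LogName   = 'Security'
    Id        = 4727, 4731, 4754, 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-30)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { ($_.Properties | ForEach-Object { $_.Value }) -contains $groupName } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

An organization that intentionally uses the group should review the member list rather than the mere existence of the group; an unexplained recent creation event is the stronger indicator.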

CVE-2024-4879 And CVE-2024-5217 (ServiceNow RCE) Being Exploited Globally

  • Victim Location: United States, the United Kingdom, India, and the European Union

  • Sectors: Government, Energy, Software Development

  • Actor Motivation: Financial Gain, Data Theft, Business Disruption

  • CVEs: CVE-2024-4879, CVE-2024-5217, CVE-2024-5178

ServiceNow recently disclosed three critical security vulnerabilities (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) in its platform, with CVE-2024-4879 and CVE-2024-5217 being exploited in a global reconnaissance campaign. These vulnerabilities, carrying CVSSv4 scores of 9.3 and 9.2 respectively, allow unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to data theft and operational disruption.

Foreign threat actors have targeted these flaws, primarily focusing on organizations in the United States, the United Kingdom, India, and the European Union [2]. The vulnerabilities were patched following reports of exploitation attempts observed across over 6,000 sites, especially in the financial services industry. 

Figure 2. Hunter.how outputs of web.title = “ServiceNow”

Attackers employed various TTPs, including injecting payloads to test for RCE and accessing database details. Despite the rapid patch release, the incidents highlight the critical need for timely vulnerability management and threat detection in enterprise environments.

CISA Alerts on Active Exploitation of Critical GeoServer CVE-2024-36401 RCE Vulnerability

CISA has issued a warning about the critical remote code execution vulnerability in GeoServer, tracked as CVE-2024-36401, which is actively being exploited. This flaw, found in the GeoTools plugin, arises from unsafe XPath evaluation of property names and allows arbitrary code execution on exposed servers (see the GeoServer advisory [4]).


Figure 2. PoC of CVE-2024-36401 [3]

Disclosed on June 30, 2024, with a severity rating of 9.8, the vulnerability affects all GeoServer instances. CISA has added CVE-2024-36401 to its Known Exploited Vulnerabilities Catalog and requires federal agencies to patch by August 5, 2024. The flaw is being actively exploited, with significant exposure in the US, China, Romania, Germany, and France. GeoServer users are advised to upgrade to the patched versions 2.23.6, 2.24.4, or 2.25.2 and review their systems for signs of compromise.

Top Threat Actors Observed in the Wild: July 2024

Here are the most active threat actors that have been observed in July in the wild.

Daixin Team Allegedly Hit Acadian Ambulance, Demanding $7 Million

Acadian Ambulance has been hit by a ransomware attack claimed by the Daixin Team, which alleges the theft of information on 10 million patients. Daixin encrypted 1,000-2,000 servers on June 21, 2024, and negotiations began the next day, with Daixin demanding $7 million [5]. Acadian countered with significantly lower offers, ultimately proposing $572,500 in negotiations that continued into July, which Daixin rejected. 

Figure 1. Negotiations Between Daixin Team and Acadian Ambulance (allegedly) [5]

The ransomware group has threatened to publish and sell the data, including personal and medical records, if their demands are not met. Daixin's leak site lists sensitive information, including patient and employee data, although no data has been leaked yet. Acadian Ambulance operates in Louisiana, Mississippi, Tennessee, and Texas, and has not yet commented on the incident or its response strategy.

SEXi Ransomware Group Rebrands to APT INC, Intensifies VMware ESXi Attacks

The SEXi ransomware group, notorious for targeting VMware ESXi servers, has rebranded as APT INC and continues its assault on organizations [6]. Initially active since February 2024, the threat actors employed the leaked Babuk and LockBit 3 encryptors to encrypt VMware ESXi servers and Windows systems. The rebranded APT INC has recently gained attention for new attacks, including a significant incident affecting IxMetro Powerhost in Chile. The ransomware operation uses encrypted messaging for ransom negotiations and assigns random names for ransom notes and encrypted file extensions. Victims report ransom demands ranging from tens of thousands to millions of dollars, with no known weaknesses in the Babuk and LockBit 3 encryptors.

Recent Malware Attacks in July 2024

In July 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. For those seeking a more comprehensive analysis or interested in the Indicators of Compromise (IOCs), please refer to the respective sections within this blog.

  • Macma macOS Backdoor Malware by Evasive Panda

  • New Linux Version of Play Ransomware

  • Specula Tool (actively used to exploit CVE-2017-11774)

Evasive Panda Deploys New Macma macOS Backdoor Version

The Daggerfly espionage group, also known as Evasive Panda and Bronze Highland, has significantly updated its toolset, introducing new versions of its malware for Windows, Linux, macOS, and Android. These updates, likely a response to the exposure of older variants, were deployed in recent attacks against organizations in Taiwan and a U.S. NGO based in China. 

Notable additions to their arsenal include a new malware family based on the MgBot framework and an updated version of the Macma macOS backdoor, now attributed to Daggerfly. The group exploited an Apache HTTP server vulnerability to deliver MgBot malware and continues to evolve its tools, such as the multi-staged Windows backdoor Trojan.Suzafk, capable of using TCP or OneDrive for command-and-control. This development underscores Daggerfly's extensive capabilities and resources in targeting major operating systems and responding swiftly to exposures.

Some of the IOCs for the malware used by Evasive Panda are given in the table below; for the full list, read Symantec's research blog [7].

IOCs of Malware Used by Evasive Panda (SHA-256)

  • Macma: 003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef

  • "UserAgent" Macma component: 1f5e4d2f71478518fe76b0efbb75609d3fb6cab06d1b021d6aa30db424f84a5e

  • Macma: dad13b0a9f5fde7bcdda3e5afa10e7d83af0ff39288b9f11a725850b1e6f6313

  • Trojan.Suzafk dropper: 5687b32cdd5c4d1b3e928ee0792f6ec43817883721f9b86ec8066c5ec2791595

  • Trojan.Suzafk unpacked: 5c52e41090cdd13e0bfa7ec11c283f5051347ba02c9868b4fddfd9c3fc452191

  • Linux malware with Daggerfly library: 4c3b9a568d8911a2a256fdc2ebe9ff5911a6b2b63c7784da08a4daf692e93c1a

  • Linux malware with Daggerfly library: ef9aebcd9022080189af8aa2fb0b6594c3dfdc862340f79c17fb248e51fc9929

The Play Ransomware Group’s New Linux Variant Targets ESXi

  • Victim Location: United States, Canada, Germany, United Kingdom, Netherlands

  • Sectors: Manufacturing, Professional Services, Construction, IT, Retail, Financial Services, Transportation, Media, Legal Services, Real Estate

  • Threat Actor: Prolific Puma, Play Ransomware Gang

  • Actor Motivation: Financial Gain

  • Malware: Play Ransomware Linux Variant

The Play ransomware group has developed a new Linux variant targeting VMware ESXi environments. The variant checks that it is running in an ESXi environment before it runs and encrypts files; at the time of analysis, the sample evaded detection on VirusTotal [8]. It uses commands such as vim-cmd and esxcli to power off VMs and encrypt critical data, appending the ".PLAY" extension to files. The ransomware is distributed via a URL hosting a RAR file that contains both the Linux and Windows variants. The Play group appears to use infrastructure from Prolific Puma, as evidenced by shared IP addresses and tools such as PsExec, NetScan, and the Coroxy backdoor. This collaboration improves Play's ability to bypass security measures and carry out its attacks.

Play Ransomware New Linux Variant IOC via Trend Micro [9]

  • Ransom.Linux.PLAYDE.YXEE3T (SHA-1): 2a5e003764180eb3531443946d2f3c80ffcb2c30

Specula Tool Exploits Outlook for Remote Code Execution on Windows

The newly released Specula tool by TrustedSec exploits Microsoft Outlook for remote code execution on Windows systems [10]. It leverages CVE-2017-11774, an Outlook security feature bypass vulnerability, by creating custom Outlook Home Pages using WebView. Although Microsoft patched this vulnerability in October 2017, attackers can still use Windows Registry values to set malicious home pages.

Specula operates by setting a URL in Outlook's WebView registry entries under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView, pointing to an attacker-controlled website [11]. This site serves custom VBScript files to execute arbitrary commands on compromised systems. The tool runs entirely within Outlook's context, making it difficult to detect as it uses outlook.exe, a trusted process, to execute commands. Once the Outlook Registry entry is configured, attackers can maintain persistence and spread laterally to other systems.
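Since this persistence lives in a handful of per-user registry values, it is cheap to audit. The script below is an added example written for this post (not TrustedSec's or Picus's code); it assumes, from the page's description, that Outlook stores a folder home page as a string value named 'URL' under a per-folder subkey (for example Inbox) beneath the WebView key, and it checks the Office 16.0 path named above plus older Office version keys where present.

```powershell
# Added example: audit Outlook WebView folder home pages that Specula-style
# persistence abuses. Assumption: each configured folder is a subkey of
# ...\Outlook\WebView holding a 'URL' string value with the home page address.
$versions = '16.0', '15.0', '14.0'   # current and older Office registry paths

$findings = foreach ($v in $versions) {
    $base = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView"
    if (-not (Test-Path $base)) { continue }

    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if ($url) {
            [pscustomobject]@{
                OfficeVersion = $v
                Folder        = $_.PSChildName
                HomePageUrl   = $url
                # Any remote http(s) home page on a mail folder deserves review;
                # folder home pages are rarely used legitimately today.
                Remote        = ($url -match '^https?://')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Outlook WebView folder home pages configured for this user.'
}
```

Run it in the context of each interactive user (the key is under HKEY_CURRENT_USER), or adapt the path to enumerate HKEY_USERS hives from an endpoint management tool.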

References

[1] “VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns,” Rapid7, Jul. 30, 2024. Available: https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/. [Accessed: Aug. 02, 2024]

[2] “Resecurity.” Available: https://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign. [Accessed: Aug. 02, 2024]

[3] L. Abrams, “CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks,” BleepingComputer, Jul. 16, 2024. Available: https://www.bleepingcomputer.com/news/security/cisa-warns-critical-geoserver-geotools-rce-flaw-is-exploited-in-attacks/. [Accessed: Aug. 02, 2024]

[4] “Remote Code Execution (RCE) vulnerability in evaluating property name expressions,” GitHub. Available: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv. [Accessed: Aug. 02, 2024]

[5] Dissent, “Acadian Ambulance hit by ransomware attack; Daixin claims info on 10 million patients stolen.” Available: https://databreaches.net/2024/07/23/acadian-ambulance-hit-by-ransomware-attack-daixin-claims-info-on-10-million-patients-stolen/. [Accessed: Aug. 02, 2024]

[6] L. Abrams, “SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks,” BleepingComputer, Jul. 15, 2024. Available: https://www.bleepingcomputer.com/news/security/sexi-ransomware-rebrands-to-apt-inc-continues-vmware-esxi-attacks/. [Accessed: Aug. 02, 2024]

[7] “Daggerfly: Espionage Group Makes Major Update to Toolset.” Available: https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset. [Accessed: Aug. 02, 2024]

[8] “VirusTotal.” Available: https://www.virustotal.com/gui/file/7a55c8391fda90a5d4653fdebe2d685edb662859937e14b6756f45e29b76901d. [Accessed: Aug. 02, 2024]

[9] “New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma,” Trend Micro, Jul. 19, 2024. Available: https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html. [Accessed: Aug. 02, 2024]

[10] “Home,” GitHub. Available: https://github.com/trustedsec/specula/wiki/Home. [Accessed: Aug. 02, 2024]

[11] S. Gatlan, “New Specula tool uses Outlook for remote code execution in Windows,” BleepingComputer, Jul. 29, 2024. Available: https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/. [Accessed: Aug. 02, 2024]