The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
March 15: Latest Vulnerabilities, Exploits and Patches
Here are the top vulnerabilities and exploitations that were observed in the second week of March.
CVE-2024-27198 & CVE-2024-27199: Patch Released for JetBrains TeamCity Authentication Bypass Vulnerabilities
Two critical security vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, have been found in TeamCity On-Premises software [1]. In fact, they are now added to CISA’s known exploited vulnerabilities catalog [2].
These vulnerabilities could allow an unauthenticated attacker with HTTP(S) access to bypass authentication mechanisms and gain administrative control over the software [3]. Affecting all versions up to 2023.11.3, these issues have been addressed in the newly released version 2023.11.4, which users are urged to install.
For those who cannot immediately upgrade to the latest version, a security patch plugin is available [4].
- Plugin: TeamCity 2018.2 and newer
- Plugin: TeamCity 2018.1 and older
This plugin is designed to fix the vulnerabilities in affected versions, offering a temporary safeguard until a full update can be implemented. The urgency to apply these fixes is significant, given the potential risk of unauthorized access and control over the software. Users are encouraged to either update to version 2023.11.4 or apply the security patch plugin to ensure their systems are protected against these serious vulnerabilities.
CVE-2024-22252 - CVE-2024-22255: Patching of Code Execution and Sandbox Escaping Vulnerabilities in VMware ESXi, Workstation, and Fusion
VMware has released updates to tackle critical and high-severity vulnerabilities across its product range, including ESXi versions 7.0 and 8.0, Workstation version 17.x, Fusion version 13.x for macOS, and Cloud Foundation versions 4.x and 5.x.
The most urgent issues, CVE-2024-22252 and CVE-2024-22253, are use-after-free vulnerabilities in USB controllers that pose a risk of unauthorized code execution or VMX sandbox escape, with CVSS scores peaking at 9.3. Additionally, the out-of-bounds write vulnerability CVE-2024-22254 and the information disclosure vulnerability CVE-2024-22255 also present substantial threats. Recognizing the seriousness of these vulnerabilities, VMware has extended patches to include end-of-life versions such as ESXi 6.7 (6.7U3u) and 6.5 (6.5U3v), as well as current versions like Cloud Foundation 3.x, ESXi v7.0, ESXi v8.0, Workstation v17.x, and Fusion v13.x (macOS).
Source: VMware VMSA-2024-0006 Advisory
For immediate mitigation where patching isn't an option, VMware suggests removing USB controllers from VMs, a temporary measure that may impact functionality. To further secure systems, upgrading to vSphere versions 7 or 8 and removing any outdated vSphere plugins is recommended.
CVE-2024-21888 & CVE-2024-21893: Ivanti VPN Appliances Are Still Actively Exploited in the Wild as of March
The vulnerabilities CVE-2024-21888 and CVE-2024-21893 found in Ivanti's products are actively exploited in the wild.
Source: ShadowServer
CVE-2024-21888 is a privilege escalation vulnerability within the web component of Ivanti Connect Secure and Policy Secure, which could enable a user to gain administrative privileges. On the other hand, CVE-2024-21893 is a Server-Side Request Forgery (SSRF) vulnerability present in the SAML component of several Ivanti products, potentially allowing an attacker to access restricted resources without proper authentication. Currently, this vulnerability is added to known exploited vulnerabilities catalog by CISA [5].
These vulnerabilities have attracted the attention of various threat actors, including groups known for their sophisticated cyber espionage activities. For instance, groups identified as UNC5325 and UNC3886 have exploited these vulnerabilities to deploy malware on affected systems [6], with activities including the deployment of new malware strains and leveraging Ivanti vulnerabilities for initial access and persistence in targeted networks.
Another group, Magnet Goblin, has been exploiting these vulnerabilities as part of their financially motivated campaigns, rapidly deploying exploits and delivering malware such as the Nerbian RAT and MiniNerbian [6].
Ivanti has released patches for these vulnerabilities (for more information, please refer to Ivanti Security Advisory (000090322)), and it is crucial for organizations using affected Ivanti products to apply these patches promptly to mitigate the risks posed by these vulnerabilities and the activities of these threat groups.
CVE-2024-20337: Patch Available for Cisco’s High-Severity VPN Hijacking Bug in Secure Client
Cisco has addressed a critical vulnerability in its Secure Client software, labeled CVE-2024-20337, which posed a high risk with a CVSS score of 8.2. This flaw allowed an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack.
Exploiting this vulnerability, an attacker could deceive a user into clicking a malicious link during a VPN session setup, enabling the execution of arbitrary script code or accessing sensitive browser-based information, such as a valid SAML token. With this token, the attacker could establish a VPN session with the same privileges as the targeted user, potentially leading to unauthorized access to internal networks. Discovered by researcher Paulos Yibelo Mesfin, this issue has been rectified in specific versions of Secure Client across Windows, Linux, and macOS platforms.
Source: X
To address this vulnerability, Cisco has released a security advisory with available patches. Additionally, Cisco patched another significant vulnerability in the Linux version of Secure Client, identified as CVE-2024-20338, which allowed privilege escalation and was fixed in version 5.1.2.42 [7].
CVE-2024-21762: Fortinet FortiOS Vulnerability Is Exposing 150,000 Devices
The critical vulnerability CVE-2024-21762 in Fortinet's FortiOS has raised alarms due to its potential impact on approximately 150,000 internet-facing devices [8]. This vulnerability, with a high CVSS score of 9.6, allows for remote code execution and was identified in the SSL VPN component of FortiOS. Attackers can exploit this vulnerability by sending specially crafted HTTP requests to the affected devices, leading to arbitrary code execution. In response, Fortinet has recommended disabling the SSL VPN feature as an immediate workaround, highlighting the severity of the risk and the urgency of addressing it.
Source: X
The spread and potential exploitation of CVE-2024-21762 have been significant enough for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include it in its Known Exploited Vulnerabilities Catalog. Despite this, a large number of devices remain vulnerable, underscoring the challenge of securing widespread network infrastructure.
The geographic distribution of vulnerable devices, with the highest numbers in the United States, India, and Brazil, indicates a global risk profile. Organizations using affected Fortinet FortiOS versions are urged to upgrade to the patched versions as specified by Fortinet to mitigate the risks associated with this critical vulnerability.
March 15: Latest Malware Attacks
Here are the malware attacks and campaigns that were active in the first week of March.
CVE-2024-21887 and CVE-2023-46805: KrustyLoader, a New Rust-based Backdoor, Actively Targeting Ivanti Products
KrustyLoader, a Rust-based backdoor, has been notably used in conjunction with specific vulnerabilities to compromise systems [9]. The Linux variant of KrustyLoader exploited vulnerabilities CVE-2024-21887 and CVE-2023-46805 in Ivanti products. CVE-2024-21887 is a critical vulnerability that allows unauthenticated remote code execution (RCE), while CVE-2023-46805 facilitates authentication bypass, both affecting Ivanti Connect Secure and Ivanti Policy Secure Gateway devices. These vulnerabilities provide a gateway for attackers to deploy KrustyLoader, which then downloads additional malicious tools like the Sliver post-exploitation toolkit.
On Windows systems, KrustyLoader's deployment involves a different process, where a batch file named 'r.bat' is used to initiate a sequence of actions that download and execute the malware from a remote server. This process exemplifies a multi-stage attack where KrustyLoader serves as the initial intrusion tool, setting the stage for further exploitation and control over the compromised system. Through these specific vulnerabilities and tactics, KrustyLoader enables attackers to establish a foothold and extend their reach within the targeted networks, underscoring the need for timely patching and vigilance against such sophisticated threats.
KrustyLoader IOCs [10]:
e1c31f503da20c8326b566ec042db1f0d3b56fe3579ae37398ff3f6fa5bc54d2
415a70897761c65c3ff59b686d2b1c69a56df06cbf9fbff5dec03751b51d53db
c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04
95ffea9b7c5c2e18f7fc801290d4bb2777c05e468e5b3e513a597c41ec9b36fc
c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026
41aa6b45277445d34060d8cd00a528b08636b86605bbafe643357f2614b66887
e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2
ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0
f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201
49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea
816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17
bc7c7280855c384e5a970a2895363bd5c8db9088977d129b180d3acb1ec9148a
Xehook Crypto-Stealing Malware
Xehook Stealer represents a significant evolution in the landscape of cyber threats, originating from the Cinoshi project and transforming into an advanced crypto-stealing malware [11].
This .NET-based stealer, targeting Windows systems, is specifically designed to siphon sensitive information, with a keen focus on cryptocurrencies and two-factor authentication (2FA) data. Its development from the initial Cinoshi project, through the Agniane Stealer phase, showcases a trajectory of increasing sophistication, culminating in the release of Xehook Stealer by the cybercriminal "thx4drugs."
Source: The Cyber Express
Technical analysis reveals that Xehook Stealer is adept at extracting data from Chromium and Gecko-based browsers, targeting over 110 cryptocurrency environments and 2FA extensions. It supports various desktop cryptocurrency wallets and employs a recursive file grabber to pinpoint and exfiltrate targeted data. Notably, its distribution has been linked to SmokeLoader binaries, indicating an active and strategic approach to dissemination.
Xehook Stealer's operational features are tailored to enhance its stealth and efficacy. It includes an API for custom traffic bots, aiding in the automation of data theft, and possesses the ability to recover "dead" Google cookies, maintaining access to compromised accounts. Its defense mechanisms are designed to thwart analysis and reverse engineering, employing time and language-based checks alongside process injection techniques for evasion.
March 15: Top Threat Actors Observed In Wild
Here are the top threat actors that were active in the second week of March.
Anonymous Sudan Targeted Alabama Government Agencies
Anonymous Sudan has reportedly employed its InfraShutdown DDoS tool to disrupt three Alabama government agencies, highlighting the group's ability to impact critical state functions [12]. This cyber-activism is attributed to political motivations, specifically protesting U.S. support for Israel and interference in Sudanese affairs. The group's message asserts their intent to continue such attacks until their concerns are addressed, emphasizing the cyber realm as a battleground for geopolitical disputes. These incidents underscore the increasing use of cyberattacks in political activism, raising questions about the ethics and legality of such actions, especially when they threaten public services and infrastructure.
In a broader context, Anonymous Sudan's recent activities, including attacks on Egypt's Vodafone network and a shift to using the Infrashutdown DDoS-for-hire service, indicate a strategic evolution in their operations. Moving away from the Skynet Botnet to Infrashutdown, the group aims to enhance its disruption capabilities with a service that offers global reach, sector-specific targeting, and a high degree of anonymity and security. This transition reflects a more organized and potentially more dangerous phase of digital activism by Anonymous Sudan, challenging cybersecurity defenses and highlighting the need for vigilant and robust cybersecurity measures globally.
Anonymous Collective Targeted Liverpool Airport for Political Hacktivism
Anonymous Collective hackers claimed responsibility for a cyberattack on Liverpool Airport, stating the action was a retaliation against the UK's support for Israel amid the Palestine conflict [13]. While the airport's spokesperson acknowledged intermittent website access issues, they didn't confirm a cyberattack's occurrence. This incident reflects the broader trend of targeting airports with cyber intrusions, which have varied from data breaches to politically motivated hacks, illustrating the cyber vulnerabilities within critical aviation infrastructure.
The incident at Liverpool Airport is part of a concerning pattern of cyber threats against global aviation facilities. For example, cyberattacks have affected Beirut International Airport's display systems and compromised data at Los Angeles International Airport. Italian aviation entities have also been targeted. These attacks underscore the reliance of modern airports on integrated IT and OT systems, which, while essential for operations, introduce significant cybersecurity risks.
R00TK1T Hacker Group Has Issued Warning in Dark Web Post
The R00TK1T hacker group has issued a stark warning to Nestle, hinting at a planned cyberattack against the multinational corporation [14]. This announcement on the dark web underscores the group's intention to disturb Nestle's digital peace, leveraging their cyber capabilities to target the company's essential online infrastructure. Their message conveys a clear threat of imminent digital chaos, though without specific details on the timing or nature of the attack, leaving Nestle and the cybersecurity community on high alert for potential disruptions.
This isn't Nestle's first encounter with cyber threats, as the company was previously implicated in attacks by different hacker groups, suggesting a pattern of being a high-profile target in the cyber domain. R00TK1T, known for its stealthy operations and targeting a range of sectors, adds to the company's challenges. The group's history of cyberattacks on various industries demonstrates their capability and intent to breach security defenses, making it crucial for Nestle and similar entities to bolster their cybersecurity measures in anticipation of potential threats from such formidable adversaries.
References
[1] “CISA Adds One Known Exploited JetBrains Vulnerability, CVE-2024-27198, to Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2024/03/07/cisa-adds-one-known-exploited-jetbrains-vulnerability-cve-2024-27198-catalog. [Accessed: Mar. 14, 2024]
[2] “Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. [Accessed: Mar. 14, 2024]
[3] I. Ilascu, “Critical TeamCity flaw now widely exploited to create admin accounts,” BleepingComputer, Mar. 06, 2024. Available: https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/. [Accessed: Mar. 14, 2024]
[4] D. Gallo, “Additional Critical Security Issues Affecting TeamCity On-Premises (CVE-2024-27198 and CVE-2024-27199) – Update to 2023.11.4 Now,” The JetBrains Blog. Available: https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/. [Accessed: Mar. 14, 2024]
[5] “CISA Adds One Known Exploited Vulnerability to Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-exploited-vulnerability-catalog-0. [Accessed: Mar. 14, 2024]
[6] “Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities,” Check Point Research, Mar. 08, 2024. Available: https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/. [Accessed: Mar. 14, 2024]
[7] 2024 newsroom Mar 08, “Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client,” The Hacker News, Mar. 08, 2024. Available: https://thehackernews.com/2024/03/cisco-issues-patch-for-high-severity.html. [Accessed: Mar. 14, 2024]
[8] P. Paganini, “Critical Fortinet FortiOS bug CVE-2024-21762 potentially impact 150,000 internet-facing devices,” Security Affairs, Mar. 09, 2024. Available: https://securityaffairs.com/160224/hacking/fortios-bug-cve-2024-21762-150k-devices.html. [Accessed: Mar. 14, 2024]
[9] “IBM X-Force Exchange.” Available: https://exchange.xforce.ibmcloud.com/osint/guid:95c4419fa96338b4757f5eeda279765a. [Accessed: Mar. 14, 2024]
[10] The Hivemind, “KrustyLoader Backdoor.” Available: https://blog.polyswarm.io/krustyloader-backdoor. [Accessed: Mar. 14, 2024]
[11] A. Khaitan, “Xehook Stealer: Evolution from Cinoshi Project to an Advanced Crypto-Stealing Malware,” The Cyber Express, Mar. 13, 2024. Available: https://thecyberexpress.com/xehook-stealer-arrives-on-dark-web/. [Accessed: Mar. 14, 2024]
[12] S. Jain, “Anonymous Sudan Unleashes InfraShutdown: Alabama Government Agencies Targeted,” The Cyber Express, Mar. 13, 2024. Available: https://thecyberexpress.com/anonymous-sudan-unleashes-infrashutdown/. [Accessed: Mar. 14, 2024]
[13] A. Khaitan, “Liverpool Airport Targeted in Alleged Cyberattack by Anonymous Collective Hackers,” The Cyber Express, Mar. 13, 2024. Available: https://thecyberexpress.com/liverpool-airport-cyberattack/. [Accessed: Mar. 14, 2024]
[14] A. Khaitan, “R00TK1T Hacker Group Issues Warning to Nestle in Dark Web Post,” The Cyber Express, Mar. 12, 2024. Available: https://thecyberexpress.com/nestle-cyberattack-claims-r00tk1t/. [Accessed: Mar. 14, 2024]