The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
May 17: Latest Vulnerabilities, Exploits and Patches
Here are the most notable vulnerabilities and exploitations observed from May 11 to May 17, 2024.
Google Issues Emergency Chrome Update to Patch Third Zero-Day in a Week
Google has released an emergency Chrome update to address a zero-day vulnerability (CVE-2024-4947) actively exploited in attacks, marking the third such issue in a week [1]. This high-severity flaw, caused by a type confusion weakness in the Chrome V8 JavaScript engine, was reported by Kaspersky researchers. It can lead to arbitrary code execution on targeted devices.
Google fixed the flaw with versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux, rolling out to all users in the Stable Desktop channel [2]. Users can verify they're running the latest version by navigating to the Chrome menu > Help > About Google Chrome.
This update is part of ongoing efforts to address a total of seven zero-day vulnerabilities in Chrome this year, emphasizing the need for timely updates to protect against evolving threats.
Millions of IoT Devices at Risk from Cinterion Modem Vulnerabilities
Millions of IoT devices across industrial, healthcare, automotive, financial, and telecommunication sectors are at risk due to seven critical vulnerabilities found in Cinterion modems, manufactured by Telit Cinterion [3]. These vulnerabilities, discovered by Kaspersky researchers and presented at OffensiveCon in Berlin [4], include remote code execution (RCE) and unauthorized privilege escalation flaws.
The most severe, CVE-2023-47610, is a memory heap overflow that allows attackers to execute arbitrary commands via crafted SMS messages without physical access, potentially unlocking special AT commands to manipulate the modem’s memory [5]. Additional vulnerabilities (CVE-2023-47611 through CVE-2023-47616) affect user applications (MIDlets) and OEM firmware, allowing unauthorized code execution and privilege escalation.
All of the vulnerabilities mentioned, from CVE-2023-47610 to CVE-2023-47616, impact the following list of cellular IoT modems [6]:
- Cinterion BGS5
- Cinterion EHS5/6/8
- Cinterion PDS5/6/8
- Cinterion ELS61/81
- Cinterion PLS62
Despite Telit Cinterion issuing some patches, many devices remain vulnerable. To mitigate threats, organizations should disable non-essential SMS capabilities, use private Access Point Names (APNs), restrict physical access, and perform regular security audits.
May 17: Top Threat Actors Observed In Wild
Here are the top threat actors observed from May 11 to May 17, 2024.
CISA Released a Joint Advisory on BlackBasta Ransomware as a Service Group as Part of #StopRansomware
On May 10, 2024, the CISA released a joint advisory detailing the tactics, techniques, and procedures (TTPs) of Black Basta, a ransomware-as-a-service (RaaS) group [7]. Black Basta targets critical infrastructure sectors, including healthcare, in North America, Europe, and Australia, impacting over 500 organizations globally. The group's initial access techniques include -, exploiting known vulnerabilities like ConnectWise CVE-2024-1709 [8], and using valid credentials obtained through Initial Access Brokers [9]. They employ a double-extortion model, encrypting systems and exfiltrating data. Black Basta affiliates use tools such as Mimikatz for credential dumping, SoftPerfect network scanner for discovery, and PowerShell to disable antivirus defenses. Their ransomware encrypts files with ChaCha20 and RSA-4096 algorithms, adding a .basta extension and leaving a ransom note directing victims to a Tor site for payment.
Windows Quick Assist Abused in Black Basta Ransomware Attacks
Financially motivated cybercriminals, tracked as Storm-1811, are abusing the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware on victims' networks [10]. Starting in mid-April 2024, these attacks involve email bombing targets with subscriptions to various services, followed by voice phishing where attackers impersonate Microsoft support or IT staff.
Victims are tricked into granting access via Quick Assist, allowing attackers to download malicious payloads through scripted cURL commands, leading to the deployment of tools like Qakbot, ScreenConnect, and Cobalt Strike. Following domain enumeration and lateral movement, Black Basta ransomware is deployed using PsExec. Microsoft advises blocking or uninstalling Quick Assist and training employees to recognize tech support scams to mitigate these attacks.
Dark Web Hacker Claims Responsibility for Exposing 70K National PTA Records
On May 13, 2024, the hacker known as IntelBroker allegedly leaked a database belonging to the National Parent Teacher Association (PTA) on BreachForums, compromising over 70,000 records [11]. This breach, which occurred in March, exposed sensitive data including insured data, college information, client lists, medical insurance records, and payment information [12]. The leaked data poses significant privacy and security risks, affecting individuals across the United States. The breach highlights the vulnerability of educational institutions to cyberattacks, with the PTA data breach serving as a recent example. Despite the severity of the incident, the National PTA has not yet issued an official response.
This breach underscores the increasing trend of cyberattacks on educational organizations, which saw a 258% increase in incidents in 2023, driven by both external threats like ransomware and internal risks from uninformed users. Enhanced cybersecurity measures are urgently needed to protect such institutions and their sensitive data.
May 17: Latest Malware Attacks
Here are the malware attacks and campaigns that were active in the second week of May.
Malicious PyPI Package Targets macOS with Sliver C2 Framework
A malicious package mimicking the popular 'requests' library on the Python Package Index (PyPI) was discovered targeting macOS devices with the Sliver C2 adversary framework. Discovered by Phylum, this campaign involved multiple obfuscation layers, including steganography in a PNG image file to covertly install the Sliver payload [13].
The attack began with a package named 'requests-darwin-lite,' which decoded a base64 string to retrieve the system's UUID and validated the target before extracting and executing the Sliver binary.
Although the package has been removed from PyPI, its discovery highlights Sliver's growing use for gaining remote access to corporate networks, replacing the more detectable Cobalt Strike [14].
Phorpiex Botnet Delivers Millions of Emails in LockBit Black Ransomware Campaign
Since April, the Phorpiex botnet has sent millions of phishing emails to execute a large-scale LockBit Black ransomware campaign. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) warned that the attackers use ZIP attachments containing an executable that deploys the LockBit Black payload [15], encrypting the recipients' systems if launched.
This campaign uses the LockBit 3.0 builder leaked in September 2022 and is not believed to be affiliated with the original LockBit operation [16]. Phishing emails, using aliases like "Jenny Brown" or "Jenny Green," are sent from over 1,500 unique IP addresses globally. Once the recipient opens the ZIP archive and executes the binary, it downloads and runs the ransomware, stealing data, terminating services, and encrypting files.
References
[1] S. Gatlan, “Google patches third exploited Chrome zero-day in a week,” BleepingComputer, May 15, 2024. Available: https://www.bleepingcomputer.com/news/google/google-patches-third-exploited-chrome-zero-day-in-a-week/. [Accessed: May 16, 2024]
[2] “Stable Channel Update for Desktop,” Chrome Releases. Available: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html. [Accessed: May 16, 2024]
[3] J. Alan, “Millions of IoT Devices at Risk from Cinterion Modem Vulnerabilities,” The Cyber Express, May 14, 2024. Available: https://thecyberexpress.com/millions-iot-cinterion-modem-vulnerabilities/. [Accessed: May 16, 2024]
[4] “Alexander Kozlov and Sergey Anufrienko.” Available: https://www.offensivecon.org/speakers/2024/alexander-kozlov-and-sergey-anufrienko.html. [Accessed: May 16, 2024]
[5] “KLCERT-23-018: Telit Cinterion (Thales/Gemalto) modules. Buffer Copy without Checking Size of Input vulnerability,” KLCERT-23-018: Telit Cinterion (Thales/Gemalto) modules. Buffer Copy without Checking Size of Input vulnerability | Kaspersky ICS CERT. Available: https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-23-018-telit-cinterion-thales-gemalto-modules-buffer-copy-without-checking-size-of-input-vulnerability. [Accessed: May 16, 2024]
[6] “Critical vulnerabilities in Telit Cinterion M2M modems,” Kaspersky, May 15, 2024. Available: https://www.kaspersky.com/blog/telit-cinterion-m2m-modems-vulnerabilities/51237/. [Accessed: May 16, 2024]
[7] “[No title].” Available: https://www.cisa.gov/sites/default/files/2024-05/aa24-131a-joint-csa-stopransomware-black-basta_1.pdf. [Accessed: May 16, 2024]
[8] S. Özeren, “CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability Exploitations,” Feb. 27, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-1709-cve-2024-1708-connectwise-screenconnect-vulnerability-exploitations. [Accessed: May 16, 2024]
[9] H. C. Yuceel, “Black Basta Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-131A,” May 13, 2024. Available: https://www.picussecurity.com/resource/blog/black-basta-ransomware-analysis-cisa-alert-aa24-131a. [Accessed: May 16, 2024]
[10] S. Gatlan, “Windows Quick Assist abused in Black Basta ransomware attacks,” BleepingComputer, May 15, 2024. Available: https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/. [Accessed: May 16, 2024]
[11] “Website.” Available: https://twitter.com/DailyDarkWeb/status/1790014259897729200
[12] A. Khaitan, “Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records,” The Cyber Express, May 14, 2024. Available: https://thecyberexpress.com/national-parent-teacher-association-breach/. [Accessed: May 16, 2024]
[13] “Malicious Go Binary Delivered via Steganography in PyPI,” Phylum, May 10, 2024. Available: https://blog.phylum.io/malicious-go-binary-delivered-via-steganography-in-pypi/. [Accessed: May 16, 2024]
[14] B. Toulas, “PyPi package backdoors Macs using the Sliver pen-testing suite,” BleepingComputer, May 13, 2024. Available: https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-using-the-sliver-pen-testing-suite/. [Accessed: May 16, 2024]
[15] “[No title].” Available: https://www.cyber.nj.gov/Home/Components/News/News/1312/214?fsiteid=2&loadingmode=PreviewContent. [Accessed: May 16, 2024]
[16] S. Gatlan, “Botnet sent millions of emails in LockBit Black ransomware campaign,” BleepingComputer, May 13, 2024. Available: https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign/. [Accessed: May 16, 2024]