Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
Here are the most notable vulnerabilities and exploitations observed from May 24 to May 31, 2024.
Victim Location: Global
Sectors: Judicial, Legal, Government
Actor Motivation: Credential Theft, Ransomware Deployment
Threat Campaign Name: ShadowSyndicate Supply Chain Attack
Malware: RustDoor, fffmpeg.exe, chrome_installer.exe, main.exe
Exploited Vulnerability: CVE-2024-4978 (added to CISA's Known Exploited Vulnerabilities Catalog [1])
fffmpeg.exe SHA-256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4
Malicious actors backdoored the installer of JAVS Viewer v8.3.7, a component of courtroom video recording software by Justice AV Solutions (JAVS), to deploy RustDoor malware, tracked as CVE-2024-4978 with a CVSS score of 8.7 [2].
The malware, distributed via a trojanized installer signed by "Vanguard Tech Limited" instead of the legitimate "Justice AV Solutions Inc," connects to a command-and-control server to gather host information and execute obfuscated PowerShell scripts, eventually downloading further payloads for credential theft. RustDoor, a Rust-based backdoor also seen targeting macOS under the guise of Visual Studio updates, shares infrastructure with a ransomware-as-a-service affiliate called ShadowSyndicate, suggesting either a direct connection or collaboration in providing malicious infrastructure. JAVS has since pulled the compromised software, reset passwords, and advised users to verify the digital signatures of their software.
Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day vulnerability (CVE-2024-24919) since at least April 30, 2024, to steal Active Directory data and move laterally through victim networks [3].
Check Point warned that attackers are targeting security gateways using old VPN local accounts with insecure password-only authentication [4]. The vulnerability, which allows attackers to read information on internet-connected gateways with remote access enabled, has led to the extraction of password hashes and Active Directory data within hours of gaining access.
Check Point released hotfixes to block exploitation attempts on vulnerable CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. Recommendations include updating affected systems, removing local users on vulnerable gateways, rotating LDAP connection passwords, and monitoring for signs of compromise.
Okta, a leading identity and access management company, has reported that its Customer Identity Cloud (CIC) feature is being exploited in credential stuffing attacks [5], with targeted attacks starting from April 15, 2024. Credential stuffing involves using large lists of stolen usernames and passwords to breach online accounts. The attacks are specifically targeting endpoints that utilize Okta's cross-origin authentication feature.
Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API. Customers must grant access to URLs from which cross-origin requests can originate. Threat actors have been targeting these URLs in their credential stuffing attempts. Okta has notified affected customers and provided remediation guidance to secure their accounts.
Some recommended actions include checking logs for 'fcoa,' 'scoa,' and 'pwd_leak' events that indicate cross-origin authentication and login attempts using leaked credentials, with abnormal spikes suggesting targeted attacks. Admins also should rotate compromised user credentials immediately, implement passwordless, phishing-resistant authentication methods with passkeys, and enforce strong password policies along with multi-factor authentication (MFA).
Here are the top threat actors observed from May 24 to May 31, 2024.
Victim Location: Global
Sectors: Government, Political Entities, Journalism, Various Industries
Actor Motivation: Espionage, Intelligence Gathering, Financial Gain
Threat Actors/Campaign Name: APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149
Malware: BURNTBATTER, DONUT, Wineloader, ROOTSAW, Agent Tesla, Remcos, Smokeloader, Snake Keylogger, Guloader
Russian APT groups are intensifying their cyberattacks by leveraging readily available malware and broadening their targets beyond traditional government entities to include a wider range of victims such as political entities and journalists [6].
Researchers report that, amid the ongoing Ukraine-Russian War, these groups are evolving their TTPs by using shared delivery methods and paid malware from illegal online marketplaces, increasing their detection evasion. The analysis highlighted several active Russian APT groups in 2024, including APT28, APT29, Gamaredon, Gossamer Bear, UAC-0050, and UAC-0149, noting their use of various malware such as BURNTBATTER, DONUT, Wineloader, Agent Tesla, Remcos, Smokeloader, Snake Keylogger, and Guloader for espionage, intelligence gathering, and financial gain.
Organizations are advised to implement robust security measures like detecting abnormal child processes, reviewing network logs, and detecting DLL side-loading to mitigate these threats.
Victim Location: Global
Sectors: Non-Profit, Research, Cybersecurity
Actor Motivation: Persistent Access, Credential Theft
Threat Campaign Name: UNC5221 MITRE Breach
Malware: BEEFLUSH, BRICKSTORM, BUSHWALK
CVE: CVE-2023-46805, CVE-2024-21887
Hackers targeted MITRE Corporation in late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887) [7]. The China-linked threat actor UNC5221 created rogue virtual machines (VMs) within MITRE's VMware environment by leveraging compromised vCenter Server access.
Attackers deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, enabling SSH connections between the rogue VMs and the ESXi hypervisor infrastructure. This tactic allowed the attackers to bypass detection from centralized management interfaces like vCenter, maintain persistent access, and obscure their activities. The use of rogue VMs, which operate outside standard management processes and established security policies, made them difficult to detect and manage through the GUI alone, requiring specialized tools and techniques to identify and mitigate.
MITRE has recommended enabling secure boot and using PowerShell scripts (Invoke-HiddenVMQuery and VirtualGHOST) to detect and mitigate such threats effectively.
Here are the malware attacks and campaigns that were active in the last week of May.
Victim Location: Asia-Pacific
Sectors: Various, primarily mobile device users
Actor Motivation: Surveillance, Data Theft
Threat Actors/Campaign Name: Not specified
Malware: LightSpy
Exploited Vulnerabilities: CVE-2018-4233 & CVE-2018-4404
Researchers have discovered a macOS version of the LightSpy surveillance framework, previously known for targeting Android and iOS devices, revealing its broader reach. LightSpy, which steals extensive data such as files, screenshots, location data, voice recordings, and payment information, primarily targets the Asia-Pacific region. The macOS implant, active since January 2024, uses WebKit exploits (CVE-2018-4233 and CVE-2018-4404) to execute code in Safari on older macOS versions.
The attack involves a disguised MachO binary that decrypts and executes scripts, fetching additional payloads that gain root access and establish persistence. LightSpy employs ten plugins to capture audio, browser data, photos, keychain information, and more. Researchers gained insights by exploiting a control panel misconfiguration, confirming the existence of implants for Windows, Linux, and routers, though their exact use remains unclear.
Victim Location: Europe and United States
Sectors: Financial and Insurance Organizations
Actor Motivation: Unauthorized Access, Data Theft
Threat Actors/Campaign Name: UAC-0188
Malware: Trojanized Minesweeper Clone, SuperOps RMM
Russian hackers are utilizing a trojanized Python clone of the Minesweeper game to hide malicious scripts and target financial organizations in Europe and the US [8].
Identified by Ukraine's CSIRT-NBU and CERT-UA as 'UAC-0188,' these attacks begin with phishing emails from "support@patient-docs-mail.com," posing as a medical center and urging recipients to download a 33MB .SCR file from Dropbox [9]. This file contains both harmless Minesweeper code and a hidden malicious Python script. The malicious script uses a function named "create_license_ver" to decode and execute the hidden payload, assembling a ZIP file that includes an MSI installer for SuperOps RMM. Once installed using a static password, SuperOps RMM, though a legitimate remote management tool, grants attackers unauthorized access to the victim's system.
CERT-UA has reported at least five breaches in financial and insurance institutions using this method and advises organizations not using SuperOps RMM to treat its presence as a sign of compromise. Additional indicators of compromise (IoCs) have been shared by CERT-UA for further detection and prevention.
Victim Location: Global
Sectors: Financial Institutions, General Users
Actor Motivation: Credential Theft, Fraudulent Transactions, Ad Revenue
Malware: Anatsa (Teabot), Joker, Facestealer, Coper, Adware
Over 90 malicious Android apps, installed more than 5.5 million times from Google Play, have been found to deliver malware and adware, with the Anatsa banking trojan (aka "Teabot") experiencing a significant resurgence [10]. Anatsa targets over 650 financial applications worldwide, aiming to steal e-banking credentials for fraudulent transactions. Zscaler identified two new decoy apps, 'PDF Reader & File Manager' and 'QR Reader & File Manager,' distributing Anatsa, amassing 70,000 installations. These dropper apps evade detection through a multi-stage payload loading mechanism. Zscaler also reported other malware families, including Joker, Facestealer, Coper, and various adware. Google has since removed the identified malicious apps and banned the developers.
[1] “Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. [Accessed: May 30, 2024]
[2] 2024 newsroom May 24, “JAVS Courtroom Recording Software Backdoored - Deploys RustDoor Malware,” The Hacker News, May 24, 2024. Available: https://thehackernews.com/2024/05/courtroom-software-backdoored-to.html. [Accessed: May 30, 2024]
[3] S. Gatlan, “Check Point VPN zero-day exploited in attacks since April 30,” BleepingComputer, May 29, 2024. Available: https://www.bleepingcomputer.com/news/security/check-point-vpn-zero-day-exploited-in-attacks-since-april-30/. [Accessed: May 30, 2024]
[4] “Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)
” Available: https://blog.checkpoint.com/security/enhance-your-vpn-security-posture
[5] “Detecting Cross-Origin Authentication Credential Stuffing Attacks,” Okta Security. Available: https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks. [Accessed: May 30, 2024]
[6] D. Ahmed, “Russian Hackers Shift Tactics, Target More Victims with Paid Malware,” Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News, May 24, 2024. Available: https://hackread.com/russian-hackers-target-victims-with-paid-malware/. [Accessed: May 30, 2024]
[7] 2024 newsroom May 24, “Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack,” The Hacker News, May 24, 2024. Available: https://thehackernews.com/2024/05/hackers-created-rogue-vms-to-evade.html. [Accessed: May 30, 2024]
[8] B. Toulas, “Hackers phish finance orgs using trojanized Minesweeper clone,” BleepingComputer, May 26, 2024. Available: https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-using-trojanized-minesweeper-clone/. [Accessed: May 30, 2024]
[9] M. Bagwe, “Russian Hackers Use Legit Remote Monitoring Software to Spy on Ukraine and Allies,” The Cyber Express, May 27, 2024. Available: https://thecyberexpress.com/remote-monitoring-software-to-spy-on-ukraine/. [Accessed: May 30, 2024]
[10] B. Toulas, “Over 90 malicious Android apps with 5.5M installs found on Google Play,” BleepingComputer, May 28, 2024. Available: https://www.bleepingcomputer.com/news/security/over-90-malicious-android-apps-with-55m-installs-found-on-google-play/. [Accessed: May 30, 2024]