September 2024: Latest Malware, Vulnerabilities and Exploits


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Latest Vulnerabilities and Exploits in August 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CISA Adds Actively Exploited Apache OFBiz Vulnerability CVE-2024-38856 to KEV Catalog, Urges Immediate Patching

  • Victim Location: United States

  • Sectors: Government

  • CVEs: CVE-2024-38856 Apache OFBiz Vulnerability

CISA has added the critical Apache OFBiz vulnerability, CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. With a CVSS score of 9.8, this flaw allows unauthenticated attackers to execute remote code via a Groovy payload within the OFBiz user process. The vulnerability emerged as a patch bypass for CVE-2024-36104, another flaw enabling remote code execution. Public proof-of-concept exploits for CVE-2024-38856 are available [1], further increasing the risk. This is the second Apache OFBiz vulnerability actively exploited recently, following the addition of CVE-2024-32113, which was linked to the Mirai botnet. Organizations are strongly advised to update to version 18.12.15, with Federal Civilian Executive Branch agencies mandated to apply the updates by September 17, 2024, to mitigate the threat.

CISA Adds Actively Exploited Jenkins Vulnerability CVE-2024-23897 to KEV Catalog

  • Victim Location: United States, China, India

  • Sectors: Government, Technology, Finance

  • CVEs: CVE-2024-23897 Jenkins RCE Vulnerability

CISA has added the critical Jenkins vulnerability, CVE-2024-23897, to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being actively exploited in ransomware attacks. This remote code execution flaw, caused by a security weakness in the args4j command parser, allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system via the built-in command line interface. Proof-of-concept exploits have been available since January 2024, with over 28,000 Jenkins instances exposed, particularly in China and the United States. The vulnerability has been linked to ransomware attacks, including a recent breach by the RansomEXX group that disrupted Indian banking services [2]. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by September 9, 2024, and is urging all organizations to prioritize remediation to prevent further ransomware attacks.

Volt Typhoon Exploits CVE-2024-39717 Zero-Day, Targeting US ISPs and IT Firms

  • Victim Location: United States

  • Sectors: Technology

  • Threat Actor: Volt Typhoon

  • Actor Motivation: Cyber Espionage, Financial Gain

  • Malware: VersaMem Webshell (Director_tomcat_memShell [3])

  • CVEs: CVE-2024-39717

In August 2024, Chinese state-sponsored hacking group Volt Typhoon exploited a zero-day vulnerability (CVE-2024-39717) in Versa Director [4], a platform used by ISPs and IT firms for managing SD-WAN infrastructure. Researchers observed the exploitation as early as June 12, 2024, with active exploitation continuing through August 9, 2024, when Versa Networks informed customers of the vulnerability. The flaw allowed attackers to upload malicious files, leading to the deployment of a web shell, dubbed VersaMem, which stole credentials and enabled further access to victim systems. Despite a patch being released in late August, the vulnerability was actively exploited before the fix. Organizations are urged to apply the latest patches and review system hardening measures to mitigate the threat.

Microsoft Patches CVE-2024-38213 Windows SmartScreen Zero-Day Exploited Since March 2024

  • Sectors: Technology

  • Actor Motivation: Financial Gain

  • Malware: DarkGate Malware

  • CVEs: CVE-2024-38213

On August 13, 2024, Microsoft disclosed a Windows SmartScreen vulnerability (CVE-2024-38213) that had been actively exploited as a zero-day since March 2024. Although the flaw was patched during the June Patch Tuesday, Microsoft inadvertently omitted the advisory from both the June and July updates. This vulnerability allowed attackers to bypass SmartScreen protections by tricking users into opening malicious files [5]. Despite requiring user interaction, DarkGate malware operators effectively exploited the flaw to distribute harmful payloads disguised as legitimate software, such as iTunes and Notion. Trend Micro researchers, who discovered and reported the issue, dubbed it "copy2pwn" due to its ability to bypass Mark-of-the-Web protections for files from WebDAV shares [6]. 

Top Threat Actors Observed in the Wild: August 2024

Here are the most active threat actors that have been observed in August in the wild.

Pioneer Kitten Facilitates Ransomware Attacks Against U.S. Organizations

  • Victim Location: United States, Israel, Azerbaijan, United Arab Emirates

  • Victim Sectors: Education, Finance, Healthcare, Defense, Local Government

  • Threat Actor Aliases: Fox Kitten, Lemon Sandstorm, Rubidium, Parisite, UNC757

  • Threat Actor Affiliates: NoEscape Ransomware, BlackCat Ransomware, RansomHub Ransomware

  • Actor Motivation: Financial Gain

  • Exploited CVEs: CVE-2019-19781, CVE-2023-3519, CVE-2022-1388, CVE-2024-21887, CVE-2024-3400

On August 28th, 2024, the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) released a joint advisory warning organizations about the activities of an Iran-based cyber group known as Fox Kitten. This group, also referred to as Pioneer Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, has been exploiting organizations across various sectors in the United States, including education, finance, healthcare, and defense, as well as in Middle Eastern countries such as Israel, Azerbaijan, and the United Arab Emirates. The FBI assesses that these actors aim to develop network access, which is then used in collaboration with ransomware affiliates like BlackCat and NoEscape to deploy ransomware.

For a deeper understanding of the TTPs used by Pioneer Kitten, visit our blog.

Halliburton Cyberattack Tied to RansomHub, Impacting IT Systems and Business Operations

  • Victim Organization: Halliburton

  • Victim Location: United States

  • Sectors: Energy

  • Threat Actor: RansomHub Ransomware Group

  • Actor Motivations: Financial Gain, Data Theft

The RansomHub ransomware group has been linked to a recent cyberattack on Halliburton [7], a major player in the oil and gas services sector. The attack, which occurred on August 21, 2024, disrupted Halliburton's IT systems and operations, affecting customers' ability to generate invoices and purchase orders. The company disclosed the breach in an SEC filing, stating that they immediately activated their cybersecurity response plan and engaged external advisors to investigate and mitigate the impact.

While Halliburton has provided limited details about the attack, sources indicate that the RansomHub group is behind it. RansomHub, which first emerged in February 2024 as a Ransomware-as-a-Service (RaaS) operation, is mostly known for its double-extortion tactics, where data is stolen before systems are encrypted and a ransom is demanded. The group has a history of targeting high-profile organizations, and its ransomware encryptors are reportedly based on the Knight ransomware, which was sold and rebranded earlier this year.

For a deeper understanding of the TTPs used by RansomHub, visit our blog.

Recent Malware Attacks in August 2024

In August 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. For those seeking a more comprehensive analysis or interested in the Indicators of Compromise (IOCs), please refer to the respective sections within this blog.

Peach Sandstorm Deploys Tickler Backdoor in US and UAE Satellite, Communications, Oil & Gas, and Government Sectors

  • Victim Location: United States, United Arab Emirates

  • Sectors: Government, Defense, Space, Education, Oil and Gas

  • Actor Motivation: Cyber Espionage, Intelligence Collection

  • Threat Actor: Peach Sandstorm

  • Threat Actor Aliases: APT33, Refined Kitten

  • Malware: Tickler Backdoor

The Iranian state-sponsored threat group Peach Sandstorm, also known as APT33, deployed a new custom malware, Tickler, to backdoor organizations in sectors like satellite, communications, oil and gas, and government in the US and UAE [8]. The group, operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), utilized password spray attacks and compromised Azure infrastructure to target these sectors for intelligence collection. Peach Sandstorm also conducted social engineering operations via LinkedIn and used fraudulent Azure subscriptions for command-and-control operations, with Microsoft disrupting these activities and notifying affected organizations. The Tickler malware, a multi-stage backdoor, was observed to collect network information and establish persistence via DLL sideloading techniques.

Some of the IOCs for the malware used by Peach Sandstorm in the Tickler campaign are given in the table below; for the full list, read here.

IOCs of Malware Used by Peach Sandstorm APT

  • A .batch file: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b

  • A .dll file: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f

  • A .dll file: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350
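As an added example (not code from the Picus blog or from Microsoft's report), the Python below hashes every file under a directory in chunks and flags any whose SHA-256 matches the Tickler hashes listed above; the scanned directory, its benign file and the extra "sample" whose hash is registered as an IOC are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple

# SHA-256 hashes of the Peach Sandstorm / Tickler samples listed on the page.
TICKLER_IOC_SHA256: Dict[str, str] = {
    "5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b": "Tickler batch file",
    "fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f": "Tickler DLL",
    "711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350": "Tickler DLL",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str] = TICKLER_IOC_SHA256) -> Iterator[Tuple[Path, str]]:
    """Yield (path, description) for every regular file whose SHA-256 is a known IOC.
    Files that cannot be read (permissions, deleted mid-scan) are skipped, not fatal."""
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in iocs:
            yield path, iocs[digest]


def demo() -> list:
    """Run the scanner over a constructed directory: one benign file and one
    harmless file whose hash is added as an extra (constructed) IOC. Returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"benign content")
        sample = root / "sub" / "payload.bin"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed test sample, not real malware")
        iocs = dict(TICKLER_IOC_SHA256)
        iocs[sha256_file(sample)] = "constructed test sample"
        return [(p.name, desc) for p, desc in scan_tree(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a download or staging directory to check it against the published hashes; extend the dictionary with the full IOC list from the Microsoft report.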

North Korean Group UAT-5394 Develops and Deploys Advanced MoonPeak Malware with Evolving Infrastructure

Researchers have uncovered a new remote access trojan (RAT) called 'MoonPeak,' developed by the North Korean threat actor group UAT-5394 [9]. This group is particularly notable for its adaptability and sophisticated infrastructure, which includes command-and-control (C2) servers, staging servers, and test machines used to develop and deploy the malware. In June 2024, UAT-5394 shifted from using third-party cloud providers to controlling their own infrastructure, ensuring persistence and avoiding disruptions. They continuously test and evolve MoonPeak on multiple virtual machines, refining the malware's evasion techniques with each iteration. The group operates stealthily by using VPNs and high-flux servers, making them a highly adaptable and resourceful threat actor. 

The IOCs from their operations have been shared on GitHub by Cisco Talos [10].

Fake Palo Alto GlobalProtect Used as Lure in Targeted Malware Attacks on Middle Eastern Enterprises

Threat actors are targeting Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect VPN tool [11]. The malware, which can steal data and execute remote PowerShell commands, is used to infiltrate internal networks. The attack likely begins with a phishing email that leads the victim to download a fake "setup.exe" file, which installs a malicious "GlobalProtect.exe." While the fake installation process runs, the malware stealthily loads in the background, sending machine profiling data to a command-and-control (C2) server. The malware uses AES encryption for exfiltration and communicates with the attackers via periodic beacons. Although no attribution has been made, the operation appears highly targeted, using custom URLs and newly registered domains to evade detection.

References

[1] “GitHub - 0x20c/CVE-2024-38856-EXP: CVE-2024-38856 Exploit,” GitHub. Available: https://github.com/0x20c/CVE-2024-38856-EXP. [Accessed: Sep. 05, 2024]

[2] S. Gatlan, “CISA warns of Jenkins RCE bug exploited in ransomware attacks,” BleepingComputer, Aug. 19, 2024. Available: https://www.bleepingcomputer.com/news/security/cisa-warns-of-jenkins-rce-bug-exploited-in-ransomware-attacks/. [Accessed: Sep. 05, 2024]

[3] “Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs,” BleepingComputer. Available: https://www.bleepingcomputer.com/news/security/chinese-volt-typhoon-hackers-exploited-versa-zero-day-to-breach-isps-msps/

[4] L. Constantin, “China’s Volt Typhoon exploits Versa zero-day to hack US ISPs and IT firms,” CSO Online, Aug. 27, 2024. Available: https://www.csoonline.com/article/3497078/chinas-volt-typhoon-exploits-versa-zero-day-to-hack-us-isps-and-it-firms.html. [Accessed: Sep. 05, 2024]

[5] S. Gatlan, “New Windows SmartScreen bypass exploited as zero-day since March,” BleepingComputer, Aug. 13, 2024. Available: https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/. [Accessed: Sep. 05, 2024]

[6] P. Girnus, “CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections,” Zero Day Initiative, Aug. 15, 2024. Available: https://www.thezdi.com/blog/2024/8/14/cve-2024-38213-copy2pwn-exploit-evades-windows-web-protections. [Accessed: Sep. 05, 2024]

[7] L. Abrams, “Halliburton cyberattack linked to RansomHub ransomware gang,” BleepingComputer, Aug. 29, 2024. Available: https://www.bleepingcomputer.com/news/security/halliburton-cyberattack-linked-to-ransomhub-ransomware-gang/. [Accessed: Sep. 05, 2024]

[8] Microsoft Threat Intelligence, “Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations,” Microsoft Security Blog, Aug. 28, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/. [Accessed: Sep. 05, 2024]

[9] J. Alan, “North Korean Hackers Observed Deploying New ‘MoonPeak’ Malware Infrastructure,” The Cyber Express, Aug. 21, 2024. Available: https://thecyberexpress.com/north-korean-hackers-new-moonpeak-uat-5394/. [Accessed: Sep. 05, 2024]

[10] “IOCs/2024/08 at main · Cisco-Talos/IOCs,” GitHub. Available: https://github.com/Cisco-Talos/IOCs/tree/main/2024/08. [Accessed: Sep. 05, 2024]

[11] “Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool,” Trend Micro, Aug. 29, 2024. Available: https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html. [Accessed: Sep. 05, 2024]