U.S. Targets RedLine and META Infostealers in Operation Magnus

The Red Report 2024

Defend Against the Top 10 MITRE ATT&CK TTPs

DOWNLOAD

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.


Latest Vulnerabilities and Exploits in October 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

FortiManager Zero-Day Vulnerability CVE-2024-47575 Actively Exploited

  • Victim Location: Global

  • Threat Actor: UNC5820 Threat Group

  • Actor Motivation: Espionage, Financial

  • CVEs: CVE-2024-47575

In October 2024, a critical vulnerability (CVE-2024-47575) in Fortinet’s FortiManager was found under active exploitation by the UNC5820 threat group. This flaw (CWE-306) allows attackers to bypass authentication in the fgfmsd service [1], gaining control over FortiManager devices to execute arbitrary commands and steal sensitive data, including hashed passwords from managed FortiGate devices. The vulnerability has been exploited since June, with attackers staging and exfiltrating configuration files to launch broader attacks across networks. 

cve-2024-47575

Figure 1. CISA Added CVE-2024-47575 to its KEV

To protect against this threat, Fortinet recommends updating affected FortiManager versions or applying workaround measures [2]. For further information, read our latest blog for detailed patching and workaround recommendations [3].

CVE-2024-43532: Critical NTLM Relay Vulnerability in Microsoft Remote Registry Client Could Lead to Domain Compromise

  • Victim Location: Global

  • Sectors: Any sector using Windows, including government, finance, healthcare, and tech

  • Actor Motivation: Financial gain, espionage, or domain control

  • CVEs: CVE-2024-43532

A proof-of-concept (PoC) exploit for CVE-2024-43532, affecting Microsoft's Remote Registry (WinReg) client, has been released. This vulnerability allows attackers to perform an NTLM relay attack by exploiting a fallback mechanism in the WinReg client. When the SMB transport is unavailable, the client switches to older, less secure protocols, enabling attackers to relay NTLM authentication to Active Directory Certificate Services (ADCS) and obtain user certificates for domain access. 

The flaw affects Windows Server versions 2008 through 2022, as well as Windows 10 and 11. Discovered by the researcher Stiv Kupchik, Microsoft initially dismissed the report but later confirmed the vulnerability and issued a fix [4]. If exploited, this flaw could allow attackers to fully compromise a Windows domain.

CVE-2024-9537: CISA Adds ScienceLogic SL1 Zero-Day Vulnerability to KEV Catalog 

CISA has added CVE-2024-9537, a critical vulnerability in ScienceLogic SL1, to its Known Exploited Vulnerabilities (KEV) catalog following reports of active zero-day exploitation. The flaw, with a CVSS score of 9.3, involves a third-party component that could lead to remote code execution [5]. ScienceLogic has released patches for versions 10.1.x through 12.3.x and later [6].

cve-2024-28987

Figure 2. CISA Added CVE-2024-9537 to its KEV

Rackspace confirmed that the vulnerability led to unauthorized access to three internal monitoring servers [7]. Federal agencies are required to apply the fixes by November 11, 2024 (as shown in Fig 2).

CVE-2024-28987: Critical SolarWinds Help Desk Software Vulnerability Actively Exploited, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical flaw in SolarWinds Web Help Desk (WHD) software, tracked as CVE-2024-28987, due to active exploitation [8]. The vulnerability, with a CVSS score of 9.1, involves hard-coded credentials that allow unauthorized access and data modification [9]. 

Disclosed by SolarWinds in August 2024, the flaw enables attackers to remotely access sensitive help desk ticket information, including passwords and service account credentials. CISA has mandated Federal Civilian Executive Branch (FCEB) agencies to apply the latest updates by November 5, 2024, to mitigate the risk. 

Figure 3. CISA Added CVE-2024-28987 to its KEV

This comes shortly after a similar vulnerability (CVE-2024-28986) was added to CISA's Known Exploited Vulnerabilities catalog. The extent of real-world exploitation remains unclear.

Top Threat Actors Observed in the Wild: October 2024

Here are the most active threat actors that have been observed in October in the wild.

U.S. Target RedLine and META Infostealers in Operation Magnus

  • Victim Location: United States, Netherlands, Belgium

  • Sectors: Government

  • Threat Actor: Maxim Rudometov (one of RedLine’s developers)

  • Actor Motivation: Financial Gain, Data Theft

  • Malware: RedLine, META Infostealers

On October 29, 2024, the U.S. Department of Justice joined an international coalition to disrupt RedLine and META, two widespread infostealers responsible for compromising millions of computers worldwide [10]. This operation, named “Operation Magnus,” was a coordinated effort involving U.S. agencies such as the FBI, IRS Criminal Investigation, and international partners including Europol, Eurojust, and the Dutch and Belgian police.

Infostealers like RedLine and META are malicious software designed to capture sensitive data—such as usernames, passwords, financial details, and cryptocurrency accounts—from infected computers. This stolen information, often referred to as “logs,” is sold on cybercrime forums and used in further attacks. RedLine and META operate under a "Malware as a Service" (MaaS) model, allowing affiliates to purchase licenses and run their own cyber campaigns, often distributed through phishing and fraudulent downloads.

As part of Operation Magnus, law enforcement seized domains, servers, and Telegram channels associated with the malware's administrators. The DOJ also unsealed charges against Maxim Rudometov, one of RedLine’s developers, accusing him of access device fraud, conspiracy, and money laundering. If convicted, he faces up to 35 years in prison.

Iranian Cyber Actors Target Critical Infrastructure with Brute Force and MFA Attacks

  • Victim Organization: Multiple Critical Infrastructure Entities

  • Victim Location: Global (North America, Europe, Middle East)

  • Sectors: Healthcare, Government, Energy, Information Technology

  • Threat Actor: Iranian Cyber Actors

  • Actor Motivations: Geopolitical, Economic Disruption, Espionage

  • Malware: Built-in tools, Open-Source Tools (e.g., Cobalt Strike)

  • CVE: CVE-2020-1472

On October 16, 2024, the FBI, CISA, NSA, CSE, and ASD issued a joint advisory warning about Iranian cyber actors targeting critical infrastructure sectors such as healthcare, government, energy, and information technology. These actors use brute force attacks and multifactor authentication (MFA) push-bombing to gain unauthorized access to networks. 

Once inside, they exploit vulnerabilities like Zerologon (CVE-2020-1472) to escalate privileges, perform credential harvesting, and maintain persistent access. Their tactics include lateral movement, credential theft, and exploiting MFA weaknesses, aiming to destabilize critical services and steal sensitive information. The advisory emphasizes the importance of continuous exposure management to defend against these persistent threats.

For further information, please visit our latest blog on Iranian cyber attackers [11].

Recent Malware Attacks in October 2024

In October 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. 

Critical Veeam Vulnerability Fuels Surge in Akira and Fog Ransomware Attacks

  • Victim Location: United Kingdom, United States

  • Sectors: Technology

  • Actor Motivation: Financial Gain

  • Malware: Akira, Fog

  • CVEs: CVE-2024-40711

A critical vulnerability in Veeam Backup & Replication (CVE-2024-40711), rated 9.8/10 on the CVSS scale, is being actively exploited by threat actors to spread Akira and Fog ransomware [12]. 

This flaw, which allows unauthenticated remote code execution, was patched in September 2024. Attackers are leveraging compromised VPN credentials and exploiting Veeam's URI /trigger on port 8000 to create local accounts and deploy ransomware. In one instance, Fog ransomware was dropped on an unprotected Hyper-V server, while other attempts were unsuccessful. The exploitation has led to warnings from NHS England, highlighting backup and disaster recovery applications as prime targets for cybercriminals. 

Additionally, other ransomware variants like Lynx, Trinity, and BabyLockerKZ are emerging ([13], [14], [15] respectively), often using publicly available tools for credential theft and lateral movement within compromised systems. These ransomware attacks typically use double extortion tactics, exfiltrating data before encrypting it to increase pressure on victims to pay.

References

[1] “FGFM - FortiGate to FortiManager Protocol.” Available: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/373486/fgfm-fortigate-to-fortimanager-protocol. [Accessed: Oct. 30, 2024]

[2] “PSIRT,” FortiGuard Labs. Available: https://fortiguard.com/psirt/FG-IR-24-423. [Accessed: Oct. 30, 2024]

[3] S. Özeren, “CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained,” Oct. 24, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-47575-fortimanager-missing-authentication-zero-day-vulnerability-explained. [Accessed: Oct. 30, 2024]

[4] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43572. [Accessed: Oct. 30, 2024]

[5] The Hacker News, “CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack,” The Hacker News, Oct. 22, 2024. Available: https://thehackernews.com/2024/10/cisa-adds-sciencelogic-sl1.html. [Accessed: Oct. 30, 2024]

[6] ATCP, “ScienceLogic Security Update Advisory (CVE-2024-9537),” ASEC, Oct. 21, 2024. Available: https://asec.ahnlab.com/en/84007/. [Accessed: Oct. 30, 2024]

[7] “Detailed Status - Rackspace System Status.” Available: https://rackspace.service-now.com/system_status?id=detailed_status&service=4dafca5a87f41610568b206f8bbb35a6. [Accessed: Oct. 30, 2024]

[8] The Hacker News, “CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability,” The Hacker News, Oct. 16, 2024. Available: https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-in.html. [Accessed: Oct. 30, 2024]

[9] The Hacker News, “Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk,” The Hacker News, Aug. 22, 2024. Available: https://thehackernews.com/2024/08/hardcoded-credential-vulnerability.html. [Accessed: Oct. 30, 2024]

[10] Dissent, “U.S. Joins International Action Against RedLine and META Infostealers; unseals charges against Maxim Rudometov (1).” Available: https://databreaches.net/2024/10/29/u-s-joins-international-action-against-redline-and-meta-infostealers-unseals-charges-against-maxim-rudometov/. [Accessed: Oct. 30, 2024]

[11] S. Özeren, “Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A,” Oct. 18, 2024. Available: https://www.picussecurity.com/resource/blog/cisa-alert-aa24-290a-iranian-cyber-actors-brute-force-and-credential-access-attacks. [Accessed: Oct. 30, 2024]

[12] The Hacker News, “Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware,” The Hacker News, Oct. 14, 2024. Available: https://thehackernews.com/2024/10/critical-veeam-vulnerability-exploited.html. [Accessed: Oct. 30, 2024]

[13] P. K. Chhaparwal, M. Yates, and B. Chang, “Lynx Ransomware: A Rebranding of INC Ransomware,” Unit 42, Oct. 10, 2024. Available: https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/. [Accessed: Oct. 30, 2024]

[14] “Trinity Ransomware.” Available: https://www.broadcom.com/support/security-center/protection-bulletin/trinity-ransomware. [Accessed: Oct. 30, 2024]

[15] T. Pereira, “Threat actor believed to be spreading new MedusaLocker variant since 2022,” Cisco Talos Blog, Oct. 03, 2024. Available: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/. [Accessed: Oct. 30, 2024]