Microsoft Warns of Storm-0501 Group Deploying Ransomware to Hybrid Cloud Environments

Written by Sıla Özeren | Oct 4, 2024 1:20:32 PM

Welcome to Picus Security's monthly cyber threat intelligence roundup!

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Latest Vulnerabilities and Exploits in September 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2024-7593: Critical Ivanti Vulnerability Requires Immediate Action to Prevent Exploitation

  • Victim Location: United States (and potentially global)

  • Sectors: Government, Manufacturing, Transportation, Law Enforcement, Healthcare, Education

  • CVEs: CVE-2024-7593

On September 24, 2024, CISA added CVE-2024-7593 to its Known Exploited Vulnerabilities list. This critical flaw in Ivanti Virtual Traffic Manager (vTM), rated CVSS 9.8, allows remote attackers to bypass authentication and create unauthorized administrator accounts, posing a severe risk to affected systems. All U.S. federal agencies must remediate the vulnerability by October 15, 2024. The vulnerability, found in Ivanti vTM versions older than 22.2R1, stems from an improper implementation of an authentication algorithm [1]. Ivanti has confirmed the availability of proof-of-concept exploit code and urged users to upgrade to patched versions or restrict admin access to the management interface.

CVE-2024-43461: CISA Warns of Info-Stealer Malware Exploiting the Windows MSHTML Vulnerability

  • Victim Location: North America, Europe, Southeast Asia

  • Sectors: Various sectors, including financial, technology, and government organizations

  • Threat Actor: Void Banshee

  • Actor Motivation: Financial gain and data theft

  • Malware: Atlantida Information-Stealer

  • CVEs: CVE-2024-43461

On September 16, 2024, CISA issued a warning regarding CVE-2024-43461, a Windows MSHTML spoofing vulnerability exploited by the Void Banshee APT group to deliver information-stealing malware called Atlantida. This flaw allows attackers to execute code on unpatched systems by tricking users into opening maliciously crafted files or visiting harmful websites. The Void Banshee group used this vulnerability to deploy Atlantida malware, which steals passwords, authentication cookies, and cryptocurrency wallets. CISA added the flaw to its Known Exploited Vulnerabilities catalog and mandated U.S. federal agencies to patch affected systems by October 7, 2024. Although primarily directed at federal agencies, private organizations are also urged to address the vulnerability to protect against active exploits.

Top Threat Actors Observed in the Wild: September 2024

Here are the most active threat actors that have been observed in September in the wild.

Storm-0501: Hybrid Cloud Ransomware Attacks Target U.S. Critical Sectors

  • Victim Location: United States

  • Victim Sectors: Government, Manufacturing, Transportation, Law Enforcement, Healthcare, Education

  • Threat Actor Aliases: Storm-0501, Sabbath (54bb47h)

  • Threat Actor Affiliates: Ransomware-as-a-Service (RaaS) affiliates, including Hive, BlackCat (ALPHV), Hunters International, LockBit, Embargo ransomware group

  • Actor Motivation: Financial gain through ransomware and data extortion

  • Malware: Hive, BlackCat, Embargo

  • Exploited CVEs:
    - Zoho ManageEngine (CVE-2022-47966)
    - Citrix NetScaler (CVE-2023-4966)
    - ColdFusion 2016 (CVE-2023-29300, CVE-2023-38203)

On September 26, 2024, Microsoft reported that the threat actor Storm-0501 launched multi-staged attacks on hybrid cloud environments [2], leading to data exfiltration, credential theft, and ransomware deployment. The group targeted sectors like government, manufacturing, and law enforcement in the U.S., using compromised on-premises systems to gain access to the cloud. Known for its RaaS operations, Storm-0501 has been active since 2021, employing a variety of ransomware strains, including Hive, BlackCat, and Embargo. They exploit vulnerabilities in systems like Zoho ManageEngine and Citrix NetScaler, using stolen credentials to escalate privileges and deploy ransomware. Microsoft emphasizes the growing importance of securing hybrid cloud environments and offers guidance on detecting and mitigating such attacks.

Microsoft Warns: Vanilla Tempest Targets U.S. Healthcare with INC Ransomware

  • Victim Organization: Undisclosed U.S. healthcare organization (likely similar to McLaren Health Care)

  • Victim Location: United States

  • Sectors: Healthcare

  • Threat Actor: Vanilla Tempest (formerly Vice Society)

  • Threat Actor Affiliations: INC Ransomware-as-a-Service (RaaS), BlackCat, Quantum Locker, Zeppelin, Rhysida

  • Actor Motivations: Financial gain through ransomware and data extortion

  • Malware: Gootloader, Supper, AnyDesk, MEGA, INC Ransomware

On September 18, 2024, Microsoft warned that Vanilla Tempest, a financially motivated ransomware affiliate, is targeting U.S. healthcare organizations with INC ransomware [3]. This marks the first observed use of INC ransomware by the group. Vanilla Tempest, previously known as Vice Society, gained network access through the Storm-0494 threat actor, which deployed Gootloader malware. After gaining access, the attackers backdoored systems with the Supper malware and used the AnyDesk and MEGA tools to synchronize stolen data. They then moved laterally using Remote Desktop Protocol (RDP) and Windows Management Instrumentation (WMI) to deploy the ransomware. While Microsoft didn't disclose the specific victim, the attack is similar to a recent cyberattack on Michigan's McLaren Health Care, which disrupted hospital operations. Vanilla Tempest has a history of targeting sectors like healthcare, education, and manufacturing with various ransomware strains.
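The intrusion chain above (AnyDesk and MEGA tooling appearing on endpoints, then RDP logons and WMI-spawned shells) is the kind of sequence a defender can hunt for in endpoint telemetry. The script below is an added illustration, not code from Picus or Microsoft: it classifies a constructed stream of simplified Windows-style logon and process-creation records (host names, users and paths are made up) and flags hosts where two or more stages of the chain coincide.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry): a simplified stream of
# Windows-style logon (4624-like) and process-creation (4688-like) records.
SAMPLE_EVENTS = [
    {"kind": "logon", "host": "SRV-02", "user": "svc_backup", "logon_type": 10},
    {"kind": "process", "host": "WS-01", "user": "jdoe", "parent": "explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"kind": "process", "host": "WS-01", "user": "jdoe", "parent": "explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"kind": "process", "host": "SRV-02", "user": "svc_backup", "parent": "WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process", "host": "WS-03", "user": "asmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Tools named in the write-up, matched on the image file name only.
TOOLING = {"anydesk.exe": "remote-access tool (AnyDesk)",
           "megasync.exe": "cloud-sync tool (MEGA)"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event):
    """Map one event to a stage label, or None if it is uninteresting."""
    if event["kind"] == "logon" and event.get("logon_type") == 10:
        return "rdp-logon"            # logon type 10 = RemoteInteractive (RDP)
    if event["kind"] == "process":
        name = ntpath.basename(event["image"]).lower()
        if name in TOOLING:
            return TOOLING[name]
        if event["parent"].lower() == "wmiprvse.exe" and name in SHELLS:
            return "wmi-remote-exec"  # shell spawned by the WMI provider host
    return None

def find_stages(events):
    """Collect the matched stage labels per host (sorted for stable output)."""
    stages = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            stages[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in stages.items()}

def suspicious_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct chain stages were seen."""
    return sorted(h for h, s in find_stages(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, labels in find_stages(SAMPLE_EVENTS).items():
        print(host, labels)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

A single AnyDesk install is often legitimate; the value is in the per-host correlation, which is why the threshold, not the individual match, drives the alert.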

Recent Malware Attacks in September 2024

In September 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.

UNC2970 Threat Actor Targets Global Energy and Aerospace Sectors with MISTPEN Malware

  • Victim Location: United States, United Kingdom, Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, Australia

  • Sectors: Energy, Aerospace

  • Actor Motivation: Cyber espionage to collect strategic intelligence for North Korean interests

  • Threat Actor: UNC2970

  • Threat Actor Aliases: Lazarus Group, TEMP.Hermit, Diamond Sleet, ZINC

  • Malware: MISTPEN, BURNBOOK, TEARPAGE

North Korean-linked hackers, tracked as UNC2970 (also known as Lazarus Group), have been observed targeting the energy and aerospace sectors with a new malware called MISTPEN. The attack begins with job-themed phishing lures that trick senior-level employees into opening malicious job descriptions with a trojanized Sumatra PDF reader. Once opened, the BURNBOOK launcher starts MISTPEN, a lightweight backdoor that communicates with command-and-control servers to download and execute further payloads. The group, affiliated with North Korea's Reconnaissance General Bureau, has a history of cyber espionage and has continuously improved its malware to evade detection. Victims span multiple countries, including the U.S., U.K., Germany, and Australia.

North Korean Hackers Use LinkedIn to Target Cryptocurrency Users with RustDoor Malware

  • Victim Location: Global, primarily targeting cryptocurrency and financial sectors

  • Actor Motivation: Financial gain, generating illicit revenue for North Korea's regime

  • Threat Actor: North Korean state-sponsored hackers

  • Threat Actor Aliases: DPRK, Lazarus Group, Operation Dream Job

  • Malware: RustDoor (macOS backdoor), also known as Thiefbucket

North Korean hackers are targeting cryptocurrency users on LinkedIn with malware called RustDoor [4]. The attackers pose as recruiters from legitimate decentralized cryptocurrency exchanges, such as STON.fi, and engage victims with coding challenges or job interviews. Their goal is to infiltrate networks in the financial and cryptocurrency sectors, using social engineering tactics like requests to execute code or run unknown applications. The latest attack involves a booby-trapped Visual Studio project that delivers RustDoor, a macOS backdoor. RustDoor, tracked as Thiefbucket, steals information and establishes backdoor access using two separate payloads. Researchers warn crypto industry employees to be cautious of unsolicited contacts on social media.

References

[1] Z. Zorz, “Ivanti vTM auth bypass flaw exploited in attacks, CISA warns (CVE-2024-7593),” Help Net Security, Sep. 25, 2024. Available: https://www.helpnetsecurity.com/2024/09/25/cve-2024-7593-exploited/. [Accessed: Oct. 04, 2024]

[2] Microsoft Threat Intelligence, “Storm-0501: Ransomware attacks expanding to hybrid cloud environments,” Microsoft Security Blog, Sep. 26, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/. [Accessed: Oct. 04, 2024]

[3] S. Gatlan, “Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware,” BleepingComputer, Sep. 18, 2024. Available: https://www.bleepingcomputer.com/news/microsoft/microsoft-vanilla-tempest-hackers-hit-healthcare-with-inc-ransomware/. [Accessed: Oct. 04, 2024]

[4] The Hacker News, “North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware,” The Hacker News, Sep. 16, 2024. Available: https://thehackernews.com/2024/09/north-korean-hackers-target.html. [Accessed: Oct. 04, 2024]