Weekly Threat Briefing: April 15 - 19, 2024


Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Get up to 50% off eSentire Threat Intelligence

We’re thrilled to announce the launch of our first standalone cybersecurity product, eSentire Threat Intelligence, a curated feed of high-fidelity Indicators of Compromise (IOCs) with a 99% true positive rate that have been verified by our Elite Threat Hunters and Threat Response Unit (TRU).

Learn how you can leverage eSentire Threat Intelligence to reduce false positive alerts and enhance your threat detection and response capabilities.


Patches for Exploited Palo Alto Networks Critical Vulnerability

On April 12th, 2024, Palo Alto Networks disclosed a critical, actively exploited vulnerability in its firewalls, identified by Volexity. Tracked as CVE-2024-3400 (CVSS 10), it is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software.

Successful exploitation of CVE-2024-3400 allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1.

In response to the increase in attacks, CISA added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog on April 12th, ordering U.S. federal agencies to secure their devices within seven days of the addition, by April 19th.

eSentire has released multiple advisories for CVE-2024-3400, including the initial disclosure of the vulnerability and subsequent exploitation observed in the wild.

As patches for the vulnerability are available and widespread exploitation has been observed, organizations using Palo Alto firewall products are strongly advised to apply the fixes immediately and review affected devices for signs of compromise. Palo Alto has provided alternative mitigations for cases where patches cannot be applied immediately.

Learn more in the full threat briefing here.


APT44: Unearthing Sandworm

On April 17th, Mandiant, now part of Google Cloud, released a report on Sandworm, a prolific Russian state-backed threat group. Given the active and ever-present nature of the Sandworm group, Mandiant has decided to graduate this group to a named Advanced Persistent Threat: APT44. Alongside this report, they released a comprehensive analysis providing insights into the group’s operations.

Additionally, on July 12th, 2023, Mandiant released a report titled “The GRU's Disruptive Playbook.” The activity described in that report was originally attributed to UNC3810, which has since been merged into APT44, so it is now attributed to APT44.

The group's targets include government agencies, critical infrastructure operators, and organizations within the defense, energy, media, and civil society sectors across the globe. APT44's operations are often aimed at undermining democratic processes, stealing sensitive information, and creating disruptions that align with the military and political objectives of the Russian government.

The group's extensive targeting also reflects an effort to influence public opinion and political outcomes in countries perceived as adversaries by the Kremlin, particularly during election cycles and times of international tension.

APT44 employs a wide range of sophisticated tools and techniques to conduct its operations globally:

  • The group often initiates its cyberattacks through phishing and credential harvesting, targeting vulnerabilities in widely used public-facing applications like VPNs, email servers, and routers.
  • For espionage and data theft, APT44 is known for distributing trojanized software installers via torrent files, particularly targeting Ukrainian and Russian-language forums; DCRAT was employed in attacks against telecommunications entities in Ukraine.
  • APT44 also utilizes 'Living Off the Land' (LOTL) techniques, exploiting existing network tools and utilities to maintain stealth and persistence within compromised networks. The group’s arsenal includes destructive malware such as NotPetya (EternalPetya), which caused significant disruption in Ukraine in 2017, along with more recent wiper malware such as Industroyer, CaddyWiper, and PartyTicket.
  • Software supply chain compromises are a particular strength of APT44, allowing them to infiltrate multiple organizations through a single attack vector. Recent examples include attacks that compromised software developers leading to downstream deployment of wiper malware in critical infrastructure networks.

eSentire’s Threat Response Unit (TRU) agrees with Mandiant’s assessment that “APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally.”

Defending against sophisticated cyber threat groups like APT44 requires a multi-layered, defense-in-depth security strategy. Organizations, especially those within critical infrastructure sectors and government entities, need to prioritize the detection and mitigation of threats through advanced cybersecurity frameworks. This includes implementing robust network defenses, regular system audits, and comprehensive employee training on phishing and other common attack vectors.

Additionally, advanced Endpoint Detection and Response (EDR) solutions are crucial for identifying, investigating, and responding to potential threats in real-time. Ultimately, enhancing resilience against APT44 involves not only strengthening technical defenses but also fostering a culture of cybersecurity awareness and collaboration at all levels.

Learn more in the full threat briefing here.


Cyber Threats and Iran-Israel Tensions

On April 15th, the Flashpoint Intel Team released a report detailing cyber activity surrounding Iran's aerial attack on Israel on April 13th, 2024. This event was a response to an earlier attack on the Iranian Consulate in Syria. Cyber threat groups have exploited these tensions, using social media to enhance their notoriety by making bold claims about their cyber capabilities.

In the early hours of April 19th, Iranian state media reported on explosions and the downing of drones in Isfahan, Iran. Notably, the incident was referred to as an attack by “infiltrators”, rather than by Israel, in a potential attempt to remove the need for retaliation. A senior Iranian official told Reuters, “[t]he foreign source of the incident has not been confirmed. We have not received any external attack, and the discussion leans more towards infiltration than attack.”

The cyber conflict between Iran and Israel, set against a backdrop of regional tensions, offers a revealing glimpse into the future of warfare where cyber operations play a critical role. The development of cyber capabilities in these nations has been shaped by events like the Stuxnet attack, which is believed to have impacted Iran's nuclear program and jumpstarted its investment into both offensive and defensive cyber capabilities.

Additionally, there is a considerable risk that state-sponsored cyber warfare could spill over into the private sector, significantly impacting businesses worldwide. Cyberattacks aimed at government or military targets can sometimes unintentionally, or intentionally, disrupt businesses, causing an impact that reaches well beyond their original political motives.

Companies in critical infrastructure sectors, such as telecommunications, are especially at risk due to their heavy dependence on digital systems. A notable instance of this is the targeting of a Ukrainian telecommunications company by APT44 (also known as Sandworm), a group associated with Russia's GRU military intelligence. This attack was used as part of a broader strategy to disrupt communications and gain strategic advantages.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and strong cybersecurity acumen.
