Weekly Threat Briefing: April 15 - 19, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Get up to 50% off eSentire Threat Intelligence
We’re thrilled to announce the launch of our first standalone cybersecurity product, eSentire Threat Intelligence, a curated feed of high-fidelity Indicators of Compromise (IOCs) with a 99% true positive rate that have been verified by our Elite Threat Hunters and Threat Response Unit (TRU).
Learn how you can leverage eSentire Threat Intelligence to reduce false positive alerts and enhance your threat detection and response capabilities.
Patches for Exploited Palo Alto Networks Critical Vulnerability
On April 12th, 2024, Palo Alto Networks disclosed a critical, actively exploited vulnerability in its firewalls that was identified by Volexity. Tracked as CVE-2024-3400 (CVSS 10.0), it is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software.
Exploitation of CVE-2024-3400 allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the firewall. CVE-2024-3400 impacts PAN-OS versions 10.2, 11.0, and 11.1 on firewalls with a GlobalProtect gateway or portal configured.
In response to the active exploitation, CISA added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog on April 12th, ordering U.S. federal agencies to secure their devices within seven days of the addition, by April 19th.
eSentire has released multiple advisories for CVE-2024-3400, including the initial disclosure of the vulnerability and subsequent exploitation observed in the wild.
As hotfixes for the vulnerability are available and widespread exploitation has been observed, it is highly recommended that any organization using Palo Alto Networks firewall products apply the fixes immediately and review impacted devices for signs of compromise. Palo Alto Networks has also published alternative mitigations for use where patches cannot be applied immediately.
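The first practical step the advice above implies is knowing which firewalls in an inventory are still exposed. The following script is an added example (not eSentire's or Palo Alto Networks' code) that parses PAN-OS version strings, including the "-hN" hotfix suffix, and classifies each device as unaffected, not exposed (no GlobalProtect gateway or portal), fixed, or vulnerable. The `Firewall` record and the sample fleet are constructed for the demo; the fixed-version map holds the initial hotfix numbers published in the vendor advisory and is an assumption to verify against the current advisory, which has since added hotfixes for earlier maintenance releases that can be appended to each train's list.

```python
"""Triage a PAN-OS fleet inventory against CVE-2024-3400 (added example)."""
import re
from dataclasses import dataclass

# Minimum fixed version per affected release train. These are the initial
# hotfixes from the vendor advisory at the time of the briefing; this is an
# assumption to verify, and later backported hotfixes (for older maintenance
# releases in the same train) can simply be appended to each list.
FIXED_VERSIONS = {
    (10, 2): ["10.2.9-h1"],
    (11, 0): ["11.0.4-h1"],
    (11, 1): ["11.1.2-h1"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Turn '11.1.2-h1' into (11, 1, 2, 1); a missing '-hN' suffix is hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


@dataclass(frozen=True)
class Firewall:  # hypothetical inventory record, not a vendor API object
    hostname: str
    panos_version: str
    globalprotect_configured: bool  # gateway or portal enabled


def assess(fw: Firewall, fixed_versions=FIXED_VERSIONS) -> str:
    """Classify one firewall for CVE-2024-3400.

    Returns one of:
      'unaffected-release' - not on a 10.2 / 11.0 / 11.1 train
      'not-exposed'        - affected train, but no GlobalProtect gateway/portal
      'fixed'              - running the fixed hotfix level or newer
      'vulnerable'         - patch required
    """
    major, minor, maint, hotfix = parse_panos_version(fw.panos_version)
    fixes = fixed_versions.get((major, minor))
    if fixes is None:
        return "unaffected-release"
    if not fw.globalprotect_configured:
        return "not-exposed"  # still patch; exposure can change with config
    parsed_fixes = [parse_panos_version(f) for f in fixes]
    same_maint = [f for f in parsed_fixes if f[2] == maint]
    if same_maint:
        # A hotfix exists for this exact maintenance release: compare levels.
        return "fixed" if hotfix >= min(f[3] for f in same_maint) else "vulnerable"
    # No hotfix listed for this maintenance release: releases newer than the
    # newest fixed one ship with the fix, older ones do not.
    newest_fixed_maint = max(f[2] for f in parsed_fixes)
    return "fixed" if maint > newest_fixed_maint else "vulnerable"


def triage(fleet) -> dict:
    """Group a list of Firewall records by assessment: {status: [hostnames]}."""
    out = {}
    for fw in fleet:
        out.setdefault(assess(fw), []).append(fw.hostname)
    return out


# Constructed inventory for the demo (not real devices).
SAMPLE_FLEET = [
    Firewall("edge-fw-01", "11.1.2", True),      # needs 11.1.2-h1
    Firewall("edge-fw-02", "11.1.2-h1", True),   # hotfix applied
    Firewall("dc-fw-01", "10.2.9-h1", True),
    Firewall("dc-fw-02", "10.2.9", False),       # no GlobalProtect configured
    Firewall("lab-fw-01", "10.1.11", True),      # 10.1 train not affected
    Firewall("branch-fw-07", "11.0.3", True),    # older release, no fix listed
    Firewall("branch-fw-08", "11.0.5", True),    # newer than 11.0.4-h1
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_FLEET).items()):
        print(f"{status:18} {', '.join(hosts)}")
```

Run it against an export of your own device inventory in place of `SAMPLE_FLEET`; hosts reported as "vulnerable" are the patch queue, and "not-exposed" hosts should still be patched, since a later GlobalProtect deployment would expose them.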
APT44: Unearthing Sandworm
On April 17th, Mandiant, now part of Google Cloud, released a report on Sandworm, a prolific Russian state-backed threat group. Given the active and ever-present nature of the Sandworm group, Mandiant has graduated it to a named Advanced Persistent Threat, APT44, and the report provides a comprehensive analysis of the group's operations.
Earlier, on July 12th, 2023, Mandiant released a report titled “The GRU's Disruptive Playbook.” The activity in that report was originally attributed to UNC3810 but is now attributed to APT44, as UNC3810 has been merged into APT44.
The group's targets include government agencies, critical infrastructure operators, and organizations within the defense, energy, media, and civil society sectors across the globe. APT44's operations are often aimed at undermining democratic processes, stealing sensitive information, and creating disruptions that align with the military and political objectives of the Russian government.
The group's extensive targeting also reflects an effort to influence public opinion and political outcomes in countries perceived as adversaries by the Kremlin, particularly during election cycles and times of international tension.
APT44 employs a wide range of sophisticated tools and techniques to conduct its operations globally:
eSentire’s Threat Response Unit (TRU) agrees with Mandiant’s assessment that “APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally.”
Defending against sophisticated cyber threat groups like APT44 requires a multi-layered, defense-in-depth security strategy. Organizations, especially those within critical infrastructure sectors and government entities, need to prioritize the detection and mitigation of threats through advanced cybersecurity frameworks. This includes implementing robust network defenses, regular system audits, and comprehensive employee training on phishing and other common attack vectors.
Additionally, advanced Endpoint Detection and Response (EDR) solutions are crucial for identifying, investigating, and responding to potential threats in real time. Ultimately, enhancing resilience against APT44 involves not only strengthening technical defenses but also fostering a culture of cybersecurity awareness and collaboration at all levels.
Cyber Threats and Iran-Israel Tensions
On April 15th, the Flashpoint Intel Team released a report detailing cyber activity surrounding Iran's aerial attack on Israel on April 13th, 2024. This event was a response to an earlier attack on the Iranian Consulate in Syria. Cyber threat groups have exploited these tensions, using social media to enhance their notoriety by making bold claims about their cyber capabilities.
In the early hours of April 19th, Iranian state media reported on explosions and the downing of drones in Isfahan, Iran. Notably, the incident was referred to as an attack by "infiltrators", rather than by Israel, in a potential attempt to remove the need for retaliation. A senior Iranian official told Reuters, "[t]he foreign source of the incident has not been confirmed. We have not received any external attack, and the discussion leans more towards infiltration than attack.”
The cyber conflict between Iran and Israel, set against a backdrop of regional tensions, offers a revealing glimpse into the future of warfare where cyber operations play a critical role. The development of cyber capabilities in these nations has been shaped by events like the Stuxnet attack, which is believed to have impacted Iran's nuclear program and jumpstarted its investment into both offensive and defensive cyber capabilities.
Additionally, there is a considerable risk that state-sponsored cyber warfare could spill over into the private sector, significantly impacting businesses worldwide. Cyberattacks aimed at government or military targets can sometimes unintentionally, or intentionally, disrupt businesses, causing an impact that reaches well beyond their original political motives.
Companies in critical infrastructure sectors, such as telecommunications, are especially at risk due to their heavy dependence on digital systems. A notable instance of this is the targeting of a Ukrainian telecommunications company by APT44 (also known as Sandworm), a group associated with Russia's GRU military intelligence. That attack formed part of a broader strategy to disrupt communications and gain strategic advantages.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.