Weekly Threat Briefing: December 16 - 20, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Cleo Zero-day Vulnerability Updates
Bottom Line: The Cl0p ransomware group has claimed responsibility for recent attacks utilizing a zero-day vulnerability in Cleo's Managed File Transfer software. U.S. agencies are urged to apply patches before January 3rd, 2025, and Cleo is advising customers to promptly upgrade to the latest patch to resolve the vulnerability.
Over the past week, there have been a variety of notable updates relating to the recently exploited vulnerability in Cleo's Managed File Transfer software, CVE-2024-50623 (CVSS: 8.8). The vulnerability was disclosed in October 2024, and exploitation was confirmed in early December by Huntress Labs. Exploitation of the vulnerability could enable a remote and unauthenticated threat actor to execute code.
Huntress also confirmed that the initial security patches were ineffective, and threat actors could exploit fully patched Cleo Harmony, Cleo VLTrader, and Cleo LexiCom software. New security patches to address the vulnerability were released on December 12th.
The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on December 13th, but the earliest signs of exploitation have been traced back to December 3rd. CISA does not provide information on real-world exploitation outside of confirming that the exploit has been employed in ransomware campaigns.
On December 13th, Cleo released a new CVE identifier to classify the vulnerability. CVE-2024-55956 (CVSS: 9.8): In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
CVE-2024-55956 and CVE-2024-50623 are similar in that both are unauthenticated file write vulnerabilities that enable code execution, but they stem from separate issues in the Synchronization endpoint.
Notably, in an interview with Bleeping Computer, the Cl0p ransomware group, also known as TA505 and FIN11, claimed responsibility for the widespread exploitation of CVE-2024-50623. Cl0p has been active since at least 2020; the group began as a ransomware operation, but over time it has shifted to data-extortion-only attacks.
The Cl0p group is known for its data theft attacks targeting various Managed File Transfer (MFT) software. eSentire has not observed proof of Cl0p’s exploitation claims at the time of writing. Cl0p has posted victims to its leak site as recently as December 19th, but the means of access to these victims is unknown.
eSentire has identified multiple incidents involving exploitation of Cleo vulnerabilities. In response to this threat, eSentire's Threat Response Unit (TRU) team released an advisory on December 10th. eSentire’s Tactical Threat Response (TTR) team has crafted new detections for both eSentire MDR for Network and Endpoint, and threat hunts have been performed across the eSentire customer base. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to both CVE-2024-55956 and CVE-2024-50623.
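The advisory above names one fixed build, 5.8.0.24, for each of the three affected products. The following is an added example (not eSentire's, Cleo's or MVS's code) of the kind of inventory check a vulnerability management team would run against that data: it parses dotted version strings numerically (so 5.8.0.9 is not mistaken for being newer than 5.8.0.24) and flags hosts that still need the December 12th patch. The inventory format, hostnames and version numbers in the sample are constructed for illustration.

```python
# Added example (not eSentire's or Cleo's code): compare a Cleo product
# inventory against the fixed versions stated for CVE-2024-55956.
# The inventory schema, hostnames and sample versions below are assumptions.
from typing import Dict, List, Tuple

# First fixed build for each affected product, per the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "harmony": "5.8.0.24",
    "vltrader": "5.8.0.24",
    "lexicom": "5.8.0.24",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21) so versions compare numerically.

    Parsing stops at the first non-numeric component (e.g. '5.8.0.24-hotfix'
    yields (5, 8, 0, 24)); a string with no numeric part raises ValueError.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def needs_upgrade(product: str, version: str) -> bool:
    """True when an installed Cleo product is below the fixed build."""
    key = product.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"not a product covered by the advisory: {product!r}")
    installed = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[key])
    # Pad with zeros so that '5.8' compares as 5.8.0.0 rather than as a prefix.
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed


def triage_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries that still need the patch, with the target build."""
    flagged: List[Dict[str, str]] = []
    for entry in inventory:
        try:
            if needs_upgrade(entry["product"], entry["version"]):
                key = entry["product"].strip().lower()
                flagged.append({**entry, "fixed_in": FIXED_VERSIONS[key]})
        except (KeyError, ValueError):
            # Not a Cleo MFT product, missing field, or unreadable version: skip it.
            continue
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "mft-01.example.internal", "product": "Harmony", "version": "5.8.0.21"},
    {"host": "mft-02.example.internal", "product": "VLTrader", "version": "5.8.0.24"},
    {"host": "mft-03.example.internal", "product": "LexiCom", "version": "5.7.12.3"},
    {"host": "web-01.example.internal", "product": "nginx", "version": "1.24.0"},
]

if __name__ == "__main__":
    for item in triage_inventory(SAMPLE_INVENTORY):
        print(f"{item['host']}: {item['product']} {item['version']} "
              f"-> upgrade to {item['fixed_in']}")
```

The zero-padding step matters because a bare `(5, 8) < (5, 8, 0, 24)` comparison in Python is true by prefix rules, which happens to give the right answer here but would silently misclassify a build reported as `5.8.1` against a hypothetical fix at `5.8.1.0`; padding makes the comparison explicit.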
NotLockBit: A New Ransomware Threat
Bottom Line: NotLockBit is a new ransomware variant that impersonates LockBit ransomware. This threat stands out as highly notable, as it is capable of targeting both Windows and macOS devices, indicating that the responsible threat actors are sophisticated and well-resourced.
On December 18th, Qualys released a report on a new ransomware family, NotLockBit. It is a newly identified ransomware strain that shares several characteristics with the well-known LockBit ransomware. Notably, it is one of the first ransomware families to target both macOS and Windows platforms using an x86_64 Golang binary.
The ransomware demonstrates advanced capabilities, including file encryption, data exfiltration, system reconnaissance, and self-deletion. It also employs psychological manipulation tactics, such as defacement, to maximize its impact.
The ransomware is written in the Go programming language. It begins with an initial reconnaissance phase, using the go-sysinfo module to collect detailed system information, which helps tailor the attack based on the victim's environment. The ransomware leverages both AES and RSA encryption algorithms to encrypt files.
Critical data, including system configuration, IP addresses, and encrypted keys, are exfiltrated to a remote cloud storage location (e.g. Amazon S3 Bucket). Based on an in-depth investigation by Qualys, the ransomware scans the file system and selectively targets files with specific extensions, such as .csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, and .vmsd, which are typically associated with valuable personal and professional data. NotLockBit employs AES encryption to lock the contents of the targeted files.
These encrypted files are first stored in a temporary location and subsequently renamed. To prevent recovery, the original files are deleted, leaving access only possible with the decryption key.
The ransomware alters the desktop wallpaper to display a ransom note, increasing its visibility on all affected systems and the psychological pressure on victims. It also ensures that it leaves no trace behind by triggering self-deletion, removing shadow copies, and erasing any residual files to prevent easy recovery of encrypted data. Similar to the original LockBit group, NotLockBit exfiltrates victim data in order to carry out double extortion.
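The sequence Qualys describes (encrypted copy written to a temporary location, renamed into place, original deleted, shadow copies removed) is a behavioural signature that endpoint telemetry can catch regardless of the binary's hash. The following is an added example (not eSentire's, Qualys' or any product's detection logic) of a small detector that looks for that sequence on a per-host basis over a constructed stream of file and process events. The event schema, paths, thresholds and all sample events are assumptions made for illustration; a real deployment would read the same fields from an EDR or Sysmon feed.

```python
# Added example (not eSentire's or Qualys' code): behavioural detection of the
# write-to-temp / rename / delete-original pattern attributed to NotLockBit.
# Event schema, temp-path heuristics, thresholds and sample events are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Extensions the report says NotLockBit selects for encryption.
TARGET_EXTENSIONS = {".csv", ".doc", ".png", ".jpg", ".pdf", ".txt", ".vmdk", ".vmsd"}


@dataclass
class Event:
    ts: float          # seconds since epoch (constructed values in the sample)
    host: str
    kind: str          # "file_create", "file_rename", "file_delete" or "process"
    path: str = ""     # file path (source path for renames)
    dest: str = ""     # rename destination
    cmdline: str = ""  # command line for process events


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def _is_temp(path: str) -> bool:
    """Assumed temp-location heuristic for Windows and Unix-style paths."""
    p = path.lower()
    return "/tmp/" in p or "\\temp\\" in p


def _largest_burst(timestamps: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events: List[Event], threshold: int = 5, window: float = 60.0) -> List[Dict]:
    """Return one alert per host showing the encrypt-rename-delete pattern.

    Fires when, within `window` seconds, at least `threshold` files created in a
    temp location are renamed out of it AND at least `threshold` originals with a
    targeted extension are deleted. Shadow-copy deletion is reported as a
    corroborating signal but is not required.
    """
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    alerts: List[Dict] = []
    for host, evs in by_host.items():
        temp_written = set()
        rename_ts: List[float] = []
        deleted_originals = set()
        shadow_deletion = False
        for e in sorted(evs, key=lambda x: x.ts):
            if e.kind == "file_create" and _is_temp(e.path):
                temp_written.add(e.path)
            elif e.kind == "file_rename" and e.path in temp_written and not _is_temp(e.dest):
                rename_ts.append(e.ts)
            elif e.kind == "file_delete" and _ext(e.path) in TARGET_EXTENSIONS:
                deleted_originals.add(e.path)
            elif e.kind == "process" and "delete shadows" in e.cmdline.lower():
                shadow_deletion = True
        burst = _largest_burst(rename_ts, window)
        if burst >= threshold and len(deleted_originals) >= threshold:
            alerts.append({
                "host": host,
                "renamed_from_temp": burst,
                "deleted_originals": len(deleted_originals),
                "shadow_copy_deletion": shadow_deletion,
            })
    return alerts


def build_sample_events() -> List[Event]:
    """Constructed telemetry: ws-17 shows the pattern, ws-02 is ordinary activity."""
    evs: List[Event] = []
    t = 1_734_480_000.0  # arbitrary constructed epoch base
    for i in range(6):
        original = f"C:\\Users\\alice\\Documents\\report_{i}.pdf"
        staged = f"C:\\Users\\alice\\AppData\\Local\\Temp\\enc_{i}"
        evs.append(Event(t + i, "ws-17", "file_create", path=staged))
        evs.append(Event(t + i + 0.5, "ws-17", "file_rename", path=staged, dest=original + ".locked"))
        evs.append(Event(t + i + 0.7, "ws-17", "file_delete", path=original))
    evs.append(Event(t + 10, "ws-17", "process", cmdline="vssadmin.exe delete shadows /all /quiet"))
    # Benign: an installer staging a single file through the temp directory.
    msi = "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.msi"
    evs.append(Event(t, "ws-02", "file_create", path=msi))
    evs.append(Event(t + 2, "ws-02", "file_rename", path=msi, dest="C:\\Users\\bob\\Downloads\\setup.msi"))
    return evs


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Requiring both the rename burst and the deletion of targeted originals keeps ordinary temp-then-move behaviour (installers, office applications saving documents) below the threshold, while the shadow-copy signal is carried as context for the analyst rather than as a gate, since it is absent on macOS hosts the report says are also in scope.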
In response to these observations, eSentire's Threat Response Unit (TRU) team is performing indicator-based threat hunts and validating detection coverage. TRU is also investigating the topic for additional details and detection opportunities.
Mobile Communications Best Practice Guidance
Bottom Line: The U.S. Cybersecurity and Infrastructure Security Agency has released guidance on mobile security practices in response to increased state-sponsored attacks on telecoms.
On December 18th, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on best security practices for mobile communications. This guidance was drafted in response to a recent increase in People’s Republic of China (PRC) state-sponsored attacks against telecommunication organizations.
CISA specifically notes that the included recommendations are valuable for all mobile phone users, but individuals at high risk of targeting, such as government officials and senior political staff, are strongly encouraged to implement the recommendations.
The full report includes eight general recommendations for all mobile users, as well as specific recommendations for both Apple and Android devices. The eight general recommendations are as follows:
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.