Weekly Threat Briefing: December 16 - 20, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Cleo Zero-day Vulnerability Updates

Bottom Line: The Cl0p ransomware group has claimed responsibility for recent attacks utilizing a zero-day vulnerability in Cleo's Managed File Transfer software. U.S. agencies are urged to apply patches before January 3rd, 2025, and Cleo is advising customers to promptly upgrade to the latest patch to resolve the vulnerability.

Over the past week there have been several notable updates on CVE-2024-50623 (CVSS: 8.8), the recently exploited vulnerability in Cleo's Managed File Transfer products. The vulnerability was disclosed in October 2024, and in-the-wild exploitation was confirmed in early December by Huntress Labs. Successful exploitation enables a remote, unauthenticated threat actor to execute code on the host.

Huntress also confirmed that the initial (October) security patches were ineffective: threat actors could still exploit Cleo Harmony, Cleo VLTrader, and Cleo LexiCom installations that had applied them. New security patches addressing the vulnerability were released on December 12th.

The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on December 13th, but the earliest signs of exploitation have been traced back to December 3rd. CISA does not provide information on real-world exploitation outside of confirming that the exploit has been employed in ransomware campaigns.

On December 13th, a second CVE identifier was published for the actively exploited issue. CVE-2024-55956 (CVSS: 9.8): in Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

CVE-2024-55956 and CVE-2024-50623 are similar in that both are unauthenticated file-write vulnerabilities that lead to code execution, but they stem from separate issues in the Synchronization endpoint. Only builds 5.8.0.24 and later address both.
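The version boundary above is the one check every Cleo customer can run today. The following is an added example (not Cleo's or eSentire's code) that triages a host inventory against it: any Harmony, VLTrader or LexiCom install below 5.8.0.24 is reported as exposed, which deliberately includes hosts that only carry the ineffective October patch. The inventory line format `<host> <product> <version>` and the sample hosts are assumptions; adapt the parser to your CMDB export.

```python
"""
Cleo MFT exposure check against the 5.8.0.24 fix line for CVE-2024-55956
(and, being older than the December fix, CVE-2024-50623 as well).
Added example, not vendor code. Inventory format is an assumption.
"""
from typing import List, Tuple

CLEO_PRODUCTS = {"harmony", "vltrader", "lexicom"}
FIXED_VERSION = (5, 8, 0, 24)   # first build that resolves CVE-2024-55956


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.8.0.21' -> (5, 8, 0, 21). Missing trailing components count as 0,
    so '5.8' compares as 5.8.0.0; non-numeric input raises ValueError."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True if this Cleo product/version predates the 5.8.0.24 fix.
    Non-Cleo products are out of scope and never flagged."""
    if product.lower() not in CLEO_PRODUCTS:
        return False
    return parse_version(version) < FIXED_VERSION


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every exposed Cleo install."""
    exposed = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment/header
        host, product, version = line.split()
        if is_vulnerable(product, version):
            exposed.append((host, product, version))
    return exposed


# Constructed sample inventory; hosts and versions are not real data.
SAMPLE_INVENTORY = """\
# host            product    version
mft-01.corp.local Harmony    5.8.0.21
mft-02.corp.local VLTrader   5.8.0.24
mft-03.corp.local LexiCom    5.7.0.17
app-07.corp.local Tomcat     9.0.98
mft-04.corp.local Harmony    5.8.0.25
"""

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NOW: {host} runs Cleo {product} {version} (< 5.8.0.24)")
```

Version is the gate, not the whole job: because the issue rides on the Autorun directory's default behaviour, any host that was exposed before it reached 5.8.0.24 still needs its Autorun directory contents reviewed, since upgrading does not remove files an attacker may already have dropped there.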

Notably, in an interview with BleepingComputer, the Cl0p ransomware group, also tracked as TA505 and FIN11, claimed responsibility for the widespread exploitation of CVE-2024-50623. Cl0p has been active since at least 2020; the group began as a ransomware operation but has over time shifted to data-extortion-only attacks.

The Cl0p group is known for its data theft attacks targeting various Managed File Transfer (MFT) software. eSentire has not observed proof of Cl0p's exploitation claims at the time of writing. Cl0p has posted victims to its leak site as recently as December 19th, but the means of access to these victims is unknown.

eSentire has identified multiple incidents involving exploitation of Cleo vulnerabilities. In response to this threat, eSentire's Threat Response Unit (TRU) team released an advisory on December 10th. eSentire’s Tactical Threat Response (TTR) team has crafted new detections for both eSentire MDR for Network and Endpoint, and threat hunts have been performed across the eSentire customer base. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to both CVE-2024-55956 and CVE-2024-50623.

Learn more in the full threat briefing here.


NotLockBit: A New Ransomware Threat

Bottom Line: NotLockBit is a new ransomware variant that impersonates LockBit ransomware. This threat stands out as highly notable because it is capable of targeting both Windows and macOS devices, indicating that the responsible threat actors are sophisticated and well-resourced.

On December 18th, Qualys released a report on a new ransomware family, NotLockBit. It is a newly identified ransomware strain that shares several characteristics with the well-known LockBit ransomware. Notably, it is one of the first ransomware families to target both macOS and Windows platforms using an x86_64 Golang binary.

The ransomware demonstrates advanced capabilities, including file encryption, data exfiltration, system reconnaissance, and self-deletion. It also employs psychological manipulation tactics, such as defacement, to maximize its impact.

The ransomware is written in the Go programming language. It begins with an initial reconnaissance phase, using the go-sysinfo module to collect detailed system information, which helps tailor the attack to the victim's environment. The ransomware combines AES and RSA: AES encrypts the file contents, and RSA protects the AES key so that only the operators can recover it.

Critical data, including system configuration, IP addresses, and the encrypted keys, is exfiltrated to a remote cloud storage location (e.g., an Amazon S3 bucket). Based on an in-depth investigation by Qualys, the ransomware scans the file system and selectively targets files with specific extensions, such as .csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, and .vmsd, which are typically associated with valuable personal and professional data. NotLockBit uses AES to encrypt the contents of the targeted files.

The encrypted copies are first written to a temporary location and then renamed into place. To prevent recovery, the original files are deleted, leaving the data recoverable only with the decryption key.

The ransomware alters the desktop wallpaper to display a ransom note, increasing its visibility on affected systems and the psychological pressure on victims. It also attempts to leave no trace behind by triggering self-deletion, removing shadow copies, and erasing residual files to prevent easy recovery of encrypted data. Like the original LockBit operation, NotLockBit exfiltrates victim data in order to carry out double extortion.
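The encrypt-to-temp, rename, delete-original cycle described above is what an endpoint detection should key on, because it looks the same regardless of which extension the malware appends. The following is an added example (not Qualys or eSentire code) that runs that behavioural logic over a stream of file events: it flags any process that, within a short window, both moves several files out of a staging directory and deletes several files with the extensions Qualys lists. The `Event` schema, the staging directory list and the sample events are assumptions standing in for whatever your EDR, auditd or Endpoint Security pipeline emits.

```python
"""
Behavioural detection for the encrypt-to-temp / rename / delete-original
sequence attributed to NotLockBit. Added example, not vendor code.
Event schema, TEMP_DIRS and the sample events are assumptions.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Extensions the Qualys analysis lists as targeted by NotLockBit.
TARGET_EXTS = {".csv", ".doc", ".png", ".jpg", ".pdf", ".txt", ".vmdk", ".vmsd"}
# Staging directories to watch (assumption; extend for your estate).
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "c:/windows/temp/")


@dataclass(frozen=True)
class Event:
    ts: float                    # seconds since epoch
    pid: int
    op: str                      # "create" | "rename" | "delete"
    path: str                    # affected file (for rename: the source)
    dest: Optional[str] = None   # rename target


def ext_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def in_temp(path: str) -> bool:
    """Normalise separators and case so Windows and POSIX paths both match."""
    p = path.replace("\\", "/").lower()
    return p.startswith(TEMP_DIRS) or "/appdata/local/temp/" in p


def detect(events: Iterable[Event], window: float = 60.0,
           threshold: int = 5) -> List[Tuple[int, float, float, int, int]]:
    """Flag each pid that, inside `window` seconds, moves >= threshold files
    out of a staging directory AND deletes >= threshold targeted files.
    Returns (pid, window_start, fired_at, deletes, moves) per flagged pid."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        # Reduce the stream to the two signals, tagged and time-ordered.
        sig = sorted(
            [(e.ts, "d") for e in evs
             if e.op == "delete" and ext_of(e.path) in TARGET_EXTS]
            + [(e.ts, "m") for e in evs
               if e.op == "rename" and e.dest
               and in_temp(e.path) and not in_temp(e.dest)]
        )
        lo = 0
        for hi in range(len(sig)):
            while sig[hi][0] - sig[lo][0] > window:
                lo += 1                      # slide the window forward
            deletes = sum(1 for _, kind in sig[lo:hi + 1] if kind == "d")
            moves = (hi - lo + 1) - deletes
            if deletes >= threshold and moves >= threshold:
                alerts.append((pid, sig[lo][0], sig[hi][0], deletes, moves))
                break                        # one alert per pid is enough
    return alerts


def sample_events() -> List[Event]:
    """Constructed events, not captured telemetry: pid 4242 mimics the
    NotLockBit file cycle on six PDFs; pid 100 is an ordinary editor."""
    base = 1_734_480_000.0
    evs: List[Event] = []
    for i in range(6):
        tmp = f"/tmp/.enc{i}"
        orig = f"/Users/alice/Documents/report{i}.pdf"
        evs += [
            Event(base + 3 * i, 4242, "create", tmp),
            Event(base + 3 * i + 1, 4242, "rename", tmp, orig + ".locked"),  # suffix assumed
            Event(base + 3 * i + 2, 4242, "delete", orig),
        ]
    evs += [
        Event(base + 10, 100, "rename", "/tmp/notes.swp", "/Users/alice/notes.txt"),
        Event(base + 11, 100, "delete", "/Users/alice/old.txt"),
    ]
    return evs


if __name__ == "__main__":
    for pid, start, fired, d, m in detect(sample_events()):
        print(f"ALERT pid={pid}: {d} targeted deletes and {m} staging moves "
              f"within {fired - start:.0f}s")
```

Requiring both signals together is what keeps this quiet: editors and installers routinely rename one temp file into place, and cleanup scripts delete batches of old documents, but few benign processes do both at volume in the same minute. Tune `threshold` and `window` against your own baseline before turning it into a blocking rule.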

In response to these observations, eSentire's Threat Response Unit (TRU) is performing indicator-based threat hunts and validating detection coverage. TRU is also investigating the topic for additional details and detection opportunities.

Learn more in the full threat briefing here.


Mobile Communications Best Practice Guidance

Bottom Line: The U.S. Cybersecurity and Infrastructure Security Agency has released guidance on mobile security practices in response to increased state-sponsored attacks on telecoms.

On December 18th, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on best security practices for mobile communications. This guidance was drafted in response to a recent increase in People’s Republic of China (PRC) state-sponsored attacks against telecommunication organizations.

CISA specifically notes that the included recommendations are valuable for all mobile phone users, but individuals at high risk of targeting, such as government officials and senior political staff, are strongly encouraged to implement the recommendations.

The full report includes eight general recommendations for all mobile users, as well as specific recommendations for both Apple and Android devices. The eight general recommendations are as follows:

  1. Use only end-to-end encrypted communications: CISA specifically calls out Signal or similar encrypted messaging applications for sensitive communications.
  2. Enable Fast Identity Online (FIDO) phishing-resistant authentication: FIDO authentication is the strongest form of Multi-Factor Authentication (MFA); CISA recommends hardware keys such as Yubico or Google Titan.
  3. Migrate away from Short Message Service (SMS)-based MFA: SMS-based MFA is generally the easiest form of MFA for threat actors to bypass; SMS messages are not encrypted, and SMS MFA has frequently been defeated via SIM swapping attacks.
  4. Use a password manager: Password managers allow for long, unique passwords, since the user only needs to remember one primary password to unlock the vault. CISA lists the following password managers: Apple Passwords app, LastPass, 1Password, Google Password Manager, Dashlane, Keeper, and Proton Pass.
  5. Set a Telco PIN: A carrier (Telco) PIN is an additional verification step that can be enabled on the mobile account to hinder SIM swapping attacks.
  6. Regularly update software: Keep the operating system and applications current. Organizations should consider a vulnerability management program to identify and prioritize patching.
  7. Opt for the latest hardware version from your cell phone manufacturer: According to CISA, “Newer hardware often incorporates critical security features that older hardware cannot support”.
  8. Do not use a personal Virtual Private Network (VPN): A personal VPN only shifts visibility of your activity from the Internet Service Provider (ISP) to the VPN provider; if that provider is not reputable, the data may be stolen. Free personal VPN services should be avoided. This advice applies only to personal VPN services and does not affect corporate VPN requirements.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, giving your organization leading threat intelligence and deep cybersecurity acumen.
