Weekly Threat Briefing: December 9 - 13, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with practical security tips.
Cleo Vulnerability Exploited
Bottom Line: The Cleo software vulnerability tracked as CVE-2024-50623 is being actively exploited by cybercriminals. Cleo’s initial patch did not stop exploitation; the company has since issued a new security patch that organizations should apply promptly.
CVE-2024-50623 (CVSS: 8.8) is an unrestricted file upload and download vulnerability in Cleo’s Managed File Transfer (MFT) products Harmony, VLTrader, and LexiCom. It was initially disclosed in October 2024, but on December 9th Huntress reported that the vulnerability was being actively exploited and that the available security patches were ineffective.
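To make the vulnerability class concrete, the following Python model, added here and not Cleo’s code, puts an unrestricted file upload/download handler beside a hardened one. It assumes a hypothetical layout (an uploads directory beside a configuration directory) and an illustrative extension allow-list; it makes no claim about Cleo’s internal implementation or the exact exploit path for CVE-2024-50623.

```python
"""Unrestricted vs. hardened file upload/download, modelled in Python.
Added example: this is NOT Cleo code and does not describe CVE-2024-50623's
internals. Directory layout and extension allow-list are assumptions."""
import os
import secrets
import tempfile

# Constructed sandbox: an install root with a web-reachable upload area and a
# sibling configuration directory that the service must never write or serve.
ROOT = os.path.realpath(tempfile.mkdtemp(prefix="mft-demo-"))
UPLOAD_DIR = os.path.join(ROOT, "uploads")
SENSITIVE_DIR = os.path.join(ROOT, "conf")
os.makedirs(UPLOAD_DIR)
os.makedirs(SENSITIVE_DIR)

ALLOWED_EXT = {".txt", ".csv", ".pdf", ".xml"}  # assumed policy for the demo


def vulnerable_upload(filename: str, data: bytes) -> str:
    """Unrestricted: the client controls both the path and the file type.
    '../conf/x' escapes UPLOAD_DIR and 'payload.sh' is stored verbatim."""
    path = os.path.join(UPLOAD_DIR, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def vulnerable_download(filename: str) -> bytes:
    """Unrestricted: any readable file the process can reach can be fetched."""
    with open(os.path.join(UPLOAD_DIR, filename), "rb") as fh:
        return fh.read()


def _confine(base: str, user_path: str) -> str:
    """Resolve user_path under base (symlinks included) and refuse escapes."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate


def hardened_upload(filename: str, data: bytes) -> str:
    """Allow-listed extension only; client name discarded; stored flat."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    stored = secrets.token_hex(16) + ext  # server-chosen, unpredictable name
    path = _confine(UPLOAD_DIR, stored)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_download(stored_name: str) -> bytes:
    """Serve only files that resolve inside UPLOAD_DIR."""
    with open(_confine(UPLOAD_DIR, stored_name), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise both handlers with traversal and type-confusion inputs."""
    out = {}
    planted = vulnerable_upload("../conf/planted.txt", b"owned")
    out["vuln_write_escapes"] = os.path.dirname(os.path.realpath(planted)) == SENSITIVE_DIR
    out["vuln_keeps_script_name"] = vulnerable_upload("payload.sh", b"#!/bin/sh\n").endswith("payload.sh")
    out["vuln_read_escapes"] = vulnerable_download("../conf/planted.txt") == b"owned"

    stored = hardened_upload("../conf/planted.txt", b"safe")
    out["hard_write_confined"] = (os.path.dirname(stored) == UPLOAD_DIR
                                  and not os.path.basename(stored).startswith("planted"))
    out["hard_roundtrip"] = hardened_download(os.path.basename(stored)) == b"safe"
    try:
        hardened_upload("payload.sh", b"#!/bin/sh\n")
        out["hard_rejects_script"] = False
    except ValueError:
        out["hard_rejects_script"] = True
    for label, evil in (("traversal", "../conf/planted.txt"), ("absolute", "/etc/passwd")):
        try:
            hardened_download(evil)
            out[f"hard_blocks_{label}_read"] = False
        except PermissionError:
            out[f"hard_blocks_{label}_read"] = True
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

Running demo() shows the unrestricted handler writing and reading outside its upload directory and storing a script under its original name, while the hardened handler confines every path with realpath plus commonpath, discards the client-supplied name, and rejects extensions outside the allow-list. A server-chosen filename also removes the attacker’s ability to predict where an uploaded file will land, which matters whenever the upload directory is reachable by another component of the product.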
Since that report, multiple organizations have published updates; most notably, Cleo released new security patches on December 12th. Because the original fix for CVE-2024-50623 was bypassed, Cleo assigned a new identifier on December 14th, and the exploited issue is now tracked as CVE-2024-55956.
The earliest confirmed exploitation occurred on December 3rd. Since that date, exploitation has become widespread. Technical details and Proof-of-Concept (PoC) exploit code for CVE-2024-50623 were released by the company watchTowr on December 11th, simplifying exploitation for even low-skilled threat actors. Currently, there are unconfirmed reports that the Termite ransomware group is employing this vulnerability for initial access into victim organizations.
Huntress has also observed exploitation leading to the deployment of a previously unseen, modular malware family dubbed Malichus, which consists of two loaders and a Java-based post-exploitation framework that functions as a backdoor. Malichus supports both Linux and Windows, but real-world attacks have so far been identified only against Windows hosts. In an interview with BleepingComputer, the Cl0p data extortion group claimed responsibility for the widespread exploitation of Cleo devices.
No proof of this claim was provided, but Cl0p has a long history of targeting file transfer software, including Accellion FTA (2020), SolarWinds Serv-U FTP (2021), GoAnywhere MFT (2023), and MOVEit MFT (2023). Previous campaigns resulted in the theft of data for extortion purposes.
eSentire’s Threat Response Unit (TRU) assesses that the release of PoC exploit code will lead to an increase in real-world attacks, as threat actors attempt to exploit CVE-2024-50623/CVE-2024-55956 before organizations have time to apply the new security patches.
In response to confirmation of real-world exploitation of CVE-2024-50623/CVE-2024-55956, eSentire released an advisory on the topic on December 10th. eSentire’s Tactical Threat Response (TTR) team has created detections for both eSentire MDR for Endpoint and Network; these detections have resulted in the identification of multiple incidents which were escalated to the impacted organizations.
Additionally, eSentire’s Threat Response Unit (TRU) has performed behavioural and indicator-based threat hunts across the eSentire client base and known malicious IP addresses are blocked via the eSentire Global Block List.
Frequent Freeloader Part II: Secret Blizzard
Bottom Line: The Russian state-sponsored threat actor Secret Blizzard continues to target organizations associated with Ukraine. Its practice of operating through other actors’ malware and infrastructure makes attribution and proactive threat response increasingly challenging.
On December 11th, Microsoft released the second part of its report on the activities of the Russian state-sponsored Advanced Persistent Threat (APT) group Secret Blizzard. Part one covered the group’s compromise of the Pakistan-based threat actor Storm-0156, which gave Secret Blizzard access to that actor’s victim pool and tools. Part two covers two further incidents in which Secret Blizzard used other threat actors’ tools to target organizations in Ukraine.
Between March and April 2024, Secret Blizzard was observed using Amadey bot malware, linked to the cybercriminal activity Microsoft tracks as Storm-1919, to deploy its custom backdoors Tavdig and KazuarV2 on the devices of Ukrainian military personnel. Storm-1919’s usual objective is to install XMRig cryptocurrency miners on compromised devices.
In January 2024, Secret Blizzard leveraged a PowerShell backdoor used by the Russian threat actor Storm-1837 (aka Flying Yeti, UAC-0149) to install the same two custom backdoors on targeted Ukrainian devices. Storm-1837 is specifically known for targeting Ukrainian military drone operators.
Secret Blizzard’s use of Amadey suggests it either bought access as Malware-as-a-Service (MaaS) or covertly accessed Amadey’s Command-and-Control (C2) infrastructure; either way, Amadey was used to deploy a PowerShell dropper that called back to Secret Blizzard’s own C2. Amadey also gave the group victim details such as administrator status, device name, and installed antivirus software.
The group also deployed its own reconnaissance tool on selected Ukrainian military devices, enumerating details such as “directory tree, system information, active sessions, IPv4 route table, and SMB shares.” The Tavdig backdoor was then deployed on selected targets via the PowerShell dropper or a standalone executable, likely to ensure persistence and install the KazuarV2 payload.
In January 2024, a Ukrainian military-related device was compromised by the Storm-1837 PowerShell backdoor, which used the Telegram API to execute a cmdlet granting access to an account on the Mega file-sharing platform. The backdoor deployed a PowerShell dropper similar to the one used in Secret Blizzard’s Amadey campaign. The Tavdig backdoor was also found on the device, likely to maintain persistence and install the KazuarV2 payload.
Although Microsoft did not directly observe Storm-1837’s PowerShell backdoor installing Tavdig, the close timing between the backdoor’s execution and the PowerShell dropper’s deployment led Microsoft to assess that Secret Blizzard likely used Storm-1837’s backdoor to deploy Tavdig.
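The reconnaissance step described above (a tool enumerating directory tree, system information, active sessions, IPv4 route table, and SMB shares) is a useful hunting pivot regardless of which actor’s dropper delivered it. The following Python script, added here and not Microsoft’s or eSentire’s detection content, scores constructed process-creation events for a burst of distinct discovery categories from one host. The mapping from each category to built-in Windows commands is an assumption, since Microsoft describes a custom tool rather than command lines; the window and threshold are illustrative tuning values, and the sample events are constructed, not real telemetry.

```python
"""Hunt for a discovery burst: several reconnaissance categories from one host
inside a short window. Added example, not Microsoft's or eSentire's detection
content. The command-to-category mapping is an assumption (the report describes
a custom tool); it covers what the same enumeration looks like with built-ins."""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

# Categories taken from the enumeration list in the report; patterns are assumed
# built-in equivalents (ATT&CK T1083, T1082, T1033, T1016, T1135).
DISCOVERY = {
    "directory_tree":  re.compile(r"\b(tree|dir\s+/s|get-childitem\s+-recurse)\b", re.I),
    "system_info":     re.compile(r"\b(systeminfo|get-computerinfo)\b", re.I),
    "active_sessions": re.compile(r"\b(query\s+(user|session)|qwinsta|quser)\b", re.I),
    "ipv4_routes":     re.compile(r"\b(route\s+print|get-netroute|netstat\s+-r)\b", re.I),
    "smb_shares":      re.compile(r"\b(net\s+(share|view)|get-smbshare)\b", re.I),
}
WINDOW = timedelta(minutes=10)   # assumed tuning values
MIN_CATEGORIES = 3

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"ts": "2024-01-15T09:02:11", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "C:\\Windows\\System32\\tree.com C:\\Users /f"}
{"ts": "2024-01-15T09:02:40", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "systeminfo"}
{"ts": "2024-01-15T09:03:05", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "quser"}
{"ts": "2024-01-15T09:03:30", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts": "2024-01-15T09:04:12", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "route print -4"}
{"ts": "2024-01-15T09:05:50", "host": "WS-ALPHA", "user": "svc-ops", "cmd": "net share"}
{"ts": "2024-01-15T08:00:02", "host": "WS-BRAVO", "user": "admin", "cmd": "systeminfo"}
{"ts": "2024-01-15T13:30:15", "host": "WS-BRAVO", "user": "admin", "cmd": "net view \\\\fileserver"}
{"ts": "2024-01-15T10:11:00", "host": "WS-CHARLIE", "user": "j.doe", "cmd": "notepad.exe report.docx"}
"""


def classify(cmdline: str) -> set:
    """Return the discovery categories a command line falls into."""
    return {name for name, rx in DISCOVERY.items() if rx.search(cmdline)}


def parse_events(lines):
    """Parse JSON-lines process events into (ts, host, user, cmd), sorted by time."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            events.append((datetime.fromisoformat(rec["ts"]), rec["host"], rec["user"], rec["cmd"]))
    return sorted(events)


def hunt(lines, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Sliding-window check: alert when one host shows at least min_categories
    distinct discovery categories within `window`. One alert per host."""
    by_host = defaultdict(list)
    for ts, host, user, cmd in parse_events(lines):
        cats = classify(cmd)
        if cats:
            by_host[host].append((ts, user, cats, cmd))
    alerts = []
    for host, evs in by_host.items():
        for i, (start, user, _, _) in enumerate(evs):
            seen, cmds = set(), []
            for ts, _, cats, cmd in evs[i:]:
                if ts - start > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "categories": sorted(seen), "commands": cmds})
                break   # first qualifying window per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} ({a['user']}) from {a['start']}: {', '.join(a['categories'])}")
```

The alert carries the commands that contributed, so an analyst can see whether the burst came from an interactive administrator session or a scripted dropper. A ten-minute window with a threshold of three categories keeps a lone systeminfo or net view from firing, but an inventory or helpdesk tool that legitimately runs several of these in sequence will need an exclusion.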
eSentire's TRU team is continuously tracking Secret Blizzard’s activities. We discussed the first part of the report in the Weekly Threat Briefing (Dec 2 - Dec 6). In response to both reports, eSentire's TRU team has validated detections related to Secret Blizzard Tactics, Techniques, and Procedures (TTPs); additionally, threat hunts across the customer base have been performed for known Indicators of Compromise (IoCs).
Chinese Firm Sanctioned for Ransomware Attacks
Bottom Line: The U.S. Treasury has sanctioned the Chinese firm Sichuan Silence and its employee Guan Tianfeng over a widespread 2020 ransomware campaign that compromised more than 23,000 firewalls belonging to U.S. organizations, including critical infrastructure operators.
On December 10th, the U.S. Department of the Treasury announced sanctions against the Chinese cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan Silence), and one of its employees, Guan Tianfeng (Guan). According to the Treasury Department, Guan and Sichuan Silence are responsible for the mass exploitation of a Sophos firewall zero-day vulnerability and the deployment of Ragnarok ransomware.
Sichuan Silence is a contractor for various People’s Republic of China (PRC) intelligence services. Their offerings include “computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services”.
According to the release, Guan discovered CVE-2020-12271 (CVSS: 10), a SQL injection vulnerability in Sophos XG Firewall devices that allows an unauthenticated threat actor to achieve Remote Code Execution (RCE). Between April 22 and 25, 2020, Guan exploited the vulnerability to deploy malware to approximately 81,000 firewalls worldwide; the malware was used to steal usernames and passwords from infected systems. After the theft of data, Guan went on to deploy the Ragnarok ransomware.
This campaign is reported to have impacted more than 23,000 firewalls belonging to U.S. companies; 36 of the impacted organizations were considered critical infrastructure. In one case, the victim was a U.S. energy provider; according to the Treasury Department, had the attack not been quickly remediated, it “could have caused oil rigs to malfunction potentially causing a significant loss in human life”.
The eSentire product suite maintains a variety of detections for ransomware and associated tactics. eSentire MDR for Network has rules in place to identify CVE-2020-12271 exploitation attempts, and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.