Weekly Threat Briefing: March 4 - 8, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
This week, Check Point Research released a report on "Magnet Goblin", a financially motivated threat actor that exploits 1-day vulnerabilities in public-facing servers as its initial access vector. Unlike a zero-day vulnerability, a 1-day (also known as an n-day) vulnerability is already publicly known to vendors, system administrators, security researchers, and threat actors alike.
The campaigns attributed to Magnet Goblin have targeted a variety of platforms including Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ. Their recent campaigns have deployed a mix of custom malware, including a Linux variant of NerbianRAT, the Linux backdoor MiniNerbian, and the JavaScript credential stealer WARPWIRE, alongside commercial Remote Monitoring and Management (RMM) software (ScreenConnect and AnyDesk).
The eSentire Threat Response Unit (TRU) has released numerous security advisories for vulnerabilities exploited by Magnet Goblin, including Ivanti (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and Apache Magento (CVE-2022-24086).
Multiple Authentication Bypass Vulnerabilities Fixed in JetBrains TeamCity Update
On March 4th, JetBrains released TeamCity 2023.11.4 to address two authentication bypass vulnerabilities in the web component of TeamCity. The vulnerabilities, tracked as CVE-2024-27198 (CVSS 9.8) and CVE-2024-27199 (CVSS 7.3), would allow an unauthenticated attacker with HTTP(S) access to bypass authentication checks and potentially gain administrative control. JetBrains has also provided security patch plugins for older versions, and has confirmed that its cloud servers have been patched and were not attacked.
On March 5th, GreyNoise observed active exploitation of CVE-2024-27198. Shortly afterwards, on March 7th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch their instances by March 28th, 2024.
These vulnerabilities have been exploited to deliver Jasmin ransomware and create numerous rogue user accounts. Jasmin Ransomware is an open-source red team tool that mimics WannaCry ransomware and is designed to simulate a real ransomware attack.
On March 5th, 2024, eSentire Threat Response Unit (TRU) released a security advisory warning of active JetBrains TeamCity exploitation. Additionally, eSentire MDR for Network has detections in place to identify CVE-2024-27198 and CVE-2024-27199 exploitation attempts; eSentire Managed Vulnerability Service (MVS) has plugins to identify vulnerable JetBrains TeamCity versions.
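The version-based identification described above (a vulnerability scanner plugin flagging TeamCity builds that predate the 2023.11.4 fix) can be illustrated with a small inventory check. The script below is an added example written for this briefing; it is not eSentire's MVS plugin code nor anything from JetBrains. The host names, version strings and the `patch_plugin_installed` field are constructed inventory data, and the only facts it relies on from the briefing are the fixed version (2023.11.4), the two CVE identifiers, and the existence of JetBrains' security patch plugins for older branches. Because a version number alone cannot tell whether such a plugin has been applied, the check treats the plugin status as separate operator-supplied input rather than guessing.

```python
"""Flag JetBrains TeamCity instances whose reported version predates the
2023.11.4 release that fixed CVE-2024-27198 / CVE-2024-27199.

Added example for illustration; inventory values below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First release carrying the fix, per JetBrains' March 4th update.
FIXED_VERSION: Tuple[int, int, int] = (2023, 11, 4)
ADVISORY_CVES = ("CVE-2024-27198", "CVE-2024-27199")

# TeamCity versions look like YYYY.MM or YYYY.MM.patch, often followed by a
# build number, e.g. "2023.11.3 (build 147512)". Only the first three fields
# matter for the comparison; the build number is ignored.
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, minor, patch) from a version string, or None if the
    string does not contain a recognisable TeamCity version.
    A missing patch component (e.g. "2024.03") is treated as 0."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    year, minor, patch = match.groups()
    return (int(year), int(minor), int(patch or 0))


@dataclass
class Finding:
    host: str
    version: str
    vulnerable: Optional[bool]  # None means "could not determine"
    note: str


def assess(host: str, version_text: str, patch_plugin_installed: bool = False) -> Finding:
    """Classify one instance. The patch-plugin flag is operator-supplied:
    a version number alone cannot reveal whether JetBrains' security patch
    plugin for older branches has been installed."""
    version = parse_version(version_text)
    if version is None:
        return Finding(host, version_text, None,
                       "unrecognised version string; verify manually")
    if version >= FIXED_VERSION:
        return Finding(host, version_text, False, "at or above 2023.11.4")
    if patch_plugin_installed:
        return Finding(host, version_text, False,
                       "older branch with security patch plugin reported; "
                       "confirm the plugin is actually loaded")
    return Finding(host, version_text, True,
                   "predates 2023.11.4 with no patch plugin reported: "
                   + ", ".join(ADVISORY_CVES))


def assess_inventory(inventory) -> List[Finding]:
    """Run assess() over (host, version_text, patch_plugin_installed) rows."""
    return [assess(host, ver, plugin) for host, ver, plugin in inventory]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("ci-01.example.internal", "2023.11.3 (build 147512)", False),
    ("ci-02.example.internal", "2023.11.4 (build 147585)", False),
    ("ci-03.example.internal", "2022.10.1", True),
    ("ci-04.example.internal", "2024.03", False),
    ("ci-05.example.internal", "version unavailable", False),
]


def vulnerable_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hosts that should be prioritised for patching."""
    return [f.host for f in assess_inventory(inventory) if f.vulnerable is True]


if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY):
        status = {True: "VULNERABLE", False: "ok", None: "UNKNOWN"}[finding.vulnerable]
        print(f"{finding.host:28} {finding.version:26} {status:10} {finding.note}")
```

Instances reported as "UNKNOWN" still need a manual look rather than being dropped from the patch list, and a host on an older branch is only cleared here because the operator asserted the plugin is present; the note asks for that to be confirmed on the server itself.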
BlackCat Ransomware Turns Off Servers
As of March 4th, the infamous Ransomware-as-a-Service (RaaS) group BlackCat (ALPHV) has shut down its negotiation sites and data leak blog. The group posted a law-enforcement banner on its leak site claiming that the infrastructure has been seized, but international law-enforcement agencies have stated that they were not involved in any recent operations against the group. This has led to speculation that the group shut down its own infrastructure and posted a fake law-enforcement notice.
The eSentire Threat Response Unit (TRU) assesses that it is probable that the BlackCat ransomware group will continue activity after rebranding, resuming operations at a future date under a new name.
eSentire maintains a wide variety of detections specific to known ransomware techniques, as well as ransomware precursor activity, such as data exfiltration and the deployment of loader malware.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.