Weekly Threat Briefing: Oct 14-18, 2024


Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

Bottom Line: The rise in the adoption of EDR solutions has likely driven attackers to develop and deploy specialized tools like EDRSilencer. Attackers are motivated by the need to bypass these advanced tools to ensure the successful execution of their malicious activities.

On October 16th, Trend Micro released a report regarding the abuse of the open-source red team tool EDRSilencer, which attackers are using to bypass Endpoint Detection and Response (EDR) capabilities. EDRSilencer is an open-source tool capable of interfering with EDR solutions by leveraging the Windows Filtering Platform (WFP).

By utilizing EDRSilencer, attackers can disrupt network communications for the EDR processes responsible for generating telemetry and alerts. WFP plays a vital role in the successful disruption of the EDR tool’s communication. WFP is a set of APIs and system services that provide a platform for creating network filtering applications. The WFP API allows developers to set up firewalls, intrusion detection systems, antivirus software, network monitoring solutions, and parental controls. It also integrates with and supports firewall functionalities like authenticated communication and dynamic configuration. Threat actors utilize this tool to avoid detection, allowing them to remain persistent and execute cyberattacks over an extended period.

With the help of WFP, the tool can dynamically identify the EDR processes of widely deployed EDR solutions like Carbon Black, Cisco Secure Endpoint, Microsoft Defender for Endpoint, SentinelOne, TrendMicro Apex One, and more. It creates WFP filters to block the outbound network connections on IPv4 and IPv6, preventing EDRs from sending telemetry to their management consoles.
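Because the technique leaves its mark in the WFP filter set itself, a defender can audit that filter set for block filters keyed to EDR binaries on the outbound connect layers. The following script is an added example, not code from the briefing or from the EDRSilencer project. It reads the XML that `netsh wfp show filters file=<path>` writes; the element layout used in the constructed sample below is assumed from that export, while the layer, condition and action names (FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, FWPM_CONDITION_ALE_APP_ID, FWP_ACTION_BLOCK) are real WFP identifiers. The EDR executable name in the sample (MsMpEng.exe, Defender's service binary) is an illustration; supply your own product's paths in practice.

```python
"""Audit a WFP filter export for outbound block filters aimed at EDR binaries (added example)."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Outbound connect layers, matching the IPv4/IPv6 outbound blocking described in the briefing.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Constructed sample in the assumed export shape: two block filters on Defender's service
# binary (IPv4 and IPv6), one block filter on an unrelated program, one ordinary permit filter.
SAMPLE_XML = r"""<wfpdiag><filters>
 <item><filterKey>{0a1b2c3d-0000-4000-8000-000000000001}</filterKey><displayData><name>Custom Outbound Filter</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
   <byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob>
  </conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action></item>
 <item><filterKey>{0a1b2c3d-0000-4000-8000-000000000002}</filterKey><displayData><name>Custom Outbound Filter</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
  <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
   <byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob>
  </conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action></item>
 <item><filterKey>{0a1b2c3d-0000-4000-8000-000000000003}</filterKey><displayData><name>Block Notepad</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
   <byteBlob><asString>\device\harddiskvolume3\windows\system32\notepad.exe</asString></byteBlob>
  </conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action></item>
 <item><filterKey>{0a1b2c3d-0000-4000-8000-000000000004}</filterKey><displayData><name>Default Permit</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition><numItems>0</numItems></filterCondition>
  <action><type>FWP_ACTION_PERMIT</type></action></item>
</filters></wfpdiag>"""


def parse_filters(xml_text) -> List[Dict[str, str]]:
    """Flatten every <item> under <filters> into key, name, layer, action and app-id path."""
    root = ET.fromstring(xml_text)
    filters = root.find("filters")
    if filters is None:
        filters = root
    result = []
    for item in filters.findall("item"):
        app_id = ""
        # Condition entries are themselves <item> elements nested under <filterCondition>.
        for cond in item.iter("item"):
            if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID":
                app_id = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
        result.append({
            "key": item.findtext("filterKey", ""),
            "name": item.findtext("displayData/name", ""),
            "layer": item.findtext("layerKey", ""),
            "action": item.findtext("action/type", ""),
            "app_id": app_id,
        })
    return result


def find_edr_blocks(xml_text, edr_executables: Iterable[str]) -> List[Dict[str, str]]:
    """Return block filters on an outbound connect layer whose app-id path names an EDR executable."""
    wanted = {e.lower() for e in edr_executables}
    hits = []
    for f in parse_filters(xml_text):
        if f["action"] != "FWP_ACTION_BLOCK" or f["layer"] not in OUTBOUND_LAYERS:
            continue
        basename = f["app_id"].rsplit("\\", 1)[-1]
        if basename in wanted:
            hits.append(f)
    return hits


if __name__ == "__main__":
    # Usage: python wfp_audit.py [filters.xml]; without an argument the constructed sample is audited.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for hit in find_edr_blocks(data, ["MsMpEng.exe"]):
        print(f"SUSPECT {hit['key']} layer={hit['layer']} name={hit['name']!r} app={hit['app_id']}")
```

The check deliberately keys on the combination of a block action, an outbound connect layer and an application-ID condition pointing at a security product: a permit filter or a block on some unrelated program is ignored, which keeps the output short enough to review by hand on a fleet of hosts.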

In a previous TrendMicro report, researchers identified a similar tool being used by threat actors. These attacks resulted in the deployment of RansomHub ransomware using the custom-developed tool EDRKillShifter. The tool is designed to load a legitimate but unpatched vulnerable driver, which is subsequently exploited by the threat actor for privilege escalation using publicly available Proof-of-Concept (PoC) exploits. The successful use of tools like EDRKillShifter and EDRSilencer will result in their adoption by additional threat groups.

Learn more in the full threat briefing here.


Fortinet Researchers Disclose Exploitation of CVE-2024-8963 and CVE-2024-8190

Bottom Line: Vulnerabilities in edge devices present an attractive target for threat actors seeking to gain access to organizations' environments.

Researchers from Fortinet have released a technical report outlining the exploitation of two Ivanti Cloud Services Appliance (CSA) zero-day vulnerabilities and two additional known vulnerabilities. All four vulnerabilities mentioned in this report have now been disclosed along with security patches.

The exploited vulnerabilities are as follows:

  • CVE-2024-8963 (CVSS: 9.1) - Path traversal in Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality. Exploitation confirmed prior to patch release or public disclosure.
  • CVE-2024-9380 (CVSS: 7.2) - An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution. Exploitation confirmed prior to patch release or public disclosure.
  • CVE-2024-8190 (CVSS: 7.2) - An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. Publicly disclosed on September 10th, with exploitation confirmed by Ivanti on September 13th.
  • CVE-2024-29824 (CVSS: 8.8) - An unspecified SQL injection vulnerability in the Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Publicly disclosed on May 21st, with exploitation confirmed by Ivanti on October 1st.

According to Fortinet, threat actors exploited the zero-day vulnerability CVE-2024-8963 for initial access into victim organizations as early as September 4th. They went on to exploit the known command injection vulnerability CVE-2024-8190 to access user credentials. CVE-2024-29824 was exploited to achieve Remote Code Execution (RCE). The report claims exploitation of CVE-2024-9380 was observed but does not provide details on its use. Additionally, in a high-level summary report, Fortinet states that the Ivanti SQL injection vulnerability CVE-2024-9379 was also exploited in this campaign, but the full report does not mention this vulnerability.

This campaign resulted in the deployment of webshells and a rootkit for persistence. Fortinet does not speculate on the final goal of this activity.

Learn more in the full threat briefing here.


Iranian Cyber Actors Compromise Critical Infrastructure Organizations

Bottom Line: Five Eyes Signals Intelligence agencies have disclosed ongoing attempts by Iranian threat actors to gain access to critical infrastructure organizations, including healthcare, government, information technology, engineering, and energy.

On October 16th, CISA, in coordination with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), released a joint cybersecurity advisory (AA24-290A) regarding Iranian threat actors targeting multiple critical infrastructure sectors. According to the report, beginning in October 2023, CISA and partners have observed Iranian-based threat actors employing brute-force attacks and Multi-Factor Authentication (MFA) fatigue to gain access to victims. Targeted critical infrastructure sectors include healthcare, government, information technology, engineering, and energy. The goal of these compromises is believed to be information theft, with the aim of selling stolen data or access to other criminals on darkweb forums.

In observed attacks, threat actors perform brute-force attacks, such as password spraying, for initial access to victim organizations. If the organization has app-based MFA enabled, attackers used MFA Bombing (aka MFA fatigue) to trick users into authenticating. MFA Bombing is a simple technique where threat actors continually trigger MFA prompts until the user accepts one out of either confusion or frustration.
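Both of the techniques in this paragraph have a distinctive shape in authentication logs: password spraying is one source failing against many accounts in a short window, and MFA fatigue is one account receiving a burst of push prompts, often followed by an approval. The script below is an added example (not part of the advisory or the briefing) that runs both detections over constructed log lines in an assumed `timestamp key=value ...` format; the event names (login_failure, login_success, mfa_push_sent, mfa_push_approved), the thresholds and the window length are assumptions to be tuned against your own identity provider's logs.

```python
"""Detect password-spray and MFA-fatigue patterns in authentication logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: 203.0.113.10 sprays five accounts, then hammers "frank" with push
# prompts until one is approved; 198.51.100.5 is a user mistyping their own password.
SAMPLE_LOG = """\
2024-10-15T09:00:01Z src=203.0.113.10 user=alice event=login_failure
2024-10-15T09:00:02Z src=203.0.113.10 user=bob event=login_failure
2024-10-15T09:00:03Z src=203.0.113.10 user=carol event=login_failure
2024-10-15T09:00:04Z src=203.0.113.10 user=dave event=login_failure
2024-10-15T09:00:05Z src=203.0.113.10 user=erin event=login_failure
2024-10-15T09:00:06Z src=203.0.113.10 user=frank event=login_success
2024-10-15T09:01:00Z src=198.51.100.5 user=alice event=login_failure
2024-10-15T09:01:10Z src=198.51.100.5 user=alice event=login_failure
2024-10-15T09:01:20Z src=198.51.100.5 user=alice event=login_success
2024-10-15T09:01:30Z src=198.51.100.5 user=alice event=mfa_push_sent
2024-10-15T09:01:40Z src=198.51.100.5 user=alice event=mfa_push_approved
2024-10-15T09:02:00Z src=203.0.113.10 user=frank event=mfa_push_sent
2024-10-15T09:02:30Z src=203.0.113.10 user=frank event=mfa_push_sent
2024-10-15T09:03:00Z src=203.0.113.10 user=frank event=mfa_push_sent
2024-10-15T09:03:30Z src=203.0.113.10 user=frank event=mfa_push_sent
2024-10-15T09:04:00Z src=203.0.113.10 user=frank event=mfa_push_sent
2024-10-15T09:04:10Z src=203.0.113.10 user=frank event=mfa_push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def load_records(text: str) -> List[Dict]:
    """Parse the assumed 'timestamp key=value ...' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "=" not in m.group("kv"):
            continue
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5) -> Dict[str, int]:
    """Map each source IP to the largest number of distinct accounts it failed against in one window."""
    per_src = defaultdict(list)
    for r in records:
        if r.get("event") == "login_failure":
            per_src[r["src"]].append((r["ts"], r["user"]))
    alerts: Dict[str, int] = {}
    for src, attempts in per_src.items():
        win = deque()  # sliding window of (ts, user) within `window` of the newest failure
        for ts, user in attempts:
            win.append((ts, user))
            while ts - win[0][0] > window:
                win.popleft()
            distinct = len({u for _, u in win})
            if distinct >= min_users:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts


def detect_mfa_fatigue(records, window=timedelta(minutes=10), min_prompts=5) -> Dict[str, Dict]:
    """Flag users who receive a burst of push prompts, and record whether a prompt was then approved."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("event") in ("mfa_push_sent", "mfa_push_approved"):
            per_user[r["user"]].append((r["ts"], r["event"]))
    alerts: Dict[str, Dict] = {}
    for user, events in per_user.items():
        win = deque()  # timestamps of prompts within `window` of the newest prompt
        for ts, event in events:
            if event == "mfa_push_sent":
                win.append(ts)
                while ts - win[0] > window:
                    win.popleft()
                if len(win) >= min_prompts:
                    entry = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                    entry["prompts"] = max(entry["prompts"], len(win))
            elif event == "mfa_push_approved" and user in alerts:
                alerts[user]["approved_after_burst"] = True  # the outcome the technique aims for
    return alerts


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("password spray:", detect_password_spray(recs))
    print("mfa fatigue:   ", detect_mfa_fatigue(recs))
```

An approval that follows a prompt burst is the case worth paging on, since it means the account is now in the attacker's hands; a burst with no approval still deserves a password reset for that account, because the attacker already holds a valid password to have triggered the prompts at all.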

Once access is achieved, Iranian threat actors have been observed employing Remote Desktop Protocol (RDP) for lateral movement. Open-source tools are used to exfiltrate victim credentials, allowing for further access. In some cases, the threat actors exploited the Windows vulnerability CVE-2020-1472 (Zerologon) to escalate their privileges. The Cobalt Strike red-team tool is deployed to enable Command and Control (C2) communication.

The goal of this activity is reported to be the theft of information, leading to data being sold via darkweb marketplaces for financial gain.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
