Weekly Threat Briefing: Sept 2 - Sept 6, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Cicada3301 Ransomware

Bottom Line: The emergence of Cicada3301 highlights the growing trend of ransomware groups targeting virtualized environments, specifically VMware ESXi servers, which are critical to many organizations' IT infrastructure.

On August 30th, Truesec released a technical analysis of the Cicada3301 Ransomware-as-a-Service (RaaS) group, which offers its affiliates a double-extortion capability: the ransomware itself plus a data leak site. The threat actors deploying the ransomware have targeted Windows and Linux systems, with a specific focus on VMware ESXi servers. The group has been active since its debut in June 2024 and has already claimed more than 20 victims.

Cicada3301 gains access to victim networks through compromised credentials, which are either stolen or obtained via brute-force attacks carried out with the Brutus botnet. The ransomware can shut down Virtual Machines (VMs), and its behavior during an attack can be customized through several command-line parameters. One notable parameter is no_vm_ss, which encrypts files without shutting down running VMs, thereby avoiding immediate detection.

Cicada3301 has several notable similarities to another well-known ransomware family, ALPHV (aka BlackCat). The article includes a snapshot of code from Cicada3301 that appears almost identical to ALPHV's.

The similarities observed include:

  • Both ransomware families are written in the Rust programming language
  • Both use the ChaCha20 algorithm for encryption
  • Both have been observed using almost identical commands to shut down a VM and remove snapshots
  • Both use the -ui command-line parameter to provide graphical output during encryption
  • Similar naming conventions when renaming files (changing "RECOVER-<ransomware extension>-FILES.txt" to "RECOVER-<ransomware extension>-DATA.txt")
  • The same approach to using a parameter to decrypt the ransom note

To prevent initial access via compromised credentials and brute-force attacks, organizations are strongly recommended to enforce Multi-Factor Authentication (MFA). MFA limits the value of compromised credentials, as access is not possible with credentials alone.
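Brute-force credential attacks such as the Brutus-driven activity described above leave a recognizable pattern in authentication logs, and the login that succeeds after a burst of failures is the moment a password-only account is lost. The following Python is an added example, not code from eSentire's briefing or from the Truesec analysis: it parses constructed OpenSSH-style syslog lines, raises an alert when one source IP accumulates a threshold of failed logins inside a sliding window, and flags any later successful login from that source. The hostname, IP addresses, usernames and log lines are constructed; the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog-style authentication lines (not real telemetry).
# 203.0.113.7 sprays several accounts in ten seconds and then logs in as root;
# 198.51.100.20 is a user who mistypes a password once before succeeding.
SAMPLE_AUTH_LOG = """\
Sep  3 02:10:01 esxi-mgmt sshd[4410]: Failed password for root from 203.0.113.7 port 51000 ssh2
Sep  3 02:10:03 esxi-mgmt sshd[4411]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep  3 02:10:05 esxi-mgmt sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Sep  3 02:10:07 esxi-mgmt sshd[4413]: Failed password for root from 203.0.113.7 port 51003 ssh2
Sep  3 02:10:09 esxi-mgmt sshd[4414]: Failed password for invalid user backup from 203.0.113.7 port 51004 ssh2
Sep  3 02:10:11 esxi-mgmt sshd[4415]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Sep  3 02:15:00 esxi-mgmt sshd[4420]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Sep  3 02:20:00 esxi-mgmt sshd[4421]: Accepted password for jsmith from 198.51.100.20 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line, year=2024):
    """Parse one sshd line into a dict, or return None for lines this example does not model."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detector (assumed thresholds).

    Emits one 'bruteforce' alert per source IP once it accumulates `threshold`
    failed logins inside `window`, and a 'success_after_bruteforce' alert for
    every later successful login from that source, which is the signal that a
    password-only account has been taken over.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, username)
    flagged = set()                # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            # Discard failures that have aged out of the window.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "type": "bruteforce",
                    "src": ev["src"],
                    "attempts": len(q),
                    "users": sorted({u for _, u in q}),
                    "first": q[0][0],
                    "last": ev["ts"],
                })
        elif ev["src"] in flagged:
            alerts.append({
                "type": "success_after_bruteforce",
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the detector produces exactly two alerts for 203.0.113.7 (the five-failure burst, then the successful root login) and nothing for the legitimate user. In an environment where MFA is enforced, the second alert type should not occur at all, which is why the success-after-burst case is the one worth paging on.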

eSentire has detections in place to identify Cicada3301 ransomware based on recent observations. eSentire research shows that Cicada3301 ransomware posted 16 victim organizations to its leak site in August alone. The group's activity is expected to continue, barring significant law-enforcement intervention.

Learn more in the full threat briefing here.


Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues

Bottom Line: Data backup software, such as Veeam VBR, has a history of being targeted by financially motivated threat actor groups. Organizations utilizing Veeam are strongly encouraged to apply the latest round of security patches immediately.

On September 4th, Veeam disclosed eighteen separate vulnerabilities impacting Veeam Backup & Replication (VBR), Veeam Service Provider Console (VSPC), and Veeam ONE. All of the newly disclosed vulnerabilities are rated Critical or High severity.

The most concerning vulnerability from the release is CVE-2024-40711 (CVSS: 9.8), a Remote Code Execution (RCE) vulnerability found in VBR versions 12.1.2.172 and earlier. It allows attackers to execute arbitrary code remotely without authentication, posing a significant risk to enterprise backup infrastructure.

Other critical vulnerabilities from the release include:

  • CVE-2024-38650 (CVSS: 9.9) - A vulnerability that allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server
  • CVE-2024-39714 (CVSS: 9.9) - A vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on the VSPC server
  • CVE-2024-42024 (CVSS: 9.1) - A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed
  • CVE-2024-42019 (CVSS: 9.0) - A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account

At the time of writing, there is no indication of publicly available Proof-of-Concept (PoC) exploit code, or of real-world attacks, involving any of the Veeam vulnerabilities. Security patches for all disclosed vulnerabilities are available, and organizations are strongly recommended to apply them before exploitation is identified.

The prevalence of Veeam, along with the inherent value of backup services, has created an environment where Veeam vulnerabilities are viewed as high value to threat actors. The eSentire Threat Response Unit (TRU) assesses that it is likely threat actors will weaponize the recently disclosed vulnerabilities in the near future. As such, it is critical that organizations apply the relevant security patches as soon as possible.

eSentire Managed Vulnerability Service (MVS) will add the relevant plugins for recently disclosed Veeam vulnerabilities when they become available. eSentire Threat Response Unit (TRU) is also reviewing the impactful Veeam vulnerabilities for new detection opportunities.

Learn more in the full threat briefing here.


Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

Bottom Line: GRU Unit 29155’s continued cyber operations reflect Russia’s growing reliance on hybrid warfare, combining traditional military operations with cyber-attacks to destabilize adversaries.

On September 5th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and international partners released a joint cybersecurity advisory warning of attacks targeting critical infrastructure globally.

Threat actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, Unit 29155 (tracked as Cadet Blizzard and Ember Bear), have conducted computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. It should be noted that Unit 29155 operates independently from other well-known GRU-affiliated groups, such as Unit 26165 (aka APT28, Forest Blizzard, Fancy Bear) and Unit 74455 (aka Sandworm, Voodoo Bear).

This group began deploying the destructive WhisperGate malware against several Ukrainian organizations as early as January 13th, 2022. WhisperGate is a multi-stage malware designed to disrupt and destroy targeted systems. It operates by corrupting the Master Boot Record (MBR) of infected machines, rendering them unbootable, while simultaneously deploying a fake ransomware component to obscure its true purpose.

Despite masquerading as ransomware, WhisperGate lacks a recovery mechanism, emphasizing its primary goal of sabotage rather than financial gain, making it particularly dangerous in critical infrastructure attacks.

To gain initial access into victim networks, GRU Unit 29155 actors exploited vulnerabilities in internet-facing systems, particularly poorly secured VPN and network devices. They used publicly available tools such as Acunetix, MASSCAN, Nmap, and Shodan to conduct reconnaissance, identify open ports, and detect specific vulnerabilities. These tools allowed the attackers to map networks and find entry points, facilitating further exploitation. Once inside, the actors often leveraged stolen credentials to move laterally within compromised environments and escalate privileges.
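The scanner-driven reconnaissance the advisory describes is visible from the defender's side as bursts of denied connections at the perimeter. The following Python is an added example, not part of the joint advisory or of eSentire's briefing: it builds a constructed batch of iptables-style firewall DROP lines and flags two scan shapes, a vertical scan (one source probing many ports on one host, as a port scanner does) and a horizontal scan (one source probing one port across many hosts, as a mass scanner does), while leaving a repeated benign connection alone. The hostnames, addresses, log format and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Matches the address and port fields of an iptables/netfilter log line.
FW_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def _deny_line(second, src, dst, dpt):
    """Build one constructed DROP line (sample data, not real telemetry)."""
    return (f"2024-09-03T03:00:{second:02d}Z fw01 kernel: DROP IN=eth0 "
            f"SRC={src} DST={dst} PROTO=TCP SPT=4{second:04d} DPT={dpt}")


# Constructed sample: 203.0.113.9 probes six ports on one host (vertical scan),
# 198.51.100.5 tries port 443 on twelve hosts (horizontal scan), and an
# internal client 192.0.2.50 hits port 443 on one host three times (benign).
SAMPLE_FW_LOG = (
    [_deny_line(i, "203.0.113.9", "192.0.2.10", p)
     for i, p in enumerate([22, 80, 443, 902, 3389, 8443])]
    + [_deny_line(10 + i, "198.51.100.5", f"192.0.2.{i + 1}", 443) for i in range(12)]
    + [_deny_line(30 + i, "192.0.2.50", "192.0.2.10", 443) for i in range(3)]
)


def detect_scans(lines, port_threshold=5, host_threshold=10):
    """Flag vertical scans (many distinct ports on one host) and horizontal
    scans (one port across many distinct hosts) per source IP in a batch of
    deny logs. Thresholds are assumed starting values, to be tuned per network."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_by_port = defaultdict(set)   # (src, dpt) -> distinct destination hosts
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        ports_by_pair[(m["src"], m["dst"])].add(dpt)
        hosts_by_port[(m["src"], dpt)].add(m["dst"])

    alerts = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= port_threshold:
            alerts.append({"type": "vertical_scan", "src": src, "dst": dst,
                           "ports": sorted(ports)})
    for (src, dpt), hosts in sorted(hosts_by_port.items()):
        if len(hosts) >= host_threshold:
            alerts.append({"type": "horizontal_scan", "src": src, "port": dpt,
                           "hosts": len(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FW_LOG):
        print(alert)
```

The two counters deliberately key on different pairs: distinct ports per (source, destination) catches the Nmap-style enumeration of a single exposed device, while distinct hosts per (source, port) catches the MASSCAN-style sweep for one service such as a VPN portal. The repeated benign connection never exceeds either threshold because it touches one port on one host.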

To mitigate the risks posed by GRU Unit 29155’s cyber activities, organizations should implement several key defenses. First, prioritize patching of known vulnerabilities in internet-facing systems. Then, deploy phishing-resistant Multi-Factor Authentication (MFA) to reduce the risk of credential theft.

Additionally, network segmentation is essential to limit lateral movement if an intrusion occurs, and monitoring for unusual activity using advanced Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools can help identify potential threats early. Lastly, regular security audits and robust logging practices will further strengthen defenses.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.