Volt Typhoon is exploiting a flaw in Versa Director
A zero-day in Versa Director (CVE-2024-39717) has been exploited by Volt Typhoon, a Chinese highly sophisticated state actor known for having compromised American military and critical infrastructures. Versa Director is a management tool widely used by ISPs and MSPs, mostly ones providing services to SMBs. The flaw was used to upload backdoor-related files to Versa systems. In response, the company blamed customers who “failed to implement system hardening and firewall guidelines” and left “a management port exposed to the internet”.
Mitigate it
Block access to ports 4566 and 4570, except between the Versa Director nodes for HA-pairing traffic; inspect the /var/versa/vnms/web/custom_logo/ folder for any suspicious files having been uploaded.
RansomHub attacked Halliburton
Ransomhub is apparently behind the recent large ransomware attack on Halliburton, the world's second largest oil service company. The gang is a relatively new Russian double extortion actor, which rapidly became the third most prolific group in the world. In a special advisory about Ransomhub published last week, CISA and the FBI detailed nine vulnerabilities that it leverages for initial access, including flaws in Citrix Netscaler (CVE-2023-3519), FortiOS (CVE-2023-27997), Java OpenWire (CVE-2023-46604), Confluence data centers (CVE-2023-22515), F5 Big-IP (CVE-2023-46747), Fortinet EMS (CVE-2023-48788), Windows Vista servers (CVE-2017-0144) and ZeroLogon vulnerabilities (CVE-2020-1472, CVE-2020-0787).
An Iranian actor focused on vulnerabilities in edge devices
CISA and the FBI warned that the Iranian state actor Lemon Sandstorm (aka UNC757, Fox Kitten) has collaborated with major ransomware groups (such as BlackCat, NoEscape and RansomHouse), that provided encryption operations on networks Lemon Sandstorm compromised. Moreover, they revealed that Lemon Sandstorm is skilled invulnerability exploitation, as it exploited multiple flaws in edge devices for initial access, such as in CheckPoint gateways (CVE-2024-24919), Palo Alto firewalls (CVE-2024-3400), Citrix Netscaler (CVE-2019-19781, CVE-2023-3519), Ivanti VPNs (CVE-2024-21887) and F5 Big-IP (CVE-2022-1388). Lemon Sandstorm is known for targeting healthcare, financial and government organizations in countries such as the US, Israel, Azerbaijan and the UAE.
Microchip's ransomware attack
Play Ransomware has taken credit for the attack on Microchip and published online 5GB of internal files containing business documents and personal information. Microchip is a large American semiconductor company, providing products to 120,000 customers across various industries. As a result, operations at different manufacturing locations have been disrupted. Play, one of the largest ransomware groups, is known for exploiting FortiOS and Microsoft Exchange vulnerabilities.
A zero-day in WPS Office exploited
APT-C-60, a South Korean cyberespionage group, has exploited a zero-day in WPS office (CVE-2024-7262) to deliver a backdoor to users in China and other East Asian countries. Kingsoft, WPS Office distributor, silently patched the flaw last March, but the vulnerability apparently remained vulnerable despite the fix.
Mitigate it
Apply Qualys ID QIDs 380420 and 380422.
North Koreans exploit a Chromium zero-day for cryptomining
Microsoft reported that a Chromium zero-day (CVE-2024-7971) has been exploited by Hidden Cobra (aka UNC4736) to deploy a rootkit. Hidden Cobra is a North Korean state actor mostly targeting financial institutions and individuals managing cryptocurrency. The RCE flaw was activated through a malicious domain, to which victims were redirected through social engineering methods.
Mitigate it
In Defender for Endpoint, ensure that tamper and network protections are turned on; Block access by domains voyagorclub[.]space and weinsteinfrog[.]com.
WhatsUp Gold servers left exploitable
Over 1,200 Internet exposed servers are still vulnerable to a flaw in Progress’s WhatsUp Gold (CVE-2024-4885), a popular networking monitoring tool. The vulnerability, allowing to run arbitrary commands with elevated privileges, was fixed in Mid-August. However, since the upgrade process is manual and complex (it requires to contact Progress’s customer support), many servers were left unpatched. Exploitation attempts were detected in August but to that day, no evidence of actual successful exploitation has been confirmed.
Mitigate it
Monitor exploitation attempts at the'/NmAPI/RecurringReport' endpoint and restrict access to trusted IP addresses on ports 9642 and 9643.
New waves of Confluence vulnerability exploitation
Eight months after being leveraged in massive campaigns, a critical vulnerability in Atlassian Confluence Data centers and servers (CVE-2023-22527) is still under active exploitation. The flaw, for which a new exploit has been recently published, is now utilized in new attack vectors for delivering cryptomining malware. The vulnerability allows unauthenticated attackers to execute template injection, then running arbitrary code on targeted instances.
Mitigate it
Apply Tenable plugins 189636, 114150, 188068.
APT29 reuses commercial vendors' browser exploits
Google researchers revealed that the Russian state actor APT29 has reused exploits for iOS (CVE-2023-41993, CVE-2021-1879) and Chrome (CVE-2024-5274, CVE-2024-4671), developed by commercial spyware vendors – specifically NSO and Intellexa. Among others, the exploits were utilized in a watering hole campaign against Mongolian government websites, which took place from late 2023 to July 2024.
APT41 targets Asian countries with a 2018 XSS vulnerability
In a new campaign, the Chinese state actor APT41 is exploiting a 2018 cross site scripting (XSS) vulnerability in Windows Authentication Protocol Domain Support (APDS) library to run arbitrary code execution in Microsoft Management Console (MMC). The group leverages the flaw so that opening a malicious MSC file will be enough to trigger an embedded Javascript. Among the victims were Taiwanese government agencies, the Philippine military, and Vietnamese energy organizations.
Ukraine replies to Russian attacks with the same vulnerability
A pro-Ukraine hacktivist group is exploiting a WinRAR vulnerability (CVE-2023-38831) to target Russian and Belarusian companies. Last June, the same vulnerability has been used by the Russian APT Flying Yeti (aka UAC-0149) against Ukrainian civilians. The flaw enables to execute arbitrary code on the system via a malicious crafted RAR file.
European transport agencies under attack
The agency responsible for London’s transport network has been hit by an unattributed cyberattack, which impacted “backroom systems” at its headquarters, At the same time, the German air traffic control agency also suffered from an attack, apparently operated by the Russian GRU-affiliated APT28. Last May, Berlin revealed an APT28-led large cyberespionage campaign against German political parties, which was based on the exploitation of an Outlook vulnerability (CVE-2023-23397).
Mitigate it
Block TCP 445/SMB outbound from your network.
A new ransomware target Windows and ESXi flaws
A new ransomware group named Cicada3301 is exploiting vulnerabilities for initial access and targets both Windows and ESXi systems, especially in SMBs. The group that emerged in June, share diverse similarities with the infamous (and now defunct) BlackCat group.
CBIZ attacked through a web vulerability
A cyberattack against CBIZ, which took place last June, has been enabled through the exploitation of a vulnerability “associated with one of its web pages”. The attack resulted in the leak of information of 36,000 individuals. CBIZ is a large professional services company, providing accounting and tax services, insurance, business advisory, and human resources services.
Microsoft experiments mitigation of CLFS flaws
Microsoft announced an experiment in which it will add a built-in mitigation for eventual exploitations of Windows Common Log File System (CLFS) vulnerabilities. Concretely, the company will add Hash-based Message Authentication Codes (HMAC) in order to detect unauthorized modifications to CLFS logfiles. In the past five years, 24 CLFS flaws have been recorded, with a few being exploited by notorious ransomware groups such as BlackBasta and Nokoyawa.
Ransomware is growing
Different reports show an increase in ransomware operations in 2024. Thenumber of recorded ransomware groups increase from 46 in 2023 to 73 today while the proliferation of Initial Access Brokers lowered the barrier to entry for new ransomware groups and the trend towards vulnerability exploitation continues. Moreover, ransomware attacks against the manufacturing sector are growing, and they now represent 12% of the total number of attacks (compared with 7% last year).
Mitigate it
Sources
- https://krebsonsecurity.com/2024/08/new-0-day-attacks-linked-to-chinas-volt-typhoon/#more-68493
- https://www.securityweek.com/us-government-issues-advisory-on-ransomware-group-blamed-for-halliburton-cyberattack/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf
- https://www.securityweek.com/ransomware-gang-leaks-data-allegedly-stolen-from-microchip-technology/
- https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
- https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
- https://www.securityweek.com/critical-flaws-in-progress-software-whatsup-gold-expose-systems-to-full-compromise/
- https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
- https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
- https://www.darkreading.com/application-security/hackers-use-rare-stealth-techniques-to-down-asian-military-govt-orgs
- https://securelist.com/head-mare-hacktivists/113555/
- https://therecord.media/german-air-traffic-control-company-deutsche-flugsicherung-cyberattack, https://therecord.media/transport-for-london-cyberattack
- https://blog.morphisec.com/cicada3301-ransomware-threat-analysis
- https://www.bleepingcomputer.com/news/security/business-services-giant-cbiz-discloses-customer-data-breach/
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/security-mitigation-for-the-common-log-filesystem-clfs/ba-p/4224041
- https://www.infosecurity-magazine.com/news/active-ransomware-groups-surge/, https://www.helpnetsecurity.com/2024/09/03/tim-west-withsecure-ransomware-tactics-shifting/, https://www.trellix.com/advanced-research-center/threat-reports/june-2024/, https://www.threatdown.com/wp-content/uploads/2024/09/2024-TD-State-of-Ransomware-US-3.pdf