TLP: CLEAR - This information may be shared publicly
eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Ivanti Zero-Day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)
Bottom Line: Over the past month, sophisticated threat actors have exploited two zero-day vulnerabilities in Ivanti products. Organizations need to apply the relevant mitigations immediately, as well as conduct threat hunts to identify active compromises.
On January 10th, Ivanti, in coordination with Volexity, disclosed two zero-day vulnerabilities that impact Ivanti Connect Secure and Ivanti Policy Secure Gateways. When used in tandem, these vulnerabilities enable a remote attacker to bypass authentication requirements and execute arbitrary code on vulnerable systems. The two vulnerabilities are tracked as CVE-2023-46805 and CVE-2024-21887.
Volexity identified these vulnerabilities and reported them to Ivanti after exploitation was identified in real-world attacks. The earliest signs of exploitation were traced back to early December 2023. In observed attacks, threat actors exploited the vulnerabilities to gain initial access into victim organizations. The threat actors used stolen credentials to pivot internally and log into additional systems via Remote Desktop Protocol (RDP). Webshells, tracked under the name GLASSTOKEN, were then deployed to enable command execution and long-term persistence in victim environments.
In a report from January 12th, Mandiant disclosed five additional custom malware families that were identified during attacks. These include the ZIPLINE backdoor, the THINSPOOL dropper, the LIGHTWIRE webshell, the WIREFIRE webshell, and the WARPWIRE credential harvester.
Security patches to address CVE-2023-46805 and CVE-2024-21887 are not currently available. Ivanti will be releasing patches in a staggered approach during the weeks of January 22nd and February 19th. Until security patches are released, it is critical that organizations apply the relevant mitigations provided by Ivanti. In addition to applying mitigations, it is important to review all potentially impacted systems for signs of compromise. While these mitigations will prevent exploitation of these vulnerabilities, they will not remove persistence mechanisms that were placed on the system prior to mitigation.
Organizations need to take immediate action to address CVE-2023-46805 and CVE-2024-21887. At this time, exploitation is limited to a single threat actor group, but as details on the vulnerabilities are now public, there is a high probability that other groups will attempt to develop exploits prior to the release of security patches. Widespread exploitation is expected in the near future, increasing the criticality of applying the relevant mitigations until security patches are available.
The actors behind the recent campaign are tracked under the name UTA0178 by Volexity and UNC5221 by Mandiant. While the group has not been connected to any other known threat actor, Volexity has stated that the threat actors behind this campaign are suspected to be part of a Chinese state-sponsored APT group. The goal of this activity is unclear, but there is a high probability it relates to data theft for espionage purposes.
In response to the disclosure of this information, eSentire released a public advisory on January 11th. Additionally, threat hunts have been performed across eSentire's customer base and infrastructure associated with real-world attacks is blocked via the eSentire Global Block List.
Bottom Line: Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.
January 10th marked Microsoft’s monthly Patch Tuesday release. This month Microsoft addressed a total of 49 vulnerabilities, out of which only two are rated as critical.
The two critical vulnerabilities are as follows:
Another notable vulnerability from the release is:
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify these vulnerabilities.
It is important that organizations review and action the full Microsoft Patch Tuesday release. Vulnerabilities that are confirmed to be exploited should be prioritized for immediate patching. Similarly, vulnerabilities in Internet-facing applications should be prioritized, as they are more likely to be targeted by threat actors.
CVE-2024-20674 stands out as particularly notable. Its potential impact on a core authentication protocol and its low complexity rating make it a valuable target for adversaries. Additionally, Microsoft credits a lone X (formerly Twitter) user with finding the vulnerability; the account is relatively new, anonymous, and had no activity as of the patch release. Anonymous researchers may choose to release their findings at any point, since their anonymity negates any reputational loss. CVE-2024-20674 should be a focus for patching in the near term.
As of the time of writing, no Proof-of-Concept (PoC) exploit code has been made publicly available nor has exploitation in the wild been observed. Applying Microsoft's official patch is the recommended action for these vulnerabilities.
Bottom Line: Ukrainian-based threat actors have claimed responsibility for a destructive attack against a Russian Internet Service Provider. According to threat actor statements, this activity is a direct response to the recent wiper attack against Ukraine’s largest telecommunications provider, Kyivstar.
On December 12th, Kyivstar was impacted by a cyberattack resulting in the destruction of thousands of virtual servers and PCs, leading to internet and phone outages for 24 million Ukrainians. On January 4th, Illia Vitiuk, the cyber chief of the Security Service of Ukraine (SBU), disclosed additional details on the attack. These details identified the known Russian state-sponsored APT group Sandworm (ELECTRUM, BlackEnergy, Voodoo Bear, IRIDIUM) as the group responsible for the attack. This group has previously targeted critical infrastructure in Ukraine with wiper malware. Sandworm gained initial access to Kyivstar in May 2023; they maintained persistence until December 12th, when destructive wiper malware was deployed. According to the SBU, Russian actors had been attempting to breach Kyivstar since March 2023.
On January 9th, in retaliation for the attack on Kyivstar, a pro-Ukrainian hacktivist group named ‘Blackjack’ executed a cyberattack against the Russian internet service provider M9 Telecom. The attack reportedly destroyed 20 terabytes of data, including the company's official website and cyber protection services, leaving some Moscow residents without internet and television access. The group shared screenshots allegedly proving their access to M9 Telecom’s systems. The images showed account credentials of employees and customers, 50GB of call data, FTP command execution to delete server files, removal of configuration files, the RIPE database and billing portal, a snapshot of the vSphere client, and the dashboard for the Resource Public Key. Additionally, leaked text files contained full names, usernames, email addresses, passwords, and other confidential details.
The Blackjack cyberattacks underscore a strategic shift in warfare tactics, where cyber operations are used to directly impact civilian infrastructure and services. This shift indicates a broader trend in modern conflicts where cyber capabilities are integral to national security strategies. The attack on Kyivstar, a critical communications provider, and the subsequent retaliation against M9 Telecom highlight the vulnerability of civilian digital infrastructure to state-sponsored cyber warfare. This tit-for-tat dynamic could lead to an escalation of cyber hostilities, potentially spilling over into other sectors and nations.
Shortly following the attack on January 9th, a source from Ukraine's law enforcement agencies told Ukrinform, a national news agency in Ukraine, that "[h]ackers from the Blackjack group, who are likely related to the SBU [Security Service of Ukraine], hacked the Moscow-based internet service provider M9com and destroyed its servers." The possibility that nation-state actors are operating under the guise of an independent hacktivist group to execute cyberattacks serves multiple strategic purposes. Most notably, it allows for plausible deniability and greater operational flexibility while conducting offensive campaigns in foreign states. Additionally, the use of hacktivist groups as a cover can serve a psychological and propaganda purpose, as it portrays a narrative of widespread opposition or resistance, which can be domestically and internationally advantageous. For Ukraine, showcasing that groups like Blackjack are fighting back against Russian aggression can bolster national morale and garner international sympathy.
As the kinetic war in Ukraine shows signs of stagnation, both Russia and Ukraine, along with their respective allies, may increasingly turn to cyber operations to pursue their objectives. Unlike kinetic warfare, cyberattacks can be targeted and discreet, often without the immediate and visible destruction caused by conventional military actions. This characteristic makes cyber warfare an attractive option for continuous engagement in the conflict without crossing certain red lines that might provoke larger-scale military responses. Additionally, as the war prolongs, targeting critical infrastructure and economic systems through cyberattacks becomes a strategic approach to weaken the opponent. Disrupting essential services like telecommunications, financial systems, and energy supplies can have a debilitating impact on the adversary's war effort and home front morale.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.