Threat Briefing — Feb 16, 2024

Weekly Threat Briefing - Feb 12 - Feb 16

TLP: CLEAR - This information may be shared publicly

eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Critical Microsoft Outlook Remote Code Execution Vulnerability

Bottom Line: Microsoft has announced the patch release for a critical vulnerability in Microsoft Outlook. Organizations are strongly recommended to review the release and apply security patches for all impacted products.

A new critical Remote Code Execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-21413 (CVSS: 9.8), was discovered by Check Point researcher Haifei Li. The flaw allows unauthenticated attackers to bypass Office Protected View and execute code remotely when a recipient opens a malicious link in an email. Dubbed "MonikerLink", the vulnerability sits in Outlook's link-handling safeguards: for http:// and https:// links Outlook simply launches the browser, while for links using other URI schemes it cautions the user, for example blocking links that point directly at remote SMB shares. The MonikerLink bypass appends an exclamation mark and additional characters to a "file://" link that points at a remote share; the modified link slips past the check Outlook applies to such links, so the warning is never shown.

CVE-2024-21413 is rated as low attack complexity and requiring no user interaction, and it impacts multiple Office products, including Outlook 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. The vulnerability stems from how Windows interprets a link containing an exclamation mark: the portion before the "!" is treated as a file moniker and the portion after it as an item moniker, and the whole link becomes a "composite moniker" that is resolved through the Component Object Model (COM). COM resolves it by loading the linked file in the application registered for that file type, which then runs as a COM server in the background, in some cases without any visible indication to the user.

Essentially, the MonikerLink bug is a security risk created by the use of an unsafe API, specifically MkParseDisplayName/MkParseDisplayNameEx, on attacker-controlled input. While the issue was identified in a Microsoft product, it potentially extends to any software that passes untrusted strings to these APIs. Outlook is simply the most prominent place the flaw has been found so far, and the discovery highlights both its existence and its potential impact.
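The following Python script is an added example, not Check Point's proof of concept and not code from the original briefing. It scans the HTML body of a message for file: links and separates a plain UNC link (which Outlook warns about) from the composite-moniker form described above, which is the MonikerLink pattern. The message body is constructed for the example, and the host 192.0.2.10 is a documentation address; no real target or payload is used.

```python
"""Flag the MonikerLink (CVE-2024-21413) link pattern in an email body.

Added example; the message body below is constructed, not a real capture.
"""
import re
from urllib.parse import unquote

# Any href value in an HTML body (quoted or bare).
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# A Windows drive letter such as "C:" means a local path, not a UNC host.
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def parse_file_link(url):
    r"""Describe a file: link, or return None for any other URI scheme.

    Windows accepts several spellings of the same target
    (file://host/share/x, file:///\\host\share\x, mixed slashes),
    so the path is normalised to backslashes before it is split.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "file":
        return None
    rest = unquote(rest).replace("/", "\\").lstrip("\\")
    host, _, path = rest.partition("\\")
    # MkParseDisplayName treats "!" as the boundary between the file
    # moniker and an item moniker, turning the link into a composite
    # moniker that COM resolves by loading the file in its registered
    # application. That is the piece Outlook's file:// check misses.
    file_part, bang, item = path.partition("!")
    return {
        "url": url,
        "host": host,
        # A UNC host means the client opens an SMB session to it, which
        # is where the Net-NTLMv2 response leaks even if no code runs.
        "remote": not DRIVE_RE.match(host),
        "file": file_part,
        "composite": bool(bang),
        "item": item,
    }


def scan_body(html):
    """Return one finding per file: link in the body, with a verdict."""
    findings = []
    for url in HREF_RE.findall(html):
        info = parse_file_link(url)
        if info is None:
            continue
        if info["composite"] and info["remote"]:
            info["verdict"] = "MonikerLink pattern: remote file plus item moniker"
        elif info["remote"]:
            info["verdict"] = "UNC file link: Outlook warns, but a click still leaks NTLM"
        else:
            info["verdict"] = "local file link"
        findings.append(info)
    return findings


# Constructed sample; 192.0.2.10 is a documentation (TEST-NET-1) address.
SAMPLE_BODY = r"""<html><body>
<p>Please review the <a href="https://example.com/report">quarterly report</a>.</p>
<p>Archive copy: <a href="file://192.0.2.10/share/report.docx">legacy share</a></p>
<p>Notes: <a href="file:///\\192.0.2.10\share\report.docx!notes">review notes</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(f'{finding["verdict"]:<60} {finding["url"]}')
```

Run against the constructed body, the https link is ignored, the plain UNC link is reported as a warned-but-still-leaky file link, and the third link is flagged as the MonikerLink pattern with host 192.0.2.10 and item moniker "notes". The UNC case is kept as a separate verdict on purpose: the exclamation mark is what defeats Outlook's warning, but any link that makes a Windows client open an SMB session to an attacker-controlled host is worth blocking at the mail gateway.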

eSentire Threat Intelligence Analysis:

Organizations need to take immediate action to address CVE-2024-21413, due to the ease of exploitation and the scope of impacted products. The vulnerability is reminiscent of the notorious Log4J vulnerability within the Java ecosystem. However, this new threat affects the Windows/COM ecosystem, indicating a broader impact across various applications beyond Microsoft products. The ease with which this vulnerability can be tested and potentially exploited calls for immediate and proactive measures by QA engineers, security professionals, and developers to identify and mitigate such vulnerabilities in their software.

There has been some controversy surrounding the disclosure of CVE-2024-21413. Microsoft had initially stated that the vulnerability was exploited by threat actors before the patch was released but has since retracted the statement. The eSentire Threat Intelligence team assesses that it is highly likely that real-world exploitation of CVE-2024-21413 will occur in the immediate future.

CVE-2024-21413 was fixed as part of Microsoft's February Patch Tuesday release. In the February release, Microsoft addressed a total of 74 unique vulnerabilities, five of which are classified as critical and two of which were confirmed at the time of release to have been exploited in real-world attacks before public disclosure. Patched alongside CVE-2024-21413 was a critical Microsoft Exchange vulnerability, tracked as CVE-2024-21410 (CVSS 9.8), which enables an NTLM relay attack and which Microsoft subsequently confirmed had also been exploited before the patch release. An attacker who captures a Net-NTLMv2 authentication from a victim, for example by using MonikerLink to induce Outlook to initiate an SMB connection to an attacker-controlled host, can relay it in real time to a vulnerable Exchange server and authenticate as that user. Because a Net-NTLMv2 response is bound to the server's challenge, it cannot be reused later in a pass-the-hash fashion; the value to the attacker lies in relaying it while the session is live. The fix ships in Exchange Server 2019 CU14, which enables Extended Protection for Authentication (EPA) by default so that the NTLM exchange is tied to the TLS channel and the relay fails. Organizations would be remiss not to review the full Patch Tuesday release and to prioritize patching of known exploited vulnerabilities and of vulnerabilities in Internet-facing applications.

Volt Typhoon Espionage Operations Targeting U.S. Critical Systems

Bottom Line: Dragos has released additional details relating to the Chinese state-sponsored APT group Volt Typhoon. The group has recently been observed exploiting vulnerabilities in public-facing applications and employing Living Off the Land (LotL) techniques in attacks against organizations in the U.S. and African countries.

This week, researchers from Dragos released a report on new activity attributed to the Chinese state-sponsored APT group Voltzite, better known as Volt Typhoon (aka Bronze Silhouette, Vanguard Panda, UNC3236). The group was first publicly identified in May 2023 and is reported to have continually targeted the United States since. According to Dragos, the group has also recently targeted organizations in multiple African countries. Dragos has observed Volt Typhoon targeting various critical infrastructure industries, including the electric sector, satellite, telecommunications, emergency management, and the defense industrial base.

In observed attacks, the group focuses on slow and stealthy reconnaissance, maintaining persistence in victim networks for months or even years. For initial access, the group exploits a variety of vulnerabilities in Internet-facing devices. Products known to be targeted by Volt Typhoon include, but are not limited to, Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatePipe WARP, Ivanti Connect Secure VPN, and Cisco ASA devices. After access has been established, the group relies heavily on Living Off the Land (LotL) techniques and compromised credentials to move laterally across the network and steal sensitive data, which keeps its footprint close to that of legitimate administration. The group has been observed deploying both web shells and the Fast Reverse Proxy (FRP) tool for command and control (C2).

The eSentire Threat Intelligence team has been actively tracking Volt Typhoon since the group was first publicly disclosed in May 2023. The eSentire product suite has a variety of detections for known Volt Typhoon malware, tools, and techniques. Additionally, eSentire released an advisory on recent Volt Typhoon activity, including eSentire response actions and recommendations, on February 9th, 2024.

eSentire Threat Intelligence Analysis:

This report builds on multiple recent disclosures related to the Volt Typhoon threat actor group. On January 31st, the U.S. Justice Department announced the disruption of a botnet of compromised small-office/home-office routers that Volt Typhoon was using to conceal its targeting of U.S. critical infrastructure. On February 7th, CISA, NSA, and FBI, along with Five Eyes intelligence partners, published a joint advisory describing Volt Typhoon intrusions in which the group maintained access to some victim IT environments for at least five years. The group remains highly active despite the current attention on it; Dragos references multiple campaigns from the group as recently as January 2024. eSentire assesses that similar activity, targeting both government agencies and private organizations across critical infrastructure industries, should be expected going forward.

Government sources have described Volt Typhoon activity as an attempt to establish long-term persistence in critical infrastructure with the goal of launching disruptive or destructive attacks in the event of a future conflict. Dragos has not identified "actions or capabilities designed to disrupt, degrade, or destroy ICS/OT assets or operations", but it does note that the continued targeting of critical infrastructure and theft of data may enable the creation of an "ICS-capable disruption tool". The disruption of any critical infrastructure is highly concerning, as it would impact vital services and drain response resources.

ALPHV Blackmails Canadian Pipeline

Bottom Line: The ALPHV/BlackCat ransomware group's recent attack on Canada's Trans-Northern Pipelines, claiming the theft of 190 GB of critical data, underscores the escalating threat ransomware poses to critical infrastructure globally.

On February 13th, ALPHV (aka BlackCat) added Trans-Northern Pipelines, a Canadian oil distributor, to its leak site, claiming to have stolen 190 GB of data and threatening to leak it unless a ransom is paid. While technical details of this incident remain largely undisclosed, a spokesperson for Trans-Northern confirmed they "experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems." They also stated, "We have worked with third-party, cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims."

This incident echoes the 2021 Colonial Pipeline attack, with the same potential for significant impact on critical infrastructure. In the Colonial Pipeline attack, backend IT systems were compromised and the operator shut down the pipeline as a precaution, which led to fuel shortages and long lines at gas stations on the East Coast of the United States.

eSentire Threat Intelligence Analysis:

The targeting of Trans-Northern Pipelines by ALPHV highlights the strategic selection of ransomware victims within critical infrastructure sectors. The broader implications of attacks on critical infrastructure include potential disruptions to energy supplies and economic stability. The repeated targeting of such sectors underscores the importance of strengthening cybersecurity measures and fostering collaboration among international partners.

The Trans-Northern Pipelines incident, which appears to have involved data theft used for extortion rather than the deployment of file-encrypting ransomware, reflects a growing trend among cybercriminals. This approach focuses on stealing sensitive information and threatening its release unless a ransom is paid, rather than encrypting the victim's data to render it inaccessible. It offers attackers several advantages. Firstly, it bypasses the need to develop and deploy an encryptor, reducing the risk of detection by endpoint defenses; exfiltration-only extortion can be quicker and less technically demanding, which appeals to a broader range of cybercriminals. Secondly, it directly targets an organization's fear of reputational damage and legal repercussions from the public disclosure of sensitive data, potentially making victims more likely to pay. This shift is an adaptation to the increasingly robust backup and recovery practices that organizations have put in place in response to traditional ransomware attacks: as businesses become better at restoring encrypted data, attackers are finding new leverage by threatening the public release of stolen information.

Targeting pipelines and other critical infrastructure components with cyberattacks poses significant threats to national security and public safety and invariably draws heightened attention from law enforcement and security agencies worldwide. When attackers target such essential services, it signals a bold move against a nation's assets, often prompting a swift and coordinated response from various sectors of government, including intelligence and military agencies. Law enforcement agencies, alongside national cybersecurity organizations, prioritize these incidents due to their potential to cause immediate harm and long-term geopolitical instability. Moreover, the targeting of critical infrastructure is increasingly seen not just as a criminal activity but as a matter of national security. Consequently, such incidents may trigger legal and diplomatic actions against states or organizations believed to be sponsoring or harboring cybercriminals. Shortly after this attack was disclosed, the U.S. State Department's Rewards for Justice program announced a reward of up to 10 million USD for information leading to the identification or location of ALPHV leadership, and up to 5 million USD for information leading to the arrest or conviction of anyone participating in ALPHV ransomware attacks.

The compromise of Trans-Northern Pipelines serves as a critical reminder of the vulnerabilities within critical infrastructure to attacks. It underscores the importance of adopting comprehensive cybersecurity frameworks and proactive defense strategies to protect against such threats.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
