Threat Briefing — Feb 23, 2024

Weekly Threat Briefing - Feb 19 - Feb 23

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

ScreenConnect Vulnerabilities Exploited

Bottom Line: Organizations need to immediately apply the relevant security patches for CVE-2024-1709 and CVE-2024-1708, as exploitation is widespread. In addition to applying security patches, organizations should review all ScreenConnect servers for signs of exploitation, as patching the vulnerabilities will not remove previously established persistence mechanisms.

On February 19th, ConnectWise disclosed two critical vulnerabilities in ConnectWise ScreenConnect: CVE-2024-1709 (CVSS 10, authentication bypass) and CVE-2024-1708 (CVSS 8.4, path traversal). Both vulnerabilities impact all ConnectWise ScreenConnect versions prior to 23.9.7. Exploiting these vulnerabilities would allow a remote and unauthenticated threat actor to execute code and directly impact confidential data and critical systems. On February 20th, ConnectWise confirmed that the vulnerabilities were being actively exploited.

In response, eSentire released a security advisory on February 21st, warning of active exploitation and encouraging organizations to prioritize patching. Additionally, eSentire’s Threat Response Unit developed detections for eSentire MDR for Network to identify exploitation attempts, added known malicious IP addresses to the eSentire Global Block List, and performed threat hunts. eSentire Managed Vulnerability Service (MVS) also has plugins in place to identify vulnerable ScreenConnect versions.

On February 22nd, Sophos disclosed that they had detected several attacks leveraging these exploits to deliver various malware types, including a ransomware executable built with a leaked LockBit 3 ransomware builder tool. On February 23rd, eSentire’s SOC observed a separate threat actor exploiting the ScreenConnect vulnerabilities and attempting to deliver ransomware.

eSentire Threat Intelligence Analysis:

The recent ConnectWise ScreenConnect vulnerabilities and subsequent attacks underscore a concerning trend in the cybersecurity landscape: the extremely short window between the disclosure of a vulnerability and its active exploitation by threat actors, including ransomware deployment. This rapid transition from disclosure to exploitation highlights the efficiency and vigilance of cybercriminal networks in leveraging newly exposed vulnerabilities to their advantage.

Organizations have a limited timeframe to respond to vulnerability disclosures before they are exploited in the wild. The release of Proof of Concept (PoC) exploit code substantially shortens this window. This puts a significant strain on IT and security teams to act swiftly to mitigate potential threats. The use of sophisticated malware and ransomware as part of the exploitation strategy complicates the response and recovery process. In particular, the deployment of ransomware can have a devastating impact on organizations, leading to operational disruptions and financial losses.

Good patch management is crucial in protecting organizations from the threat posed by the rapid exploitation of vulnerabilities. An effective patch management process encompasses several key components starting with the timely identification and application of patches. This involves staying informed about vulnerability disclosures from software vendors and promptly applying available patches; automated patch management tools can significantly streamline this process by identifying and deploying patches throughout an organization's network. Moreover, the sheer volume of vulnerabilities disclosed necessitates a risk-based prioritization approach, where patches are applied first to vulnerabilities posing the highest risk to the organization's critical systems, especially those with high severity ratings or vulnerabilities currently being exploited. Additionally, patch management must be comprehensive, extending to all software and systems across the organization, including those that are remote or off-premise. Finally, the importance of regular auditing and compliance cannot be overstated. Through consistent reviews of the patch management process, organizations can identify and rectify coverage gaps and ensure adherence to internal policies.
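As an added illustration of the two practical points above (checking whether a ScreenConnect build predates the 23.9.7 fix, and ordering open findings so that actively exploited, high-severity issues are patched first), here is a small triage script. It is example code written for this briefing, not an eSentire or ConnectWise tool, and the host inventory and hostnames in it are constructed.

```python
"""Added example (not eSentire's code): risk-based patch triage for the
ScreenConnect advisory. Flags builds older than 23.9.7 (the fixed version
stated in the briefing) and orders findings so that known-exploited,
high-CVSS issues come first. All inventory data below is constructed."""
from dataclasses import dataclass

# From the advisory: every build prior to 23.9.7 is affected.
SCREENCONNECT_FIXED = (23, 9, 7)


def parse_version(text: str) -> tuple:
    """Turn '23.9.8.8811' into (23, 9, 8, 8811) so comparisons are numeric.
    Comparing version strings lexically is a classic bug: '23.9.10' sorts
    before '23.9.7' as text even though it is the newer build."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_screenconnect(version: str) -> bool:
    """True when the build predates the patched release."""
    return parse_version(version)[:3] < SCREENCONNECT_FIXED


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    exploited_in_wild: bool  # vendor confirmation or a known-exploited feed


def prioritize(findings: list) -> list:
    """Risk-based ordering: known-exploited first, then highest CVSS,
    then hostname so the output is stable and reviewable."""
    return sorted(findings, key=lambda f: (not f.exploited_in_wild, -f.cvss, f.host))


def triage_screenconnect(inventory: dict) -> list:
    """inventory maps host -> ScreenConnect version string (constructed).
    Returns prioritized findings for hosts still on a vulnerable build."""
    findings = []
    for host, version in inventory.items():
        if is_vulnerable_screenconnect(version):
            # Both CVEs from the advisory apply to every unpatched build;
            # both were confirmed exploited in the wild on February 20th.
            findings.append(Finding(host, "CVE-2024-1709", 10.0, True))
            findings.append(Finding(host, "CVE-2024-1708", 8.4, True))
    return prioritize(findings)


if __name__ == "__main__":
    # Constructed inventory: one patched host, one on an old build, and one
    # on a later build that a naive string comparison would flag wrongly.
    sample = {"rmm-01": "23.9.7.8804", "rmm-02": "23.8.5.8707", "rmm-03": "23.9.10.9000"}
    for f in triage_screenconnect(sample):
        print(f"{f.host:8} {f.cve} CVSS {f.cvss} exploited={f.exploited_in_wild}")
```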

Leak of Chinese APT Tools

Bottom Line: The recent iSoon leaks revealed that Chinese APTs are augmenting their technical capabilities by contracting third-party organizations.

On February 18th, researchers discovered a significant data leak related to iSoon (aka Anxun Information Technology), a contractor for various Chinese agencies including the Chinese Ministry of Public Security (MPS). iSoon specializes in network penetration and has been implicated in hacking activities against several regions and organizations. The leaks provide an unprecedented glimpse into the activities of a state-affiliated hacking contractor, revealing its involvement in cyber espionage against multiple governments, pro-democracy groups, and educational institutions.

Discovered on GitHub, the leaked documents contain marketing materials, technical documents, communication between employees and clients, victim data, targeting lists, and details on the cyber tools used, including custom hardware snooping devices and software vulnerabilities exploited for espionage.

The documents show victims of iSoon’s operations include government entities, telecommunications firms, medical organizations, and academic sectors in countries such as Pakistan, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Nepal, Turkey, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hong Kong, Indonesia, Vietnam, Myanmar, Philippines, and Afghanistan. A few notable victims include the Ministry of Foreign Affairs (Myanmar), the National Taiwan University Hospital, the National Intelligence Agency (Thailand), the Punjab Anti-Terrorism Center (Pakistan), the Chinese University of Hong Kong, and the Paris Institute of Political Studies (France).

Additionally, the iSoon leaks revealed a detailed inventory of products and tools employed by the organization in its cyber espionage activities, shedding light on the sophisticated arsenal at its disposal.

Among the disclosed assets were customized malware variants, surveillance tools, and network penetration software designed to infiltrate, monitor, and extract data from targeted systems. A few noteworthy examples include a "Twitter Public Opinion Guidance and Control System," custom hardware disguised as Xiaomi battery packs for "WiFi Proximity Attack Systems," an "Email Analysis Intelligence Decision-Making Platform," and an "Automated Penetration Testing Platform" which combines public hacking tools into a Software-as-a-Service (SaaS) platform.

The leaks also reveal a potential link between iSoon and various Advanced Persistent Threat (APT) groups, including the notorious APT41. APT41 is known for its sophisticated cyber operations targeting industries worldwide to fulfill both state-sponsored espionage objectives and financial gain. Other notable threat actors potentially connected to iSoon include POISON CARP and JACKPOT PANDA. POISON CARP (aka Evil Eye, Earth Empusa) is a threat actor group known for its targeted phishing campaigns against the Uyghur community. This group's operations are characterized by the use of sophisticated social engineering techniques and zero-day exploits aimed at compromising the devices of activists, journalists, and dissidents. In 2021, members of Canada’s Uyghur community were targeted by this group through Facebook with the goal of deploying spyware. JACKPOT PANDA has been implicated in attacks targeting entities that are either engaged in or support online gambling operations in East and Southeast Asia.

The eSentire Threat Intelligence team is actively reviewing this leak and tracking related information for potential detection opportunities.

eSentire Threat Intelligence Analysis:

The leaked iSoon documents underscore the sophistication and breadth of China’s cyber espionage efforts, revealing a complex ecosystem of state-sponsored activities. They highlight the reliance on independent contractors like iSoon for conducting espionage, indicating a layered approach to cyber operations that involves both direct state action and outsourced activities.

The iSoon leak has significantly enhanced understanding of Chinese cyber operations, paralleling the impact of major disclosures like the NTC Vulkan, Snowden, and Shadow Brokers leaks. These revelations offer unprecedented insights into the tools, targets, and tactics of the Chinese Ministry of Public Security and its reliance on contractors for cyber espionage. By exposing the sophisticated nature of state-affiliated cyber activities, the iSoon leak underscores the complex relationship between national security, intelligence operations, and global cyber threats. This landmark disclosure prompts a re-evaluation of cybersecurity defenses and policies worldwide, mirroring the transformative effect of past intelligence leaks on the global stage.

While several potential threat actors could be responsible for the leak, the evidence suggests an insider threat is the most likely scenario. The nature and specificity of the leaked information suggest intimate knowledge of iSoon's internal operations, projects, and even the minutiae of daily workflows. A disgruntled current or former employee would possess both the access and the motivation to execute such a calculated disclosure of proprietary and potentially damaging information. The precision with which the data was selected for release indicates a motive beyond financial gain or public exposure, suggesting a personal vendetta or a desire to inflict reputational harm on iSoon and, by extension, the Chinese government's cyber operations. The leak comprises not just random documents but a curated selection of materials that expose operational tactics, target profiles, and even the outcomes of specific espionage campaigns. Choosing to leak the data via a public GitHub repository aligns with an individual seeking to maximize visibility and expose iSoon’s activities to the widest possible audience, including international cybersecurity communities. Additionally, throughout the leaked chat messages, disgruntled employees continually complain about pay, threatening to leave the company in search of other work.

Other potential threat actors, such as rival contractors, foreign intelligence agencies, or hacktivist groups, cannot be entirely ruled out; however, these actors would likely have different objectives and operational tactics. For instance, a rival contractor or a foreign intelligence service would likely opt to silently exploit the obtained information for competitive or strategic advantage rather than publicly disclose it. Similarly, hacktivist groups typically claim responsibility for their actions as part of their modus operandi to draw attention to their causes, which has not been observed in this case.

The iSoon leaks emphasize the need for robust defense mechanisms and international cooperation to counter state-sponsored cyber threats. They also highlight the evolving landscape of cyber warfare, where commercial entities play a key role in state-sponsored espionage activities.

Police Arrest LockBit Ransomware Members and Release Decryptor

Bottom Line: Based on eSentire research, LockBit has been the most prevalent ransomware group since 2020. A recent takedown by international law enforcement has disrupted the group’s infrastructure; the eSentire Threat Intelligence team assesses that the group will probably rebuild and continue operations in 2024. *NOTE - two days after this briefing was written, continued LockBit activity was confirmed.

LockBit is a prolific and sophisticated ransomware group that was initially observed in late 2019. Following the retirement of other ransomware groups, LockBit rose to prevalence, and since then it has impacted a wide range of victims across various countries and industries.

On February 20th, 2024, a taskforce operating under the name Operation Cronos, comprised of law enforcement organizations from Australia, Canada, Finland, France, Germany, Japan, the Netherlands, New Zealand, Poland, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States, announced the disruption of the LockBit ransomware gang’s operations. As part of this announcement, LockBit’s servers in several countries were taken down, two arrests were made, over 200 cryptocurrency accounts were frozen, 14,000 accounts related to exfiltration or infrastructure were identified, and the United Kingdom’s National Crime Agency took control of LockBit’s remaining infrastructure.

Law enforcement organizations have begun analyzing data retrieved from LockBit’s servers. This has led to the recovery of over 1,000 decryption keys, which may allow law enforcement to render decryption services to some LockBit victims. A decryption tool was also released through the No More Ransom website. Information on LockBit affiliates has also been uncovered, which law enforcement states will be used to target those that have worked with LockBit.

Additional information related to LockBit’s operations will likely continue to be released as the investigation unfolds.

eSentire Threat Intelligence Analysis:

The disruption of LockBit's operations showcases the effectiveness of international collaboration in the fight against ransomware. By targeting the infrastructure that supports LockBit's activities, law enforcement not only hinders the group's ability to operate but also sends a strong message to other ransomware operators. The provision of decryption keys further shifts the balance, empowering victims to recover without succumbing to ransom demands.

The strategic impact of law enforcement operations like these extends beyond immediate disruption. They contribute to a broader effort to undermine the ransomware ecosystem, deter potential cybercriminals, and elevate cybersecurity awareness among potential targets. This operation also highlights the evolving tactics of law enforcement in adapting to the challenges posed by ransomware and other forms of cybercrime.

However, despite the significant disruption Operation Cronos caused LockBit, the ransomware group will likely reemerge and continue its operations. This potential resurgence could materialize through rebranding under a new name, similar to how the DarkSide ransomware gang rebranded as BlackMatter, or returning under the same moniker, akin to Qakbot malware operators returning after law enforcement brought down their infrastructure. This flexibility showcases the adaptability and persistence of sophisticated cybercrime organizations in the face of legal and cybersecurity pressures.

LockBit's operations, having garnered over $120 million in ransom payments from more than 2,000 victims, underscore the highly lucrative nature of ransomware for capable threat actors. This substantial financial success not only highlights the effectiveness of LockBit's ransomware-as-a-service (RaaS) model but also reflects the thriving economy built on supporting all facets of cybercrime. Rebranding or retiring from the scene may result in another up-and-coming ransomware actor taking over any affiliates or other service providers left behind by LockBit.

The successful disruption of the LockBit ransomware group by international law enforcement is a commendable victory in the ongoing battle against cybercrime. However, organizations must continue to adhere to stringent security protocols and implement comprehensive cybersecurity measures. This is crucial not only to guard against the resurgence of LockBit but also to protect against the myriad of other ransomware gangs operating globally. The fight against ransomware demands constant vigilance and proactive defense strategies to navigate the ever-evolving threat landscape.

For more information on ransomware groups and the current threat landscape, see the recently released eSentire report Ransomware Readiness: How SMBs Can Prepare for the Rising Threat of Ransomware-as-a-Service, Initial Access Brokers, and Credential Theft.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.