Threat Briefing — Mar 8, 2024

Weekly Threat Briefing - Mar 4 - Mar 8

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Noteworthy News

Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities

Bottom Line: A financially motivated threat actor, tracked as “Magnet Goblin,” has demonstrated the ability to rapidly exploit vulnerabilities in public-facing servers shortly after disclosure. Organizations need to prioritize vulnerabilities that have a high likelihood of exploitation and implement detective controls to bridge the gap between vulnerability release and patch deployment.

This week Check Point Research released a report on "Magnet Goblin", a financially motivated threat actor that exploits 1-day vulnerabilities in public-facing servers as its initial access vector. Unlike a zero-day vulnerability, a flaw unknown to the organization responsible for maintaining the product, a 1-day (a.k.a. n-day) vulnerability is publicly known, including to vendors, system administrators, security researchers, and threat actors. Magnet Goblin has been notably quick to weaponize such vulnerabilities, in some cases deploying an exploit within a single day of Proof-of-Concept (PoC) code being published.

The campaigns attributed to Magnet Goblin have targeted a variety of platforms including Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ. Their recent campaigns have deployed a mix of custom malware, including a Linux variant of NerbianRAT, the Linux backdoor MiniNerbian and the JavaScript credential stealer WARPWIRE, alongside commercial Remote Monitoring and Management (RMM) software (ScreenConnect and AnyDesk).

eSentire’s Threat Intelligence team has released security advisories for several of the vulnerabilities exploited by Magnet Goblin, including Ivanti (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and Magento (CVE-2022-24086).

eSentire Threat Intelligence Analysis:

Magnet Goblin's activity highlights how critical it is for organizations to identify and patch vulnerabilities as soon as possible. Modern threat actors understand that there is only a limited window between vulnerability disclosure and the majority of potential targets applying security patches. As such, vulnerabilities are rapidly weaponized by capable actors and used in real-world attacks. This is especially true for vulnerabilities in Internet-facing products that can be exploited for initial access. Vulnerability management services can greatly assist organizations in identifying vulnerable devices and prioritizing patching.

In the case of Magnet Goblin, the group does not appear to be sophisticated enough to develop their own exploits for new vulnerabilities. As such, the group relies on publicly available PoC exploit code to enable attacks. The release of PoC code should be treated as an indicator that widespread attacks exploiting the vulnerability are imminent, and immediate patching is required.

The malicious use of Remote Monitoring and Management (RMM) tools by Magnet Goblin is notable. RMM tools such as ScreenConnect and AnyDesk are seeing increased use by threat actors, especially ransomware groups, to enable lateral movement and payload delivery. This approach allows threat actors to blend in with normal administrative activities, making detection significantly more challenging. Organizations can minimize the risk associated with RMM tools by maintaining a list of allowed tools and blocking others within their infrastructure.
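The allowlist approach above is straightforward to turn into a hunt over endpoint telemetry. The following is an added example written for this briefing, not code from eSentire or Check Point: it reads Sysmon-style process-creation events (JSON lines, event ID 1) and flags any RMM agent that is not on the organization's allowlist, and, because intruders typically drop a portable copy of a tool into a user-writable directory, it also flags an approved tool that runs from an unexpected path. The allowlist, the executable names used as RMM signatures, and the sample events are all constructed assumptions for the example.

```python
import json
import ntpath

# Hypothetical allowlist for this example: the only RMM product IT has sanctioned,
# mapped to the lower-case directory prefixes it is expected to execute from.
ALLOWED_RMM = {
    "screenconnect": (r"c:\program files (x86)\screenconnect client",),
}

# Process image names that identify RMM agents. Constructed for this example;
# populate it from your own software inventory and vendor documentation.
RMM_SIGNATURES = {
    "screenconnect.clientservice.exe": "screenconnect",
    "screenconnect.windowsclient.exe": "screenconnect",
    "anydesk.exe": "anydesk",
}


def classify(event):
    """Decide whether one process-creation event violates the RMM policy.

    Returns None for non-RMM processes and for an approved tool running from
    an expected directory, otherwise a finding dict carrying the reason.
    """
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    tool = RMM_SIGNATURES.get(name)
    if tool is None:
        return None
    directory = ntpath.dirname(image).lower()
    if tool not in ALLOWED_RMM:
        reason = "unapproved RMM tool"
    elif not directory.startswith(ALLOWED_RMM[tool]):
        # A portable copy of the sanctioned tool in a user-writable directory is
        # the pattern an intruder leaves behind, so it is flagged as well.
        reason = "approved RMM tool from unexpected path"
    else:
        return None
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "tool": tool,
        "image": image,
        "reason": reason,
    }


def hunt(lines):
    """Run classify() over JSON-lines process-creation events (Sysmon event ID 1
    style). Malformed lines and other event IDs are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 1:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-101", "User": "CORP\\jdoe", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe"}
{"EventID": 1, "Computer": "WS-102", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe"}
{"EventID": 1, "Computer": "SRV-DB01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Users\\Public\\ScreenConnect.ClientService.exe"}
{"EventID": 3, "Computer": "WS-102", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe"}
{"EventID": 1, "Computer": "WS-103", "User": "CORP\\bmoe", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{f['host']}: {f['reason']} ({f['user']} ran {f['image']})")
```

On the sample data this yields two findings: the AnyDesk binary launched from a Downloads folder (unapproved tool) and a ScreenConnect client launched from C:\Users\Public (approved tool, unexpected path). Matching on the image name is only a first pass; an attacker can rename the executable, so in production pair this with the binary's signer or hash and with network detections for the vendors' relay infrastructure.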

The emergence of Magnet Goblin as a significant threat actor exploiting 1-day vulnerabilities in publicly facing servers demands increased attention from cybersecurity teams. Organizations should prioritize the security of their exposed services, adopting a proactive posture to anticipate and mitigate attacks leveraging newly disclosed vulnerabilities.

Multiple Authentication Bypass Vulnerabilities Fixed in JetBrains TeamCity Update

Bottom Line: The active exploitation of CVE-2024-27198 in JetBrains TeamCity represents a critical security threat with the potential for supply chain compromise. Organizations using TeamCity must immediately patch this vulnerability and monitor for signs of exploitation.

On March 4th, JetBrains released TeamCity 2023.11.4 to address two authentication bypass vulnerabilities in the web component of TeamCity. The vulnerabilities, tracked as CVE-2024-27198 (CVSS: 9.8) and CVE-2024-27199 (CVSS: 7.3), allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and potentially gain administrative control. JetBrains has also provided security patch plugins for older versions and confirmed that its cloud servers have been patched and were not attacked.

On March 5th, GreyNoise observed active exploitation of CVE-2024-27198. Shortly afterwards on March 7th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to their Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to patch their instances by March 28th, 2024.

These vulnerabilities have been exploited to deliver Jasmin ransomware and to create numerous rogue user accounts. On March 5th, Brody Nisbet, director of threat hunting at CrowdStrike, reported on X (formerly Twitter) that the company observed multiple instances of JetBrains TeamCity exploitation leading to a suspected modified version of Jasmin ransomware. Jasmin is an open-source red team tool that mimics WannaCry and is designed to simulate a real ransomware attack. LeakIX, a security misconfiguration search engine, also reported on X that CVE-2024-27198 was being exploited to create hundreds of accounts for later use. LeakIX stated that over 1,700 vulnerable servers were identified, with over 1,400 showing clear signs of rogue user creation, and advised that “if you were/are still running a vulnerable system, assume compromise.”

eSentire Threat Intelligence Analysis:

JetBrains TeamCity is a Continuous Integration and Continuous Delivery (CI/CD) solution that helps developers automate the building and testing of products. Successful exploitation could compromise the CI/CD environment and enable attackers to tamper with software builds and conduct further attacks downstream in the supply chain. Vulnerabilities in such important software components are highly attractive to cybercriminals looking to exploit them for financial gain or disruptive purposes.

While patches are available, the window between vulnerability disclosure and exploitation is shrinking, highlighting the need for automated vulnerability management systems and proactive security measures. Organizations must prioritize security updates for critical and high-severity vulnerabilities as well as vulnerabilities in public-facing infrastructure. Employing a continuous monitoring solution to detect and respond to threats swiftly is key in mitigating risk should an organization be exploited.

On March 5th, 2024, eSentire’s Threat Intelligence team released a security advisory warning of active JetBrains TeamCity exploitation. Additionally, eSentire MDR for Network has detections in place to identify CVE-2024-27198 and CVE-2024-27199 exploitation attempts; eSentire Managed Vulnerability Service (MVS) has plugins to identify vulnerable JetBrains TeamCity versions.
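Identifying vulnerable TeamCity versions, as the MVS plugins mentioned above do, comes down to parsing the version string the server reports and comparing it with the fixed release. The following is an added example written for this briefing, not eSentire's or JetBrains' code. It assumes, consistent with the advisory's release of 2023.11.4 and of patch plugins for older versions, that any earlier version should be treated as affected, and it ranks Internet-facing servers first. The inventory, hostnames and build numbers are constructed.

```python
import re

# Fixed release named in the JetBrains advisory: TeamCity 2023.11.4. This example
# treats every earlier on-premises version as affected (assumption, see lead-in).
FIXED_VERSION = (2023, 11, 4)

_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?\b")


def parse_version(text):
    """Extract (year, release, patch) from a TeamCity version string such as
    '2023.11.3 (build 147512)' or '2022.10'. A missing patch level counts as 0."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    year, release, patch = match.groups()
    return (int(year), int(release), int(patch or 0))


def is_vulnerable_version(text):
    """True when the reported version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def triage(inventory):
    """Return the vulnerable servers, Internet-facing ones first. Each inventory
    entry is a dict with host, version, internet_facing, patch_plugin_installed."""
    findings = []
    for server in inventory:
        if not is_vulnerable_version(server["version"]):
            continue
        # JetBrains shipped a security patch plugin for older versions. A server
        # that still reports an old version but has the plugin installed cannot be
        # confirmed fixed from the version string alone, so it is queued for a
        # manual check rather than silently cleared.
        if server.get("patch_plugin_installed"):
            status = "verify patch plugin, then upgrade"
        else:
            status = "patch now"
        findings.append({
            "host": server["host"],
            "version": server["version"],
            "internet_facing": bool(server.get("internet_facing")),
            "status": status,
        })
    findings.sort(key=lambda f: (not f["internet_facing"], f["host"]))
    return findings


# Constructed inventory for this example (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    {"host": "ci-01", "version": "2023.11.4 (build 900001)", "internet_facing": True, "patch_plugin_installed": False},
    {"host": "ci-02", "version": "2023.11.3 (build 900000)", "internet_facing": True, "patch_plugin_installed": False},
    {"host": "ci-03", "version": "2023.05.4", "internet_facing": False, "patch_plugin_installed": True},
    {"host": "ci-04", "version": "2022.10", "internet_facing": False, "patch_plugin_installed": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        exposure = "INTERNET-FACING" if f["internet_facing"] else "internal"
        print(f"{f['host']} {f['version']}: {f['status']} [{exposure}]")
```

Given the LeakIX advice quoted earlier, a server that was exposed while vulnerable should also be reviewed for accounts and access tokens created during the exposure window, regardless of what the version check says now; patching removes the bypass but not any persistence established through it.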

The active exploitation of CVE-2024-27198 and CVE-2024-27199 serves as a crucial reminder of the importance of maintaining up-to-date security measures. Organizations using JetBrains TeamCity must take immediate action to apply the updates and review their security posture to prevent potential breaches and ensure the integrity of their development processes.

BlackCat Ransomware Turns Off Servers

Bottom Line: The BlackCat ransomware group's recent decision to shut down its servers, following allegations of scamming an affiliate out of a $22 million ransom payment, is a significant event that raises speculation on whether this represents an exit scam or a precursor to a potential rebranding.

As of March 4th, the infamous Ransomware-as-a-Service (RaaS) group BlackCat (ALPHV) has shut down its negotiation sites and data leak blog. The group posted a law-enforcement banner on their leak site, with claims that the infrastructure has been seized, but international law enforcement has stated that they were not involved in any recent operations against the group. This has led to speculation that the group shut down their infrastructure and posted a fake law-enforcement notice.

In late January 2024, BlackCat breached Change Healthcare. Change Healthcare offers software to pharmacies and insurance companies; the ransomware attack resulted in widespread outages impacting various U.S. healthcare organizations. According to public reporting, the organization paid a $22 million USD ransom, in return for decryption of their data.

The timing of this breach, the affiliate's claims, and observed cryptocurrency transfers have led to speculation that the BlackCat group was not disrupted by law enforcement but is performing an exit scam. Exit scams are common amongst criminal groups and dark web markets: the operators suddenly cease operations without paying out affiliates or other criminal service providers. A BlackCat affiliate claimed responsibility for the attack against Change Healthcare and stated that, despite carrying out the attack that resulted in the ransom payment, they never received their share of the funds. Based on currently available details, it is highly probable that the BlackCat group has performed an exit scam after a major payment.

eSentire maintains a wide variety of detections specific to known ransomware techniques, as well as ransomware precursor activity, such as data exfiltration and the deployment of loader malware.

eSentire Threat Intelligence Analysis:

The eSentire Threat Intelligence team assesses that it is probable the BlackCat ransomware group will continue activity after rebranding, resuming operations at a future date under a new name. This would not be the first time the group has shut down only to continue operations under a new name. BlackCat is the latest evolution of a group first tracked as DarkSide, which shut down in 2021 after the Colonial Pipeline breach; the group then operated briefly as BlackMatter before transitioning to BlackCat. If the group chooses to continue operations, rebranding is likely a requirement: as it is accused of defrauding its affiliates, continued operation as a RaaS group under the same name would be difficult due to mistrust from other criminal actors.

BlackCat likely chose to post a law-enforcement banner on their leak site due to recent law-enforcement attention on ransomware groups, such as LockBit. The LockBit group was targeted by international law enforcement, leading to the disruption of infrastructure and the arrest of two members. A similar operation briefly impacted the BlackCat group in December 2023, but like LockBit, infrastructure was rebuilt, and ransomware activity continued only a short time after.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
