Threat Briefing — Apr 9, 2024

Weekly Threat Briefing - Apr 1 - Apr 5

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Supply Chain Compromise Affecting XZ Utils Data Compression Library

Bottom Line: A supply chain attack resulted in the insertion of a malicious backdoor into the XZ Utils library. The backdoor is tracked as a critical vulnerability (CVE-2024-3094) affecting Linux distributions; impacted systems should be downgraded to an unaffected version or have the recommended mitigations applied.

On March 29th, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the open-source community, reported on a critical vulnerability impacting XZ Utils, a general-purpose data-compression library included in many Linux distributions. Tracked as CVE-2024-3094 (CVSS: 10), the vulnerability stems from a supply chain compromise which resulted in malicious code being included in versions 5.6.0 and 5.6.1 of the XZ libraries.

The malicious code modifies the build process of liblzma, a component of XZ Utils, producing a compromised liblzma library. The backdoor reaches sshd on distributions that link sshd against libsystemd (for systemd notification support), since libsystemd in turn loads liblzma into the sshd process, where the malicious library hooks the authentication path. The Secure Shell (SSH) protocol is a common method for securely connecting to remote systems; sshd is the service that accepts those connections and runs as root. In an attack scenario, a threat actor holding the attacker's key could use this hook to bypass sshd authentication and execute code on the system remotely as root.
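The following shell script is an added example and is not part of the eSentire briefing or of the XZ project. It triages a host for the two conditions described above: whether the installed xz/liblzma reports one of the two backdoored upstream versions, and whether the liblzma that sshd actually loads (via libsystemd) contains the backdoor. It assumes the standard `xz`, `ldd`, `od` and `sshd` binaries are present; the byte pattern is the x86-64 function prologue of the injected code that Andres Freund published in his oss-security disclosure, and the "affected" version list is the pair named in the advisory (5.6.0 and 5.6.1). Package-manager version strings can differ from what the binary reports, so the version check reads `xz --version` rather than the package database.

```sh
#!/bin/sh
# Added example: triage a Linux host for CVE-2024-3094 (XZ Utils backdoor).
# Two independent checks, because a rebuilt package can carry an odd version
# string while the bytes on disk are what matters:
#   1. version check  - does the installed xz/liblzma report 5.6.0 or 5.6.1?
#   2. byte signature - does the liblzma loaded by sshd contain the prologue
#      published in the public disclosure?
# Functions return 0 for "affected / match" and 1 for "no match".

# The two backdoored upstream releases named in the advisory.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# `xz --version` prints two lines, e.g. "xz (XZ Utils) 5.6.1" and
# "liblzma 5.6.1". The library line is the one that matters for sshd.
liblzma_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Byte pattern (x86-64 prologue of the injected function) from the public
# oss-security disclosure. od is used instead of hexdump so the check runs on
# any POSIX system.
XZ_BACKDOOR_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

file_has_backdoor_signature() {
  od -An -tx1 -v "$1" | tr -d ' \n' | grep -q "$XZ_BACKDOOR_SIG"
}

# Live-host check. The backdoor only reaches sshd when libsystemd pulls
# liblzma into the process, so inspect the library sshd really resolves
# (ldd shows transitive dependencies, so libsystemd -> liblzma is visible).
check_host() {
  status=0
  if command -v xz >/dev/null 2>&1; then
    out=$(xz --version 2>/dev/null)
    v=$(liblzma_version_from_output "$out")
    [ -n "$v" ] || v=$(xz_version_from_output "$out")
    if [ -n "$v" ] && xz_version_affected "$v"; then
      echo "AFFECTED: installed liblzma/xz $v is a backdoored upstream release"
      status=1
    else
      echo "ok: installed liblzma/xz version is ${v:-unknown}"
    fi
  fi
  sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ -x "$sshd" ]; then
    lib=$(ldd "$sshd" 2>/dev/null | sed -n 's/.*liblzma[^ ]* => \([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$lib" ]; then
      echo "ok: sshd does not load liblzma (the systemd trigger path is absent)"
    elif file_has_backdoor_signature "$lib"; then
      echo "AFFECTED: $lib (loaded by sshd) contains the published backdoor signature"
      status=1
    else
      echo "ok: $lib is loaded by sshd but does not match the signature"
    fi
  fi
  return $status
}

# Run the live check only when asked, so the functions can also be sourced
# from other tooling. Hypothetical invocation: sh xz-triage.sh --host
if [ "${1:-}" = "--host" ]; then
  check_host
fi
```

A clean result from this script is evidence against the two known artifacts, not proof of a clean host: a system that ran a backdoored sshd for any period should still be treated as potentially compromised and have its host keys and credentials rotated.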

The attack began with the creation of the GitHub account JiaT75 (Jia Tan) in 2021, which initially contributed to related projects before targeting XZ Utils. In January 2023, Jia Tan merged their first commit to the XZ project and continued to make commits throughout 2023. In February and March 2024, JiaT75 issued commits for versions 5.6.0 and 5.6.1 of XZ Utils, introducing the backdoor. To avoid detection, “the malicious injection present in the XZ versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present” states Red Hat. In the following weeks, Tan and others asked the developers of Ubuntu, Red Hat, and Debian to merge the updated versions into their distributions.
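As an added example that is not part of the briefing or of the XZ project: the script below compares the file set of an unpacked release tarball with a git checkout of the same tag, which is the kind of check that would have surfaced a build input present only in the tarball (in the 5.6.x releases, the malicious macro lived in an extra `m4/build-to-host.m4`). Directory names and the `tarball_only_m4` helper are assumptions for illustration. Legitimate autotools releases also add generated files (`configure`, `Makefile.in`, some `m4/*.m4`), so the output is a review list for a human, not a verdict.

```sh
#!/bin/sh
# Added example: diff the file set of a release tarball against the git
# checkout it claims to be built from. Anything that exists only in the
# tarball is a build input nobody reviewed in the repository.
#
# Usage: compare_trees <unpacked_tarball_dir> <git_checkout_dir>
# Prints "tarball-only: <path>" and "git-only: <path>" lines and returns 0
# when the two trees contain exactly the same files, 1 otherwise.

# Sorted list of regular files below a directory, relative to it, with the
# .git metadata directory excluded. LC_ALL=C keeps sort and comm in agreement.
list_files() {
  (cd "$1" && find . -path ./.git -prune -o -type f -print \
     | sed 's|^\./||' | LC_ALL=C sort)
}

compare_trees() {
  a=$(mktemp); b=$(mktemp)
  list_files "$1" > "$a"
  list_files "$2" > "$b"
  # comm -23: lines only in the first file; comm -13: only in the second.
  LC_ALL=C comm -23 "$a" "$b" | sed 's/^/tarball-only: /'
  LC_ALL=C comm -13 "$a" "$b" | sed 's/^/git-only: /'
  n=$(LC_ALL=C comm -3 "$a" "$b" | wc -l | tr -d ' ')
  rm -f "$a" "$b"
  [ "$n" -eq 0 ]
}

# Narrower question aimed at the xz case: which m4 macros does the tarball
# add that the repository never contained? (Hypothetical helper name.)
tarball_only_m4() {
  compare_trees "$1" "$2" | sed -n 's|^tarball-only: \(m4/.*\.m4\)$|\1|p'
}

# Hypothetical invocation: sh tarball-audit.sh xz-5.6.1/ xz-git-v5.6.1/
if [ $# -eq 2 ]; then
  compare_trees "$1" "$2"
fi
```

For projects that ship signed tarballs, this comparison complements rather than replaces signature verification: the xz tarballs were signed by the maintainer who planted the backdoor, so a valid signature said nothing about whether the tarball matched the reviewed source.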

The backdoor in XZ Utils was discovered by Andres Freund, a Principal Software Engineer at Microsoft. While benchmarking a Debian system, Freund observed abnormally high CPU utilization by sshd processes and traced the CPU usage to liblzma. Initially thought to be a Debian-specific compromise, the issue was soon traced to its true source: the upstream XZ repository and release tarballs (TAR archives) were backdoored. Thanks to these efforts, the impact of the malicious code was notably limited, affecting only a few “bleeding-edge” Linux distributions such as the upcoming Fedora Linux 40, the Fedora Rawhide developer distribution, Debian Unstable, and Kali Linux.

On April 1st, eSentire’s Threat Intelligence team released a public security advisory on the XZ Utils Supply Chain Compromise to raise awareness of the situation and provide recommendations to those impacted.

eSentire Threat Intelligence Analysis:

This incident serves as a stark reminder of the ongoing vulnerabilities in open-source projects, especially those with widespread usage. Despite the successful interception of this backdoor, the episode underscores the continuous need for vigilance and robust security protocols in software development and maintenance.

The backdoor's early identification by a Microsoft engineer highlights the crucial role of ongoing security audits and community vigilance in open-source software. The proactive response from the affected distributions, coupled with the targeted nature of the compromise, helped to prevent a broader impact on more stable and widely used releases.

The potential involvement of state-sponsored threat actors in this operation is under scrutiny, with experts and former government cyber security professionals expecting investigations from U.S. intelligence agencies. The sophistication of the XZ backdoor and the patience of the operation suggest state sponsorship, drawing comparisons to significant Russian cyber operations such as the SolarWinds espionage campaign in 2020.

Given the methodical approach to this attack, spanning over two years of trust-building and strategic code contributions, the incident raises questions about other potential undiscovered vulnerabilities within critical software infrastructure, highlighting the challenges in securing open-source ecosystems.

This incident prompts a critical reassessment of open-source software security, which forms the backbone of the digital economy yet often relies on the underappreciated efforts of individual volunteers. In the case of XZ, there is some evidence suggesting that the project was targeted after its maintainer publicly described being overworked.

The XZ backdoor incident emphasizes the critical importance of community vigilance, comprehensive security practices, and the support for open-source maintainers to safeguard against sophisticated cyber threats. It also calls for a broader dialogue on bolstering open-source security to prevent such vulnerabilities from being exploited in the future.

Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies

Bottom Line: The exploitation of Ivanti vulnerabilities by both financially motivated criminals and state-sponsored APTs signifies a concerted effort to leverage zero-day flaws for espionage and financial gain.

Google Cloud’s (Mandiant) latest report outlines multiple Chinese-nexus threat actor groups that are confirmed to have exploited various Ivanti vulnerabilities since early 2024. The report focuses on Chinese state-affiliated threat actor groups and financially motivated cybercriminals that were identified exploiting three separate Ivanti zero-day vulnerabilities beginning in January 2024: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all of which eSentire has previously covered in advisories.

Chinese affiliated APT groups known to exploit the vulnerabilities include UNC5221, UNC5266, UNC5291 (Volt Typhoon), and UNC5530. UNC5221 was identified exploiting Ivanti vulnerabilities during the pre-disclosure timeframe since early December 2023; their activities accelerated following public disclosure of the vulnerabilities on January 10th, 2024. UNC5266 was identified deploying the Sliver C2 framework after exploitation; attacks resulted in the delivery of various malware types including the WARPWIRE credential stealer, and TERRIBLETEA, a Go-based backdoor with extensive capabilities. UNC5291 was observed exploiting Ivanti vulnerabilities to target academic, energy, defense, and healthcare organizations; this group has a history of targeting US critical infrastructure.

Mandiant provides details on one financially motivated threat actor group that was observed exploiting these vulnerabilities, tracked as UNC5337. This group exploited CVE-2023-46805 and CVE-2024-21887, as early as January 2024, to deliver the SPAWN malware toolset on compromised Ivanti devices. The SPAWN suite is comprised of distinct components like SPAWNSNAIL and SPAWNMOLE, functioning together as a stealthy backdoor. UNC5337's tactics include persistent access and log tampering to avoid detection. While only one financially motivated group is mentioned in this report, it is almost certain that other threat actors were and are continuing to target Ivanti devices for financial gain.

Patches, mitigations, and an integrity checker tool have been available since January and February 2024. It is critical that organizations ensure all impacted devices are updated and reviewed for signs of exploitation.

eSentire Threat Intelligence Analysis:

The deployment of custom malware and lateral movement techniques highlights the advanced capabilities of these actors and the ongoing threat to edge appliances. Multiple Chinese APT groups exploited these vulnerabilities as zero-days, before their public disclosure or patching, showing significant technical capabilities. Discovering vulnerabilities and developing exploits requires time, expertise, and resources, as such, these zero-day vulnerabilities are generally only exploited by highly advanced criminal groups and state-sponsored actors. The cybercriminal group UNC5337 exploited the Ivanti vulnerabilities the same month that they were disclosed. Threat actors frequently target recently disclosed vulnerabilities, as there is a higher probability that organizations have not yet applied the relevant security patches.

As threat actors attempt to rapidly develop exploits, it is critical that organizations apply the relevant security patches as soon as possible to minimize the likelihood of successful exploitation. In the event of zero-day vulnerabilities, it is important that organizations follow a defense-in-depth approach to security that combines endpoint, logging, and network monitoring. Endpoint monitoring is especially critical: initial exploitation of a zero-day vulnerability is unlikely to be detected, but follow-on malicious actions (post-exploitation tooling, lateral movement, credential theft) may still be identified.

eSentire has closely monitored and responded to a series of critical zero-day vulnerabilities within Ivanti products, marking a concerted effort to mitigate risks and safeguard clients against potential exploits. eSentire’s Threat Intelligence team has published a total of four security advisories specific to Ivanti vulnerabilities (CVE-2023-38035; CVE-2023-46805 and CVE-2024-21887; a CVE-2023-46805 and CVE-2024-21887 update; and CVE-2024-21893) throughout 2023 and 2024, along with a fifth advisory covering Volt Typhoon activity, and discussed the Ivanti vulnerabilities in our February 2024 TRU Intelligence Briefing.

Following Ivanti’s April 2nd disclosure of four new vulnerabilities impacting Connect Secure and Policy Secure gateways (CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, and CVE-2024-22023), Ivanti’s CEO, Jeff Abbott, released an open letter discussing the organization’s commitment to security. Ivanti’s decision to undertake a comprehensive security overhaul was brought on by a multitude of emerging vulnerabilities within its products, which resulted in a number of high-profile compromises impacting government and critical infrastructure entities. Among several changes was a commitment to adopting Secure-by-Design principles. This reflects the industry best practice of integrating security considerations throughout the software development lifecycle and is vital for pre-empting vulnerabilities and ensuring that products are inherently resilient against emerging threats.

Ivanti's solutions are widely used across various sectors for secure access and management of IT systems. The vulnerabilities present a direct risk, offering attackers potential access points into the networks of critical infrastructure providers. Despite Ivanti's significant efforts to overhaul its security practices in response to critical vulnerabilities, it remains imperative that organizations proactively manage their own cybersecurity posture. Implementing best practices such as defense-in-depth and robust vulnerability management processes, ensures that potential threats can be identified and mitigated effectively. Organizations must remain vigilant, continuously monitor their environments for signs of compromise, and apply security patches promptly to protect against emerging threats.

AT&T Data Breach

Bottom Line: The US-based telecommunications company AT&T confirmed the legitimacy of a data breach that appeared on dark web markets approximately two weeks ago. Stolen data may result in future attacks, such as spear-phishing and financial fraud. AT&T customers are urged to monitor their accounts for suspicious activity.

On March 30th, 2024, the US-based telecommunications company AT&T confirmed that private data belonging to the company is currently being shared online via dark web marketplaces. The leak of data impacts “7.6 million current AT&T account holders and approximately 65.4 million former account holders”. At this time, it is unclear whether AT&T was breached, leading to the loss of customer data, or if a third-party was compromised, but AT&T has stated that there is currently no indication of unauthorized access.

According to the AT&T disclosure, the data of 73 million current and former AT&T customers includes diverse personal information. The data leak involves Social Security Numbers (SSNs), names, email addresses, mailing addresses, phone numbers, dates of birth, and AT&T account numbers and passcodes. The data set appears to be from 2019 or earlier.

In response to the discovery of this data, AT&T is “communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable”. Additionally, passcodes have been reset for all confirmed impacted active clients. AT&T customers are strongly advised to review account activity and set up fraud alerts via credit bureaus. AT&T’s investigation into this incident is ongoing at the time of writing.

eSentire Threat Intelligence Analysis:

AT&T has a history of significant breaches. In 2023, a cyberattack on a third-party vendor resulted in data theft impacting 9 million AT&T customers. In August 2022, researchers discovered a data-dump with information on over 23 million current and former AT&T customers. Going back another year, in 2021, a threat actor posted data on over 70 million AT&T customers, although AT&T denied that data was taken from their systems. Telecommunication companies represent high value targets for both financially motivated threat actors and state-sponsored APT groups. These companies hold significant amounts of customer data, that may be used for espionage purposes, sold to other threat actors, or employed in future attacks.

Due to the breadth of stolen information, eSentire's Threat Intelligence team assesses it is almost certain that AT&T data will be incorporated into future attacks, including fraud, phishing, spear-phishing, and other email-based attacks. AT&T customers, both current and former, should take steps to ensure their security, including enabling Multi-Factor Authentication (MFA) wherever possible, monitoring their accounts, and following best practices regarding email security. End-users should be wary of any unprompted email communication relating to this breach, as threat actors often use such topics as a lure to steal credentials or deliver malware.

Organizations are encouraged to take a proactive approach to the risk of breaches. Dark web monitoring services can assist organizations in identifying breach data and preparing a response/notifying impacted clients. eSentire’s Dark Web Monitoring Service has captured the recent AT&T data breach.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.