Threat Briefing — May 24, 2024

Weekly Threat Briefing - May 20 - May 24

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Noteworthy News

Critical Flaw Found in Fluent Bit

Bottom Line: As Proof-of-Concept exploit code has been released for a critical Fluent Bit vulnerability (CVE-2024-4323), organizations need to review their environments and toolchains for potential impact and apply the available security patches as soon as possible.

On May 20th, researchers from Tenable released a technical report outlining a newly discovered critical vulnerability in Fluent Bit. Fluent Bit is a lightweight, open-source data collector and processor known for efficiently handling large volumes of log data from diverse sources; it is used by the majority of major Cloud providers, including Amazon, Google, and Microsoft. The vulnerability, referred to as “Linguistic Lumberjack” and tracked as CVE-2024-4323 (CVSS: 9.8), impacts Fluent Bit versions 2.0.7 through 3.0.3. Exploitation may result in Denial-of-Service (DoS), information disclosure, and, under certain conditions, Remote Code Execution (RCE) leading to full device compromise.

Tenable has released functional Proof-of-Concept (PoC) exploit code for Denial-of-Service attacks involving CVE-2024-4323. Exploitation of CVE-2024-4323 in the wild has not been identified at the time of writing.

A security patch to address this issue has been released. The issue was fixed by properly validating the data types of the values in the "inputs" array sent to the "traces" endpoint.
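The fix described above comes down to type-checking the request body before any value in the "inputs" array is used. The following is an added illustration written for this briefing, not Fluent Bit's own code or eSentire's: a small handler in the style of an HTTP endpoint that accepts a JSON body, and rejects anything where "inputs" is missing, is not an array, or contains a non-string element. The endpoint name `handle_traces` and the exact JSON shape are assumptions; the validation pattern is the point.

```python
from __future__ import annotations

import json

# Added example (hypothetical handler, not Fluent Bit's implementation):
# the request body is fully validated before any element of "inputs" is used,
# so downstream code can rely on every element being a string.


class ValidationError(ValueError):
    """Raised when the request body does not match the expected schema."""


def validate_traces_request(body: bytes) -> list[str]:
    """Parse a JSON request body and return the validated list of input names.

    Rejects anything that is not a JSON object with an "inputs" key holding a
    list of strings. Integers, booleans, nulls, objects and nested arrays are
    all refused where a string is expected, which is the class of input the
    patch guards against.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValidationError("body must be a JSON object")
    inputs = doc.get("inputs")
    if not isinstance(inputs, list):
        raise ValidationError('"inputs" must be a JSON array')
    for idx, value in enumerate(inputs):
        if not isinstance(value, str):
            raise ValidationError(
                f'"inputs"[{idx}] must be a string, got {type(value).__name__}'
            )
    return inputs


def handle_traces(body: bytes) -> tuple[int, dict]:
    """HTTP-style handler: 400 with a reason on bad input, 200 otherwise."""
    try:
        names = validate_traces_request(body)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 200, {"accepted": names}


if __name__ == "__main__":
    # Constructed sample bodies: one well-formed, the rest malformed.
    for sample in (b'{"inputs": ["cpu", "mem"]}',
                   b'{"inputs": ["cpu", 7]}',
                   b'{"inputs": [{"name": "cpu"}]}',
                   b'{"inputs": "cpu"}',
                   b'[1, 2, 3]',
                   b'not json'):
        print(sample, "->", handle_traces(sample))
```

The same check belongs on every element, not just the first: a body that mixes valid strings with one stray integer must still be rejected as a whole.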

eSentire released an advisory for CVE-2024-4323 on May 22nd. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. The eSentire Threat Response Unit (TRU) is actively reviewing available PoC exploit code for detection opportunities. Lastly, eSentire has coordinated with the relevant vendors to ensure remediation steps have been taken and eSentire is not impacted.

eSentire Threat Intelligence Analysis:

This vulnerability is highly concerning due to the widespread use of Fluent Bit, the potential impact of attacks, and the release of PoC exploit code. Fluent Bit has over 10 million daily deployments and more than three billion downloads total, making it extremely common across all industries. The release of PoC exploit code significantly increases the likelihood of real-world exploitation. While the Tenable PoC currently achieves only Denial-of-Service, it is probable that threat actors will use it as a starting point for an exploit that achieves full Remote Code Execution.

As a fix is available on the Fluent Bit GitHub repository, it is highly recommended that any organization using the service upgrade to the latest release immediately. If updates cannot be applied, review any configurations in your environment that expose Fluent Bit's monitoring API to ensure that only authorized users and services are able to query it. Additionally, organizations should review products and vendors for potential impact, ensuring that all impacted Cloud vendors have applied the update.
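The interim recommendation above, reviewing which configurations expose the monitoring API, can be turned into a repeatable check. The script below is an added example for this briefing (not an eSentire or Fluent Bit tool): it parses Fluent Bit's classic `[SECTION]` / `key value` configuration layout, reads the `HTTP_Server`, `HTTP_Listen` and `HTTP_Port` keys of the `[SERVICE]` section that control the built-in HTTP monitoring server, and reports whether that server is enabled on a non-loopback address. The two configurations are constructed samples, and the defaults the script assumes when a key is absent (`HTTP_Server Off`, `HTTP_Listen 0.0.0.0`, `HTTP_Port 2020`) are assumptions to verify against the documentation of the version you run.

```python
from __future__ import annotations

import ipaddress

# Constructed sample configurations (not from any real deployment). The weak
# one leaves the monitoring API reachable on every interface; the hardened one
# keeps it on, but bound to loopback only.
WEAK_CONFIG = """\
[SERVICE]
    Flush        5
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020

[INPUT]
    Name         cpu
"""

HARDENED_CONFIG = """\
[SERVICE]
    Flush        5
    HTTP_Server  On
    HTTP_Listen  127.0.0.1
    HTTP_Port    2020

[INPUT]
    Name         cpu
"""


def parse_classic_config(text: str) -> dict[str, dict[str, str]]:
    """Parse the classic config layout into {section: {key: value}}.

    Section and key names are lower-cased because Fluent Bit treats them
    case-insensitively. Repeated sections are merged, which is acceptable here
    because only [SERVICE] is inspected.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # a key before any section header: ignore it
        parts = line.split(None, 1)
        sections[current][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def audit_monitoring_api(text: str) -> dict:
    """Report whether the monitoring API is on and reachable beyond loopback.

    Assumed defaults when a key is absent: HTTP_Server Off, HTTP_Listen 0.0.0.0,
    HTTP_Port 2020 (check these against the docs for your release).
    """
    service = parse_classic_config(text).get("service", {})
    enabled = service.get("http_server", "off").lower() in ("on", "true")
    listen = service.get("http_listen", "0.0.0.0")
    port = service.get("http_port", "2020")
    try:
        loopback = ipaddress.ip_address(listen).is_loopback
    except ValueError:
        loopback = False  # a hostname: treat as reachable until proven otherwise
    exposed = enabled and not loopback
    finding = None
    if exposed:
        finding = (f"HTTP_Server is On and bound to {listen}:{port}; bind HTTP_Listen to a "
                   "loopback or management-only address, or restrict the port with a host "
                   "firewall / network policy until the patched release is deployed")
    return {"enabled": enabled, "listen": listen, "port": port,
            "exposed": exposed, "finding": finding}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_monitoring_api(cfg))
```

Binding to loopback is the narrow interim control; the durable fix remains upgrading past the affected range. On a container platform, the equivalent review is whether the port is published in the pod or task definition and whether a network policy limits who can reach it.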

Microsoft Phases Out VBScript

Bottom Line: As Microsoft has begun the process of deprecating VBScript, threat actors will be forced to alter their Tactics, Techniques, and Procedures (TTPs) to continue deploying malware successfully.

This week, Microsoft announced its plan to gradually deprecate Visual Basic Script (VBScript) on Windows. VBScript is a lightweight scripting language in the Windows OS used for automating tasks and controlling applications on Windows-based systems. The language has been actively supported for over 30 years. Microsoft states that VBScript is being removed in favor of more powerful and versatile scripting languages such as JavaScript and PowerShell. This will impact organizations that rely on VBScript. Additionally, the change will impact threat actors that employ VBScript for malware delivery.

The deprecation is set to take place in three phases over a period of years. In Phase One, beginning in late 2024, VBScript will only be available as a pre-installed Feature on Demand in Windows 11 version 24H2. During Phase Two, currently planned for 2027, VBScript will be disabled by default, meaning organizations will need to explicitly enable the scripting language. In Phase Three, VBScript will be fully disabled and not available for use. Microsoft has not announced a date for Phase Three.

Microsoft has recommended that organizations begin replacing VBScript now to minimize the future impact of the deprecation. In place of VBScript, Microsoft recommends JavaScript for its cross-browser capabilities and PowerShell for automation tasks.

eSentire Threat Intelligence Analysis:

Microsoft’s decision to deprecate VBScript will directly impact threat actors and the overall threat landscape. Malware authors that currently rely on VBScript for malware deployment will be forced to spend both resources and time shifting to other scripting languages. While there will be a short-term impact on threat actors, the change is not expected to have long-term effects, as alternative scripting languages are already heavily used by a wide range of threat actors; these include, but are not limited to, Lua, AutoIt, JavaScript, Batch, and PowerShell.

This announcement is comparable to Microsoft’s decision in 2023 to block Visual Basic for Applications (VBA) macros in files from the Internet by default. VBA macros had become a very common distribution method for both malware and ransomware. The change briefly impacted threat actor groups before they shifted to other delivery methods: attackers were observed moving from macro-laden emails to alternatives such as drive-by downloads leading to the deployment of LNK files.

eSentire has frequently observed malware incidents involving VBScript. These include now-defunct malware families, such as Emotet and Qakbot, as well as currently prevalent families such as DarkGate, GuLoader, and Lokibot.
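Until Phase Two disables VBScript by default, the delivery pattern described in the two paragraphs above (a script host running a .vbs file dropped by a phishing lure) is still worth a detection. The code below is an added example for this briefing, not an eSentire detection or any vendor's rule: it scores Sysmon-style process-creation events (field names `Image`, `CommandLine`, `ParentImage`) and flags `wscript.exe` / `cscript.exe` executing a .vbs or .vbe file from a user-writable download or temp path, or spawned by an Office application. The four events are constructed samples, including one benign logon script so the check is seen not firing.

```python
from __future__ import annotations

import re

# Constructed sample process-creation events (Sysmon-style field names); none
# of this is real telemetry. Event 2 is a benign GPO logon script, event 3 is a
# user opening a .vbs in an editor rather than running it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_4471.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //B C:\Users\bob\AppData\Local\Temp\update.vbs",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\logon\map_drives.vbs",
     "ParentImage": r"C:\Windows\System32\gpscript.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Downloads\invoice_4471.vbs",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
VBS_ARG = re.compile(r"\.vb[se]\b", re.IGNORECASE)
# Paths an ordinary user can write to; a hypothetical list, extend for your estate.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def vbscript_findings(event: dict) -> list[str]:
    """Return the reasons this event looks like VBScript-based malware delivery.

    An empty list means the event is either not a script host running a
    .vbs/.vbe file, or is one without any of the suspicious context checked.
    """
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    if not VBS_ARG.search(cmd):
        return []
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("VBScript launched from a user-writable download/temp path")
    parent = basename(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"script host spawned by Office process {parent}")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the check over a batch and keep only the events that fired."""
    return [(i, r) for i, e in enumerate(events) if (r := vbscript_findings(e))]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for reason in reasons:
            print("   -", reason)
```

The benign logon script is the reason the rule keys on context (origin path, parent process) rather than on the script host alone; an environment that still depends on VBScript for administration will otherwise drown the alert in noise. Once VBScript is disabled by default, the remaining script-host events become rare enough that the rule can be tightened further.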

The disruption to malware operations will be a positive change, but it is important that organizations begin transitioning away from VBScript in the near future, to avoid being negatively impacted by the change.

London Drugs Update

Bottom Line: The LockBit ransomware attack on London Drugs highlights the escalating threat of ransomware to critical retail and healthcare infrastructure. As of May 23rd, LockBit has begun leaking data stolen during the attack.

On April 28th, the Canadian pharmaceutical company London Drugs disclosed that the company had been impacted by a cybersecurity incident. The attack resulted in phone line outages and the closure of all 79 stores in Western Canada. Third-party cybersecurity experts were engaged to assist with containment, remediation, and to conduct a forensic investigation. London Drugs began gradually reopening on May 4th with some remaining closed until May 7th; pharmacies at all locations were operating a few days later.

On May 21st, the LockBit ransomware gang claimed responsibility for the April cyberattack on London Drugs. The group has posted London Drugs on their leak site, threatening to publish stolen data after negotiations allegedly failed. The group was demanding a ransom of $25 million by May 23rd.

London Drugs confirmed they had received a ransom demand but stated “London Drugs is unwilling and unable to pay ransom to these cybercriminals. We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the Dark Web.” They continued by saying “[a]t this stage in our investigation, we are not able to provide specifics on the nature or extent of employee personal information potentially impacted. Our review is underway, but due to the extent of system damage caused by this cyber incident, we expect this review will take some time to perform.”

On May 22nd, London Drugs was removed from LockBit’s leak site but was quickly relisted before the countdown expired. As of the evening of May 23rd, LockBit has begun sharing London Drugs data via their leak site. According to public reports, the leaked data may include employee information.

London Drugs states that it has notified all employees of the leak and provided 24 months of credit monitoring and identity theft protection services, regardless of whether or not their information is confirmed to be compromised.

eSentire Threat Intelligence Analysis:

This ransomware attack on London Drugs underscores the ongoing threat posed by ransomware groups targeting organizations across sectors globally. The use of data theft as leverage by the LockBit group highlights a concerning trend where threat actors employ extortion tactics to pressure victims into paying ransoms. In this tactic, known as double extortion, ransomware groups exfiltrate sensitive information before encrypting it and then threaten to release the stolen data if the victim does not pay, adding further pressure on organizations to comply with their demands.

The decision by London Drugs to refuse the ransom demand from the LockBit ransomware group was possibly influenced by revelations from Operation Cronos. This international law enforcement operation disrupted LockBit's operations and uncovered that the group had been retaining victim data even after receiving ransom payments. This contradicts the group's claims that paying the ransom would guarantee the deletion of stolen data. Given this context, London Drugs’ decision to refuse payment aligns with a growing recognition that paying ransoms does not ensure data protection and can perpetuate criminal activities. The failure of LockBit to honor their commitments, even after receiving payments, serves as a critical lesson for organizations facing similar threats.

As data stolen from London Drugs is now being released, all potentially impacted individuals need to be on high alert for scams and cyberattacks. The release of personal details will enable threat actors to craft targeted phishing emails and potentially carry out a variety of other financially motivated scams. Both employees and London Drugs customers are urged to exercise caution with unexpected emails during this period.

For more information on law enforcement action against LockBit, eSentire’s Threat Intelligence team discussed this topic in the May 10th edition of the Weekly Threat Briefing. Additionally, in the May 3rd edition of the Weekly Threat Briefing, eSentire’s Threat Intelligence team covered the initial disclosure of the London Drugs breach and assessed “it is highly probable that London Drugs was impacted by a ransomware attack.”

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
