TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Threat actors are impersonating helpful users on online code sharing and troubleshooting communities to socially engineer victims into executing malicious content.
In a recent report released by Sonatype, attackers have been abusing Stack Overflow to spread malware. Attackers provide seemingly helpful answers to user questions on the forum, promoting a malicious PyPI package that installs a Windows information stealer.
The PyPI package is called “pytoileur”; to trick unsuspecting users into executing the package, it masquerades as an API management tool. In several examples, users appear to be asking questions related to debugging, and the threat actors respond by claiming the malicious package is the solution to their issue.
The pytoileur package contains a setup.py file that pads a base64-encoded command with a long run of spaces so that it stays out of view for a user inspecting the code without word wrap enabled. The deobfuscated command downloads a malicious executable from a remote site: an information stealer that harvests cookies, passwords, browser history, credit card data, and other information from web browsers.
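The padding trick described above is easy to reproduce as a review check. The following Python script is an added example, not code from Sonatype or from the pytoileur package: it scans a setup.py for lines that are unusually wide, hide code behind a long run of whitespace, or carry base64 that decodes to readable text, and it collapses the padding so the hidden portion is visible in the finding. The sample setup.py is constructed for the example with a harmless stand-in payload (`print("hello")`); the real command is not reproduced. Width and whitespace thresholds are assumptions and should be tuned to the code base being reviewed.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample setup.py. It mimics the layout the text describes (a base64
# command pushed off-screen behind a long run of spaces) using a harmless stand-in
# payload, print("hello"); the real pytoileur command is not reproduced here.
PADDED_PAYLOAD = base64.b64encode(b'print("hello")').decode()
SAMPLE_SETUP_PY = "\n".join([
    "from setuptools import setup",
    "import base64",
    'version = "0.1"' + " " * 300 + f'; exec(base64.b64decode("{PADDED_PAYLOAD}"))',
    'setup(name="example-package", version=version)',
])

# Heuristics (assumed thresholds): code that follows a long run of whitespace,
# and tokens that look like base64.
SPACE_RUN = re.compile(r"[ \t]{40,}\S")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def try_decode(token: str) -> Optional[str]:
    """Return the decoded text if `token` is strict base64 that yields printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_setup_py(source: str, max_width: int = 120) -> list:
    """Flag lines that are unusually wide, hide code behind whitespace padding,
    or carry base64 that decodes to readable text. Returns one finding per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        reasons = []
        if len(line) > max_width:
            reasons.append(f"line is {len(line)} characters wide")
        if SPACE_RUN.search(line):
            reasons.append("code follows a long run of whitespace")
        decoded = [t for t in (try_decode(tok) for tok in B64_TOKEN.findall(line))
                   if t is not None]
        if decoded:
            reasons.append("contains base64 that decodes to text")
        if reasons:
            findings.append({
                "line": lineno,
                "reasons": reasons,
                "decoded": decoded,
                # Collapse the padding so the preview shows what was hidden.
                "preview": re.sub(r"\s{2,}", " ", line.strip())[:80],
            })
    return findings


if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
        print(f"  preview: {f['preview']}")
        for text in f["decoded"]:
            print(f"  decoded: {text!r}")
```

Run against the constructed sample, the scanner reports only line 3, with all three reasons, and shows the decoded stand-in payload. Decoding is done with `validate=True` so that ordinary identifiers are not misreported, and the decoded text is surfaced for review rather than executed.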
eSentire recently observed a similar incident in which a user searching for a solution to a Windows error message would have been infected with Vidar; the endpoint agent prevented the malware from executing. The user had landed on a fake IT support website that provided instructions on how to copy, paste and run a PowerShell script claiming to fix the issue. When the script is executed, it contacts a series of Command-and-Control (C2) domains, retrieving multiple scripts and files and ultimately downloading and executing the Vidar stealer. Further investigation also identified a YouTube video promoting the same "fix", with comments from bot accounts falsely claiming the solution was effective.
The increase in attackers impersonating helpful users within online code sharing and troubleshooting communities highlights the ever-evolving threat landscape that users must be aware of. Attackers leverage the trust built within these communities to avoid suspicion from unsuspecting users, allowing them to trick the users into executing malicious payloads, bypassing possible security measures organizations have.
These types of attacks are not new but have increased recently. For example, GitHub has been a common place for attackers to create malicious projects masquerading as useful tools for unsuspecting victims to execute. Because the users who typically execute tools or run code within an organization hold elevated privileges, these attacks may provide threat actors an easy way into an organization’s network with increased access.
Organizations should provide user awareness training, specifically around code sharing and troubleshooting websites. As most of the observed malware being executed on devices is related to credential stealing, it is important that users enable Multi-Factor Authentication (MFA) to prevent account compromise if passwords are stolen.
Bottom Line: Exploitation of the high-severity Check Point vulnerability, CVE-2024-24919, has transitioned from limited to widespread attacks. All organizations employing Check Point VPN products need to review devices for impact and ensure security patches are deployed.
According to a new report from researchers at GreyNoise, exploitation of the high-severity Check Point Security Gateway vulnerability, CVE-2024-24919, has transitioned from limited exploitation to widespread attacks. CVE-2024-24919 (CVSS: 8.6) is an information disclosure vulnerability. Exploitation would allow a remote threat actor to read certain information on Check Point Security Gateways, which may enable access, lateral movement, and domain admin privileges. The vulnerability was disclosed on May 28th but was exploited as a zero-day vulnerability as early as April 7th, 2024. Functional Proof-of-Concept (PoC) exploit code is widely available.
Beginning June 3rd, and continuing through June 4th, GreyNoise identified a significant increase in attempts to exploit the vulnerability. According to the report, at least 10 separate payloads have been delivered via exploitation to date. GreyNoise does not provide details on the observed payloads or attacker goals.
eSentire has observed at least one instance of exploitation of the vulnerability. In the observed case, threat actors established persistence on the Check Point service account by registering a new Microsoft Multifactor Authenticator device. The attack was disrupted before attacker goals could be ascertained.
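The persistence technique observed above (a new MFA device registered on a service account) leaves a trace in identity audit logs, and that trace is worth alerting on regardless of the entry vector. The following Python script is an added example, not eSentire's or Microsoft's code: it reads an exported audit log, keeps successful security-info registration events, and raises an alert when the target is a known service account or when the registration was initiated by a different account than the one it was registered on. The log excerpt is constructed for the example; its field names follow the Microsoft Graph directoryAudit shape as assumed here (activityDisplayName, targetResources, initiatedBy, result, additionalDetails), and the accounts and timestamps are invented.

```python
import json

# Constructed audit-log excerpt. Field names follow the Microsoft Graph
# directoryAudit shape as assumed for this example; accounts and times are invented.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # ordinary user enrolling their own authenticator: expected, no alert
        "activityDateTime": "2024-06-03T09:12:44Z",
        "activityDisplayName": "User registered security info",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}],
        "additionalDetails": [{"key": "Security info type", "value": "Microsoft Authenticator"}],
    },
    {   # service account self-enrolling an authenticator: the persistence pattern
        "activityDateTime": "2024-06-03T21:47:03Z",
        "activityDisplayName": "User registered security info",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "svc-checkpoint-vpn@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "svc-checkpoint-vpn@example.com"}],
        "additionalDetails": [{"key": "Security info type", "value": "Microsoft Authenticator"}],
    },
    {   # failed registration: ignored by the scan
        "activityDateTime": "2024-06-03T21:45:10Z",
        "activityDisplayName": "User registered security info",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "svc-checkpoint-vpn@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "svc-checkpoint-vpn@example.com"}],
        "additionalDetails": [{"key": "Security info type", "value": "Microsoft Authenticator"}],
    },
    {   # registration performed by one account on another: flagged for review
        "activityDateTime": "2024-06-04T08:03:10Z",
        "activityDisplayName": "User registered security info",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}],
        "additionalDetails": [{"key": "Security info type", "value": "Phone"}],
    },
])

# Constructed inventory of accounts that must never enrol MFA devices on their own.
SERVICE_ACCOUNTS = {"svc-checkpoint-vpn@example.com"}

# Activity names treated as "an MFA method was registered" (assumed for this example).
REGISTRATION_EVENTS = {
    "User registered security info",
    "User registered all required security info",
}


def _target_upn(event):
    for res in event.get("targetResources", []):
        if res.get("type") == "User" and res.get("userPrincipalName"):
            return res["userPrincipalName"].lower()
    return None


def _actor_upn(event):
    upn = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
    return upn.lower() if upn else None


def _detail(event, key):
    for item in event.get("additionalDetails", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def find_suspicious_registrations(events, service_accounts):
    """Return one alert per successful MFA registration that lands on a service
    account or was initiated by an account other than the target."""
    alerts = []
    for ev in events:
        if ev.get("activityDisplayName") not in REGISTRATION_EVENTS:
            continue
        if ev.get("result") != "success":
            continue
        target, actor = _target_upn(ev), _actor_upn(ev)
        reasons = []
        if target in service_accounts:
            reasons.append("MFA method registered on a service account")
        if actor and target and actor != target:
            reasons.append(f"registration initiated by a different account ({actor})")
        if reasons:
            alerts.append({
                "time": ev.get("activityDateTime"),
                "account": target,
                "method": _detail(ev, "Security info type"),
                "reasons": reasons,
            })
    return alerts


def scan_audit_log(text, service_accounts=SERVICE_ACCOUNTS):
    """Parse an exported JSON audit log and return the alerts for it."""
    return find_suspicious_registrations(json.loads(text), {a.lower() for a in service_accounts})


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(alert["time"], alert["account"], alert["method"], "|", "; ".join(alert["reasons"]))
```

On the constructed log the scan produces two alerts: the service-account enrolment and the registration performed by a different account. The second kind is often legitimate helpdesk activity, so it is worth routing to a review queue rather than an automatic response, while the first should be treated as a compromise indicator and paired with the credential reset recommended above.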
Censys released a report showing that, as of June 3rd, it had observed a total of 13,754 "Censys-visible" Check Point VPN gateways vulnerable to CVE-2024-24919. Organizations making use of Check Point VPN gateways need to take immediate action to ensure that all vulnerable devices are remediated.
eSentire released an advisory for CVE-2024-24919 on May 29th. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices, and eSentire MDR for Network has rules to identify exploitation attempts. Additionally, the eSentire Threat Intelligence team has performed, and continues to perform, threat hunts based on known Indicators of Compromise (IoCs).
As the exploitation of CVE-2024-24919 has now transitioned from limited to widespread, it is critical that all vulnerable organizations apply the relevant security patches immediately. In addition to patching, organizations are strongly encouraged to review any potentially impacted devices for signs of compromise. While patching will prevent future abuse, any data that was previously compromised is still at risk of use by threat actors. If any signs of compromise are identified, it is critical that organizations reset credentials to minimize the risk of their abuse.
In addition, Check Point has provided recommendations to harden the security of their Gateways:
It is likely that early exploitation in April and May was limited to a single threat actor group, and those attacks would almost certainly have been carried out in a targeted fashion. Exploitation of CVE-2024-24919 is considered simple, and the release of PoC exploit code has lowered the bar further. These conditions, paired with the availability of Internet-exposed vulnerable devices, have created a scenario where exploitation by even low-skilled actors is trivial. It is now certain that a variety of financially motivated threat actors are opportunistically exploiting the vulnerability.
Bottom Line: The scope and attention that the Olympic games receive makes the event a high-value target for threat actors of varying motivations. Organizations are advised to have a heightened security standard during the 2024 Paris Olympic games.
This week, Microsoft, Recorded Future, and Mandiant all released reports detailing the range of cyber threats facing the 2024 Paris Olympic Games. For state-sponsored actors, cybercriminals, and hacktivists, the high-profile nature of the event makes it an attractive target for espionage, influence operations, disruptive cyberattacks, and financial gain.
The games face significant state-sponsored threats from Russia, China, Iran, and North Korea, with each nation employing different tactics based on their geopolitical interests. Russia is expected to be the most active, with a history of disruptive cyberattacks, such as the GRU's 2018 Pyeongchang Winter Olympics incident and the 2016 Rio de Janeiro Olympics hack-and-leak campaign. Russian actors will likely continue to use AI-generated disinformation, false-flag operations, and Olympic-themed lures for espionage. China, while less likely to engage in disruptive attacks, is expected to focus on intelligence gathering through Olympic-themed infrastructure and lures. Iran is anticipated to conduct espionage against organizations and individuals associated with the Games, using intrusion attempts and AI-generated content to further its influence. North Korea, although primarily focused on revenue generation, may support Russian operations or conduct intelligence-gathering campaigns, leveraging its close relationship with Russia.
Cybercriminal threats to the Paris Olympics include ransomware attacks, phishing scams, and the activities of Initial Access Brokers (IABs). Ransomware groups are likely to target critical sectors such as government, healthcare, transportation, and hospitality, employing tactics like double extortion. Historical incidents, such as the 2024 ransomware attacks on Gravelines and Hospital Simone Veil, highlight the potential for significant disruptions. IABs may exploit vulnerabilities in corporate networks, selling access on dark web forums using methods like infostealer malware and credential stuffing. Phishing and smishing campaigns will increase as the event approaches, using Olympic-themed lures to harvest credentials and Personally Identifiable Information (PII).
Hacktivist threats are expected to intensify, driven by ideological motivations and geopolitical tensions. Pro-Russian hacktivists, including groups like the Cyber Army of Russia Reborn, NoName057(16), and Anonymous Sudan, are likely to launch DDoS attacks and website defacements in response to perceived anti-Russian actions and France's support for Ukraine. Middle Eastern-nexus hacktivists, motivated by Israel's participation and France's support for Israel, will likely target French entities with similar tactics. Groups such as Turk Hack Team, AnonGhost Indonesian, Garnesia Team, and LulzSec have historically targeted French government entities and are expected to exploit the Olympics to gain notoriety and spread fear. These attacks, while often low impact, can cause significant reputational damage and disrupt event logistics.
State-sponsored influence operations will be crucial in undermining the 2024 Paris Olympics. Russian influence campaigns will likely focus on discrediting the Games, highlighting France's alleged unpreparedness and security risks, as well as promoting anti-Russian bias narratives. Iran is expected to leverage the event to advance its anti-Israel agenda, using AI-generated content and covert influence networks to target audiences susceptible to opposing Israel's participation. China, while primarily promoting pro-China messaging, may engage in influence operations defending its athletes against doping accusations. These malign influence activities will employ a combination of overt state media and covert operations, aiming to erode public confidence, amplify geopolitical tensions, and disrupt the Games' smooth execution.
The diverse threats facing the 2024 Paris Olympics highlight the complexities of securing a global event. The convergence of state-sponsored espionage, cybercriminal activities, hacktivist disruptions, and influence operations poses significant risks to public confidence, event logistics, and the host nation's reputation.
Several historical incidents highlight the persistent and evolving nature of cyber threats to international sporting events. The GRU's 2018 attack on the Pyeongchang Winter Olympics with the Olympic Destroyer malware disrupted internal servers and caused significant logistical challenges. This attack demonstrated the capacity of state actors to execute highly disruptive cyber operations targeting global events. Similarly, the 2016 hack-and-leak campaign by Russian hackers against the World Anti-Doping Agency (WADA) revealed private medical information of athletes, aiming to discredit Western competitors and retaliate against doping sanctions. The use of AI-generated content in influence campaigns, as seen in Russia's "Olympics Has Fallen" disinformation effort, represents a significant evolution in propaganda tactics, utilizing advanced technologies to lend credibility to false narratives. These precedents emphasize the ongoing and adaptive nature of cyber threats, necessitating robust and dynamic defense strategies.
To mitigate the risks posed by the diverse and sophisticated cyber threats to the 2024 Paris Olympics, a multi-faceted and proactive approach is essential. Enhanced cybersecurity measures should be implemented across all critical infrastructure sectors, including multi-layered security protocols, regular vulnerability assessments, and advanced threat detection systems. Awareness and training programs are also crucial for educating staff, volunteers, and stakeholders about phishing, social engineering tactics, and other cyber threats.
Countering disinformation by providing accurate and timely information through official channels as well as engaging with social media platforms to swiftly identify and remove false content, will further bolster the integrity and security of the event. These combined strategies will help safeguard the 2024 Paris Olympics, ensuring the event's safety, integrity, and success.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.