TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
MOVEit Authentication Bypass Vulnerability
2024/06/26
BlackSuit Ransomware Impacts CDK Global
2024/06/25
2024/06/12
Bottom Line: As CVE-2024-5806 exploitation attempts have been identified, it is critical that organizations immediately apply the relevant security patches to all vulnerable MOVEit Transfer devices.
On June 25th, a critical vulnerability impacting MOVEit Transfer was publicly disclosed, along with security patches. CVE-2024-5806 (CVSS: 9.1) allows a remote, unauthenticated threat actor to access, modify, and steal sensitive data stored on MOVEit Transfer servers. Proof-of-Concept (PoC) exploit code and technical details for the vulnerability were disclosed the same day. CVE-2024-5806 impacts MOVEit Transfer versions “from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.” Upgrading to the latest version of MOVEit Transfer mitigates the vulnerability.
In order to exploit the vulnerability, there are three requirements that an attacker must meet:
Shortly after the disclosure of the vulnerability, the non-profit organization Shadowserver reported observing exploitation attempts. Post-exploitation activity and attacker objectives have not been released at the time of writing.
A second critical authentication bypass vulnerability was also disclosed on June 25th. CVE-2024-5805 (CVSS: 9.1): An improper authentication vulnerability in Progress MOVEit Gateway (SFTP module) allows authentication bypass. The vulnerability impacts MOVEit Gateway: 2024.0.0. There is currently no indication that CVE-2024-5805 has been exploited in the wild.
The eSentire Threat Intelligence team released an advisory on this topic on June 26th. eSentire’s Tactical Threat Response (TTR) team has created detections for CVE-2024-5806 exploitation attempts and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.
As exploitation has been confirmed, it is critical that organizations apply the available security patches immediately. In addition to patching, organizations are recommended to block inbound Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and limit outbound access to only trusted devices. As exploitation of CVE-2024-5806 requires accurate usernames, it is highly likely that threat actors will perform username spraying to identify legitimate accounts. To limit the likelihood of success, organizations should avoid the use of simple or standard usernames, such as Admin.
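Because exploitation of CVE-2024-5806 requires a valid username, the account enumeration that precedes it is a useful detection point. The following is an added example, not eSentire's or Progress's code; the log format is constructed for illustration and does not represent MOVEit Transfer's actual log format.

```python
"""Flag username spraying: one source IP failing authentication for many
distinct usernames inside a short window (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in the form "<ISO timestamp> <src_ip> <user> <result>".
# 203.0.113.7 cycles through guessed names; 198.51.100.4 is a user mistyping a password.
SAMPLE_LOG = """\
2024-06-26T10:00:01 203.0.113.7 admin FAIL
2024-06-26T10:00:02 203.0.113.7 administrator FAIL
2024-06-26T10:00:03 203.0.113.7 test FAIL
2024-06-26T10:00:04 203.0.113.7 jsmith FAIL
2024-06-26T10:00:05 203.0.113.7 root FAIL
2024-06-26T10:00:06 203.0.113.7 svc_transfer OK
2024-06-26T10:00:10 198.51.100.4 jsmith FAIL
2024-06-26T10:00:11 198.51.100.4 jsmith FAIL
2024-06-26T10:00:12 198.51.100.4 jsmith OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=5), threshold=4):
    """Return {src_ip: sorted distinct usernames} for every source whose failed
    logins name at least `threshold` distinct users within any `window` span.
    Repeated failures for a single account do not trigger (that is a typo, not a spray)."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()  # sliding window over time-ordered failures
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[ip] = sorted(users)
                break
    return alerts
```

Thresholds and the window should be tuned to the server's normal failure rate; a successful login from a source that was just flagged (svc_transfer above) deserves immediate review.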
MOVEit vulnerabilities have been heavily targeted by threat actors in the past. In June 2023, eSentire reported on a CLOP (Lace Tempest) extortion group campaign, which involved exploitation of the MOVEit vulnerability CVE-2023-34362 (CVSS: 9.8). The vulnerability was abused to access vulnerable servers and steal victim data. This data was then used as leverage in extortion schemes. As CLOP proved the potential value of this form of attack against MOVEit devices, it is probable that other threat actors will attempt to imitate the successful campaign by exploiting CVE-2024-5805 or CVE-2024-5806.
Bottom Line: CDK Global has been impacted by BlackSuit ransomware; the resulting outages affected 15,000 different North American organizations in the automotive industry.
On June 19th, CDK Global, a major provider of technology solutions for automotive dealerships, experienced a significant operational disruption due to a ransomware attack. The ransomware attack has halted critical services provided by CDK Global, including dealer management systems, Customer Relationship Management (CRM) tools, and other essential software solutions. The attack has forced many dealerships to revert to manual processes, significantly slowing down their operations and affecting sales and service capabilities. The incident reportedly led to a widespread outage that affected over 15,000 car dealerships across the United States and Canada. As of June 27th, restoration efforts are ongoing, with services restored for some, but not all, impacted automotive dealerships.
According to sources familiar with the incident, the attack was carried out by the BlackSuit ransomware group. BlackSuit ransomware emerged in May 2023 as a rebrand of the Royal ransomware gang. This group is known to perform double extortion, where data is exfiltrated prior to encryption and the stolen data is publicly released via a leak site if the extortion demand is not met. BlackSuit has been observed using a variety of initial access methods, including phishing, abuse of Remote Desktop Protocol (RDP), exploitation of vulnerabilities in Internet-facing applications, and purchasing stealer logs and credentials via darkweb marketplaces. Details relating to the breach of CDK Global are still minimal; it is unclear how threat actors gained access to the organization or whether data was exfiltrated prior to ransomware deployment.
The eSentire Threat Intelligence team released an advisory on this topic on June 25th. eSentire MDR for Endpoint maintains a variety of rules to detect ransomware and common ransomware precursor activity. Additionally, the eSentire product suite includes an array of detections for known BlackSuit Tactics, Techniques, and Procedures.
The attack against CDK Global has exposed the risks of critical dependencies within the automotive industry. Reliance on a sole digital solution, acting as a single point of failure, means that any disruption can have immediate and widespread consequences. Beyond the direct cost of the ransom, the corresponding downtime will lead to significant financial losses, and the impacted organization risks reputational damage.
According to individuals with knowledge of the incident, the BlackSuit group demanded a ransom in the tens of millions of dollars; the specific amount has not been disclosed. CDK publicly stated on June 22nd that full restoration is expected in several days, as opposed to weeks. This has led to speculation that CDK Global paid the ransom, as the average recovery time from a ransomware attack without paying the ransom is approximately three weeks. Despite this speculation, a spokesperson declined to comment on a potential ransom payment. It should be noted that paying a ransom demand does not guarantee the decryption of data or the deletion of stolen information. Additionally, some organizations that have paid ransom demands have later reported being targeted again by ransomware actors. Due to these concerns, many government organizations, including CISA, do not recommend paying ransom or extortion demands.
While the initial access method employed by BlackSuit to access CDK Global has not been publicly disclosed, the eSentire Threat Intelligence team was able to identify a large number of CDK domains in credential logs being sold online. These credential logs may be purchased and could be employed to access CDK, assuming that the credentials remain valid. Organizations may employ a Dark Web Monitoring Service in order to identify previously compromised credentials and rotate them before abuse occurs.
Bottom Line: Remote Monitoring and Management (RMM) tools are high value targets for threat actors. The recent breach of TeamViewer illustrates the interest that sophisticated threat actors have in similar products.
On June 26th, TeamViewer identified suspicious activity in its corporate IT environment, which has been attributed to APT29. TeamViewer has engaged a third-party incident response team, and current findings indicate the attack was confined to the corporate IT environment; there is no evidence of compromise of the product environment or customer data. TeamViewer stated the attack was “tied to credentials of a standard employee account within our Corporate IT environment.” They are continuing to provide updates via their Trust Center.
APT29, also known as Cozy Bear or Midnight Blizzard, is a Russian Advanced Persistent Threat (APT) group associated with Russia's Foreign Intelligence Service (SVR). Renowned for its sophisticated cyberespionage capabilities, APT29 has been linked to numerous high-profile cyberattacks, targeting governmental, diplomatic, think-tank, and energy sectors globally. Notable incidents include the 2016 Democratic National Committee breach, the 2020 SolarWinds attack, and a recent breach of Microsoft's corporate email environment. The group's methods often involve spear-phishing, malware deployment, and exploitation of zero-day vulnerabilities, highlighting their advanced operational capabilities.
This breach highlights the persistent threat from sophisticated actors and the need for robust defense measures, such as enhanced monitoring, network segmentation, regular incident response drills, and employee cybersecurity training.
Network segmentation, as implemented by TeamViewer, is a critical component of a robust cybersecurity strategy. By maintaining strict separation between the corporate IT, production environment, and the TeamViewer connectivity platform, the risk of unauthorized access and lateral movement within the network is significantly reduced. This segmentation ensures that even if one segment is compromised, the threat actor cannot easily propagate to other critical systems. As part of a comprehensive defense-in-depth approach, segmentation provides multiple layers of security, enhancing the overall resilience against sophisticated cyber threats like those posed by APT29. This strategy not only protects sensitive data but also helps in quickly isolating and addressing breaches, minimizing potential damage and operational impact.
The attribution of the attack to APT29 within a single day is unusually swift, prompting some to raise concerns about the accuracy of this assessment. Misattribution may provoke unwarranted geopolitical tensions and misguide defense strategies. Furthermore, the complexity of APT attacks often involves sophisticated techniques that can obscure the true origin, making false flag operations a significant concern. In such operations, attackers deliberately leave misleading clues to point investigators toward a different source, complicating the attribution process. This underscores the importance of thorough investigation and corroboration in cyber threat attribution to avoid these pitfalls and ensure effective responses.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.