TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Qualys has confirmed the existence of a high-severity Remote Code Execution (RCE) vulnerability, impacting OpenSSH. Despite significant exploitation barriers, there are reports of targeted exploitation attempts.
On July 1st, researchers from Qualys disclosed a high-severity vulnerability impacting OpenSSH. OpenSSH is a suite of networking tools based on the Secure Shell (SSH) protocol. The vulnerability is tracked as CVE-2024-6387 (CVSS: 8.1) and is colloquially referred to as regreSSHion. The name was chosen because it is a regression vulnerability: the flaw had been patched in earlier versions but was reintroduced in a later update.
CVE-2024-6387 is a race condition in OpenSSH's server (sshd). If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in older OpenSSH versions), sshd's SIGALRM handler is invoked asynchronously; because that handler calls functions that are not safe to run from a signal handler, the interrupted code can be left in an exploitable state. A remote, unauthenticated threat actor may abuse the vulnerability to achieve Remote Code Execution (RCE) with root privileges. The vulnerability impacts OpenSSH servers on Linux from version 8.5p1 up to but not including 9.8p1.
In their report, Qualys states they have developed a working exploit for the vulnerability but will not share it publicly. Since the publication, multiple Proof-of-Concept (PoC) exploits of varying quality have been released. The eSentire Threat Intelligence team is aware of, but has not validated, claims that exploitation attempts have been identified in the wild. According to public reporting, attacks have primarily targeted China-based organizations.
As PoC exploit code is available, and there are early reports of attacks, organizations are recommended to ensure that security patches addressing CVE-2024-6387 are deployed. eSentire MDR for Network has rules in place to detect exploitation attempts and eSentire Managed Vulnerability Service (MVS) has plugins to identify vulnerable devices. The Tactical Threat Response (TTR) team is actively investigating this vulnerability for new detection opportunities.
As OpenSSH provides an entry point into organizations' networks and has historically been secure, any vulnerability impacting the software is highly valuable to attackers. Vulnerabilities impacting OpenSSH have been relatively rare; as such, CVE-2024-6387 is garnering significant attention.
Despite the attention that the vulnerability is receiving, the eSentire Threat Intelligence team assesses that it is unlikely CVE-2024-6387 will see widespread exploitation. Qualys states regreSSHion is hard to exploit and requires multiple attempts to achieve the necessary memory corruption. On average, it takes roughly 10,000 exploitation attempts, in a lab setting, for successful exploitation to occur. In a real-world attack scenario, the number of attempts may be much higher. Additionally, there are limits to the number of exploit attempts possible due to the login timeout, meaning that a successful exploit may take over 24 hours to achieve. These requirements make attacks both slow and noisy, increasing the likelihood they will be identified by defenders.
Although the vulnerability has a high barrier to exploitation, it is possible that state-sponsored threat actors will dedicate the resources to create working exploit code, as OpenSSH plays a critical role in securing entry to an organization's network. As updates are available, organizations using OpenSSH should apply patches immediately.
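The briefing makes two practical points for defenders: the affected version range is narrow (8.5p1 up to but not including 9.8p1), and exploitation is slow and noisy because each attempt has to run into the LoginGraceTime timeout. The following Python script, added here as an illustration and not code from eSentire or Qualys, turns both into checks: it parses an OpenSSH banner against the stated range, and it scans syslog-style sshd lines for sources that accumulate many "Timeout before authentication" events (the message sshd logs when the grace-time alarm fires) inside a sliding window. The log lines, hostnames, addresses, threshold and window size are all constructed sample values, not data from the briefing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Affected range as stated in the briefing (Linux builds): 8.5p1 <= version < 9.8p1.
# Compared on major.minor only, since the range boundaries are release lines.
AFFECTED_MIN = (8, 5)
FIXED_IN = (9, 8)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Extract (major, minor, portable_release) from an SSH banner or `ssh -V` string.

    Returns None when no OpenSSH version is present. A missing 'pN' suffix is
    recorded as 0 (e.g. an OpenBSD-native build)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def in_affected_range(banner):
    """True if the banner's major.minor falls inside the CVE-2024-6387 range.

    Caveat: distributions backport fixes without changing the version string, so a
    hit means 'confirm against the vendor advisory / patch level', not 'vulnerable'."""
    v = parse_openssh_version(banner)
    if v is None:
        return False
    return AFFECTED_MIN <= v[:2] < FIXED_IN


# Syslog-style line, e.g.:
# Jul  1 10:00:13 bastion sshd[4000]: Timeout before authentication for 203.0.113.5 port 50000
_TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def find_timeout_bursts(lines, threshold=20, window_seconds=3600, year=2024):
    """Return {source_ip: total_timeouts} for sources whose grace-time timeouts reach
    `threshold` within any sliding window of `window_seconds`.

    A single connection can only time out once per LoginGraceTime, so a count far
    above window_seconds / LoginGraceTime from one source implies many parallel
    connections, which is what repeated exploitation attempts look like."""
    events = defaultdict(list)
    for line in lines:
        m = _TIMEOUT_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[m.group("ip")].append(ts)

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until all events in [start, end] fit the window.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def _sample_log():
    """Constructed sample: one source times out 25 times in 25 minutes (far more than
    one connection could produce at LoginGraceTime 120), another source twice, 85
    minutes apart, plus an unrelated successful login."""
    lines = [
        f"Jul  1 10:{i:02d}:13 bastion sshd[{4000 + i}]: "
        f"Timeout before authentication for 203.0.113.5 port {50000 + i}"
        for i in range(25)
    ]
    lines.append("Jul  1 10:05:02 bastion sshd[4100]: Timeout before authentication for 198.51.100.7 port 41000")
    lines.append("Jul  1 11:30:40 bastion sshd[4101]: Timeout before authentication for 198.51.100.7 port 41001")
    lines.append("Jul  1 10:07:00 bastion sshd[4102]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for banner in ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2", "SSH-2.0-OpenSSH_9.8p1"):
        print(banner, "->", "in affected range" if in_affected_range(banner) else "outside range")
    print("noisy sources:", find_timeout_bursts(SAMPLE_LOG))
```

The threshold should be tuned to the host: a busy bastion sees occasional pre-authentication timeouts from scanners, but tens of them from one source inside an hour is well outside what LoginGraceTime allows a single client, which is exactly the "slow and noisy" signature the briefing describes. The version check is a triage aid only; patch level, not the banner, decides whether a host is still exposed.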
Bottom Line: TeamViewer has confirmed that the recent breach only impacted internal employee data. To date, there is no indication that the attack impacted customer data or production environments.
On June 26th, TeamViewer identified suspicious activity in its corporate IT environment, which has been attributed to APT29. TeamViewer engaged Microsoft for their incident response process where they confirmed the attack was limited to their internal corporate IT environment. They stated attackers did not have access to the separate product environment, the TeamViewer connectivity platform, nor any customer data.
TeamViewer disclosed that according to current findings, the attacker was able to leverage a compromised employee account to copy employee directory data such as names, corporate contact information, and encrypted employee passwords. The employees have been informed as well as the relevant authorities.
On July 4th, TeamViewer released an update regarding the breach, confirming their previous statements that the attack was limited to the corporate IT environment. The findings confirm that the software solutions are unaffected and secure. TeamViewer has conducted remediation measures, verifying there was no suspicious activity on their internal corporate IT environment after the attack was blocked upon detection.
APT29, also known as Cozy Bear or Midnight Blizzard, is a Russian Advanced Persistent Threat (APT) group associated with Russia's Foreign Intelligence Service (SVR). Renowned for its sophisticated cyberespionage capabilities, APT29 has been linked to numerous high-profile cyberattacks, targeting governmental, diplomatic, IT, think-tank, and energy sectors globally. Notable incidents include the 2016 Democratic National Committee breach, the 2020 SolarWinds attack, and a recent breach of Microsoft's corporate email environment. The group's methods often involve spear-phishing, malware deployment, and exploitation of zero-day vulnerabilities, highlighting their advanced operational capabilities.
eSentire covered the initial disclosure of the TeamViewer breach in the June 28th edition of Weekly Threat Briefing.
The recent TeamViewer breach highlights the importance of network segmentation as a critical component of a robust cyber defense strategy. By isolating the corporate IT environment, the production environment, and the connectivity platform from one another, TeamViewer reduced the risk of unauthorized access and lateral movement within its network. This segmentation ensures that even if one segment is compromised, the compromise does not easily propagate to other critical systems. Applying the principle of least privilege, granting accounts only the permissions they require, plays a critical role in limiting further malicious activity if an account is compromised.
Organizations should perform risk assessments for all vendors, most notably where the product relates to remote access or authentication, as such products can be leveraged to compromise networks easily. It is important to consider the vendor's history of cyberattacks, and whether its security stance has significantly improved post-compromise. For example, LastPass suffered back-to-back compromises, leading some users to lose trust in the product altogether.
Although the attack was attributed to APT29, additional details regarding how attribution was made have not been shared at this time. On January 19th, Microsoft released a statement regarding a compromise of their corporate systems. The attack was attributed to APT29, also sharing a commonality with the TeamViewer breach as an account compromise had been the entry point for attackers.
Bottom Line: As the U.S. presidential election approaches, government agencies are warning of insider threats to the election process.
In an effort to protect the integrity of the 2024 U.S. election cycle, the Federal Bureau of Investigation (FBI), in coordination with the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Election Assistance Commission (EAC) released guidance to help election officials defend against insider threats. An insider threat is defined as “an individual or group who uses their authorized access or special knowledge to cause harm to an organization or entity.” Examples of insiders include current or former employees, contractors, volunteers, or others with privileged access.
U.S. agencies highlighted a few recent examples of insider threats against election infrastructure. One case involved a temporary election worker using an unauthorized flash drive to extract voter registration data. Another incident saw a county clerk and subordinate granting unauthorized access to voting machines, disabling security cameras, and providing false credentials. A third example reported an unauthorized laptop connected to a government network during a primary election, with the election data later appearing publicly. Additionally, two county officials allowed unauthorized users to access election systems during an audit, leading to the machines' decertification.
While current insider threats have been domestic, foreign adversaries have shown interest in U.S. elections since 2016. These adversaries may exploit insider access through various means to disrupt election processes and undermine confidence in election integrity. They could exploit insiders' ideological views, provide financial incentives, or use coercion to gain their cooperation. By gaining such insider access, foreign actors could potentially disrupt election operations, spread misinformation, and create doubt about the security and fairness of the electoral process, damaging public trust in democratic institutions.
The increasing sophistication and frequency of insider threats pose significant challenges to the security and integrity of U.S. elections. These threats can undermine public confidence in democratic processes and lead to severe disruptions if not effectively managed.
The history of targeting election infrastructure, coupled with heightened geopolitical tensions, has created an environment ripe for attacks against election systems. Since 2016, U.S. elections have been a focal point for both domestic and foreign adversaries seeking to influence outcomes and undermine public confidence. The 2016 U.S. presidential election, marked by significant foreign interference, set a precedent for how vulnerable election systems can be to cyber and insider threats. Increased geopolitical tensions further exacerbate this risk. Global conflicts, economic sanctions, and ideological differences incentivize state and non-state actors to destabilize perceived adversaries. Domestically, polarizing political landscapes and contentious social issues make election systems prime targets for those seeking to exploit or amplify divisions.
In their report, the FBI, DHS, CISA, and EAC provide guidance on mitigating the risk of insider threats; these recommendations are applicable to all organizations, not just those involved in elections. Key strategies include implementing Standard Operating Procedures (SOPs), access control systems, chain of custody procedures, zero trust security, continuous monitoring, and routine audits. SOPs ensure consistency in tasks, while access control systems should follow the principle of least-privilege by limiting individuals’ access to data and facilities only to those systems essential to perform their job functions. Chain of custody procedures track asset movement, and zero trust security operates on the principle of "always verify." Continuous monitoring and routine audits help detect and address potential threats, ensuring security measures are effective, thereby safeguarding assets, maintaining operational integrity, and upholding public trust.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.