Threat Briefing — July 12, 2024

Weekly Threat Briefing - July 8 - 12

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Recent Threat Intelligence Advisories

Noteworthy News

Microsoft Patch Tuesday Release

Bottom Line: July 9th marked Microsoft’s monthly Patch Tuesday release. This month, Microsoft highlighted four zero-day vulnerabilities, two of which are confirmed to be actively exploited by threat actors. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.

On July 9th, Microsoft released their monthly Patch Tuesday vulnerability updates. The updates include a total of 142 vulnerabilities, 4 of which are marked as zero-days, 2 of which are actively exploited in the wild. Organizations are strongly recommended to apply the updates immediately.

The four zero-day vulnerabilities are as follows:

Following the release of Microsoft's Patch Tuesday, Check Point Research published a technical report the same day describing how CVE-2024-38112 is being actively exploited. Attackers leverage the vulnerability by creating a specially crafted Windows Internet Shortcut (.url) file disguised as a PDF document. When the user opens it, the .url file exploits CVE-2024-38112 to navigate to an attacker-controlled website, from which an HTML Application (.hta) file, also disguised as a PDF document, is downloaded. Once that file is executed, the attackers have a foothold on the victim's device.

Details surrounding the remaining zero-day vulnerabilities are limited, with no information provided for the active exploitation of CVE-2024-38080. eSentire’s Threat Intelligence team continues to track this release for notable updates. In response to the Patch Tuesday disclosure, eSentire’s Threat Intelligence team has validated that eSentire Managed Vulnerability Service (MVS) plugins exist for all newly disclosed zero-day vulnerabilities and detect vulnerable devices.

eSentire Threat Intelligence Analysis:

Microsoft's comprehensive response to these vulnerabilities through its Patch Tuesday updates emphasizes the critical importance of regular and thorough security practices, including vulnerability management and the prompt application of patches.

The use of MSHTML to trick users into downloading and executing malicious files is not a new concept but appears to continue to be a threat as the files for Internet Explorer remain on Windows. As exploitation of CVE-2024-38112 occurred prior to patches being released, mitigation opportunities were limited. In situations such as zero-day exploitation, EDR solutions may act as a stop-gap measure, where the exploit is not identified, but the follow-on malicious activity can be detected.

As a user is required to interact with a .url file to exploit CVE-2024-38112, organizations can provide security awareness training to help employees identify any suspicious or malicious files. Due to CVE-2024-35264 and CVE-2024-37985 requiring additional steps, including winning a race condition, to perform the exploits, it is unlikely they will be leveraged by attackers in the wild.
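The masquerade described above (a .url shortcut named like a document that points at an external web site) leaves artefacts a defender can triage even when the exploit itself is not recognised. The following is an added example written for this briefing, not eSentire tooling or code from the Check Point report; the trusted host name and the sample shortcut files are constructed for illustration.

```python
"""Triage of Windows Internet Shortcut (.url) files for the pattern described
in the briefing: a shortcut disguised as a PDF whose target is an external
web site. Added example, not eSentire or Check Point code. The trusted host
and the sample files below are constructed placeholders."""
import configparser
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Extensions an attacker would borrow to make a shortcut look like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Hosts treated as internal for this example (constructed placeholder).
TRUSTED_HOSTS = {"intranet.example.internal"}

# Constructed sample .url contents; the first mimics the briefing's lure.
SAMPLE_FILES = {
    "Quarterly_Report.pdf.url": (
        "[InternetShortcut]\n"
        "URL=http://files.example-attacker.test/report\n"
        "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
        "IconIndex=13\n"
    ),
    "Benign Intranet Link.url": (
        "[InternetShortcut]\nURL=https://intranet.example.internal/wiki\n"
    ),
}


@dataclass
class UrlVerdict:
    filename: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> str:
    """Return the URL= value of the [InternetShortcut] section, or '' if absent.
    .url files are INI-formatted, so configparser handles them directly."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ""
    return parser.get("InternetShortcut", "URL", fallback="").strip()


def triage_url_file(filename: str, text: str) -> UrlVerdict:
    """Apply two checks: a masked document extension and an external target."""
    target = parse_url_file(text)
    verdict = UrlVerdict(filename=filename, target=target)
    name = filename.lower()
    if not name.endswith(".url"):
        return verdict  # not a shortcut; out of scope for this check
    stem = name[: -len(".url")]
    # 1. Double extension: Explorer hides the .url suffix, so
    #    "Quarterly_Report.pdf.url" is displayed as "Quarterly_Report.pdf".
    for ext in sorted(DOCUMENT_EXTENSIONS):
        if stem.endswith(ext):
            verdict.reasons.append(f"document extension {ext} masked by .url")
            break
    # 2. The shortcut navigates to a web host outside the trusted set.
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        if parsed.hostname and parsed.hostname not in TRUSTED_HOSTS:
            verdict.reasons.append(f"external web target {parsed.hostname}")
    elif parsed.scheme:
        # Anything other than a plain web link deserves an analyst's look.
        verdict.reasons.append(f"non-web scheme {parsed.scheme}:")
    return verdict


def suspicious_files(files: dict) -> list:
    """Return the names of shortcut files that tripped at least one check."""
    return [n for n, t in files.items() if triage_url_file(n, t).suspicious]


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        v = triage_url_file(name, text)
        print(name, "->", v.reasons or "clean")
```

Run over a quarantine directory or mail-gateway attachment store, this gives analysts a shortlist; it is a triage aid, not a replacement for the patch, and the trusted host list needs to reflect the organisation's real intranet names.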

RockYou2024: Compilation of 10 billion Leaked Passwords

Bottom Line: Recent data breaches have been added to the original RockYou2021 dataset. The posting, dubbed RockYou2024, will enable a variety of attacks involving the abuse of valid credentials.

On July 4th, researchers from Cybernews reported on the discovery of a breach compilation containing nearly 10 billion clear-text passwords. The collection of passwords is dubbed RockYou2024; it was shared on cybercrime forums by a user with the moniker ObamaCare. The shared file contains 9,948,575,739 unique plaintext passwords. The passwords included in this compilation are all from previous breaches; no new or unreported breaches are included.

The vast majority of passwords included in the breach were part of the RockYou2021 compilation. This initial compilation included 8.4 billion passwords. ObamaCare added 1.6 billion passwords made up of other breaches that have occurred post-2021. Additionally, according to a post by ObamaCare, some passwords from RockYou2021 had previously only been shared in their encrypted state, and ObamaCare had since “cracked” them and shared the clear-text versions.

Cybernews has released a password checker tool, allowing users to test if their password is included in the breach. Password checking tools should be used with caution, as they may be abused by threat actors to steal additional passwords or may unintentionally leak sensitive inputs. Their use should be restricted to passwords that are no longer in use and are not used across multiple accounts.

eSentire Threat Intelligence Analysis:

Despite the passwords in RockYou2024 not being from new or undisclosed breaches, it is still highly concerning. Threat actors will weaponize the compilation to perform credential stuffing attacks, attempting to breach valid accounts that use old passwords. If combined with other breach information, leaked details may enable spear-phishing or other targeted attacks. Additionally, it is probable that threat actors will use the attention this breach has generated to perform other cyberattacks or fraud, such as hosting malicious versions of the compilations, sharing fake password checkers, or extortion enabled by social engineering involving old but legitimate passwords.

To best defend against the abuse of valid credentials, organizations are recommended to enforce the use of strong and unique passwords. Password managers may aid users in generating and using unique and long passwords, as they only need to remember one master password. Enforcing the use of Multi-Factor Authentication (MFA) will significantly reduce the value of compromised credentials. Alternatively, the implementation of passkey authentication removes the need for passwords altogether.
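One way an organization can act on the two points above, enforcing unique passwords while heeding the caution about checker tools that leak inputs, is to check candidate passwords against a breached-password list locally, hashing them first and indexing by a short hash prefix so that at most a prefix would ever need to be disclosed to a remote service. The following is an added example written for this briefing, not a Cybernews or eSentire tool; the breach list is a tiny constructed stand-in for a compilation such as RockYou2024.

```python
"""Offline check of a candidate password against a breached-password list.
Added example, not part of the briefing or any vendor tool. SAMPLE_BREACH_LIST
is a constructed stand-in for a compilation like RockYou2024; in practice the
hashed index would be built once from the real list and loaded from disk."""
import hashlib
from typing import Iterable

# Constructed sample of leaked passwords standing in for a real compilation.
SAMPLE_BREACH_LIST = ["123456", "password", "qwerty", "iloveyou", "Summer2024!"]
PREFIX_LEN = 5  # hex digits of SHA-1 used as the lookup bucket


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (fast, fine for a blocklist;
    it is not a password-storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hash_index(passwords: Iterable[str]) -> dict:
    """Index breached passwords by the first PREFIX_LEN hex digits of SHA-1.
    Keeping only hashes means the index is not itself a usable credential dump,
    and the prefix bucket is the unit a client could query remotely without
    revealing the full hash (the range-query pattern some breach services use)."""
    index: dict = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def is_breached(password: str, index: dict) -> bool:
    """True if the password's hash suffix sits in its prefix bucket."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in index.get(digest[:PREFIX_LEN], set())


def evaluate_password(password: str, index: dict, min_length: int = 14) -> list:
    """Return policy violations for a new password; an empty list means OK."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        problems.append("appears in breached-password compilation")
    return problems


# Built once at import time so callers can reuse it.
BREACH_INDEX = build_hash_index(SAMPLE_BREACH_LIST)

if __name__ == "__main__":
    for candidate in ["qwerty", "Summer2024!", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate, BREACH_INDEX) or "accepted")
```

The check belongs at password-set and password-change time (and in a periodic audit of existing hashes where the directory allows it); the plaintext candidate never leaves the host performing the check, which is the property the briefing's warning about third-party checkers is about.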

ObamaCare is a known threat actor with a history of sharing stolen data on criminal forums. According to Cybernews, the threat actor has previously shared information stolen from a law firm, an online casino, and Rowan College at Burlington County. Based on this history, and the level of attention that this breach has caused, it is highly probable that ObamaCare will continue to release breach compilations in the future.

Disruption of Russian AI-Driven Disinformation Campaign

Bottom Line: A joint advisory by the FBI, Cyber National Mission Force (CNMF), and other international partners has revealed that Russian state-sponsored actors are using AI-enhanced software called Meliorator for foreign malign influence operations.

On July 9th, the U.S. Federal Bureau of Investigation (FBI) and Cyber National Mission Force (CNMF), in partnership with the Netherlands General Intelligence and Security Service (AIVD), the Netherlands Military Intelligence and Security Service (MIVD), the Netherlands Police (DNP), and the Canadian Centre for Cyber Security (CCCS), released an advisory warning social media companies that Russian state-sponsored actors have been leveraging the covert “Meliorator” software for foreign influence activity benefiting the Russian Government. Additionally, the U.S. Justice Department (DoJ) announced the seizure of two domains and the search of 968 social media accounts used by Russian actors.

This law enforcement operation targeted disinformation campaigns run by Russia's Federal Security Service (FSB) and RT News, a state-run Russian news organization based in Moscow. These campaigns employed Artificial Intelligence (AI) to create realistic social media profiles to disseminate pro-Russian content, spreading disinformation by posing as U.S. citizens. The content included justifications for the Ukraine conflict and attempts to undermine the U.S. democratic process.

In early 2023, a Russian FSB officer, with approval and funding from the Kremlin, established a Private Intelligence Organization (P.I.O.) involving employees from RT. The P.I.O.'s true mission was to further the objectives of the FSB and the Russian government by spreading disinformation through social media accounts created by the bot farm. According to affidavits, an FSB Officer and other P.I.O. members used the social media bot farm to spread Russian government narratives on X (formerly Twitter) in October and November 2023. Examples of this activity include:

The core of this disinformation campaign was the Meliorator software, an AI-enhanced tool used by RT affiliates. Meliorator was designed to create realistic and authentic-looking social media personas en masse. These personas were then deployed across platforms like X to propagate disinformation. The software's administrator panel, Brigadir, served as the primary user interface, allowing operators to manage the fake personas, referred to as "souls," and the automated actions or "thoughts" these bots would perform. Taras, the backend component of Meliorator, contained JSON files that controlled the bots' actions, including tools to aggregate databases and automation scripts necessary for persona creation and activity.

The capabilities of the Meliorator software are quite extensive. It’s capable of generating profiles with AI-created photos, detailed biographies, and political leanings, enabling bots to blend seamlessly into social media. These bots could create original posts, comment, like, and share content to amplify false narratives that supported Russian state interests. Additionally, the software included mechanisms to bypass social media verification processes, including scraping email verification codes and changing user agent strings to avoid detection.

eSentire Threat Intelligence Analysis:

The involvement of state actors like the FSB highlights the geopolitical dimension of cyber operations, where technology is weaponized to influence global narratives. The use of AI significantly increases the sophistication and reach of disinformation campaigns, making detection and mitigation more challenging. By leveraging emerging technologies, these campaigns aim to influence public opinion and disrupt democratic processes on a global scale.

The use of media and propaganda to influence public opinion is not new; this modern use of AI in disinformation campaigns is reminiscent of Cold War-era propaganda tactics, though significantly more advanced. During the Cold War, both the U.S. and the Soviet Union engaged in extensive information warfare to influence global public opinion. Today, the integration of AI in these efforts highlights the evolving nature of cyber threats and the need for updated defense strategies.

The use of AI-powered tools by Russian state-sponsored adversaries to create and manage online identities poses significant implications for the U.S. presidential election. The capabilities these technologies provide can influence public opinion, spread misinformation, and potentially sway electoral outcomes. As the election approaches, the risk of such sophisticated disinformation campaigns intensifies, highlighting the urgent need for robust detection mechanisms and collaborative efforts to protect the democratic process.

Commercially available AI tools like OpenAI's ChatGPT, Google's Gemini, and Microsoft's Copilot incorporate robust safeguards to prevent abuse. However, state-sponsored threats possess the resources to develop their own AI tools without such protections. This disparity allows these actors to create sophisticated disinformation and cyber-attack mechanisms with fewer constraints. The recent breach of OpenAI by a lone actor highlights the potential for state-sponsored actors to target AI organizations to enhance their capabilities. By infiltrating AI companies, they can gain insights and potentially leverage advanced AI technologies for malicious purposes, further escalating the threat landscape.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
