eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Recent Threat Intelligence Advisories
Noteworthy News
FIN7’s Evolution: Point of Sale Malware to Ransomware and EDR Bypass Tools
Bottom Line: FIN7, a prominent cybercrime group, has evolved from using Point of Sale malware for financial fraud to conducting sophisticated ransomware operations. Their recent development of advanced EDR bypass tools, now being sold to other threat actors, significantly elevates the cyber threat landscape.
On July 17th, SentinelLabs released a report on a notorious cybercrime group, FIN7 (aka Carbanak and Carbon Spider). The group has significantly enhanced its operations by developing sophisticated tools and methods for bypassing Endpoint Detection and Response (EDR) systems.
FIN7 was first known for targeting Point of Sale (PoS) systems to steal payment card data, leading to significant financial losses for affected businesses. Starting in 2020, the group pivoted to ransomware operations, affiliating with notorious Ransomware-as-a-Service (RaaS) groups such as REvil and Conti. Additionally, they launched their own RaaS programs, first under the name DarkSide and later rebranded as BlackMatter.
One of their key innovations is the AvNeutralizer (aka AuKill) tool, designed to disable Endpoint Detection and Response (EDR) systems, facilitating ransomware and other malicious activities. It operates by exploiting Windows built-in drivers, such as "ProcLaunchMon.sys," to bypass security measures and tamper with security solutions. This tool allows attackers to evade detection and maintain persistence within compromised networks. AvNeutralizer's automation capabilities enable efficient, large-scale attacks, enhancing the operational efficiency of cybercriminals. The tool has been found on multiple criminal forums, being sold by various users who are believed to be aliases of FIN7.
Previous research from Prodaft detailed the Checkmarks platform, an automated attack system targeting public-facing Microsoft Exchange servers developed by FIN7. It extensively scans and exploits these servers using the ProxyShell exploit, leveraging vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The platform also includes an Auto-SQLi module for SQL injection attacks, incorporating SQLMap for vulnerability scanning when initial attempts fail. This module enables remote access to victim systems, tailored for adaptability and expanding the range of exploitable vulnerabilities.
In 2022, numerous intrusions were attributed to the Auto-SQLi module, primarily targeting US companies in the manufacturing, legal, and public sectors. These activities involved the use of PowerShell droppers, which employed multiple layers of obfuscation to execute final payloads. These PowerShell droppers delivered Powertrash loaders from staging servers. The loaders enabled FIN7 to control compromised systems by loading backdoor payloads.
eSentire Threat Intelligence Analysis:
FIN7's activities illustrate the group’s ability to adapt and evolve their methods to maximize financial gain.The transition from PoS malware to sophisticated ransomware operations underscores their technical prowess and strategic acumen in the cybercriminal landscape. The development of tools like AvNeutralizer further enhances their capability to conduct large-scale and highly effective malicious campaigns, posing a significant threat to organizations worldwide.
AvNeutralizer’s availability on dark web forums lowers the barrier for other threat actors, expanding the cyber threat landscape significantly. The widespread availability and advanced capabilities of AvNeutralizer represents a significant escalation in the cyber threat environment, lowering the barrier for other threat actors to launch effective ransomware attacks. The advanced evasion tactics, leveraging existing vulnerabilities and built-in drivers, highlight the need for enhanced security measures. The group's strategic shift towards selling tools indicates an effort to diversify revenue streams, potentially funding further development of more advanced attack methods. The sale of cyber tools in underground markets has been a recurring trend, with groups like the Shadow Brokers previously leaking NSA hacking tools, which were then used in widespread attacks like WannaCry.
FIN7's recent operations underscore the increasing sophistication and commercialization of cybercrime, emphasizing the need for robust, adaptive security measures. The historical patterns of tool leaks and advanced evasion tactics highlight the importance of staying ahead in the cybersecurity arms race. As cybercriminals continue to innovate, defenders must remain vigilant and proactive in implementing advanced security strategies to protect against these evolving threats.
Hackers Use PoC Exploits in Attacks 22 Minutes After Release
Bottom Line: Threat actors have been observed rapidly operationalizing Proof-of-Concept exploit code in attacks within minutes of their release.
On July 11th, Cloudflare released their Application Security report which included a variety of topics, most notably threat actors utilizing Proof-of-Concept (PoC) exploit code in attacks 22 minutes after disclosure. The report highlights the increase in Zero-day exploits as well as the weaponization of disclosed vulnerabilities.
Cloudflare stated that the majority of observations were related to scanning activity, followed by attempts at command injection, and some utilization of publicly available PoC exploit code. These vulnerabilities include Apache CVE-2023-50164 and CVE-2022-33891, Coldfusion CVE-2023-29298, CVE-2023-38203 and CVE-2023-26360, and MobileIron CVE-2023-35082.
The example outlined in their report states that Cloudflare observed exploitation attempts of a JetBrains TeamCity authentication bypass vulnerability, CVE-2024 27198 (CVSS:9.8). The vulnerability was exploited just 22 minutes after PoC exploit code was published.
The following is a timeline of the events:
- 14:00 UTC: JetBrains releases TeamCity 2023.11.4 update
- 14:59 UTC: JetBrains publicly discloses CVE-2024-27198
- 19:23 UTC: Rapid7 shares a blog, including PoC exploit code
- 19:45 UTC: Cloudflare observes attempted exploitation
eSentire Threat Intelligence Analysis:
The rapid exploitation of CVE-2024-27198 underscores the critical need for immediate and efficient defensive measures in cybersecurity. The short window between disclosure of the PoC exploit code and first observed exploitation highlights the speed that attackers can operationalize public information to capitalize on new vulnerabilities. These types of attacks leave organizations with very little time to respond by applying necessary patches or mitigations, thereby increasing the risk of successful exploitation.
The trend of rapid exploitation of newly disclosed vulnerabilities is not new but has accelerated with the increased availability of automated tools and faster dissemination of PoC exploit code. Organizations are encouraged to implement automated systems for applying patches to minimize the gap between vulnerability disclosure and patch deployment. This implementation can significantly reduce the risk window during which an exploit can be leveraged by attackers.
eSentire’s Threat Intelligence Team released a security advisory regarding CVE-2024-27198 on March 5th. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2024-27198.
CrowdStrike Outage
Bottom Line: A faulty software update from cybersecurity firm CrowdStrike resulted in widespread outages of Windows systems, disrupting operations in critical sectors globally.
On July 19th, 2024, a software update released by CrowdStrike led to widespread outages across the globe. This update caused a critical conflict with Windows OS, leading to system instability and crashes; specifically, the update inadvertently caused errors in the kernel mode driver, a core component of the
Windows operating system, resulting in systems crashing to a "Blue Screen of Death" (BSOD). This has resulted in operational disruptions in various sectors including aviation, banking, IT, and other critical infrastructure.
At 05:45 EST, CrowdStrike CEO George Kurtz confirmed via a post on X (formerly Twitter) that the widespread Windows system outages were due to a defective update and not a cyberattack. He emphasized that only Windows hosts were affected, while Mac and Linux systems remained unaffected. Kurtz assured that the issue had been identified, isolated, and a fix had been deployed. He directed customers to CrowdStrike’s support portal for ongoing updates and urged them to communicate through official channels to ensure security and stability.
In a tech alert to customers as well as in a public statement, CrowdStrike provided the following workarounds to resolve the issue.
Workaround Steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it
- Boot the host normally
*Note: Bitlocker-encrypted hosts may require a recovery key.
Additional Workaround for individual hosts:
Customers should restart the impacted host multiple times, forcing a race condition where the channel file which is impacting the issue, will be updated.
Workaround Steps for public cloud or similar environment including virtual:
Option 1:
- Detach the operating system disk volume from the impacted virtual server
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against
unintended changes
- Attach/mount the volume to a new virtual server
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Detach the volume from the new virtual server
- Reattach the fixed volume to the impacted virtual server
Option 2:
- Roll back to a snapshot before 0409 UTC.
During the same period as the CrowdStrike update incident, a significant Microsoft 365 outage occurred, affecting numerous users globally. Initially, some speculated a connection between the two events. However, it was confirmed that the Microsoft outage stemmed from an independent issue related to an
Azure configuration change. This change disrupted authentication and access across various Microsoft services, including Teams, Outlook, and SharePoint. Friday morning Microsoft confirmed on X that all impacted Microsoft 365 apps and services were restored.
eSentire Threat Intelligence Analysis:
Addressing the aftermath of the CrowdStrike update-induced system crashes poses a challenge for large organizations. While a manual workaround exists, its scalability is restricted as it requires individual application to each affected system. The necessity for manual fixes means that system administrators must intervene directly on each machine, as CrowdStrike cannot remotely deploy a corrective update to resolve the problem automatically due to the Blue Screen of Death boot loop.
In the wake of the CrowdStrike update incident, threat actors have seized the opportunity to exploit the situation by creating phishing pages that impersonate CrowdStrike support domains. These fraudulent sites aim to deceive users into believing they are accessing legitimate CrowdStrike support resources, potentially leading to further security breaches.
Phishing attacks leveraging such high-profile incidents can be particularly effective, as they prey on the urgency and confusion that typically accompany significant IT disruptions. Users seeking immediate assistance are more likely to fall victim to these scams, inadvertently providing sensitive information or downloading malicious software.
To mitigate this threat, organizations must enhance their phishing detection and response capabilities. Employees should be trained to recognize phishing attempts and verify the authenticity of support communications through official channels. CrowdStrike has advised users to refer to their support portal and official communications for updates, emphasizing the importance of using verified sources to avoid falling prey to these scams.
eSentire’s Threat Intelligence published a security advisory on July 19th highlighting these threats.
About the threat briefings:
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
