TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Critical ServiceNow Vulnerabilities Actively Exploited
2024/07/26
Bottom Line: Critical vulnerabilities in ServiceNow are being actively exploited, allowing attackers to execute unauthorized code and gain full database access. It is critical organizations apply patches immediately.
On July 10th, ServiceNow, a widely used enterprise service management platform, released updates for CVE-2024-4879 (CVSS: 9.3), CVE-2024-5217 (CVSS: 9.2), and CVE-2024-5178 (CVSS: 6.9). Both CVE-2024-4879 and CVE-2024-5217 are input validation vulnerabilities that enable an unauthenticated, remote attacker to execute arbitrary code within the Now Platform. This access could potentially result in compromise, data theft, and disruption of business operations. CVE-2024-5178 enables users with administrative privileges to gain unauthorized access to sensitive files on the web application server.
On July 11th, Assetnote published a technical analysis explaining how to exploit the vulnerabilities. These vulnerabilities can be chained together to first establish remote code execution and then to access sensitive information, including usernames and password hashes. Shortly after the release, Proof-of-Concept (PoC) exploit code and vulnerability scanners began appearing on GitHub. Attackers have been able to combine the PoC exploit code with the scanners to gain access to multiple ServiceNow instances. Assetnote also highlights that self-hosted instances are at a higher level of risk because of poor patching practices and possible misconfigurations that leave instances exposed to attackers.
On July 24th, Resecurity released a report identifying an ongoing campaign that leverages the PoC code to exploit the vulnerabilities and gather ServiceNow data from organizations. Resecurity states that they have observed attackers targeting government agencies, data centers, energy providers, and software development firms across various geographies. They highlight that some of the affected organizations were not aware of the released patch, and in some cases were running outdated instances that were poorly maintained by their developers and software engineers.
The ongoing exploitation observed by Resecurity begins with an injected payload whose effect is confirmed by checking for a specific result in the server response. This is followed by a second-stage payload that checks the database contents. If successful, the attacker dumps the user lists and account credentials. Resecurity states that in most cases the passwords were hashed; however, in some instances plaintext credentials were exposed.
The identified vulnerabilities in ServiceNow (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) pose a substantial threat to enterprise security across various industries. ServiceNow's extensive use as a critical enterprise service management platform means that the exploitation of these vulnerabilities can lead to significant disruptions and data breaches. Industries such as government, energy, data centers, and software firms are particularly at risk, as these sectors rely heavily on ServiceNow for their operational workflows and data management.
The rapid exploitation of these vulnerabilities has been significantly accelerated by the availability of exploits and scanning tools on platforms like GitHub. The open dissemination of these tools has lowered the barrier for attackers, enabling less sophisticated threat actors to launch successful attacks. This widespread availability has resulted in a surge of attacks targeting various sectors, demonstrating how quickly vulnerabilities can be weaponized once publicized.
On July 26th, eSentire published a security advisory regarding the ongoing exploitation of the ServiceNow vulnerabilities. eSentire’s Threat Response Unit (TRU) has developed detections to identify vulnerability exploitation attempts. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all three vulnerabilities.
As updates are available, it is highly recommended that any organization using ServiceNow, especially self-hosted instances, apply the patches immediately.
Bottom Line: Recent reports provide insight into North Korean actor Andariel’s (a.k.a. Onyx Sleet, APT45) use of ransomware attacks against the healthcare sector. Funds from these attacks were subsequently used in intelligence gathering operations against military and defense organizations.
On July 24th, 2024, a grand jury in Kansas City, Kansas returned an indictment charging a North Korean national with involvement in various attacks against U.S. hospitals and healthcare providers. The indictment links the attacks to Andariel (Onyx Sleet, Silent Chollima and APT45), a unit within North Korea’s primary military intelligence agency, the Reconnaissance General Bureau (RGB).
In its press release, the U.S. Department of Justice (DOJ) describes how Andariel actors used Maui ransomware to extort U.S.-based hospitals and other healthcare providers throughout 2021 and 2022. Ransom payments were laundered and used to purchase internet infrastructure (such as virtual private servers), which was subsequently used in intelligence gathering operations. The victims of those operations include NASA, various U.S. Air Force bases, U.S. and South Korean defense companies and a Chinese energy company.
In conjunction with the above indictment, CISA, Microsoft and Google Mandiant released reports providing insights into North Korean-aligned actors, with a focus on the RGB 3rd Bureau/APT45/Andariel/Onyx Sleet. Common Tactics, Techniques and Procedures (TTPs) for this group include initial access via n-day vulnerabilities, followed by deployment of custom malware including RATs and ransomware. They are also known to leverage off-the-shelf tooling such as Remote Monitoring and Management (RMM) tools and open-source offensive security tooling.
Recent reports on North Korean threat group APT45 (Andariel, Onyx Sleet) suggest a focus on financially motivated attacks conducted alongside, and in support of, intelligence gathering activities. Mandiant assesses that APT45 “…is distinct from other North Korean operators in its suspected interest in ransomware”. This assessment is echoed by Microsoft in its analysis and by the DOJ indictment, which convincingly links the ransomware and intelligence gathering attacks through shared personas, internet infrastructure and cryptocurrency transactions. North Korean-aligned threat groups are therefore a concern not only for the Government and Defense industries, but also for Manufacturing, Healthcare and Finance. Organizations should account for this in their threat modelling and review the advisories from CISA, Microsoft and Mandiant for actionable steps to reduce risk.
Bottom Line: A North Korean agent, posing as a software engineer with a stolen U.S. identity, attempted to infiltrate KnowBe4. The incident underscores the sophistication of state-sponsored cyber threats, leveraging advanced social engineering and AI to breach corporate defenses.
On July 23rd, KnowBe4 released a blog post detailing a recent security incident in which a North Korean operative attempted to infiltrate KnowBe4 by posing as a U.S.-based IT worker. This individual utilized a stolen identity, supplemented with an AI-enhanced photograph, to successfully pass background checks and interview processes. Upon being hired, the operative received a company-provided Mac workstation, which they promptly attempted to compromise with malware. The malware deployment was detected by the company’s Endpoint Detection and Response (EDR) software, which immediately flagged the suspicious activity.
KnowBe4’s Security Operations Center (SOC) responded swiftly, contacting the new hire, whose inconsistent and evasive responses raised further suspicion. This led to the involvement of the external cybersecurity firm Mandiant as well as the FBI, both of which confirmed the individual’s North Korean origins. The operative used Virtual Private Networks (VPNs) to mask their true location and leveraged a Raspberry Pi device to facilitate malware downloads.
Adding to the complexity of this infiltration attempt is the concept of "IT mule laptop farms." In this scenario, the fake worker requests that their workstation be sent to an address that is essentially a farm of such devices. These farms, located inside the U.S. (or other target countries), facilitate the operatives' ability to VPN into the company network from their actual location, often in North Korea or across the border in China. They typically work night shifts to align with U.S. daytime hours, maintaining the illusion of being a U.S.-based employee. The operatives perform real work, earning salaries that are substantially redirected to fund North Korea's illicit programs.
This incident exemplifies the lengths state-sponsored groups will go to in order to compromise high-value targets. Threat actors are adapting to stronger cybersecurity defenses; as a result, they are exploiting the opportunities of remote work to become an insider threat and establish persistent access. The use of AI-enhanced imagery and stolen identities reveals an advancement in social engineering tactics, complicating the detection of fraudulent applicants during recruitment processes. This case illustrates the risks associated with insider threats and highlights the importance of comprehensive cybersecurity measures.
Organizations should regularly audit devices for suspicious remote activity, improve vetting processes to verify physical locations, and scrutinize resumes for career inconsistencies. Video interviews focusing on the specifics of candidates’ work, and flagging discrepancies such as a laptop shipping address that differs from the stated home address, can help identify potential threats. Enhanced background checks, more thorough reference verifications, and continuous monitoring for unauthorized access attempts are also critical. Strengthening access controls and authentication processes, along with conducting regular security awareness training, can further mitigate risks.
Be alert for the use of VoIP numbers and a lack of digital footprint in provided contact information, discrepancies in personal details such as address and date of birth, conflicting personal information like marital status, and sophisticated use of VPNs or virtual machines to access company systems. Attempts to execute malware and subsequent cover-up efforts are significant red flags. Additionally, continuous monitoring through advanced EDR solutions is crucial for detecting and responding to anomalies in real time.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.