TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Because VMware ESXi is so widely deployed, vulnerabilities in the hypervisor represent a significant opportunity for mass exploitation, and ransomware operators are now actively abusing one such flaw.
On July 29th, Microsoft released a comprehensive technical report on the ESXi hypervisor vulnerability CVE-2024-37085 and its exploitation by threat actors to enable ransomware deployment. CVE-2024-37085 (CVSS: 6.8) is an authentication bypass vulnerability: "A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD". (The group name an AD-joined host trusts is held in the ESXi advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, which defaults to "ESX Admins".) As ESXi should not be exposed to the Internet, in most situations attackers need prior access to the network before they can exploit CVE-2024-37085. Successful exploitation gives the attacker full administrative control of the host, enabling post-compromise activities such as encrypting the virtual machine file systems and exfiltrating data. The vulnerability was initially disclosed by Broadcom on June 25th and is believed to have been exploited as a zero-day prior to patch release.
According to the Microsoft report, the vulnerability was exploited by Storm-0506, a ransomware affiliate known to deliver the Black Basta ransomware. The group previously deployed Conti ransomware but switched to Black Basta in April 2022. In early 2024, the group was identified targeting a North America-based engineering firm. Initial access was gained via a Qakbot malware infection. The threat actors then exploited the Windows CLFS vulnerability CVE-2023-28252 to escalate their privileges. Cobalt Strike and Pypykatz (a Python implementation of Mimikatz) were used to obtain the credentials of two domain administrators, which were then employed to move laterally across the network via RDP. CVE-2024-37085 was exploited by creating the "ESX Admins" group in AD and adding the attackers' account to it, after which the victim's ESXi-hosted assets were encrypted.
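Because the attack chain above turns on an ordinary AD group named "ESX Admins" being created (or an existing group being renamed to it) and then populated, the Windows Security log on the domain controllers is the natural place to detect it. The following is an added example written for this briefing, not eSentire or Microsoft detection content: it scans group-management audit events (4727 group created, 4737 group changed, 4728 member added) for any group whose name matches the ESXi admin group, comparing case-insensitively as a conservative choice. The event field names (TargetUserName, SubjectUserName, SamAccountName, MemberName) mirror the EventData of the Windows Security log, and the sample events are constructed rather than real telemetry.

```python
import re

# Default AD group name an AD-joined ESXi host trusts for full admin rights.
# If you changed Config.HostAgent.plugins.hostsvc.esxAdminsGroup on your hosts,
# pass that value as `expected` to the detection below.
ESX_ADMINS_GROUP = "ESX Admins"

# Windows Security audit events (Audit Security Group Management):
#   4727 security-enabled global group created
#   4737 security-enabled global group changed (covers renames)
#   4728 member added to a security-enabled global group
GROUP_EVENTS = {4727: "group created", 4737: "group changed/renamed", 4728: "member added"}


def normalize_group_name(name):
    """Collapse whitespace and case so 'esx  ADMINS' matches 'ESX Admins'."""
    return re.sub(r"\s+", " ", (name or "").strip()).casefold()


def is_esx_admins(name, expected=ESX_ADMINS_GROUP):
    return normalize_group_name(name) == normalize_group_name(expected)


def detect_esx_admins_activity(events, expected=ESX_ADMINS_GROUP):
    """Return one alert per event that creates, renames or adds a member to the ESXi admin group.

    `events` is an iterable of dicts whose keys mirror Windows Security EventData
    fields (assumption): TargetUserName = group acted on, SubjectUserName = actor,
    SamAccountName = new name in a 4737 change, MemberName = principal added in 4728.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in GROUP_EVENTS:
            continue
        # For a rename (4737) the new name may be in SamAccountName rather than
        # TargetUserName, so check both and keep whichever matched.
        candidates = [ev.get("TargetUserName")]
        if eid == 4737:
            candidates.append(ev.get("SamAccountName"))
        matched = [n for n in candidates if is_esx_admins(n, expected)]
        if not matched:
            continue
        alerts.append({
            "event_id": eid,
            "action": GROUP_EVENTS[eid],
            "group": matched[0],
            "actor": ev.get("SubjectUserName"),
            "member": ev.get("MemberName"),
            "host": ev.get("Computer"),
        })
    return alerts


# Constructed sample events (not real logs) modelling the reported chain: a
# domain user creates "ESX Admins", adds itself, and elsewhere renames a
# throwaway group to the same name with different casing.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup"},
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=local"},
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "itadmin", "TargetUserName": "VPN Users"},
    {"EventID": 4737, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Temp Group",
     "SamAccountName": "esx admins"},
]

if __name__ == "__main__":
    for alert in detect_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```

Any hit is worth a manual look because legitimate creation of this group is rare and should coincide with a planned ESXi AD-join. Alongside patching, the report's hardening guidance includes changing the trusted group on the host and setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false, so that a freshly created "ESX Admins" group is not automatically granted admin rights.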
As CVE-2024-37085 is confirmed to be exploited in ransomware attacks, it is critical that organizations apply the relevant security patches immediately.
The recent exploitation of CVE-2024-37085 by Storm-0506 highlights the criticality of rapidly patching vulnerabilities. While vulnerabilities in Internet-facing applications should be prioritized, internal vulnerabilities still represent a serious risk to organizations, as they may be exploited for a variety of malicious purposes if initial access is gained via other means.
Targeting of ESXi is not a new trend. Its breadth of use across organizations, and the level of access a compromised host provides to every virtual machine it runs, make ESXi hosts high-value targets for both state-sponsored and financially motivated threat actors. Beyond Storm-0506, other threat actors known to target ESXi environments for encryption include Storm-1175, Octo Tempest, and Manatee Tempest. These attacks have resulted in the deployment of Akira, Black Basta, Babuk, LockBit, and Kuiper ransomware.
Initial access malware remains a major threat in the current landscape. These malware incidents can rapidly escalate from a simple infection to a full network compromise including ransomware deployment. To defend against these threats, it is critical that Endpoint Detection and Response (EDR) capabilities are deployed to all workstations and servers to enable rapid identification and remediation.
The eSentire product suite maintains a wide variety of detections for techniques and tools employed by Storm-0506. The Tactical Threat Response (TTR) team has created new detections for CVE-2024-37085 exploitation and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. Additional eSentire MDR for Endpoint and Network detections are available for both Qakbot and Cobalt Strike. BlueSteel, via eSentire MDR for Endpoint, identifies malicious PowerShell activity.
Bottom Line: Guardio Labs discovered a flaw in Proofpoint's email protection service, dubbed EchoSpoofing, that let threat actors send millions of highly realistic phishing emails impersonating major Fortune 100 companies.
Security researchers have disclosed details of a major phishing campaign, tracked as EchoSpoofing, that abused Proofpoint's email protection service to impersonate Fortune 100 companies. The issue was discovered after Guardio Labs identified phishing emails that appeared to be from well-known brands and that were properly DKIM-signed and passed SPF checks, because they had been relayed through the impersonated brands' own Proofpoint infrastructure. The campaign started in January 2024, distributing an average of 3 million spoofed emails daily and peaking at 14 million emails in early June. Brands impersonated in the phishing emails included Disney, Nike, IBM, and Coca-Cola.
It was possible for threat actors to send these spoofed emails due to a security gap in Proofpoint’s email protection service. The root cause was a “super-permissive misconfiguration flaw” in Proofpoint’s servers ("pphosted.com"), allowing spammers to exploit the email infrastructure. The threat actors established their own SMTP (Simple Mail Transfer Protocol) servers to craft spoofed emails with manipulated headers, which were then sent through Proofpoint's relay servers using compromised or rogue Microsoft Office 365 accounts. Virtual Private Servers (VPS) hosted by OVHCloud and Centrilogic were used to send the spoofed emails.
While email security has vastly improved over the past decade, user training to identify potentially malicious emails is still critical, as threat actors continue to discover new techniques and weaknesses that bypass modern detections. In response to the EchoSpoofing campaign, Proofpoint changed its relay servers to validate the X-OriginatorOrg header, which Microsoft 365 stamps on outbound mail with the sending tenant's domain, against a customer-configured list of the Microsoft 365 tenants authorized to send on that customer's behalf, so that mail submitted from an unauthorized tenant is rejected rather than signed and relayed.
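The gap and the fix can be shown as a relay policy decision. The following is an added example written for this briefing, not Proofpoint's code: the policy dictionary, field names and sample messages are assumptions constructed to illustrate the check. With enforce_tenant_check set to False the relay accepts any message whose From domain belongs to the customer, which is the permissive behaviour EchoSpoofing abused; with it set to True the relay requires the X-OriginatorOrg header to name an authorized tenant. The check is only meaningful at a relay that receives the message directly from Microsoft 365, where the header is stamped by Microsoft rather than the submitter; on any other path a submitter-supplied header of that name should be stripped, not trusted.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical customer relay policy (assumption, not Proofpoint's schema): the
# sender domains the customer owns and, after the fix, the Microsoft 365 tenants
# authorized to relay mail for those domains.
CUSTOMER_POLICY = {
    "sender_domains": {"example.com"},
    "allowed_tenants": {"example.onmicrosoft.com"},
}


def sender_domain(msg):
    """Lower-cased domain of the RFC 5322 From address ('' if absent or unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def relay_decision(raw_message, policy, enforce_tenant_check):
    """Decide whether the outbound relay should accept a message for a customer domain.

    enforce_tenant_check=False models the pre-fix behaviour: any Microsoft 365
    tenant could submit mail 'from' the customer's domain and have it signed and
    delivered. enforce_tenant_check=True models the fix: the X-OriginatorOrg
    header, stamped by Microsoft 365 with the submitting tenant, must name a
    tenant the customer has authorized. Returns (verdict, reason).
    """
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    if domain not in policy["sender_domains"]:
        return ("reject", f"sender domain '{domain}' is not a customer domain")
    if not enforce_tenant_check:
        return ("accept", "permissive relay: no tenant verification")
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    if not tenant:
        return ("reject", "missing X-OriginatorOrg")
    if tenant not in policy["allowed_tenants"]:
        return ("reject", f"tenant '{tenant}' is not authorized for {domain}")
    return ("accept", f"tenant '{tenant}' authorized for {domain}")


# Constructed sample messages (not captured traffic).
LEGITIMATE = (
    "From: Example Promotions <promo@example.com>\n"
    "To: customer@mail.test\n"
    "Subject: Your monthly statement\n"
    "X-OriginatorOrg: example.onmicrosoft.com\n"
    "\n"
    "Statement attached.\n"
)

# Same From domain, but submitted from a tenant the attacker controls.
SPOOFED = (
    "From: Example Promotions <promo@example.com>\n"
    "To: victim@mail.test\n"
    "Subject: Action required: verify your account\n"
    "X-OriginatorOrg: rogue-tenant.onmicrosoft.com\n"
    "\n"
    "Click here to verify.\n"
)

NO_TENANT_HEADER = SPOOFED.replace("X-OriginatorOrg: rogue-tenant.onmicrosoft.com\n", "")
OTHER_DOMAIN = LEGITIMATE.replace("promo@example.com", "promo@unrelated.test")

if __name__ == "__main__":
    for label, raw in [("legit", LEGITIMATE), ("spoof", SPOOFED), ("no-header", NO_TENANT_HEADER)]:
        print(label, "before fix:", relay_decision(raw, CUSTOMER_POLICY, False))
        print(label, "after fix: ", relay_decision(raw, CUSTOMER_POLICY, True))
```

Run as a script, the spoofed message is accepted before the fix and rejected after it, while the legitimate message passes both ways; a message with no tenant header fails closed under the fix.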
The EchoSpoofing phishing campaign notably involved the impersonation of major brands. By masquerading as trusted brands, and by sending mail that passed the authentication checks recipients rely on, the attackers significantly increased the likelihood of the phishing emails being opened and therefore the success rate of the attack. While the phishing emails in this campaign were more convincing than typical phishing, user education remains an effective security measure.
While not an end-all solution to the threat of phishing, Multi-Factor Authentication (MFA) significantly reduces the value of compromised credentials. Because an attacker cannot log into an account without the secondary authentication factor, there are still significant barriers for threat actors attempting to use stolen credentials. Alternatively, passkey authentication removes the requirement for passwords altogether.
The direct goal of this campaign was theft of victim credentials. At this time, it is unclear how the credentials would be used in later attacks. It is possible that the threat actors behind EchoSpoofing planned to use the credentials in their own attacks, but due to the scale of phishing activity, it is more likely that impacted credentials will be sold via dark web marketplaces. If your organization is determined to be impacted, it is critical to reset passwords.
Bottom Line: Threat actors opportunistically exploit major news events, such as the recent CrowdStrike outage, to launch phishing campaigns and deploy malware.
On July 19th, 2024, CrowdStrike experienced a Falcon sensor outage impacting Windows systems, which threat actors have exploited to target CrowdStrike customers. Attackers have used phishing domains mimicking CrowdStrike to distribute malware, leveraging phishing emails with malicious attachments like MSI files masquerading as a Falcon sensor update to deploy information stealers such as Lumma Stealer.
Lumma Stealer is a commodity information stealer capable of collecting data from web browsers, including credentials, cookies, autofill data, and browser-extension information. Notably, the same Command-and-Control (C2) domain identified in the phishing campaign was observed in a voice phishing (vishing) campaign in which the threat actors impersonated a help desk operator over Microsoft Teams. At the time of writing, this activity has not been attributed to a named threat actor.
In an additional campaign, a previously unidentified information stealer, now tracked as Daolpu, was delivered via fraudulent recovery documents that tricked users into downloading it. In a separate campaign, the Remcos remote access trojan was deployed under the guise of a CrowdStrike hotfix, providing remote access to compromised systems. Another threat actor used the same hotfix lure to deploy a Python-based information stealer, dubbed Connecio. These attacks exploited trust in CrowdStrike's name to deceive users into downloading malicious files, and employed additional social engineering techniques, including spam floods and impersonation of CrowdStrike support, to increase credibility and efficacy.
Threat actors have demonstrated the ability to swiftly operationalize news events, leveraging current headlines to craft topical phishing lures. The increasing sophistication and targeting of phishing attacks highlight the persistent threat to both individual and organizational cybersecurity. Additionally, the use of legitimate-themed lures indicates that attackers are leveraging trusted brands to increase their attack success rates.
The combination of opportunistic news events and widely available malware, such as information stealers, allows threat actors to quickly create effective, high-impact campaigns. When a notable event occurs, like the CrowdStrike outage, attackers can rapidly exploit the situation by leveraging the event's notoriety to enhance the credibility of their phishing attempts and social engineering tactics. Commodity malware, which is easily accessible and customizable, enables these actors to swiftly deploy attacks with minimal effort. This approach not only broadens the potential victim pool but also increases the likelihood of successful compromises.
The exploitation of the CrowdStrike outage underscores the need for heightened vigilance, user education, and robust security measures to mitigate the risks posed by sophisticated threat actors. For further details, refer to CrowdStrike Blog posts on the Falcon sensor issue, fake recovery manuals, fake hotfixes, Lumma Stealer campaigns, and CERT-IN advisories.
Additionally, on Friday, July 19th, eSentire’s Threat Intelligence team published a security advisory warning of Potential Threats Stemming from CrowdStrike Outage.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.