Threat Briefing — Aug 16, 2024

Weekly Threat Briefing - Aug 12 - Aug 16

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Ransomware Attackers Introduce New EDR Killer To Their Arsenal

Bottom Line: The rise in the adoption of EDR solutions has driven attackers to develop and deploy specialized tools like EDRKillShifter. Attackers are motivated by the need to bypass these advanced tools to ensure the successful execution of their malicious payloads.

Sophos's analysis of EDRKillShifter reveals a sophisticated tool employed by cybercriminals to breach endpoint protection systems and execute ransomware attacks. At the core of EDRKillShifter's operation is a multi-layered decryption process, leveraging vulnerable drivers to deploy malicious payloads. Access to the tool necessitates a specific 64-character password for security.

The decryption process initiates with the tool's execution and the input of the correct password through the command line interface. Following authentication, EDRKillShifter decrypts the embedded BIN component, loads it into memory and executes it, unveiling the final payload typically written in the Go programming language. This final payload manipulates legitimate but vulnerable drivers to evade endpoint protection measures.

EDRKillShifter's BIN component uses obfuscation to conceal its operations and hinder reverse engineering: it rewrites its own instructions at runtime (self-modifying code) while unpacking the final payload. That payload carries the vulnerable drivers in its .data section, and each execution drops a vulnerable driver under a unique, newly generated name. The final payload only works, however, if the process has already obtained the privileges needed to load a driver, and it deploys the exploit into the \AppData\Local\Temp directory.

By loading vulnerable drivers such as ThreatFireMonitor and RentDrv2, EDRKillShifter gains the kernel-level privileges it needs to bypass endpoint protection systems. The tactic of bringing a legitimate but vulnerable driver onto a host and exploiting it is known as Bring Your Own Vulnerable Driver (BYOVD). This targeted strategy lets threat actors disable security controls, manipulate services, and execute ransomware attacks efficiently.
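As an added illustration, not part of the Sophos report or of eSentire's briefing, the following Python script shows the kind of detection logic a defender can run over driver-load telemetry. It takes Sysmon Event ID 6 (DriverLoad) records, constructed here as sample dicts rather than real telemetry, and flags drivers loaded from a temp directory such as \AppData\Local\Temp, file names that match the driver families named above (ThreatFireMonitor, RentDrv2; matching the family name against the file name is this example's assumption, not a documented indicator), and drivers whose signature is not valid. The point it makes beyond the text: a BYOVD driver is legitimately signed, so a signature check alone passes it, and the load path is the stronger signal.

```python
from dataclasses import dataclass, field

# Constructed Sysmon Event ID 6 (DriverLoad) records in the shape of the fields
# Sysmon emits. Every value below is sample data made up for this example.
SAMPLE_DRIVER_LOADS = [
    {"UtcTime": "2024-08-13 10:14:02.117",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Randomly named driver dropped into the user's temp directory, as the
    # briefing describes. Its signature is valid because BYOVD drivers are
    # legitimately signed vendor code; the vendor name here is constructed.
    {"UtcTime": "2024-08-13 10:15:41.903",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\xkq7ptw.sys",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-13 10:16:05.220",
     "ImageLoaded": "C:\\Windows\\Temp\\RentDrv2.sys",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-13 10:17:30.001",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\unsigned.sys",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

# Driver families named in the briefing. Matching the family name against the
# file name is an assumption of this example; in production, match file hashes
# against a vetted vulnerable-driver blocklist instead.
VULNERABLE_DRIVER_FAMILIES = ("threatfire", "rentdrv")

# Directories from which kernel driver loads are expected on a Windows host.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# User-writable locations a driver should never be loaded from.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

REASON_OUTSIDE = "loaded from outside the standard driver directories"
REASON_TEMP = "loaded from a temp directory"
REASON_FAMILY = "file name matches a known vulnerable driver family"
REASON_SIG = "driver signature is not valid"


@dataclass
class Finding:
    utc_time: str
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_driver_load(event: dict) -> list:
    """Return the reasons a DriverLoad event looks like BYOVD activity.
    An empty list means the load looks normal."""
    reasons = []
    path = event["ImageLoaded"].lower()
    file_name = path.rsplit("\\", 1)[-1]
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(REASON_OUTSIDE)
    if any(marker in path for marker in TEMP_DIR_MARKERS):
        reasons.append(REASON_TEMP)
    if any(family in file_name for family in VULNERABLE_DRIVER_FAMILIES):
        reasons.append(REASON_FAMILY)
    # Checked last on purpose: a validly signed driver still reaches here,
    # which is exactly why the path and name checks above are needed.
    if event.get("SignatureStatus") != "Valid":
        reasons.append(REASON_SIG)
    return reasons


def severity_for(reasons: list) -> str:
    """Temp-directory loads and known vulnerable families rate high;
    anything else that was flagged rates medium."""
    if REASON_TEMP in reasons or REASON_FAMILY in reasons:
        return "high"
    return "medium"


def scan_driver_loads(events: list) -> list:
    """Run every event through the checks and keep only the flagged ones."""
    findings = []
    for event in events:
        reasons = assess_driver_load(event)
        if reasons:
            findings.append(Finding(event["UtcTime"], event["ImageLoaded"],
                                    severity_for(reasons), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"[{f.severity}] {f.utc_time} {f.image}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample records, the two validly signed drivers loaded from temp directories are reported as high severity, the unsigned driver in the standard directory as medium, and tcpip.sys is not reported at all. A real deployment would read the same fields from the Sysmon operational log and replace the name-based family match with hash lookups.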

In a recent incident in May, threat actors attempted to use EDRKillShifter to disable Sophos protection on a specific computer but were unsuccessful in their attempt. Following this, the attackers tried to execute a RansomHub ransomware payload on the compromised system, which was effectively blocked according to the Sophos report.

eSentire Threat Intelligence Analysis:

The rise of underground markets for evading EDR systems highlights the importance of organizations focusing on continuous monitoring, improving cybersecurity practices, and providing thorough employee training to strengthen their security against cyber threats and prevent breaches.

At the core of an operating system like Windows, the kernel manages system resources and mediates communication between software and hardware. A vulnerable driver gives a threat actor an opportunity to execute code at the kernel level, which grants extensive control over the system: exploiting driver flaws can provide unauthorized access to critical kernel-mode components, including kernel data structures. In the kernel layer, where code signing and security through obscurity are relied on to prevent malicious code execution and unauthorized interference, the manipulation of vulnerable drivers opens a path to compromising essential system elements. This is why driver security matters: it keeps malicious actors from undermining the integrity of the operating system at its deepest level.

In response to the escalating sophistication of threat actor tactics, eSentire recommends a multi-layered approach to defense. Beyond relying solely on EDR solutions, organizations should implement robust network monitoring tools to detect anomalous behavior, establish comprehensive logging mechanisms to track and analyze system activities, and conduct regular security assessments to identify and address potential vulnerabilities proactively.

Microsoft Patch Tuesday

Bottom Line: August 13th marked Microsoft’s monthly Patch Tuesday release. This month, Microsoft highlighted six zero-day vulnerabilities confirmed to be actively exploited by threat actors. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.

Microsoft's August 2024 Patch Tuesday release featured a total of 90 vulnerabilities, including six actively exploited zero-days, along with a notable critical severity Remote Code Execution (RCE) flaw that impacts Windows systems with IPv6 enabled. This release nearly doubles the number of Microsoft zero-day vulnerabilities for 2024, rising from seven to thirteen.

The six actively exploited zero-day vulnerabilities outlined in the release do not have publicly available Proof-of-Concept (PoC) exploit code; details relating to exploitation have not been shared at this time. The vulnerabilities are as follows:

Another notable critical severity vulnerability, which has neither public PoC exploit code nor known use in attacks, is CVE-2024-38063 (CVSS 9.8). This flaw could allow an attacker to execute arbitrary code on the target machine, potentially leading to a complete system compromise if the attacker escalates privileges or performs additional malicious activities. An attacker can trigger the vulnerability by sending specially crafted IPv6 packets to the target system. Though details are limited on how the flaw could be exploited, security researcher Xiao Wei, who discovered the vulnerability, suggests applying the latest Windows updates immediately or disabling IPv6 as a temporary mitigation.

eSentire Threat Intelligence Analysis:

Microsoft's comprehensive response to these vulnerabilities through its Patch Tuesday updates emphasizes the critical need for regular and thorough security practices, including vulnerability management and the prompt application of patches. The notable increase in actively exploited zero-day vulnerabilities underscores the importance of a defense in depth strategy as attackers may be able to exploit vulnerabilities before they are known about publicly and before fixes are available.

eSentire assesses it is likely CVE-2024-38063 will have PoC exploit code available in the near future due to the severity of the vulnerability and the increasing use of IPv6 in organizations’ network environments. The difficulty of exploitation is unknown due to the lack of details surrounding the vulnerability.

eSentire’s Threat Intelligence team continues to track this release for notable updates. eSentire Managed Vulnerability Service (MVS) currently has plugins in place to identify devices impacted by the listed vulnerabilities.

Hackers Leak 2.7 Billion Data Records

Bottom Line: The leak from National Public Data highlights the importance of cyber security when handling high amounts of sensitive data. As the records contain personal information, including social security numbers, it is highly likely the data will be utilized to conduct identity theft.

On August 11th, news broke of a massive data leak involving 2.7 billion records exposed on a hacking forum. The leak revealed sensitive personal information, including names, Social Security Numbers (SSNs), and addresses. The data is believed to have originated from National Public Data, a company that compiles personal information from public sources for background checks and other uses.

In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing personal information on individuals in the U.S., UK, and Canada, which were allegedly stolen from National Public Data. The threat actor was attempting to sell the data for $3.5 million USD.

Since the initial listing, various threat actors have released partial copies of the data; on August 6th, a threat actor known as "Fenice" posted the most complete version of stolen National Public Data for free on the Breached hacking forum. They stated in a post that the data breach was conducted by another threat actor named "SXUL" instead of USDoD. The data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records instead of the original 2.9 billion. It has been reported that USDoD was a broker or middleman for the initial posting and that SXUL was responsible for the compromise.

The leaked data contains first and last names, Social Security Numbers (SSNs), current and former addresses, as well as additional information like other names associated with the person. Previously leaked samples of the data also included phone numbers and email addresses, which were not present in the 2.7 billion record leak. It's important to clarify that an individual may have multiple records in the breach, one for each address they've been associated with. Consequently, the actual number of affected people is significantly lower than the 3 billion figure that has been reported. Some individuals reported to BleepingComputer that their Social Security Numbers were linked to people they don’t know, indicating that not all the data is accurate. Additionally, the information may be outdated, as none of the checked records included current addresses, suggesting the data might be from an old backup.

National Public Data stated that "the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es)". They believe the breach is associated with a threat actor "that was trying to hack into data in late December 2023”. The company confirmed if significant developments occur, they "will try to notify" the impacted individuals.

In the wake of the data breach, multiple class-action lawsuits have been filed against Jerico Pictures, allegedly doing business as National Public Data. Plaintiffs in these suits argue that the company failed to adequately safeguard sensitive personal information, including Social Security Numbers and addresses, leading to widespread exposure of private data. The lawsuits claim that Jerico Pictures did not implement sufficient security measures to prevent unauthorized access, resulting in significant harm to the affected individuals. Additionally, the plaintiffs allege that the company did not properly notify those impacted by the breach in a timely manner, further exacerbating the risks.

eSentire Threat Intelligence Analysis:

The leak of 2.7 billion records, including SSNs, presents significant risks for identity theft and fraud. This breach highlights persistent flaws in how companies collect, store, and protect sensitive information, particularly when data is scraped from public sources.

Historically, such breaches have led to long-term impacts on victims, including credit fraud, identity theft, and phishing attacks. Large-scale data breaches, such as the Equifax breach in 2017, have prompted both consumer protection initiatives and discussions about improving cybersecurity measures. The recurring nature of these incidents suggests that while technology has advanced, the approach to data protection remains insufficient, particularly when dealing with massive datasets involving millions of individuals. The scale of this leak is alarming and serves as a reminder of the ongoing challenges in protecting personal information in the digital age.

To mitigate risks, individuals should immediately monitor their credit reports, consider placing a credit freeze, and be vigilant against phishing attempts. Organizations should prioritize encrypting sensitive data, implementing stricter access controls, and regularly updating and securing their databases to prevent future breaches. Additionally, this incident underscores the importance of holding companies accountable for failing to safeguard personal data, which could lead to broader regulatory changes in data protection practices.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
