Threat Briefing — Aug 30, 2024

Weekly Threat Briefing - Aug 26 - Aug 30

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

The Versa Director Zero-Day Exploitation

Bottom Line: The Chinese state-sponsored APT group Volt Typhoon has been observed exploiting a critical Versa Director zero-day vulnerability in attacks against IT, MSPs, and ISPs. Organizations are urged to apply the relevant security patches as soon as possible to minimize the likelihood of compromise.

On August 26th, Versa disclosed a high severity vulnerability in the Versa Director software, a tool used to streamline the “design, automation, and delivery of Secure Access Service Edge (SASE) services”. The vulnerability, tracked as CVE-2024-39717 (CVSS: 7.2), allows a threat actor with Provider-DataCenter-Admin or Provider-DataCenter-System-Admin privileges to upload malicious files. The vulnerability stems from the "Change Favicon" feature, which allows threat actors with administrator privileges to upload malicious files camouflaged as PNG images. The vulnerability impacts Versa Director versions 22.2.3, 22.1.2, and 22.1.3. At the time of disclosure, Versa confirmed that CVE-2024-39717 had been exploited by an Advanced Persistent Threat (APT), but did not provide any additional details.

Only one day later, researchers from Black Lotus Labs released a technical report on exploitation of the vulnerability, attributing the known malicious activity, with medium confidence, to the infamous Chinese state-sponsored APT group Volt Typhoon (Bronze Silhouette). To date, attacks have been confirmed against four U.S. organizations and one non-U.S. target; victim organizations include Internet Service Providers (ISPs), Managed Service Providers (MSPs), and Information Technology (IT) companies. The earliest signs of exploitation have been traced back to June 12th, over two months before a security patch was released.

In observed attacks, CVE-2024-39717 was exploited to deliver a custom JAR web shell dubbed VersaMem. Its primary function is to intercept and harvest credentials, enabling unauthorized access. VersaMem operates by hooking and overriding the Versa authentication method, intercepting plaintext passwords, encoding them in Base64, and storing them at the location “/tmp/temp.data”. It also monitors inbound web requests to the Tomcat web server for actor-defined parameters, such as passwords and malicious modules, and dynamically loads Java modules in memory. To evade detection, the web shell performs all operations in memory rather than on disk. To obscure the origin of the attacks, Volt Typhoon launched them from compromised Small Office/Home Office (SOHO) devices, a known tactic the group has employed in past campaigns.
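The two artifacts described above lend themselves to a simple host-side triage check: a "favicon" upload that is really a JAR (a JAR is a ZIP container, so it begins with the ZIP signature rather than the PNG signature), and a credential drop file made up of Base64-encoded lines. The script below is an added example written for this briefing; it is not code from eSentire, Black Lotus Labs, or Versa. The only path taken from the report is `/tmp/temp.data`; the upload directory and the sample files are constructed stand-ins, and the script deliberately never decodes the Base64 lines, since on a compromised host they would be harvested passwords.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# File signatures (magic bytes). A JAR is a ZIP container, so a "favicon"
# that is really a JAR starts with the ZIP local-file-header signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"

# Credential drop location named in the report described above.
VERSAMEM_DROP_FILE = Path("/tmp/temp.data")


def classify_upload(head: bytes) -> str:
    """Classify an upload by its leading bytes, never by its file extension."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ZIP_MAGIC):
        return "zip-or-jar"
    return "unknown"


def find_disguised_archives(upload_dir) -> list:
    """Return every *.png under upload_dir whose content is actually a ZIP/JAR.
    upload_dir is a hypothetical location; Versa's real favicon path is not on the page."""
    hits = []
    for path in sorted(Path(upload_dir).rglob("*.png")):
        with open(path, "rb") as fh:
            if classify_upload(fh.read(8)) == "zip-or-jar":
                hits.append(str(path))
    return hits


def count_base64_lines(data: bytes) -> int:
    """Count non-empty lines that decode as strict Base64 (the storage format
    described for VersaMem). Decoded values are discarded, never returned."""
    count = 0
    for line in data.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            base64.b64decode(line, validate=True)
            count += 1
        except (binascii.Error, ValueError):
            pass
    return count


def check_versamem_drop(path=VERSAMEM_DROP_FILE) -> dict:
    """Report presence of the credential drop file and how many Base64 lines it holds."""
    path = Path(path)
    if not path.is_file():
        return {"present": False, "base64_lines": 0}
    return {"present": True, "base64_lines": count_base64_lines(path.read_bytes())}


def demo() -> dict:
    """Build a constructed sample tree and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        # Constructed samples: one genuine PNG header, one archive disguised as PNG.
        (root / "uploads" / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
        (root / "uploads" / "favicon_new.png").write_bytes(ZIP_MAGIC + b"\x00" * 16)
        # Constructed stand-in for /tmp/temp.data: two Base64 lines and one junk line.
        drop = root / "temp.data"
        drop.write_bytes(b"cGFzc3dvcmQ=\nUzNjcjN0IQ==\nnot base64!\n")
        return {
            "disguised": [Path(p).name for p in find_disguised_archives(root / "uploads")],
            "drop": check_versamem_drop(drop),
        }


if __name__ == "__main__":
    print(demo())
```

Run against a real appliance, `find_disguised_archives` would be pointed at the directory that holds uploaded favicons and `check_versamem_drop` at its default path; a hit on either is a reason to escalate, not proof of compromise on its own, since the web shell itself lives in memory.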

eSentire Threat Intelligence Analysis:

Volt Typhoon is a highly sophisticated threat group, active since 2021. In this, and previous campaigns, the group has employed novel malware along with exploiting zero-day vulnerabilities. Despite details of this campaign now being public, it is highly probable that similar activity from the group will continue, with a focus on stealth and long-term persistence.

The goal of Volt Typhoon’s recent attacks is not entirely clear. In the past, the group was observed obtaining access to critical infrastructure, in what is believed to be an attempt to preposition themselves for future destructive attacks. In this case, it seems unlikely that destruction was the goal, as no critical infrastructure or government organizations were targeted. It is possible that Volt Typhoon is targeting ISPs, MSPs, and IT organizations in order to steal sensitive data and enable espionage. Alternatively, these organizations may be targeted with the strategic goal of gaining access to their customer base via a supply-chain attack.

In response to this campaign, the eSentire Threat Intelligence team has performed threat hunts based on known Indicators of Compromise (IoCs). eSentire MDR for Network has rules in place to identify the VersaMem webshell. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2024-39717. It should be noted that eSentire is not impacted by the recent Versa Director zero-day vulnerability.

CISA #StopRansomware RansomHub

Bottom Line: The joint advisory from CISA, the FBI, MS-ISAC, and HHS follows the notable attack on Halliburton. RansomHub affiliates make use of tried-and-true tactics as well as known vulnerabilities.

On August 29th, CISA released a #StopRansomware advisory on RansomHub, providing details on the Tactics, Techniques, and Procedures (TTPs) the group utilizes. This is a joint report from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS).

RansomHub, originally discovered in February 2024, has been observed encrypting and exfiltrating data from at least 210 victims in the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors. RansomHub’s Ransomware-as-a-Service (RaaS) model has been attracting higher-level affiliates from other prominent ransomware variants such as LockBit and ALPHV.

RansomHub affiliates typically compromise internet-facing systems and user endpoints using methods such as phishing emails, exploitation of known vulnerabilities, and password spraying attacks. In observed attacks, they utilize several known tools such as AngryIPScanner, Nmap, PowerShell commands, Mimikatz, Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, and Metasploit. The affiliates use these tools to perform network scanning, gather credentials, and move laterally within a network. They have also been observed performing defense evasion techniques such as renaming malicious executables to appear benign, clearing logs, and disabling security products. A notable technique employed by the group is the use of known public exploits to compromise systems.

On August 21st, Halliburton disclosed in an SEC filing that it was aware an "unauthorized third party gained access to certain of its systems". Five days after the filing, Halliburton sent an email to suppliers providing additional information, stating that the company had taken systems offline to protect them and was working with Mandiant to investigate the incident. The company provided a list of Indicators of Compromise (IoCs) within the email, one of which was a RansomHub ransomware encryptor. At the time of writing, no additional details had been released regarding the incident.

eSentire Threat Intelligence Analysis:

The success RansomHub has seen since its emergence in February 2024 highlights the significant threat the ransomware and its affiliates pose to organizations. Because affiliates rely on known exploits for initial access, this underscores the importance of implementing a patch management system to ensure attackers cannot leverage known vulnerabilities.

The TTPs described in the report do not indicate that RansomHub affiliates or the malware variant itself are using novel techniques, instead sticking to known tooling, vulnerabilities, and methods to extort their victims. These methods can be prevented through a defense-in-depth strategy, with an emphasis on ensuring systems are up to date, employees are able to identify potentially malicious emails, and ensuring Multi-Factor Authentication (MFA) is enabled.

The migration of high-level affiliates from other known groups may indicate that the RansomHub operator has a better business model or operational security, or is simply a lesser-known operation that has so far avoided law enforcement's focus. It is likely RansomHub will remain a prominent ransomware variant for the remainder of 2024 and will likely continue to be one throughout 2025.

Based on eSentire research, RansomHub is currently the most active ransomware group, posting a high number of victims to their leak site over the past month. The eSentire product suite includes a large number of detections for known RansomHub TTPs. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place for commonly exploited vulnerabilities.

Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations

Bottom Line: The joint FBI advisory on Pioneer Kitten highlights the persistent threat posed by Iranian cyber actors, who combine state-sponsored espionage with financially motivated cybercrime.

On August 28th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory (CSA) warning of Iranian-state-sponsored threat actors targeting U.S. and foreign organizations across various sectors, including education, healthcare, and defense. The activity in this report is attributed to the Iranian state-sponsored APT group Pioneer Kitten (Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm). According to CISA, the group has previously referred to themselves as Br0k3r, and more recently used the moniker “xplfinder.”

These actors primarily target internet-facing vulnerabilities in networking devices, such as Citrix Netscaler ADC, Fortinet VPN, and Palo Alto firewalls, to gain initial access into victim networks. They then collaborate with ransomware affiliates, such as NoEscape and ALPHV (BlackCat), to monetize their access. Their involvement goes beyond simply selling access; they are actively engaged in the planning and execution phases of ransomware attacks, working closely with these groups to maximize the impact on the victims and strategize extortion techniques. The Iranian actors also partake in data exfiltration before encrypting networks, ensuring they can further leverage the stolen data in double extortion tactics.

Moreover, the group has been involved in hack-and-leak campaigns, most notably the Pay2Key operation, which targeted Israeli organizations for information operations rather than financial gain. These campaigns are often driven by geopolitical motives and serve to amplify Iran’s strategic objectives by combining cyber operations with information warfare. The advisory also notes that these actors intentionally obscure their Iranian origins, maintaining anonymity and misleading their ransomware affiliates about their true identity and location.

eSentire Threat Intelligence Analysis:

The involvement of Iranian state-sponsored actors in both espionage and cybercrime reflects an increasingly intertwined threat landscape where state-sponsored groups blur the lines between geopolitical objectives and financial gain. The collaboration with ransomware affiliates like NoEscape and ALPHV (BlackCat) is particularly concerning, as it represents a tactical evolution. These partnerships allow state actors to profit from their operations while simultaneously achieving strategic goals, such as disrupting critical infrastructure or sowing chaos in adversarial nations.

The deliberate obfuscation of their Iranian origins complicates attribution and allows these actors to operate with a degree of plausible deniability, reducing the risk of direct retaliation. This tactic of masking their identity while engaging in financially motivated activities is reminiscent of other Advanced Persistent Threats (APTs), such as China's APT41, which has been known to conduct cybercrime alongside state-sponsored espionage.

The dual threat posed by these actors necessitates a multifaceted defense strategy. Organizations must prioritize patch management, particularly for internet-facing systems, and enhance monitoring to detect lateral movement and privilege escalation. In addition, implementing zero-trust architectures can help limit the damage if an initial breach occurs.

In response to the CISA joint advisory, eSentire has blocked known malicious infrastructure via the eSentire Global Block list. The Threat Intelligence team is actively tracking Pioneer Kitten for additional details and detection opportunities.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
