Threat Briefing — Sept 6, 2024

Weekly Threat Briefing - Sept 2 - Sept 6

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Cicada3301 Ransomware

Bottom Line: The emergence of Cicada3301 highlights the growing trend of ransomware groups targeting virtualized environments, specifically VMware ESXi servers, which are critical to many organizations' IT infrastructure.

On August 30th, Truesec released a technical analysis of the Cicada3301 Ransomware-as-a-Service (RaaS) group, which offers an avenue for double extortion to its affiliates with both ransomware and a data leak site. The threat actors deploying the ransomware have targeted Windows and Linux systems, with a specific focus on VMware ESXi servers. The group has been effective since their recent debut in June 2024, claiming more than 20 victims.

Cicada3301 gains access to victim networks through compromised credentials which are either stolen or obtained via brute force attacks facilitated by the Brutus botnet. The ransomware can shut down Virtual Machines (VMs) and allows for customization of its behavior during attacks through several command-line parameters. One of the notable parameters is no_vm_ss which can be used to encrypt files without shutting down running VMs, thereby avoiding immediate detection.

Cicada3301 has several notable similarities to another well-known ransomware, ALPHV (aka BlackCat). The article includes a snapshot of code from Cicada3301 which appears almost identical to ALPHV.

The similarities observed include:

To prevent initial access via compromised credentials and brute force attacks, organizations are strongly recommended to enforce the use of Multi-Factor Authentication (MFA). The implementation of MFA will limit the value of compromised credentials, as access will not be possible via credentials alone.

eSentire Threat Intelligence Analysis:

The emergence of Cicada3301 highlights the growing trend of ransomware groups targeting virtualized environments, specifically VMware ESXi servers, which are critical to many organizations' IT infrastructure. By focusing on these environments, attackers can maximize disruption, as a successful attack on an ESXi server can potentially disable dozens or even hundreds of VMs, each supporting key business operations.

The parallels observed with ALPHV/BlackCat suggest Cicada3301 may be a rebranded version of the ransomware, or heavily inspired by it, potentially reusing portions of its codebase. This could also suggest that developers of ALPHV may have joined a new group or work alongside them.

Organizations relying on VMware ESXi are at heightened risk, as the successful encryption of files on these servers could lead to severe operational disruptions. Organizations are recommended to employ a defense-in-depth strategy to help prevent potential compromises that may lead to ransomware deployment.

eSentire has detections in place to identify Cicada3301 ransomware based on recent observations. eSentire research shows that Cicada3301 ransomware has posted 16 victim organizations to their leak site in August alone. The group’s activity is expected to continue, barring significant law-enforcement intervention.

Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues

Bottom Line: Data backup software, such as Veeam VBR, has a history of being targeted by financially motivated threat actor groups. Organizations utilizing Veeam are strongly encouraged to apply the latest round of security patches immediately.

On September 4th, Veeam disclosed eighteen separate vulnerabilities impacting Veeam Backup & Replication (VBR), Service Provider Console, and One. All of the newly disclosed vulnerabilities are rated as Critical or High severity.

The most concerning vulnerability from the release is CVE-2024-40711 (CVSS: 9.8). This is a Remote Code Execution (RCE) vulnerability, found in VBR versions 12.1.2.172 and earlier. This flaw allows attackers to execute arbitrary code remotely without authentication, posing a significant risk to the security of enterprise backup infrastructures.
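A patch-triage helper for the affected range the briefing gives for CVE-2024-40711 (VBR 12.1.2.172 and earlier). This is an added example, not Veeam's or eSentire's code; the hostnames and builds in the inventory are constructed, and the "later" build is a hypothetical placeholder rather than a real fixed version.

```python
"""Flag Veeam Backup & Replication installs whose build is still at or below
12.1.2.172, the last affected build named in the briefing for CVE-2024-40711.
Added example; inventory data below is constructed."""
from typing import List, Tuple

# Last affected build per the briefing; anything <= this is flagged.
LAST_AFFECTED_VBR = "12.1.2.172"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a dotted build string into an integer tuple so comparison is
    numeric per component (a plain string compare would rank "12.1.2.9"
    above "12.1.2.172")."""
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {ver!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, last_affected: str = LAST_AFFECTED_VBR) -> bool:
    """True when the installed build is at or below the last affected build.
    Shorter strings are zero-padded, so "12.1.2" compares as "12.1.2.0"."""
    a, b = parse_version(installed), parse_version(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose VBR build falls in the affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, reported VBR build).
SAMPLE_INVENTORY = [
    ("vbr-prod-01", "12.1.2.172"),  # the last affected build: still needs the patch
    ("vbr-prod-02", "12.1.2.9"),    # older build that string comparison would misjudge
    ("vbr-dr-01", "12.2.0.1"),      # hypothetical later build, outside the stated range
    ("vbr-lab-01", "11.0.1"),       # short version string, zero-padded before comparing
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: in the CVE-2024-40711 affected range, patch required")
```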

Other critical vulnerabilities from the release include:

At the time of writing, there is no indication of publicly available Proof-of-Concept (PoC) exploit code, or real-world attacks involving any of the Veeam vulnerabilities. Security patches for all disclosed vulnerabilities are available, and organizations are strongly recommended to apply the patches before exploitation is identified.

eSentire Threat Intelligence Analysis:

Backup solutions, such as VBR, are viewed as high value targets for threat actors due to the data they store. VBR serves as a cornerstone for data protection and disaster recovery; if threat actors are able to abuse vulnerabilities in the service, they may perform a variety of malicious actions, such as ransomware deployment, data theft for extortion, or malware deployment for persistent access.

Vulnerabilities similar to CVE-2024-40711 have been exploited by groups like CLOP, who aim to exfiltrate as much data as possible and then threaten to release the information if an extortion demand is not met. Additionally, backup solutions have often been the target of major ransomware groups. In 2023, Cuba ransomware was targeting organizations in the United States and Latin America, with attacks involving exploitation of a VBR vulnerability. Veeam has a history of being targeted by sophisticated threat actors; the financially motivated threat actor group FIN7 (Carbon Spider, ELBRUS, Sangria Tempest) was observed targeting Veeam software in April 2023.

The prevalence of Veeam, along with the inherent value of backup services, has created an environment where Veeam vulnerabilities are viewed as high value to threat actors. The eSentire Threat Intelligence team assesses that it is likely threat actors will weaponize the recently disclosed vulnerabilities in the near future. As such, it is critical that organizations apply the relevant security patches as soon as possible.

eSentire Managed Vulnerability Service (MVS) will add the relevant plugins for recently disclosed Veeam vulnerabilities when they become available. eSentire’s Tactical Threat Response (TTR) team is reviewing the impactful Veeam vulnerabilities for new detection opportunities.

Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

Bottom Line: GRU Unit 29155’s continued cyber operations reflect Russia’s growing reliance on hybrid warfare, combining traditional military operations with cyber-attacks to destabilize adversaries.

On September 5th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and international partners released a joint cybersecurity advisory warning of attacks targeting critical infrastructure globally. Threat actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, Unit 29155 (tracked as Cadet Blizzard, Ember Bear), have been responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. It should be noted that Unit 29155 operates independently from other well-known GRU-affiliated groups, such as Unit 26165 (aka APT 28, Forest Blizzard, Fancy Bear) and Unit 74455 (aka Sandworm, Voodoo Bear).

This group began deploying the destructive WhisperGate malware against several Ukrainian organizations as early as January 13th, 2022. WhisperGate is a multi-stage malware designed to disrupt and destroy targeted systems. It operates by corrupting the Master Boot Record (MBR) of infected machines, rendering them unbootable, while simultaneously deploying a fake ransomware component to obscure its true purpose. Despite masquerading as ransomware, WhisperGate lacks a recovery mechanism, emphasizing its primary goal of sabotage rather than financial gain, making it particularly dangerous in critical infrastructure attacks.

To gain initial access into victim networks, GRU Unit 29155 actors exploited vulnerabilities in internet-facing systems, particularly weak VPN and network devices. They used publicly available tools such as Acunetix, MASSCAN, Nmap, and Shodan to conduct reconnaissance, identify open ports, and detect specific vulnerabilities. These tools allowed the attackers to map networks and find entry points, facilitating further exploitation. Once inside, the actors often leveraged stolen credentials to move laterally within compromised environments and escalate privileges.

To mitigate the risks posed by GRU Unit 29155’s cyber activities, organizations should implement several key defenses. First, prioritize patching of known vulnerabilities in internet-facing systems. Then, deploy phishing-resistant Multi-Factor Authentication (MFA) to reduce the risk of credential theft. Additionally, network segmentation is essential to limit lateral movement if an intrusion occurs, and monitoring for unusual activity using advanced Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools can help identify potential threats early. Lastly, regular security audits and robust logging practices will further strengthen defenses.

eSentire Threat Intelligence Analysis:

The emergence of Cadet Blizzard marks a significant step in Russia's hybrid warfare, as GRU Unit 29155 combines physical and digital tactics in unprecedented ways. By developing their own cyber team distinct from units like Fancy Bear and Sandworm, the GRU demonstrates an intent to streamline operations and enhance their disruption capabilities. The focus on targeting critical infrastructure, particularly during the WhisperGate campaign, highlights a tactical shift towards destructive, politically motivated attacks. Historically, Russia has used similar hybrid tactics, as seen in the NotPetya operation.

As the 2024 U.S. presidential election approaches, federal agencies like the DOJ, FBI, and CISA are ramping up efforts to prevent foreign interference. These agencies are focused on combating influence campaigns, such as those seen in previous elections involving actors from Russia, Iran, and other states. Through initiatives that include indictments against foreign-controlled media outlets, public awareness campaigns, and collaborations with international partners, they are working to secure the electoral process. The goal is to safeguard democratic institutions and ensure voters are well-informed about foreign influence tactics.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
