Threat Briefing — Sept 20, 2024

Weekly Threat Briefing - Sept 16 - Sept 20

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Exploit Code Released for Ivanti Vulnerability

Bottom Line: Ivanti has recently disclosed one maximum severity vulnerability as well as two actively exploited vulnerabilities. Organizations using Ivanti Endpoint Manager (EPM) and Ivanti Cloud Services Appliance (CSA) need to apply the relevant security patches immediately.

On September 10th, Ivanti disclosed a critical vulnerability impacting Ivanti Endpoint Manager (EPM). Ivanti EPM is described as an “all-in-one endpoint management” system for Windows, macOS, Linux, Chrome OS, and IoT devices. The vulnerability, tracked as CVE-2024-29847 (CVSS: 10), is due to a deserialization of untrusted data in the agent portal of Ivanti EPM. Successful exploitation would allow an unauthenticated threat actor to achieve Remote Code Execution (RCE). At the time of writing, there is no evidence of real-world attacks involving this vulnerability.

As of September 16th, technical details and Proof-of-Concept (PoC) exploit code for the vulnerability were publicly disclosed. The release of this information, paired with the potential impact of exploitation, makes it highly probable that threat actors will adopt the exploit for CVE-2024-29847 and employ it in real-world attacks in the near future.

In addition to CVE-2024-29847, Ivanti has confirmed the exploitation of two lower severity vulnerabilities in the Ivanti Cloud Services Appliance (CSA), CVE-2024-8963 (CVSS: 9.4) and CVE-2024-8190 (CVSS: 7.2). CVE-2024-8963 is an admin bypass vulnerability that would allow a remote and unauthenticated threat actor to access restricted functionality on vulnerable devices. CVE-2024-8190 is a command injection flaw that can be exploited to enable the execution of arbitrary commands. Ivanti has reported that the two vulnerabilities were chained together in real-world attacks to allow authentication bypass followed by command execution; additional details on exploitation have not been shared.

Organizations using Ivanti EPM and CSA are strongly recommended to apply the relevant security patches immediately.

eSentire Threat Intelligence Analysis:

With the recent disclosure of two actively exploited vulnerabilities, and one maximum severity vulnerability, it is critical that organizations using Ivanti products ensure that they are up to date on security patches. Vulnerabilities in Ivanti products have been heavily targeted in the past. In early 2024, Ivanti was impacted by three separate zero-day vulnerabilities. The past targeting of Ivanti products may indicate both high attacker interest, as well as experience targeting related software.

EPM’s pervasiveness across networks, and interaction with multiple operating systems, would make any Remote Code Execution (RCE) vulnerability highly valuable to both state-sponsored and financially motivated threat actors. Considering these factors, CVE-2024-29847’s value for initial access into victim organizations, and the availability of PoC exploit code, the eSentire Threat Intelligence team assesses that it is probable CVE-2024-29847 will be exploited by threat actors in the near future.

In response to the release of the PoC, eSentire released a security advisory and created a new eSentire MDR for Endpoint detection. The eSentire Threat Response Unit (TRU) continues to track this vulnerability for additional details and detection opportunities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all of the vulnerabilities mentioned in this briefing.

SolarWinds Critical Vulnerability

Bottom Line: SolarWinds has disclosed a simple-to-exploit vulnerability in SolarWinds Access Rights Manager (ARM). Exploitation may result in unauthorized access to sensitive data, potential disruption of business operations, and could be harmful to a company’s reputation.

SolarWinds has disclosed a new critical vulnerability impacting SolarWinds Access Rights Manager (ARM). SolarWinds ARM is used by organizations to manage and audit access rights across their IT infrastructure. The vulnerability, tracked as CVE-2024-28991 (CVSS: 9.0), would enable an authenticated threat actor to abuse the service, resulting in Remote Code Execution (RCE). The flaw stems from an issue in the JsonSerializationBinder class. At the time of writing, there is no indication of attacks exploiting this vulnerability in the wild.
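Both the Ivanti EPM flaw (deserialization of untrusted data) and the SolarWinds ARM flaw (an issue in a serialization binder class) belong to the same bug class: the incoming payload names the type to construct, and the loader obliges. The following added example is not code from Ivanti, SolarWinds, or eSentire; it uses Python's pickle module as a stand-in for the .NET serializer, with invented class names (AgentReport, UnexpectedType), to show the weak pattern beside the hardened one. The hardened loader overrides find_class, the hook pickle uses to resolve a class name, with an allow-list, which is the same role a restrictive SerializationBinder plays in .NET.

```python
"""Constructed example: deserialization of untrusted data, weak versus hardened.
pickle stands in for the .NET JSON serializer mentioned in the briefing; every
class name below is invented for the demonstration."""
import io
import pickle


class AgentReport:
    """The one message type the hypothetical service legitimately expects."""

    def __init__(self, hostname: str, patch_level: int) -> None:
        self.hostname = hostname
        self.patch_level = patch_level


class UnexpectedType:
    """Stands in for any class the service never intended to construct."""

    def __init__(self, note: str = "") -> None:
        self.note = note


def weak_load(blob: bytes) -> object:
    """Weak pattern: the payload names the class and the loader constructs it.
    This is the equivalent of honouring type names with no binder in place."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """Hardened pattern: only (module, class) pairs on the allow-list may be
    resolved; anything else is rejected before an object is constructed."""

    ALLOWED = {(__name__, "AgentReport")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"type {module}.{name} is not permitted")


def hardened_load(blob: bytes) -> AgentReport:
    """Deserialize with the allow-list binder, then verify the result type as well."""
    obj = AllowListUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, AgentReport):  # defence in depth: check the outcome too
        raise TypeError("unexpected object type after deserialization")
    return obj


def build_samples() -> tuple:
    """Constructed inputs: one legitimate report and one naming a class the
    service never asked for (benign here; the point is who chooses the type)."""
    good = pickle.dumps(AgentReport("host01", 7))
    unexpected = pickle.dumps(UnexpectedType("not a report"))
    return good, unexpected


def demo() -> dict:
    """Run both loaders over both inputs and report which class each produced."""
    good, unexpected = build_samples()
    results = {
        "weak_good": type(weak_load(good)).__name__,
        # The weak loader happily builds whatever class the payload names.
        "weak_unexpected": type(weak_load(unexpected)).__name__,
        "hardened_good": type(hardened_load(good)).__name__,
    }
    try:
        hardened_load(unexpected)
        results["hardened_unexpected"] = "accepted"
    except pickle.UnpicklingError:
        results["hardened_unexpected"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is the important part: a binder that merely validates the shape of the type name, or that falls back to default resolution when a name is unrecognized, still lets the caller pick the class. Rejecting everything not explicitly expected, and checking the resulting object's type afterwards, closes the class of bug rather than one instance of it.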

Notably, the vulnerability is reported as requiring authentication to exploit, but the Zero Day Initiative (ZDI) claims “the existing authentication mechanism can be bypassed”. ZDI did not expand on how authentication bypass could be achieved.

Security patches for CVE-2024-28991 were made available alongside the disclosure of the vulnerability. Organizations are strongly recommended to apply the relevant security patches before exploitation is identified in the wild.

eSentire Threat Intelligence Analysis:

As SolarWinds products are widely used across enterprises, vulnerabilities in these products may be viewed as especially valuable to threat actors. An unpatched system could result in unauthorized access to sensitive data, potential disruption of business operations, and damage to a company’s reputation.

CVE-2024-28991 is especially concerning due to two claims: that authentication can be bypassed, and that the vulnerability is simple to exploit. Simple-to-exploit vulnerabilities increase the number of threat actors who have the technical skill required to exploit them. If authentication can be bypassed, threat actors will not need to spend the time or funds to compromise the organization via other means, such as purchasing credentials from dark web markets. If either of these claims is validated, it will increase the attention from threat actors.

At this time, there is no publicly available Proof-of-Concept (PoC) exploit code for CVE-2024-28991. If PoC is identified, the eSentire Threat Intelligence team assesses that exploitation in the near future is almost certain.

SolarWinds has a long history of being targeted by threat actors. In December of 2020, it was disclosed that a state-sponsored APT group exploited a zero-day vulnerability in the Orion Platform, impacting thousands of SolarWinds customers. More recently, in August 2024, CISA confirmed that threat actors were exploiting a vulnerability in SolarWinds' Web Help Desk (WHD) software only days after it was publicly disclosed. As SolarWinds vulnerabilities have been regularly targeted by threat actors in the past, organizations should prioritize the patching of all known SolarWinds vulnerabilities.

Flax Typhoon: Raptor Train Botnet

Bottom Line: The FBI and partners, as well as Lumen’s Black Lotus Labs, have released simultaneous reports on a botnet attributed to known Chinese state-sponsored threat actors. The botnet was leveraged to obscure attacks against U.S. entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

On September 18th, two separate reports were released on an APT-controlled botnet tracked as Raptor Train; the first being a joint report from the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA), and the second coming from Lumen’s Black Lotus Labs. Both reports attribute the activity to the APT group Flax Typhoon (RedJuliette, Ethereal Panda) and provide significant technical details on the campaign. Flax Typhoon is a People’s Republic of China (PRC) threat actor group that has operated since at least mid-2021. The group is reported to have heavily targeted Taiwan in the past, using both custom malware and Living Off the Land (LotL) tools.

Raptor Train is a variant of the Mirai malware and the botnet is made up of compromised small office/home office (SOHO) routers, firewalls, Network-Attached Storage (NAS), and Internet of Things (IoT) devices. The botnet was established in 2020, and to date, has compromised over 200,000 devices total. It was at its largest in June of 2023, with 60,000 actively compromised devices. In order to infect devices to grow the botnet, Flax Typhoon exploited over twenty separate vulnerabilities, including both zero-day and one-day vulnerabilities. A full list of known exploited vulnerabilities is available in the FBI joint report.

According to the FBI, the botnet is used as a proxy to hide the source of activity for Distributed Denial-of-Service (DDoS) attacks and campaigns targeting U.S. networks. Flax Typhoon was identified using the Raptor Train botnet to target “entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors”.

According to Black Lotus Labs, the Raptor Train botnet was at least partially disrupted prior to the publication of the reports. The company is “null-routing traffic to the known infrastructure points, including their distributed botnet management, C2, payload and exploitation infrastructure.”

eSentire Threat Intelligence Analysis:

Sophisticated botnets like Raptor Train, and the use of both zero-day and one-day vulnerabilities, illustrate the lengths that state-sponsored APT groups will go to in order to avoid direct attribution. This is not the first time that Chinese APT groups have employed large botnets to obfuscate the source of attacks. In January 2024, the U.S. Justice Department confirmed the disruption of the KV Botnet employed by the Volt Typhoon threat actor group to target critical infrastructure. Based on past observations, the level of effort and time required to develop Raptor Train, and the sophistication of the campaign, it is highly likely that Flax Typhoon will either restore Raptor Train and continue operations or develop a new botnet to hide their activity.

The ability to obfuscate the source of activity is critical for state-sponsored threat actors. Direct attribution of APT campaigns, especially against government and critical infrastructure, may result in a political response, such as the deterioration of international relations or the imposition of costly sanctions. There are multiple examples of confirmed cyberattacks leading to sanctions against both the Russian and Chinese governments. To minimize the likelihood of an international incident, threat actors are directing significant resources into avoiding attribution and maintaining plausible deniability.

The effort that state-sponsored APTs put into avoiding attribution highlights the key role of intelligence sharing between governments and private organizations. To combat cyber-enabled espionage, private organizations, cybersecurity companies, law enforcement, and government agencies need to share observations with each other. Information sharing gives partners the ability to better defend against attacks, respond to developing threat actor techniques, and improve attribution as the overall body of evidence grows.

In response to the disclosure of information on Flax Typhoon and the Raptor Train botnet, eSentire’s Threat Intelligence team is performing Indicators-based threat hunts and validating detection coverage.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.