Threat Briefing — Sept 27, 2024

Weekly Threat Briefing - Sept 23- Sept 27

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Storm-0501: Ransomware Attacks Expanding to Hybrid Cloud Environments

Bottom Line: Storm-0501 has been observed employing attack methods leading to the compromise of hybrid cloud environments. With hybrid cloud environments becoming more prevalent, it increases the challenge of securing resources across multiple platforms for organizations.

On September 26th, Microsoft released a report outlining a recent campaign conducted by Storm-0501. The group was observed launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environments which resulted in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.

Storm-0501 is a threat actor that has been active since as early as 2021, where they were initially observed deploying ransomware in attacks that targeted U.S. school districts, leaking sensitive information for extortion purposes. The threat actor has since shifted into more opportunistic attacks, operating as a Ransomware-as-a-Service (RaaS) affiliate deploying multiple ransomware payloads such as Hive, BlackCat (ALPHV), Hunters International, Lockbit, and Embargo ransomware. They have also recently been observed targeting hospitals in the US.

Storm-0501 previously gained initial access through intrusions conducted by access brokers such as Storm-0249 and Storm-0900, that leveraged compromised credentials or exploiting known vulnerabilities to gain access. In the most recent campaign, the threat actor was observed exploiting known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203) for initial access. Microsoft states that the initial access techniques were combined with insufficient operational security practices by the targets, which allowed for the threat actors to gain elevated privileges on a victim's device.

Once on a system, the threat actor leveraged the elevated privileges to gain access to more accounts within the network, conduct reconnaissance, and established persistence before moving onto the next stage. They utilized tools such as Impacket's Secrets Dump Module, Cobalt Strike, Rclone, and AADInternals. Once established in a network, the group exfiltrated sensitive data and deployed ransomware.

The most notable attack method that was observed, is the shift from on-premises to cloud. Microsoft states the threat actor was observed using Microsoft Entra ID credentials stolen from earlier in the attack, to move laterally from the on-premises to cloud environment where they then established persistent access to the network through a backdoor.

eSentire Threat Intelligence Analysis:

The rise of ransomware attacks such as Storm-0501 onto hybrid cloud environments underscores the ever-evolving threat landscape that threatens organizations globally. As digital transformation increases and organizations move more of their operations to the cloud, the expansion of these threats presents a considerable challenge. If this trend persists, businesses stand to risk not only financial losses, but reputational damage and potential downtime as well.

Organizations are recommended to adopt a defense in depth strategy, which includes a Zero Trust security framework, which fundamentally presumes a breach, verifying every access request rigorously, regardless of its origin. Furthermore, regular monitoring of networks to detect unusual sign-ins or abnormal behaviors can help prevent a potential breach. Following this, regularly updating security patches ensures known vulnerabilities in the system can't be exploited.

Historically, the rapid evolution of ransomware techniques mirrors that of previous cybersecurity threats. As protection strategies and technologies improve, so too do the methods employed by attackers. Ransomware attacks are becoming more complex and targeted, focusing on high-value entities like hybrid cloud environments instead of individual systems.

Unauthenticated RCE Flaws in CUPS Printing Systems

Bottom Line: Due to an inadvertent leak of details related to the CUPS printing system for Linux, Proof-of-Concept exploit code has been released. Mitigation options should be exercised until patches are made available.

On September 26th, details of four critical and high severity vulnerabilities impacting Linux devices were leaked on GitHub by the creator of CUPS. CUPS is the standard printing system for Linux, macOS, and UNIX systems. The security researcher Simone Margaritelli discovered the vulnerabilities and reported them to the relevant companies to allow for remediation. On September 23rd, Margaritelli announced the existence of the vulnerabilities but did not include technical details. Full details on the vulnerabilities were released ahead of schedule on September 26th, because a series of bug fixes posted to GitHub could have enabled threat actors to reverse engineer the fixes and identify the vulnerabilities.

The newly disclosed vulnerabilities are as follows:

These vulnerabilities could be exploited together to allow a remote and unauthenticated threat actor to bypass authentication requirements and execute code. The vulnerable component of CUPS is enabled in some UNIX systems but is generally not enabled by default. Margaritelli states that the vulnerabilities may impact GNU/Linux distributions, some BSDs, Google Chromium/ChromeOS, Oracle Solaris, and possibly more.

As the disclosure of these vulnerabilities occurred ahead of the planned release, security patches to address them are not yet available. Until security patches are released, organizations using CUPS are recommended to disable and remove “cups-browsed” from vulnerable systems and block all traffic to UDP port 631.
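As an added example, not part of the eSentire briefing, the following POSIX shell script checks a Linux host for a listener on UDP port 631 and applies the interim mitigation described above (stop and mask cups-browsed, block inbound UDP/631). It assumes systemd, iproute2's `ss` and iptables are present; the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example: audit for the CUPS browsing listener and apply the mitigation.
# Assumptions: systemd (systemctl), iproute2 (ss) and iptables are available.

# Reads `ss -lunp` output on stdin; returns 0 if anything is bound to UDP/631.
# Field 4 of a data line is Local Address:Port (e.g. 0.0.0.0:631 or [::]:631).
udp631_listening() {
  awk 'NR > 1 && $4 ~ /:631$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample: a host where cups-browsed is listening on UDP/631.
SAMPLE_LISTENING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=700,fd=13))'

# Constructed sample: the same host after cups-browsed has been stopped.
SAMPLE_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=700,fd=13))'

# Live check against the running host; returns 1 when UDP/631 is exposed.
audit_host() {
  if ss -lunp 2>/dev/null | udp631_listening; then
    echo "UDP/631 is open: cups-browsed (or another CUPS component) is listening"
    return 1
  fi
  echo "UDP/631 is not listening"
  return 0
}

# Interim mitigation from the advisory text; requires root.
# Package removal is distribution specific and is left to the operator.
mitigate() {
  systemctl disable --now cups-browsed 2>/dev/null
  systemctl mask cups-browsed
  # Drop inbound UDP/631 so remote printer advertisements never reach the host.
  iptables -I INPUT -p udp --dport 631 -j DROP
}

if [ "${1:-}" = "--run" ]; then
  audit_host || mitigate
fi
```

Run with `--run` as root to audit and mitigate; without arguments the script only defines the functions so it can be sourced from other tooling.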

eSentire Threat Intelligence Analysis:

Exploitation of these vulnerabilities has not been identified at the time of writing. The eSentire Threat Intelligence team assesses that there is a high probability that these vulnerabilities will be exploited in real-world attacks in the near future. The ability to execute code and bypass authentication in widely used software will be viewed as high value for threat actors. Additionally, the release of technical details and Proof-of-Concept (PoC) exploit code significantly lowers the barriers of exploitation for even low-skilled threat actors.

Generally, the responsible disclosure of vulnerabilities involves researchers and businesses working together to identify the vulnerabilities, develop detections, and then publicly disclose the issue. In this case, Margaritelli states that they released information outside of standard disclosure due to a failure by developers to fully acknowledge the vulnerabilities and address them, as well as the developers inadvertently sharing technical information via GitHub prior to the disclosure. The relationship between businesses and vulnerability researchers is important, as properly executing responsible disclosure practices ensures that relevant information is shared along with security patches. Failure to follow these principles by either businesses or researchers may create scenarios where threat actors are empowered with information while there is no simple fix for impacted organizations to apply.

eSentire Managed Vulnerability Service (MVS) will add the relevant plugins as they become available. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.

Chinese APT Targets U.S. Internet Service Providers

Bottom Line: Chinese state-sponsored threat actors continue to target both government and private organizations across the United States. These attacks may result in major impacts including the theft of trade secrets, espionage, and attacks against downstream customers.

On September 26th, the Wall Street Journal (WSJ) reported that an Advanced Persistent Threat (APT) group affiliated with the People’s Republic of China (PRC) has compromised “a handful of U.S. internet-service providers in recent months”. According to “people familiar with the matter”, the goal of this activity is to gather sensitive information, likely for espionage related purposes. The WSJ claims that the campaign is tracked under the name Salt Typhoon; Salt Typhoon is the Microsoft naming convention for a known Chinese APT group also referred to as FamousSparrow and GhostEmperor. The article states that "Investigators are exploring whether the intruders gained access to Cisco System routers, core network components that route much of the traffic on the internet". Cisco has stated that there is no indication at this time that Cisco routers are involved in the breaches. Microsoft has declined to comment on this topic but is reported to be leading the investigation into what data may have been stolen.

A spokesperson from the Chinese embassy in Washington has released a public statement. They claim that cybersecurity firms and U.S. spy agencies are, “secretly collaborating to piece together false evidence” of Chinese state-sponsored cyber espionage campaigns.

Details surrounding this campaign are currently minimal, and there is a high probability that additional information will be released over the coming weeks. The eSentire Threat Intelligence team continues to track this topic for additional details and detection opportunities.

eSentire Threat Intelligence Analysis:

Internet Service Providers represent a wealth of data for espionage motivated threat actor groups. Compromises may allow for the monitoring of individuals and organizations, as well as the theft of information related to telecommunications technology. As ISPs can provide an avenue for attackers to monitor sensitive information, a single breach can have significant downstream effects, reaching specific organizations or individuals that will likely not be aware of it.

The successful compromise of multiple U.S. ISPs demonstrates the level of sophistication and strategic planning that can be performed by state-sponsored APT groups. This is not the first time that Chinese APT groups have targeted critical U.S. infrastructure. According to FBI Director Christopher Wray, “The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist”. This activity is becoming increasingly common; in February of this year, CISA and other U.S. government agencies confirmed that the Chinese APT group Volt Typhoon had been identified targeting critical infrastructure in the U.S. and its territories. The goal of this activity is believed to have been pre-positioning for future destructive attacks. Only one week ago, CISA disclosed the disruption of a Chinese botnet attributed to Flax Typhoon, which was being used to mask the source of attacks targeting U.S. networks. These sophisticated campaigns are expected to continue throughout the year, requiring organizations to proactively implement defense in depth security practices, including regular vulnerability audits and patching, the deployment of endpoint monitoring across all workstations and servers, implementation of security controls including Multi-Factor Authentication, as well as network monitoring and logging.

It is important to consider the source of breaking news, especially for highly technical topics. While the Wall Street Journal is a trusted source for breaking news, their cybersecurity reporting in this case lacks important clarity. The report states that the campaign is tracked as Salt Typhoon, but later states that the activity may have been carried out by APT40. It should be noted that Salt Typhoon is the naming convention Microsoft uses for the GhostEmperor/FamousSparrow Chinese APT group, whereas APT40 is tracked by Microsoft as Gingham Typhoon. It is suspected that this campaign is attributed by Microsoft to Salt Typhoon, as Microsoft is reported to be the organization carrying out related investigations. Due to the limited public details and vague reporting, there are still many outstanding questions related to the recent cyber attacks against U.S. ISPs.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
