TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: As exploitation of CVE-2024-45519 has been confirmed, it is critical that organizations using Zimbra mail servers apply the relevant security patches immediately.
On September 27th, Zimbra disclosed a critical vulnerability in Zimbra mail servers. On the same day, Project Discovery released a technical report on the vulnerability and Proof-of-Concept (PoC) exploit code. On October 1st, researchers from Proofpoint announced that exploitation attempts had been identified beginning September 28th.
CVE-2024-45519 (CVSS: 10) is a vulnerability in the postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1, that allows a remote and unauthenticated threat actor to execute commands on a vulnerable Zimbra email server. Successful exploitation may enable “unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality”.
CVE-2024-45519 is considered simple to exploit. In attacks observed to date, threat actors have sent spoofed emails to organizations using Zimbra, placing base64-encoded strings in the CC field. When the email server parses the message, the commands carried in the CC field are executed automatically via the sh utility. Post-exploitation, webshell deployment for persistent access has been reported.
Since exploitation is ongoing, it is paramount that all organizations using the impacted versions of Zimbra apply the relevant security patches immediately.
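The delivery mechanism described above (command content hidden in CC recipients) lends itself to mail-log and header triage. The Python below is an added example written for this briefing, not eSentire's MDR rule and not Zimbra code: it parses a message's CC header, flags recipient addresses that contain shell metacharacters, and flags long base64 tokens that decode to readable text so an analyst can review them. The sample messages are constructed; the thresholds and heuristics are assumptions to tune against real traffic.

```python
import base64
import email
import re
from email.utils import getaddresses

# A run of 16+ base64 alphabet characters with optional padding. Ordinary
# local parts are rarely this long without dots or hyphens breaking the run.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Characters that have no business in a recipient address and hint at
# command substitution or chaining if a parser hands the value to a shell.
SHELL_METACHARS = ("$(", "`", "|", ";", "&&", ">", "<")

# Constructed sample messages (not real traffic).
BENIGN = b"""From: alice@example.com
To: ops@example.com
Cc: bob@example.com, "Carol" <carol@example.com>
Subject: weekly report

body
"""

SUSPECT_B64 = b"""From: noreply@example.com
To: ops@example.com
Cc: ops@example.com, aGVsbG8gZnJvbSBjYw==@example.com
Subject: invoice

body
"""

SUSPECT_META = b"""From: noreply@example.com
To: ops@example.com
Cc: "team;lead"@example.com
Subject: invoice

body
"""


def decode_if_base64_text(token: str):
    """Return decoded text if `token` is base64 for printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def inspect_cc(raw_message: bytes) -> list:
    """Return one finding per suspicious CC recipient in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for _display_name, addr in getaddresses(msg.get_all("Cc", [])):
        reasons = []
        if any(meta in addr for meta in SHELL_METACHARS):
            reasons.append("shell metacharacters in recipient address")
        for token in B64_TOKEN.findall(addr):
            decoded = decode_if_base64_text(token)
            if decoded is not None:
                reasons.append(f"base64 token decodes to text: {decoded!r}")
        if reasons:
            findings.append({"address": addr, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("base64", SUSPECT_B64), ("meta", SUSPECT_META)):
        print(label, inspect_cc(sample))
```

Run it against a mail spool or a Zimbra log export by feeding each raw message to `inspect_cc`; a non-empty result is a triage lead, not a verdict, since a long alphanumeric local part can occasionally decode to readable text by chance.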
As the vulnerability is being actively exploited, and PoC exploit code and technical details on how to exploit it are available, organizations are strongly recommended to apply patches immediately. The availability of PoC exploit code significantly simplifies attacks, and in this case exploitation is already trivial, meaning that low-skilled threat actors will be able to adopt the exploit and launch attacks quickly.
Exploits for recently released vulnerabilities, also known as “N-day” or “One-day” vulnerabilities, are highly valuable to threat actors, especially if they enable initial access into organizations. Their value lies in the availability of unpatched devices. As organizations apply security patches, the value of the vulnerability to opportunistic threat actors decreases, because the number of devices they can target has been reduced. This creates a scenario where threat actors attempt to rapidly weaponize vulnerabilities and exploit them before organizations are able to apply the security patches. Managed vulnerability services can greatly assist organizations in both identifying vulnerabilities and prioritizing patching.
eSentire published an advisory on this topic on October 2nd. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices, and eSentire MDR for Network has rules to identify exploitation attempts.
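Identifying vulnerable devices comes down to comparing each server's version and patch level against the fixed releases listed above (8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9 and 10.1.1). The Python below is an added example for this briefing, not eSentire's MVS plugin and not Zimbra tooling: it encodes those ranges and classifies inventory version strings. The inventory lines are constructed, and the `zmcontrol -v`-style format it accepts is an assumption; adjust the regexes if your inventory records versions differently.

```python
import re
from typing import NamedTuple, Optional


class ZcsVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    patch: int  # 0 when no patch level is present in the string


# First fixed version per branch, as stated in the advisory for CVE-2024-45519.
FIXED_VERSIONS = {
    "8.8": (ZcsVersion(8, 8, 15, 46), "8.8.15 Patch 46"),
    "9.0": (ZcsVersion(9, 0, 0, 41), "9.0.0 Patch 41"),
    "10.0": (ZcsVersion(10, 0, 9, 0), "10.0.9"),
    "10.1": (ZcsVersion(10, 1, 1, 0), "10.1.1"),
}

_BASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_PATCH_RES = (
    re.compile(r"_P(\d+)"),                  # "8.8.15_P46"
    re.compile(r"Patch\s+(\d+)(?![\d.])"),   # "Patch 46", but not "Patch 8.8.15_P46"
)


def parse_version(text: str) -> ZcsVersion:
    """Extract major.minor.micro plus an optional patch level from a version string.

    Accepts inventory strings such as "9.0.0 Patch 40" or "10.0.8" and the
    assumed zmcontrol-style "Release 8.8.15.GA.3869..., Patch 8.8.15_P45."
    """
    m = _BASE_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, micro = (int(g) for g in m.groups())
    patch = 0
    for rx in _PATCH_RES:
        pm = rx.search(text)
        if pm:
            patch = int(pm.group(1))
            break
    return ZcsVersion(major, minor, micro, patch)


def branch_of(v: ZcsVersion) -> Optional[str]:
    """Map a version to the advisory branch whose fixed release applies to it."""
    # The advisory treats everything below 8.8.15 Patch 46 as affected, so
    # older 8.x and earlier releases are compared against the 8.8 fix.
    if v.major <= 8:
        return "8.8"
    if v.major == 9:
        return "9.0"
    key = f"{v.major}.{v.minor}"
    return key if key in FIXED_VERSIONS else None


def assess(text: str) -> dict:
    """Classify one version string: vulnerable True/False, or None if not covered."""
    v = parse_version(text)
    branch = branch_of(v)
    if branch is None:
        return {"version": v, "vulnerable": None, "fixed_in": None,
                "note": "branch not listed in the advisory; check vendor guidance"}
    fixed, label = FIXED_VERSIONS[branch]
    return {"version": v, "vulnerable": v < fixed, "fixed_in": label}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {
        "mail01": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P45.",
        "mail02": "9.0.0 Patch 41",
        "mail03": "10.0.8",
        "mail04": "10.1.1",
    }
    for host, ver in inventory.items():
        r = assess(ver)
        print(f"{host}: {r['version']} vulnerable={r['vulnerable']} fixed_in={r['fixed_in']}")
```

Tuple comparison does the work: a version is affected when its (major, minor, micro, patch) tuple sorts below the fixed release for its branch, which is why an 8.8.15 server with no patch level recorded is reported as vulnerable until the patch number is confirmed.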
Bottom Line: A new variant of MedusaLocker has been observed being distributed by a recently discovered threat actor group. The group's techniques include using publicly known attack tools and Living-Off-the-Land binaries.
On October 3rd, Cisco Talos released a report outlining information on a new variant of MedusaLocker ransomware, which they have dubbed BabyLockerKz. They discovered a financially motivated threat actor, active since 2022, that has been observed delivering the new variant. The threat actor targets organizations worldwide, with the majority in EU countries until mid-2023, when there was a shift to South American countries.
The threat actor employs several publicly known tools and Living-off-the-Land Binaries (LoLBins) to facilitate credential theft and lateral movement within compromised organizations. These tools are often wrappers for publicly available tools, enhanced with additional functionalities to streamline the attack process. Cisco Talos observed the attacker consistently storing the same set of tools in the same locations on compromised systems, making them easier to identify. The use of a lateral movement tool named "checker" and the consistent PDB path string "paid_memes" are notable indicators of this threat actor.
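The consistent PDB path string and tool name called out above are the kind of indicators a file-based hunt can key on. The Python below is an added example for this briefing, not Talos or eSentire tooling: it extracts PDB paths from the CodeView RSDS debug record embedded in PE files and scores files against the two indicators. The sample PE-like bytes are constructed (they contain only an MZ header and an RSDS record, not a working executable), and the file-name heuristic is an assumption.

```python
import hashlib
import os
import re

# Indicators from the Talos findings summarized above.
PDB_INDICATOR = "paid_memes"
TOOL_NAME_INDICATOR = "checker"

# CodeView "RSDS" record as embedded in PE debug data: 4-byte signature,
# 16-byte GUID, 4-byte age, then a NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS.{16}.{4}([\x20-\x7e]{1,260}?)\x00", re.DOTALL)

# Constructed sample: an MZ header, padding, and one RSDS record. Not a real binary.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 64
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"C:\\dev\\paid_memes\\checker\\Release\\checker.pdb\x00"
)


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in RSDS records within `data`."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(data)]


def scan_bytes(name: str, data: bytes) -> dict:
    """Score one file's contents against the indicators and return a finding dict."""
    reasons = []
    if data.startswith(b"MZ"):  # only PE files carry an RSDS record worth checking
        for pdb in extract_pdb_paths(data):
            if PDB_INDICATOR in pdb:
                reasons.append(f"PDB path contains '{PDB_INDICATOR}': {pdb}")
    stem = os.path.splitext(os.path.basename(name))[0].lower()
    if TOOL_NAME_INDICATOR in stem:
        reasons.append(f"file name matches lateral movement tool '{TOOL_NAME_INDICATOR}'")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "reasons": reasons}


def scan_dir(root: str) -> list:
    """Walk `root` and return findings for every file that matched at least one indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the hunt
            result = scan_bytes(full, data)
            if result["reasons"]:
                findings.append(result)
    return findings


if __name__ == "__main__":
    print(scan_bytes("checker.exe", SAMPLE_PE))
    print(scan_bytes("notes.txt", b"hello"))
```

Point `scan_dir` at the directories where the report says the actor stages its tooling and review each finding's hash alongside the reasons; the PDB match is the stronger signal of the two, since "checker" alone is a common file name.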
The threat actor's most notable tools and techniques are MIMIK, the PTH project, the Checker tool, and the BabyLockerKz ransomware. MIMIK is a wrapper for the widely known Mimikatz and RClone tools, which can be used to steal credentials and automatically upload them to an attacker-controlled server. The Checker tool is an app that bundles several other freely available applications, such as Remote Desktop Plus, PsExec, and Mimikatz, which can provide access to a host, lateral movement, and credential theft. Lastly, the PTH project uses the pass-the-hash technique to authenticate remotely with NTLM hashes, without having to crack the password.
Cisco Talos assesses with medium confidence that the actor is financially motivated, possibly working as an Initial Access Broker (IAB) or as an affiliate of a ransomware group. The threat actor has consistently compromised many organizations, often more than 100 per month, since at least 2022, which is in line with what is expected from an IAB or ransomware affiliate.
The discovery of a new MedusaLocker variant highlights the evolving nature of ransomware threats. The effective use of specific, mainly publicly known, tools and techniques underscores the threat actor's experience with attacks of this nature. Conducting more than 100 attacks per month for multiple years displays the professional and highly aggressive nature of the operation, in line with what would be expected from a financially motivated actor.
The MedusaLocker family, first observed in 2019, has seen various iterations, each adding new features and capabilities. This continuous evolution is not unique to MedusaLocker, as other ransomware families have similarly adapted over time. The evolution of these attacks highlights the need for organizations to implement a defense-in-depth strategy.
To protect against these threats, organizations should regularly update and apply patches to software and systems, mitigating vulnerabilities that attackers can exploit. Organizations can also provide user awareness training, helping employees identify potentially malicious emails or messages, and implement Multi-Factor Authentication (MFA) to limit the impact of compromised credentials. Conducting regular backups and ensuring they are stored offline can provide a safety net in case of a ransomware attack. Lastly, deploying an Endpoint Detection and Response (EDR/XDR) system can help identify and neutralize threats before they can cause significant damage.
The eSentire Threat Intelligence team is actively tracking this threat and has performed indicator-based threat hunts. Additionally, the eSentire product suite maintains a variety of detections for tools used by the group.
Bottom Line: A joint government report on the Russia-based Evil Corp threat actor group provides new information on attribution and possible connections to the Russian Federal Security Service (FSB). Evil Corp is a financially motivated threat actor group known for the creation and deployment of a wide variety of banking trojans and ransomware variants.
On October 1st, the United Kingdom’s National Crime Agency, the FBI and the Australian Federal Police released a joint report on the financially motivated threat actor group Evil Corp (aka Indrik Spider, Manatee Tempest, DEV-0243). Evil Corp is a Russia-based threat actor group that has operated for more than a decade. The group's tactics and techniques have improved and changed over time; early activity was focused on the theft of financial details to enable fraud, while recent activity has centered around ransomware deployment. Evil Corp is responsible for the creation and distribution of various malware and ransomware strains including Dridex, BitPaymer, WastedLocker, Hades, PhoenixLocker, PayloadBIN, and Macaw.
The joint report is focused on attribution of Evil Corp to real-world threat actors. Five members of the group are directly named, all of whom reside in Russia:
Maksim Yakubets is credited with founding and leading the group, as well as performing various other criminal activities prior to Evil Corp. His connection to Evil Corp is not new; his identity has been public knowledge since at least 2019, and the FBI currently offers a 5 million USD reward for information leading to his arrest.
Aleksandr Ryzhenkov, another member of the group, previously worked with Maksim, when they were both affiliated with a now defunct cybercrime group dubbed The Business Club. He is reported to be second in command of Evil Corp and is an active affiliate member of the LockBit Ransomware-as-a-Service (RaaS) group.
Igor Turashev was considered a core member of the group with significant malware development experience. Turashev is reported to have split from Evil Corp in late 2019, to go on to lead the development of DoppelPaymer ransomware, a ransomware variant that saw significant success in 2020, before rebranding as Grief. He is currently wanted by German authorities for his ransomware activity.
Vitaliy Kovalev is another malware developer known to work for Evil Corp. He is reported to have contributed significantly to the deployment of various malware families including Dyre, Trickbot, and Conti ransomware. He is reported to have worked with other members of the group since at least 2009, and officially joined the Evil Corp precursor group The Business Club between 2011 and 2014.
Evgeniy Benderskiy is Maksim Yakubets’ father-in-law and has been “a key enabler of Evil Corp’s state relationships.” Benderskiy is reported to be a former member of the Russian Federal Security Service (FSB), Vympel unit. He has used his connections to provide physical security for group members and to dissuade Russian law enforcement from making arrests. The non-profit OSINT group Bellingcat has reported that Benderskiy “has been involved in multiple overseas assassinations on behalf of the Russian state.”
Law enforcement has taken further steps to highlight Evil Corp's criminal activity and limit the ability of the group's members to travel internationally and operate clandestinely. The British government has announced sanctions against 15 Evil Corp members. The U.S. Department of Justice unsealed an indictment charging Ryzhenkov, and the U.S. Treasury Department designated seven individuals and two entities associated with Evil Corp, as part of the coordinated action against the group. The Australian government added three sanctions against Evil Corp members.
The publication of this attribution information will empower both researchers and law-enforcement to more closely monitor known threat actor activity, ideally allowing for the rapid identification and disruption of future cybercrime activity. This release and sanctions against Evil Corp members are not expected to result in the arrest of members or an immediate decrease in cybercriminal activity. All individuals named in this report reside in Russia; the group does not target Russia or other Commonwealth of Independent States (CIS) countries. By restricting their attacks to other locations, Evil Corp has created a situation where disruption by Russian law-enforcement is extremely unlikely.
It is not clear how intertwined Evil Corp is with the Russian intelligence apparatus. At a minimum, the Russian government has turned a blind eye to Evil Corp activity, allowing the group to target Western organizations with disruptive and costly cyberattacks. While unconfirmed, it is possible that some Evil Corp activity has been at the behest of the Russian government, through the direct targeting of specific geolocations or industries.
This release shows the ongoing concerted effort by international law enforcement agencies to disrupt Russian cybercriminal organizations. This week, Europol announced the arrest of four members of the Russian RaaS group LockBit. On October 3rd, Microsoft, in coordination with the U.S. Digital Crimes Unit (DCU), announced the disruption of technical infrastructure used by a Russian state actor dubbed Star Blizzard (aka COLDRIVER, Callisto Group). These recent releases may be connected to ongoing geopolitical tensions, such as the Russia/Ukraine war and concerns around cyberattacks targeting the 2024 U.S. elections.
The eSentire Threat Intelligence team assesses it is highly likely that named members of the group will continue conducting cybercrime, either under the name Evil Corp or as affiliates for other Russian criminal groups.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.