TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The rise in the adoption of EDR solutions has likely driven attackers to develop and deploy specialized tools like EDRSilencer. Attackers are motivated by the need to bypass these advanced tools to ensure the successful execution of their malicious activities.
On October 16th, Trend Micro released a report regarding the abuse of the open-source red team tool EDRSilencer, which attackers are using to bypass Endpoint Detection and Response (EDR) capabilities. EDRSilencer is an open-source tool capable of interfering with EDR solutions by leveraging the Windows Filtering Platform (WFP).
By utilizing EDRSilencer, attackers can disrupt network communications for the EDR processes responsible for generating telemetry and alerts. WFP plays a vital role in the successful disruption of the EDR tool’s communication. WFP is a set of APIs and system services that provide a platform for creating network filtering applications. The WFP API allows developers to set up firewalls, intrusion detection systems, antivirus software, network monitoring solutions, and parental controls. It also integrates with and supports firewall functionalities like authenticated communication and dynamic configuration. Threat actors utilize this tool to avoid detection, allowing them to remain persistent and execute cyberattacks over an extended period.
With the help of WFP, the tool can dynamically identify the EDR processes for reputed EDR solutions like Carbon Black, Cisco Secure Endpoint, Microsoft Defender for Endpoint, SentinelOne, TrendMicro Apex One, and more. It creates WFP filters to block the outbound network connections on IPv4 and IPv6, preventing EDRs from sending telemetry to their management consoles.
In a previous TrendMicro report, researchers identified a similar tool being used by threat actors. Those attacks resulted in the deployment of RansomHub ransomware using the custom-developed tool EDRKillShifter. The tool is designed to load a legitimate but unpatched vulnerable driver, which is subsequently exploited by the threat actor for privilege escalation using publicly available Proof-of-Concept (PoC) exploits. The successful use of tools like EDRKillShifter and EDRSilencer will result in their adoption by additional threat groups.
EDR solutions are among the most effective security tools for detecting and mitigating attempts by adversaries to compromise an organization’s security. In response, adversaries are eager to find ways to evade detection, often developing their own solutions or opting for a simpler approach by utilizing existing open source tools designed for legitimate purposes. Usage of EDRSilencer is a clever choice to efficiently prevent detection for longer periods of time and indicates a notable shift in the tactics used by the threat actors. The tool's open availability allows threat actors to conduct multiple trial-and-error attempts to develop a successful attack. To prevent EDR processes from being disrupted it is critical that organizations employ a layered security approach that includes network and endpoint monitoring, and logging to efficiently detect rogue applications like EDRSilencer.
As EDRSilencer uses WFP filters to cut off EDR process traffic, organizations should monitor event logs specifically related to WFP policy changes. With that auditing enabled, Windows generates log entries when the tool creates filters to block outbound connections to the EDR management console. To limit the damage to the network, it is recommended to protect critical assets via network segmentation, which restricts lateral movement. Implementing advanced threat detection and threat hunting strategies can help organizations stay prepared for the latest tactics used by threat actors.
Tools like EDRSilencer can be readily weaponized by adversaries, and given the trend of adversaries employing multiple EDR detection evasion solutions, it is likely threat actors will adopt or develop additional EDR bypass solutions.
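The monitoring recommendation above can be turned into simple detection logic. The following is an added example, not code from eSentire or from the EDRSilencer project: it runs over a constructed, flattened representation of Windows Security Event ID 5447 ("A Windows Filtering Platform filter has been changed") records and flags (a) newly added filters whose application condition names an EDR binary, and (b) a single process adding several WFP filters in a short burst, which is how a tool that blocks every EDR process at once looks in the log. The field names in the sample records are a simplified assumption rather than the exact EVTX schema, and the EDR process names are illustrative and should be replaced with the binaries of the EDR actually deployed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event: "A Windows Filtering Platform filter has been changed."
# Requires the "Filtering Platform Policy Change" audit subcategory to be enabled.
EVENT_ID_WFP_FILTER_CHANGED = 5447

# Illustrative EDR process names (assumption: replace with your own EDR's binaries).
EDR_PROCESS_NAMES = {
    "msmpeng.exe", "mssense.exe",   # Microsoft Defender / Defender for Endpoint
    "sentinelagent.exe",            # SentinelOne
    "repmgr.exe",                   # Carbon Black Cloud sensor
    "sfc.exe",                      # Cisco Secure Endpoint connector
}

# Constructed sample events: a simplified flattening of 5447 records (plus one
# unrelated logon event). Field names are an assumption, not the exact EVTX schema.
SAMPLE_EVENTS = [
    {"EventID": 5447, "Time": "2024-10-16T10:01:02", "ChangeType": "Add", "ProcessID": 4420,
     "FilterName": "Custom Outbound Filter", "LayerName": "ALE Connect v4",
     "Conditions": {"ALE App ID": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"}},
    {"EventID": 5447, "Time": "2024-10-16T10:01:02", "ChangeType": "Add", "ProcessID": 4420,
     "FilterName": "Custom Outbound Filter", "LayerName": "ALE Connect v6",
     "Conditions": {"ALE App ID": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"}},
    {"EventID": 5447, "Time": "2024-10-16T10:01:03", "ChangeType": "Add", "ProcessID": 4420,
     "FilterName": "Custom Outbound Filter", "LayerName": "ALE Connect v4",
     "Conditions": {"ALE App ID": r"\device\harddiskvolume3\program files\sentinelone\sentinelagent.exe"}},
    {"EventID": 5447, "Time": "2024-10-16T09:30:00", "ChangeType": "Add", "ProcessID": 1200,
     "FilterName": "Block Inbound Default Rule", "LayerName": "ALE Recv/Accept v4",
     "Conditions": {"ALE App ID": r"\device\harddiskvolume3\windows\system32\svchost.exe"}},
    {"EventID": 4624, "Time": "2024-10-16T09:31:00", "ProcessID": 640},
]


def basename(app_id: str) -> str:
    """Lower-cased file name from a WFP application-ID style path."""
    return app_id.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_edr_blocking_filters(events):
    """Return 5447 'Add' events whose application condition names a known EDR binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_WFP_FILTER_CHANGED or ev.get("ChangeType") != "Add":
            continue
        app = ev.get("Conditions", {}).get("ALE App ID", "")
        if basename(app) in EDR_PROCESS_NAMES:
            hits.append(ev)
    return hits


def burst_sources(events, window_seconds=60, threshold=3):
    """Map process ID -> count for processes that added >= threshold WFP filters
    inside window_seconds; legitimate software rarely mass-creates filters."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == EVENT_ID_WFP_FILTER_CHANGED and ev.get("ChangeType") == "Add":
            by_pid[ev["ProcessID"]].append(datetime.fromisoformat(ev["Time"]))
    flagged = {}
    for pid, times in by_pid.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= timedelta(seconds=window_seconds):
                j += 1
            if j - i >= threshold:
                flagged[pid] = j - i
                break
    return flagged


if __name__ == "__main__":
    for ev in find_edr_blocking_filters(SAMPLE_EVENTS):
        print(f"[EDR filter] pid={ev['ProcessID']} layer={ev['LayerName']} app={ev['Conditions']['ALE App ID']}")
    for pid, n in burst_sources(SAMPLE_EVENTS).items():
        print(f"[burst] pid={pid} added {n} WFP filters within 60s")
```

Both checks are deliberately independent: the process-name match catches a tool that targets the EDR you run, while the burst heuristic still fires when the attacker targets a product whose binary names are not on your list. In production the 5447 records would come from the Security log (or a SIEM export) rather than the constructed list above.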
The eSentire Threat Intelligence team is monitoring any new developments in the tool’s functionality and its malicious use by threat actors. In response to the disclosure of this report, indicator-based threat hunts have been performed across the eSentire customer base. Additionally, eSentire’s Tactical Threat Response (TTR) team has developed new detections for both eSentire MDR for Endpoint and Log.
Bottom Line: Vulnerabilities in edge devices present an attractive target for threat actors seeking to gain access to organizations' environments.
Researchers from Fortinet have released a technical report outlining the exploitation of two Ivanti Cloud Services Appliance (CSA) zero-day vulnerabilities and two additional known vulnerabilities. All four vulnerabilities mentioned in this report have now been disclosed along with security patches.
The exploited vulnerabilities are as follows:
According to Fortinet, threat actors exploited the zero-day vulnerability CVE-2024-8963 for initial access into victim organizations as early as September 4th. They went on to exploit the known command injection vulnerability CVE-2024-8190 to access user credentials. CVE-2024-29824 was exploited to achieve Remote Code Execution (RCE). The report claims exploitation of CVE-2024-9380 was observed but does not provide details on its use. Additionally, in a high-level summary report, Fortinet states that the Ivanti SQL Injection vulnerability CVE-2024-9379 was also exploited in this campaign, but the full report does not mention this vulnerability.
This campaign resulted in the deployment of webshells and a rootkit for persistence. Fortinet does not speculate on the final goal of this activity.
Organizations need to prioritize the rapid identification and patching of vulnerabilities in Internet-facing applications and known exploited vulnerabilities. Ivanti has recently faced multiple zero-day vulnerabilities and confirmed exploitation of publicly disclosed vulnerabilities. Organizations using Ivanti products are strongly recommended to ensure they are up to date on security patches.
In the case of zero-day vulnerabilities, where security patches are not available at the time of exploitation, Endpoint Detection and Response (EDR) solutions can act as a temporary mitigation. While the exploitation will not be prevented, follow-on malicious activity will be identifiable.
Notably, Fortinet states in the title of their report that this activity is suspected to stem from a “Nation-State Adversary”. The sophistication required to identify and exploit multiple zero-day vulnerabilities and chain them together with previously disclosed vulnerabilities, speaks to the technical abilities of the threat group that carried out this campaign. The heavy targeting of Ivanti vulnerabilities may indicate that the currently unknown threat actor will continue to research Ivanti vulnerabilities and target their products in the future.
The eSentire Threat Intelligence team has tracked the related vulnerabilities in this report since their initial disclosure by Ivanti. eSentire MDR for Network has rules in place to identify the abuse of CVE-2024-8963, CVE-2024-8190, and CVE-2024-29824. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all of the vulnerabilities mentioned. Additionally, indicator-based threat hunts have been performed across the eSentire customer base.
Bottom Line: Five Eyes Signals Intelligence agencies have disclosed ongoing attempts by Iranian threat actors to gain access to critical infrastructure organizations, including healthcare, government, information technology, engineering, and energy.
On October 16th, CISA, in coordination with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), released a joint cybersecurity advisory (AA24-290A) regarding Iranian threat actors targeting multiple critical infrastructure sectors. According to the report, beginning in October 2023, CISA and partners have observed Iran-based threat actors employing brute-force attacks and Multi-Factor Authentication (MFA) fatigue to gain access to victims. Targeted critical infrastructure sectors include healthcare, government, information technology, engineering, and energy. The goal of these compromises is believed to be information theft, with the aim of selling stolen data or access to other criminals on dark web forums.
In observed attacks, threat actors perform brute-force style attacks, such as password spraying, for initial access to victim organizations. If the organization has app-based MFA enabled, attackers use MFA bombing (a.k.a. MFA fatigue) to trick users into authenticating. MFA bombing is a simple technique where threat actors repeatedly trigger MFA push prompts until the user accepts one out of either confusion or frustration.
Once access is achieved, Iranian threat actors have been observed using Remote Desktop Protocol (RDP) for lateral movement. Open-source tools are used to exfiltrate victim credentials, allowing for further access. In some cases, the threat actors exploited the Windows vulnerability CVE-2020-1472 (Zerologon) to escalate their privileges. The Cobalt Strike red-team tool is deployed to enable Command and Control (C2) communication.
The goal of this activity is reported to be the theft of information, leading to data being sold via darkweb marketplaces for financial gain.
While there are a variety of techniques to bypass MFA, such as MFA bombing, this security control is still highly valuable. The adoption of user training and technical controls can greatly minimize the likelihood of threat actors bypassing authentication. Users should be made aware of MFA bombing and report any unexpected authentication requests to security teams. It should be noted that only mobile app-based MFA is vulnerable to MFA bombing. For more information on “phishing-resistant” MFA options, refer to CISA’s report, Implementing Phishing-Resistant MFA.
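The MFA bombing pattern described above (a burst of unanswered or denied push prompts, sometimes ending in an approval) is straightforward to hunt for in authentication logs. The following is an added example, not code from eSentire or from the CISA advisory: it parses a constructed push-notification log in a made-up `key=value` format (an assumption; real identity providers use their own schemas) and flags any user who received at least three non-approved prompts inside a ten-minute window, noting whether an approval followed the burst, which is the case that warrants an immediate response.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log. The line format is an assumption for this
# example, not any vendor's real schema:
#   <ISO timestamp> user=<upn> result=<approved|denied|timeout> src_ip=<ip>
SAMPLE_LOG = """\
2024-10-15T02:10:01 user=alice@example.com result=timeout src_ip=203.0.113.5
2024-10-15T02:10:35 user=alice@example.com result=denied src_ip=203.0.113.5
2024-10-15T02:11:02 user=alice@example.com result=timeout src_ip=203.0.113.5
2024-10-15T02:11:40 user=alice@example.com result=denied src_ip=203.0.113.5
2024-10-15T02:12:15 user=alice@example.com result=approved src_ip=203.0.113.5
2024-10-15T08:00:00 user=bob@example.com result=approved src_ip=198.51.100.7
2024-10-15T08:30:12 user=bob@example.com result=denied src_ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\w+) src_ip=(?P<ip>\S+)$"
)


def parse_log(text: str):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "ip": m["ip"],
        })
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_unanswered=3):
    """Return one finding per user who had >= min_unanswered non-approved prompts
    inside `window`, with a flag if an approval landed in the same window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            unanswered = [e for e in in_window if e["result"] != "approved"]
            if len(unanswered) >= min_unanswered:
                findings.append({
                    "user": user,
                    "first_prompt": start["ts"].isoformat(),
                    "unanswered_prompts": len(unanswered),
                    # An approval after a burst of rejections is the "fatigue succeeded" case.
                    "approved_after_burst": any(e["result"] == "approved" for e in in_window),
                    "source_ips": sorted({e["ip"] for e in in_window}),
                })
                break  # report each user once
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f)
```

The thresholds are starting points, not tuned values: a user on a flaky connection may legitimately time out a couple of prompts, so the window and count should be set against the organisation's own baseline, and a finding with `approved_after_burst` set should be treated as a likely compromised session rather than merely suspicious.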
CISA does not attribute the activity outlined in this report to a specific group. Based on the details shared, the attacks are believed to be financially motivated and do not include espionage, indicating cybercriminals as opposed to state sponsored actors. It is possible that state-sponsored threat actors are moonlighting in cybercrime, or attacks are meant to raise funds for the state. CISA has previously identified Iranian state-sponsored threat actors enabling ransomware attacks for financial gain, but this activity is believed to have been carried out without the permission of Iranian authorities.
The eSentire Threat Intelligence team is tracking shared Indicators of Compromise via eSentire’s Threat Intelligence Platform (TIP). eSentire MDR for Network and Endpoint detect a variety of tools known to be employed by Iranian threat actors, and eSentire MDR for Log identifies impossible travel and unusual logins.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.