Threat Briefing — Oct 25, 2024

Weekly Threat Briefing - Oct 21 - Oct 25

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Noteworthy News

Embargo Ransomware

Bottom Line: The emergence of the Embargo ransomware group highlights that new players are not only capable of sophisticated attacks such as bypassing or disabling defenses, but are also aiming to compete with established groups, indicating a potential increase in ransomware threats.

On October 23rd, ESET researchers published an in-depth report on Embargo, a relatively new ransomware group, and its set of custom tools for deploying ransomware. The group's operations were first noted in May 2024, when researchers at Cyble released a report analyzing an observed incident.

Embargo leverages the Rust programming language for its ransomware payloads and custom malware development. Rust's cross-platform capabilities enable the group to target Windows and Linux systems effectively. Embargo is a well-resourced threat actor that utilizes its own infrastructure for victim communication. This approach enhances the group's operational security and provides victims with flexible communication options, such as Tox. By offering multiple channels for interaction, Embargo ensures that victims can easily navigate the ransom process, presenting them with various choices for proceeding with payment. The group uses double extortion tactics to increase the probability of ransom payment. According to a statement from an alleged group member, the ransomware group also provides Ransomware-as-a-Service (RaaS).

The group used MDeployer and MS4Killer, two tools written in the Rust language, in attacks against U.S. companies in July 2024. MDeployer serves as the primary malicious loader. Its primary function is to decrypt the MS4Killer payload and the ransomware payload, which are stored in the files b.cache and a.cache, respectively. Once decrypted, these payloads are saved as praxibackup.exe and pay.exe on the victim's system. After successfully executing the ransomware, MDeployer terminates the MS4Killer process, deletes the decrypted payloads along with the driver file dropped by MS4Killer, and then reboots the system to complete the attack cycle. MDeployer was observed to keep logs of error messages while the attack was in progress.

MS4Killer is an EDR bypass tool that exploits a vulnerable driver to turn off security products on the victim's device. Once MDeployer executes this tool, it runs indefinitely on the system, employing the "Bring Your Own Vulnerable Driver" (BYOVD) technique. Researchers noted a resemblance between the code of MS4Killer and a Proof-of-Concept (PoC) from the open-source tool s4killer available on GitHub, which led to the MS4Killer name. The EDR bypass tool constantly scans running processes and terminates those whose names are hardcoded in the binary.

Multiple incidents were observed with variations in the functioning of MDeployer. One such variation was the DLL variant, where MDeployer was compiled as an EXE file. The DLL variant can disable security solutions: if executed with admin privileges, it attempts to reboot the system into Safe Mode, ensuring the security solutions are disabled. Another DLL variant added the ability to execute a BAT script that targets a single security solution. It employed a similar method of booting into Safe Mode using a persistence service and then renaming the security software's installation directory. MDeployer features multiple variants of a cleanup routine that are triggered at various times: after the loader successfully executes the ransomware payload, and in the event of any errors during the loader's operation.

eSentire Threat Intelligence Analysis:

Despite its relatively short time in the ransomware space, the Embargo group demonstrates a solid commitment to using custom tools and in-house infrastructure to execute sophisticated campaigns. This approach highlights their ambition to establish a reputation for their unique tactics and techniques. Their continuous focus on innovation and operational efficiency strengthens their position in the RaaS market.

The use of Rust in developing MDeployer and MS4Killer, along with the ransomware payload, clearly demonstrates a broad target range and a carefully planned approach to crafting the RaaS package for affiliates. The numerous variations of MDeployer indicate that the group's developers consistently focus on creating efficient payloads and are adept at modifying the source code when faced with errors or execution failures. Tooling to disable security solutions plays a vital role in deploying ransomware. The Embargo group strongly emphasizes this by utilizing MS4Killer, a DLL variant of MDeployer that exploits Safe Mode, and another DLL variant of MDeployer that can execute a BAT script. A similar approach to disabling EDR tools has been observed from other ransomware groups, such as the RansomHub group's use of EDRKillShifter. The EDR evasion tools MS4Killer and EDRKillShifter both rely on the same BYOVD technique. When exploited, vulnerable drivers allow threat actors to execute malicious code at the kernel level, giving attackers significant control. This underscores the importance of addressing driver security to prevent malicious actors from undermining the integrity of the operating system at a fundamental level.

In response to the escalating sophistication of threat actor tactics, eSentire recommends a multi-layered approach to defense. Beyond relying solely on EDR solutions, organizations should implement robust network monitoring tools to detect anomalous behavior, establish comprehensive logging mechanisms to track and analyze system activities, and conduct regular security assessments to proactively identify and address potential vulnerabilities.
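The logging recommendation above is only useful if something correlates the resulting events against behaviour like the MDeployer/MS4Killer chain described earlier (payloads written to disk, a driver load followed by repeated termination of security processes, payload deletion and reboot). The following Python is an added illustration of that correlation, not eSentire's, ESET's or any vendor's detection content. The event format, host names, the driver file name placeholder_vuln.sys and the protected-process names are constructed for the example; only the file names b.cache, a.cache, praxibackup.exe and pay.exe come from the briefing.

```python
"""Host-event correlation for the MDeployer/MS4Killer behaviour chain.

Added illustration, not eSentire's or ESET's detection logic. The log
format, hosts, driver name and security-process names are constructed;
only b.cache, a.cache, praxibackup.exe and pay.exe are from the briefing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File names reported for MDeployer's encrypted and decrypted payloads.
MDEPLOYER_FILES = {"b.cache", "a.cache", "praxibackup.exe", "pay.exe"}

# Constructed: process names the organisation treats as its security agents.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe", "sensor.exe"}

# Constructed log lines: "<ISO timestamp> <host> <event kind> <details>".
SAMPLE_LOG = """\
2024-07-10T02:00:01 HOST-A FileCreate C:\\ProgramData\\b.cache
2024-07-10T02:00:01 HOST-A FileCreate C:\\ProgramData\\a.cache
2024-07-10T02:00:05 HOST-A FileCreate C:\\ProgramData\\praxibackup.exe
2024-07-10T02:00:05 HOST-A FileCreate C:\\ProgramData\\pay.exe
2024-07-10T02:00:06 HOST-A ProcessCreate praxibackup.exe
2024-07-10T02:00:07 HOST-A DriverLoad C:\\Windows\\Temp\\placeholder_vuln.sys
2024-07-10T02:00:08 HOST-A ProcessTerminate edr_agent.exe
2024-07-10T02:00:09 HOST-A ProcessTerminate av_service.exe
2024-07-10T02:00:12 HOST-A ProcessTerminate sensor.exe
2024-07-10T02:01:30 HOST-A FileDelete C:\\ProgramData\\praxibackup.exe
2024-07-10T02:01:31 HOST-A FileDelete C:\\ProgramData\\pay.exe
2024-07-10T02:01:35 HOST-A SystemReboot initiated_by=pay.exe
2024-07-10T09:15:00 HOST-B DriverLoad C:\\Windows\\System32\\drivers\\vendor_ok.sys
2024-07-10T09:15:02 HOST-B ProcessTerminate notepad.exe
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events, window=timedelta(seconds=60), min_kills=2):
    """Return {host: [finding, ...]} for hosts that show the chain."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        found = []

        # 1. Known MDeployer artefact names written to disk.
        created = {basename(e["detail"]) for e in evs if e["kind"] == "FileCreate"}
        hits = sorted(created & MDEPLOYER_FILES)
        if hits:
            found.append("mdeployer_artifacts:" + ",".join(hits))

        # 2. BYOVD-style tampering: a driver load followed within `window`
        #    by repeated termination of protected security processes.
        for i, e in enumerate(evs):
            if e["kind"] != "DriverLoad":
                continue
            kills = [x for x in evs[i + 1:]
                     if x["kind"] == "ProcessTerminate"
                     and x["ts"] - e["ts"] <= window
                     and x["detail"].lower() in PROTECTED_PROCESSES]
            if len(kills) >= min_kills:
                found.append(f"driver_then_kills:{basename(e['detail'])}:{len(kills)}")
                break

        # 3. Cleanup routine: decrypted payloads deleted, then a reboot.
        deleted = {basename(e["detail"]) for e in evs if e["kind"] == "FileDelete"}
        rebooted = any(e["kind"] == "SystemReboot" for e in evs)
        if deleted & {"praxibackup.exe", "pay.exe"} and rebooted:
            found.append("cleanup_and_reboot")

        if found:
            findings[host] = found
    return findings


if __name__ == "__main__":
    for host, items in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, items)
```

HOST-A trips all three rules while HOST-B, which loads a driver and then terminates an unrelated process, produces nothing; the driver-then-kills rule is deliberately independent of any specific driver name, since the briefing notes that MS4Killer and EDRKillShifter differ in driver but share the BYOVD pattern.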

FortiManager Zero-Day Vulnerability

Bottom Line: CISA has added a critical FortiManager vulnerability to the Known Exploited Vulnerabilities catalog. As exploitation has been confirmed, it is critical that organizations apply the relevant security patches or alternative mitigations immediately.

On October 23rd, Fortinet disclosed a critical zero-day vulnerability impacting multiple versions of FortiManager. On the same day, CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, confirming its abuse in real-world attacks. The vulnerability, tracked as CVE-2024-47575 (CVSS: 9.8), is due to missing authentication for a function in the FortiManager fgfmd daemon. Exploitation would allow a remote, unauthenticated threat actor to execute arbitrary code or commands via specially crafted requests.

According to multiple sources, including Fortinet, real-world attacks have resulted in the theft of sensitive files containing IPs, credentials, and configuration details. Follow-on attacks employing the stolen data have not been reported at this time. According to Google Mandiant, exploitation has been ongoing since late June 2024. Based on observed indicators across incidents, it appears that only a single threat group exploited CVE-2024-47575 as a zero-day vulnerability; Mandiant tracks this threat cluster under the moniker UNC5820.

eSentire has observed multiple instances of CVE-2024-47575 being exploited by threat actors. As security patches are now available, it is critical that organizations apply them immediately to limit the likelihood of compromise. If patches cannot be rapidly applied, organizations should implement the alternative mitigations provided in the official Fortinet advisory.

eSentire Threat Intelligence Analysis:

As exploitation of CVE-2024-47575 began approximately five months prior to public disclosure and the release of security patches, organizations should hunt for signs of compromise on their networks. Alongside this, it is critical that security patches are deployed to prevent future exploitation. While exploitation prior to patch release is believed to be limited to a single group, the public disclosure of the vulnerability is likely to result in its exploitation by additional groups in the near future.

In attacks observed to date, the threat actor's final goal is not known. The stolen data, including credentials and configuration details, could be used for secondary attacks or sold on dark web markets. As the attacks involved a zero-day vulnerability and went undetected for nearly five months, it is probable that the responsible threat group is sophisticated and technically capable.

eSentire published an advisory for CVE-2024-47575 on October 23rd. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices, malicious infrastructure is blocked via the eSentire Global Block List, and the eSentire Threat Response Unit (TRU) has performed indicator-based threat hunts across the client base. Additionally, TRU is in the process of deploying new detections to identify exploitation attempts. Information on this vulnerability was shared with eSentire via an intelligence-sharing partner prior to public disclosure, allowing for threat hunting before the release of security patches.

Strategic Information Attacks for Catastrophic Effect

Bottom Line: Strategic Information Attacks are concerning because they give hybrid threats an avenue to escalate conflicts without the need for kinetic attacks, relying instead on a blend of cyber and information warfare.

On October 24th, Recorded Future's Insikt Group released a long-form strategic report on the state tactic of Strategic Information Attacks (SIAs), which combine "psychological attacks" with cyberattacks to "inflict overwhelming damage to its adversaries during strategic conflict". The term Strategic Information Attack was coined by Recorded Future to describe the combination of influence operations and cyberattacks against critical infrastructure in the context of a large-scale war. The influence operations described in the report are meant to "shape the information space in Moscow's favor", destabilizing an adversary's internal political sphere. The "technical attacks" (i.e., cyberattacks) target both private and public critical infrastructure with the goal of disrupting services. These attacks are meant to be highly disruptive, potentially involving wiper malware, and are most likely to target communication infrastructure and power grids.

Recorded Future provides a scenario of what SIAs would look like in the context of a campaign by the Russian state. In this scenario, Recorded Future speculates that Russian actors would launch a large-scale disinformation campaign meant to exacerbate societal divisions and erode domestic confidence in critical infrastructure. This would be followed by cyberattacks against communications, energy, and financial infrastructure from both Russian state-sponsored APT groups and Russian non-state cyber actors, causing widespread and prolonged service outages.

The evolution of modern warfare makes both cyberattacks and information operations key aspects of conflict. Organizations operating in critical infrastructure sectors will need to ensure robust security controls are in place to defend against state-sponsored attacks. To minimize the effectiveness of future SIAs, governments and private organizations will need to closely coordinate to combat influence operations and raise public awareness of the threat.

eSentire Threat Intelligence Analysis:

The goal of Strategic Information Attacks goes beyond impacting critical infrastructure. They act as an avenue for adversarial governments to escalate a conflict without kinetic attacks, destabilizing the targeted country. This allows for de-escalation via peace negotiations on the adversary's terms, a strategy referred to as "escalate to de-escalate".

Recorded Future frames SIAs in the context of Russian aggression, but this tactic could, and likely will, be adopted by a variety of countries, such as North Korea and Iran. According to Recorded Future, any SIAs against Western critical infrastructure would be an indicator that the Russian government is in direct conflict with Western countries.

While similar tactics have been observed in the Russia-Ukraine conflict, Recorded Future states that the scale and impact of activity observed to date do not meet the requirements of an SIA. It is probable that the Ukraine conflict has been used as a testing ground for this and similar Russian hybrid-warfare tactics.

The eSentire Threat Response Unit is actively tracking state-sponsored APTs attributed to various countries to validate detections against the Tactics, Techniques, and Procedures (TTPs) known to be used.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
