Threat Briefing — Nov 8, 2024

Weekly Threat Briefing - Nov 4 - Nov 8

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

EDR Evasion Testing Reveals Extortion Actor's Toolkit

Bottom Line: The Bring-Your-Own-Vulnerable-Driver (BYOVD) technique is now commonly being employed by threat actors in an attempt to evade or disable EDR solutions. The widespread adoption of EDR is forcing threat actors to adopt bypass techniques to remain relevant in the threat landscape.

On November 1st, Unit 42 released a report on a sophisticated extortion toolkit used by threat actors to evade Endpoint Detection and Response (EDR) systems through a vulnerable driver exploit. The investigation into an extortion attempt revealed that a threat actor attempted to bypass Cortex XDR using a custom-built AV/EDR bypass tool. The attempt was unsuccessful, but it provided valuable insight into the threat actor's Tactics, Techniques, and Procedures (TTPs) and identity. The tool relied on the "Bring Your Own Vulnerable Driver" (BYOVD) technique, and analysis of it led to the discovery of the actor's operations and identity. Through this investigation, Unit 42 gained access to the actor's rogue systems, which enabled further inquiry.

The incident began with an extortion attempt, where the attacker gained access to the client’s network through the purchase of Atera Remote Monitoring and Management (RMM) access from an initial access broker. The actor deployed rogue systems within the network to test a new AV/EDR bypass tool that was intended to bypass Cortex XDR. The investigation revealed that the rogue systems were running older versions of Cortex XDR agents. PsExec and Cobalt Strike beacons were deployed to establish persistence and facilitate lateral movement across the network. Tools such as Mimikatz and LSASS process dumps were used to extract credentials. The AV/EDR disabling tool, "disabler.exe," was deployed to bypass security defenses. Data exfiltration was managed using Rclone, targeting critical information for extortion.

The actor leveraged a modified tool, "disabler.exe," based on EDRSandBlast. It targets and removes EDR hooks in user-mode and kernel-mode libraries; the kernel-level access it needs is obtained through a vulnerable driver. Unit 42 identified this tool through forensic analysis of the rogue system and subsequent research into cybercrime forums such as XSS and Exploit, where it was being sold. Further investigation led to the discovery of "KernelMode," a user offering subscriptions to the AV/EDR bypass tool. A series of video demonstrations was found on the rogue system, confirming that KernelMode was likely involved in the creation and distribution of the tool.
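As an added illustration of how the driver-loading behaviour described above can be hunted for on the defensive side (this is example code, not Unit 42's or eSentire's, and not part of the original report), the script below parses a few constructed driver-load records in the shape of Sysmon Event ID 6 (DriverLoad) fields and flags a driver whose SHA-256 matches a vulnerable-driver blocklist, that is loaded from a user-writable directory, or that is unsigned. The hashes, file names and timestamps are constructed placeholders; a real hunt would use a maintained blocklist such as Microsoft's recommended driver block rules and the organization's own telemetry.

```python
"""Added example: hunting for BYOVD-style driver loads in endpoint telemetry.

Not Unit 42's or eSentire's code. Assumes driver-load events carrying the
Sysmon Event ID 6 (DriverLoad) fields UtcTime, ImageLoaded, Hashes, Signed
and Signature. All hashes, paths and timestamps below are constructed.
"""
from dataclasses import dataclass, field
import re

# Constructed placeholder hashes standing in for a maintained vulnerable-driver
# blocklist (for example Microsoft's recommended driver block rules).
VULNERABLE_DRIVER_SHA256 = {
    "a1" * 32,  # placeholder: a known-vulnerable, validly signed vendor driver
    "b2" * 32,  # placeholder: a second blocklisted driver
}

# Legitimate drivers are installed under System32; a driver loaded from a
# user-writable location was most likely dropped there by an attacker tool.
USER_WRITABLE_PATH = re.compile(
    r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)


@dataclass
class DriverLoad:
    utc_time: str
    image_loaded: str
    sha256: str
    signed: bool
    signature: str


@dataclass
class Finding:
    utc_time: str
    image_loaded: str
    reasons: list = field(default_factory=list)


def parse_driver_load(line):
    """Parse one constructed 'Key=Value|Key=Value' record of DriverLoad fields.
    The Hashes field keeps Sysmon's 'SHA256=<hex>,IMPHASH=<hex>' form."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    sha256 = fields["Hashes"].split("SHA256=", 1)[1].split(",")[0]
    return DriverLoad(
        utc_time=fields["UtcTime"],
        image_loaded=fields["ImageLoaded"],
        sha256=sha256.lower(),
        signed=fields["Signed"].lower() == "true",
        signature=fields["Signature"],
    )


def hunt_byovd(events):
    """Return a Finding for every driver load that shows a BYOVD indicator."""
    findings = []
    for ev in events:
        reasons = []
        if ev.sha256 in VULNERABLE_DRIVER_SHA256:
            reasons.append("SHA-256 matches vulnerable-driver blocklist")
        if USER_WRITABLE_PATH.match(ev.image_loaded):
            reasons.append("driver loaded from a user-writable directory")
        if not ev.signed:
            reasons.append("driver is unsigned")
        if reasons:
            findings.append(Finding(ev.utc_time, ev.image_loaded, reasons))
    return findings


def _record(utc_time, path, sha256, signed, signature):
    """Build a constructed telemetry line in the format parse_driver_load reads."""
    return (f"UtcTime={utc_time}|ImageLoaded={path}"
            f"|Hashes=SHA256={sha256},IMPHASH={'0' * 32}"
            f"|Signed={'true' if signed else 'false'}|Signature={signature}")


# Constructed sample telemetry: one benign load followed by two suspicious ones.
SAMPLE_EVENTS = [
    _record("2024-11-01 10:01:02.000", r"C:\Windows\System32\drivers\ntfs.sys",
            "c3" * 32, True, "Microsoft Windows"),
    _record("2024-11-01 10:05:40.000", r"C:\Users\Public\Libraries\vendor_io.sys",
            "a1" * 32, True, "Example Hardware Vendor"),
    _record("2024-11-01 10:06:11.000", r"C:\Windows\Temp\dis.sys",
            "e5" * 32, False, ""),
]


def run_sample_hunt():
    """Parse the constructed events and return the findings."""
    return hunt_byovd(parse_driver_load(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample_hunt():
        print(f.utc_time, f.image_loaded, "->", "; ".join(f.reasons))
```

The second sample is the BYOVD case proper: the driver carries a valid vendor signature, so a signature check alone passes it, and only the hash blocklist and the unusual load path catch it. That is why a hunt for this technique pairs a blocklist with context such as load path and what the loading process did next, rather than relying on signing status.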

Files obtained from the rogue system revealed additional personal and professional details about the attacker. A critical file, labeled "P-1 form," contained transaction data linking the actor to a Kazakhstan-based company. Further analysis of browser history as well as LinkedIn and VKontakte (a Russian social networking platform) profiles revealed that an individual named "Andry" was affiliated with this company.

eSentire Threat Intelligence Analysis:

The bypass tactics highlighted in the report reveal a sophisticated strategy in which attackers exploit vulnerabilities in legitimate, signed drivers to disable or bypass EDR solutions. By leveraging these trusted driver exploits, attackers can avoid detection and maintain persistence on compromised systems. Monitoring underground forums can reveal the latest advancements in attack methods, giving investigators insight into the evolving techniques and tools that threat actors are using or developing. This information allows organizations to prepare for potential threats before they are widely deployed.

The presence of rogue machines with older versions of Cortex XDR agents highlights the importance of maintaining visibility over all devices to prevent threat actors from exploiting unauthorized access points. Older software versions, especially in security tools, introduce significant risk as they often lack the latest patches and defenses against new threats. Automating updates across all endpoints is essential to prevent malicious actors from taking advantage of outdated defenses.

In response to the Unit 42 report, eSentire's Threat Intelligence team is performing indicator-based threat hunts and validating detection coverage. eSentire has previously reported on the malicious use of similar tools by threat actors, such as EDRKillShifter and EDRSilencer, in its TRU Weekly Threat Briefing. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.

Maximum Severity Cisco Vulnerability

Bottom Line: Vulnerabilities in Cisco Unified Industrial Wireless Software present an attractive target for threat actors seeking to gain access to organizations' environments. As CVE-2024-20418 is simple to exploit, it is critical that organizations apply the relevant security patches immediately.

On November 6th, Cisco disclosed a maximum severity vulnerability impacting Cisco Unified Industrial Wireless Software for Cisco UltraReliable Wireless Backhaul (URWB) Access Points. The vulnerability is tracked as CVE-2024-20418 (CVSS: 10), a command injection vulnerability. The vulnerability is due to improper validation of input in the web-based management interface. To exploit CVE-2024-20418, an attacker would send a specially crafted HTTP request to the web-based management interface. Successful exploitation would allow an unauthenticated remote threat actor to execute arbitrary commands with root privileges on the underlying operating system.
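To show the flaw class the advisory describes (unvalidated request input reaching an operating-system command), here is an added example in Python that is not Cisco's code and is not derived from the affected software or the advisory. It assumes a hypothetical management-page handler that runs a "ping" diagnostic against a user-supplied target; the flawed form interpolates the parameter into a shell string, while the hardened form validates the value and passes it as a single argument with no shell.

```python
"""Added example: the input-validation flaw class behind a web-management
command injection, as an illustrative handler beside its hardened form.

Not Cisco's code and not derived from the advisory. The 'ping' diagnostic,
the parameter name and the sample values are assumptions for illustration.
"""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# with no label starting or ending in a hyphen.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def build_shell_command(target):
    """The flawed pattern: the request parameter is interpolated into a
    command string destined for a shell, so shell metacharacters in 'target'
    become additional commands run with the service's privileges."""
    return f"ping -c 1 {target}"


def is_safe_target(target):
    """Accept only a literal IP address or a well-formed hostname. Shell
    metacharacters, whitespace and option-like values such as '-f' are
    all rejected by construction."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME.match(target) is not None


def build_argv(target):
    """The hardened pattern: validate first, then hand the value over as one
    argv element with no shell involved, so it can only ever be one argument."""
    if not is_safe_target(target):
        raise ValueError(f"rejected target: {shlex.quote(target)}")
    return ["ping", "-c", "1", target]


def run_diagnostic(target):
    """Execute the hardened form (shell=False). A real management service
    would additionally run this under an unprivileged account, not as root,
    so that a residual flaw does not yield root command execution."""
    return subprocess.run(build_argv(target), capture_output=True, text=True)


if __name__ == "__main__":
    suspicious = "127.0.0.1; id"  # constructed sample value with a metacharacter
    print("flawed handler would run:", build_shell_command(suspicious))
    print("hardened handler accepts it?", is_safe_target(suspicious))
    print("argv for a legitimate target:", build_argv("example.com"))
```

The allow-list is deliberately strict rather than a deny-list of characters: the point of the hardened form is that the only values which reach the command are ones that can parse as an address or hostname, and that even those arrive as a single argv element. Running the service without root privileges is the second, independent layer, and is what turns "command injection with root privileges" into a far smaller problem.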

CVE-2024-20418 impacts Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, and Catalyst IW9167E Heavy Duty Access Points. It should be noted that the vulnerability only affects impacted software versions if they have the URWB operating mode enabled; Cisco products that are not operating in URWB mode are not affected by this vulnerability. Security patches to address all impacted versions were released on the date of public disclosure.

At the time of writing, there is no indication that CVE-2024-20418 has been exploited in real-world attacks; additionally, publicly available Proof-of-Concept (PoC) exploit code has not been identified.

eSentire Threat Intelligence Analysis:

CVE-2024-20418 is a maximum-severity, simple-to-exploit vulnerability found in Cisco Unified Industrial Wireless Software for Cisco UltraReliable Wireless Backhaul (URWB) Access Points. Organizations need to prioritize this vulnerability for immediate patching, as it will attract significant attention from both security researchers and threat actors. Successful exploitation would allow threat actors to perform a wide variety of malicious actions, including malware deployment, information theft, or ransomware campaigns. There are no alternative mitigations available at this time, increasing the importance of quickly applying security patches.

The eSentire Threat Intelligence team assesses that the release of PoC exploit code or technical details for CVE-2024-20418 will result in widespread exploitation shortly after publication.

The eSentire Threat Response Unit (TRU) is actively tracking this topic for additional details and detection opportunities. Plugins for eSentire Managed Vulnerability Service (MVS), to identify devices vulnerable to CVE-2024-20418, will be released in the near future.

Chinese APT: Five Years of Activity

Bottom Line: Chinese APT activity is expected to continue at high volumes using a variety of Tactics, Techniques, and Procedures (TTPs). To defend against similar activity, it is critical that organizations regularly scan for vulnerabilities, ensure security patches are up to date, and deploy an EDR product across all workstations and servers to identify malware and post-intrusion activity.

On October 31st, Sophos published a report detailing a five-year investigation into a series of sophisticated cyberattacks orchestrated by Chinese state-sponsored groups, including Volt Typhoon, APT31, and APT41/Winnti against Sophos perimeter devices. The comprehensive investigation from 2018 to 2024 reveals the evolution of these Advanced Persistent Threat (APT) groups. Over time, they have adapted from noisy to stealthy operations, running opportunistic campaigns that exploit zero-day vulnerabilities and deploying Operational Relay Box (ORB) networks, enhancing their operational security. The threat actor activities signify a shift to targeted attacks against critical infrastructure, ultimately aiming to disrupt national security and conduct espionage against victim nations.

The threat actors launched their first attack in December 2018 against a Sophos facility: the headquarters of Cyberoam, an India-based subsidiary. They used a novel technique to pivot into cloud infrastructure by leveraging a misconfigured Amazon Web Services Systems Manager Agent (SSM Agent). Cyberoam was targeted again in 2020, when the threat actor exploited a zero-day SQL injection vulnerability (CVE-2020-29574) to execute arbitrary commands.

In 2020, the attackers started building ORB networks, using compromised devices as relay points to launch further attacks. In April 2020, the attackers launched the "Asnarök" attack, exploiting an SQL injection vulnerability (CVE-2020-12271) impacting Sophos XG Firewall devices. The vulnerability was exploited to gain root access to the device via a command injection flaw, which also served as a privilege escalation method. Soon after this, the threat actors exploited a zero-day buffer overflow and remote code execution vulnerability (CVE-2020-15069) in Sophos XG Firewall. By combining a local privilege escalation technique with web shell deployment on WAN-facing web portals, the exploit established a covert entry point for further unauthorized access. The year 2022 saw exploitation of CVE-2022-1040 impacting Sophos firewalls. In September 2022, CVE-2022-3236, impacting newer versions of Sophos firewalls, was exploited to gain initial access.

Alongside the exploitation of the zero-day vulnerabilities mentioned above, the attackers also developed and launched new malware, including rootkits and in-memory droppers. During the Cyberoam intrusion activity in 2018, a complex rootkit named CloudSnopper was deployed; the rootkit was capable of bypassing AWS security measures. In 2020, the Asnarök attack involved installation of the Asnarök trojan on victim devices. In August 2020, investigation of the exploitation of CVE-2020-15069 led to the identification of a rootkit, "libxselinux[.]so", which was attributed to the threat actor group Winnti. Investigations into incidents involving CVE-2022-1040 disclosed a new rootkit, libsophos[.]so, later dubbed Pygmy Goat.

From 2021, attackers moved away from widespread, indiscriminate activity to more focused, "hands-on-keyboard" attacks targeting specific entities. These targets include government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations, mainly in the Asia-Pacific region. Chinese state-sponsored APT groups remain highly active, carrying out targeted attacks against a wide variety of both industries and geographic locations.

eSentire Threat Intelligence Analysis:

The Sophos report highlights the critical need for patching zero-day vulnerabilities in essential devices, such as edge network devices. Neglecting this can allow threat actors to infiltrate an organization's network, potentially resulting in significant damage. With the shift of Chinese APTs toward targeted attacks, it is vital for governments to bolster the security of their critical infrastructure. The evolving Tactics, Techniques, and Procedures (TTPs) used by adversaries enable them to execute sophisticated cyberattacks, utilizing advanced malware designed to evade detection and maintain long-term control over compromised devices.

This year witnessed multiple cyber-attacks led by Chinese APTs such as Volt Typhoon and Salt Typhoon. In June 2024, Singapore Telecommunications Ltd. (Singtel) was breached by the Chinese state-sponsored APT group Volt Typhoon (BRONZE SILHOUETTE, Vanguard Panda, DEV-0391). On November 8th, TrendMicro published a report on prolonged activity of the APT group Salt Typhoon, which employed stealthy attack techniques in cyber-attacks against government agencies and the technology industry. In early October 2024, the group was reported to have compromised major telecommunications providers including AT&T and Verizon Communications. The eSentire Threat Intelligence team assesses that it is highly probable that Chinese APTs will continue targeting telecommunications organizations for espionage through 2025.

Edge network devices are high-value targets that adversaries use for both initial access and persistence, and vulnerabilities in perimeter devices are a favoured target for threat actors. The Sophos investigation sheds light on how quickly zero-day vulnerabilities were operationalized to compromise firewall devices. On October 31st, Microsoft released a report on a network of compromised devices tracked as CovertNetwork-1658. Multiple Chinese threat actors were found using credentials acquired from CovertNetwork-1658's password spray operations. Thus, the threat actors use compromised edge devices as an ORB network to obfuscate the true origin of their attacks.

Chinese APT activity is anticipated to remain elevated, employing a diverse range of TTPs. Organizations must prioritize regular vulnerability scanning and ensure that security patches are consistently applied to mitigate the risks associated with such threats. Additionally, implementing Endpoint Detection and Response (EDR) solutions across all workstations and servers is essential for detecting malware and monitoring post-intrusion activities. The eSentire Threat Intelligence team tracks the activities of the APTs mentioned in the report and maintains a variety of detections for the TTPs of known Chinese state-sponsored APT groups.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.