TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Palo Alto Zero-Day Vulnerability (CVE-2024-0012)
2024/11/18
PoC Released for Citrix Vulnerabilities
2024/11/13
FortiManager Zero-Day Vulnerability (CVE-2024-47575)
2024/10/23
Bottom Line: CISA's latest report on BianLian, a notorious Russia-based extortion group, highlights the group's pivot from ransomware with double extortion to pure data extortion, operationalizing initial access to corporate systems faster and attempting to evade EDR detection in the process.
On November 20th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) released an updated joint advisory on the BianLian ransomware group. The advisory adds Tactics, Techniques, and Procedures (TTPs) obtained through FBI and ASD's ACSC investigations as of June 2024.
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. It has been active since June 2022 and has a history of targeting critical infrastructure sectors, professional services, and property development organizations in both the U.S. and Australia. Starting in January 2023, the group shifted from ransomware attacks with double extortion to data extortion only.
In its updated advisory, CISA notes that the group gains initial access by exploiting public-facing applications on both Windows and ESXi infrastructure, including the ProxyShell Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). They establish command and control by deploying custom Go-based backdoors. Recent findings show they use reverse proxy tools such as Ngrok and a modified Rsocks utility to build SOCKS5 tunnels that conceal the origin of their network traffic. The actors manipulate local administrator accounts, creating new accounts and changing passwords, to maintain access and evade detection.
The group escalates privileges on Windows systems by exploiting vulnerabilities such as CVE-2022-37969 (Windows Common Log File System driver). To evade detection, BianLian disables antivirus tools and tamper protection using PowerShell and the Windows Command Shell, renames binaries to mimic legitimate services, and packs executables with UPX. They conduct network reconnaissance with tools such as Advanced Port Scanner and PingCastle, and the update notes an increased reliance on PowerShell scripts for environment discovery, including enumerating running processes, installed software, and local drives.
For credential access, the group uses SessionGopher to extract saved session information for remote access tools. They maintain persistence and move laterally using PsExec, RDP, SMB, and exploitation of Netlogon (Zerologon, CVE-2020-1472), while creating new domain admin and Azure AD accounts. They have also been observed installing webshells on compromised Exchange servers for ongoing access. Exfiltration relies on Rclone, FTP, and the Mega file-sharing service.
Ransom notes threaten to leak the stolen information and provide contact details through Tox messenger and onionmail accounts. Employees of victim organizations have also reported receiving threatening phone calls from individuals linked to the group.
CISA's decision to update the May 2023 #StopRansomware advisory on BianLian indicates that the group remains an active and concerning threat. eSentire recently observed an incident in which the threat actors claimed to be BianLian. Our observations from that incident indicate that the group operates on the premise that data is the primary asset. By selling stolen data either back to the victim or to third parties, they create alternative revenue streams. This maximizes profit from a single breach and reduces dependence on the victim's willingness or ability to pay. It also lets them generate income from a wider pool of buyers, including the victim's competitors or other threat actors interested in using the stolen data.
The shift from traditional ransomware to exfiltration-only attacks is a notable trend. The group targets high-value data such as Personally Identifiable Information (PII), financial records, and intellectual property. Exposure or sale of this data on the dark web has long-lasting consequences: stolen data can resurface months or years after the initial breach, whether leaked, resold, or reused by other threat actor groups.
To reduce the risk of BianLian ransomware and data extortion, CISA recommends strictly limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services, disabling command-line and scripting activities and permissions where they are not needed, auditing user accounts with administrative privileges, and configuring access controls on the principle of least privilege. Organizations should also restrict the use of PowerShell and ensure that Windows PowerShell or PowerShell Core is updated to the latest version.
In response to the advisory, eSentire's Threat Intelligence team is performing indicator-based threat hunts and validating detection coverage. eSentire MDR for Endpoint has rules in place to identify TTPs associated with BianLian. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.
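The account-manipulation TTPs above (creating local administrator accounts, resetting passwords, then adding the account to an admin group) and CISA's advice to audit accounts with administrative privileges both come down to the same hunt. The script below is an added example written for this briefing; it is not eSentire's detection content nor anything from the CISA advisory. It runs over constructed Windows Security log records using the standard event IDs (4720 account created, 4724 password reset, 4732 member added to a local group, 4728 member added to a global group) and flags a subject that prepares an account and grants it admin group membership within a short window. The sample events, host and account names, and the ten-minute window are assumptions.

```python
"""Hunt for BianLian-style admin account manipulation in Windows Security
events. Added example for this briefing; not CISA's or eSentire's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are this
# example's own; map them from your SIEM's parsed Security events.
#   4720 user account created, 4724 password reset attempted,
#   4732 member added to a security-enabled local group,
#   4728 member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2024-11-20T02:14:05", "id": 4720, "host": "FS01",
     "subject": "CORP\\jdoe", "target": "FS01\\svc_backup"},
    {"time": "2024-11-20T02:14:09", "id": 4724, "host": "FS01",
     "subject": "CORP\\jdoe", "target": "FS01\\svc_backup"},
    {"time": "2024-11-20T02:14:20", "id": 4732, "host": "FS01",
     "subject": "CORP\\jdoe", "target": "FS01\\svc_backup", "group": "Administrators"},
    # Benign helpdesk password reset with no group change: must not alert.
    {"time": "2024-11-20T09:00:00", "id": 4724, "host": "WS07",
     "subject": "CORP\\helpdesk", "target": "WS07\\alice"},
    # Same actor later creates a domain account and adds it to Domain Admins.
    {"time": "2024-11-20T23:40:00", "id": 4720, "host": "DC01",
     "subject": "CORP\\jdoe", "target": "CORP\\adm_sync"},
    {"time": "2024-11-20T23:41:30", "id": 4728, "host": "DC01",
     "subject": "CORP\\jdoe", "target": "CORP\\adm_sync", "group": "Domain Admins"},
]

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
SETUP_IDS = {4720, 4724}          # account created / password reset
GRANT_IDS = {4732, 4728}          # added to local / global group
WINDOW = timedelta(minutes=10)    # assumed correlation window


def find_admin_account_manipulation(events, window=WINDOW):
    """Return one finding per (subject, target) pair where an account was
    created or had its password reset and was then added to an admin group
    within `window`. Each finding lists the event-ID chain that matched."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["subject"], e["target"])].append(e)

    findings = []
    for (subject, target), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        setup = [e for e in evs if e["id"] in SETUP_IDS]
        grants = [e for e in evs
                  if e["id"] in GRANT_IDS and e.get("group") in ADMIN_GROUPS]
        for g in grants:
            t_grant = datetime.fromisoformat(g["time"])
            related = [s for s in setup
                       if timedelta(0) <= t_grant - datetime.fromisoformat(s["time"]) <= window]
            if related:
                findings.append({
                    "subject": subject,
                    "target": target,
                    "host": g["host"],
                    "group": g["group"],
                    "chain": [s["id"] for s in related] + [g["id"]],
                })
    return findings


if __name__ == "__main__":
    for f in find_admin_account_manipulation(SAMPLE_EVENTS):
        print(f"[ALERT] {f['subject']} prepared {f['target']} and added it to "
              f"{f['group']} on {f['host']} (events {f['chain']})")
```

The helpdesk reset on WS07 produces no finding because no group change follows it; the two chains attributed to CORP\jdoe do. In production, feed the function the same four event IDs from your log pipeline and tune the window and group list to your environment.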
Bottom Line: Palo Alto Networks has disclosed CVE-2024-0012, which is under active exploitation. The vulnerability's criticality depends on device configuration: where the management web interface is reachable from the Internet, the severity is at its highest. Organizations are strongly encouraged to review eSentire's advisory on the subject.
This week, Palo Alto Networks disclosed two actively exploited vulnerabilities in PAN-OS. The more severe, CVE-2024-0012 (CVSS: 9.3), is an authentication bypass in the management web interface: a remote, unauthenticated attacker with network access to the interface can gain administrator privileges, perform administrative actions, modify the configuration, and chain other vulnerabilities that normally require authentication. To date, real-world exploitation has been limited to devices whose management web interface was exposed to the Internet. Impacted products are PAN-OS 10.2, 11.0, 11.1, and 11.2 on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series).
The second vulnerability, CVE-2024-9474 (CVSS: 6.9), is a privilege escalation flaw. A threat actor who already has administrator access to the management web interface can use it to run actions on the firewall with root privileges. It impacts PAN-OS 10.1, 10.2, 11.0, 11.1, and 11.2 on PA-Series, VM-Series, and CN-Series firewalls, on Panorama (virtual and M-Series), and on WildFire appliances.
Palo Alto Networks stated that exploitation of these vulnerabilities has been observed "against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network". However, on November 21st, the Shadowserver Foundation reported that it had identified approximately 2,000 compromised Palo Alto devices. The activity is tracked under the name Operation Lunar Peek, and researchers from Rapid7 have also observed exploitation in the wild. CVE-2024-0012 is used for initial access, followed by CVE-2024-9474 to escalate to root. Post-exploitation activity includes the deployment of webshells for persistent access.
As exploitation is confirmed, it is critical that organizations apply the vendor-provided patches for CVE-2024-0012 and CVE-2024-9474. The criticality rating of both vulnerabilities depends on device configuration: if access to the management interface is restricted to approved IP addresses only, the rating drops significantly. To date, confirmed exploitation has only impacted Internet-exposed management interfaces. Organizations are strongly recommended to restrict access to Palo Alto management interfaces to minimize the attack surface; Palo Alto Networks has published guidance on securing this configuration.
Details on Operation Lunar Peek remain minimal. Attacker goals have not been specified, and the campaign is not attributed to a specific threat actor group at this time. Early exploitation was probably limited to a single group, but the success of this campaign will attract other threat actors and may lead to more widespread exploitation as they attempt to abuse the vulnerabilities before organizations patch.
In response to the disclosure, eSentire released an advisory on November 18th. eSentire's Tactical Threat Response (TTR) team created new detections for eSentire MDR for Network within three days of the initial disclosure. eSentire's Threat Intelligence team has performed indicator-based threat hunts across the customer base, and known malicious infrastructure is blocked via the eSentire Global Block List. eSentire Managed Vulnerability Service (MVS) has plugins in place to detect vulnerable devices.
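The two questions an operator needs answered for these CVEs are "is my software train in scope" and "who can reach the management web interface". The script below is an added example for this briefing, not Palo Alto Networks' tooling or eSentire's MVS plugin. It takes the affected trains exactly as listed above, so it only decides whether a train is in scope; whether a given build already carries the fix is a hotfix-level question that must be checked against the vendor advisory. Exposure is judged from the management permitted-ip list (in PAN-OS, an empty list means any source may connect); the config fragment, the XML path used to find it, the version strings, and the priority ladder are assumptions made for the example.

```python
"""Triage a PAN-OS device for CVE-2024-0012 / CVE-2024-9474 by software train
and management-interface reachability. Added example for this briefing; not
Palo Alto Networks' or eSentire's code."""
import ipaddress
import xml.etree.ElementTree as ET

# Affected software trains (major.minor) as listed in the briefing. A train
# being listed does not mean every build is vulnerable: confirm the hotfix
# level against the vendor advisory.
AFFECTED = {
    "CVE-2024-0012": {"10.2", "11.0", "11.1", "11.2"},
    "CVE-2024-9474": {"10.1", "10.2", "11.0", "11.1", "11.2"},
}

# Address space treated as "internal" for the exposure check (RFC 1918,
# loopback, IPv6 ULA). Adjust to your own allocation.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]

# Constructed running-config fragment. The permitted-ip element under
# deviceconfig/system is where PAN-OS keeps management source restrictions;
# the surrounding structure here is an assumption for the example.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><permitted-ip>
<entry name="10.0.0.0/8"/><entry name="172.16.20.0/24"/>
</permitted-ip></system></deviceconfig></entry></devices></config>"""


def train(version):
    """'11.1.4-h1' -> '11.1' (hotfix suffix and patch level dropped)."""
    return ".".join(version.split("-")[0].split(".")[:2])


def permitted_ips_from_config(xml_text):
    """Extract the management permitted-ip entries from a config export."""
    root = ET.fromstring(xml_text)
    return [e.get("name")
            for e in root.iterfind(".//deviceconfig/system/permitted-ip/entry")]


def _is_internal(net):
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def mgmt_exposure(permitted_ips):
    """'unrestricted' (no list, or a 0-length prefix), 'public-sources'
    (some entry outside INTERNAL), or 'internal-only'."""
    if not permitted_ips:
        return "unrestricted"
    nets = [ipaddress.ip_network(p, strict=False) for p in permitted_ips]
    if any(n.prefixlen == 0 for n in nets):
        return "unrestricted"
    if any(not _is_internal(n) for n in nets):
        return "public-sources"
    return "internal-only"


def assess(version, permitted_ips):
    """Return in-scope CVEs and a patch priority for one device."""
    t = train(version)
    cves = [cve for cve, trains in AFFECTED.items() if t in trains]
    exposure = mgmt_exposure(permitted_ips)
    if not cves:
        priority = "none"
    elif exposure == "unrestricted":
        # Unauthenticated bypass reachable from anywhere: patch immediately.
        priority = "critical" if "CVE-2024-0012" in cves else "high"
    elif exposure == "public-sources":
        priority = "high"
    else:
        priority = "medium"   # still patch; interface not reachable from untrusted nets
    return {"train": t, "cves": cves, "exposure": exposure, "priority": priority}


if __name__ == "__main__":
    allowed = permitted_ips_from_config(SAMPLE_CONFIG)
    for ver, ips in (("11.1.4-h1", []), ("10.2.11", allowed), ("10.1.14", allowed), ("9.1.17", [])):
        print(ver, assess(ver, ips))
```

Run it against `show config running` exports and `show system info` version strings; devices reporting "critical" are the ones to patch and lock down first, and "medium" still means patch, only with less urgency.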
Bottom Line: By posing as legitimate U.S.-based software and technology consulting firms, North Korean operatives seek to build trust and win access to sensitive contracts while bypassing sanctions and avoiding detection.
On November 21st, a report from SentinelOne Labs revealed that the U.S. government recently took down the websites of four companies identified as fronts for threat actors from the Democratic People's Republic of Korea (DPRK). North Korea employs highly skilled IT professionals who engage in a range of cybercriminal activities that serve the regime's interests.
The report describes North Korean threat actors impersonating legitimate software companies from around the world and presenting themselves as U.S.-based firms to attract potential victims. The same actors run campaigns in which skilled IT personnel use fake identities to impersonate professionals from other countries and secure remote jobs, successfully infiltrating organizations. They have also run campaigns in which they pose as employers to draw software-industry job seekers into interview processes and deliver malware during those interactions.
To build the front-company sites described in the SentinelOne report, the threat actors copied content from the websites of legitimate software development and consulting organizations around the globe. The copies were otherwise identical to the originals but added details intended to suggest the companies were U.S.-based, along with contact information so that victims would reach out to them. After the front companies were identified, U.S. government agencies disrupted the websites and seized the associated domains. SentinelOne Labs found connections between the four websites suggesting the DPRK front companies likely originated from China.
Outside of SentinelOne's report, there have been several recent reports on related DPRK activity. Unit 42 identified two campaigns linked to North Korean state-sponsored threat actors: "Contagious Interview" (tracked as CL-STA-0240), in which they pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret, and "Wagemole" (tracked as CL-STA-0241), in which they seek unauthorized employment for financial gain and espionage. More recently, Unit 42 researchers identified a North Korean IT worker activity cluster (tracked as CL-STA-0237) involved in a phishing campaign. The cluster compromised a U.S.-based small and medium-sized business (SMB) IT services company and used it to apply for jobs and conduct malware operations, and it secured employment at a major tech company in 2022, gaining access to sensitive systems including SSO accounts. On July 23rd, KnowBe4 published a blog disclosing a North Korean fake IT worker who attempted to infiltrate their organization. Before being identified, the attacker managed to manipulate session history files, transfer potentially harmful files, and execute unauthorized software.
The eSentire Security Operations Center (SOC) has observed an incident in which BeaverTail and InvisibleFerret malware were identified impacting a customer. Such incidents show that the DPRK campaigns are active and that continuous monitoring is essential to detect them early.
With skilled personnel in software development, blockchain, and cryptocurrency, the North Korean regime is effectively running a range of IT worker schemes. North Korean threat actors are financially motivated and also engage in espionage. While North Korea faces multiple global sanctions from countries including the United States, it sponsors highly skilled threat actors to carry out cyberattacks and espionage, using the revenue to fund state programs, including weapons development.
Impersonating U.S. tech firms is a deliberate tactic for conducting cybercriminal activity that serves the regime's interests. The front companies hide the real organization behind the workers and handle their payments; they facilitated money laundering by transferring the DPRK workers' earnings to Chinese bank accounts. Payments are typically processed in cryptocurrency, which makes the transactions difficult to trace, and the funds ultimately finance national initiatives. The link between the DPRK front companies and China underscores the complexity of the campaign and the extent of the network involved.
Campaigns such as Contagious Interview and Wagemole exploit both job seekers and employers for financial gain. Contagious Interview uses a set of sophisticated malware, including BeaverTail and InvisibleFerret, to steal victim information, which shows that the North Korean actors can craft effective social engineering campaigns as well as develop advanced malware. The KnowBe4 incident highlights the need for thorough due diligence in recruitment. Organizations should conduct thorough background checks for new hires, continuously monitor for unauthorized access, strengthen access controls, and provide regular security awareness training to mitigate remote IT worker schemes. Job applicants should verify the legitimacy of companies offering interviews, confirm that interviewers are genuine representatives, and be cautious when asked to download unfamiliar communication software or software packages.
Organizations should also implement robust monitoring and detection to identify malicious programs on their systems, and enforce policies that permit software downloads only from trusted sources.
The eSentire MDR product suite has a variety of detections in place to identify activity associated with BeaverTail and InvisibleFerret. eSentire's Threat Intelligence team has published two TRU Positive blogs on the BeaverTail malware, titled "Bored BeaverTail Yacht Club – A Lazarus Lure" and "Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2".
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is organized into cross-functional groups to protect you against advanced and emerging threats, giving your organization access to leading threat intelligence and deep cybersecurity expertise.