TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The Cleo software vulnerability, known as CVE-2024-50623, is actively being exploited by cyber criminals. Despite an earlier failed patch, Cleo has now issued a new security patch that organizations should apply promptly to prevent exploitation.
CVE-2024-50623 (CVSS: 8.8) is an unrestricted file upload and download vulnerability in the Managed File Transfer software products Cleo Harmony, VLTrader, and LexiCom. It was initially disclosed in October of this year, but on December 9th, Huntress announced that the vulnerability is being actively exploited and noted that the available security patches were ineffective. Since this disclosure, multiple organizations have released updates on the situation; most notably, Cleo released new security patches to address CVE-2024-50623 on December 12th. On December 14th, Cleo assigned a new CVE for the vulnerability, due to the patch bypass. The vulnerability is now tracked as CVE-2024-55956.
The earliest confirmed exploitation occurred on December 3rd. Since that date, exploitation has become widespread. Technical details and Proof-of-Concept (PoC) exploit code for CVE-2024-50623 were released by the company watchTowr on December 11th, simplifying exploitation for even low-skilled threat actors. Currently, there are unconfirmed reports that the Termite ransomware group is employing this vulnerability for initial access into victim organizations. Huntress has also observed exploitation leading to the deployment of a previously unseen malware dubbed Malichus. This is a modular malware that includes two loaders and a Java-based post-exploitation framework that functions as a backdoor. Malichus is capable of impacting both Linux and Windows devices, but real-world attacks have only been identified against Windows machines at this time. In an interview with BleepingComputer, the Cl0p data extortion group claimed responsibility for the widespread exploitation of Cleo devices. Proof of these claims was not provided, but Cl0p has a long history of targeting file transfer software, including Accellion FTA (2020), SolarWinds Serv-U FTP (2021), GoAnywhere MFT (2023), and MOVEit MFT (2023). Previous campaigns resulted in the theft of data for extortion purposes.
As widespread exploitation is ongoing, it is critical that organizations using Cleo software apply the December 12th security update (5.8.0.24) immediately. Additionally, organizations are strongly recommended to restrict access to all Cleo software by placing it behind a firewall. Failing to address this vulnerability will result in exploitation, leading to malware or ransomware deployment.
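The two actions above (patch to 5.8.0.24, reduce exposure) translate into a simple inventory triage. The following is an added example, not eSentire's or Cleo's code; it assumes a flat inventory with product, dotted version string, and an internet-exposed flag, and shows why versions must be compared numerically rather than as strings.

```python
# Added example: triage a Cleo MFT inventory against the 5.8.0.24 fix named in the briefing.
from typing import Dict, List, Tuple

FIXED_VERSION = "5.8.0.24"  # December 12th security update (from the briefing)
CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers. A plain string comparison would rank
    '5.8.0.9' above '5.8.0.24' and silently mark an unpatched host as safe."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))  # pad so '5.8' compares as 5.8.0.0


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return unpatched Cleo hosts, internet-exposed ones first (P1), with the
    action the briefing recommends for each."""
    findings = []
    for host in inventory:
        if host["product"] not in CLEO_PRODUCTS or not is_vulnerable(host["version"]):
            continue
        exposed = host.get("internet_exposed", "no").lower() == "yes"
        findings.append({
            "host": host["host"],
            "product": host["product"],
            "version": host["version"],
            "priority": "P1" if exposed else "P2",
            "action": "apply 5.8.0.24 now and place behind a firewall" if exposed
                      else "apply 5.8.0.24",
        })
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"host": "mft-01", "product": "Harmony", "version": "5.8.0.21", "internet_exposed": "yes"},
    {"host": "mft-02", "product": "VLTrader", "version": "5.8.0.24", "internet_exposed": "yes"},
    {"host": "mft-03", "product": "LexiCom", "version": "5.8.0.9", "internet_exposed": "no"},
    {"host": "web-01", "product": "nginx", "version": "1.24.0", "internet_exposed": "yes"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```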
The eSentire Threat Intelligence team assesses that the release of PoC exploit code will lead to an increase in real-world attacks. Threat actors will attempt to exploit CVE-2024-50623/CVE-2024-55956 before organizations have time to apply the new security patches.
In response to confirmation of real-world exploitation of CVE-2024-50623/CVE-2024-55956, eSentire released an advisory on the topic on December 10th. eSentire’s Tactical Threat Response (TTR) team has created detections for both eSentire MDR for Endpoint and Network; these detections have resulted in the identification of multiple incidents which were escalated to the impacted organizations. Additionally, eSentire’s Threat Response Unit (TRU) has performed behavioural and indicator-based threat hunts across the eSentire client base and known malicious IP addresses are blocked via the eSentire Global Block List.
Bottom Line: The Russian state-sponsored threat actor, Secret Blizzard, is continuing to target organizations associated with Ukraine. Their tactics are making attribution and proactive threat response increasingly challenging.
On December 11th, Microsoft released the second part of the report focusing on the activities of the Russian state-sponsored Advanced Persistent Threat (APT) group Secret Blizzard. Part one of the report focused on the group’s targeting of the Pakistan state-sponsored threat actor Storm-0156, granting Secret Blizzard access to their victim pool and tools. Part two focuses on two other incidents where Secret Blizzard employed the tools of other threat actors to target organizations in Ukraine.
Between March and April 2024, Secret Blizzard was observed using Amadey bot malware, linked to the cybercriminal activity tracked by Microsoft as Storm-1919, to deploy their custom backdoors, Tavdig and KazuarV2, on the devices of Ukrainian military personnel. The primary objective of Storm-1919 is typically to install XMRig cryptocurrency miners on compromised devices. In January 2024, Secret Blizzard leveraged a PowerShell backdoor used by the Russian threat actor Storm-1837 (aka Flying Yeti, UAC-0149) to install the two custom backdoors on targeted Ukrainian devices. Storm-1837 is specifically known for targeting Ukrainian military drone operators.
Secret Blizzard’s campaign involving Amadey malware suggests they either used it as a Malware-as-a-Service (MaaS) or accessed its Command-and-Control (C2) infrastructure to deploy a PowerShell dropper, which activated a connection to their C2. Amadey allowed them to gather victim details, such as administrator status, device name, and antivirus software on the victim devices. The group also deployed their own reconnaissance tool on selected Ukrainian military devices that enumerated details such as “directory tree, system information, active sessions, IPv4 route table, and SMB shares.” The Tavdig backdoor was then deployed via the PowerShell dropper or an executable on selected targets, likely to ensure persistence and install the KazuarV2 payload.
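The enumeration list above is what an endpoint detection can key on: none of those commands is malicious alone, but several of them from one parent process within a short window is a recognisable pattern. The following is an added example, not eSentire's or Microsoft's detection logic; it assumes a constructed process-creation event format and the window and threshold values are tuning assumptions.

```python
# Added example (not eSentire's or Microsoft's detection logic): flag a burst of the
# host-reconnaissance commands the report lists (directory tree, system information,
# active sessions, IPv4 route table, SMB shares) issued from one parent process.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

RECON_PATTERNS = {  # category -> regex over the lower-cased command line
    "directory_tree": re.compile(r"\btree(\.com)?\b"),
    "system_info": re.compile(r"\bsysteminfo\b"),
    "active_sessions": re.compile(r"\b(query user|quser|qwinsta|net session)\b"),
    "ipv4_routes": re.compile(r"\broute\b.*\bprint\b"),
    "smb_shares": re.compile(r"\bnet\b.*\bshare\b|\bnet view\b"),
}
WINDOW_SECONDS, MIN_CATEGORIES = 120, 3  # assumed tuning values, not from the report
EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) cmdline="(?P<cmd>.*)"$')


def classify(cmdline: str) -> Optional[str]:
    """Return the recon category a command line falls into, or None."""
    low = cmdline.lower()
    return next((name for name, pat in RECON_PATTERNS.items() if pat.search(low)), None)


def detect_recon_bursts(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per (host, parent pid) whose recon commands cover at least
    MIN_CATEGORIES distinct categories inside a WINDOW_SECONDS sliding window."""
    by_parent = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        cat = classify(m["cmd"]) if m else None
        if cat:  # constructed format: ISO-8601 UTC timestamp with trailing Z
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            by_parent[(m["host"], m["ppid"])].append((ts, cat))
    alerts = []
    for (host, ppid), events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cats = {c for t, c in events[i:] if (t - start).total_seconds() <= WINDOW_SECONDS}
            if len(cats) >= MIN_CATEGORIES:
                alerts.append({"host": host, "ppid": ppid, "categories": sorted(cats)})
                break  # report each parent process once
    return alerts


SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    '2024-03-14T10:02:11Z host=ws-17 ppid=4412 cmdline="systeminfo"',
    '2024-03-14T10:02:19Z host=ws-17 ppid=4412 cmdline="route print"',
    '2024-03-14T10:02:31Z host=ws-17 ppid=4412 cmdline="net share"',
    '2024-03-14T10:02:40Z host=ws-17 ppid=4412 cmdline="query user"',
    '2024-03-14T09:00:00Z host=ws-22 ppid=900 cmdline="systeminfo"',
    '2024-03-14T11:15:00Z host=ws-22 ppid=900 cmdline="route print"',  # hours apart: no alert
]
```

Running `detect_recon_bursts(SAMPLE_EVENTS)` yields a single alert for ws-17; the lone administrative commands on ws-22 stay silent.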
In January 2024, a Ukrainian military-related device was compromised by the Storm-1837 PowerShell backdoor, which used the Telegram API to execute a cmdlet, granting access to an account on the Mega file-sharing platform. The backdoor deployed a PowerShell dropper similar to the one used in Secret Blizzard’s Amadey campaign. The Tavdig backdoor was also found on the device, likely to maintain persistence and install the KazuarV2 payload. Although Microsoft did not directly observe Storm-1837’s PowerShell backdoor installing Tavdig, the close timing between the backdoor's execution and the PowerShell dropper's deployment led Microsoft to assess that Storm-1837 was likely used by Secret Blizzard to deploy Tavdig.
Both reports published by Microsoft indicate that Secret Blizzard has succeeded in expanding its espionage, potentially obfuscating its campaign goals and making attribution difficult. By co-opting the tools and infrastructure of other threat actors, Secret Blizzard highlights its diversified attack vectors, including watering hole attacks and Adversary-in-the-Middle (AiTM) campaigns.
Although Microsoft has not assessed how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to deploy its own tools onto devices in Ukraine, it is evident that Secret Blizzard’s activities are centered on compromising Ukrainian military assets for espionage purposes. The group is taking extreme measures to gain access, including infiltrating other APT groups, using tools typically employed by financially motivated cybercriminals, and leveraging infections from other Russian APT groups. The threat actor also enhanced these tools with new functionality to make them more suited for the espionage activities targeting Ukrainian military devices. This type of activity is expected to persist as the Russia-Ukraine conflict continues.
The tactics used by Secret Blizzard have the potential to attract attention from other threat actors, who may adopt similar methods. This could create further challenges for defenders in accurately identifying the perpetrators across different incidents. This underscores the importance of improving detection capabilities to identify malicious activities. It is crucial for organizations to conduct thorough investigations and take remediation actions once an APT group attack is identified. To mitigate the impact of such campaigns, organizations must deploy efficient endpoint and network security solutions.
eSentire's Threat Intelligence team is continuously tracking Secret Blizzard’s activities. The eSentire Threat Intelligence team discussed the first part of the report in the Weekly Threat Briefing (Dec 2 - Dec 6). In response to both reports, the eSentire Threat Intelligence team has validated detections related to Secret Blizzard Tactics, Techniques, and Procedures (TTPs); additionally, threat hunts across the customer base have been performed for known Indicators of Compromise (IoCs).
Bottom Line: The U.S. Treasury has sanctioned Chinese firm Sichuan Silence and employee Guan Tianfeng over a widespread 2020 ransomware campaign, compromising more than 23,000 U.S. firewalls, including critical infrastructure.
On December 10th, the U.S. Department of the Treasury announced sanctions against the Chinese cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan Silence), and one of its employees, Guan Tianfeng (Guan). According to the Treasury Department, Guan and Sichuan Silence are responsible for the mass exploitation of a Sophos firewall zero-day vulnerability and the deployment of Ragnarok ransomware.
Sichuan Silence is a contractor for various People’s Republic of China (PRC) intelligence services. Their offerings include “computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services”. According to the release, Guan is responsible for the discovery of CVE-2020-12271 (CVSS: 10), a SQL injection vulnerability in Sophos XG Firewall devices; exploitation would enable an unauthenticated threat actor to cause Remote Code Execution (RCE). Between April 22 and 25, Guan exploited the vulnerability to deploy malware to 81,000 firewalls; the malware was used to steal usernames and passwords from infected systems. After the theft of data, Guan went on to deploy the Ragnarok ransomware.
This campaign is reported to have impacted more than 23,000 firewalls belonging to U.S. companies; 36 impacted organizations were considered critical infrastructure. In one case, the impacted company was a U.S. energy provider, and according to the Treasury department, if the attack had not been quickly remediated, it “could have caused oil rigs to malfunction potentially causing a significant loss in human life”.
The exploitation of CVE-2020-12271 had a global impact and attracted significant attention. While the deployment of ransomware was likely financially motivated, it is possible that information stolen was shared with PRC intelligence agencies for espionage purposes. In this case, ransomware would have been a convincing false flag, to hide espionage activity.
Cyberattacks against critical infrastructure, especially those involving disruptive malware like ransomware or wipers, are highly concerning. Disruptions may indirectly result in the loss of human life, as in the 2020 ransomware attack on a German hospital. Attacks against Industrial Control Systems (ICS) may have a more direct impact, such as the failure of safety systems leading to physical breakdowns. Due to the importance of these systems, attacks against them will result in significant law-enforcement attention.
The sanctions against Sichuan Silence and Guan are unlikely to impact their ability to carry out cyberattacks as they are based in China, but this action will impose financial costs and limit travel options going forward. Additionally, the U.S. Department of State has announced a $10 million reward for information related to Sichuan Silence or Guan. The publication of this information, and the large reward, is likely meant to show that direct human attribution for significant cyberattacks is not only possible, but also ongoing. This will be a deterrent for other threat actors that are not protected by their geographic locations.
The eSentire product suite maintains a variety of detections for ransomware and associated tactics. eSentire MDR for Network has rules in place to identify CVE-2020-12271 exploitation attempts, and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.