TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The Cl0p ransomware group has claimed responsibility for recent attacks utilizing a zero-day vulnerability in Cleo's Managed File Transfer software. U.S. agencies are urged to apply patches before January 3rd, 2025, and Cleo is advising customers to promptly upgrade to the latest patch to resolve the vulnerability.
Over the past week, there have been several notable updates relating to the recently exploited Cleo Managed File Transfer vulnerability CVE-2024-50623 (CVSS: 8.8). The vulnerability was disclosed in October 2024, and in-the-wild exploitation was confirmed in early December by Huntress Labs. Successful exploitation enables a remote, unauthenticated threat actor to execute arbitrary code. Huntress also confirmed that the initial security patches were ineffective: threat actors could still exploit fully patched Cleo Harmony, Cleo VLTrader, and Cleo LexiCom installations. New security patches were released on December 12th. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on December 13th, but the earliest signs of exploitation have been traced back to December 3rd. CISA does not provide details on real-world exploitation beyond confirming that the vulnerability has been used in ransomware campaigns.
On December 13th, a new CVE identifier was assigned to classify the vulnerability: CVE-2024-55956 (CVSS: 9.8). In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. CVE-2024-55956 and CVE-2024-50623 are similar, in that both are unauthenticated file-write flaws that lead to code execution, but they stem from separate issues in the Synchronization endpoint, which is why installations patched only against CVE-2024-50623 remained exploitable.
Notably, in an interview with BleepingComputer, the Cl0p ransomware group, also tracked as TA505 and FIN11, claimed responsibility for the widespread exploitation of CVE-2024-50623. Cl0p has been active since at least 2020; the group began as a ransomware operation but over time has shifted to data-extortion-only attacks, and it is known for data theft campaigns against Managed File Transfer (MFT) software. eSentire has not observed proof of Cl0p's exploitation claims at the time of writing. Cl0p has posted victims to its leak site as recently as December 19th, but the means of access to these victims is unknown.
As exploitation is ongoing, organizations using Cleo Harmony, VLTrader, or LexiCom should update to the most recent release (5.8.0.24) immediately. In addition to patching, organizations are strongly recommended to restrict access to Cleo software by placing it behind a firewall and, where the Autorun feature is not required, disabling the Autorun directory (the mechanism CVE-2024-55956 abuses) so that files written to it are not automatically executed.
While Cl0p's claims have not been independently verified at this time, the exploitation matches the group's modus operandi. The Cl0p ransomware group is known for its data theft attacks targeting various Managed File Transfer software, including Accellion File Transfer Application in 2020, SolarWinds Serv-U FTP in 2021, GoAnywhere MFT in 2023, and the most significant, MOVEit MFT in 2023. These campaigns varied in scope, but all involved exploiting vulnerabilities for initial access into a file transfer application. Following access, the Cl0p group exfiltrates data and demands an extortion payment under the threat of publicly releasing the stolen data.
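The two checks below are an added example for the mechanism and mitigation described above; they are not Cleo's, Huntress's, or eSentire's code. The first triages an inventory of Cleo installs against the 5.8.0.24 fixed release quoted in the CVE-2024-55956 text. The second flags the behaviour the CVE describes, a Bash or PowerShell interpreter launched by the MFT product, in process-creation telemetry. It assumes that Cleo Harmony, VLTrader, and LexiCom run under a Java process whose command line names the product (confirm this on your own hosts); the hostnames, versions, and events are constructed samples.

```python
"""Added example, not Cleo's, Huntress's or eSentire's code: two triage checks a
defender can run over their own data for the Cleo Autorun issue (CVE-2024-55956).

Assumptions (also marked in the code):
  * Cleo Harmony, VLTrader and LexiCom run under a Java process whose command
    line names the product; confirm this against your own hosts.
  * The fixed release is 5.8.0.24, as quoted from Cleo's advisory text above.
  * Hostnames, versions and process events below are constructed samples.
"""
from typing import Iterable

FIXED_VERSION = (5, 8, 0, 24)              # from the CVE-2024-55956 text
CLEO_PRODUCTS = ("harmony", "vltrader", "lexicom")
# Interpreters named in the CVE text (Bash or PowerShell), plus cmd.exe and
# pwsh.exe as common equivalents on Windows (assumption).
SHELL_NAMES = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh"}


def parse_version(text: str) -> tuple:
    """'5.8.0.21' -> (5, 8, 0, 21); anything non-numeric is rejected rather than guessed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_patch(version: str) -> bool:
    """True when an install predates 5.8.0.24 (affected by CVE-2024-55956)."""
    return parse_version(version) < FIXED_VERSION


def hosts_needing_patch(inventory: dict) -> list:
    """Given {hostname: version}, return the hosts still on a vulnerable release."""
    return sorted(h for h, v in inventory.items() if needs_patch(v))


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cleo_process(image: str, cmdline: str) -> bool:
    """Heuristic: a Java binary whose command line names a Cleo product (assumption)."""
    return _basename(image) in ("java.exe", "javaw.exe", "java") and any(
        p in cmdline.lower() for p in CLEO_PRODUCTS
    )


def find_suspicious_children(events: Iterable[dict]) -> list:
    """Return process-creation events where a Cleo Java process spawned a shell.

    Each event is a dict with keys host, image, cmdline, parent_image and
    parent_cmdline (the fields an EDR or Sysmon event ID 1 record carries).
    """
    return [
        ev for ev in events
        if _basename(ev["image"]) in SHELL_NAMES
        and is_cleo_process(ev["parent_image"], ev["parent_cmdline"])
    ]


# Constructed samples, not real telemetry.
INVENTORY = {"mft01": "5.8.0.21", "mft02": "5.8.0.24", "mft03": "5.7.0.9"}

SAMPLE_EVENTS = [
    {   # shell under the MFT's Java process: what abuse of the Autorun path looks like
        "host": "mft01",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command whoami",
        "parent_image": r"C:\VLTrader\jre\bin\javaw.exe",
        "parent_cmdline": r"javaw.exe -jar C:\VLTrader\VLTrader.jar",
    },
    {   # console host under the same parent: not an interpreter, ignored
        "host": "mft01",
        "image": r"C:\Windows\System32\conhost.exe",
        "cmdline": "conhost.exe 0x4",
        "parent_image": r"C:\VLTrader\jre\bin\javaw.exe",
        "parent_cmdline": r"javaw.exe -jar C:\VLTrader\VLTrader.jar",
    },
    {   # an administrator's shell under explorer.exe: wrong parent, ignored
        "host": "build02",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c dir",
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_cmdline": "explorer.exe",
    },
]

if __name__ == "__main__":
    print("hosts to patch:", hosts_needing_patch(INVENTORY))
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['parent_image']} -> {hit['cmdline']}")
```

The parent/child rule is deliberately narrow: an MFT server has no business launching an interpreter, so a hit is worth a hunt even on a host that reports 5.8.0.24, since patching does not remove anything an attacker already planted in the Autorun directory.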
eSentire has identified multiple incidents involving exploitation of Cleo vulnerabilities. In response to this threat, the eSentire Threat Intelligence team released an advisory on December 10th. eSentire’s Tactical Threat Response (TTR) team has crafted new detections for both eSentire MDR for Network and Endpoint, and threat hunts have been performed across the eSentire customer base. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to both CVE-2024-55956 and CVE-2024-50623.
Bottom Line: NotLockBit is a new ransomware variant that impersonates LockBit ransomware. This threat stands out as highly notable, as it is capable of targeting both Windows and macOS devices, indicating that the responsible threat actors are sophisticated and well resourced.
On December 18th, Qualys released a report on NotLockBit, a newly identified ransomware strain that shares several characteristics with the well-known LockBit ransomware. Notably, it is one of the first ransomware families to target both macOS and Windows, shipping as an x86_64 Go binary. The ransomware demonstrates advanced capabilities, including file encryption, data exfiltration, system reconnaissance, and self-deletion. It also employs psychological manipulation tactics, such as desktop defacement, to maximize its impact.
The ransomware is written in the Go programming language. It begins with an initial reconnaissance phase, using the go-sysinfo module to collect detailed system information, which helps tailor the attack to the victim's environment. Critical data, including system configuration, IP addresses, and the encrypted keys, is exfiltrated to remote cloud storage (e.g. an Amazon S3 bucket). Based on Qualys's in-depth investigation, the ransomware scans the file system and selectively targets files with specific extensions, such as .csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, and .vmsd, which are typically associated with valuable personal and professional data. NotLockBit uses AES to encrypt the contents of each targeted file and RSA to protect the AES key, so the files cannot be decrypted without the attacker's private key. The encrypted copies are first written to a temporary location and then renamed into place; the original files are deleted to prevent recovery, leaving access possible only with the decryption key.
The ransomware alters the desktop wallpaper to display a ransom note, increasing its visibility on affected systems and the psychological pressure on victims. It also attempts to cover its tracks by triggering self-deletion, removing volume shadow copies where present, and erasing residual files to hinder recovery of encrypted data. Like the original LockBit group, NotLockBit exfiltrates victim data to enable double extortion.
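The write-to-temp, rename, delete-original sequence described above is a behaviour a defender can look for in file-activity telemetry. The heuristic below is an added example, not Qualys's or eSentire's code: it scores, per process, targeted-extension deletions that follow a rename out of a temporary directory into the same folder, and alerts once a threshold is reached inside a time window. It assumes macOS-style temporary paths (/tmp and /var/folders); the renamed-file extension is a placeholder, and all events are constructed.

```python
"""Added example, not Qualys's or eSentire's code: a detection heuristic for the
file-handling sequence described above (write encrypted copy to a temporary
location, rename it into place, delete the original).

Assumptions (also marked in the code): temporary directories are /tmp and
/var/folders as on macOS; the extension the renamed file receives is a
constructed placeholder; all events below are constructed, not real telemetry.
"""
import os
from collections import defaultdict

# Extensions the report says NotLockBit selects.
TARGET_EXTS = {".csv", ".doc", ".png", ".jpg", ".pdf", ".txt", ".vmdk", ".vmsd"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")   # assumption: macOS temp paths
THRESHOLD = 5       # matched sequences per process before alerting
WINDOW = 60.0       # seconds


def detect_encrypt_replace(events, threshold=THRESHOLD, window=WINDOW):
    """Return {pid: first_alert_ts} for processes that, within `window` seconds,
    renamed files out of a temp directory into a folder and then deleted at
    least `threshold` targeted-extension files in those same folders.

    Each event is a dict: ts (float), pid (int), op ('create'|'rename'|'delete'),
    path, and for renames new_path.
    """
    renames = defaultdict(list)   # pid -> [(ts, destination directory)]
    matched = defaultdict(list)   # pid -> timestamps of deletes that completed a sequence
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], ev["ts"]
        if ev["op"] == "rename" and ev["path"].startswith(TEMP_DIRS):
            renames[pid].append((ts, os.path.dirname(ev["new_path"])))
        elif ev["op"] == "delete" and os.path.splitext(ev["path"])[1].lower() in TARGET_EXTS:
            folder = os.path.dirname(ev["path"])
            # A delete only counts if this process recently moved a file into the same folder.
            if any(ts - t <= window and d == folder for t, d in renames[pid]):
                matched[pid] = [t for t in matched[pid] if ts - t <= window] + [ts]
                if len(matched[pid]) >= threshold and pid not in alerts:
                    alerts[pid] = ts
    return alerts


def build_sample_events():
    """Constructed file-activity log: one process showing the ransomware pattern
    over six documents, one showing ordinary download-and-replace behaviour."""
    events = []
    for i in range(6):
        base = 10.0 + 2 * i
        orig = f"/Users/alice/Documents/file-{i}.pdf"
        events += [
            {"ts": base,       "pid": 4242, "op": "create", "path": f"/tmp/enc-{i}.tmp"},
            {"ts": base + 0.5, "pid": 4242, "op": "rename", "path": f"/tmp/enc-{i}.tmp",
             "new_path": orig + ".abcd"},      # '.abcd' is a placeholder, not the real extension
            {"ts": base + 1.0, "pid": 4242, "op": "delete", "path": orig},
        ]
    # Benign: a browser finishing a download, then the user deleting an old copy.
    events += [
        {"ts": 30.0, "pid": 700, "op": "rename", "path": "/tmp/report.part",
         "new_path": "/Users/alice/Downloads/report.pdf"},
        {"ts": 31.0, "pid": 700, "op": "delete", "path": "/Users/alice/Downloads/report-old.pdf"},
    ]
    return events


if __name__ == "__main__":
    for pid, ts in detect_encrypt_replace(build_sample_events()).items():
        print(f"ALERT pid {pid}: encrypt-and-replace pattern at t={ts}")
```

The threshold and window are the tuning knobs: a single rename-then-delete is normal application behaviour (the benign process above never alerts), while dozens of them against document extensions in a minute is not. Because the rule keys on the sequence rather than on a file extension or binary hash, it still fires if the attackers rename the binary or change the extension appended to encrypted files.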
NotLockBit highlights an evolution in ransomware tactics: it mimics LockBit to confuse attribution while targeting both Windows and macOS. Ransomware has most commonly been observed in environments running Windows or Linux, as those platforms hold the largest share of corporate devices. The emergence of variants like NotLockBit may signal the start of more aggressive ransomware campaigns against Mac devices, and the rise of variants capable of compromising multiple operating systems indicates that threat actors are attempting to impact as many devices as possible, regardless of the underlying operating system.
Defacement is an effective psychological tactic because it makes the attack highly visible. The victim constantly sees the ransom demand, increasing the likelihood of payment. The visual impact of this tactic, particularly in high-pressure environments such as businesses or governments, may accelerate decision-making and shorten the time taken to initiate ransom payments. Such tactics increase the chances of success for cybercriminals by exploiting human emotion and urgency. Additionally, NotLockBit's self-deletion mechanism removes the binary after it runs, making detection, analysis, and recovery more difficult: host-based forensics alone may be unable to establish how the ransomware entered the system and how it spread, which hampers containment. Self-deletion does not erase EDR telemetry, centrally collected logs, or network records, so those sources should be the first stop when reconstructing the intrusion. To mitigate the risk of ransomware attacks, organizations must prioritize keeping all systems fully patched and updated, establish a routine backup schedule, implement effective endpoint and network monitoring, and develop and deploy a comprehensive incident response plan.
In response to these observations, eSentire's Threat Intelligence team is performing indicator-based threat hunts and validating detection coverage. eSentire's Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.
Bottom Line: The U.S. Cybersecurity and Infrastructure Security Agency has released guidance on mobile security practices in response to increased state-sponsored attacks on telecoms.
On December 18th, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on best security practices for mobile communications. This guidance was drafted in response to a recent increase in People’s Republic of China (PRC) state-sponsored attacks against telecommunication organizations. CISA specifically notes that the included recommendations are valuable for all mobile phone users, but individuals at high risk of targeting, such as government officials and senior political staff, are strongly encouraged to implement the recommendations.
The full report includes eight general recommendations for all mobile users, as well as specific recommendations for both Apple and Android devices. The eight general recommendations are as follows:

1. Use only end-to-end encrypted communications
   - CISA specifically calls out using Signal or a similar end-to-end encrypted messaging application for sensitive communications
2. Enable Fast Identity Online (FIDO) phishing-resistant authentication
   - FIDO authentication is the strongest form of Multi-Factor Authentication (MFA); CISA recommends hardware keys such as Yubico or Google Titan
3. Migrate away from Short Message Service (SMS)-based MFA
   - SMS-based MFA is generally the easiest form of MFA for threat actors to bypass: SMS messages are not encrypted, and SMS codes have frequently been intercepted via SIM swapping attacks
4. Use a password manager
   - Password managers allow for longer, unique passwords, as the user only needs to remember one primary password to unlock the vault
   - CISA lists the following password managers: Apple Passwords app, LastPass, 1Password, Google Password Manager, Dashlane, Keeper, and Proton Pass
5. Set a Telco PIN
   - A telco (carrier account) PIN is an additional verification step that helps prevent SIM swapping attacks
6. Regularly update software
   - Organizations should consider implementing a vulnerability management system to help identify and prioritize patching
7. Opt for the latest hardware version from your cell phone manufacturer
   - According to CISA, "Newer hardware often incorporates critical security features that older hardware cannot support"
8. Do not use a personal Virtual Private Network (VPN)
   - A personal VPN shifts visibility of activity from the Internet Service Provider (ISP) to the VPN provider; with a disreputable VPN, user data may be collected or stolen
   - Free personal VPN services should be avoided
   - This advice applies only to personal VPN services; it does not affect corporate VPN requirements
This guidance by CISA was released in direct response to PRC threat actors targeting U.S.-based telecommunication organizations, and its release shows that U.S. government agencies treat the recent attacks as highly concerning. The Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, has confirmed that at least eight U.S. telecoms have recently been breached; the activity is associated with PRC APT groups tracked under names such as Storm-0227, Salt Typhoon, Volt Typhoon, Liminal Panda, Mulberry Typhoon, and Flax Typhoon. Telecommunication organizations hold a variety of sensitive data on users, including location information and call and text records, making them a valuable target for intelligence gathering. Moving from SMS to an end-to-end encrypted messaging application takes message contents out of the carrier's network entirely, so even a compromised telecom cannot read them.
Mobile devices hold large amounts of sensitive user information. The widespread adoption of smartphones has resulted in some users switching from a home computer to only their mobile device. In these cases, a mobile device may be targeted to gather user passwords, personal information including financial data, and live location information. For a state-sponsored APT group, this level of information is valuable chiefly when it relates to a high-profile target, such as a politician or government employee. For financially motivated crime, a mobile device may hold a trove of monetizable data.
High-profile individuals, such as executives and individuals working on classified information, are strongly encouraged to apply the mobile device recommendations. While these recommendations are directed towards individuals more likely to be targeted by sophisticated threat actors, they are still valuable for all mobile device users. Implementing these suggestions will help prevent financially motivated threat actors from compromising mobile devices.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.