TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Threat actors are actively exploiting a high-severity vulnerability (CVE-2024-12856) in Four-Faith industrial routers, leveraging default credentials to launch unauthenticated remote command injection attacks.
VulnCheck has identified a new post-authentication vulnerability, tracked as CVE-2024-12856, affecting Four-Faith industrial routers. Threat actors are currently exploiting it in the wild; because many routers still run with their default credentials, the attack amounts in practice to an unauthenticated remote command injection. The exploitation specifically affects Four-Faith router models F3x24 and F3x36 and uses the /apply.cgi endpoint. An estimated 15,000 internet-facing devices are potentially vulnerable.
The observed exploitation technique manipulates the 'adj_time_year' parameter of the device's system-time adjustment function, submitted with the operation 'submit_type=adjust_sys_time'. In the reported attack, the threat actor used this vulnerability to launch a reverse shell via a POST request.
On further investigation, the results of the injection can be observed with the 'ps' command on the device. Importantly, VulnCheck notes that this vulnerability should not be confused with CVE-2019-12168: both are reached through the apply.cgi endpoint, but they target different underlying components. At the time of writing, no patch has been released for this vulnerability.
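As an added example (not eSentire's or VulnCheck's code), the following Python flags time-adjust POSTs to /apply.cgi whose adj_time_year holds anything other than a four-digit year, which is the only value the legitimate form should ever send. The log format and sample lines are constructed, and the injected value is a labelled placeholder rather than a real payload.

```python
"""Flag Four-Faith /apply.cgi time-adjust requests whose adj_time_year is
not a plain year. Added illustration, not eSentire's or VulnCheck's code;
the log format and the sample lines are constructed for this example."""
import re
from urllib.parse import parse_qs

# Constructed sample of what a proxy or IDS might log for requests reaching
# a Four-Faith router, one request per line: "<src_ip> <method> <path> <body>"
SAMPLE_LOG = """\
10.0.0.5 POST /apply.cgi submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12
10.0.0.5 GET /index.cgi -
203.0.113.9 POST /apply.cgi submit_type=adjust_sys_time&adj_time_year=2024%3B%20CONSTRUCTED_PAYLOAD&adj_time_month=12
203.0.113.9 POST /apply.cgi submit_type=save_wan&adj_time_year=2024
"""

# A legitimate time adjustment carries a bare four-digit year and nothing else.
YEAR_RE = re.compile(r"^\d{4}$")


def suspicious_time_adjust(line):
    """Return a finding dict if the line is an adjust_sys_time POST to
    /apply.cgi whose adj_time_year is not a four-digit year, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    src, method, path, body = parts
    if method != "POST" or path.split("?")[0] != "/apply.cgi":
        return None
    # parse_qs percent-decodes the body, so encoded metacharacters are visible
    params = parse_qs(body, keep_blank_values=True)
    if params.get("submit_type") != ["adjust_sys_time"]:
        return None
    for value in params.get("adj_time_year", []):
        if not YEAR_RE.match(value):
            return {"src": src, "adj_time_year": value}
    return None


def scan(log_text):
    """Run the check over every line and return the list of findings."""
    findings = (suspicious_time_adjust(l) for l in log_text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['src']} sent non-year adj_time_year: {finding['adj_time_year']!r}")
```

The same check can also be fed from the router side: any device where default credentials were never changed should be treated as exposed even if no suspicious request is found in the logs.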
Organizations using Four-Faith routers need to immediately validate that default credentials have been updated. If default credentials are still in place, organizations should investigate the routers for unusual logins.
This vulnerability highlights a recurring problem: many devices continue to operate with default credentials, making them ready targets for threat actors. Moreover, because the routers can be exploited over HTTP, the exposure is broader, particularly given the demonstrated remote command injection.
Because the attack can lead to a reverse shell, attackers gain the ability to control the compromised routers, manipulate configuration files, explore interconnected networks, and pivot further into the environment. With an estimated 15,000 potentially vulnerable devices, the implications of this vulnerability are significant.
In the broader context, this vulnerability aligns with the common trend of exploiting routers – often with default or weak credentials – as initial ingress points. Notably, it shares similarities with CVE-2019-12168, though targeting different components. This cyclical theme underscores the need for consistent scrutiny of router security and stringent password policies, especially for internet-facing devices such as the Four-Faith F3x24 and F3x36 router models.
End-users and companies should proactively reach out to Four-Faith or relevant vendors to stay updated on security patches, affected models, and impacted firmware versions. Ultimately, maintaining a robust stance on router security will help manage the risk posed by this and similar vulnerabilities.
Bottom Line: A sophisticated supply-chain campaign has recently targeted multiple Chrome extensions, primarily focused on extracting Facebook Ads account data. eSentire recommends constant vigilance, verified vendor practices, and proactive security measures to counter such escalating threats.
A sophisticated cyber campaign was detected and confirmed by cybersecurity firm Cyberhaven on December 27th, 2024. The initial compromise took place three days earlier, on December 24th, when a Cyberhaven employee fell victim to a phishing email. The attack led to the compromise of a developer's account through a malicious Google OAuth application named "Privacy Policy Extension". Once the attackers had this access, they used it to publish a malicious version of the Cyberhaven Chrome extension to the Google Chrome Web Store.
The malicious version of the extension, labeled version 24.10.4, consisted of two files: Worker.js and Content.js. The former is a tampered variant of the original Cyberhaven extension, designed to communicate with a hardcoded Command-and-Control (C2) server and retrieve its configuration. Content.js extracts user data specific to a website and exfiltrates it to an attacker-controlled webpage.
According to Cyberhaven's investigation, the threat actors specifically targeted Facebook Ads accounts. They exfiltrated critical user data, including Facebook access tokens, user IDs, detailed account information, and business and ad account specifics. All of the stolen information related exclusively to Facebook users. Interestingly, the malicious code also included an HTTP POST request to ChatGPT, the purpose of which is still subject to speculation.
Deeper investigation into the campaign has revealed that Cyberhaven was only one of many targets. ExtensionTotal's independent analysis identified a total of 35 Chrome extensions as part of this campaign, illustrating the widespread nature of the attack. Unfortunately, several of these compromised extensions remain available in their trojanized state on the Google Chrome Web Store, where they continue to pose a risk to unsuspecting users who might download and install them.
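One way a SOC can hunt for trojanized extension versions like the one described above is to inventory every Chrome extension manifest on a host and compare (extension id, version) pairs against a watchlist. The Python below is an added example, not Cyberhaven's or eSentire's code: the watchlist id is a placeholder because the briefing gives the trojanized Cyberhaven version (24.10.4) but not the extension's store id, and the Extensions folder it scans is constructed in a temporary directory.

```python
"""Inventory Chrome extensions on a host and flag (id, version) pairs that
match a watchlist of known-compromised releases. Added example, not
Cyberhaven's or eSentire's code; the watchlist id is a placeholder."""
import json
import os
import tempfile

# Chrome keeps each installed extension under
#   <profile>/Extensions/<32-char id>/<version>_<n>/manifest.json
# The manifest's "version" field is authoritative; the folder is version_N.
def inventory_extensions(extensions_dir):
    """Return [(extension_id, version, name)] for every manifest found."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for ver_dir in sorted(os.listdir(ext_path)):
            manifest = os.path.join(ext_path, ver_dir, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                data = json.load(fh)
            # "name" may be a localized placeholder like __MSG_appName__
            found.append((ext_id, data.get("version", ""), data.get("name", "")))
    return found


def flag_compromised(inventory, watchlist):
    """watchlist maps extension_id -> set of versions known to be trojanized."""
    return [e for e in inventory if e[1] in watchlist.get(e[0], set())]


# PLACEHOLDER id (a real Chrome id is 32 letters a-p); version from the briefing
WATCHLIST = {"a" * 32: {"24.10.4"}}


def demo():
    """Build a constructed Extensions folder holding one clean and one
    trojanized install of the same extension, and return what is flagged."""
    root = tempfile.mkdtemp()
    fixtures = [("a" * 32, "24.10.3", "Example Extension"),
                ("a" * 32, "24.10.4", "Example Extension"),
                ("b" * 32, "1.2.0", "Unrelated Extension")]
    for ext_id, ver, name in fixtures:
        d = os.path.join(root, ext_id, ver + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"manifest_version": 3, "name": name, "version": ver}, fh)
    return flag_compromised(inventory_extensions(root), WATCHLIST)
```

In a real hunt, point inventory_extensions at each user's Chrome profile Extensions directory and populate WATCHLIST from the vendor's published list of compromised extension ids and versions.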
The aim was to gain unauthorized access to developer platforms in order to serve trojanized copies of legitimate extensions. The stolen information, primarily Facebook Ads account data, could be either directly monetized on the dark web or retained for further attacks. The targeting of Facebook Ads accounts is not unusual; eSentire has previously observed malware such as DuckTail stealing similar data, which could later be used to fraudulently post Facebook advertisements.
These attacks represent a rising tide of supply chain threats that exploit the trust relationship between software vendors and their users. In most instances, compromises arise from updates that, on the surface, appear entirely legitimate, making the investigative process even more complex and challenging.
In response, eSentire has taken proactive measures, including adding known malicious IP addresses to its Global Block List, performing threat hunts for the established Indicators of Compromise (IoCs), and alerting potentially impacted clients about the incident. eSentire's threat hunting identified a large number of malicious Chrome extensions, and impacted organizations were notified directly by eSentire's SOC. Organizations should also ensure that Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) solutions are deployed to identify and investigate suspicious activity.
This incident reflects an escalating trend in the cybersecurity landscape: a pivot towards targeting extension developers as a means of espionage and large-scale data harvesting. Companies are advised to stay vigilant, enforce stringent security controls, and consistently monitor their networks to counter such evolving threats.
Bottom Line: The U.S. Treasury Department has been breached by threat actors associated with the People's Republic of China. While the breach has now been remediated, the threat actors were able to exfiltrate sensitive data, likely for espionage purposes.
On December 30th, the U.S. Treasury Department disclosed that threat actors associated with the People's Republic of China (PRC) compromised a third-party cybersecurity provider and used this access to steal sensitive government documents. According to the public disclosure, the Treasury Department was notified on December 8th by the software provider that threat actors had used a compromised vendor key to access a "cloud-based service used to remotely provide technical support" for Treasury employees. Using the unspecified Remote Monitoring and Management (RMM) tool, the threat actors were able to remotely access employee workstations and exfiltrate unclassified documents. While the specific RMM tool was not named in the release, it is likely BeyondTrust Remote Support.
According to reporting from the Washington Post, U.S. officials have now stated that the threat actors were actively targeting the Treasury Department’s Office of Foreign Assets Control (OFAC). OFAC administers and enforces trade and economic sanctions.
While currently unconfirmed, there is speculation that a recent breach at BeyondTrust is related to the Treasury Department breach. On December 24th, BeyondTrust identified a security incident involving "a limited number of Remote Support SaaS customers". During the investigation, two separate previously unknown vulnerabilities in Remote Support were identified, and security patches were released. In response to the incident, BeyondTrust notified impacted clients, reset API keys, and engaged a third-party cybersecurity company to investigate. Given the details of both reports and the overlapping timeline of events, it is probable that BeyondTrust was targeted by PRC actors to gain access to the Treasury Department.
The new details on the targeted nature of this attack reveal potential motivations of the threat actors. OFAC represents a high-value target for state-sponsored APT groups, as a breach could reveal information on citizens and organizations that the U.S. is considering sanctioning. This would provide adversarial governments with a strategic advantage in both negotiations and economic planning.
The specific threat actor responsible for the breach has not been named at the time of writing. Chinese APT groups have been highly active targeting the U.S. in recent months. Last week, U.S. government officials confirmed that a ninth U.S. telecommunications company was impacted by a Chinese cyber-espionage campaign. Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, stated that one discovered compromise impacted an administrator account that had access to over 100,000 routers, which could provide attackers a wide range of victim data. Neuberger also shared that a “large number of individuals were affected by geolocating around the Washington, DC, and Virginia area — but fewer than 100 individuals’ phone calls and texts were hacked”. The recently impacted telecom has not been specifically named.
Lumen, Verizon, and AT&T all confirmed that they had been impacted by Chinese APTs in November of 2024. The companies were only able to publicly confirm that the breaches had been fully remediated in late December and early January.
Technical details related to the Treasury breach are still minimal. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, giving your organization access to leading threat intelligence and deep cybersecurity expertise.