TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
2025/01/17
Bottom Line: Exploitation of the Fortinet vulnerability CVE-2024-55591 is ongoing. It is critical that organizations deploy security patches and follow Fortinet’s remediation guidance as soon as possible.
On January 10th, security researchers disclosed a campaign targeting Fortinet FortiGate firewall devices whose management interfaces were exposed to the Internet. The activity had been ongoing since at least mid-November 2024. At the time of disclosure the means of initial access had not been identified, but it was suspected to be an undisclosed zero-day vulnerability. Four days later, Fortinet confirmed an actively exploited critical zero-day vulnerability impacting multiple versions of FortiOS and FortiProxy.
The vulnerability, tracked as CVE-2024-55591 (CVSS: 9.6), is an Authentication Bypass Using an Alternate Path or Channel vulnerability. Exploitation allows an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. Fortinet states that threat actors have been observed performing various post-exploitation operations, including creating admin and local user accounts with random usernames, adding local users to SSL VPN user groups, modifying configurations such as firewall policies, and using the SSL VPN to establish tunnels into the internal network.
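The post-exploitation steps Fortinet describes (new admin and local accounts, SSL VPN group changes, firewall policy edits) all leave "Object attribute configured" events in FortiOS event logs. The following is an added example written for this briefing, not code from Fortinet or eSentire. It parses FortiOS key=value log lines and flags those changes, then raises the severity when one administrator session touches several of the watched configuration paths in a short window, since a lone firewall policy edit is routine but the full chain is not. The log lines are constructed for illustration; the cfgpath values (system.admin, user.local, user.group, firewall.policy) are the FortiOS configuration-tree names as they appear in config-change events.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# FortiOS event logs are space-separated key=value pairs; values containing spaces
# are double-quoted. This regex captures both quoted and bare values.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# cfgpath -> (actions worth alerting on, human-readable reason). The paths are
# FortiOS configuration-tree names as written in the cfgpath field of
# "Object attribute configured" events.
WATCHED = {
    "system.admin":    ({"Add"}, "administrator account created"),
    "user.local":      ({"Add"}, "local user account created"),
    "user.group":      ({"Add", "Edit"}, "user group changed (check SSL VPN groups)"),
    "firewall.policy": ({"Add", "Edit", "Delete"}, "firewall policy changed"),
}

# Constructed sample lines for illustration only (assumption: they mirror the shape
# of real FortiOS config-change events; they are not taken from any real device).
SAMPLE_LOGS = [
    'date=2025-01-10 time=03:12:41 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="Qx7hdk" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin Qx7hdk"',
    'date=2025-01-10 time=03:13:02 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="user.local" cfgobj="Ht4kmz" cfgattr="type[password]passwd[*]" msg="Add user.local Ht4kmz"',
    'date=2025-01-10 time=03:13:19 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[Ht4kmz]" msg="Edit user.group sslvpn_users"',
    'date=2025-01-10 time=03:15:44 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="srcintf[ssl.root]dstintf[port2]" msg="Edit firewall.policy 12"',
    'date=2025-01-10 time=09:02:10 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="netops" ui="ssh(10.0.5.21)" action="Edit" cfgpath="system.interface" cfgobj="port3" cfgattr="alias[guest]" msg="Edit system.interface port3"',
    'date=2025-01-10 time=09:05:33 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="ssh(10.0.5.21)" action="login" status="success" msg="Administrator netops logged in successfully from ssh(10.0.5.21)"',
    'date=2025-01-10 time=14:22:05 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="netops" ui="ssh(10.0.5.21)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="comments[ticket 4411]" msg="Edit firewall.policy 7"',
]


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def config_change_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag the configuration changes Fortinet reported in the CVE-2024-55591 intrusions."""
    alerts = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("logdesc") != "Object attribute configured":
            continue
        path, action = f.get("cfgpath", ""), f.get("action", "")
        if path not in WATCHED or action not in WATCHED[path][0]:
            continue
        alerts.append({
            "ts": f"{f.get('date', '')} {f.get('time', '')}",
            "admin": f.get("user", "?"),
            "ui": f.get("ui", "?"),
            "action": action,
            "cfgpath": path,
            "cfgobj": f.get("cfgobj", "?"),
            "reason": WATCHED[path][1],
        })
    return alerts


def chained_sessions(alerts: List[Dict[str, str]], window: timedelta = timedelta(minutes=15),
                     min_paths: int = 3) -> List[Tuple[str, str]]:
    """Return (admin, ui) pairs that touched at least `min_paths` distinct watched
    paths inside `window`. A single alert is noisy; the chain is not."""
    by_actor: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = {}
    for a in alerts:
        ts = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
        by_actor.setdefault((a["admin"], a["ui"]), []).append((ts, a["cfgpath"]))
    hits = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                hits.append(actor)
                break
    return hits


if __name__ == "__main__":
    found = config_change_alerts(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ts']} {a['admin']}@{a['ui']} {a['action']} {a['cfgpath']} "
              f"{a['cfgobj']}: {a['reason']}")
    print("chained sessions:", chained_sessions(found))
```

Against the constructed sample the routine netops policy edit produces a single low-value alert, while the admin session that creates an account, a local user, a group change and a policy edit within four minutes is reported as a chained session. In production, also review the `ui` and source address of such sessions against Fortinet's published indicators for this vulnerability.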
At the time of writing, this activity has not been attributed to a specific threat actor group, and their final objective, outside of establishing a foothold into victim operations, is unclear.
As exploitation has been confirmed, it is critical that organizations using FortiOS and FortiProxy apply the relevant security patches immediately. If patching immediately is not feasible, Fortinet has provided alternative mitigations that may be applied until security patches are implemented, namely disabling the HTTP/HTTPS administrative interface or restricting the source addresses that can reach it.
Impacted organizations are reported to span a number of different industries and locations, which suggests that exploitation is opportunistic rather than targeted. The public disclosure of the vulnerability may lead to an increase in exploitation attempts, as threat actors try to compromise systems before security patches are deployed.
In response to the disclosure of CVE-2024-55591, eSentire released an advisory on the topic. eSentire MDR for Log has detections in place to identify exploitation attempts and eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. Additionally, known malicious IP addresses have been added to eSentire’s Global Blocklist and indicator-based threat hunting is ongoing.
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
Fortinet vulnerabilities have a history of being exploited by threat actors. On October 9th, 2024, a Remote Code Execution (RCE) vulnerability in Fortinet FortiOS, tracked as CVE-2024-23113 (CVSS: 9.8), was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. eSentire has previously published a number of advisories for known exploited Fortinet vulnerabilities including CVE-2022-42475, CVE-2022-40684, and CVE-2023-48788. Past exploitation may indicate that threat actors are already familiar with the platform and have an interest in targeting these devices.
Bottom Line: Fasthttp, a high-performance HTTP server and client library for Go, is being used in an ongoing bruteforce and MFA fatigue campaign, targeting Azure Active Directory, leading to Microsoft 365 account takeovers.
On January 13th, researchers from SpearTip disclosed an ongoing campaign that employs Fasthttp to conduct bruteforce and Multi-Factor Authentication (MFA) fatigue attacks. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests with low latency. Threat actors are weaponizing Fasthttp to automate unauthorized login attempts. This activity has specifically targeted the Azure Active Directory Graph API.
This campaign has been ongoing since at least January 6th. In reported activity, threat actors launch automated bruteforce attacks, where repeated password attempts are used to gain access to an account. In cases where accounts are secured with MFA, the threat actors launch automated MFA fatigue attacks. This involves triggering repeated MFA prompts, until the targeted user approves the MFA request, either accidentally or out of confusion.
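The sequence described above (a burst of password failures, then a burst of rejected or unanswered MFA pushes, then a success) is visible in Entra ID sign-in logs. The following is an added example written for this briefing, not code from SpearTip or eSentire. It runs simple sliding-window counts over constructed sign-in records and reports, per user, whether each stage of the chain occurred. The result codes it keys on (50126 for a bad password, 500121 for a failed strong-authentication request) are Microsoft's documented sign-in error codes as I understand them and should be confirmed against your tenant before alerting; the "fasthttp" User-Agent check relies on the library's default User-Agent string, which an operator can override, so treat its absence as uninformative.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Entra ID sign-in result codes used below (assumption: these match Microsoft's
# documented codes; confirm against your tenant before tuning on them):
#   50126  -> invalid username or password (the brute-force signal)
#   500121 -> authentication failed during strong authentication request,
#             i.e. the MFA push was denied or timed out (the fatigue signal)
#   0      -> success
INVALID_CREDS, MFA_NOT_SATISFIED, SUCCESS = "50126", "500121", "0"

# fasthttp's client sends "fasthttp" as its User-Agent unless the operator sets one.
FASTHTTP_UA = "fasthttp"


def _mk(user, ip, ua, start, codes, step):
    """Build constructed sign-in records shaped like the fields of an Entra
    sign-in log entry (not real tenant data)."""
    return [{"time": start + i * step, "user": user, "ip": ip, "ua": ua, "code": c}
            for i, c in enumerate(codes)]


_BASE = datetime(2025, 1, 13, 2, 0, 0)
SAMPLE_SIGNINS = (
    # 12 password guesses two seconds apart, then 6 MFA pushes 40 s apart, then a success
    _mk("alice@example.com", "198.51.100.9", FASTHTTP_UA, _BASE,
        [INVALID_CREDS] * 12, timedelta(seconds=2))
    + _mk("alice@example.com", "198.51.100.9", FASTHTTP_UA, _BASE + timedelta(seconds=30),
          [MFA_NOT_SATISFIED] * 6 + [SUCCESS], timedelta(seconds=40))
    # one typo and a normal login from a browser: must not be flagged
    + _mk("bob@example.com", "203.0.113.50", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
          _BASE + timedelta(hours=1), [INVALID_CREDS, SUCCESS], timedelta(seconds=20))
)


def burst(times: List[datetime], window: timedelta, threshold: int) -> bool:
    """True if any sliding window of length `window` holds at least `threshold` events."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def analyze(signins: List[Dict], window: timedelta = timedelta(minutes=10),
            pw_threshold: int = 10, mfa_threshold: int = 5) -> Dict[str, Dict[str, bool]]:
    """Per-user verdicts for the brute-force -> MFA-fatigue -> takeover chain.
    Users with no stage triggered are omitted from the result."""
    by_user = defaultdict(list)
    for r in signins:
        by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        pw_times = [r["time"] for r in recs if r["code"] == INVALID_CREDS]
        mfa_times = [r["time"] for r in recs if r["code"] == MFA_NOT_SATISFIED]
        verdict = {
            "brute_force": burst(pw_times, window, pw_threshold),
            "mfa_fatigue": burst(mfa_times, window, mfa_threshold),
            "fasthttp_ua": any(r["ua"] == FASTHTTP_UA for r in recs),
        }
        # A success after the push burst, from an IP that sent the pushes, is the takeover.
        attack_ips = {r["ip"] for r in recs if r["code"] == MFA_NOT_SATISFIED}
        last_push = max(mfa_times, default=None)
        verdict["success_after_fatigue"] = verdict["mfa_fatigue"] and any(
            r["code"] == SUCCESS and r["ip"] in attack_ips and r["time"] > last_push
            for r in recs)
        if any(verdict.values()):
            findings[user] = verdict
    return findings


if __name__ == "__main__":
    for user, verdict in analyze(SAMPLE_SIGNINS).items():
        print(user, verdict)
```

The thresholds are deliberately conservative defaults; a tenant with number matching enforced will see few 500121 bursts from this technique at all, which is the point of the control recommended below.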
The final impact of these attacks is the takeover of Microsoft 365 accounts. This access can lead to data theft, secondary attacks including Business Email Compromise (BEC), or the sale of compromised accounts via darkweb marketplaces. The activity has not been attributed to a specific threat actor group, and the actors' motivations are unclear at this time.
As this is an ongoing campaign, it is critical that organizations validate or implement security controls to prevent successful bruteforce and MFA fatigue attacks. Organizations are encouraged to implement Device Compliance policies and Conditional Access policies to limit access to only compliant devices within specified IP ranges. To prevent MFA fatigue, it is recommended to enforce the use of Multi-Factor Authentication that is fatigue attack resistant, such as number matching. Alternatively, companies may limit the number of MFA push notifications and prompts that can be sent within a specified time period.
According to SpearTip, the success rate of this activity is just under 10%. Over 40% of attacks outright fail, while 21% lead to account lockouts due to existing security controls, 10% are prevented by strong MFA, and 17% are detected due to policy violations. While only about 10% of executed attacks result in account compromise, the absolute number of impacted accounts is likely high, as Fasthttp lets the attackers automate the attempts and run them at a rapid pace. The threat actors behind this campaign are attempting to innovate on attack types that are otherwise well known. The eSentire Threat Intelligence team assesses that there is a high probability that other threat actors will adopt Fasthttp, given the success and publication of this campaign.
eSentire has observed activity that matches the description shared by SpearTip. In response to this campaign, eSentire released an advisory on January 17th. The Tactical Threat Response team has updated eSentire MDR for Log detections to identify related activity. Additionally, threat hunts for this activity are ongoing and known malicious IP addresses are blocked via eSentire MDR for Endpoint.
Bottom Line: The FBI successfully carried out a mass deletion operation of PlugX, a malware linked to Chinese APTs, from over 4,000 U.S.-based computers. While this action impacts the campaign’s current operational capacity, the use of PlugX is expected to continue.
On January 15th, the U.S. Department of Justice (DoJ) confirmed, via unsealed court documents, that the FBI carried out an operation to mass-delete PlugX, a malware associated with Chinese APTs, from U.S. computers. PlugX has been in active use since at least 2012 and is reported to have been employed by a variety of Chinese state-sponsored APT groups. According to the DoJ, the variant of PlugX removed during this operation is attributed to the known APT group Mustang Panda (aka Twill Typhoon, TA416, RedDelta, BRONZE PRESIDENT).
PlugX is a modular Remote Access Trojan (RAT) that can execute a variety of commands on victim systems, including keylogging, screen capture, and process and service management. After initial access is achieved, PlugX maintains persistence on victims' devices by creating registry keys. The malware is estimated to have infected over 45,000 U.S.-based computers, based on their connections to its Command-and-Control (C2) server since September 2023. Victims include organizations across government, private, and non-governmental sectors worldwide. Notable targets have included European shipping companies, European governments, Chinese dissident groups, and organizations across the Indo-Pacific region.
The FBI operation ran from August 2024 until January 3rd, 2025. The U.S. operation was part of a larger international effort to disrupt PlugX, led by French law enforcement and the cybersecurity company Sekoia. In total, the FBI deleted PlugX from 4,258 U.S.-based computers.
While the Department of Justice (DoJ) states that PlugX has been used since 2012, previous reports have traced it back to 2008. The malware has been updated many times since its initial release, and while it is commonly used by Chinese APT groups, there is speculation that the tool was leaked in 2015, allowing other threat groups to adopt it. In 2020, Chinese APT groups updated the malware to spread via compromised USB devices. Despite this significant law-enforcement action against PlugX, it is almost certain that the malware will still be employed by both financially motivated threat actors and state-sponsored APT groups.
The DoJ's effort to remove PlugX from U.S.-based systems marks a significant step in combating this threat. However, a recently published report from Recorded Future on RedDelta (Mustang Panda) reveals the resilience and adaptability of Chinese state-sponsored actors. Since 2023, RedDelta has continually evolved its infection chain, transitioning from Windows shortcut (LNK) files to Microsoft Management Console snap-in (MSC) files and, most recently, to spearphishing links that lead the victim to load HTML files hosted on Microsoft Azure. Its use of Cloudflare's CDN to proxy C2 traffic further complicates identification, allowing malicious activity to blend with legitimate network traffic. This shows that while certain strains or instances of PlugX may have been disrupted, Chinese state-sponsored APTs continue to evolve and deploy different variants of malware in other regions, especially against nations in Asia and Southeast Asia.
eSentire identified the deployment of PlugX malware in various incidents throughout 2024 and maintains rules for both eSentire MDR for Network and eSentire MDR for Endpoint.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers who support our 24/7 Security Operations Centers (SOCs), build detection models across our XDR Cloud Platform, and work as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.