
March Cyber Threat Download™

Pondurance
March 11, 2025

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Threat trends

Our team has noted certain trends in recent attack methods focused on intrusion, operational disruption, or financial harm to organizations. The following trends are increasing or steady in frequency, as these types of attacks continue to prove successful for malicious threat actors.


  • Ransomware. As usual, these attacks are still the most prevalent threat on the internet. The team is seeing manual deployment of ransomware — versus automated deployment — where the threat actor has to break into the network and stage, deploy, and execute the ransomware. Manual deployment allows minutes to tens of minutes for the team to get out in front of an attack. Recently, the new Ghost ransomware has been seen in the wild.


  • Phishing emails. These attacks are trending up, particularly with tax season in full swing and government actions making headlines. Most phishing emails link to credential harvesting webpages, with successful attacks resulting in Office 365 mailbox access where the threat actors create mailbox rules to cover their tracks. To reduce the risk of phishing threats, the team recommends enabling multifactor authentication (MFA) and offering user awareness training to all employees.


  • Credential stuffing attacks. These attacks, also known as brute force attacks, are trending steady. Okta and Microsoft 365 have immediate countermeasures to deploy against credential stuffing attacks. Okta uses adaptive MFA with behavioral detection and dynamic zones, and Microsoft 365 uses Azure Active Directory Identity Protection, which includes conditional access and smart lockout features. Also, Pondurance can take proactive action to restrict an account, for a quicker response time.


Social engineering help desk calls are trending way down. In fact, the team hasn’t seen or heard of any help desk call compromise in recent months. The lack of attacks may be due to user awareness training and more robust help desk validation processes. 


Incident response learnings

Lone wolf actors have recently been using email bombing in their ransomware and data exfiltration efforts. In this social engineering attack, a threat actor sends hundreds to thousands of spam emails to a target user. Then, 15-20 minutes later, the threat actor, posing as an IT person, contacts the user using one of three methods:


  • Microsoft Quick Assist. The user launches Quick Assist (Ctrl+Win+Q), a legitimate tool that can bypass endpoint detection and response, and provides a code to grant a remote session on the computer. Then, the threat actor loads a fake page for the unwitting user to click on. Once the user clicks on the page, the threat actor runs a tool such as FileZilla to remotely exfiltrate the closest file share — in 24 minutes or less! One month later, the user will receive an extortion email.

  • Run command. The user opens the Run dialog (Win+R), a legitimate tool that lets the user quickly open a program, file, or folder by typing in a command, and pastes into it (Ctrl+V). In an email bombing attack, the threat actor has hijacked the user’s clipboard so that the command to run is already copied to it without the user typing it; once pasted and run, it installs a backdoor on the backend.

  • Phone call. The user receives an email with a phone number to a fake call center. Once on the call, the user receives instructions to download a tool such as Zoho Assist or ScreenConnect to allow remote management.


Exploitation of virtual private network (VPN) logins, particularly SonicWall and Fortinet, is a common theme right now. The team sees threat actors using valid username-password combinations to log in to VPNs. In most cases of exploitation, MFA or single sign-on that enforces MFA is available but not implemented. Once the threat actors directly log on to the VPN, they use attacks such as Kerberoasting to exploit service accounts and then log on via Remote Desktop Protocol (RDP) to any servers they can access. With these VPN exploit cases, the team often finds that VPN logs are only retained for a span of 24 hours to seven days. The team recommends instead that clients preserve and centralize their logs.
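As an added example (not from the Pondurance report), the following Python script shows the kind of Kerberoasting detection a SOC can run once logs are centralized: it walks constructed Windows Security Event ID 4769 records and flags a source that requests RC4-encrypted service tickets for several distinct service accounts within a short window. The record layout, field names and sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4769 (Kerberos service ticket requested) records, not real logs.
# TicketEncryptionType 0x17 = RC4-HMAC (the Kerberoasting signature), 0x12 = AES256.
# Machine accounts end in '$'; the interesting targets are service accounts with SPNs.
EVENTS = [
    {"ts": "2025-02-10T02:14:01", "user": "jdoe", "service": "MSSQLSvc/db01", "enc": "0x17", "ip": "10.8.0.23"},
    {"ts": "2025-02-10T02:14:02", "user": "jdoe", "service": "http/intranet", "enc": "0x17", "ip": "10.8.0.23"},
    {"ts": "2025-02-10T02:14:02", "user": "jdoe", "service": "svc_backup", "enc": "0x17", "ip": "10.8.0.23"},
    {"ts": "2025-02-10T02:14:03", "user": "jdoe", "service": "krbtgt", "enc": "0x17", "ip": "10.8.0.23"},
    {"ts": "2025-02-10T02:14:03", "user": "jdoe", "service": "WS0042$", "enc": "0x12", "ip": "10.8.0.23"},
    {"ts": "2025-02-10T09:30:00", "user": "asmith", "service": "MSSQLSvc/db01", "enc": "0x12", "ip": "10.1.4.7"},
]

RC4_HMAC = "0x17"

def is_roastable_request(ev):
    """RC4 TGS request for a non-machine, non-krbtgt principal: the ticket can be cracked offline."""
    svc = ev["service"]
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):
        return False
    return ev["enc"] == RC4_HMAC

def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Per (user, source IP), alert when `threshold` distinct services get RC4 tickets within `window`.
    The source IP is kept so an alert can be matched against the VPN client address pool."""
    per_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_source[(ev["user"], ev["ip"])].append((datetime.fromisoformat(ev["ts"]), ev["service"]))
    alerts = []
    for (user, ip), reqs in per_source.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts.append({"user": user, "ip": ip, "services": sorted(in_window)})
                break  # one alert per source is enough; avoid duplicate noise
    return alerts

if __name__ == "__main__":
    for a in find_kerberoast_bursts(EVENTS):
        print(f"ALERT Kerberoasting pattern: {a['user']} from {a['ip']} -> {a['services']}")
```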


The use of the Godzilla web shell is currently a trending form of exploitation. Godzilla opens a shellcode launcher with commands written to memory — rather than written to disk or logs as with JavaScript and PowerShell — and performs process injection to launch shellcode within that process. The threat actors use the Advanced Encryption Standard (AES) to create the web shell and can launch any sort of shellcode to pull off the attack. Then, they install remote monitoring and management tools, bring in tools like Advanced IP Scanner, steal the service accounts, and exfiltrate data.


Notable vulnerabilities

Approximately 4,000 vulnerabilities were disclosed in January, and this number is expected to slowly increase over time. As many as 33 of the 4,000 disclosed vulnerabilities were high risk, and five were actively exploited. There was one proof-of-concept exploit impacting Windows Lightweight Directory Access Protocol (LDAP) discovered on the internet.


As many as 159 reported vulnerabilities were addressed during Microsoft Patch Tuesday in January. Among those 159, 10 were critical, and eight were zero days. Three of the zero days are particularly notable:


  • Fortinet authentication bypass vulnerability. Exploitation of this vulnerability initially occurs through the JavaScript console interface. From there, the threat actor creates a new administrator account with VPN access, modifies existing accounts, makes changes to the firewall settings, and adds a VPN tunnel into the internal network. The threat actor also may steal credentials through DCSync.

  • Ivanti Connect Secure vulnerability. This buffer overflow vulnerability, exploited by China-based espionage groups, targets particular industries. The exploitation begins with automated scanning to find vulnerable devices that are accessible over the internet. Once a device is accessed, the threat actor disables the SELinux security module running in the Linux kernel. The threat actor remounts some file systems for write access, which allows downloading and installation of additional malware. The threat actor may also deploy web shells to gain control over the compromised systems.

  • GFI KerioControl product vulnerability. This carriage return line feed (CRLF) injection vulnerability occurs when user input is not sanitized correctly, meaning the carriage return and line feed characters are not removed. For the exploit, the threat actor crafts a malicious URL and sends a phishing email to the product administrator. Once the product administrator clicks on the link, a malicious disk image file uploads to the system and lands in the software updates folder of the KerioControl product, ultimately granting root access to the firewall system.
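The CRLF injection class described in the last item, shown as an added Python example that is not code from the report or from the affected product: a response builder that leaves CR/LF in a user-supplied value next to a hardened version that rejects it, with a small parser that shows what a client actually receives. The header names, the `/dashboard` path and the tainted sample value are constructed for illustration.

```python
import re
from urllib.parse import unquote

CRLF = "\r\n"

def build_redirect_vulnerable(location):
    """Before: a user-controlled value is placed in the header block with CR/LF left in."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"

class HeaderInjectionError(ValueError):
    pass

_HEADER_CTL = re.compile(r"[\r\n\x00]")

def build_redirect_hardened(location):
    """After: refuse any value that could end the header line; reject rather than try to 'clean' it."""
    if _HEADER_CTL.search(location):
        raise HeaderInjectionError("control character in header value")
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"

def parse_headers(raw_response):
    """Minimal response parser: the header name -> value mapping a client would see."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    header_lines = head.split(CRLF)[1:]  # drop the status line
    return dict(line.split(": ", 1) for line in header_lines if ": " in line)

# Constructed input: a URL parameter whose %0d%0a decodes to CR/LF. The check must run on the
# decoded value, which is the form the server actually uses, not on the raw query string.
TAINTED = unquote("/dashboard%0d%0aX-Injected:%20yes")

def demo(value=TAINTED):
    """Returns (did an extra header reach the client?, did the hardened builder reject the value?)."""
    injected = "X-Injected" in parse_headers(build_redirect_vulnerable(value))
    try:
        build_redirect_hardened(value)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    return injected, rejected

if __name__ == "__main__":
    print(demo())  # (True, True)
```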


In February, 67 reported vulnerabilities were addressed during Microsoft Patch Tuesday. Of those 67, three were critical vulnerabilities, and four were known zero days, including two elevation of privilege vulnerabilities, a hash disclosure vulnerability, and a security feature bypass vulnerability. The team recommends maintaining an ongoing, robust patching program to address these issues.


Focus on device code phishing attacks

Device code phishing is a relatively new MFA bypass technique being used by Storm-2372, a Russia-backed group of threat actors. The group is targeting the IT, defense, higher education, telecommunications, and energy sectors, primarily in the United States and Europe. 


A device code phishing attack begins with a social engineering campaign using a third-party messaging app, such as Telegram, Signal, or Microsoft Teams, to build a rapport between the user and threat actor. The ultimate goal is to convince the user to accept an invitation to an online meeting. Once the user accepts the invitation, the threat actor requests a device code from the meeting service and sends the code to the user. Then, the user is taken to a legitimate device code authentication page to log in with credentials and enter the threat actor-generated code. The threat actor captures the authentication tokens and uses them to access the user’s account. Now, with full access to the compromised account, the threat actor can gather sensitive data for use in future attacks and extortion and send additional phishing emails from the account to lure potential new victims.


To prevent device code phishing attacks, organizations should offer user awareness training to all employees, require MFA to disrupt the entering of a device code, and monitor login data for all user accounts.
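The flow described above, as an added model that is not part of the Pondurance report: a toy identity provider in Python implementing the shape of the OAuth device authorization grant (RFC 8628). It shows why the user's own MFA does not protect them (tokens are released to whoever requested the device code) and why a policy that gates the grant, plus review of sign-in logs for the device code protocol, is the control. The class, endpoint names, client id and log fields are assumptions for illustration.

```python
import secrets

class DeviceCodeAuthServer:
    """Toy identity provider with the shape of the device authorization grant (RFC 8628).
    Constructed for illustration; names and log fields are assumptions, not a real IdP's API."""

    def __init__(self, allow_device_code_grant=True):
        # Stand-in for the policy control the report recommends: gate the grant itself.
        self.allow_device_code_grant = allow_device_code_grant
        self.pending = {}      # device_code -> {"user_code", "client_id", "approved_by"}
        self.sign_in_log = []  # what a defender would later review

    def device_authorization(self, client_id):
        """Step 1: the party that calls this receives BOTH the device_code and the user_code."""
        if not self.allow_device_code_grant:
            raise PermissionError("device code grant blocked by policy")
        device_code, user_code = secrets.token_hex(16), secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device"}

    def user_approves(self, user_code, username, mfa_passed):
        """Step 2: a user signs in (MFA included) on the legitimate page and types the user_code."""
        for entry in self.pending.values():
            if entry["user_code"] == user_code and mfa_passed:
                entry["approved_by"] = username
                return True
        return False

    def token(self, device_code):
        """Step 3: tokens go to whoever holds device_code, not to whoever typed the user_code."""
        entry = self.pending.get(device_code)
        if entry is None or entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.sign_in_log.append({"user": entry["approved_by"], "protocol": "deviceCode",
                                 "client_id": entry["client_id"]})
        return {"access_token": f"at-{entry['approved_by']}", "refresh_token": "rt-redacted"}

def run_scenario(allow_device_code_grant=True):
    """The requester obtains the codes; a different person approves with MFA; the requester redeems."""
    idp = DeviceCodeAuthServer(allow_device_code_grant)
    try:
        codes = idp.device_authorization(client_id="meeting-client")  # the requester, not the user
    except PermissionError:
        return None, []
    assert idp.token(codes["device_code"]) == {"error": "authorization_pending"}
    idp.user_approves(codes["user_code"], "user@corp.example", mfa_passed=True)  # MFA genuinely passes
    return idp.token(codes["device_code"]), idp.sign_in_log
```

The sign-in log entry is the artifact to hunt for: a `deviceCode` protocol sign-in for a user who has no business using that grant.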


About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
