September 2024 Novel Threat Tactics, Notable Vulnerabilities, and Current Trends

Threat Intelligence, Vulnerabilities and Trends, and Engineering Insights for September 2024

Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In September, the team discussed threat intelligence, notable vulnerabilities and trends, security operations center (SOC) updates, and SOC engineering insights.

Threat intelligence 

The Assistant Vice President (AVP) of Digital Forensics and Incident Response (DFIR) highlighted a few vulnerabilities that the DFIR team has experienced. He explained that, in the past month, there have been a record number of ransomware attacks and an all-time peak in business email compromise attacks for an overall volume of activity that he hasn’t seen before. He discussed the details of three specific attacks:

• SonicWall virtual private networks (VPNs). The threat actor group Akira has enumerated users on the internet that have a SonicWall VPN and is continuously exploiting those users. The AVP of DFIR recommended that SonicWall VPN users — with single-factor authentication or multifactor authentication (MFA) — need to apply the patch. He also suggests that organizations with a SonicWall VPN sitting in a closet or back room should turn off that device.

• CrushFTP. A zero-day vulnerability was exploited against CrushFTP and rapidly progressed into a preransomware event, demonstrating that exploits don’t only happen on popular or common products.

• SQL injection. When people think about SQL injection exploits, they think about protecting the app on the internet. In reality, during a SQL injection exploit, the threat actor is not landing on the app but is landing on the SQL server. From there, the attack happens very rapidly. The threat actor bypasses the endpoint detection and response (EDR) device and focuses on the ESXi hypervisor as the way to get to the data server. 

The best way to catch the threat actor in a SQL injection exploit is during the data exfiltration phase. During the attack, the team sees threat actors choosing to bypass EDR and using common IT tools, such as Cloudflare, CTERA, Splashtop, and Level. During exfiltration, the team sees the use of file transfer tools, such as Restic and Rclose. In particular, threat actors are targeting files using “file server” or “vault” in the naming conventions.  

Vulnerabilities and trends

The Vulnerability Management Program (VMP) Team Lead reviewed notable vulnerabilities from August. As many as 5,200 vulnerabilities were disclosed, which is about 3,000 vulnerabilities more per month than ever before. Twenty-two of those vulnerabilities were high risk, and 13 of those 22 were known to be exploited in the wild on products including Microsoft, SolarWinds, Google Chrome, Versa Director, Apache, WordPress, and Avanti. Notably, the Google Chrome vulnerability in August was the 10th zero-day vulnerability affecting Google Chrome.

The VMP Team Lead talked in detail about two exploitations by state-sponsored threat actors and one AVTech vulnerability:

• A North Korea-backed group exploited a pair of vulnerabilities for financial gain. The first one was a type confusion vulnerability (CVE-2024-7971) in the V8 JavaScript engine of Chromium where the user was tricked into navigating to a malicious URL. The second vulnerability (CVE-2024-38106) was chained together with the first one, placing JavaScript code onto the system and then launching other scripts that download and deploy FudModule rootkit to targeted users in the cryptocurrency industry.

• A China-backed group exploited an unrestricted file upload vulnerability (CVE-2024-39717) on Versa Director software. During an attack, the threat actor simply renames a malicious file as .png so that the software identifies it as an image file and uploads it into the compromised system. To execute this difficult exploit, the threat actor must gain preaccess. Then, the threat actor can deploy a web shell, which provides persistence and then access into the network. This exploit is intended to cause chaos in a nation’s or an organization’s infrastructure.

• The AVTech IP camera vulnerability (CVE-2024-7029) involved a command injection flaw in the brightness function of the camera’s firmware. This exploit does not target the security camera user. Instead, the Corona Mirai malware botnet loads and connects to the command and control servers where the connection is left open. Later, the camera is instructed to conduct a distributed denial-of-service attack to take over devices that can be used to attack third-party organizations. AVTech will not release a patch, so the best mitigation approach is to replace the security system. 

In September, 79 vulnerabilities were reported and addressed during Microsoft Patch Tuesday. Among those 79, four were actively exploited zero-day vulnerabilities, and seven had a critical severity level. The VMP Team Lead briefly discussed a handful of the critical Microsoft patches.  

To lessen the likelihood of a successful attack, the team recommends that organizations focus their efforts on applying the Microsoft patches as they are released, addressing any vulnerabilities on internet-connected devices and systems, and updating end-user software, such as Adobe Acrobat, Google Chrome, Microsoft Word, and Excel. 

SOC updates

The SOC Director discussed recent cybersecurity trends that the SOC team observed in August. 

Credential stuffing attacks. These attacks are on the rise. During an attack, the threat actor takes a large number of usernames and passwords, finds a login page on the internet, and blasts every single username and password combination on that login page. Specifically, Okta and Microsoft 365 have built-in protections against credential stuffing attacks. Okta uses dynamic zones so that a user can determine which particular geographic locations should be blocked or allowed on the network. Microsoft 365 uses risk-based conditional access and smart lockout features to provide protection.

Ransomware. These attacks are still trending steady. Many of the ransomware incidents involve manual deployment of ransomware where the threat actor gets access to the network, then pushes the ransomware out. The good news is that manual deployment allows the team to get in front of the threat actor to minimize impact from the action.

Social engineering help desk calls. The SOC is experiencing a slight drop-off in these attacks but still sees enough of them to label the activity as steady. As usual, the team recommends organizations use strict verification procedures and continue user awareness training.

Phishing emails are prevalent, with the majority linking to credential harvesting pages. As more companies use MFA, threat actors are making adjustments, employing adversary-in-the-middle attacks and adding MFA to their fake login pages. Once gaining access, threat actors focus on mailboxes and access files like SharePoint. As a result, the team looks for new inbox rules or modification of existing inbox rules to stay ahead of possible attacks. Enabling MFA and offering user awareness training are the best ways to combat phishing threats.

SOC engineering insights

The Senior Manager of SOC Engineering started by briefly reinforcing the importance of disclosing crown jewels, such as hosts, IP addresses, VIP lists, and honey tokens. He also introduced a new countermeasure on the Pondurance platform for network sensors. For clients using a network sensor, Impossible Travel will help Pondurance detect a user account compromise or phishing incident. If a threat actor attempts to access the service or gain access through a VPN from multiple data points, Pondurance can promptly inform the client about it.

Next up, the Detection Engineer reviewed three examples of phishing emails with varying levels of sophistication. He pointed out the red flags that tell the user the email is possibly a malicious phishing scam including:

• No links, follow-ups, or attachments. In this type of email, the threat actor simply wants the user to reply as requested.

• Poor grammar. Misspellings, typos, and grammatical errors have always been signs of a phishing email. Today, ChatGPT and other artificial intelligence (AI) tools have lessened the number of obvious language blunders in phishing emails.

• Unfamiliar logo or letterhead. If the logo or letterhead does not look familiar, it could be generated by AI. If something doesn’t look right, stop to check it out.

• Suspicious domain name. Closely check the domain name to make sure it is the actual, legitimate name of the company.

• Banking information. If the email includes a bank account number or routing number, make sure it is a match by doing an online search for the numbering convention of the named bank. The team thoroughly investigates any suspicious money transactions — far beyond what is expected of any client — but the team still recommends clients do their due diligence.

• Questionable PDF. If a PDF doesn’t seem quite right, a look at the metadata can provide details about how the PDF was created. 

• Dubious email signature. Check the sender’s name, title, and street address. Google Street View can show the user if the given address corresponds to an actual physical address. 

The team suggests methods to stop phishing including taking no action when unsure about email authenticity, verifying with the established chain of command or security department before providing information or taking next actions, and reporting any suspicious emails. The team recommends user awareness training for all employees, plus additional training for the accounting, finance, and human resources departments. Also, organizations should establish processes, follow the processes, and practice the processes by conducting tabletop exercises and penetration testing.

Next month

The Pondurance team will host another webinar in October to discuss new cybersecurity activity. Check back next month to read the summary.