Monthly Threat Brief: July 2024

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of July.

For a more detailed explanation of the overall trends and analysis of these numbers, check out the 2024 MSP Threat Report. For comparison, June’s threat brief can be found here.

July 2024 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data later this year—stay tuned!

Figure 1: Summary of IOCs collected in July 2024

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for June 2024—provided for comparison—and July 2024.

Figure 2: Top 10 MITRE ATT&CK techniques observed in June 2024

Figure 3: Top 10 MITRE ATT&CK techniques observed in July 2024

Latest threats

Each month, we highlight threats that we have seen targeting our MSP partners and their clients.

Malware

Figure 4: Top 5 malware observed in July 2024

Latrodectus

Latrodectus, commonly referred to as BLACKWIDOW or IceNova, is a sophisticated piece of malware often associated with advanced persistent threat (APT) groups. This malware family is known for its ability to conduct extensive cyber-espionage operations, data theft, and surveillance. BLACKWIDOW is designed to infiltrate high-value targets, often within government and corporate sectors, with the aim of exfiltrating sensitive information over extended periods. The malware employs a variety of techniques to evade detection, including advanced obfuscation methods, the use of legitimate software to mask its activities, and leveraging zero-day vulnerabilities to gain and maintain access to targeted systems.

Once deployed, Latrodectus can perform a wide array of malicious activities. These include keylogging, screen capturing, credential theft, and lateral movement within a network to compromise additional systems. The malware often uses encrypted communication channels to exfiltrate data, ensuring that intercepted communications are difficult to analyze. The persistent and stealthy nature of Latrodectus makes it a significant threat, often requiring advanced detection and response strategies to mitigate its impact. Cybersecurity researchers continuously monitor and analyze this malware to develop effective countermeasures and protect against its sophisticated attack vectors.

Gootloader

Gootloader is a sophisticated malware delivery framework known for distributing a variety of malicious payloads, including ransomware and banking trojans like Gootkit. This malware uses advanced social engineering techniques, often leveraging compromised legitimate websites to host and deliver malicious content. Gootloader typically operates through search engine poisoning, where attackers manipulate search engine results to direct victims to malicious websites. These sites appear legitimate and often contain tailored content to deceive users into downloading and executing the malicious payload. Once executed, Gootloader can deliver a range of secondary payloads, enabling threat actors to steal sensitive information, install additional malware, or establish a foothold for further attacks.

AsyncRAT

AsyncRAT is a remote access trojan (RAT) that allows unauthorized individuals to gain remote control over compromised computers. It is a versatile and powerful tool used by cybercriminals to carry out various malicious activities.

AsyncRAT provides a wide range of features, including remote desktop control, file management, keylogging, webcam and microphone access, and the ability to execute arbitrary commands on the compromised system. It can be distributed through various means, such as phishing emails, malicious downloads, or exploiting vulnerabilities in software.

Once a computer is infected with AsyncRAT, the attacker gains complete control over the compromised system, enabling them to steal sensitive information, install additional malware, or use the compromised machine as a launching pad for further attacks. The trojan is designed to remain undetected by antivirus software and employs techniques to evade detection and maintain persistence on the compromised system.

NetSupportManager RAT

NetSupport Manager RAT is a program that enables users to manage and control other computers over a network. It functions as a remote access trojan (RAT), and while it’s intended for legitimate uses like technical support and corporate network management, it can also be misused.

The software offers various features, such as:

• Remote desktop control: Gives an administrator full access to the target computer’s screen and inputs.
• File transfer: Allows moving files between the computers.
• System inventory: Provides details about the target computer’s hardware and software.
• Hardware and software monitoring: Tracks system performance and installed applications.
• Chat functionality: Facilitates communication between the administrator and the target computer user.

NetSupport Manager RAT operates by installing a client component on the target computer and a control component on the administrator’s computer. These components communicate via a network connection, enabling the administrator to access and control the target computer. However, remote administration tools, including NetSupport Manager RAT, can be used for malicious purposes. Cybercriminals frequently use similar software to infiltrate computers, steal confidential information, or carry out harmful activities without the user’s knowledge or consent.

Embargo

The Embargo ransomware, written in the Rust programming language, is notable for its use of double extortion tactics. This approach involves exfiltrating sensitive data from a victim’s system before encrypting it and subsequently threatening to publicly release or sell the stolen data if the ransom is not paid. This tactic is designed to increase pressure on the victim to pay the ransom, as the potential data breach can lead to severe reputational damage, legal consequences, and loss of customer trust. The ransomware encrypts files using the ChaCha20 and Curve25519 algorithms, appending the “.564ba1” extension to the encrypted files.

The Embargo ransomware group initially demanded a $1 million ransom and threatened to notify the victim’s clients, employees, partners, investors, stakeholders, and government authorities about the attack if the ransom was not paid. There are also notable similarities in the user interface and log generation structure between Embargo and ALPHV (Blackcat) ransomware, leading to speculation that Embargo might be a rewritten version of ALPHV. To date, Embargo has disclosed details of four victims globally, demonstrating its active and ongoing threat to various industries.

Monthly newsletter summary

The following is a summary of articles shared in the CRU newsletter during the month of July.

IABs targeting SMBs

The digital threat landscape is increasingly intricate, with initial access brokers (IABs) becoming a significant threat to small and midsized businesses (SMBs). IABs exploit network vulnerabilities to gain unauthorized access and then sell this access to other malicious actors, highlighting the urgent need for robust cybersecurity defenses. SMBs are particularly vulnerable due to their limited IT resources and cybersecurity expertise, which can result in weaker cybersecurity postures compared to larger enterprises. Additionally, their roles in larger supply chains make them attractive targets for IABs seeking to compromise broader networks.

IABs distinguish themselves by not directly attacking networks but by selling access to other threat actors. They use sophisticated techniques to remain undetected, with a primary focus on monetizing access rather than causing immediate damage. Notable malware associated with IABs includes SocGholish, which masquerades as legitimate software updates to infect systems, and Gootloader, which uses SEO poisoning to distribute malicious files. Both malware types exploit browser vulnerabilities and social engineering tactics to establish persistence. To defend against IABs, SMBs should implement comprehensive cybersecurity measures, including employee training, regular system updates, advanced detection tools, and a robust incident response plan.

Vulnerability Brief: Progress WhatsUp Gold

On June 8, 2024, the CRU identified multiple vulnerabilities in Progress Software’s WhatsUp Gold versions prior to 2023.1.3. These vulnerabilities, tracked as CVE-2024-4883, CVE-2024-4885, and CVE-2024-5009, could allow attackers to execute arbitrary commands and gain administrator access without authentication. WhatsUp Gold is a network monitoring tool that manages network infrastructure and services, making it a critical component for network visibility and control. Despite a proof-of-concept exploit being publicly disclosed, the CRU has not seen evidence of active exploitation but warns of the high risk of widespread attacks.

To mitigate these risks, it is essential to update WhatsUp Gold to version 2023.1.3 immediately. ConnectWise partners should ensure network configurations allow IDS sensors to monitor all relevant segments and deploy active detections for potential exploitation. On the host side, partners should confirm that the ConnectWise SIEM™ log shipper is up-to-date and configured to detect threats, including monitoring for suspicious processes and directories that might be used for webshells. These steps are crucial for maintaining network security and preventing potential exploitation of the identified vulnerabilities.

Fake IT Support Website

Cybercriminals have launched a campaign involving fake IT support websites designed to exploit users seeking solutions for the Windows error code 0x80070643. These fraudulent sites, which appear to offer fixes for the error, trick users into running malicious PowerShell scripts or importing harmful registry files. The scripts then download Vidar, an information-stealing malware that collects sensitive data such as credentials, financial information, and personal details. This stolen data is used for identity theft, financial fraud, or sold on dark web markets.

The campaign’s reach is amplified through compromised YouTube channels that promote these fake IT support sites, lending them an air of credibility. To protect against this threat, users should verify the legitimacy of IT support sources, avoid executing scripts from untrusted sites, use robust cybersecurity software, and keep their systems updated. Education on the risks of following unverified advice is also crucial. This situation underscores the need for vigilance and caution when seeking online technical support to avoid falling victim to such deceptive schemes.

D-Link Vulnerability Exploited in the Wild

The D-Link DIR-859 routers have reached their end-of-life and no longer receive cybersecurity updates, leaving them vulnerable to a serious flaw in the “fatlady.php” file. This path traversal vulnerability affects all firmware versions and allows attackers to leak session data, escalate privileges, and gain full control over the router through the admin panel. By manipulating URL paths, attackers can access sensitive configuration files and user credentials, leading to significant information disclosure and potential control over the device.

Security researchers at GreyNoise have detected active exploitation of this vulnerability, with hackers targeting the “DEVICE.ACCOUNT.xml” file to extract critical user information. The compromised routers can be used for further malicious activities, such as launching additional attacks, eavesdropping on network traffic, or joining a botnet. Since the DIR-859 routers will not receive patches, users are advised to replace them with supported models. Interim measures include disabling remote administration, segmenting the network, monitoring traffic for unusual activities, and using strong passwords. The situation underscores the need for timely updates and vigilant network cybersecurity practices.

Update on CrowdStrike Outage Impact

Following the recent CrowdStrike/Microsoft outage, phishing campaigns have emerged, exploiting the incident to deceive users. Attackers are using domains like “crowdstrikebluescreen[.]com” and “fix-crowdstrike-apocalypse[.]com” to create fake CrowdStrike support pages. These sites prompt users to download fraudulent updates after making payments with Bitcoin or other cryptocurrencies. Users are cautioned to verify URLs and avoid downloading software from untrusted sources to protect against these phishing schemes.

The outage, attributed to a defect in a CrowdStrike update affecting Windows hosts, is considered one of the largest IT disruptions in history. While Mac and Linux systems remain unaffected, the issue has caused widespread problems, including disruptions to transportation and financial services globally. CrowdStrike has confirmed that this is not a security incident or cyberattack and has deployed a fix for the issue. Organizations are advised to communicate with CrowdStrike through official channels and stay informed through their support portal.

Exploitation of CrowdStrike Update Flaw by Cybercriminals

Recent cyberattacks exploited a faulty update from CrowdStrike’s Falcon sensor, leading to significant disruptions. Attackers deployed various types of malware, including Remcos RAT, SmokeLoader, and destructive data-wiping tools disguised as legitimate CrowdStrike updates. These payloads were distributed via phishing emails that directed victims to fake CrowdStrike portals. The Remcos RAT facilitates remote control and data exfiltration, SmokeLoader acts as a downloader for additional malware, and the data-wiping tools erase critical files, rendering systems inoperable.

The attacks occurred during a major disruption at CrowdStrike, impacting millions of Windows systems globally. Threat actors used sophisticated spear-phishing techniques with realistic domains and websites to deceive targets, emphasizing the need to verify the authenticity of updates and communications. The involvement of the pro-Iranian hacktivist group Handala, which targeted Israeli companies, highlights the geopolitical aspect of these threats. This incident underscores the importance of robust cybersecurity practices, regular security training, and stringent update verification to prevent such exploitation.

FIN7: “EDR-Killer” For Sale

FIN7, a notorious Russian cybercrime group active since 2013, has developed a sophisticated tool named “AvNeutralizer,” designed to disable endpoint detection and response (EDR) systems. This tool allows attackers to evade detection within compromised networks and has been linked to BlackBasta ransomware operations since 2022. The existence of AvNeutralizer underscores the need for a comprehensive and multi-layered cybersecurity approach to combat advanced threats effectively.

In addition to using AvNeutralizer, FIN7 is now selling it to other threat actors. Since early 2023, ransomware-as-a-service (RaaS) payloads like AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit have employed this tool, potentially escalating cyberattack frequencies. This commercialization highlights the importance of not solely relying on EDR systems for cybersecurity. Organizations should adopt a layered cybersecurity strategy, including EDR, SIEM systems, a 24/7 SOC, secure access service edge (SASE) frameworks, and regular backups, to enhance overall defense and adapt to the evolving threat landscape.

AI in Cyberthreats

Recent advancements in artificial intelligence (AI), particularly with generative AI systems like ChatGPT, have brought significant developments and new cybersecurity challenges. Generative AI models, capable of creating human-like text and other media, are being rapidly adopted not only by major tech companies but also by a wide range of developers working with both open and closed-source models. This growth has highlighted the need for robust cybersecurity measures, as these AI models are susceptible to issues like data leakage and misinformation. For instance, the difficulty in removing data from models can expose sensitive information, and vulnerabilities such as training data poisoning can lead to harmful outputs.

Moreover, the rise of deepfakes and AI chatbots tailored for malicious purposes, such as WormGPT, underscores the evolving threat landscape. Deepfakes can create convincing fake media, complicating the detection of fraud and impersonation, while malicious AI tools can automate and enhance cyber-attacks. To counter these threats, it’s crucial for organizations to implement layered security strategies, including regular verification of information and employing advanced threat detection tools. Staying vigilant and informed about the capabilities and limitations of AI technologies is essential for mitigating these emerging risks.

New ConnectWise SIEM signatures

Several new ConnectWise SIEM detection signatures were added in July 2024. These include:

• [EA][CRU][Windows] Combined Detection: Suspicious winlogon VolatileNotification Registry SetValue and Unsafe DLL Load to LogonUI (CVE-2022-22047)

Techniques detected: [T1112] Modify Registry, [T1574] Hijack Execution Flow

Description: This sequence addresses the vulnerability CVE-2022-22047, which involves both suspicious registry modifications and unsafe DLL loading behavior. It monitors for the creation of “VolatileNotifications” within the registry by winlogon.exe, which is indicative of an attempt to exploit this vulnerability. Concurrently, it detects abnormal DLL loads to LogonUI.exe from paths other than “C:\Windows\System32”, suggesting an attacker may be trying to escalate privileges by loading a custom DLL.

• [Windows] Wscript.Shell CreateShortcut in temp or startup directory

Techniques detected: [T1037] Boot or Logon Initialization Scripts

Description: Creating a shortcut using a Wscript COM object is a tactic that has been observed in malware. Any shortcuts created this way in the startup directory or pointing to temp directories should be investigated for malicious activity.

• [Enhanced Alert][Windows] Powershell Executed via JavaScript File in Temp Directory

Techniques detected: [T1059.001] Command and Scripting Interpreter: PowerShell, [T1059.007] Command and Scripting Interpreter: JavaScript

Description: This alert identifies wscript executing a JavaScript file, resulting in PowerShell attempting to retrieve and execute subsequent payloads, leading to Koi Loader loading Koi Stealer. Koi Stealer is designed to steal sensitive user information.

Reference: https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer  Script block logging must be enabled. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.4

• [O365][MDI] Suspected Golden Ticket usage

Techniques detected: [T1558.001] Steal or Forge Kerberos Tickets: Golden Ticket

Description: Microsoft Defender for Identity required. These alerts detect a “golden ticket” (ticket-granting ticket) in use, indicating an actor has already compromised the KRBTGT account and is able to access any resource in the domain. https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts

• [O365][MDI] AD FS Distributed Key Manager Key Read

Techniques detected: [T1606.002] Forge Web Credentials: SAML Tokens

Description: Microsoft Defender for Identity required. This alert detects anyone reading the distributed key manager (DKM) key, which can be used to decrypt SAML tokens and access any federated service. They can also choose the user to impersonate to avoid raising suspicion. https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-ad-fs-dkm-key-read-external-id-2413

• [O365][MDI] User requested Kerberos service ticket (potential Kerberoasting)

Techniques detected: [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting

Description: Microsoft Defender for Identity required. This alert detects users requesting Kerberos service tickets for potential Kerberoasting. Keberos tickets with weak encryption are vulnerable to brute force, allowing attackers to extract plaintext credentials. https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-kerberos-spn-exposure-external-id-2410

• [Windows] Powershell process specifying window size

Techniques detected: [T1059.001] Command and Scripting Interpreter: PowerShell

Description: Setting a small PowerShell window size has been observed as a tactic to hide malicious activity. Investigate surrounding activity for signs of compromise.

• [O365] User compromised via a known AitM phishing kit

Techniques detected: [T1557] Adversary-in-the-Middle

Description: This alert identifies instances where an Office365 user account may have been compromised through a known adversary-in-the-middle (AitM) phishing kit. AitM phishing kits are sophisticated tools used by attackers to intercept and manipulate communications between users and legitimate services, often capturing credentials and session tokens. We recommend that you promptly investigate this alert, as an attacker might already be using the stolen credentials to move laterally in the network.

• [Palo] Potential Malicious DNS Query Sinkholed

Techniques detected: [T1071.004] Application Layer Protocol: DNS, [T1568.002] Dynamic Resolution: Domain Generation Algorithms

Description: This detection identifies instances where a Palo Alto firewall has identified and sinkholed a potentially malicious DNS query. Such events may indicate attempts to connect to malicious domains associated with various threats.

New IDS signatures added in July 2024:

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Privilege Escalation (CVE-2024-5009)

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Pre-Auth RCE (CVE-2024-4883)

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Pre-Auth RCE (CVE-2024-4885)

[ConnectWise CRU] GeoServer GeoTools API XPath RCE (CVE-2024-36401) M2

[ConnectWise CRU] GeoServer GeoTools API XPath RCE (CVE-2024-36401) M1

[ConnectWise CRU] POLICY Fortra FileCatalyst Workflow Anonymous Logon Enabled

[ConnectWise CRU] Fortra FileCatalyst Workflow Unauthenticated SQLi (CVE-2024-5276)

[ConnectWise CRU] EXPLOIT MOVEit Transfer SFTP Authentication Bypass (CVE-2024-5806)

[ConnectWise CRU] POLICY Vulnerable OpenSSH Server Version (CVE-2024-6387)

[ConnectWise CRU] POLICY Vulnerable OpenSSH Server Version (CVE-2024-6387)