Monthly Threat Brief: May 2024
Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).
In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of May.
For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports. For comparison, April’s threat brief can be found here.
May 2024 stats
IOCs
The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data later this year—stay tuned!
Figure 1: Summary of IOCs collected in May 2024
TTPs
The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for April 2024—provided for comparison—and May 2024.
Figure 2: Top 10 MITRE ATT&CK techniques observed in April 2024
Figure 3: Top 10 MITRE ATT&CK techniques observed in May 2024
Latest threats
Each month, we highlight threats that we have seen targeting our MSP partners and their clients. We see many of the same threats each month. This month, we are looking at the top five malware the ConnectWise SOC observed in May. Several of these have been covered in previous monthly threat briefs, but this edition includes updated IOCs observed in May 2024.
Malware
Figure 4: Top five malware observed in May 2024
NetSupport Manager RAT
NetSupport Manager RAT is a program that enables users to manage and control other computers over a network. It functions as a "remote access trojan," and while it's intended for legitimate uses such as technical support and corporate network management, it can also be misused.
The software offers various features, such as:
- Remote desktop control: Gives an administrator full access to the target computer's screen and inputs
- File transfer: Allows moving files between the computers
- System inventory: Provides details about the target computer's hardware and software
- Hardware and software monitoring: Tracks system performance and installed applications
- Chat functionality: Facilitates communication between the administrator and the target computer user
NetSupport Manager RAT operates by installing a client component on the target computer and a control component on the administrator's computer. These components communicate via a network connection, enabling the administrator to access and control the target computer. However, remote administration tools, including NetSupport Manager RAT, can be used for malicious purposes. Cybercriminals frequently use similar software to infiltrate computers, steal confidential information, or carry out harmful activities without the user's knowledge or consent.
AsyncRAT
AsyncRAT is a remote access trojan (RAT) that allows unauthorized individuals to gain remote control over compromised computers. It is a versatile and powerful tool used by cybercriminals to carry out various malicious activities.
AsyncRAT provides a wide range of features, including remote desktop control, file management, keylogging, webcam and microphone access, and the ability to execute arbitrary commands on the compromised system. It can be distributed through various means, such as phishing emails, malicious downloads, or exploiting software vulnerabilities.
Once a computer is infected with AsyncRAT, the attacker gains complete control over the compromised system, enabling them to steal sensitive information, install additional malware, or use the compromised machine as a launching pad for further attacks. The trojan is designed to remain undetected by antivirus software and employs techniques to evade detection and maintain persistence on the compromised system.
SolarMarker/Jupyter
SolarMarker is a sophisticated malware family first identified in early 2020 that is primarily used for data theft and credential harvesting. It predominantly targets the healthcare, education, and government sectors. SolarMarker is known for its deployment through SEO poisoning, where malicious websites are optimized to rank highly in search engine results, tricking users into downloading the malware disguised as legitimate software or documents. Once installed, SolarMarker operates as a backdoor, enabling threat actors to maintain persistent access to compromised systems.
The malware employs a multi-stage infection process. Initially, a malicious loader downloads and installs the SolarMarker payload. This payload is heavily obfuscated, using advanced techniques to evade detection by antivirus and endpoint protection systems. The final payload can exfiltrate sensitive data, including credentials stored in browsers, email clients, and other applications. SolarMarker's adaptability and persistence mechanisms make it a significant threat, capable of evolving to bypass cybersecurity measures and sustain long-term operations within targeted environments.
FakeUpdates
FakeUpdates, also known as SocGholish, is a prevalent malware campaign that emerged around 2018. It’s characterized by the use of social engineering techniques to trick users into downloading malicious software disguised as legitimate updates. This malware is primarily delivered through compromised websites, where users are prompted with fake update notifications, typically for common software such as Adobe Flash Player or browser updates. These prompts are designed to appear authentic, exploiting users' trust and urgency to keep their software up-to-date.
Once the user initiates the download, the malware installs a backdoor on the system, providing attackers with remote access and control. FakeUpdates is often used as a delivery mechanism for additional payloads, including ransomware, banking trojans, and information stealers. The attackers leverage this access to exfiltrate sensitive data, deploy further malware, or use the compromised systems for broader campaigns.
The widespread use of compromised legitimate websites and the convincing nature of the fake update prompts make FakeUpdates a significant threat, capable of impacting a wide range of users and organizations. Its persistence and adaptability in evading detection underscore the importance of robust cybersecurity practices and user education to mitigate such threats.
Remcos RAT
Remote control and surveillance (Remcos) RAT is a potent remote access trojan used primarily for cyberespionage, surveillance, and data theft. First identified in 2016, Remcos has gained notoriety for its versatility and robust functionality, making it a favored tool among cybercriminals. Distributed through various means, including phishing emails, malicious attachments, and compromised websites, Remcos allows attackers to gain full control over infected systems. Once installed, it operates stealthily, evading detection through techniques such as process hollowing, code injection, and anti-debugging mechanisms.
The capabilities of Remcos RAT are extensive. It enables attackers to perform a wide range of malicious activities, including keystroke logging, screen capturing, audio and video recording, file exfiltration, and password theft. Its command-and-control (C2) communication is often encrypted, enhancing its persistence and evasion techniques. Remcos can also execute remote commands, manipulate files and system settings, and deploy additional malware, making it a versatile tool for both initial compromise and maintaining long-term access to target systems.
New ConnectWise SIEM signatures
Several new ConnectWise SIEM detection signatures were added in May 2024. These include:
- [CRU][Windows] LOLBin Suspicious Sqltoolsps.exe Execution
Techniques detected: [T1127] Trusted Developer Utilities Proxy Execution, [T1059.001] Command and Scripting Interpreter: PowerShell
Description: SqlToolsPS.exe is a tool that ships with installations of MS SQL Server that loads SQL Server cmdlets. Threat actors have been observed using it to bypass typical PowerShell detections. This event notification attempts to audit SqlToolsPS.exe usage outside of normally observed behavior. Particularly concerning behavior would include direct command line invocation by a user. False positives would be expected from execution as a byproduct of other SQL Server processes.
- [CRU][Windows] LOLBin Suspicious Sqlps.exe Execution
Techniques detected: [T1127] Trusted Developer Utilities Proxy Execution, [T1059.001] Command and Scripting Interpreter: PowerShell
Description: Sqlps.exe is a tool that ships with installations of MS SQL Server that loads SQL Server cmdlets. Threat actors have been observed using it to bypass typical PowerShell detections. This event notification attempts to audit Sqlps.exe usage outside of normally observed behavior. Particularly concerning behavior would include direct command line invocation by a user. False positives would be expected from execution as a byproduct of other SQL Server processes.
- [CRU][Windows] Potential Windows Defender Tampering via SystemSettingsAdminFlows.exe
Techniques detected: [T1562.001] Impair Defenses: Disable or Modify Tools
Description: SystemSettingsAdminFlows.exe is a native binary that's executed when changing system settings that require administrator privileges, such as changing Windows Defender settings. Some threat actors have been observed abusing this process to disable Windows Defender settings outside of the context of the system settings menu. This event notification attempts to detect this behavior by looking for SystemSettingsAdminFlows.exe disabling particular Windows Defender settings outside of the settings menu context.
- [CRU][Windows] AutoHotkey Interpreter Executed from Non-Typical Directory
Techniques detected: [T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT
Description: AutoHotkey is a scripting language used for Windows automation that depends on an interpreter to execute scripts. Several threat actors have been known to make use of AutoHotkey scripts to deploy malware and have been observed dropping the interpreter outside of expected directories. This detection attempts to alert on this activity and should be verified for potential authorized AutoHotkey usage and investigated for any surrounding suspicious activity.
- [CRU][Windows] Suspicious File Created in Fonts Directory
Techniques detected: [T1036] Masquerading
Description: This alert triggers when a suspicious file type is downloaded into the C:\Windows\Fonts directory. Threat actors have been observed dropping malicious files into this directory. Examine the source of the file and any subsequent execution for validation of this activity.
New IDS signatures added in May 2024:
[ConnectWise CRU] MALWARE Echo Checkin
[ConnectWise CRU] MALWARE LoaderVB PDB Path
[ConnectWise CRU] ZZZPHP ISSESSION adminid Authentication Bypass
[ConnectWise CRU] ZZZPHP Template Code Injection M1
[ConnectWise CRU] ZZZPHP Template Code Injection M2
[ConnectWise CRU] ZZZPHP Template Code Injection M3
[ConnectWise CRU] Shopware PHP Object Instantiation
[ConnectWise CRU] Shopware PHP XXE Injection
[ConnectWise CRU] HUNTING Command Substitution in HTTP URI
[ConnectWise CRU] HUNTING Command Substitution in HTTP Headers
[ConnectWise CRU] HUNTING Template Injection M1
[ConnectWise CRU] HUNTING Template Injection M2
[ConnectWise CRU] HUNTING Template Injection M3
[ConnectWise CRU] HUNTING Template Injection M4
[ConnectWise CRU] MALWARE Goldoon SystemInfo
[ConnectWise CRU] MALWARE Goldoon Heartbeat Packet
[ConnectWise CRU] MALWARE Goldoon Data Packet
[ConnectWise CRU] MALWARE Goldoon Command Packet
[ConnectWise CRU] MALWARE Goldoon HTTP Server Response
[ConnectWise CRU] Tinyproxy HTTP Connection Headers Use-After-Free (CVE-2023-49606)
[ConnectWise CRU] Tinyproxy HTTP Connection Headers Use-After-Free (CVE-2023-49606)
[ConnectWise CRU] HUNTING Potential JSON Smuggling Whitespace Characters Inbound
[ConnectWise CRU] HUNTING Potential JSON Smuggling Whitespace Characters Outbound Response
[ConnectWise CRU] Potential Oracle BI Publisher Authentication Bypass in XML Service (CVE-2024-21082)
[ConnectWise CRU] Potential Oracle BI Publisher Remote Code Execution by ScriptEngine Injection (CVE-2024-21083)
[ConnectWise CRU] Potential Oracle BI Publisher Unauthenticated Blind Server-Side Request Forgery (CVE-2024-21084)
[ConnectWise CRU] HUNTING Java ScriptEngine Code Injection
[ConnectWise CRU] HUNTING XML External Entities Abuse
[ConnectWise CRU] WolfSSL Default TLS Certificate
[ConnectWise CRU] MALWARE Astaroth Stealer Outbound
[ConnectWise CRU] HUNTING UTF-8 Encoded VBScript HTTP Outbound Response M1
[ConnectWise CRU] HUNTING UTF-8 Encoded VBScript HTTP Outbound Response M2
[ConnectWise CRU] Citrix Netscaler ADC and Gateway Out-Of-Bounds Memory Read (CVE-2023-6549)
[ConnectWise CRU] F5 Central Manager Unauthenticated OData Injection (CVE-2024-21793)
[ConnectWise CRU] F5 Central Manager Unauthenticated SQL Injection (CVE-2024-26026)
[ConnectWise CRU] Confluence Data Center and Server Authenticated RCE (CVE-2024-21683)
[ConnectWise CRU] Potential PDF.js Arbitrary Javascript Execution Inbound (CVE-2024-4367) M1
[ConnectWise CRU] Potential PDF.js Arbitrary Javascript Execution Inbound (CVE-2024-4367) M2
[ConnectWise CRU] Potential PDF.js Arbitrary Javascript Execution Outbound Response (CVE-2024-4367)
[ConnectWise CRU] Fortinet FortiSIEM Command Injection (CVE-2023-34992)
[Connectwise CRU] Fluent Bit Memory Corruption Linguistic Lumberjack (CVE-2024-4323)
[Connectwise CRU] Fluent Bit API Memory Corruption Linguistic Lumberjack (CVE-2024-4323)
[ConnectWise CRU] Jetbrains TeamCity Authentication Bypass (CVE-2024-23917)
[ConnectWise CRU] Flowmon Unauthenticated Command Injection (CVE-2024-2389)
[ConnectWise CRU] Check Point Security Gateways Arbitrary File Read (CVE-2024-24919)
[ConnectWise CRU] QNAP QTS Authenticated Remote Code Execution (CVE-2024-27130)
