Monthly Threat Brief: June 2024

Posted: 07/22/2024 | By: Bryson Medlock

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of June.

For a more detailed explanation of the overall trends and analysis of these numbers, check out the 2024 MSP Threat Report. For comparison, May’s threat brief can be found here.

June 2024 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data later this year—stay tuned!

Figure 1: Summary of IOCs collected in June 2024

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for May 2024—provided for comparison—and June 2024.

Figure 2: Top 10 MITRE ATT&CK techniques observed in May 2024

Figure 3: Top 10 MITRE ATT&CK techniques observed in June 2024

Latest threats

Each month, we highlight threats that we have seen targeting our MSP partners and their clients. Many of the same threats recur month to month. This month, we look at the top five malware families the ConnectWise SOC observed in June. Several of these have been covered in previous monthly threat briefs, but this edition includes updated IOCs observed in June 2024.

Malware

Figure 4: Top 5 malware observed in June 2024

AsyncRAT

AsyncRAT is a remote access trojan (RAT) commonly used by cybercriminals for unauthorized access and control over victim machines. Written in .NET, this malware facilitates extensive remote administration capabilities, allowing attackers to execute commands, manipulate files, capture keystrokes, take screenshots, and control the system's hardware such as webcams and microphones. AsyncRAT is known for its ease of use, customizable features, and robust evasion techniques, which include encryption and obfuscation to avoid detection by cybersecurity software.

This RAT is often distributed through phishing campaigns, malicious email attachments, and exploit kits, making it a versatile tool in the toolkit of cybercriminals and threat actors. Its popularity stems from its open-source nature and active development community, ensuring continuous updates and enhancements that help it stay ahead of cybersecurity defenses.

Figure: MITRE ATT&CK techniques observed for AsyncRAT

Figure: IOCs observed for AsyncRAT in June 2024

Gootloader

Gootloader is a sophisticated malware delivery framework known for distributing a variety of malicious payloads, including ransomware and banking trojans like Gootkit. This malware uses advanced social engineering techniques, often leveraging compromised legitimate websites to host and deliver its malicious content.

Gootloader typically operates through search engine poisoning, where attackers manipulate search engine results to direct victims to malicious websites. These sites appear legitimate and often contain tailored content to deceive users into downloading and executing the malicious payload. Once executed, Gootloader can deliver a range of secondary payloads, enabling threat actors to steal sensitive information, install additional malware, or establish a foothold for further attacks.

Figure: MITRE ATT&CK techniques observed for Gootloader

Figure: IOCs observed for Gootloader in June 2024

FakeUpdates

FakeUpdates, also known as SocGholish, is a prevalent malware campaign that emerged around 2018, characterized by its use of social engineering techniques to trick users into downloading malicious software disguised as legitimate updates. This malware is primarily delivered through compromised websites, where users are prompted with fake update notifications, typically for common software like Adobe Flash Player or browser updates. These prompts are designed to appear authentic, exploiting users' trust and urgency to keep their software up-to-date.

Once the user initiates the download, the malware installs a backdoor on the system, providing attackers with remote access and control. FakeUpdates is often used as a delivery mechanism for additional payloads, including ransomware, banking trojans, and information stealers. The attackers leverage this access to exfiltrate sensitive data, deploy further malware, or use the compromised systems for broader campaigns. The widespread use of compromised legitimate websites and the convincing nature of the fake update prompts make FakeUpdates a significant threat, capable of impacting a wide range of users and organizations. Its persistence and adaptability in evading detection underscore the importance of robust cybersecurity practices and user education to mitigate such threats.

Figure: MITRE ATT&CK techniques observed for FakeUpdates

Figure: IOCs observed for FakeUpdates in June 2024

Broomstick

Broomstick, also known as Oyster or CleanUpLoader, is a malware backdoor first identified in September 2023. It has been associated with the threat group ITG23 and is typically delivered via a loader that masquerades as legitimate software installers, such as browser or Microsoft Teams installers. The initial infection vector often involves malvertising campaigns that lead users to download these disguised installers.

Once installed, the Broomstick malware achieves persistence through COM hijacking, misuse of the Windows Disk Cleanup utility, and other similar techniques. The backdoor component, known as Oyster Main, collects system information, communicates with command-and-control (C2) servers, and can execute various commands via cmd.exe. This malware is capable of dropping and executing additional payloads, further expanding its control over the compromised system.

Figure: MITRE ATT&CK techniques observed for Broomstick

Figure: IOCs observed for Broomstick in June 2024

Matanbuchus

Matanbuchus, also known as BelialDemon, is a sophisticated malware-as-a-service (MaaS) platform primarily used to deliver second-stage payloads such as Cobalt Strike beacons. Initially discovered in mid-2021, Matanbuchus is notable for its loader capabilities, which enable threat actors to execute custom DLLs directly into memory, thereby evading traditional endpoint cybersecurity mechanisms. It is marketed on underground forums with a focus on ease of use, allowing even relatively inexperienced cybercriminals to deploy complex attacks.

The malware employs several advanced evasion techniques, including anti-debugging measures, sandbox detection, and process injection. Matanbuchus is often distributed via phishing campaigns, leveraging malicious documents or links to compromise targets. Once executed, it establishes persistence on the victim's system and facilitates the download and execution of additional malicious components, enhancing the attackers' ability to conduct further exploitation, data exfiltration, or lateral movement within the compromised network.

Figure: MITRE ATT&CK techniques observed for Matanbuchus

Figure: IOCs observed for Matanbuchus in June 2024

New ConnectWise SIEM signatures

Several new ConnectWise SIEM detection signatures were added in June 2024. These include:

  • [Palo] Potential Malicious DNS Query Sinkholed

Techniques detected: [T1568.002] Dynamic Resolution: Domain Generation Algorithms, [T1071.004] Application Layer Protocol: DNS

Description: This detection identifies instances where a Palo Alto firewall has identified and sinkholed a potentially malicious DNS query. Such events may indicate attempts to connect to malicious domains associated with various threats.

  • [Enhanced Alert][Windows] Powershell Executed via JavaScript File in Temp Directory

Techniques detected: [T1059.001] Command and Scripting Interpreter: PowerShell, [T1059.007] Command and Scripting Interpreter: JavaScript

Description: This alert identifies wscript.exe executing a JavaScript file that spawns PowerShell to retrieve and execute subsequent payloads, in this case Koi Loader, which in turn loads Koi Stealer. Koi Stealer is designed to steal sensitive user information. Reference: https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer

PowerShell script block logging must be enabled for this detection to work: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.4

  • [CRU][Windows] Rubber Ducky Device Detected

Techniques detected: [T1200] Hardware Additions

Description: This alert triggers when a USB device is plugged in with the default vendor ID (VID) for Rubber Ducky Devices.

  • [CRU][Windows] LOLBin Suspicious pcalua.exe Activity

Techniques detected: [T1202] Indirect Command Execution

Description: Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs. Threat actors can also use it to execute commands and bypass security restrictions by proxying commands through pcalua.exe.

  • [CRU][Cisco] WebVPN Plug-in Installation Command

Techniques detected: [T1133] External Remote Services

Description: Cisco ASA devices contain functionality that allows a WebVPN plug-in to be installed automatically on device reboot. WebVPN plug-ins are Java applets that can also be installed manually via the command line or the Adaptive Security Device Manager (ASDM).

Since WebVPN plug-ins are not frequently installed, any alert for a new plug-in installation should be confirmed as valid and approved.

  • [CRU][Windows] InternetShortcut Creation in Command Line

Techniques detected: [T1059.003] Command and Scripting Interpreter: Windows Command Shell

Description: To achieve persistence on a compromised device, a threat actor or malware may create an InternetShortcut file (.url) instead of directly downloading the remote resource. For example, placing such a file in the Windows Startup folder, a common location from which applications and scripts are launched automatically during system boot, ensures the malicious payload is executed persistently without requiring further interaction from the user.
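As an added example (not ConnectWise's own signature logic), the three Windows process-based detections above, the JavaScript-in-Temp-to-PowerShell chain, pcalua.exe proxy execution and InternetShortcut creation in a Startup folder, expressed as rules run over constructed Sysmon-style process-creation records. The field names, the sample events and the use of pcalua.exe's -a switch as the proxy-launch indicator are assumptions of this example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields used by the rules (assumed names)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rule_js_temp_powershell(ev: ProcEvent) -> bool:
    """PowerShell spawned by wscript.exe that was running a .js file from a Temp directory."""
    return (_base(ev.image) == "powershell.exe" and _base(ev.parent_image) == "wscript.exe"
            and re.search(r'\\temp\\[^"\s]*\.js\b', ev.parent_command_line, re.I) is not None)

def rule_pcalua_proxy(ev: ProcEvent) -> bool:
    """pcalua.exe launching another program via its -a switch (LOLBin proxy execution, assumed indicator)."""
    return (_base(ev.image) == "pcalua.exe"
            and re.search(r'(^|\s)-a\s+\S', ev.command_line, re.I) is not None)

def rule_url_shortcut_startup(ev: ProcEvent) -> bool:
    """Shell redirect writing an [InternetShortcut] block to a .url file in a Startup folder."""
    return ("[internetshortcut]" in ev.command_line.lower()
            and re.search(r'>\s*"?[^"]*\\startup\\[^"]*\.url', ev.command_line, re.I) is not None)

RULES = {"js_temp_powershell": rule_js_temp_powershell,
         "pcalua_proxy": rule_pcalua_proxy,
         "url_shortcut_startup": rule_url_shortcut_startup}

def detect(events):
    """Return (rule name, process image) for every event that matches a rule."""
    return [(name, _base(ev.image)) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry, not real events: the first three should fire, the last should not.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "<constructed second-stage command>"',
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'),
    ProcEvent(r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\alice\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c echo [InternetShortcut] > '
              r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Windows\explorer.exe"),
]
```

Calling detect(SAMPLE_EVENTS) yields one hit per rule for the first three records and nothing for the benign PowerShell launch from explorer.exe.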

New IDS signatures added in June 2024:

  • [ConnectWise CRU] Progress Telerik Report Server Authentication Bypass (CVE-2024-4358)
  • [ConnectWise CRU] Progress Telerik Report Server Deserialization (CVE-2024-1800)
  • [ConnectWise CRU] XWiki Remote Code Execution (CVE-2024-31984)
  • [ConnectWise CRU] Wordpress Unauthenticated Arbitrary SQL Execution (CVE-2024-27956)
  • [ConnectWise CRU] Zyxel NAS NsaRescueAngel Backdoor Account (CVE-2024-29972)
  • [ConnectWise CRU] Zyxel NAS Python Code Injection (CVE-2024-29973)
  • [ConnectWise CRU] Zyxel NAS Persistent Remote Code Execution (CVE-2024-29974)
  • [ConnectWise CRU] Zyxel NAS Local Privilege Escalation (CVE-2024-29975)
  • [ConnectWise CRU] Zyxel NAS Privilege Escalation and Information Disclosure (CVE-2024-29976)
  • [ConnectWise CRU] EXPLOIT PHP-CGI Argument Injection (CVE-2024-4577)
  • [ConnectWise CRU] Apache HugeGraph RCE (CVE-2024-27348)
  • [ConnectWise CRU] Oracle Weblogic IIOP Post-Deserialization (CVE-2023-21839)
  • [ConnectWise CRU] Oracle Weblogic IIOP Post-Deserialization (CVE-2023-21931)
  • [ConnectWise CRU] Fortra FileCatalyst Workflow Anonymous Logon
  • [ConnectWise CRU] Fortra FileCatalyst Workflow Unauthenticated SQLi (CVE-2024-5276)
  • [ConnectWise CRU] MALWARE 8=x InfoStealer Checkin M1
  • [ConnectWise CRU] MALWARE 8=x InfoStealer Checkin M2
  • [ConnectWise CRU] Windows Wi-Fi Driver Remote Code Execution (CVE-2024-30078)
  • [ConnectWise CRU] SecurEnvoy MFA Unauthenticated LDAP Injection (CVE-2024-37393)
  • [ConnectWise CRU] Veeam Recovery Orchestrator Authentication Bypass (CVE-2024-29855)
  • [ConnectWise CRU] MALWARE zzhbot CnC Activity
  • [ConnectWise CRU] INFO Out-of-Band Interaction Domain (ptt-responder .io)