January 2024: Key Threat Actors, Malware and Exploited Vulnerabilities

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Top Five Most Exploited Vulnerabilities in January

In January 2024, the cybersecurity realm saw a remarkable surge in threats, with a focus on exploiting vulnerabilities in technologies from leading vendors. This spike in cyber attacks highlighted the urgent necessity for robust security posture and swift responses to mitigate these vulnerabilities. 

Below is an in-depth analysis of the most critical vulnerabilities targeted during January.

CVE-2023-46805 and CVE-2024-21887: CISA Warns Against Ivanti Zero-Day Vulnerabilities

On January 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding two critical zero-day vulnerabilities discovered in Ivanti products: 

• CVE-2023-46805 and 
• CVE-2024-21887. 

Assigned CVSS scores of 8.2 (High) and 9.1 (Critical), these vulnerabilities underscore a significant risk to cybersecurity, marked by their capability for arbitrary command execution. This prompted an emergency directive for immediate mitigation within federal agencies, highlighting the urgent need for action [1]. 

Ivanti's Connect Secure and Policy Secure, widely utilized for securing remote connections and managing network access, are the affected products. Revealed in a security advisory by Ivanti on January 10, 2024, CVE-2023-46805 is an authentication bypass issue, while CVE-2024-21887 is a command injection flaw. Both vulnerabilities can be exploited together to execute remote code on the compromised systems. In addition, the discovery of over 17,000 exposed Connect Secure and Policy Secure gateways online underscores the urgency of addressing these vulnerabilities.

CVE-2023-46805 exploits involve a path traversal flaw in the web component of Ivanti products, specifically through an unauthenticated endpoint, allowing attackers to bypass authentication mechanisms. CVE-2024-21887, on the other hand, leverages a command injection vulnerability, enabling attackers to inject and execute malicious payloads. The combination of these vulnerabilities provides a potent vector for attackers to gain unauthorized access and control over affected Ivanti systems, emphasizing the critical need for organizations to implement suggested mitigations promptly.

To gain a deeper understanding of these two zero-day vulnerabilities, please check out our blog, which showcases example PoCs.

CVE-2023-22527: Critical Atlassian Confluence Remote Code Execution Vulnerability

On January 16, 2024, Atlassian disclosed a critical security flaw, CVE-2023-22527, impacting legacy versions of Confluence Data Center and Confluence Server. This vulnerability, rated at the maximum severity of 9.8 on the CVSS 3.1 scale, stems from an Object-Graph Navigation Language (OGNL) injection flaw. Such vulnerabilities arise in Java-based applications, including Atlassian Confluence, due to insufficient sanitization of user inputs before processing in OGNL expressions. This lapse enables attackers to remotely execute arbitrary code by injecting harmful OGNL expressions, posing a significant security threat [2].

Security researchers observed active exploitation attempts as of January 26, 2024, targeting vulnerable Confluence instances across multiple countries, including China, Singapore, Brazil, the United States, and several others [3]. This global scanning activity underscores the urgency for organizations to secure their instances against such attacks.

Further insights reveal that with a quick search for "services.modules.http.title: Confluence", it is possible to observe more than 4,000 internet-exposed Confluence instances. These instances have been predominantly detected in the United States, Germany, China, Russia, Japan, and the United Kingdom, significantly expanding the potential attack surface. 

The vulnerability exploits a template injection issue within certain Confluence versions, specifically through the text-inline.vm velocity template, by manipulating the 'label' parameter, allowing remote execution of arbitrary code without authentication. Exploitation techniques include overcoming a 200-character limit imposed on OGNL expressions, a restriction bypassed by attackers to execute system commands remotely. This method was documented and demonstrated by security researchers, highlighting the vulnerability's technical nuances and the critical need for mitigation.

Given the critical nature of CVE-2023-22527 and its active exploitation, it's paramount for organizations running outdated Confluence versions to urgently update to the latest, secure releases recommended by Atlassian.

To take a look at the publicly available proof of concept (PoC), check our blog.

CVE-2024-20253: Remote Code Execution (RCE) Vulnerability in Cisco Unified Communications Products

Cisco disclosed a critical vulnerability, CVE-2024-20253, on January 24, 2024, affecting several Cisco Unified Communications Manager and Contact Center Solutions products. Rated with a CVSS score of 9.9 for its critical severity, this remote code execution issue significantly endangers the security of affected systems by allowing unauthenticated, remote attackers to execute arbitrary code. This vulnerability arises from the improper handling of user-supplied data that, when manipulated through a specially crafted message sent to a listening port on an affected device, could allow the attacker to execute commands with web services user privileges. Such exploitation could lead to gaining root access, thereby compromising the entire system.

Contrary to the initial summary, Cisco's advisory does indeed acknowledge that while there are no direct workarounds to completely resolve the vulnerability, a mitigation strategy is recommended [2]. This involves implementing access control lists (ACLs) on intermediary devices to regulate access to the ports of deployed services, effectively narrowing the potential avenues for exploitation. This mitigation technique is aimed at reducing the attack surface by controlling network traffic to and from the vulnerable systems, although it is not a replacement for applying the necessary security updates. 

The affected Cisco products include various versions of the Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Express, Unity Connection, and the Virtualized Voice Browser. 

Cisco has released free software updates to address this vulnerability [2], and organizations are strongly advised to install these updates as soon as possible to mitigate the risk posed by CVE-2024-20253. Implementing the recommended mitigation measures can help protect systems until the updates are applied, but they should not be considered a long-term solution to the underlying security issue.

CVE-2023-34048: vCenter Server Vulnerability Exploited in the Wild

UNC3886, a sophisticated espionage group with links to China, has been exploiting a vulnerability in VMware's vCenter systems identified as CVE-2023-34048 since late 2021, well before it was publicly reported and subsequently patched in October 2023. This group is adept at exploiting zero-day vulnerabilities in technologies lacking Endpoint Detection and Response (EDR) tools.

The attack process employed by UNC3886 is detailed as follows [4]:

• The CVE-2023-34048 vulnerability was exploited to implant a backdoor into the vCenter System.
• The attacker then retrieved clear text credentials for ESXi hosts connected to the vCenter, listing all ESXi hosts and their respective guest VMs.
• Using these credentials, the attacker connected to ESXi hosts from the vCenter server.
• Two backdoors, VIRTUALPITA and VIRTUALPIE, were installed through malicious VIB installations on the ESXi hosts.
• This allowed the attacker to connect directly to the ESXi hosts or VMs via the backdoors.
• Another vulnerability, CVE-2023-20867, was exploited on the ESXi hosts for unauthenticated command execution and file transfers on guest VMs.
• The attacker carried out unauthenticated, privileged commands and transferred files to and from the guest VMs.

The evidence of these intrusions was partly found in the VMware service crash logs, where entries indicated the "vmdird" service crashing moments before the backdoors were deployed. The exploitation of CVE-2023-34048, an out-of-bounds write vCenter vulnerability, was associated with these crashes and allowed for unauthenticated remote command execution.

The core dumps from these crashes, which are typically preserved indefinitely in VMware's default configurations, were often missing, suggesting intentional deletion by the attackers to conceal their presence. To protect against this kind of exploitation, users are advised to upgrade to the latest supported version of vCenter.

CVE-2023-6548 and CVE-2023-6549: Citrix NetScaler Vulnerabilities Actively Exploited

On January 16, 2024, Citrix announced an advisory regarding two zero-day vulnerabilities identified as CVE-2023-6548 and CVE-2023-6549, found within its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances [5]. 

CVE-2023-6548, an authenticated remote code execution (RCE) vulnerability, poses a medium severity threat that allows attackers with low-level privileges to execute arbitrary code if they have access to the NetScaler IP (NSIP), Subnet IP (SNIP), or Cluster Management IP (CLIP) with access to the appliance's management interface. On the other hand, CVE-2023-6549, a high-severity denial of service (DoS) vulnerability, affects appliances configured as a Gateway or AAA virtual server, potentially allowing attackers to disrupt service operations.

These vulnerabilities are particularly concerning as they have been exploited in the wild, underscoring the urgency for affected organizations to apply the necessary patches. Following the disclosure of a critical flaw named "CitrixBleed" (CVE-2023-4966) in October, which was widely exploited, these new vulnerabilities mark the second and third zero-day vulnerabilities in Citrix NetScaler appliances disclosed in the last four months. 

Citrix has responded by releasing patches for the affected products and versions, advising customers to update their appliances to the fixed versions as soon as possible [6]. To mitigate the risk of exploitation, Citrix also strongly recommends isolating network traffic to the appliance’s management interface and ensuring that the management interface is not exposed to the internet, alongside upgrading appliances from the now End Of Life (EOL) version 12.1 to a supported version that addresses these vulnerabilities.

Top Three Most Active Malware in January

In January, the cybersecurity landscape has been particularly troubled by the sophistication of malware such as the Phemedrone Stealer, Androxgh0st, and the NSPX30 backdoor, all of which have demonstrated advanced techniques for evasion, data harvesting, and exploiting network vulnerabilities. These threats underline the critical need for up-to-date defenses against sophisticated malware campaigns that can bypass standard security protocols and compromise sensitive information.

CVE-2023-36025: Phemedrone Malware Campaign Targets Microsoft Defender SmartScreen Vulnerability

The Phemedrone Stealer campaign has been leveraging CVE-2023-36025, a vulnerability that allows bypassing Windows Defender SmartScreen, to conduct defense evasion and payload delivery since its discovery [7]. This vulnerability enables attackers to execute malicious scripts without triggering SmartScreen's warning mechanisms, a critical security feature in Windows environments designed to block unrecognized applications and files that may be harmful.

The exploitation process of CVE-2023-36025 by the Phemedrone Stealer is outlined as follows:

• Attackers craft malicious .url files that exploit CVE-2023-36025 to bypass SmartScreen protections.
• These .url files, hosted on cloud services, are designed to entice users into downloading and executing them.
• Upon execution, the .url file downloads a .cpl file from an attacker-controlled server, avoiding detection by SmartScreen.
• The .cpl file executes a DLL, which then uses PowerShell to download and execute the next stage of the malware from GitHub.
• Phemedrone Stealer harvests sensitive information from the compromised system, including data from web browsers, cryptocurrency wallets, and various messaging applications.
• The stolen data is prepared for exfiltration and sent to the attackers through Telegram, utilizing validated API tokens for secure communication.

The discovery of CVE-2023-36025's exploitation highlights the sophistication of the Phemedrone Stealer campaign and its ability to bypass advanced security measures like Windows Defender SmartScreen. Microsoft issued a patch for CVE-2023-36025 in November 2023, and the vulnerability was subsequently added to the Known Exploited Vulnerabilities (KEV) list by CISA, emphasizing the importance of timely updates and patches in defending against such threats. Users and organizations are advised to ensure their systems are updated to mitigate the risk posed by CVE-2023-36025 and similar vulnerabilities.

Androxgh0st Malware Is Targeting Cloud Services

The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to the threat posed by Androxgh0st malware on January 16, 2024 [8]. This malware specifically targets .env files, which are often used to store sensitive configuration data for cloud services such as AWS, Office 365, SendGrid, and Twilio. Androxgh0st exploits critical vulnerabilities to further compromise web applications and establish botnets.

Key exploits utilized by Androxgh0st include the PHPUnit CVE-2017-9841, allowing arbitrary command execution through malicious HTTP POST requests, the Laravel CVE-2018-15133, which enables remote code execution by abusing XSRF token values, and the Apache CVE-2021-41773, a path traversal vulnerability used to access credentials and execute code remotely.

The malware is known for extracting sensitive information from Laravel .env files, deploying webshells, and exploiting exposed credentials and APIs. To protect against these threats, organizations are urged to patch the identified vulnerabilities in PHPUnit, Laravel, and Apache. Additionally, it is recommended to secure .env files, ensure Laravel applications are not in debug mode, remove sensitive information from .env files, and revoke any exposed credentials.

To learn more about PoC exploits, visit our blog here.

Sophisticated NSPX30 Backdoor Being Used by BlackWood APT Group

The Blackwood APT, a Chinese-aligned cyberespionage group, has been utilizing sophisticated malware known as NSPX30 to target entities within China, Japan, and the United Kingdom [9]. Blackwood's method of attack is particularly insidious as it involves hijacking the update mechanisms of legitimate software. This adversary-in-the-middle approach allows the group to substitute authentic software updates with malicious payloads. NSPX30 is not just a singular piece of malware but a multistage implant that encompasses a dropper, installer, loaders, orchestrator, and a backdoor, each playing a role in the infection chain and ensuring persistence on the compromised systems.

The malware's capabilities are extensive, including traditional spying functions like keylogging and screenshot capture, as well as advanced functionalities such as whitelisting itself in anti-malware solutions prevalent in China. The infection process typically starts with the malware masquerading as an update from a legitimate server. For example, an update request by Tencent QQ software is intercepted, leading to the downloading of "Tencentdl.exe," which in turn writes the "minibrowser_shell.dll" dropper to disk. This dropper then loads additional malicious components that facilitate further exploitation and data exfiltration.

Despite the malware's complexity and the stealth with which it operates, the initial delivery mechanism of NSPX30 by Blackwood APT remains elusive. ESET researchers speculate that the group might employ network implants on vulnerable network appliances, like routers, to breach target networks initially. This technique bears resemblance to other China-aligned threat actors and suggests a high level of sophistication in Blackwood's operational tactics. As the malware can use legitimate network infrastructure, such as Baidu's, to download components or exfiltrate data, it cleverly camouflages its malicious traffic, thereby complicating efforts to track and mitigate its activities.

References

[1] H. C. Yuceel, “Ivanti CVE-2023-46805 and CVE-2024-21887 Zero-Day Vulnerabilities Actively Exploited,” Jan. 20, 2024. Available: https://www.picussecurity.com/resource/blog/ivanti-cve-2023-46805-and-cve-2024-21887-zero-day-vulnerabilities. [Accessed: Feb. 02, 2024]

[2] H. C. Yuceel, “CVE-2024-20253: Cisco Unified Comms Remote Code Execution Vulnerability,” Jan. 26, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-20253-cisco-unified-comms-remote-code-execution-vulnerability. [Accessed: Feb. 02, 2024]

[3] “Active Exploitation of Atlassian Confluence RCE Vulnerability (CVE-2023-22527),” Cyble, Jan. 30, 2024. Available: https://cyble.com/blog/exploitation-of-atlassian-confluence-rce-vulnerability-cve-2023-22527/. [Accessed: Feb. 02, 2024]

[4] “Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021,” Mandiant, Oct. 03, 2021. Available: https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021. [Accessed: Feb. 02, 2024]

[5] “CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway,” Tenable®, Jan. 16, 2024. Available: https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited. [Accessed: Feb. 02, 2024]

[6] “NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549.” Available: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549. [Accessed: Feb. 02, 2024]

[7] “CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign,” Trend Micro, Jan. 12, 2024. Available: https://www.trendmicro.com/en_ae/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html. [Accessed: Feb. 02, 2024]

[8] “Known Indicators of Compromise Associated with Androxgh0st Malware.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

[9] Help Net Security, “Blackwood APT delivers malware by hijacking legitimate software update requests,” Help Net Security, Jan. 25, 2024. Available: https://www.helpnetsecurity.com/2024/01/25/blackwood-apt-nspx30/. [Accessed: Feb. 02, 2024]