May 10: Top Threat Actors, Malware, Vulnerabilities and Exploits

Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

May 10: Latest Vulnerabilities, Exploits and Patches

Here are the top vulnerabilities and exploitations observed in the second week of May.

CVE-2023-23397: APT28 Exploits Microsoft Outlook Flaw to Target Czech and German Entities

A long-term cyber espionage campaign orchestrated by the Russian nation-state actor APT28, also known as Fancy Bear or BlueDelta, has targeted entities in Czechia and Germany by exploiting a critical vulnerability in Microsoft Outlook (CVE-2023-23397) [1]. This vulnerability, now patched, allowed the attackers to escalate privileges and harvest Net-NTLMv2 hashes to authenticate via relay attacks. The Czech Republic's Ministry of Foreign Affairs reported that political entities, state institutions, and critical infrastructure were among the targets, emphasizing the threat to national security and democratic processes. In addition, Germany's federal government confirmed the attack on the Executive Committee of the Social Democratic Party, leading to the compromise of numerous email accounts. This campaign, which began in early 2023, also targeted various sectors including logistics, armaments, aerospace, IT services, and associations across Germany, Poland, Ukraine, and other European countries [2].

APT28, linked to Russia's GRU military intelligence agency, has a history of cyber activities aimed at undermining democratic institutions and processes worldwide. Recent actions include exploiting a Microsoft Windows Print Spooler flaw (CVE-2022-38028) to deploy custom malware named GooseEgg [3]. NATO and the EU have condemned these actions as threats to Allied security, reflecting Russia's ongoing irresponsible cyber behavior. The U.S. Department of State reiterated its commitment to defending its allies and upholding international order in cyberspace.

CVE-2024-3661: Exposing the TunnelVision Vulnerability that Bypasses VPN Encryption

A newly identified cybersecurity threat, termed "TunnelVision," enables attackers to reroute VPN traffic to bypass encrypted tunnels, thereby exposing unencrypted traffic without affecting the apparent security of the VPN connection [4]. Detailed in a report by Leviathan Security, the attack exploits the DHCP option 121, which can be abused to alter routing tables and direct VPN traffic through a malicious gateway instead of the intended secure tunnel. This vulnerability, identified as CVE-2024-3661, has existed since at least 2002 but was only recently brought to light, with no active exploitations reported so far [5].

The attack mechanism involves setting up a rogue DHCP server that configures clients’ systems to use it as a gateway, enabling traffic sniffing as data passes through this controlled gateway. Such vulnerabilities arise due to DHCP's inherent lack of authentication for incoming configurations, which can be manipulated to reroute traffic. The risk is especially pronounced on public networks like those in cafes or airports, where attackers can easily establish a presence. 

To mitigate these risks, researchers have suggested several measures for both users and VPN providers, including isolating network interfaces, configuring VPN clients to reject non-VPN traffic, and avoiding untrusted networks. Notably, Android devices are immune to this specific attack as they do not support DHCP option 121.

May 10: Top Threat Actors Observed In Wild

Here are the top threat actors that were active in the second week of May.

LockBit Ransomware Gang Claims the City of Wichita Breach

• Victim Location: United States

• Victim Sectors: Government

• Victim Organization: City of Wichita 

• Threat Actor: LockBit Ransomware Gang

• Actor Motivation: Financial Gain

• Attack Timeline: May 5, 2024

On May 5, 2024, Wichita, Kansas, the largest city (with a population of 400,000 people) in the state and a significant regional economic and cultural hub, faced a major cybersecurity crisis when the LockBit ransomware gang attacked its IT network, leading to widespread disruptions [6]. This cyberattack forced the shutdown of key city IT systems, including those handling online payments for utilities and fines, as well as affecting public transportation services. In a strategic move to mitigate the spread and impact of the ransomware, city IT specialists promptly took offline affected computer systems involved in service delivery.

The situation escalated on May 8, when the LockBit group publicly claimed responsibility for the attack and threatened to release stolen data by May 15 unless a ransom was paid. 

This threat followed shortly after international law enforcement actions targeted the ransomware group’s leader (Dmitry Khoroshev), suggesting that the quick publication of Wichita’s data might be retaliatory. Meanwhile, essential services in Wichita have been significantly hampered; various public facilities, including libraries and transit services, are restricted to non-digital payment methods or offline operations. The city continues to assess the scope of the data breach, and with the known tactics of LockBit involving prior data theft, there is an imminent risk of data exposure if the ransom remains unpaid.

LockBit Admin (a.k.a. LockBitSupp) Identified: 73% Reduction in LockBit Attacks in the UK Since Operation Cronos

The leader of the LockBit ransomware gang, Dmitry Yuryevich Khoroshev, also known as LockBitSupp, has been identified following a law enforcement takedown of the group's infrastructure in February. Khoroshev, a Russian national, now faces international sanctions including asset freezes and travel bans imposed by the UK, US, and Australia as part of Operation Cronos, led by the UK's National Crime Agency (NCA) [7]. 

The US has also unsealed an indictment against him and is offering up to $10 million for information leading to his arrest or conviction [8]. The NCA's Director General emphasized the significance of these sanctions and the ongoing efforts to target LockBit affiliates who have attacked numerous global institutions.

The NCA revealed that between June 2022 and February 2024, LockBit was responsible for over 7,000 attacks, impacting sectors such as healthcare and education across the US, UK, France, Germany, and China. Despite attempts to rebuild, the group's operations have been significantly hampered, with a 73% reduction in the average number of monthly attacks in the UK since February’s actions. The NCA and its partners have obtained over 2,500 decryption keys and are actively supporting LockBit’s victims, having already reached out to nearly 240 victims in the UK. The psychological impact of the law enforcement actions has further diminished LockBit's standing in the cybercriminal community, as noted by cybersecurity experts.

Storm-1849 APT Behind ArcaneDoor Attack Campaign on Cisco Devices

The cyber espionage campaign known as ArcaneDoor, targeting perimeter network devices from multiple vendors including Cisco, is believed to be the work of China-linked actors, specifically a sophisticated state-sponsored group tracked as UAT4356 or Storm-1849 [9]. 

Initiating around July 2023, the campaign's first confirmed attack occurred in early January 2024, utilizing custom malware tools named Line Runner and Line Dancer. The attackers exploited two previously patched vulnerabilities in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to maintain persistence. Analysis indicates a focus on Microsoft Exchange servers and network devices from various vendors, with several attacker-controlled IP addresses linked to Chinese networks, suggesting involvement by a Chinese actor. The campaign aligns with a broader trend of Chinese state-affiliated hackers targeting edge appliances using zero-day flaws to gain covert access and deploy persistent malware.

Medusa Ransomware Demands $3.5 Million from Chemring Group After Alleged Data Breach

• Victim Organization: Chemring Group

• Victim Location: United Kingdom

• Sectors: Defense

• Threat Actor: Medusa Ransomware Gang

• Actor Motivation: Financial Gain

The Medusa ransomware group has claimed responsibility for a cyberattack on the UK-based defense solutions provider Chemring Group, demanding a ransom of $3.5 million and threatening to release 186.78 GB of sensitive data if their demands are not met by May 16, 2024 [10]. The group has provided Chemring with various options, including extending the negotiation period for an additional $1 million or deleting/downloading the stolen data for the full ransom amount. 

Figure: Medusa Blog on Chemring Ransomware Attack [10]

While Chemring Group acknowledges an ongoing investigation into the alleged breach, they have not confirmed any major compromise of their IT systems and suggest the attack may involve a business previously associated with Chemring but no longer connected to their network. This incident follows Medusa's pattern of targeting various sectors and increasing their attacks since launching a dedicated data leak site in February 2023.

May 10: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the second week of May and newly disclosed information regarding attacks that happened in Q1 2024.

More Information on MITRE NERVE Breach: Chinese State-Sponsored Attackers Used ROOTROT Webshell 

The MITRE Corporation has provided new insights into a sophisticated cyberattack targeting its NERVE [11]. Initial signs of this intrusion trace back to December 31, 2023, with the attack surfacing publicly last month. The attackers exploited two Ivanti Connect Secure zero-day vulnerabilities, identified as CVE-2023–46805 and CVE-2024–21887, to gain access and maneuver within MITRE's network using a compromised administrator account on VMware infrastructure [12].

The attackers utilized a Perl-based web shell known as ROOTROT for initial access, which is linked to a China-nexus cyber espionage group dubbed UNC5221 [13]. This group is also associated with other malicious web shells like BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE [14]. Following the deployment of ROOTROT, the attackers profiled the NERVE environment, established control over the VMware infrastructure, and deployed additional malicious tools including a Golang backdoor named BRICKSTORM and a previously undocumented web shell called BEEFLUSH.

These tools facilitated persistent access, enabling the attackers to execute commands, manipulate SSH, run suspicious scripts, and communicate with command-and-control servers. Further complicating the intrusion, the threat actor deployed another web shell, WIREFIRE (also known as GIFTEDVISITOR), following the public disclosure of the vulnerabilities on January 11, 2024, to support covert communication and data exfiltration. The attackers attempted lateral movement within MITRE's systems and maintained persistence within the NERVE network until mid-March 2024, although attempts to move laterally into MITRE’s corporate systems were blocked.

DocGo Data Breach 2024: Hackers Access Patient Records as Cyber Threats to Healthcare Increase

• Victim Organization: DocGo

• Victim Location: United States, United Kingdom

• Sectors: Healthcare

• Actor Motivation: Financial Gain

DocGo, a provider of mobile medical and ambulance services in the US and UK, recently reported a cybersecurity breach affecting its US ambulance transportation operations [15]. The incident, detailed in an SEC filing [16], involved unauthorized access to a limited number of healthcare records, although the company indicated there were no material or financial losses as a result. Upon detecting the breach, DocGo quickly implemented containment measures, launched a comprehensive investigation with the help of third-party cybersecurity experts, and notified law enforcement.

Despite the breach, DocGo's operations have remained fully functional, and the company does not anticipate any significant impact on its financial health or operational results. As part of their response, DocGo has managed to secure the compromised systems and has found no evidence of ongoing unauthorized activity. They are currently notifying affected users as their investigation continues.

This breach is part of a larger trend of increasing cyber attacks on the healthcare sector, highlighted by a joint advisory (on February 27, 2024) from the FBI, CISA, and the Department of Health and Human Services about threats like the BlackCat ransomware gang, which has been particularly active in targeting healthcare systems. For instance, earlier this year, BlackCat was responsible for significant breaches at Change Healthcare (resulted in $22 million deposit in Bitcoin) and NextGen Healthcare, underscoring the critical vulnerabilities within the healthcare industry's cybersecurity defenses.

References

[1] 2024 newsroom May 04, “Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities,” The Hacker News, May 04, 2024. Available: https://thehackernews.com/2024/05/microsoft-outlook-flaw-exploited-by.html. [Accessed: May 09, 2024]

[2] S. Zurier and M. Britton, “Czechia, Germany targeted by long-term APT28 cyberespionage campaign,” SC Media, May 06, 2024. Available: https://www.scmagazine.com/brief/czechia-germany-targeted-by-long-term-apt28-cyberespionage-campaign. [Accessed: May 09, 2024]

[3] A. Owda, “APT28 Deploys ‘GooseEgg’ in Attacks Exploiting the Windows Print Spooler Vulnerability, CVE-2022-38028,” SOCRadar® Cyber Intelligence Inc., Apr. 24, 2024. Available: https://socradar.io/apt28-deploys-gooseegg-in-attacks-exploiting-the-windows-print-spooler-vulnerability-cve-2022-38028/. [Accessed: May 09, 2024]

[4] C. Martin, “CVE-2024-3661: TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak — Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory,” Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory, May 06, 2024. Available: https://www.leviathansecurity.com/blog/tunnelvision. [Accessed: May 09, 2024]

[5] B. Toulas, “New attack leaks VPN traffic using rogue DHCP servers,” BleepingComputer, May 07, 2024. Available: https://www.bleepingcomputer.com/news/security/new-tunnelvision-attack-leaks-vpn-traffic-using-rogue-dhcp-servers/. [Accessed: May 09, 2024]

[6] B. Toulas, “City of Wichita breach claimed by LockBit ransomware gang,” BleepingComputer, May 08, 2024. Available: https://www.bleepingcomputer.com/news/security/city-of-wichita-breach-claimed-by-lockbit-ransomware-gang/. [Accessed: May 09, 2024]

[7] Operation Cronos - what have we learnt?, (May 08, 2024). Available: https://www.youtube.com/watch?v=JWC3gqvgqy4. [Accessed: May 09, 2024]

[8] “US Charges LockBit Ransomware Mastermind, Offers $10M Reward.” Available: https://www.occrp.org/en/daily/18706-us-charges-lockbit-ransomware-mastermind-offers-10m-reward. [Accessed: May 09, 2024]

[9] 2024 newsroom May 06, “China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices,” The Hacker News, May 06, 2024. Available: https://thehackernews.com/2024/05/china-linked-hackers-suspected-in.html. [Accessed: May 09, 2024]

[10] J. Alan, “Medusa Ransomware Claims UK-based Defense Solutions Provider Chemring Group as Victim,” The Cyber Express, May 09, 2024. Available: https://thecyberexpress.com/medusa-ransomware-chemring-group-data-breach/. [Accessed: May 09, 2024]

[11] “Chinese Hackers Deployed Backdoor Quintet to Down MITRE,” May 07, 2024. Available: https://www.darkreading.com/cloud-security/chinese-hackers-deployed-backdoor-quintet-to-down-mitre. [Accessed: May 09, 2024]

[12] L. Crumpton, “Advanced Cyber Threats Impact Even the Most Prepared,” MITRE-Engenuity, Apr. 19, 2024. Available: https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8. [Accessed: May 09, 2024]

[13] 2024 newsroom May 07, “China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion,” The Hacker News, May 07, 2024. Available: https://thehackernews.com/2024/05/china-linked-hackers-used-rootrot.html. [Accessed: May 09, 2024]

[14] 2024 newsroom Feb 01, “Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities,” The Hacker News, Feb. 01, 2024. Available: https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html. [Accessed: May 09, 2024]

[15] S. Sharma, “DocGo says hackers stole patient data in a recent cyberattack,” CSO Online, May 08, 2024. Available: https://www.csoonline.com/article/2099328/docgo-says-hackers-stole-patient-data-in-a-recent-cyberattack.html. [Accessed: May 09, 2024]

[16] “Website.” Available: https://www.sec.gov/ix?doc=/Archives/edgar/data/1822359/000182235924000037/dcgo-20240507.htm