Weekly News Summary – SOS Intelligence

09 – 15 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve been monitoring our extensive collection of new data to identify discussions about CVEs.

Notable Exploitation of New CVEs by Threat Actors:

  1. Cisco ASA SSL VPN Vulnerability (CVE-2024-40200): This RCE vulnerability is being exploited by Chinese and Russian state-sponsored APTs to gain unauthorized access to sensitive data sent over SSL VPNs. Targets include government agencies and critical infrastructure, particularly in APAC, making it a priority for patching.
  2. Citrix Gateway RCE Vulnerability (CVE-2024-40321): This flaw, exploited by APT29 (Cozy Bear), allows unauthenticated remote code execution. The group has used it to gain persistent access to corporate networks in attacks on multinational corporations and financial institutions, underscoring its rapid adoption by espionage actors.
  3. Sophos XG Firewall Vulnerability (CVE-2024-41107): Iranian threat actors have exploited this to bypass security checks and gain a foothold in networks across the MENA region, as part of broader espionage activities targeting government and defense organizations.
  4. Zimbra Collaboration Suite Vulnerability (CVE-2024-40998): APT28 (Fancy Bear) actively exploits this flaw to steal sensitive emails and credentials. Zimbra is widely used by universities and government agencies, making this CVE highly dangerous for academic and public institutions.

Key points:

  • Cisco ASA SSL VPN and Citrix Gateway: These vulnerabilities are widely exploited in cyber espionage campaigns, where state-sponsored actors use these flaws to attack critical infrastructure and government facilities.
  • Sophos XG Firewall and Zimbra Collaboration Suite: APT groups are actively exploiting these vulnerabilities, specifically targeting data theft and long-term persistence within sensitive networks, particularly in the Middle East and the academic sector.

Ransomware activity

Over the past week, we recorded 82 ransomware incidents, affecting victims in 23 countries and across 24 industries.

Ransomware Top 5’s

Advances in ransomware tactics:

  • Advanced EDR Evasion Techniques: Ransomware operators, particularly RansomHub, have deployed legitimate tools such as Kaspersky’s TDSSKiller to bypass endpoint detection and response (EDR) systems. This reflects the growing use of Bring Your Own Vulnerable Driver (BYOVD) strategies to disable security measures before ransomware is deployed.
  • Focus on virtualized infrastructure: Groups like Storm-0506 and Manatee Tempest have turned their attention to VMware ESXi hypervisors, where vulnerabilities such as CVE-2024-37085 allow them to quickly encrypt multiple virtual machines, increasing their attack surface by compromising critical server environments.
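As an added illustration of what a defender can do with the BYOVD point above (this is example code, not from SOS Intelligence or any vendor), the following Python scans constructed Sysmon-style process-creation (EventID 1) and driver-load (EventID 6) records for two tells: a known EDR-removal utility such as tdsskiller.exe being executed, especially from a user-writable path, and a kernel driver loading from a user-writable path. The log layout, paths, driver and vendor names are all constructed assumptions; a valid signature is deliberately not treated as exculpatory, because the drivers abused in BYOVD attacks are legitimately signed.

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like key=value layout; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\Public\\tdsskiller.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 Image=C:\\Tools\\TDSSKiller\\tdsskiller.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\drv\\vulnerable_driver.sys Signed=true Signature=Some Vendor",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe",
]

# Locations a normal driver install never uses; a driver loading from here is the classic BYOVD tell.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Legitimate anti-malware utilities that ransomware crews have repurposed to remove security services.
KNOWN_EDR_KILLERS = {"tdsskiller.exe"}


def parse_event(line: str) -> Dict[str, str]:
    # Split only where the next token is "key=", so values with spaces (e.g. Signature) survive.
    parts = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(p.split("=", 1) for p in parts)


def score_event(ev: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    if ev.get("EventID") == "1":
        image = ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_EDR_KILLERS:
            findings.append(f"edr-killer-tool: {name}")
            if USER_WRITABLE.match(image):
                findings.append("edr-killer-tool-from-user-writable-path")
    elif ev.get("EventID") == "6":
        driver = ev.get("ImageLoaded", "")
        if USER_WRITABLE.match(driver):
            # Signed=true does not clear it: BYOVD drivers carry valid vendor signatures by design.
            findings.append(f"driver-from-user-writable-path: {driver}")
    return findings


def scan(lines: List[str]) -> List[Dict]:
    hits = []
    for line in lines:
        ev = parse_event(line)
        findings = score_event(ev)
        if findings:
            hits.append({"event": ev, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["findings"])
```

The second sample (an administrator running the tool from a tools directory) is still reported, at lower severity, so that the first finding can be triaged against change records rather than silently dropped.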

Emerging Threat Actors:

  • Helldown: A recently emerged group, Helldown, made a splash by listing 17 victims on its leak site in a short period of time, indicating that it could quickly become a more prominent player. Its focus has been on exploiting unpatched vulnerabilities to target a wide range of victims.
  • Manatee Tempest: This relatively new group is gaining attention for its targeted exploitation of ESXi vulnerabilities, joining the ranks of emerging ransomware gangs that are prioritizing attacks against virtualization technologies.

Top ransomware incidents:

  • Storm-0506 (Black Basta) Attack on engineering firm: Storm-0506 carried out a high-profile attack on a North American engineering firm, abusing CVE-2023-28252 (a Windows CLFS vulnerability). The group leveraged advanced credential stealing tools such as Cobalt Strike and Pypykatz to compromise administrative accounts and encrypt virtual machines, leading to widespread operational disruption.
  • Meow Ransomware Group Resurrection: The Meow ransomware group has shifted its focus from Russian targets to US entities, marking an uptick in its activity. Using Conti’s leaked ransomware code, Meow has become increasingly active, demonstrating adaptability in its targeting strategy and operational methods.

News overview

Payment provider breach exposes credit card details

On September 10, 2024, payment provider Slim CD announced a significant data breach that affected 1.7 million users. The breach exposed sensitive credit card data, raising concerns about customers’ financial security. Slim CD immediately reported the breach, prompting investigations into how the attackers were able to bypass existing defenses. The company is urging affected customers to closely monitor their financial statements for suspicious activity and is working with cybersecurity experts to harden its systems.

Meta scrapes user data to train AI

On September 12, 2024, Meta (formerly Facebook) admitted to scraping user data, including images and messages, from Australian profiles to train its AI models. Worryingly, this data collection also included content from minors on adult profiles, raising privacy concerns. Australian regulators and privacy advocates have raised concerns about the scale of Meta’s data collection efforts and its lack of transparency. The incident has reignited debates over data privacy and the ethical use of personal information in AI training.

RansomHub: A New Threat in Ransomware

U.S. authorities have issued a joint advisory on the growing threat posed by RansomHub, a ransomware-as-a-service group that has gained prominence in 2024. The group, formerly known as Cyclops and Knight, has attacked more than 200 organizations since February 2024, targeting critical industries such as water, manufacturing and government services. Authorities are advising organizations to implement multi-factor authentication and improve phishing detection to defend against this rapidly evolving threat.

Zero-Day Vulnerabilities in Ivanti EPM

On September 11, 2024, researchers revealed that critical vulnerabilities in Ivanti Endpoint Manager (EPM) were being actively exploited in the wild. These zero-day flaws, rated CVSS 10, allow remote attackers to take full control of affected systems. Ivanti urged organizations to immediately apply patches to mitigate the risk of exploitation. The vulnerabilities have been exploited by both criminal groups and nation-state actors, targeting critical sectors such as healthcare, government, and energy.

AppleCare+ scam exposed

On September 13, 2024, a new scam emerged in which attackers used GitHub repositories to create fake AppleCare+ websites and trick users into providing personal and financial information. The scam involved impersonating legitimate Apple services and offering fraudulent technical support and extended warranties. Security experts warn that this technique, which takes advantage of trusted platforms like GitHub, represents an evolution in phishing tactics. Users are advised to verify the legitimacy of unsolicited AppleCare+ communications and avoid clicking on suspicious links.
