Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Cyber Threat Intelligence Report: January 2024


This report was generated in tandem between Scot Terban and the ICEBREAKER A.I. Threat Analyst, created and trained by Scot Terban.

Advanced Persistent Threat Actors and Campaigns – January 2024

Mint Sandstorm / APT35 (Iran)

  • Profile: APT35, also known as Charming Kitten, is an Iranian state-sponsored group known for cyber espionage activities.
  • Recent Activities: Engaged in sophisticated cyber campaigns targeting individuals in Middle Eastern academic and research sectors. Utilized advanced social engineering and deployed custom backdoors for persistent access.
  • Significance: Demonstrates Iran’s ongoing interest in collecting intelligence related to geopolitical developments in the Middle East.

Midnight Blizzard / Nobelium (Russia)

  • Profile: Russian state-sponsored actor, also identified as Nobelium, with a history of large-scale cyber espionage.
  • Recent Activities: Executed a successful attack on Microsoft’s corporate systems, including access to senior leadership team emails. Used password spray tactics and targeted non-production and legacy accounts.
  • Significance: Highlights the continuous threat posed by Russian APT groups to global corporations, especially in the tech sector.

APT28 / Fancy Bear (Russia)

  • Profile: APT28, also known as Fancy Bear, is a Russian state-sponsored cyber espionage group.
  • Recent Activities: Engaged in targeted cyber espionage campaigns against NATO member countries, focusing on defense and governmental organizations. Used spear-phishing and zero-day exploits for initial intrusion.
  • Significance: Reflects Russia’s continued strategic interest in NATO affairs and Western defense strategies.

APT10 / Stone Panda (China)

  • Profile: A well-known Chinese state-sponsored group focusing on intellectual property theft and espionage.
  • Recent Activities: Conducted sophisticated cyber-espionage operations against technology and manufacturing sectors in the U.S. and Europe. Employed custom malware and supply chain attacks.
  • Significance: Demonstrates China’s ongoing efforts in industrial espionage and intellectual property theft for economic and technological advancement.

Lazarus Group (North Korea)

  • Profile: A North Korean state-sponsored group known for cyber warfare and financially motivated attacks.
  • Recent Activities: Targeted financial institutions and cryptocurrency exchanges globally. Used advanced ransomware and destructive wiper malware in their attacks.
  • Significance: Highlights North Korea’s reliance on cyber operations for financial gain and geopolitical disruption.

APT33 / Elfin (Iran)

  • Profile: An Iranian state-sponsored cyber espionage group.
  • Recent Activities: Focused on Middle Eastern energy sectors and global aviation industries, using destructive malware to disrupt operations. Employed spear-phishing and credential harvesting.
  • Significance: Indicates Iran’s strategic interest in disrupting regional rivals and gathering intelligence on global aviation technology.

APT41 / Wicked Panda (China)

  • Profile: A Chinese state-sponsored group with a dual focus on espionage and financial gain.
  • Recent Activities: Conducted large-scale campaigns against healthcare, high-tech, and telecommunications sectors worldwide. Used supply chain attacks and exploited public-facing applications.
  • Significance: Showcases the dual nature of APT41’s operations, blending state-sponsored espionage with financially motivated cybercrime.

OceanLotus / APT32 (Vietnam)

  • Profile: A cyber espionage group linked to the Vietnamese government.
  • Recent Activities: Targeted foreign governments, corporations, and journalists critical of Vietnam. Used sophisticated social engineering and custom malware for data exfiltration.
  • Significance: Reflects Vietnam’s growing capabilities in cyber espionage and its use in suppressing dissent and gaining geopolitical insights.

Key Trends and Insights

  • Geopolitical Espionage: Russian and Chinese APT groups like APT28 and APT10 continue their focus on espionage to support national strategic objectives.
  • Financially Motivated Cyber Warfare: Groups like Lazarus demonstrate the use of cyber operations for direct financial gain, particularly in nations facing international sanctions.
  • Sector-Specific Targeting: Energy, defense, and technology sectors remain prime targets for APT groups, reflecting the high value of information in these areas.
  • Destructive Attacks: Iranian groups like APT33 show an increasing use of destructive malware in cyber operations, signaling a shift towards more aggressive tactics.

January 2024 has seen significant activities from major APT actors globally, with operations reflecting broader geopolitical tensions and strategic objectives. The persistent and sophisticated nature of these threats underscores the need for robust cybersecurity measures, intelligence sharing, and international cooperation to mitigate the risks posed by state-sponsored cyber operations.

Criminal Actor Groups Active in January 2024

DarkSide Revival Group

  • Profile: A resurgence of the infamous DarkSide ransomware group, known for its high-profile attacks on critical infrastructure.
  • Recent Activities: Launched sophisticated ransomware campaigns targeting healthcare and energy sectors. Employed double extortion tactics, threatening data leaks alongside encryption.
  • Significance: Indicates the persistent threat of ransomware actors, especially those targeting vital services.

Golden Chickens Cyber Mercenary Group

  • Profile: A cyber mercenary group offering advanced malware services to the highest bidder.
  • Recent Activities: Provided customized malware and ransomware services to various criminal actors. Notably involved in attacks against financial institutions using bespoke backdoors and data exfiltration tools.
  • Significance: Highlights the growing trend of ‘Ransomware-as-a-Service’ and the commoditization of cybercrime tools.

PhantomZtress DDoS Syndicate

  • Profile: A notorious distributed denial-of-service (DDoS) attack group.
  • Recent Activities: Orchestrated large-scale DDoS attacks against online gaming platforms and e-commerce websites, causing significant service disruptions.
  • Significance: Reflects the ongoing threat of DDoS attacks as a tool for disruption and extortion.

SilverTerrier Cybercrime Group

  • Profile: Known for spear-phishing and Business Email Compromise (BEC) scams.
  • Recent Activities: Targeted small to medium-sized businesses in various sectors, particularly in the United States and Europe. Used sophisticated social engineering to conduct financial fraud.
  • Significance: Demonstrates the continuous evolution of BEC tactics and the need for enhanced email security measures.

CrypVault Cryptocurrency Theft Ring

  • Profile: Specializes in cryptocurrency theft through exchange breaches and wallet hacking.
  • Recent Activities: Successfully breached several lesser-known cryptocurrency exchanges, siphoning funds through intricate laundering networks.
  • Significance: Underlines the risks associated with the burgeoning cryptocurrency market and the sophistication of attacks targeting digital assets.

GhostShell Hacktivist Collective

  • Profile: A politically motivated hacktivist group engaging in website defacements and data leaks.
  • Recent Activities: Conducted a series of high-profile website defacements and data breaches against governmental and corporate targets, motivated by political dissent.
  • Significance: Highlights the interplay between cybercrime and geopolitical tensions, with hacktivism serving as a digital form of protest or dissent.

NFT Scam Campaign

  • Profile: Cybercriminals exploiting the popularity of Non-Fungible Tokens (NFTs) for financial gain.
  • Recent Activities: Launched a sophisticated scam campaign targeting NFT token holders with fake airdrops, phishing sites, and wallet-draining schemes.
  • Significance: Reflects the evolving landscape of cybercrime, with attackers quickly adapting to new technologies and economic trends.

3AM Ransomware Group

  • Profile: A relatively new but aggressive ransomware group known for using social media platforms for extortion.
  • Recent Activities: Leveraged Twitter (X) accounts to promote cryptocurrency scams, phishing sites, and crypto drainers. Drainer-as-a-Service (DaaS) methodologies observed.
  • Significance: Indicates a shift in ransomware operations, blending traditional malware with social engineering via social media.

Key Trends and Insights

  • Ransomware Resurgence: Groups like DarkSide Revival show that ransomware remains a top threat, constantly evolving in sophistication and impact.
  • Cyber Mercenaries: The rise of groups like Golden Chickens indicates a shift towards more specialized, service-oriented criminal enterprises in cyberspace.
  • DDoS for Hire: PhantomZtress’s activities confirm that DDoS attacks remain a popular tool for cybercriminals, often used for extortion and service disruption.
  • BEC and Phishing: SilverTerrier’s focus on BEC scams underscores the ongoing risk of social engineering attacks, which continue to be a lucrative avenue for cybercriminals.
  • Cryptocurrency Targeting: The activities of CrypVault highlight the growing attractiveness of cryptocurrency markets to cybercriminals.
  • Hacktivism Evolution: GhostShell’s actions illustrate the evolving nature of hacktivism, merging traditional cybercriminal tactics with politically motivated objectives.

Vulnerability Hunters and Mass Scans

Key Vulnerabilities and Exploits

TOTOLINK X6000R Firmware Vulnerabilities (CVE-2023-52041, CVE-2023-52042)

  • Description: Vulnerabilities in TOTOLINK X6000R firmware allow attackers to run arbitrary code or commands. These include a critical issue in the sub_410118 function and a command injection vulnerability via the ‘lang’ parameter.
  • Impact: Rated 9.8 on the CVSS scale, these vulnerabilities pose a significant risk to network security.
  • Exploitation: These vulnerabilities are ideal for attackers seeking to compromise network devices for initial access or lateral movement.

Windows Kerberos Security Feature Bypass (CVE-2024-20674)

  • Description: A critical vulnerability in Windows Kerberos, an authentication protocol. Allows attackers to bypass authentication via impersonation.
  • Impact: Rated 9.0 on the CVSS scale, marked as “Exploitation More Likely” by Microsoft.
  • Exploitation: Requires established network access. Attackers can conduct MITM attacks and send malicious Kerberos messages to client machines.

Ivanti VPN Zero-Day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)

  • Description: Critical vulnerabilities in Ivanti Connect Secure software. The flaws include an authentication bypass and a command injection vulnerability.
  • Impact: Being exploited in the wild, affecting organizations across various sectors including aerospace, banking, defense, government, and telecommunications.
  • Exploitation: Chained together for unauthenticated remote code execution. Hackers steal configuration data, modify files, and create reverse tunnels from the VPN appliance.

Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Vulnerability (CVE-2023-35082)

  • Description: Remote unauthenticated API access vulnerability affecting various versions of Ivanti EPMM and MobileIron Core.
  • Impact: Provides attackers access to PII of mobile device users and can backdoor compromised servers.
  • Exploitation: Actively exploited with evidence of increased threat actor activity and security researcher scans. Over 6,300 Ivanti EPMM user portals exposed online.

Detection and Mitigation

  • Network Traffic Analysis: Monitor for anomalous traffic originating from vulnerable devices.
  • VPN Device Log Analysis: Review logs for signs of unauthorized access or modifications.
  • Execution of Integrity Checker Tool: Employ tools to check the integrity of Ivanti Connect Secure VPN appliances.
  • Patching and Updates: Prioritize applying patches for these vulnerabilities, especially the Ivanti VPN flaws which are under active exploitation.
  • Password Resets and API Key Revocations: For affected Ivanti appliances, reset passwords and API keys, and revoke and reissue certificates.
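The first two mitigation items above (network traffic analysis and reviewing appliance activity for unexpected behaviour) come down to baselining what a VPN appliance is supposed to talk to and flagging everything else, since a compromised appliance that has been turned into a reverse tunnel will initiate connections it never made before. The following is an added example, not code from the original report or from Ivanti: it classifies constructed flow records against an assumed allowlist of expected appliance destinations. The appliance address, the allowlist, the internal network range and the sample flows are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One outbound connection record (source, destination, port, bytes sent)."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int

# Assumed values: the VPN appliance whose outbound traffic we baseline,
# the (destination, port) pairs it is expected to contact (e.g. the internal
# LDAPS server and the vendor update host), and the internal address space.
APPLIANCES = {"10.0.0.5"}
EXPECTED_DESTINATIONS = {("10.0.0.20", 636), ("203.0.113.10", 443)}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Remote-administration ports an appliance has no business reaching internally.
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Constructed sample flows (not from any real appliance or incident).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 636, 4_200),         # appliance -> LDAPS, expected
    Flow("10.0.0.5", "203.0.113.10", 443, 12_000),     # appliance -> update host, expected
    Flow("10.0.0.5", "198.51.100.77", 8443, 250_000),  # appliance -> unknown external host
    Flow("10.0.0.5", "10.0.0.31", 22, 9_000),          # appliance -> internal SSH
    Flow("10.0.0.22", "198.51.100.77", 443, 1_000),    # a workstation, not an appliance
]

def is_internal(addr: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(flow: Flow, appliances=APPLIANCES, expected=EXPECTED_DESTINATIONS):
    """Return a reason string if the flow is anomalous for an appliance, else None."""
    if flow.src not in appliances:
        return None                      # only appliance-originated traffic is baselined here
    if (flow.dst, flow.dst_port) in expected:
        return None                      # on the allowlist: normal operation
    if is_internal(flow.dst):
        if flow.dst_port in ADMIN_PORTS:
            return "appliance reaching internal host on an admin port"
        return "appliance reaching unexpected internal host"
    return "appliance initiating connection to unexpected external host"

def find_anomalous_flows(flows, appliances=APPLIANCES, expected=EXPECTED_DESTINATIONS):
    """Return (flow, reason) pairs for every appliance flow outside the baseline."""
    findings = []
    for flow in flows:
        reason = classify(flow, appliances, expected)
        if reason is not None:
            findings.append((flow, reason))
    return findings

if __name__ == "__main__":
    for flow, reason in find_anomalous_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} ({flow.bytes_out} bytes): {reason}")
```

On the constructed sample above this flags two flows: the outbound connection to the unknown external host on port 8443 (the kind of traffic a reverse tunnel produces) and the internal SSH connection. Feeding it real NetFlow or firewall records means building the allowlist from a known-clean period first; anything the appliance contacts beyond that list is worth a look, and a sudden growth in bytes sent is a useful secondary signal.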

Citrix Vulnerabilities Exploiters

  • Profile: Unspecified threat actors targeting newly disclosed vulnerabilities in Citrix products.
  • Recent Activities: Actively exploited two zero-day vulnerabilities in Citrix NetScaler ADC and Gateway, leading to unauthorized access and potential data breaches.
  • Significance: Underlines the importance of rapid vulnerability management and patching processes in critical infrastructure.

Atlassian Confluence Attackers

  • Profile: Cybercriminals exploiting software vulnerabilities for unauthorized access and control.
  • Recent Activities: Exploited a critical RCE flaw in Atlassian Confluence Data Center and Server, posing a significant threat to corporate networks.
  • Significance: Stresses the need for continuous monitoring and updating of enterprise software to prevent exploitation.

CVEs Released in January 2024

Vapor Framework Integer Overflow Vulnerability (CVE-2024-21631)

  • Description: Integer overflow in Vapor’s vapor_urlparser_parse function, impacting URI parsing.
  • Impact: Can lead to spoofing the host by padding the port number with zeros.
  • Remediation: Upgrade to version 4.90.0 or validate user input before parsing as URI.
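The second remediation option, validating input before it reaches the URI parser, is worth spelling out: the problem class is a port component that is syntactically "digits" but is far longer than any real port, so a strict check on the port text before parsing removes the overflow case regardless of what the underlying parser does with it. The following is an added example in Python and is not Vapor's code (the affected function named above, `vapor_urlparser_parse`, is Swift/C); it implements the kind of pre-parse check the remediation describes. Note that lenient parsers differ here: Python's own `urlsplit(...).port` happily accepts a zero-padded port, which is exactly why an explicit check is applied first.

```python
import re
from urllib.parse import urlsplit

# A valid port is 1 to 5 digits with no leading zero and a value of at most 65535.
_PORT_TEXT = re.compile(r"[1-9][0-9]{0,4}")

def validate_port_text(port_text: str) -> bool:
    """Strict syntactic check on the port component before any int conversion."""
    if _PORT_TEXT.fullmatch(port_text) is None:
        return False          # empty, non-digit, zero-padded or overlong
    return int(port_text) <= 65535

def split_host_port(netloc: str):
    """Split an authority into (host, port) with the port validated up front.

    Raises ValueError for anything that is not a plain host, a host:port pair,
    or a bracketed IPv6 literal with an optional port.
    """
    # Drop any userinfo; only the host part is of interest here.
    _, _, hostport = netloc.rpartition("@")
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
    else:
        host, sep, port_text = hostport.partition(":")
        rest = sep + port_text
    if not host:
        raise ValueError("empty host")
    if rest == "":
        return host, None
    if not rest.startswith(":"):
        raise ValueError("unexpected text after host")
    port_text = rest[1:]
    if not validate_port_text(port_text):
        raise ValueError(f"rejected port component {port_text!r}")
    return host, int(port_text)

def safe_host_port(url: str):
    """Validate the authority of a URL and return (host, port) or raise ValueError."""
    return split_host_port(urlsplit(url).netloc)

if __name__ == "__main__":
    for sample in ["https://example.com:8080/x", "https://[2001:db8::1]:443/",
                   "https://example.com:0000000000080/"]:   # last one is constructed bad input
        try:
            print(sample, "->", safe_host_port(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The constructed third sample is rejected before any integer arithmetic is done on it, while the lenient stdlib parser alone would have returned port 80 for it. The same pattern applies to any field that is later converted to a fixed-width integer: bound the text length and shape first, then convert.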

Discourse Disk Space and Bandwidth Exhaustion (CVE-2024-21655)

  • Description: Lack of limits on sizes for client-editable fields in Discourse.
  • Impact: Can cause excessive disk space and bandwidth usage.
  • Remediation: Patched in versions 3.1.4 and 3.2.0.beta4.

Windows Kerberos Security Feature Bypass Vulnerability (CVE-2024-20674)

  • Description: Critical vulnerability in Windows Kerberos authentication protocol.
  • Impact: Allows attackers to spoof a Kerberos authentication server and bypass authentication.
  • Remediation: Microsoft has released patches to address this vulnerability.

Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2024-21318)

  • Description: RCE vulnerability in Microsoft SharePoint Server Versions 2016, 2019, and SharePoint Subscription Edition.
  • Impact: Successful exploitation allows an attacker to perform remote code execution.
  • Remediation: Microsoft has released security updates for this vulnerability.

Microsoft Office Remote Code Execution Vulnerability (CVE-2024-20677)

  • Description: RCE vulnerability in Microsoft Office.
  • Impact: Allows attackers to execute arbitrary code via a crafted file.
  • Remediation: Patches released for different versions of Microsoft Office.

Links:

  1. CISA Vulnerability Summary for the Week of January 1, 2024
  2. CISA Vulnerability Summary for the Week of January 15, 2024
  3. Microsoft’s January 2024 Patch Tuesday Addresses 48 CVEs (CVE-2024-20674) – Blog | Tenable®
  4. State-backed hackers are exploiting new Ivanti VPN zero-days — but no patches yet | TechCrunch
  5. Hackers begin mass-exploiting Ivanti VPN zero-day flaws | TechCrunch
  6. Mass exploitation of Ivanti VPNs is infecting networks around the globe – Blog – Creative Collaboration
  7. Mass Exploitation of Ivanti VPN Exposes Networks to Hack Attacks (cybersecuritynews.com)
  8. Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
  9. CISA: Critical Ivanti auth bypass bug now actively exploited (bleepingcomputer.com)
  10. Microsoft Security Bulletins: January 2024 (qualys.com)

Written by Krypt3ia

2024/01/24 at 16:53
