Monthly Advisory • 10 MIN READ
July 2024 Threat Advisory – Top 5
by Eleanor Barlow • Jul 2024
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of July 2024.
Eldorado Ransomware Emerges: Double Threat to Windows & ESXi Environments
Threat Reference: Global
Risks: Ransomware
Advisory Type: Threats
Priority: Standard
SecurityHQ is aware of the emergence of a Ransomware-as-a-Service (RaaS) known as Eldorado, which is believed to have formed in March.
The gang behind Eldorado has already targeted sixteen companies, primarily in the U.S., spanning across sectors such as real estate, education, healthcare, and manufacturing.
It is a Go-based ransomware with separate variants for Windows and Linux systems. Group-IB’s research indicates that Eldorado is an original development, not based on previously published ransomware builder sources. Researchers at Group-IB have been closely monitoring Eldorado’s activities, noting its promotion on RAMP forums and its search for skilled affiliates. Advertisements for the affiliate program were first shared for Windows as well as Linux, with the purpose of enticing experienced partners to join the group. Affiliates of Eldorado are permitted to adapt and modify their attack techniques.
Affected Products include Microsoft Windows (all supported versions), VMware ESXi hypervisors (32-bit and 64-bit variants), and Linux systems.
IP Addresses: 173[.]44[.]141[.]152
Attack Scenario
Eldorado affiliates target victim organizations through a typical RaaS model. They gain initial access through various means (e.g., phishing, vulnerabilities) and deploy ransomware to encrypt critical data. The ransomware then extorts a ransom payment for decryption.
- Initial Access – Attackers gain access to a victim’s network through various methods such as phishing or exploiting vulnerabilities.
- Deployment – The Eldorado ransomware variant (Windows or ESXi) is deployed on the compromised system.
- Encryption – The ransomware encrypts files on the infected system and network shares using the ChaCha20 algorithm.
- Extortion – Ransom notes are dropped, demanding payment for decryption.
- Data Leak (Potential) – A data leak site might be used to publish stolen data if the ransom is not paid.
Recommendations
SecurityHQ advises heightened vigilance as Eldorado presents a significant threat to organizations with its ability to encrypt data on both Windows and VMware ESXi environments. The risk of data leaks amplifies the pressure on victims, highlighting the urgent need for robust cybersecurity measures.
- Implement Multi-Factor Authentication to significantly reduce the risk of successful login attempts using stolen credentials.
- Deploy Endpoint Detection and Response (EDR) solutions, which can help identify and respond to suspicious activity, potentially stopping ransomware deployment.
- Regular data backups stored securely offline are essential for recovery in case of a ransomware attack.
- Prioritize and apply security patches promptly to address vulnerabilities that attackers can exploit.
- Educate employees to identify phishing attempts and other social engineering tactics used to gain initial access.
- Conduct regular security assessments to identify and address potential weaknesses in your IT infrastructure.
- Paying ransom incentivizes further attacks and does not guarantee data recovery.
New OpenSSH Flaw (CVE-2024-6387) Grants Root Privileges on Linux Servers
Threat Reference: Global
Risks: Arbitrary Code Execution
Advisory Type: Updates/Patches
Priority: Standard
SecurityHQ has observed a newly discovered critical remote code execution vulnerability (CVE-2024-6387) affecting OpenSSH servers on glibc-based Linux systems.
Dubbed “regreSSHion,” this flaw allows unauthenticated attackers to potentially gain root privileges on vulnerable systems.
OpenSSH is a widely used suite of networking utilities based on the Secure Shell (SSH) protocol, essential for secure remote login, server management, and file transfers. The vulnerability was discovered by researchers at Qualys in May 2024. It stems from a signal handler race condition in sshd, the OpenSSH daemon.
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code with root privileges on vulnerable OpenSSH servers. A successful exploit could lead to a complete system takeover.
While the exploitability is considered difficult due to the need for multiple attempts to achieve memory corruption, attackers might leverage automated tools to increase the exploit success rate.
SecurityHQ was not able to identify any evidence of this vulnerability being actively exploited in the wild nor any association with malware variants or Threat Actors.
This vulnerability affects all glibc-based Linux systems running vulnerable versions of OpenSSH prior to version 9.8p1.
Recommendations
- Apply the latest update for the OpenSSH server (version 9.8p1), which addresses this vulnerability.
- Use network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
- If immediate updating is not feasible, set the ‘LoginGraceTime’ to zero in the sshd configuration file. However, be aware that this can expose the server to denial-of-service attacks.
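The following POSIX shell script is an added example (not part of the SecurityHQ advisory) that checks the two facts the recommendations above depend on: whether the installed OpenSSH is older than 9.8p1, and whether the effective sshd configuration carries the LoginGraceTime 0 workaround. It assumes the version banner is in the `OpenSSH_X.YpZ` form printed by `ssh -V` and that the configuration is the lowercase output of `sshd -T`.

```shell
#!/bin/sh
# Added example: CVE-2024-6387 (regreSSHion) exposure check for a single host.
# Assumptions: banner from `ssh -V 2>&1`, effective config from `sshd -T`.
# Caveat: distributions backport fixes without bumping the banner version, so a
# "vulnerable" verdict here must be confirmed against the vendor's package changelog.

# Returns 0 if the banner's OpenSSH version is older than 9.8p1, 1 if not,
# and 2 if the banner cannot be parsed.
openssh_below_9_8p1() {
    ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -gt 9 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    [ "$patch" -lt 1 ]
}

# Returns 0 if the effective config (as printed by `sshd -T`) sets LoginGraceTime to 0.
grace_time_disabled() {
    printf '%s\n' "$1" | awk 'tolower($1) == "logingracetime" { found = 1; if ($2 == "0") ok = 1 }
                              END { exit !(found && ok) }'
}

# Combines both checks; prints a verdict and returns 0 only when no action is needed.
assess() {
    banner=$1; cfg=$2
    if openssh_below_9_8p1 "$banner"; then
        if grace_time_disabled "$cfg"; then
            echo "vulnerable version; LoginGraceTime 0 workaround present (DoS exposure), patch to 9.8p1"
        else
            echo "vulnerable version; no workaround in place, patch to 9.8p1"
        fi
        return 1
    fi
    echo "OpenSSH at or above 9.8p1"
    return 0
}

# Usage on a live host (needs the sshd binary present):
#   assess "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null)"
```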
Microsoft Released July 2024 Patch Tuesday for 139 Flaws with 59 Remote Code Execution Vulnerabilities
Threat Reference: Global
Risks: Remote Code Execution, Privilege Escalation, Information Disclosure and Denial of Service.
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released its Patch Tuesday for July 2024, with security updates for 139 flaws with 59 Remote Code Execution Vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Privilege Escalation, Information Disclosure and Denial of Service.
Affected Products include Windows, Windows Server, Windows Kernel, Visual Studio, Microsoft Office, Microsoft Dynamics, Microsoft Edge, Win32k, and Azure.
Notable CVEs
[Critical] – CVE-2024-38060 – Windows Imaging Component Remote Code Execution Vulnerability
[Critical] – CVE-2024-38074 – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
[Critical] – CVE-2024-38076 – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
[Critical] – CVE-2024-38077 – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
For the full list of Important CVEs, go here.
Recommendation
Update all the affected products to the latest available patch version.
Fortinet Has Released Security Patches to Address Multiple High Severity Vulnerabilities
Threat Reference: Global
Risks: Remote Code Execution (RCE), Sensitive Information Disclosure, Insufficient Session Expiration, Cross-Site Request Forgery (CSRF)
Advisory Type: Updates/Patches
Priority: Standard
Fortinet has released security updates to fix multiple high severity vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could lead to remote code execution, sensitive information disclosure, insufficient session expiration, and Cross-Site Request Forgery (CSRF).
Affected Products
- FortiExtender 7.4.0 through 7.4.2
- FortiExtender 7.2.0 through 7.2.4
- FortiExtender 7.0.0 through 7.0.4
- FortiADC 6.0 to 7.4.0
- FortiAIOps 2.0
Notable CVEs
[High] – CVE-2024-23663 – An improper access control vulnerability [CWE-284] in FortiExtender authentication component may allow a remote authenticated attacker to create users with elevated privileges via a crafted HTTP request.
[High] – CVE-2023-50178 – An improper certificate validation vulnerability [CWE-295] in FortiADC may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and various remote servers such as private SDN connectors and FortiToken Cloud.
[High] – CVE-2024-27784 – Multiple Exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] may allow an authenticated attacker to retrieve sensitive information from the API endpoint or logs.
[High] – CVE-2024-27782 – Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests.
[High] – CVE-2024-27783 – Multiple cross-site request forgery (CSRF) vulnerabilities [CWE-352] in FortiAIOps may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via tricking the victim to execute malicious GET requests.
Recommendation
Update all the affected products to the latest available patch version.
Adobe Released Security Update to Fix Multiple Critical Severity Vulnerabilities in Adobe Products
Threat Reference: Global
Risks: Arbitrary Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Adobe has released a patch to fix multiple critical severity vulnerabilities in Adobe products. Successful exploitation of these vulnerabilities could lead to Arbitrary Code Execution.
Affected Products include Adobe Bridge, Adobe InDesign, and Adobe Premiere Pro.
SecurityHQ has not observed any publicly available exploit for the mentioned vulnerabilities, nor any exploitation by threat actors or malware variants.
Notable CVEs
[Critical] – CVE-2024-34139 – Adobe Bridge versions 14.0.4, 13.0.7, 14.1, and earlier have an Integer Overflow vulnerability, potentially leading to arbitrary code execution.
[Critical] – CVE-2024-20782 – Adobe InDesign Desktop versions ID19.3, ID18.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
[Critical] – (CVE-2024-20781, CVE-2024-20783, CVE-2024-20785) – Adobe InDesign Desktop versions ID19.3, ID18.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
[Critical] – CVE-2024-34123 – Adobe Premiere Pro versions 23.6.5, 24.4.1 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious file into the search path, which the application might execute instead of the legitimate file.
Recommendation
Update all the affected products to the latest available patch version.
Threat Intelligence for the Future
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.
For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.