Monthly Advisory • 10 MIN READ

June 2024 Threat Advisory – Top 5

by Eleanor Barlow • Jun 2024

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of June 2024.

Energy, Software & Pharmaceutical Industries Targeted by Advanced Persistent Threat “LilacSquid”

Threat Reference: Global

Risks: Data Theft

Advisory Type: Threats

Priority: Standard

SecurityHQ is aware of a new data theft campaign attributed to an advanced persistent threat (APT) actor known as “LilacSquid.”

Affected Regions and Sectors

Active since before 2021, researchers believe that LilacSquid’s includes a diverse set of targets.

United States: Information technology organizations building software for research and industrial sectors.

Europe: Energy companies and related industries.

Asia: Pharmaceutical companies and related research institutions.

This variety indicates that the threat actor may be agnostic of industry verticals and is trying to steal data from a variety of sources.

This campaign leverages MeshAgent, an open-source remote management tool. Along with a customized version of QuasarRAT, which Talos have named “PurpleInk.” These tools serve as the primary implants following the successful compromise of vulnerable application servers exposed to the internet.

Threat Actor Origin

LilacSquid has been operational for several years, with confirmed intrusions across multiple regions and sectors. Their tactics and tools exhibit similarities to those used by North Korean APT groups such as Andariel and Lazarus, indicating potential overlaps in techniques and objectives.

Previous compromises of software manufacturers, like the 3CX and X_Trader believed to be carried out by Lazarus, demonstrate that gaining unauthorized long-term access to companies that create and distribute widely used enterprise and industrial software can enable significant supply chain attacks. This strategy can be particularly beneficial for threat actors like LilacSquid, allowing them to expand their range of targets.

Attack Scenario

  1. Initial Compromise: LilacSquid exploits a vulnerability in a web application server and deploys a script to install MeshAgent.
  2. Establishing Foothold: MeshAgent connects to the C2 server, sending reconnaissance data and executing SSF and PurpleInk.
  3. Maintaining Persistence: InkLoader is deployed to ensure malware can re-execute after reboots, with SSF maintaining a secure tunnel.
  4. Data Exfiltration: PurpleInk enumerates files and processes, collecting and transmitting sensitive data through the SSF tunnel to the C2 server.
  5. Lateral Movement: LilacSquid uses MeshAgent and PurpleInk to move laterally, repeating reconnaissance, data collection, and exfiltration on additional systems.

Impact

The operations of LilacSquid can result in substantial data breaches, financial losses, and severe reputational damage. Their proficiency in maintaining long-term access and employing advanced data exfiltration techniques renders them an exceptionally dangerous threat.

Indicators of compromise (IOCs) IP Addresses:

  • 67[.]213[.]221[.]6
  • 192[.]145[.]127[.]190
  • 45[.]9[.]251[.]14
  • 199[.]229[.]250[.]142

Recommendation

  • Regularly update and patch public-facing applications and systems.
  • Implement multi-factor authentication (MFA) for all remote access.
  • Use advanced threat detection and network segmentation.
  • Educate employees on phishing and deploy robust email and web security solutions.
  • Employ endpoint detection and response (EDR) solutions.

Adobe Released Security Updates to Patch Multiple Critical and High Severity Vulnerabilities across Adobe Products

Threat Reference: Global

Risks: Privilege Escalation, Arbitrary Code Execution

Advisory Type: Threats

Priority: Standard

Adobe has released security updates to fix multiple Critical and High severity vulnerabilities across multiple Adobe products. Successful exploitation of these vulnerabilities could lead to privilege escalation, arbitrary code execution, arbitrary file system read and security feature bypass.

Notable CVE’s:

  • [Critical] CVE-2024-30299: Improper Authentication
  • [Critical] CVE-2024-30300: Information Exposure
  • [Critical] CVE-2024-34111: Server-Side Request Forgery (SSRF)
  • [Critical] CVE-2024-34102: Improper Restriction of XML External Entity Reference
  • [Critical] CVE-2024-34103: Improper Authentication
  • [Critical] CVE-2024-34104: Improper Authorization
  • [Critical] CVE-2024-34108: Improper Input Validation
  • [Critical] CVE-2024-34109: Improper Input Validation (CWE-20)
  • [Critical] CVE-2024-34110: Unrestricted Upload of File with Dangerous Type
  • [Critical] CVE-2024-34115: Out-of-bounds Write
  • [Critical] CVE-2024-34116: Uncontrolled Search Path Element
  • [High] CVE-2024-20753: Out-of-bounds Read
  • [High] CVE-2024-26029: Improper Access Control
  • [High] CVE-2024-34112: Improper Access Control

Affected versions include Adobe Commerce 2.4.7 and earlier, Magento Open Source 2.4.7 and earlier, Adobe Commerce Webhooks Plugin 1.2.0 to 1.4.0, Adobe FrameMaker Publishing Server Version 2022.2 and earlier, Photoshop version 25.7 and earlier, Adobe Experience Manager (AEM), ColdFusion 2023 version 7 and earlier, ColdFusion 2021 version 13 and earlier, Adobe Substance 3D Stager version 2.1.4 and earlier, and Creative Cloud Desktop Application version 6.1.0.587 and earlier.

SecurityHQ were not able to identify any evidence of this vulnerability being exploited in the wild nor any association with malware variant or Threat Actors.

Recommendation

Update the affected products to their latest available and patchable versions.

Mozilla Released Security Patch to Inform Users About Vulnerabilities in its Products

Threat Reference: Global

Risks: Arbitrary Code Execution

Advisory Type: Threats

Priority: Standard

SecurityHQ has observed that Mozilla has recently fixed multiple high severity vulnerabilities affecting Firefox and Firefox ESR.

  • [High] CVE-2024-5702: Use-after-free in networking – Memory corruption in the networking stack could have led to a potentially exploitable crash.
  • [High] CVE-2024-5688: Use-after-free in JavaScript object transplant – If a garbage collection were triggered at the right time, a use-after-free could have occurred during object transplant.
  • [High] CVE-2024-5687: Incorrect triggering principal in new tabs – A specific sequence of actions could cause an incorrect triggering principal, leading to flawed security checks and misleading information sent to websites.

Successful exploitation of the vulnerability may allow an attacker arbitrary code execution.

Affected versions include Firefox ESR 115.12, and Firefox 127.

SecurityHQ were not able to identify any evidence of these vulnerabilities being exploited in the wild nor any association with malware variant or Threat Actors.

Recommendation

Update the affected products to their latest available and patchable versions.

Microsoft Release June 2024 Patch Tuesday for 49 Flaws, Including 18 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Information Disclosure and Denial of Service.

Advisory Type: Threats

Priority: Standard

Microsoft has released its Patch Tuesday for June 2024 with security updates for forty-nine flaws with 18 Remote Code Execution Vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Information Disclosure and Denial of Service.

Notable CVE’s:

  • [Critical] – CVE-2024-30080 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-37325 – Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35253 – Microsoft Azure File Sync Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35254 – Azure Monitor Agent Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35255 – Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35252 – Azure Storage Movement Client Library Denial of Service Vulnerability
  • [Important] – CVE-2024-35248 – Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35249 – Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability
  • [Important] – CVE-2024-35263 – Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
  • [Important] – CVE-2024-30101 – Microsoft Office Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30104 – Microsoft Office Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30103 – Microsoft Outlook Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30100 – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30102 – Microsoft Office Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30090 – Microsoft Streaming Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30089 – Microsoft Streaming Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30077 – Windows OLE Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30097 – Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30052 – Visual Studio Remote Code Execution Vulnerability
  • [Important] – CVE-2024-29060 – Visual Studio Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30085 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30076 – Windows Container Manager Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30096 – Windows Cryptographic Services Information Disclosure Vulnerability
  • [Important] – CVE-2024-30070 – DHCP Server Service Denial of Service Vulnerability
  • [Important] – CVE-2024-30063 – Windows Distributed File System (DFS) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30072 – Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30068 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30064 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30084 – Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35250 – Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30075 – Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30074 – Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30099 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30088 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-35265 – Windows Perception Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30069 – Windows Remote Access Connection Manager Information Disclosure Vulnerability
  • [Important] – CVE-2024-30095 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30094 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30062 – Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30083 – Windows Standards-Based Storage Management Service Denial of Service Vulnerability
  • [Important] – CVE-2024-30093 – Windows Storage Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30065 – Windows Themes Denial of Service Vulnerability
  • [Important] – CVE-2024-30078 – Windows Wi-Fi Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2024-30086 – Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30087 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30091 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30082 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30067 – Winlogon Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-30066 – Winlogon Elevation of Privilege Vulnerability

Affected Products include Windows, Windows Server, Windows Kernel, Visual Studio, Microsoft Office, Microsoft Dynamics, Microsoft Edge, Azure, and Win32k.

Recommendation

Update all the affected products to the latest available patch version.

Check Point Fixes Recently Exploited VPN Information Disclosure Zero-Day Vulnerability (CVE-2024-24919)

Threat Reference: Global

Risks: Information Disclosure

Advisory Type: Threats

Priority: Standard

Check Point has fixed a recently exploited VPN Information Disclosure Zero-Day vulnerability in Security Gateways with IPsec VPN, Remote Access VPN or the Mobile Access blade enabled (CVE-2024-24919). This vulnerability allows an attacker to read sensitive information on Internet-connected Gateways with remote access VPN or mobile access enabled.

Check Point has seen exploitation attempts starting from 30 April 2024 for this vulnerability. Affected Devices include Security Gateways of all versions with the IPsec VPN, Remote Access or Mobile Access software blades are vulnerable. If the user is only using IPsec VPN software blade for Site-to-Site purpose, then Security Gateway is not vulnerable.

Hotfixes are available and can be deployed for following versions:

  1.  Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  2. Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  3. Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

The SecurityHQ team has not observed any publicly available PoC exploit for this vulnerability as of today (30 May 2024).

Recommendation

  • Reset LDAP Account Password of the AD Account of the Security Gateway.
  • Auditing local accounts and remove local accounts that connect to Remote Access VPN with password-only authentication.
  • Configure complex/strong authentication method for Security Gateway.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.