Monthly Advisory

September 2024 Threat Advisory – Top 5

by Eleanor Barlow • Sep 2024

SecurityHQ’s monthly threat report, drawn from the advisories it issued in September 2024.

Iranian Threat Actor, Peach Sandstorm, Targets USA and UAE with Tickler Backdoor

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Backdoor

Advisory Type: Threats

Priority: Standard

Microsoft has identified an Iranian state-sponsored threat actor, Peach Sandstorm, deploying a multi-stage backdoor called “Tickler.” Peach Sandstorm is known for its intelligence-gathering efforts and has a history of cyber operations targeting multiple sectors. The new malware represents an evolution of their capabilities, signaling the group’s increasing sophistication and persistence.

Origin: Peach Sandstorm is believed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC). The group has been actively involved in cyber espionage operations, primarily to support the interests of the Iranian state by collecting intelligence on specific industries. This latest campaign continues to demonstrate the group’s objectives and methods.

Targeted Sectors and Regions: The campaign primarily focuses on the United States and the United Arab Emirates. Peach Sandstorm continues to target the education sector for infrastructure procurement, while sectors such as federal and state governments, defense, communications equipment, oil and gas, and satellite technology remain critical for intelligence gathering.

Attack Scenario:

  • Initial Access: Peach Sandstorm uses password spray attacks or social engineering on platforms like LinkedIn to target multiple accounts at once, minimizing detection and maximizing access.
  • Payload Delivery: After gaining access, Peach Sandstorm deploys the Tickler backdoor, often hidden in ZIP files containing malicious executables alongside harmless decoy PDFs to evade detection.
  • Execution: The malware uses DLL sideloading for persistence and connects to attacker-controlled C2 servers, frequently hosted on fake Azure subscriptions.
  • Post-Compromise Activity: After execution, Peach Sandstorm moves laterally using SMB exploits and tools like AnyDesk for remote monitoring and persistence.

Peach Sandstorm’s use of fake Azure subscriptions and advanced malware highlights their strategic intelligence-gathering approach, posing a major threat to various sectors.
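Password spraying is the initial-access technique this advisory attributes to Peach Sandstorm, and it has a distinctive shape in sign-in telemetry: one source failing once or twice against many accounts, rather than many attempts on one. The following detector is an added example written for this report, not SecurityHQ's or Microsoft's code; the sign-in records, IP addresses and thresholds are constructed assumptions.

```python
# Added example (not from the SecurityHQ advisory): detect the password-spray
# pattern the advisory names as Peach Sandstorm's initial access: one source
# failing once or twice against many accounts, rather than many tries on one.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed records (not real telemetry): "timestamp,source_ip,user,result"
    "2024-09-03T08:00:01,203.0.113.5,alice,FAIL",
    "2024-09-03T08:00:04,203.0.113.5,bob,FAIL",
    "2024-09-03T08:00:07,203.0.113.5,carol,FAIL",
    "2024-09-03T08:00:10,203.0.113.5,dave,FAIL",
    "2024-09-03T08:00:13,203.0.113.5,erin,FAIL",
    "2024-09-03T08:00:16,203.0.113.5,frank,SUCCESS",   # one low-and-slow guess lands
    "2024-09-03T08:05:00,203.0.113.9,bob,FAIL",        # classic brute force: one account,
    "2024-09-03T08:05:02,203.0.113.9,bob,FAIL",        # many tries (not spray-shaped)
    "2024-09-03T08:05:04,203.0.113.9,bob,FAIL",
    "2024-09-03T09:00:00,198.51.100.7,carol,FAIL",     # a user mistyping once
    "2024-09-03T09:00:30,198.51.100.7,carol,SUCCESS",
]

def parse_signin(line):
    ts, src, user, result = line.strip().split(",")
    return datetime.fromisoformat(ts), src, user, result

def detect_password_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: sorted accounts} for sources whose failures within any `window`
    touch >= min_users distinct accounts, each <= max_per_user times (thresholds assumed)."""
    failures = defaultdict(list)                 # source -> [(timestamp, user)]
    for line in lines:
        ts, src, user, result = parse_signin(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in sorted(failures.items()):
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window from each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts

def sprayed_then_succeeded(lines):
    """Accounts a flagged spray source later signed into: reset these first, confirm MFA."""
    sprayers = detect_password_spray(lines)
    return sorted({u for _ts, s, u, r in map(parse_signin, lines) if s in sprayers and r == "SUCCESS"})
```

The brute-force source is deliberately not flagged by this rule; a separate per-account lockout threshold covers that case, which is why the advisory pairs strong password policy with MFA.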

Indicators of Compromise (IOCs)


Recommendations

  1. Enforce strong password policies to prevent weak credentials from being exploited.
  2. Enforce Multi-Factor Authentication (MFA) to protect against unauthorized access via password spray attacks.
  3. Use advanced threat detection and network segmentation.
  4. Educate employees on social engineering risks, especially targeting through platforms like LinkedIn.
  5. Employ endpoint detection and response (EDR) solutions.

VMware Released Security Patches to Address Critical Severity Vulnerabilities Discovered in VMware vCenter Server and Cloud Foundation

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that VMware recently patched multiple vulnerabilities affecting the VMware vCenter Server and VMware Cloud Foundation.

Successful exploitation of these vulnerabilities could allow attackers to gain full control of the vCenter Server, and potentially of the entire vSphere environment, and to escalate their privileges within the vCenter Server environment.

Affected Products include VMware vCenter Server and VMware Cloud Foundation.

Notable CVEs:

  • CVE-2024-38812 [Critical] – A heap overflow vulnerability affecting VMware vCenter Server. This vulnerability could allow a remote attacker with network access to exploit the DCERPC protocol and compromise the vCenter Server.
  • CVE-2024-38813 [Critical] – A privilege escalation vulnerability affecting VMware vCenter Server and Cloud Foundation. This vulnerability could allow a malicious actor with network access to the vCenter Server to escalate their privileges to root by sending a specially crafted network packet.

SecurityHQ was not able to identify any evidence of these vulnerabilities being exploited in the wild, nor any association with a malware variant or threat actor.

Recommendation

It is recommended to update the affected products to the latest available and patchable versions.

Cicada3301 Ransomware Targeting Windows and Linux Systems

Threat Reference: Global

Risks: Ransomware

Advisory Type: Threats

Priority: Standard

SecurityHQ is aware of a newly identified Rust-based ransomware dubbed Cicada3301. Cicada3301 has gained attention for its sophisticated capabilities and resemblance to the now-defunct BlackCat (aka ALPHV) operation.

First emerging in June 2024, this ransomware operator group has already posted over 150 victims on their leak site, with victims spread across the United States, United Kingdom, and Europe. The ransomware appears to be distributed through opportunistic attacks, exploiting vulnerabilities as the initial access vector.

Cicada3301 primarily targets Windows Systems, Linux/ESXi Hosts, and VMware ESXi Servers.

Origin: Cicada3301 ransomware was first detected in June 2024, with its presence on the RAMP underground forum, where it advertised for potential affiliates to join its ransomware-as-a-service (RaaS) platform. The ransomware’s code and tactics show a strong resemblance to BlackCat, suggesting a possible connection through shared developers, rebranding, or code replication.

Attack Scenario:

  1. Initial Access: Cicada3301 gains access to the target system by exploiting vulnerabilities, often through opportunistic attacks aimed at small and medium-sized businesses (SMBs).
  2. Credential Use: The ransomware’s executable contains compromised user credentials, which are utilized to execute PsExec, a legitimate tool that allows remote program execution on the system.
  3. Encryption Deployment: Cicada3301 uses the ChaCha20 encryption algorithm to encrypt files on the target system, rendering the affected data inaccessible to the user.
  4. Service and File Manipulation: The ransomware employs fsutil to handle symbolic links, IISReset.exe to stop IIS services, and deletes shadow copies to disable the system’s recovery options.
  5. System Disruption: To maximize disruption, Cicada3301 adjusts the MaxMpxCt value to support higher traffic volumes, clears event logs using wevtutil, and halts locally deployed virtual machines (VMs) as well as various backup and recovery services.
  6. File Targeting: The ransomware specifically targets and encrypts files with 35 different extensions, including those related to documents, images, and databases, making them inaccessible.
  7. EDR Evasion: Cicada3301 leverages EDRSandBlast, a tool that exploits a vulnerable signed driver, to bypass endpoint detection and response (EDR) systems, evading detection and blocking efforts.
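The pre-encryption steps listed above (shadow-copy deletion, event-log clearing with wevtutil, IISReset, fsutil symlink changes, MaxMpxCt tuning) all surface as process-creation events, and several of them appearing together on one host in a short span is a stronger signal than any one alone. The rule set below is an added example for this report, not SecurityHQ's or any vendor's detection content; the exact command strings in the patterns and the sample events are constructed assumptions.

```python
# Added example (not from the advisory): match Windows process-creation events
# against the pre-encryption commands the advisory attributes to Cicada3301
# (shadow-copy deletion, wevtutil log clearing, IISReset, fsutil symlink changes,
# MaxMpxCt tuning). Exact command strings in RULES are assumptions, not from the advisory.
import re

RULES = {  # rule name -> case-insensitive pattern over the command line
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "iis_stop": re.compile(r"iisreset(\.exe)?\s+/stop", re.I),
    "symlink_eval_change": re.compile(r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation", re.I),
    "maxmpxct_tuning": re.compile(r"reg(\.exe)?\s+add\b.*\bMaxMpxCt\b", re.I),
}

# Constructed events (not real telemetry): "timestamp|host|image|commandline"
SAMPLE_EVENTS = [
    r"2024-09-10T02:14:05|FS01|C:\Windows\System32\wevtutil.exe|wevtutil cl Security",
    r"2024-09-10T02:14:07|FS01|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"2024-09-10T02:14:09|FS01|C:\Windows\System32\iisreset.exe|iisreset /stop",
    r"2024-09-10T02:14:10|FS01|C:\Windows\System32\reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f",
    r"2024-09-10T02:14:12|FS01|C:\Windows\System32\fsutil.exe|fsutil behavior set SymlinkEvaluation R2L:1 R2R:1",
    r"2024-09-10T09:30:00|WS07|C:\Windows\System32\wevtutil.exe|wevtutil qe Application /c:5",  # benign query
    r"2024-09-10T10:00:00|WS07|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",        # benign listing
]

def scan_process_events(lines):
    """Return {host: sorted rule names} for every host with at least one matching
    command line; benign uses of the same binaries (list, query) do not match."""
    hits = {}
    for line in lines:
        _ts, host, _image, cmdline = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}

def ransomware_staging_hosts(lines, min_rules=3):
    """Hosts showing >= min_rules distinct behaviours: one command alone can be admin
    work, several together in one run is the advisory's pre-encryption sequence."""
    return sorted(h for h, r in scan_process_events(lines).items() if len(r) >= min_rules)
```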

Recommendations

  1. Ensure all systems, particularly those running Windows and Linux/ESXi, are up to date with the latest security patches.
  2. Deploy robust endpoint detection and response (EDR) solutions capable of identifying and blocking suspicious activities, especially those involving legitimate tools like PsExec.
  3. Maintain regular, offline backups of critical data. Test restoration processes frequently to ensure data can be recovered in the event of an attack.
  4. Implement network segmentation to limit the lateral movement of ransomware within your environment.
  5. Conduct regular cybersecurity awareness training for employees, focusing on phishing prevention and the importance of reporting suspicious activities.
  6. Develop and regularly update an incident response plan that includes specific procedures for ransomware attacks.

Cisco Fixes Critical and High Vulnerabilities in Multiple Cisco Products

Threat Reference: Global

Risks: Privilege Escalation, Unauthorized Access, Arbitrary Code, CSRF

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed Cisco addressing two critical and two high-severity vulnerabilities affecting Cisco Smart Licensing Utility, the Cisco Meraki series, and other Cisco products.

Affected Products include Cisco Smart Licensing Utility, Cisco Meraki Series, Cisco IOS Software, Cisco Catalyst SD-WAN Controller, Cisco ASA, Cisco FDM, Cisco FMC, Cisco FTD, Cisco ISE, Cisco Nexus Series, and Cisco System Architecture Evolution (SAE) Gateway.

Notable CVEs:

  • [Critical] – CVE-2024-20439 – A vulnerability in Cisco Smart Licensing Utility allows an unauthenticated, remote attacker to log in with administrative privileges using an undocumented static credential.
  • [Critical] – CVE-2024-20440 – A vulnerability in Cisco Smart Licensing Utility allows an unauthenticated, remote attacker to access sensitive information due to overly verbose debug logs. By sending a crafted HTTP request, the attacker could obtain log files containing credentials for API access.
  • [High] – CVE-2024-20430 – A vulnerability in Cisco Meraki SM Agent for Windows allows a local attacker to execute arbitrary code with SYSTEM privileges by exploiting improper directory search path handling during startup.
  • [High] – CVE-2024-3596 – The RADIUS protocol (RFC 2865) is vulnerable to forgery attacks, allowing a local attacker to modify valid responses (Access-Accept, Access-Reject, or Access-Challenge) using a chosen-prefix collision attack on the MD5 Response Authenticator.

SecurityHQ has observed a publicly available exploit for the CVE-2024-3596 vulnerability but has not identified any exploits for the other vulnerabilities mentioned above. Additionally, SecurityHQ has not found any association with specific threat actors or malware variants.

Recommendation

It is recommended to update all the affected products to the latest available patch version.

Microsoft’s Sept 2024 Patch Tuesday Highlights 79 Flaws with 23 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its September 2024 Patch Tuesday with security updates for 79 flaws, 23 of which are remote code execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing.

Affected Products include Windows, Windows Server, Windows Kernel, Microsoft Office, Microsoft Outlook, Microsoft Dynamics, Microsoft SharePoint, SQL Server, Windows Kerberos, and Azure.

Notable CVEs:

  • [Critical] – CVE-2024-38216 – Azure Stack Hub Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-38220 – Azure Stack Hub Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-38194 – Azure Web Apps Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-43464 – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-38018 – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-38119 – Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability

Recommendation

It is recommended to update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.