March 26, 2024

Cybersecurity Threats Affecting Businesses in March 2024


The global cyber threat level has continued to increase as a function of general global political unrest around the Middle East, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise, and so does their impact. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and the threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility by identifying potential risks to an organization.

Below are the top seven threats that emerged over the past month.

ConnectWise and F5 Software Flaws Exploited

A China-linked threat group has leveraged security flaws in ConnectWise ScreenConnect and F5 BIG-IP software. The group has exploited these flaws to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts. The group Uteus (aka Uetus or UNC5174) is described as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations,” as per reporting from Mandiant.

Microsoft announces deprecation of 1024-bit RSA keys in Windows

Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security. Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack.

1024-bit RSA keys have approximately 80 bits of security strength, while 2048-bit keys have approximately 112 bits, making the latter roughly four billion (2^32) times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030. RSA keys are used in Windows for several purposes, including server authentication, data encryption, and ensuring the integrity of communications. Microsoft’s decision to move the minimum requirement for RSA keys to 2048 bits or longer for certificates used in TLS server authentication is important to protect organizations from weak encryption.
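The practical follow-up to this announcement is an inventory: which of your TLS server certificates still carry RSA keys below 2048 bits? The following added example (written for this article, not Microsoft's tooling or any vendor code) reads an RSA public key in either PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo DER form (the latter is what "BEGIN PUBLIC KEY" PEM files and certificate public keys contain), extracts the modulus bit length with a small DER parser, and reports whether the key meets the new minimum. The 2048-bit threshold is the figure from the article; the allowlisted algorithm identifier is the standard rsaEncryption OID. The keys built at the bottom are constructed for demonstration: their moduli are arbitrary odd numbers, not real key pairs.

```python
import base64

MIN_RSA_BITS = 2048  # the new minimum for Windows TLS server certificates described above

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(length: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the octet count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus bit length of a DER RSAPublicKey (PKCS#1) or SubjectPublicKeyInfo (X.509)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, pos = _read_tlv(seq, 0)
    if tag == 0x30:                         # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        if first != RSA_ALG_ID[2:]:
            raise ValueError("not an rsaEncryption key")
        tag, bits, _ = _read_tlv(seq, pos)
        if tag != 0x03 or bits[0] != 0:     # first BIT STRING byte is the unused-bit count
            raise ValueError("malformed subjectPublicKey")
        return rsa_modulus_bits(bits[1:])   # the payload is a PKCS#1 RSAPublicKey
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()  # a leading 0x00 pad does not change this


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes) -> str:
    """Wrap DER in 'BEGIN PUBLIC KEY' armour (used here only to build test input)."""
    return "-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(der).decode() + "\n-----END PUBLIC KEY-----\n"


def check_key(der: bytes) -> dict:
    """Report the key size and whether it meets the 2048-bit minimum."""
    bits = rsa_modulus_bits(der)
    return {"bits": bits, "meets_minimum": bits >= MIN_RSA_BITS}


# --- constructed test keys: the moduli are arbitrary odd numbers, not real RSA key pairs ---
def encode_rsa_public_key(n: int, e: int) -> bytes:
    """DER-encode a PKCS#1 RSAPublicKey from modulus n and public exponent e."""
    def der_int(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:                   # keep the INTEGER positive
            raw = b"\x00" + raw
        return b"\x02" + _der_len(len(raw)) + raw
    body = der_int(n) + der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def encode_spki(rsa_public_key_der: bytes) -> bytes:
    """Wrap a PKCS#1 key in an X.509 SubjectPublicKeyInfo structure."""
    bit_string = b"\x03" + _der_len(len(rsa_public_key_der) + 1) + b"\x00" + rsa_public_key_der
    body = RSA_ALG_ID + bit_string
    return b"\x30" + _der_len(len(body)) + body


if __name__ == "__main__":
    for bits in (1024, 2048, 3072):
        key = encode_spki(encode_rsa_public_key((1 << (bits - 1)) | 1, 65537))
        print(bits, check_key(key))
```

To run it against a real certificate, export the public key with `openssl x509 -in cert.pem -pubkey -noout`, feed the result through `pem_to_der`, and pass the bytes to `check_key`; anything reporting `meets_minimum: False` will stop working for Windows TLS server authentication once the deprecation lands.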

Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers. Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

“A directory traversal within the ’ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ’uploadtemp’ directory with a specially crafted POST request,” the company said in an advisory last week.

“In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.”

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it’s recommended that users apply the necessary updates to mitigate potential threats.
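The root cause described in the advisory is a classic upload handler defect: a client-supplied file name is joined to the intended upload directory without normalisation, so a path containing `..` segments lands outside it, and if it lands somewhere the application server executes, the upload becomes code. The added example below (written for this article; it is not FileCatalyst code and does not reproduce the patched handler) shows the vulnerable join beside a hardened version that keeps only the final path component, allowlists extensions so server-executable types never reach disk, and confirms the resolved target is still under the upload root. The upload root name and the extension allowlist are assumptions for the demonstration.

```python
import os
from pathlib import Path

# Assumption: the document types this portal is meant to accept.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".csv", ".txt"}


def vulnerable_upload_path(upload_root: str, client_filename: str) -> str:
    """The defective pattern: the client name is joined as-is, so '..' segments walk out of the root."""
    return os.path.join(upload_root, client_filename)


def safe_upload_path(upload_root: str, client_filename: str) -> Path:
    """Return a path strictly inside upload_root or raise ValueError."""
    root = Path(upload_root).resolve()
    # 1. Keep only the final component (after unifying separators): no directory part survives.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid file name")
    # 2. Allowlist extensions: .jsp and friends are never written, whatever the path.
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not permitted")
    # 3. Belt and braces: resolve symlinks/relative parts and confirm containment.
    target = (root / name).resolve()
    if root != target and root not in target.parents:
        raise ValueError("path escapes upload directory")
    return target


def escapes_root(upload_root: str, candidate: str) -> bool:
    """True when candidate resolves outside upload_root (used to show what the vulnerable join allows)."""
    root = Path(upload_root).resolve()
    target = Path(candidate).resolve()
    return root != target and root not in target.parents


if __name__ == "__main__":
    # Constructed inputs: a benign name and a traversal attempt of the kind the advisory describes.
    for supplied in ("report.pdf", "../webapps/ROOT/page.jsp"):
        joined = vulnerable_upload_path("uploadtemp", supplied)
        print(f"{supplied!r}: vulnerable join escapes root = {escapes_root('uploadtemp', joined)}")
        try:
            print("  hardened ->", safe_upload_path("uploadtemp", supplied))
        except ValueError as err:
            print("  hardened -> rejected:", err)
```

Step 1 alone defeats traversal; steps 2 and 3 are there so that a future change (an alternative decoder, a new upload entry point) still cannot turn an upload into an executable page or a write outside the directory.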

MSIX Installer Use Increasing

In the ever-evolving threat landscape, a new malware delivery tool is rising to prominence as part of numerous campaigns: MSIX installers are seeing much more use of late. MSIX is a Windows app package installation format that IT teams and developers increasingly rely on to deliver standardized application packages at the enterprise level.

In each incident observed, SEO poisoning and malicious advertising were used to trick victims into downloading the malware while believing they were downloading legitimate software such as Teams or Zoom.

In one incident, the MSIX-PackageSupportFramework tool was used to create the files which, when opened, activate the “StartingScriptWrapper.ps1” component of the package, launching an embedded PowerShell script. This then uses injection to execute PowerTrash and Carbanak malware, which deliver the NetSupport Manager RAT. Metadata in these samples is associated with “Crosstec Corporation” rather than the expected “NetSupport Corporation.”

Another incident saw the use of Advanced Installer, a utility for building software packages, to create MSIX files. An important issue to note is that the legitimate installer stub, AiStub.exe, is recognized as legitimate but then executes the malicious payloads the package contains.

The potential to amplify the area of effect is also obvious. Picture a configuration repository in the IT department where a malicious MSIX file is placed, replacing the department’s actual file with a clone that differs only in that it contains a malicious payload. Any update or new machine setup performed using that file will automatically spread the malware to whichever machines receive the file.

This is in addition to the above stated method where users are tricked into downloading this malware while believing it is a package of useful work-related and productivity tools.

The bottom line is that, as always, the best defense is proper user training and software policies that ideally allow only a set suite of products on machines, with approvals required to add new software. One of the most dangerous attitudes an organization can have is to simply allow its users to download software from the internet with little oversight. This one simple change can negate much of the threat posed by these campaigns.
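A software policy of the kind recommended above needs a gate: before an MSIX package enters the department's repository or an endpoint allowlist, someone (or something) checks who published it and what it runs at launch. The added example below (written for this article; not Microsoft, Advanced Installer or Package Support Framework code) treats the package as what it is, a ZIP container, reads the `Identity` element of `AppxManifest.xml`, compares the publisher against an organisational allowlist, and flags the Package Support Framework `StartingScriptWrapper.ps1` and any other embedded scripts. The allowlist entries and the sample packages are constructed for the demonstration. Presence of `AppxSignature.p7x` is reported, but this script does not validate the signature; that remains a job for the platform's Authenticode verification.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Assumption: the organisation's allowlist of package publishers (constructed placeholder value).
APPROVED_PUBLISHERS = {
    "CN=Example Software Ltd, O=Example Software Ltd, C=GB",
}
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def inspect_msix(package_bytes: bytes) -> dict:
    """Static checks on an MSIX package before it is admitted to the software catalogue."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        names = pkg.namelist()
        manifest = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = manifest.find(APPX_NS + "Identity")
    name = identity.get("Name")
    publisher = identity.get("Publisher")
    findings = []
    if publisher not in APPROVED_PUBLISHERS:
        findings.append(f"publisher not on allowlist: {publisher}")
    # The Package Support Framework wrapper runs a PowerShell script when the app starts.
    psf_scripts = [n for n in names if n.endswith("StartingScriptWrapper.ps1")]
    if psf_scripts:
        findings.append("PSF StartingScriptWrapper.ps1 present: a PowerShell script runs at launch")
    other_scripts = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES) and n not in psf_scripts]
    if other_scripts:
        findings.append("embedded scripts: " + ", ".join(sorted(other_scripts)))
    if "AppxSignature.p7x" not in names:
        findings.append("package carries no signature file")
    return {"name": name, "publisher": publisher, "findings": findings, "approved": not findings}


def build_sample_msix(name: str, publisher: str, extra_files: dict) -> bytes:
    """Constructed, minimal MSIX-like archive for demonstration; not an installable package."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="{name}" Publisher="{publisher}" Version="1.0.0.0" />'
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        for path, content in extra_files.items():
            pkg.writestr(path, content)
    return buf.getvalue()


# Constructed samples: one from the allowlisted publisher, one that mimics a popular
# application name but comes from an unknown publisher and runs a script at launch.
CLEAN_PACKAGE = build_sample_msix(
    "ExampleCo.Notes", "CN=Example Software Ltd, O=Example Software Ltd, C=GB",
    {"AppxSignature.p7x": b"<signature blob>", "VFS/app.exe": b"MZ"})
SUSPECT_PACKAGE = build_sample_msix(
    "Zoom", "CN=Constructed Publisher Inc",
    {"AppxSignature.p7x": b"<signature blob>", "VFS/app.exe": b"MZ",
     "StartingScriptWrapper.ps1": b"# wrapper", "config.json": b"{}", "stage2.ps1": b"# payload"})

if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_PACKAGE), ("suspect", SUSPECT_PACKAGE)):
        print(label, inspect_msix(pkg))
```

The check runs offline in a pipeline or on a jump host; a package that fails it never reaches the repository, which closes the amplification scenario described above as well as the drive-by download one.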

TicTacToe Dropper

The FortiGuard team recently analyzed a group of malware droppers named ’TicTacToe,’ which were used to deliver various final-stage payloads throughout 2023. These droppers employ multiple stages of obfuscated payloads, which load reflectively into memory. Final-stage payloads include Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. The droppers are delivered via phishing emails as .iso file attachments to evade antivirus detection. The malware’s extraction process is complex, involving layers of DLL files and obfuscation. The analysis revealed a consistent pattern in the dropper’s behavior.

The first dropper sample, ’ALco.exe,’ extracts a .NET PE DLL file named ’Hadval.dll,’ obfuscated with DeepSea 4.1. The extracted DLL then decompresses a gzip blob, revealing another DLL file, ’cruiser.dll,’ protected by SmartAssembly. This DLL creates a copy of the executable in the temp folder and extracts the stage 4 payload, ’Farinell2.dll.’ Multiple variants with different final payloads were observed.

Another dropper variant, ’IxOQ.exe,’ shares similarities with the first variant but uses simple obfuscation for hexadecimal strings in resource objects. This dropper also extracts a 32-bit .NET PE DLL file named ’Discompard.dll,’ recognized as the ’Zusy Banking Trojan.’

A third dropper, dropping AgentTesla malware, follows a similar pattern, with stage 2 payload ’Pendulum.dll’ and stage 3 payload ’cruiser.dll.’ The final payload is identified as AgentTesla.

The dropper is not attributed to a single threat actor group but is likely sold as a service. Samples from early 2023 contain the string ’TicTacToe,’ while later campaigns use different unique strings, suggesting ongoing development to evade string-based analysis. Understanding the dropper’s operation can help organizations prevent the execution of various final-stage payloads.
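The consistent pattern described above (an executable carrying a compressed blob, which yields another .NET DLL, which yields another) is what a triage analyst looks for first, because the nesting itself is the signature even when the strings change. The added example below (written for this article; it is not FortiGuard's tooling and does not model any real sample) walks a file for embedded gzip headers, inflates each layer with a size cap so a decompression bomb cannot exhaust memory, records each stage, and stops when no further layer is found. The three-stage sample it unpacks is constructed: the "PE" images are stubs that begin with `MZ` and nothing else.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_OUTPUT = 16 * 1024 * 1024        # refuse to inflate more than 16 MiB per layer (bomb guard)


def find_gzip_blobs(data: bytes) -> list:
    """Offsets of every gzip header candidate inside data, wherever it is embedded."""
    offsets, pos = [], data.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(GZIP_MAGIC, pos + 1)
    return offsets


def inflate_at(data: bytes, offset: int):
    """Inflate the gzip member starting at offset; None if the bytes are not a valid gzip stream."""
    decoder = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip framing only
    try:
        return decoder.decompress(data[offset:], MAX_OUTPUT)
    except zlib.error:
        return None                                     # a chance 1f 8b, not a real member


def unpack_layers(data: bytes, max_depth: int = 8) -> list:
    """Record each nested stage (depth, size, PE-or-not) until no further gzip layer is found."""
    stages, depth, current = [], 0, data
    while depth < max_depth:
        stages.append({"depth": depth, "size": len(current), "is_pe": current[:2] == b"MZ"})
        inner = None
        for offset in find_gzip_blobs(current):
            inner = inflate_at(current, offset)
            if inner:
                break
        if not inner:
            break
        current, depth = inner, depth + 1
    return stages


def build_sample_dropper() -> bytes:
    """Constructed three-stage sample: PE stub -> gzip -> PE stub -> gzip -> final PE stub."""
    final_stage = b"MZ" + b"\x90" * 64 + b"<constructed final stage>"
    stage2 = b"MZ" + b"\x00" * 32 + gzip.compress(final_stage) + b"\x00" * 16
    stage1 = b"MZ" + b"\x00" * 32 + gzip.compress(stage2) + b"\x00" * 16
    return stage1


if __name__ == "__main__":
    for stage in unpack_layers(build_sample_dropper()):
        print(stage)
```

A sample whose layer count and stage sizes match across a campaign, despite different marker strings, is a strong hint that the same dropper-as-a-service is in use; the `is_pe` flag per layer tells the analyst which stages are worth detonating or disassembling. Real samples also wrap stages in resource objects and obfuscated hex strings, which this walker does not decode.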

Insidious Taurus (aka Volt Typhoon)

The threat posed by Insidious Taurus (also known as Volt Typhoon) has been recognized by U.S. and international governmental bodies as a cyber threat group originating from the People’s Republic of China (PRC). Marcum Technology is following up on our last report on the group from July 2023.

FBI Director Christopher Wray has characterized Insidious Taurus as “the defining threat of our generation,” emphasizing its significance. In response to this threat, the U.S. government, alongside international allies, has issued two Joint Cybersecurity Advisories (CSAs). These advisories shed light on Insidious Taurus’s tactics, such as utilizing small office/home office (SOHO) network devices to obfuscate their actions and employing pre-compromise reconnaissance techniques to gain access to victim environments.

The first CSA, released on May 24, 2023, highlights Insidious Taurus’s use of living-off-the-land techniques and network administration tools to conceal their activities. The second CSA, issued on Feb. 7, 2024, expands on these tactics, revealing their exploitation of vulnerabilities in public-facing network appliances and their focus on obtaining administrator credentials.

Efforts to disrupt Insidious Taurus’s operations have been made, including a court-authorized operation that dismantled a botnet comprising hundreds of U.S.-based SOHO devices infected with the KV-botnet, a tool used by Insidious Taurus and other threat actors. However, Insidious Taurus persists as a formidable threat, often targeting critical infrastructure.

To combat this threat, cybersecurity experts recommend proactive measures such as updating internet-facing devices, implementing multifactor authentication, and enhancing logging capabilities to detect suspicious activities. Detailed guidance on these measures can be found in the Joint CSAs, which will be continuously updated as new information emerges.

CHAVECLOAK

A new threat actor has been observed using a malicious PDF file to distribute a well-known banking trojan called “CHAVECLOAK”. This process includes the PDF downloading a ZIP file and using side-loading techniques to execute the malware. At this time, the CHAVECLOAK trojan is specifically designed to target users in Brazil, but experts believe there is a possibility that it was recently updated to target users in other countries, including the United States.

The PDF seems innocent enough, instructing users to click a button within the file to read and sign attached documents. However, embedded in the button is a malicious downloader link, which decodes to the download URL. Once the downloaded archive is decompressed, an MSI file is revealed and the more damaging portion of the attack chain begins.

This MSI file contains multiple other files, including TXT files in several languages and a malicious DLL named “Lightshot.dll.” This file is loaded by another file in the package, “Lightshot.exe.” This is the sideloading technique that allows the legitimate .exe file to run malicious code under the guise of a benign process.

This malware is then capable of stealing victim credentials by blocking the victim’s screen, logging keystrokes, and displaying deceptive pop-up windows. The malware also monitors access to specific financial portals, encompassing traditional banking institutions and even cryptocurrency platforms. After obtaining this data from the system, the malware communicates with a server and uploads the stolen information to specific folders depending on the context of the data.

CHAVECLOAK is an example of threat actors using multiple techniques to infiltrate systems and wreak havoc. From malicious PDFs to DLL sideloading and pop-ups, these actors are using everything at their disposal to obtain this sensitive information. At this time CHAVECLOAK has not been seen in the United States, but with associated files discovered written in English, it may only be a matter of time before threat actors set their sights on the USA.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.