June Cyber Threat Download™

Pondurance
June 22, 2026

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


DFIR insights

Once an organization has an incident response plan in place, it's important for the key players involved in the plan to stay informed about what to do if a cyber event occurs. The digital forensics and incident response (DFIR) team shared two questions that it wants every client to consider:


  1. What is your remediation policy? This question surfaced in May as a client was attacked by a lone wolf threat actor who stole the organization's data. Stealing data isn't an uncommon action for a threat actor, but the way the threat actor did it was unusual. The threat actor logged in to the network through an exploit in the firewall and immediately had access to tools that a threat actor had introduced during a ransomware attack in 2023. In the recent attack, the threat actor used those old tools to reinfect the network, steal the same data, and gather the credentials, all without having to introduce any new tools to do it. Removing tools after an attack must be part of the remediation effort.

  2. Is your call sheet up to date? In two recent cases, the managed service provider (MSP) and/or managed detection and response provider attempted to contact individuals on the call list during an attack, and in both cases, the individuals didn't properly respond to prevent the attack. In fact, in one case, the MSPs didn't even realize they were on the call list, and client-specific individuals on the call list didn't respond for three days. The team provided details about the cases, illustrating why it's important for key players to know how the process works.


In addition, the team discussed an FBI public service announcement released in May that warns Americans about how threat actors are using a new phishing-as-a-service kit known as Kali365. The Linux tool allows threat actors to obtain Microsoft 365 access tokens and bypass multifactor authentication (MFA) protocols. To execute the attack, a threat actor sends a phishing email to a victim with instructions to visit a legitimate Microsoft verification page and enter the device code. When the victim enters the code, the threat actor can access Microsoft 365 services on his own device without needing a password or completing any additional MFA challenges. In the wild, threat actors are using Cloudflare to hide the final destination. The team recommends that clients stay vigilant about any new devices added to the Microsoft 365 environment.


Notable vulnerabilities

As many as 5,872 newly disclosed vulnerabilities were reported in April, and the vulnerability management team expects the number of vulnerabilities to steadily increase over the next 12 months. Of those 5,872 vulnerabilities, 37 had known exploitation, including vulnerabilities in products from Microsoft, Adobe, ScreenConnect, and Apache. Proof-of-concept code was published online for 24 of the vulnerabilities, increasing the likelihood that threat actors will exploit the affected products.


The team spotlighted an authentication bypass vulnerability in OpenPrinting CUPS, an open source printing system for Linux, affecting versions 2.4.16 and earlier. For the exploit, a threat actor crafts an improper page-border value that contains embedded newline characters. These newline characters survive the checks and parsing that occur as the page-border value is ingested by the system, and the second line is treated as a trusted scheduler control record. Then, the threat actor sends a follow-up print job that triggers execution of an existing system binary; the print service runs as the lp user, and the threat actor can send anonymous print jobs to shared printer queues. Next, a privilege elevation vulnerability allows the attacker to elevate from the compromised lp user to the root user. A successful exploit allows the threat actor to gain complete control over the system running the print service.
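The root of the bug class described above is a value that is written one-record-per-line into a control file and later re-read line by line, so an embedded newline turns one untrusted attribute into an extra, trusted-looking record. The following Python is an added example, not CUPS code and not Pondurance's tooling; the record format, the key names (`PageBorder`, `Owner`, `ExtraKey`) and the sample values are constructed for illustration. It shows the vulnerable serialize-then-parse round trip next to a hardened validator that rejects any control character before the value is stored.

```python
"""Model of newline injection into a line-oriented control file (added example).

Not CUPS code: the record format and keys are invented to show the bug class.
"""

# Any ASCII control character (including CR, LF, VT, FF) plus DEL. A value that
# can never contain one of these can never span more than one line.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {"\x7f"}


def serialize_naive(records):
    """Vulnerable pattern: write 'Key Value' lines without validating the value."""
    return "".join(f"{key} {value}\n" for key, value in records)


def parse_control(text):
    """Line-oriented reader: every non-empty line becomes one (key, value) record.

    This is the trusting side of the round trip; it cannot tell an injected
    line apart from a record the service wrote itself.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        records.append((key, value))
    return records


def validate_attribute(value):
    """Hardened check: reject control characters so a value stays on one line."""
    bad = sorted({c for c in value if c in CONTROL_CHARS})
    if bad:
        raise ValueError(f"control characters not allowed in attribute: {bad!r}")
    return value


def is_safe_attribute(value):
    """Boolean wrapper around validate_attribute for callers that do not want exceptions."""
    try:
        validate_attribute(value)
        return True
    except ValueError:
        return False


def serialize_safe(records):
    """Same writer as serialize_naive, but every value passes validate_attribute first."""
    return "".join(f"{key} {validate_attribute(value)}\n" for key, value in records)


def record_count_after_roundtrip(page_border_value, serializer=serialize_naive):
    """Write a two-record file with the given attribute value and count records on re-read.

    With the naive serializer, a value containing a newline yields a third record.
    """
    records = [("PageBorder", page_border_value), ("Owner", "alice")]
    return len(parse_control(serializer(records)))


if __name__ == "__main__":
    clean = "none"
    tainted = "none\nExtraKey value"  # constructed: second line would become a new record
    print("clean value   ->", record_count_after_roundtrip(clean), "records")
    print("tainted value ->", record_count_after_roundtrip(tainted), "records (naive writer)")
    print("tainted value accepted by hardened writer?", is_safe_attribute(tainted))
```

The defensive point is that the check belongs at ingestion, before the value is ever persisted; validating on the read side cannot help, because by then the injected line is indistinguishable from a genuine record.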


During Microsoft Patch Tuesday in April, as many as 164 reported vulnerabilities were addressed, with eight critical vulnerabilities and two zero-day exploits. The team recommends that organizations apply timely patches following the Microsoft Patch Tuesday announcements.


In May, 130 reported vulnerabilities were disclosed during Microsoft Patch Tuesday, including 30 critical vulnerabilities, many of which were remote code execution vulnerabilities for operating systems and applications that end users use in their everyday jobs. There were no zero-day vulnerabilities in May.


The team also discussed several strategies that allow clients to harden their networks and make it more difficult for threat actors to gain access and conduct malicious activity. These strategies include applying vendor updates or hotfixes, reducing external exposure, prioritizing authentication and access control failures, containing remote code execution risk, limiting path traversal and file upload impact, hardening user-facing applications and endpoints, protecting credentials and sensitive data, and monitoring for exploitation and post-compromise activity. 


Isolation actions

One of the most important actions the security operations center (SOC) team can take is to remediate malicious activity when it identifies that activity with high confidence. The team uses host isolation and account isolation actions to respond to detected malicious activity. These actions are fully customizable services offered by Pondurance based on a client's risk tolerance.


Host isolation occurs when the team cuts off all activity to the internet and other devices to prevent lateral movement or the spread of a cyber incident. The team's default approach to host isolation is conservative to minimize disruption to the environment while still effectively containing threats. The team tailors its response based on client preferences, as clients can define whether the team isolates immediately or contacts the client's team first and under what circumstances. To make the best decisions, the team asks that clients provide naming conventions and asset context so that analysts can act confidently and appropriately in any situation. The team discussed a few scenarios where clients would want to use host isolation including ransomware events, credential dumping, privilege escalation, and potentially unwanted applications.


With account isolation, the team terminates all open, active sessions for an impacted user and resets the user's password. The team's default approach to account isolation is more aggressive than with host isolation. Clients can designate specific accounts to contact before taking any action, and the team requests a safelist of accounts, such as C-suite or executive accounts, that it can handle with an alternative workflow to avoid disrupting VIP personnel. The team discussed scenarios that may be ideal for account isolation including insider threat, impossible travel, privilege escalation, email account compromise, credential theft indicators, and suspicious MFA activity.
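The two sections above describe a decision procedure: host isolation is conservative by default and depends on client-defined circumstances and asset context, while account isolation is aggressive by default except for safelisted VIP accounts that get an alternative workflow. The following Python is an added example of how such a policy can be expressed as data and evaluated per alert; it is not Pondurance's SOC tooling. The detection names, the confidence threshold, the `ClientPolicy` fields and the sample hosts and accounts are assumptions chosen for illustration.

```python
"""Evaluate host/account isolation decisions against a per-client policy (added example).

Not Pondurance's SOC code; detection names and policy fields are illustrative.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Detections the write-up lists as candidates for account isolation.
ACCOUNT_ISOLATION_TRIGGERS = {
    "insider_threat", "impossible_travel", "privilege_escalation",
    "email_account_compromise", "credential_theft", "suspicious_mfa",
}


@dataclass
class ClientPolicy:
    """Client-specific risk tolerance. Defaults model the write-up: conservative
    on hosts (only clear-cut detections isolate without a call), aggressive on
    accounts (reset unless safelisted)."""
    # Detections for which the client pre-authorizes immediate host isolation.
    auto_isolate_host: Set[str] = field(default_factory=lambda: {
        "ransomware", "credential_dumping", "privilege_escalation"})
    # Detections where the client wants a call before a host is cut off.
    contact_first_host: Set[str] = field(default_factory=lambda: {
        "potentially_unwanted_application"})
    # Asset context: hosts that are never isolated without a call (assumed names).
    critical_hosts: Set[str] = field(default_factory=set)
    # VIP/C-suite accounts handled through an alternative workflow.
    account_safelist: Set[str] = field(default_factory=set)


@dataclass
class Alert:
    detection: str
    host: Optional[str]
    account: Optional[str]
    confidence: float  # analyst/detector confidence in [0, 1]


def decide(alert: Alert, policy: ClientPolicy, threshold: float = 0.9) -> List[str]:
    """Return the ordered list of actions for an alert under the client's policy."""
    # Only high-confidence detections trigger automated containment.
    if alert.confidence < threshold:
        return ["escalate_for_review"]

    actions = []

    # Host isolation: conservative. Critical assets and client-flagged
    # detections get a call first; pre-authorized detections isolate now.
    if alert.host:
        if alert.host in policy.critical_hosts or alert.detection in policy.contact_first_host:
            actions.append(f"contact_client_before_host_isolation:{alert.host}")
        elif alert.detection in policy.auto_isolate_host:
            actions.append(f"isolate_host:{alert.host}")

    # Account isolation: aggressive. Terminate sessions and reset the password
    # unless the account is on the safelist, which routes to the alt workflow.
    if alert.account and alert.detection in ACCOUNT_ISOLATION_TRIGGERS:
        if alert.account in policy.account_safelist:
            actions.append(f"alternative_workflow:{alert.account}")
        else:
            actions.append(f"terminate_sessions_and_reset_password:{alert.account}")

    return actions or ["notify_client"]


if __name__ == "__main__":
    # Constructed client context: one domain controller and one executive account.
    policy = ClientPolicy(critical_hosts={"DC01"}, account_safelist={"ceo@example.com"})
    samples = [
        Alert("ransomware", "WS-042", "alice@example.com", 0.97),
        Alert("privilege_escalation", "DC01", "ceo@example.com", 0.95),
        Alert("impossible_travel", None, "bob@example.com", 0.92),
        Alert("ransomware", "WS-007", None, 0.55),
    ]
    for a in samples:
        print(a.detection, "->", decide(a, policy))
```

Keeping the policy as data rather than hard-coded branches is what makes the "tailored to client preferences" part workable: naming conventions and asset context from the client become entries in `critical_hosts` and `account_safelist`, and the analyst's decision is reproducible and auditable.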


Device code phishing

Increasingly, the detection engineering team sees threat actors using device code phishing to gain access to accounts. Device code phishing is an MFA attack that doesn't steal a user's password. With device code phishing, the threat actor uses his own device to request an OAuth (open authorization) device code login from Microsoft or Google. Microsoft or Google reply with a device code, expecting a legitimate user to log in and enter the code. Instead, once the victim enters the code, the threat actor is signed in on his own device and operates as the user, with the access the user authorized.


By default, the tenant allows device code sign-ins and the resulting added devices, and this behavior can't be turned off or blocked unless the client sets up a conditional access policy. The team strongly recommends that clients audit device code sign-ins in the environment before blocking them. Because many users don't know that this feature is enabled by default, the team plans to introduce new clients to this feature as part of the onboarding process.
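The recommendation above, in both the FBI advisory section and here, is to audit device code sign-ins and watch for new devices added to the Microsoft 365 environment. The following Python is an added example of that audit over exported sign-in and audit logs; it is not Pondurance's detection content. It assumes records shaped like the Microsoft Graph `signIn` resource (with `authenticationProtocol`, which can carry the value `deviceCode`) and `directoryAudit` resource (with `activityDisplayName` of `Register device`); the JSON lines themselves are constructed for the example, and the 24-hour correlation window is an arbitrary choice.

```python
"""Audit device code sign-ins and correlate them with new device registrations (added example).

Not Pondurance's tooling. Assumes Entra ID sign-in and audit exports as JSON
lines with Microsoft Graph field names; all sample records are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SIGNIN_LOG = "\n".join([
    json.dumps({"createdDateTime": "2026-05-03T09:12:00Z", "userPrincipalName": "alice@example.com",
                "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
                "status": {"errorCode": 0}}),
    json.dumps({"createdDateTime": "2026-05-03T09:15:00Z", "userPrincipalName": "bob@example.com",
                "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
                "status": {"errorCode": 0}}),
    json.dumps({"createdDateTime": "2026-05-03T10:40:00Z", "userPrincipalName": "carol@example.com",
                "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
                "status": {"errorCode": 50126}}),  # failed sign-in
])

# Constructed sample audit records: device registrations.
AUDIT_LOG = "\n".join([
    json.dumps({"activityDateTime": "2026-05-03T09:20:00Z", "activityDisplayName": "Register device",
                "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}}}),
    json.dumps({"activityDateTime": "2026-05-05T11:00:00Z", "activityDisplayName": "Register device",
                "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}}}),
])


def parse_jsonl(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins, successful_only=True):
    """Return sign-ins that used the device code flow (optionally only successful ones)."""
    out = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        out.append(rec)
    return out


def device_registrations_after(signin, audits, window=timedelta(hours=24)):
    """Device registrations by the same user within `window` after the sign-in."""
    upn = signin["userPrincipalName"]
    start = parse_ts(signin["createdDateTime"])
    hits = []
    for audit in audits:
        if audit.get("activityDisplayName") != "Register device":
            continue
        actor = audit.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        if actor != upn:
            continue
        when = parse_ts(audit["activityDateTime"])
        if start <= when <= start + window:
            hits.append(audit)
    return hits


def triage(signin_text, audit_text):
    """Produce one finding per successful device code sign-in, raised to high
    severity when a new device was registered by that user within the window."""
    signins = parse_jsonl(signin_text)
    audits = parse_jsonl(audit_text)
    findings = []
    for rec in device_code_signins(signins):
        regs = device_registrations_after(rec, audits)
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec.get("ipAddress"),
            "time": rec["createdDateTime"],
            "new_devices_24h": len(regs),
            "severity": "high" if regs else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SIGNIN_LOG, AUDIT_LOG):
        print(finding)
```

Running the audit before enabling a conditional access block, as the team recommends, shows which users and applications legitimately rely on the device code flow, so the block does not break them; the same logic run on a schedule afterwards catches sign-ins that slip through exclusions.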

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
