Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In May, the team discussed threat intelligence, vulnerabilities and trends, threat hunting, and the product road map.

Threat Intelligence

The Senior Digital Forensics and Incident Response (DFIR) Consultant discussed trends from the first quarter that have continued through April, including ransomware, business email compromise (BEC), lone wolf extortion attacks, and the aftermath of the ConnectWise ScreenConnect vulnerability. 

Ransomware threats have not slowed down, and most ransomware cases the team works on stem from virtual private network (VPN) vulnerabilities. Any VPN can potentially be compromised, so organizations must ensure that controls such as multifactor authentication (MFA) are in place. The team also sees targeted data exfiltration in nearly every ransomware case. In addition, threat actors are using remote monitoring and management (RMM) software and other legitimate tools such as AnyDesk, TeamViewer, and ConnectWise ScreenConnect for persistence. The Senior DFIR Consultant suggested that this trend is largely due to the success that next-generation endpoint detection and response (EDR) solutions have had in catching malware.

BEC attacks have changed, primarily due to MFA. Now, the team sees more attacker-in-the-middle phishing, where threat actors insert themselves into email conversations between two users, intercepting all emails and adding malicious links and information. The team also sees BECs becoming part of a larger phishing campaign, using all mailbox users as access brokers to gain access to data and even selling access to those accounts. Dwell time for BECs is less than 24 hours, so the team suggests keeping a close eye on inbox rule creation, sign-ins, and possible travel.
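The two BEC indicators named above (inbox rule creation and sign-ins that imply travel) can be checked with a small hunt over mailbox audit data. This is an added example, not code from the webinar or from Pondurance; the event records are constructed in a simplified shape modelled on Microsoft 365 audit operations (`New-InboxRule`, `UserLoggedIn`), and the four-hour travel window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumption: simplified M365-style audit records, not real log output).
EVENTS = [
    {"ts": "2024-05-06T08:02:00", "user": "jdoe", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-05-06T09:15:00", "user": "jdoe", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2024-05-06T09:20:00", "user": "jdoe", "op": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"ts": "2024-05-06T10:00:00", "user": "asmith", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-05-06T10:05:00", "user": "asmith", "op": "New-InboxRule",
     "params": {"Name": "Receipts", "MoveToFolder": "Receipts"}},
]

# Rule parameters that divert mail out of the mailbox or delete it outright.
DIVERT_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def suspicious_inbox_rules(events):
    """Return (user, reasons) for new inbox rules that divert mail or hide it read in a folder."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        reasons = [k for k in DIVERT_KEYS if p.get(k)]
        # Moving mail to a folder AND marking it read keeps the victim from noticing replies.
        if p.get("MarkAsRead") and p.get("MoveToFolder"):
            reasons.append("hide-in-folder")
        if reasons:
            hits.append((e["user"], reasons))
    return hits


def possible_travel(events, window_hours=4):
    """Flag consecutive sign-ins by one user from different countries within window_hours."""
    by_user = {}
    for e in sorted(events, key=lambda x: parse(x["ts"])):
        if e["op"] == "UserLoggedIn":
            by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, logins in by_user.items():
        for a, b in zip(logins, logins[1:]):
            gap = parse(b["ts"]) - parse(a["ts"])
            if a["country"] != b["country"] and gap <= timedelta(hours=window_hours):
                hits.append((user, a["country"], b["country"], gap))
    return hits
```

Run both functions over the audit export for the 24-hour window after a reported phish; a hit from either is a reason to pull the full mailbox audit for that user.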

Lone wolf extortion attacks saw a slight uptick in April. These attacks by individual threat actors are usually simple, such as tech support scams leading to data exfiltration or the exploitation of a simple web app vulnerability.

In addition, the team is still seeing the aftermath of the on-premises ConnectWise ScreenConnect vulnerability that was first exploited in February and has been heavily leveraged by threat actors.

Vulnerabilities and Trends

The Vulnerability Management Program (VMP) Team Lead reviewed notable vulnerabilities from April. As many as 2,500 vulnerabilities were disclosed, and 14 of those vulnerabilities were high risk. Of those 14, four have known proof-of-concept code on the internet and seven were known to be exploited in the wild on products including CrushFTP, Palo Alto, some Cisco devices, a Google Pixel device, Microsoft Windows, and some Linux distributions. The VMP Team Lead talked in detail about a few of these vulnerabilities:

  • The CrushFTP vulnerability (CVE-2024-4040) allows a remote threat actor with low-level privileges to access and potentially exfiltrate all files stored on the CrushFTP tool. It follows a theme the team is seeing where file transfer programs or any remote access product accessible over the internet can be exploited. 
  • The Palo Alto PAN-OS vulnerability (CVE-2024-3400) was exploited on March 26 and April 11 by UTA0218, a group of state-sponsored threat actors targeting perimeter devices. To conduct the exploit, the threat actor creates a reverse shell, then downloads executables, exfiltrates configuration data, compromises sensitive credentials, and moves laterally throughout the network. To mitigate, Palo Alto users must apply the released patches and updates. Also, users with a threat protection subscription can receive threat prevention IDs for the device.
  • The Cisco vulnerability is also attributed to a state-sponsored threat actor because the attack lacks financial motivation and has a high level of sophistication. For the attack, two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) are chained together to allow the threat actor to achieve remote compromise of the device. Line Dancer, a memory-resident shellcode interpreter, allows the threat actor to carry out network surveillance, and the Line Runner backdoor provides persistence on the device. In addition, anti-forensics techniques are employed throughout the process to cover the threat actor’s tracks. The team recommends that all users update the devices and the software running on them.

In May, a Chrome zero-day vulnerability (CVE-2024-4761) was exploited in the wild and disclosed by Google. This use-after-free vulnerability can be used to corrupt data on a device, cause a system to crash, or execute arbitrary code that ultimately leads to additional malware being deployed on the system. Since the vulnerability occurs in the visual component of the open-source Chromium code, other Chromium-based browsers are impacted, including Microsoft Edge. Organizations running Edge, Chrome, or any Chromium-based browser must apply the updates and restart the browsers for the updates to take effect. At the time of the webinar, there were seven vulnerabilities impacting Chrome.

Threat Hunting

The SOC Director talked about upward and downward trends that the team is currently monitoring on client networks. 

Phishing emails with a financial lure are still on the rise, especially tax rebates and refunds. The use of artificial intelligence services, such as ChatGPT, is making phishing emails harder to identify due to more convincing language and correct grammar. To reduce the risk of an attack, the team suggests the continuation of user awareness training.

Ransomware is still the most prevalent malware attack, though the team is not seeing many successful infections.

Malware delivery via phishing emails is on the rise. These attacks usually occur through links in the body of emails, link attachments, and PDF attachments containing JavaScript (but typically not ActionScript) that lead to a malicious website. Password-protected documents and zip files are also often associated with these attacks. The team recommends blocking password-protected files at the email gateway and setting up a whitelist or allowlist that permits password-protected files only from known partners.
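The gateway policy recommended above (block password-protected attachments, except from allowlisted partners) needs a way to recognise such files without the password. This added example, not code from the webinar or from Pondurance, detects the encryption flag in zip local file headers and the `/Encrypt` entry in PDF trailers, then applies a sender-domain allowlist; the partner domain and sample files are constructed.

```python
import io
import struct
import zipfile

# Constructed allowlist: partner domains permitted to send password-protected files.
ALLOWLIST_DOMAINS = {"partner.example"}


def zip_is_encrypted(data: bytes) -> bool:
    """True if any local file header has general-purpose flag bit 0 set (traditional or AES encryption)."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0:
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)  # flags sit 6 bytes into the header
        if flags & 0x0001:
            return True
        pos += 4


def pdf_is_encrypted(data: bytes) -> bool:
    """Encrypted PDFs carry an /Encrypt entry in the trailer; a substring check is a heuristic only."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def gateway_verdict(sender: str, filename: str, data: bytes) -> str:
    """Policy: deliver unprotected files; deliver protected files only from allowlisted domains."""
    name = filename.lower()
    protected = (name.endswith(".zip") and zip_is_encrypted(data)) or \
                (name.endswith(".pdf") and pdf_is_encrypted(data))
    if not protected:
        return "deliver"
    domain = sender.rsplit("@", 1)[-1].lower()
    return "deliver-allowlisted" if domain in ALLOWLIST_DOMAINS else "block"


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry zip; the encrypted variant only sets the flag bit, no real cipher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        (flags,) = struct.unpack_from("<H", data, 6)
        struct.pack_into("<H", data, 6, flags | 0x0001)
    return bytes(data)


# Constructed PDF fragments: one with an /Encrypt entry in the trailer, one without.
ENCRYPTED_PDF = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF"
PLAIN_PDF = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
```

A real gateway also has to unpack nested archives and Office containers before applying the check; this block only covers the top-level attachment.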

Malware delivery via drive-by websites is trending way down, though it’s still a threat. The team encourages organizations to continue patching operating systems and applications to stay safe.

Product Road Map

The Director of Product Management provided an overview of the Pondurance road map for 2024. 

Next Month

The Pondurance team will host another webinar in June to discuss new cybersecurity activity. Check back next month to read the summary.