
September Cyber Threat Download™
Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media.
Threat trends
Malicious threat actors are continuing to use proven tactics to exploit their victims. Our team noted that the following attack methods are a primary concern:
Script-based escalation. Most of these attacks involve PowerShell scripts launched from unusual locations, such as temporary data directories, removable drives, or odd network shares. Often, the threat actor will attempt to create tasks to establish persistence.
Brute force attack. These attacks usually involve threat actors accessing accounts from many IP addresses spread across widely separated locations, or a single IP address accessing multiple accounts in a way that is atypical of those accounts' login histories. The Pondurance team recommends that clients protect themselves against brute force attacks with user awareness training, proper password hygiene, and blocking of malicious domains.
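The two brute force patterns described above can be surfaced from authentication logs with a simple sliding-window count. The following is an added example, not code from the Pondurance post; the log format, the sample lines and the thresholds are constructed for illustration, and a third signal (a successful login that lands right after a burst of failures from several IPs) is included as the "atypical of login history" check.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "timestamp user source_ip result".
SAMPLE_LOG = """\
2025-09-01T08:00:01 alice 203.0.113.10 FAIL
2025-09-01T08:00:05 alice 198.51.100.7 FAIL
2025-09-01T08:00:09 alice 192.0.2.44 FAIL
2025-09-01T08:00:12 alice 203.0.113.99 FAIL
2025-09-01T08:00:20 alice 198.51.100.200 SUCCESS
2025-09-01T08:01:00 bob 192.0.2.9 FAIL
2025-09-01T08:01:03 carol 192.0.2.9 FAIL
2025-09-01T08:01:06 dave 192.0.2.9 FAIL
2025-09-01T08:01:09 erin 192.0.2.9 FAIL
2025-09-01T09:30:00 bob 203.0.113.5 SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def _distinct_in_window(hits, end, window):
    """Distinct keys among (timestamp, key) hits that fall in [end - window, end]."""
    return {key for ts, key in hits if end - window <= ts <= end}

def detect_brute_force(events, window=timedelta(minutes=10), threshold=4):
    """Three signals: one account failing from many IPs, one IP failing against
    many accounts, and a success that lands right after such a burst."""
    fails_by_user, fails_by_ip = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_user[user].append((ts, ip))
            fails_by_ip[ip].append((ts, user))
    alerts = set()
    for user, hits in fails_by_user.items():
        peak = max(len(_distinct_in_window(hits, ts, window)) for ts, _ in hits)
        if peak >= threshold:
            alerts.add(("account_hit_from_many_ips", user, peak))
    for ip, hits in fails_by_ip.items():
        peak = max(len(_distinct_in_window(hits, ts, window)) for ts, _ in hits)
        if peak >= threshold:
            alerts.add(("ip_hitting_many_accounts", ip, peak))
    for ts, user, ip, result in events:
        if result == "SUCCESS":
            prior = _distinct_in_window(fails_by_user[user], ts, window)
            if len(prior) >= threshold:
                alerts.add(("success_after_distributed_failures", user, ip))
    return sorted(alerts)
```

Tune the window and threshold to the tenant's normal login behaviour; the third signal is the one worth paging on, since it indicates a burst that may have succeeded.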
The Pondurance team discussed the importance of creating a cyber safety culture to prevent security breaches. The team recommends assigning permissions to accounts on a least privilege basis, offering training to teach awareness and proper caution rather than using click-and-learn education, using verification when dealing with any unexpected communications, and scrutinizing the urgency of any sudden request.
The team also presented a brief case study of a malicious inbox rule, reviewing the triggers for concern, the effects of such a rule, why a malicious inbox rule is bad, and how to mitigate.
Akira activity
Since March 2023, ransomware group Akira has impacted hundreds of business and critical infrastructure organizations and claimed millions of U.S. dollars in proceeds. Akira’s earlier focus was on Windows operating systems and VMware ESXi virtual machines. The group has since expanded to Linux operating systems and Hyper-V machines. Also, as a ransomware-as-a-service operation, Akira partners with other threat actors for individual attacks and shares in the extortion fees. The group targets U.S. materials organizations and law firms, organizations that run a virtual private network (VPN) service without multifactor authentication (MFA) configured, and Cisco and Fortinet products. Lately, though, SonicWall vulnerabilities are the group’s primary focus.
The SonicWall vulnerability is an improper access control flaw that lets Akira threat actors exploit weak or misconfigured security settings and gain unauthorized access to sensitive systems. They most often gain access by exploiting local accounts that were migrated from a lower-generation SonicWall device to a newer one with SSL VPN enabled but whose passwords were not reset after migration. Once the threat actors gain access, they disable the security tools and encrypt the systems.
In the past month, the Pondurance team has seen nine or more cases attributed to Akira, which is significant compared with last quarter when only three cases occurred. For those cases, the average dwell time was four days, and the average time to exfiltrate data was approximately 36 hours. These cases highlight the importance of credential rotation of perimeter appliances during migration, MFA with strong password policies, and alerting for the tools Akira typically uses and the behavior that typically begins an encryption event.
The team sees several common indicators of compromise (IOCs) for Akira’s ransomware. In particular, threat actors are placing their encryption payload or ransomware executable in the ProgramData folder. The use of specific tools can also be an IOC, such as:
Remote access tools like AnyDesk and RustDesk for persistence
Ngrok or Cloudflare for secure tunneling to expose local servers or services
WinRAR for data compression and Rclone and WinSCP to exfiltrate data
Scanners such as Advanced IP Scanner or Angry IP Scanner
Mimikatz and Kerberos ticket stealer for credential harvesting
As a possible new tactic, technique, and procedure (TTP), Akira threat actors are renaming folders after endpoint detection and response (EDR) tools, such as AVG or SentinelOne, and then placing their tools within those folders.
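The IOCs above (known tooling, a payload under ProgramData, and a folder named after an EDR product that is not the vendor's install path) can be checked against process-creation telemetry. This is an added example, not code from the post or from any vendor product; the executable file names and the sample events are constructed and assumed for illustration, and the EDR-name match is a substring heuristic that should be tuned before production use.

```python
import ntpath

# Executable names for the tools the post associates with Akira (assumed names).
KNOWN_TOOL_BINARIES = {
    "anydesk.exe": "remote access", "rustdesk.exe": "remote access",
    "ngrok.exe": "tunneling", "cloudflared.exe": "tunneling",
    "winrar.exe": "compression", "rclone.exe": "exfiltration",
    "winscp.exe": "exfiltration", "advanced_ip_scanner.exe": "scanning",
    "ipscan.exe": "scanning", "mimikatz.exe": "credential harvesting",
}
# EDR/AV product names the post says Akira borrows for folder names.
EDR_NAMES = ("avg", "sentinelone")
VENDOR_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed process-creation events (image paths only).
SAMPLE_EVENTS = [
    r"C:\ProgramData\AVG\rclone.exe",
    r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
    r"C:\ProgramData\w.exe",
    r"C:\Windows\System32\svchost.exe",
]

def classify_image(image):
    """Return the Akira-related reasons an executable path looks suspicious."""
    path = image.lower()
    name = ntpath.basename(path)
    folder = ntpath.dirname(path)
    reasons = []
    if name in KNOWN_TOOL_BINARIES:
        reasons.append(f"known tool ({KNOWN_TOOL_BINARIES[name]})")
    if path.startswith("c:\\programdata\\"):
        reasons.append("executable launched from ProgramData")
    # A vendor-named folder is only suspicious outside the vendor's install path.
    if any(edr in folder for edr in EDR_NAMES) and not folder.startswith(VENDOR_INSTALL_ROOTS):
        reasons.append("EDR-named folder outside vendor install path")
    return reasons

def triage(events):
    """Map each suspicious image path to its reasons; clean events are omitted."""
    findings = {}
    for image in events:
        reasons = classify_image(image)
        if reasons:
            findings[image] = reasons
    return findings
```

An event that trips all three rules at once, like a copy of rclone under a ProgramData folder named AVG, is the pattern the post describes and deserves the highest priority.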
Notable vulnerabilities
Approximately 4,000 vulnerabilities were disclosed in July, and 22 of those disclosed vulnerabilities were actively exploited — a significant jump from the 10 to 15 actively exploited vulnerabilities usually seen each month. Proof-of-concept code was released on the internet for 15 of them.
During Microsoft Patch Tuesday in July, 66 reported vulnerabilities were addressed. Of those 66, nine vulnerabilities were critical, and there was one zero day that was a remote code execution vulnerability. Multiple patches were released for the affected products. The team briefly discussed three of the critical vulnerabilities:
CrushFTP alternate channel vulnerability. Nearly 300,000 CrushFTP instances are exposed to the public internet, mostly in the United States, but only specific versions with the DMZ proxy feature disabled are vulnerable. In the attack, the threat actor targets the Crush administrator account, sending a specially crafted HTTP POST request over the alternate channel. Once exploited, the threat actor runs commands on the underlying operating system and gains administrator access over the HTTPS channel. IOCs include the creation of a default account with administrator privileges, new administrator accounts, and long, random user IDs.
Wing FTP Server. Almost 10,000 servers exposed to the public internet were vulnerable to this exploit. The attack takes advantage of a null byte flaw that allows threat actors to inject Lua code into user session files to gain access. Local users are then created, giving the threat actor accounts for login. Following access, the threat actors run a curl command as a test, attempt to install ScreenConnect, and attempt to download a Beacon from the command-and-control (C2) server.
Microsoft SharePoint vulnerability. Numerous threat actor groups, including China-based Storm-2603, are known to be exploiting this flaw on on-premises SharePoint servers using the LockBit, Warlock, and X2anylock ransomware variants. The exploit requires chaining together four specific SharePoint vulnerabilities. The groups use multiple tools such as PsExec and Masscan throughout deployment and also use domain name system (DNS) and HTTP-based backdoors to communicate with the C2 server. In addition, the groups deploy a custom antivirus terminator tool that incorporates a signed driver to kill security processes.
During Microsoft Patch Tuesday in August, 107 reported vulnerabilities were addressed. Of those 107, 13 were critical vulnerabilities, and one was a zero-day exploit. The zero day is an elevation of privilege vulnerability that affects Windows Kerberos. Numerous critical patches were released, including patches for Microsoft Word, Hyper-V, and Microsoft Message Queuing.
Session hijacking
More and more often, threat actors are stealing, copying, and intercepting session IDs and using them for malicious purposes. These attacks, known as session hijacking, allow a threat actor to take over a valid user session to gain unauthorized access to a website or application. By stealing the session ID, the threat actor can pass as the legitimate user, bypass MFA, and perform malicious actions. A successful session hijacking attack starts when the user logs in, provides a password, and is challenged with MFA. These simple actions are enough to allow a threat actor to steal the user’s credentials and hijack the session for anywhere from 24 hours to 30 days or longer.
Session stealing methods can be passive attacks or active attacks. A passive attack typically involves a man-in-the-middle attack using fake phishing pages that appear legitimate. The user enters credentials, including the MFA response, and the threat actors intercept the information. The team warns that a generic-looking sign-in page can be a giveaway that it’s a phishing attempt, especially if the URL doesn’t match the service provider that the user is logging in to.
An active attack can happen in a few different ways:
Malware installed/running on the host. This attack uses a browser extension that gains the same rights as the user running it and can find the sessions, copy them, and send them to the threat actor.
Cross-site scripting. This popular method exploits a vulnerability in a legitimate website’s code. It tricks the browser into running the malicious code, which copies the session and relays it back to the threat actor.
Session fixation. In this active attack, the threat actor sends the user a legitimate link to a service that carries a session ID of the attacker's choosing, and the user authenticates under that session ID. The threat actor can then visit the URL originally sent and be logged in as the user.
Fortunately, organizations can take several preventive measures to safeguard against passive and active attacks. The team recommends using short sessions, which require user logout after inactivity, and using step-up authentication, which requires users to reauthenticate or, at a minimum, prove they are in possession of the MFA device or know the user’s password. In addition, organizations can require passkey presence, disable the Keep Me Logged In setting, configure risk-based and conditional policies, require enrolled devices, block foreign countries, require MFA, block risky users, and enforce token binding.
For future prevention, the team briefly discussed Device Bound Session Credentials (DBSC) for browsers and Demonstrating Proof of Possession (DPoP). Both DBSC and DPoP require the client to prove possession of the private key of an asymmetric key pair, so a session credential copied off the device cannot be replayed elsewhere.
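Two of the mitigations above, short idle-timed sessions and refusing to let a client dictate its own session ID, are what defeat the session fixation attack described earlier. The following server-side session store is an added example written for this post, not code from Pondurance or from any framework; the clock, the idle timeout of 60 seconds and the "attacker-chosen-id" value are constructed for the walkthrough.

```python
import secrets
import time

class SessionStore:
    """Server-side store that never honours an ID it did not issue, rotates the ID
    at login so a pre-authentication ID is worthless, and expires idle sessions."""
    def __init__(self, idle_timeout=900, clock=None):
        self.idle_timeout = idle_timeout
        self.clock = clock or time.time
        self._sessions = {}   # sid -> {"user": str | None, "last_seen": float}

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy, never client-chosen
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def start(self):
        return self._issue(None)          # anonymous pre-login session, server-issued ID

    def resolve(self, sid):
        """Unknown or idle-expired IDs resolve to None; live ones refresh last_seen."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = self.clock()
        return sess

    def login(self, sid, user):
        """Authenticate: drop the presented ID and issue a fresh one for the user."""
        self._sessions.pop(sid, None)
        return self._issue(user)

def simulate_fixation_defense():
    """Walk through the fixation scenario from the post against this store."""
    now = [1_000_000.0]                      # constructed clock, advanced by hand
    store = SessionStore(idle_timeout=60, clock=lambda: now[0])
    planted = "attacker-chosen-id"           # ID an attacker tries to plant via a link
    pre_login = store.start()                # server issues its own ID instead
    post_login = store.login(pre_login, "alice")
    outcome = {
        "planted_id_accepted": store.resolve(planted) is not None,
        "pre_login_id_valid_after_login": store.resolve(pre_login) is not None,
        "post_login_user": store.resolve(post_login)["user"],
    }
    now[0] += 61                             # exceed the idle timeout
    outcome["post_login_valid_after_idle"] = store.resolve(post_login) is not None
    return outcome
```

The same rotation should run on any privilege change (step-up MFA included), since a session ID that survives authentication is exactly what a fixation or replay attack needs.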
As a final takeaway, the team reminded organizations that Windows 10 support will expire on Oct. 14. Fifty-five percent of clients now have Windows 11, and the team recommends that the other 45% should upgrade to Windows 11.
About the Pondurance threat intelligence team
The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
