MITRE Corporation breached via Ivanti zero-day exploits

In the latest cybersecurity landscape, the past week has seen a surge in diverse and sophisticated threats, spanning from zero-day vulnerabilities exploited in CrushFTP and MITRE Corporation’s network breach to the rebranding of HelloKitty ransomware and the emergence of GuptiMiner’s campaign exploiting eScan antivirus updates. Additionally, ToddyCat’s sophisticated tactics in industrial data theft underscore the evolving threat landscape, demanding heightened vigilance and robust defense measures from organizations worldwide.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. CrushFTP urges immediate patching of exploited zero-day vulnerability

CrushFTP has issued a warning to its customers regarding a zero-day vulnerability that permits unauthenticated attackers to access system files, urging immediate patching. This flaw enables attackers to evade the user’s virtual file system (VFS) and download system files via the WebInterface, potentially leading to unauthorized access to sensitive data. Although attacks are hindered for users with a demilitarized zone (DMZ) perimeter network, at least 2,700 CrushFTP instances with exposed web interfaces are vulnerable to exploitation.

Security intelligence teams have observed targeted attacks exploiting this vulnerability in multiple U.S. organizations, indicating a potentially politically motivated intelligence-gathering campaign. Affected versions include CrushFTP v11 below 11.1 and CrushFTP v10 below 10.7.1, with solutions available in CrushFTP versions 10.7.1 and 11.1.0. Customers are strongly advised to promptly patch their servers, with options for extended support available for those running v9.

2. MITRE’s network breached by state hackers exploiting Ivanti zero-days

MITRE Corporation disclosed a breach where threat actors exploited two Ivanti Connect Secure zero-days to compromise one of their Virtual Private Networks (VPNs), gaining access to the NERVE network. Despite the breach, the core enterprise network and partners’ systems remained unaffected. The attackers bypassed MFA defenses, utilized webshells and backdoors, and maintained access using a hijacked administrator account.

The attacks, attributed to UNC5221 and potentially linked to Chinese state-sponsored involvement, included the deployment of multiple malware families for espionage purposes. Over 2,100 backdoored Ivanti appliances were identified, impacting businesses globally. Recommendations include monitoring VPN traffic for unusual patterns, detecting deviations in user behavior, segmenting networks, staying updated with threat intelligence feeds, and deploying adversary engagement resources for detection insights.

3. HelloKitty ransomware rebrands, unveils CD Projekt and Cisco data leak

HelloKitty ransomware has undergone a rebranding to HelloGookie, with the threat actor ‘Gookee/kapuchin0’ announcing the change and releasing stolen data, including four private decryption keys for older attacks and internal data from Cisco and CD Projekt. This release notably includes passwords for leaked source code, such as Gwent and Witcher 3, taken from CD Projekt in 2021. Developers have compiled Witcher 3 from the leaked source code, revealing early build screenshots and videos.

The connection between HelloKitty and Yanluowang ransomware groups has surfaced, with leaked data from HelloGookie including NTLM hashes allegedly extracted during a Cisco security breach in May 2022, suggesting a deeper collaboration than previously known. Recommendations include regular software updates, strong passwords with multi-factor authentication, and ransomware-specific protection measures such as behavior-based detection.

4. GuptiMiner: Exploiting eScan antivirus updates to distribute backdoors and miners

A recent malware campaign leveraging the updating mechanism of eScan antivirus software has been distributing backdoors and cryptocurrency miners like XMRig, linked to the long-standing threat GuptiMiner active since 2018. Exploiting an adversary-in-the-middle attack, the campaign substitutes legitimate eScan update packages with malicious versions, exploiting the absence of digital signatures and secure HTTPS connections.

GuptiMiner utilizes a rogue DLL, “updll62.dlz,” to sideload “version.dll,” initiating a multi-stage sequence involving a PNG file loader and malicious DNS servers to fetch shellcode from a command-and-control (C2) server. The shellcode ultimately deploys XMRig and backdoors. The campaign employs evasion techniques like anti-VM and anti-debug tricks, code virtualization, and storage of payloads in Windows Registry. To mitigate such threats, it is recommended to implement HTTPS for secure communication, modify DLL search order, apply application whitelisting, and restrict write access to DLL directories.

5. Unveiling ToddyCat’s sophisticated tactics in industrial data theft

ToddyCat, a hacker group, is orchestrating large-scale data theft operations, particularly targeting government and military organizations in Europe and Asia since at least December 2020. Leveraging a sophisticated toolkit including the passive backdoor Samurai, ToddyCat employs automated data harvesting techniques and tools like LoFiSe and Pcexter to extract data from compromised hosts, uploading it to Microsoft OneDrive.

Their arsenal includes various tools like OpenSSH for reverse SSH tunnels, SoftEther VPN disguised under innocuous filenames, Ngrok and Krong for encrypting C2 traffic, FRP client for reverse proxy, Cuthead for document search, WAExp for WhatsApp data, and TomBerBil for browser credential extraction. ToddyCat ensures persistent access by establishing multiple simultaneous connections to actor-controlled infrastructure, necessitating advanced threat detection, network segmentation, and enhanced endpoint protection to counter their tactics.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider