Weekly Threat Briefing: July 15 - 19, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


FIN7’s Evolution: Point of Sale Malware to Ransomware and EDR Bypass Tools

On July 17th, SentinelLabs released a report on a notorious cybercrime group, FIN7 (aka Carbanak and Carbon Spider). The group has significantly enhanced its operations by developing sophisticated tools and methods for bypassing Endpoint Detection and Response (EDR) systems.

FIN7 was first known for targeting Point of Sale (PoS) systems to steal payment card data, leading to significant financial losses for affected businesses. Starting in 2020, the group pivoted to ransomware operations, affiliating with notorious Ransomware-as-a-Service (RaaS) groups such as REvil and Conti. Additionally, they launched their own RaaS programs, first under the name DarkSide and later rebranded as BlackMatter.

One of their key innovations is the AvNeutralizer (aka AuKill) tool, designed to disable Endpoint Detection and Response (EDR) systems, facilitating ransomware and other malicious activities. It operates by exploiting Windows built-in drivers, such as "ProcLaunchMon.sys," to bypass security measures and tamper with security solutions. This tool allows attackers to evade detection and maintain persistence within compromised networks. AvNeutralizer's automation capabilities enable efficient, large-scale attacks, enhancing the operational efficiency of cybercriminals. The tool has been found on multiple criminal forums, being sold by various users who are believed to be aliases of FIN7.

Previous research from Prodaft detailed the Checkmarks platform, an automated attack system targeting public-facing Microsoft Exchange servers developed by FIN7. It extensively scans and exploits these servers using the ProxyShell exploit, leveraging vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The platform also includes an Auto-SQLi module for SQL injection attacks, incorporating SQLMap for vulnerability scanning when initial attempts fail. This module enables remote access to victim systems, tailored for adaptability and expanding the range of exploitable vulnerabilities.

In 2022, numerous intrusions were attributed to the Auto-SQLi module, primarily targeting US companies in the manufacturing, legal, and public sectors. These activities involved the use of PowerShell droppers, which employed multiple layers of obfuscation to execute final payloads. These PowerShell droppers delivered Powertrash loaders from staging servers. The loaders enabled FIN7 to control compromised systems by loading backdoor payloads.

Learn more in the full threat briefing here.


Hackers Use PoC Exploits in Attacks 22 Minutes After Release

On July 11th, Cloudflare released their Application Security report which included a variety of topics, most notably threat actors utilizing Proof-of-Concept (PoC) exploit code in attacks 22 minutes after disclosure. The report highlights the increase in Zero-day exploits as well as the weaponization of disclosed vulnerabilities.

Cloudflare stated that the majority of observations were related to scanning activity, followed by attempts at command injection, and some utilization of publicly available PoC exploit code. These vulnerabilities include Apache CVE-2023-50164 and CVE-2022-33891, Coldfusion CVE-2023-29298, CVE-2023-38203 and CVE-2023-26360, and MobileIron CVE-2023-35082.

The example outlined in their report states that Cloudflare observed exploitation attempts of a JetBrains TeamCity authentication bypass vulnerability, CVE-2024-27198 (CVSS 9.8). The vulnerability was exploited just 22 minutes after PoC exploit code was published.

The following is a timeline of the events:

  • 14:00 UTC: JetBrains releases TeamCity 2023.11.4 update
  • 14:59 UTC: JetBrains publicly discloses CVE-2024-27198
  • 19:23 UTC: Rapid7 shares a blog, including PoC exploit code
  • 19:45 UTC: Cloudflare observes attempted exploitation

eSentire’s Threat Response Unit (TRU) released a security advisory regarding CVE-2024-27198 on March 5th. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2024-27198.

Learn more in the full threat briefing here.


CrowdStrike Outage

On July 19th, 2024, a software update released by CrowdStrike led to widespread outages across the globe. The update caused a critical conflict with the Windows OS, leading to system instability and crashes; specifically, it inadvertently triggered errors in the sensor's kernel-mode driver, a component running inside the core of the Windows operating system, resulting in systems crashing to a "Blue Screen of Death" (BSOD). This has resulted in operational disruptions in various sectors including aviation, banking, IT, and other critical infrastructure.

At 05:45 EST, CrowdStrike CEO George Kurtz confirmed via a post on X (formerly Twitter) that the widespread Windows system outages were due to a defective update and not a cyberattack. He emphasized that only Windows hosts were affected, while Mac and Linux systems remained unaffected. Kurtz assured that the issue had been identified, isolated, and a fix had been deployed. He directed customers to CrowdStrike’s support portal for ongoing updates and urged them to communicate through official channels to ensure security and stability.

In a tech alert to customers as well as in a public statement, CrowdStrike provided the following workarounds to resolve the issue.

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, boot Windows into Safe Mode or the Windows Recovery Environment. Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it
  • Boot the host normally

*Note: BitLocker-encrypted hosts may require a recovery key.

Additional Workaround for individual hosts:

Customers can restart the impacted host multiple times. Each boot creates a race in which the sensor may download the reverted channel file before the defective one is loaded, at which point the host stays up and the update replaces the file causing the crashes.

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server

Option 2: 

  • Roll back to a snapshot before 0409 UTC.
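As an added example (not from the eSentire briefing or from CrowdStrike's own tooling), the following PowerShell script performs the file-location step of the workaround above, reporting every file matching the briefing's pattern and deleting it only when `-Remove` is passed. The `-Root` parameter, the backup copy and the comparison against the 0409 UTC cutoff are my additions so the same check can run against a volume mounted on a rescue VM (Option 1) and leave a copy behind for later analysis.

```powershell
# Added example: locate (and optionally remove) the CrowdStrike channel file
# named in the workaround. Not part of the briefing or CrowdStrike's guidance.
param(
    [string]$Root = $env:WINDIR,   # e.g. 'E:\Windows' when the OS volume is mounted on a rescue VM
    [switch]$Remove                # without -Remove the script only reports what it finds
)

$dir = Join-Path $Root 'System32\drivers\CrowdStrike'
if (-not (Test-Path -Path $dir)) {
    Write-Warning "CrowdStrike driver directory not found at $dir"
    return
}

# Assumption for reporting only: files written at or after the rollback cutoff
# quoted in the briefing (0409 UTC, 19 July 2024) are the likely defective ones.
$cutoff = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)

# The file pattern given in the workaround steps.
$files = Get-ChildItem -Path $dir -Filter 'C-00000291*.sys' -File -ErrorAction Stop
if (-not $files) {
    Write-Host "No file matching C-00000291*.sys found under $dir; nothing to do."
    return
}

foreach ($f in $files) {
    # Emit one record per match so the output can be piped or logged.
    [pscustomobject]@{
        Name        = $f.Name
        SizeBytes   = $f.Length
        WrittenUtc  = $f.LastWriteTimeUtc
        AfterCutoff = ($f.LastWriteTimeUtc -ge $cutoff)
    }

    if ($Remove) {
        # Keep a copy outside the driver directory before deleting, so the
        # removed file is still available for later forensic review.
        $backup = Join-Path $env:TEMP ("crowdstrike-channel-backup-" + $f.Name)
        Copy-Item -Path $f.FullName -Destination $backup -Force
        Remove-Item -Path $f.FullName -Force
        Write-Host "Removed $($f.FullName) (copy saved to $backup)"
    }
}
```

Run it once without `-Remove` from Safe Mode (or against the mounted volume) to confirm exactly which files match, then again with `-Remove` before booting the host normally.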

In the wake of the CrowdStrike update incident, threat actors have seized the opportunity to exploit the situation by creating phishing pages that impersonate CrowdStrike support domains. These fraudulent sites aim to deceive users into believing they are accessing legitimate CrowdStrike support resources, potentially leading to further security breaches.

Phishing attacks leveraging such high-profile incidents can be particularly effective, as they prey on the urgency and confusion that typically accompany significant IT disruptions. Users seeking immediate assistance are more likely to fall victim to these scams, inadvertently providing sensitive information or downloading malicious software.

To mitigate this threat, organizations must enhance their phishing detection and response capabilities. Employees should be trained to recognize phishing attempts and verify the authenticity of support communications through official channels. CrowdStrike has advised users to refer to their support portal and official communications for updates, emphasizing the importance of using verified sources to avoid falling prey to these scams.

eSentire’s Threat Response Unit (TRU) has published a security advisory on July 19th highlighting these threats.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.