Weekly Cyber Reports

This Week in Cyber 19th February 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

19th February, 2024


Analyst Insight

This week's cyber news reveals a spectrum of developments. On a positive note, a global coalition of countries and tech companies is joining forces to combat the misuse of commercial spyware. Additionally, a new vulnerability has been uncovered, enabling the decryption of the notorious Rhysida ransomware, allowing for the reconstruction of encryption keys and the decryption of locked data. However, not all news is optimistic; a critical vulnerability in FortiOS SSL VPN has surfaced. Moreover, the previously mentioned Ivanti flaw has taken a concerning turn - within hours of the proof-of-concept (PoC) going public, Orange Cyberdefense identified 670 cases of successful exploitation. Ransomware continues to pose a significant threat, with a sophisticated strain targeting financial traders emerging as the latest example. It is imperative to remain vigilant regarding newly disclosed vulnerabilities, as updating services and products is indispensable for preserving organizational security.

Critical FortiOS SSL VPN Flaw

CVE-2024-21762 is a critical security flaw found within FortiOS SSL VPN. Multiple researchers and sources have confirmed that it is likely being actively exploited. The vulnerability, with a severity score of 9.6, enables the execution of arbitrary code and commands, which poses a severe threat to affected systems. Fortinet acknowledges that the issue is currently "potentially being exploited in the wild", though it is not forthcoming with specific details about the method of exploitation or the identity of the perpetrators.

The impacted versions include FortiOS 7.4 (up to 7.4.2), FortiOS 7.2 (up to 7.2.6), FortiOS 7.0 (up to 7.0.13), FortiOS 6.4 (up to 6.4.14), FortiOS 6.2 (up to 6.2.15), and FortiOS 6.0 (all versions). Users are being encouraged to upgrade to the recommended versions or deploy suitable mitigations in order to avoid putting themselves at risk. APTs have been known to exploit flaws in Fortinet devices, and CISA has recently mandated fixes for federal civilian agencies that are due before the end of this week.

Global Coalition and Tech Giants Unite Against Misuse of Commercial Spyware

A coalition of countries, including France, the U.K., and the U.S., along with tech giants like Google, MDSec, Meta, and Microsoft, has joined forces in the Pall Mall Process to combat the misuse of commercial spyware for human rights violations. The agreement aims to establish guidelines to regulate the development, purchase, and use of such tools, highlighting the risks they pose to cyber stability, human rights, and national security. The initiative coincides with the U.S. Department of State's decision to deny visas to individuals involved in dangerous spyware technology misuse. While spyware like Chrysaor and Pegasus is licensed for law enforcement, it is often abused by oppressive regimes. Efforts to curb spyware misuse face challenges as new exploit chains are developed, perpetuating an industry harmful to high-risk users and society.

Vulnerability Unveiled Allowing Decryption of Rhysida Ransomware

Cybersecurity researchers have discovered an implementation vulnerability in Rhysida ransomware, allowing them to reconstruct encryption keys and decrypt locked data. The findings, published by researchers from Kookmin University and KISA, mark the first successful decryption of this ransomware strain. The decryption tool is distributed through KISA. Rhysida, known for double extortion tactics, targets various sectors, as highlighted in a U.S. government advisory. The ransomware employs LibTomCrypt for encryption, parallel processing, and intermittent encryption to evade detection. By analyzing the ransomware's inner workings, researchers identified patterns enabling decryption without paying a ransom. It's noted that several parties found these weaknesses earlier but didn't publish them. The vulnerability applies only to the Windows PE version of Rhysida ransomware, not to the ESXi or PowerShell payloads.

Ivanti Vulnerability Exploited to Deploy Over 670 Backdoors

Two weeks ago, we covered the significant decision by CISA to issue Emergency Directive 24-01 to US federal agencies regarding Ivanti Connect Secure and Ivanti Policy Secure products. The directive ordered any agency using these products to disconnect, threat hunt and isolate them until the zero-day vulnerabilities could be patched and recovery templates released by Ivanti.

This should have served as an important guideline for all organisations using these products. However, shortly after Ivanti released fixes for the vulnerabilities and disclosed two new ones, two security research groups released working proof-of-concept exploits for one of the newly disclosed vulnerabilities (CVE-2024-21893). Within hours of these PoCs going public, Orange Cyberdefense identified successful exploitation of the vulnerability in the wild, likely using the disclosed PoCs. Within the day, over 670 cases had been identified. The exploit allows a malicious backdoor to be installed; the one identified in these cases has been referred to as DSLog, after the DSLog.pm Perl script used.

This is an important learning experience for everyone involved. When vendors and reputable bodies announce mitigation steps, we should all follow them, no matter how extreme and exhaustive they may seem. Organisations that ignore advisories or jump the gun in reactivating vulnerable products become exposed to follow-up exploits. So once again, if you're using Ivanti products and have yet to follow their recommended remediation steps, now is the time to do it.

Water Hydra's Sophisticated Attack Targeting Financial Traders

A recently disclosed security vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat actor known as Water Hydra (also called DarkCasino), targeting financial market traders. Trend Micro, which began tracking the campaign in late December 2023, identified the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL). This flaw allowed the threat actor to bypass Microsoft Defender SmartScreen and deliver the DarkMe malware to victims.

Microsoft addressed the vulnerability in its February Patch Tuesday update. The attack involves convincing victims to click on a specially crafted file link, which then drops a malicious installer file ("7z.msi") from a booby-trapped URL ("fxbulls[.]ru"). The malware delivery chain exploits the search: application protocol and cleverly uses internet shortcut files hosted on remote servers to evade detection. The ultimate goal is to stealthily deploy the DarkMe Visual Basic trojan in the background while displaying a stock graph to the victim. This development highlights the trend of cybercrime groups exploiting zero-day vulnerabilities, which are then incorporated into attack chains by nation-state hacking groups for sophisticated attacks. Water Hydra is identified as possessing the technical expertise to discover and exploit zero-day vulnerabilities, deploying highly destructive malware like DarkMe.
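As an added defensive example (not code from this report or from Trend Micro), the Python below parses the INI-style .URL internet shortcut format and flags the traits the paragraph names: a target using the search: application protocol, a target hosted on a remote server, or a target that is itself another shortcut or an installer. The sample files, host names and heuristics are constructed for illustration.

```python
import configparser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample .URL files (not artefacts from the campaign); hosts are placeholders.
SAMPLES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "remote_shortcut.url": "[InternetShortcut]\nURL=file://remote.example.invalid/share/trade.url\n",
    "search_handler.url": (
        "[InternetShortcut]\n"
        "URL=search:query=report&crumb=location:\\\\remote.example.invalid\\share\n"
    ),
}

# The search: application protocol is the handler named in the Water Hydra chain.
SUSPICIOUS_SCHEMES = {"search", "search-ms"}


def parse_url_target(content: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(content)
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify(content: str) -> List[str]:
    """Return the reasons a .URL file looks suspicious (empty list means nothing flagged)."""
    target = parse_url_target(content)
    if target is None:
        return ["no URL= entry"]
    reasons: List[str] = []
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        reasons.append(f"uses {scheme}: application protocol")
    if scheme == "file" and parsed.netloc:
        # file:// with a host component means the target lives on a remote server.
        reasons.append(f"file target on remote host {parsed.netloc}")
    if target.lower().rstrip().endswith((".url", ".msi")):
        reasons.append("target is itself a shortcut or installer")
    if "\\\\" in target:
        # A UNC path embedded in the parameters also points at a remote share.
        reasons.append("UNC path in target")
    return reasons


def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Classify every sample and return only the files that were flagged."""
    return {name: classify(body) for name, body in samples.items() if classify(body)}
```

Run against real shortcut files by reading each file's text into `classify`; the heuristics are a starting point for triage, not a verdict.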

February 2024 Microsoft Patch Tuesday Updates: Key Vulnerabilities and Exploits

Microsoft has released patches addressing 73 security flaws across its software lineup in the February 2024 Patch Tuesday updates, including two zero-days under active exploitation. Of these vulnerabilities, 5 are rated Critical, 65 are rated Important, and 3 are rated Moderate in severity. Notably, 24 flaws have also been fixed in the Chromium-based Edge browser since January 2024. The two actively exploited flaws are CVE-2024-21351 and CVE-2024-21412, allowing attackers to bypass SmartScreen security checks and execute arbitrary code.

Trend Micro detailed an attack campaign by Water Hydra leveraging CVE-2024-21412, targeting financial market traders. This flaw acts as a bypass for a previously patched SmartScreen vulnerability, enabling threat actors to evade detection. Water Hydra, known for targeting financial institutions, has been active since 2021 and recently updated its infection chain to streamline the DarkMe trojan delivery process using CVE-2024-21412. Both vulnerabilities are now listed in the Known Exploited Vulnerabilities catalog by CISA. Microsoft also patched five critical flaws, including CVE-2024-21410, an elevation of privilege vulnerability in Microsoft Exchange Server, and CVE-2024-21413, a remote code execution flaw in Microsoft Outlook. Additionally, the security update addressed 15 remote code execution flaws in Microsoft WDAC OLE DB provider for SQL Server and fixed CVE-2023-50387, a 24-year-old design flaw in the DNSSEC specification named KeyTrap, which could lead to denial-of-service attacks.

