Vercara’s Open-Source Intelligence (OSINT) Report – October 11 – October 17, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

U.S. charges Sudanese brothers linked to the Anonymous Sudan hacktivist group.

(TLP: CLEAR) Recent reporting highlights the U.S. Department of Justice’s latest efforts in indicting two Sudanese brothers, Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, for their alleged role in operating the hacktivist group Anonymous Sudan, reportedly responsible for launching over 35,000 distributed denial-of-service (DDoS) attacks globally. The group’s DDoS attacks targeted critical infrastructure ranging from corporate networks and healthcare institutions to government agencies and major U.S. technology platforms such as Microsoft Corp. Additionally, reporting indicates the brothers have been in custody since March 2024, when U.S. and international authorities disabled their DDoS infrastructure. Ahmed faces a maximum sentence of life in prison for reckless endangerment during attacks, while his brother, Alaa, faces up to five years. Authorities have stressed that the charges highlight the extensive damage caused by Anonymous Sudan, which is estimated to have resulted in over $10 million in damages across the U.S., affecting major organizations and critical government operations.

(TLP: CLEAR) Comments: Anonymous Sudan’s DDoS-for-hire service claimed to be driven by a Sudanese nationalist ideology. They capitalized on cloud infrastructure to significantly boost the scale of their attacks, occasionally disrupting major platforms such as Microsoft, OpenAI, and PayPal. Despite their claims of being Sudanese hacktivists, some analysts speculated possible links to Russian nation-state threat actors, although U.S. authorities did not find concrete evidence of external financial backing. Back in March 2024, U.S. authorities dismantled Anonymous Sudan’s Distributed Cloud Attack Tool (DCAT), which operated under various aliases like “Godzilla,” “Skynet,” and “InfraShutdown.” This effort, supported by court-authorized seizures, targeted critical infrastructure, including servers used to launch and manage DDoS attacks, systems relaying commands across compromised networks, and accounts containing the attack tool’s source code. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”  

Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real-time, such as Vercara’s UltraDDoS Protect. 

(TLP: CLEAR) Vercara: Vercara’s UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premise hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://thehackernews.com/2024/10/us-charges-two-sudanese-brothers-for.html 

Source: https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-role-anonymous-sudan-cyberattacks-hospitals  

EDRSilencer red team tool observed in attacks to bypass security. 

(TLP: CLEAR) Recent intelligence reporting sheds light on the growing misuse of ‘EDRSilencer’, an open-source tool originally developed to bypass Endpoint Detection and Response (EDR) systems during red-team assessments. By leveraging the Windows Filtering Platform (WFP), the tool disrupts EDR processes by blocking their ability to send alerts and telemetry back to their management servers. Investigators have observed threat actors adapting EDRSilencer to evade detection during cyber-attacks. EDRSilencer can target a wide range of EDR products, and attackers can extend it further by adding custom rules to block processes that are not pre-configured. This ability to disable critical security controls significantly enhances the stealth of malware and ransomware operations, heightening the risk of serious disruptions and breaches. It is indicative of an evolving threat landscape that calls for a proactive and adaptive security posture, combining multi-layered defences and continuous monitoring to mitigate risk. Cybersecurity researchers have released a list of indicators of compromise (IoCs), the executable names associated with common EDR products terminated by EDRSilencer, to assist in managing the threat.

(TLP: CLEAR) Comments: Originally inspired by the proprietary NightHawk FireBlock tool, EDRSilencer targets up to 16 well-known EDR tools, including Microsoft Defender, SentinelOne, and FortiEDR. Once deployed, it can disable those tools’ ability to report suspicious activity, allowing threat actors to operate in stealth mode. The tool dynamically identifies active EDR processes and creates WFP filters to block their outbound communication, leaving the security infrastructure blind to ongoing threats. IoCs have been released here – https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
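The WFP-based blocking described above leaves an artifact on the host: a BLOCK filter whose application-ID condition names the EDR binary. The Python script below is an added illustration of how a defender can audit for that artifact; it is not part of Vercara’s report, the Trend Micro research, or any vendor tooling. It parses a constructed sample modeled on the XML that `netsh wfp show filters` writes to filters.xml and reports BLOCK filters keyed to a watched executable. The element names, the executable watchlist, and the sample export itself are assumptions.

```python
"""Audit an exported WFP filter list for BLOCK filters keyed to EDR executables.

Added example. The element names assume the layout of the filters.xml produced by
`netsh wfp show filters`; SAMPLE_EXPORT is constructed, not a real export.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Illustrative subset of sensor binaries (Microsoft Defender, Defender for Endpoint,
# SentinelOne); extend with the published executable list for the EDR products in use.
EDR_EXECUTABLES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe"}

# ALE connect layers: an app-keyed BLOCK filter here silences a process's outbound traffic.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Constructed sample: one persistent block on Defender, one legitimate permit, one
# inbound block on an unrelated binary, one runtime block on the SentinelOne agent.
SAMPLE_EXPORT = r"""<wfpdiag><filters>
<item>
  <filterKey>{11111111-0000-0000-0000-000000000001}</filterKey><displayData><name>Custom Outbound Filter</name></displayData>
  <flags numItems="1"><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob></conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
</item>
<item>
  <filterKey>{11111111-0000-0000-0000-000000000002}</filterKey><displayData><name>Defender Permit</name></displayData>
  <flags numItems="0"/>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob></conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_PERMIT</type></action>
</item>
<item>
  <filterKey>{11111111-0000-0000-0000-000000000003}</filterKey><displayData><name>Block inbound to tool</name></displayData>
  <flags numItems="0"/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\device\harddiskvolume3\users\alice\tool.exe</asString></byteBlob></conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
</item>
<item>
  <filterKey>{11111111-0000-0000-0000-000000000004}</filterKey><displayData><name>Custom Outbound Filter</name></displayData>
  <flags numItems="0"/>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe</asString></byteBlob></conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
</item>
</filters></wfpdiag>"""


def find_edr_block_filters(xml_text, watchlist=EDR_EXECUTABLES):
    """Return BLOCK filters whose app-ID condition names a watched EDR executable."""
    root = ET.fromstring(xml_text)
    findings = []
    for flt in root.find("filters").findall("item"):
        if flt.findtext("action/type", default="").strip() != "FWP_ACTION_BLOCK":
            continue
        layer = flt.findtext("layerKey", default="").strip()
        flags = {f.text.strip() for f in flt.findall("flags/item") if f.text}
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey", default="").strip() != "FWPM_CONDITION_ALE_APP_ID":
                continue
            # The app ID is an NT device path; compare only the executable name.
            path = cond.findtext("conditionValue/byteBlob/asString", default="").strip()
            exe = PureWindowsPath(path).name.lower()
            if exe in watchlist:
                findings.append({
                    "filter_key": flt.findtext("filterKey", default="").strip(),
                    "name": flt.findtext("displayData/name", default="").strip(),
                    "layer": layer,
                    "outbound": layer in OUTBOUND_LAYERS,
                    "persistent": "FWPM_FILTER_FLAG_PERSISTENT" in flags,
                    "executable": exe,
                    "path": path,
                })
    return findings


if __name__ == "__main__":
    for hit in find_edr_block_filters(SAMPLE_EXPORT):
        kind = "persistent" if hit["persistent"] else "runtime"
        print(f"{hit['filter_key']} {kind} BLOCK on {hit['layer']} -> {hit['path']}")
```

On a live host, run `netsh wfp show filters` from an elevated prompt and feed the resulting filters.xml to find_edr_block_filters(), comparing hits against the executable list Trend Micro published. A periodic audit like this is a backstop; enabling the “Audit Filtering Platform Policy Change” subcategory records filter additions as Security event 5447, which gives a near-real-time signal from the same mechanism.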

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: “Anti-malware mechanisms and processes are active, maintained, and monitored: 

  • “The anti-malware solution(s) is kept current via automatic updates.
  • “The anti-malware solution(s):
      • Performs periodic scans and active or real-time scans, OR
      • Performs continuous behavioural analysis of systems or processes.

“If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”  

Regular updating of anti-malware definitions and periodic scans require processing and disk input/output. As a result, most updates and scans happen overnight, resulting in a detection gap of up to several days depending on the type of device. Protective DNS solutions are able to update their detection rules in real time and provide support for network-based behavioral analytics.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defence in Depth against malware, phishing, and other abuses:  

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-used-in-attacks-to-bypass-security/  

Internet Archive slowly revives after DDoS barrage. 

(TLP: CLEAR) On October 9, 2024, the Internet Archive experienced a major data breach accompanied by a series of distributed denial-of-service (DDoS) attacks, causing significant disruption to its services. Intelligence reporting indicates that the threat actors responsible for the breach leaked millions of users’ personal details and directed affected users to the “Have I Been Pwned” site to check whether their information was compromised. To contain the attacks and prevent further compromise, the Internet Archive took its services offline, including the ‘Wayback Machine’. Security researchers from NETSCOUT analyzed the October 9 activity in detail and concluded that the campaign involved approximately 24 coordinated DDoS attacks. TCP RST floods and HTTPS application-layer attacks were launched against the Archive’s Autonomous System (ASN 7941), the network responsible for routing traffic to and from the Archive’s servers. NETSCOUT indicated the DDoS attacks were likely powered by a Mirai botnet variant made up of compromised IoT devices in Korea, China, and Brazil. The 24 distinct attacks highlight the intensity and coordination of the campaign, showing that the threat actors were deliberately overwhelming the Archive’s core systems; this level of precision underscores the attackers’ intent to cripple the Archive’s services. After several days, the Internet Archive resumed operations in a limited read-only mode while working to securely restore full functionality to the Wayback Machine.

(TLP: CLEAR) Comments: The Internet Archive attack demonstrates the ongoing challenge of securing large-scale digital assets and highlights the importance of real-time monitoring, proactive defences, and comprehensive data management strategies to mitigate both data breaches and DDoS attacks. The 24 distinct DDoS attacks highlight the intensity and coordination of the campaign and the threat actors’ determination to overwhelm the Archive’s network. Furthermore, botnets like Mirai continue to expand by recruiting poorly secured IoT devices, and keep gaining functionality, adding further complexity to DDoS mitigation.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real-time, such as Vercara’s UltraDDoS Protect. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect offers native integration with the most popular on-premises DDoS appliances, including Arbor AED or APS from NETSCOUT and Corero SmartWall, for seamless, auto-mitigation options for transferring traffic from premises to the cloud. BGP and API-based integration options can be used to easily integrate any type of on-premises solution that you may have in place. 

Vercara’s Web Application Firewall, UltraWAF, provides protection at the application layer, detecting and blocking not only DDoS attacks but also unwanted web bots and application attacks such as SQLi, XSS, and CSRF.

Source: https://www.darkreading.com/cyberattacks-data-breaches/internet-archive-slowly-revives-ddos-barrage 

Source: https://www.netscout.com/blog/asert/internet-archive-under-assault  

Burning Zero Days: suspected nation-state adversary targets Ivanti CSA. 

(TLP: CLEAR) Recent reporting has identified a suspected nation-state actor chaining three vulnerabilities in the Ivanti Cloud Service Appliance (CSA) to gain unauthorized access. The attackers were able to enumerate users configured on the appliance and attempt to steal their credentials for further exploitation. The vulnerabilities in question are:

  • CVE-2024-8190: an OS command injection vulnerability in Ivanti CSA that allows a remote authenticated attacker to obtain remote code execution.
  • CVE-2024-8963: a path traversal vulnerability in Ivanti CSA that allows a remote unauthenticated attacker to access restricted functionality.
  • CVE-2024-9380: an OS command injection vulnerability in the admin web console of Ivanti CSA that allows a remote authenticated attacker with admin privileges to obtain remote code execution.

Fortinet FortiGuard Labs, the organization reporting the incident, became aware of the malicious activity after one of its customers identified unusual communication between its internal systems and a known malicious IP address. During the ensuing investigation, Fortinet’s incident response team (FGIR) found that the attackers had exploited CVE-2024-8190 in combination with CVE-2024-8963 to obtain both user and admin credentials. These credentials were then used for authenticated exploitation of CVE-2024-9380, enabling the deployment of web shells in the victim’s environment. After compromising the CSA appliance, the threat actor was also observed exploiting CVE-2024-29824, a SQL injection vulnerability in Ivanti Endpoint Manager that allows remote code execution. Additional attacker activity included creating a new user account named “mssqlsvc,” executing reconnaissance commands, and exfiltrating the results via DNS tunneling using PowerShell scripts. Furthermore, they routed traffic through the CSA appliance using an open-source tool called ReverseSocks5. According to Fortinet researchers, “The likely motive was for the threat actor to establish kernel-level persistence on the CSA device, potentially surviving even a factory reset.” In response, Ivanti has released patches for Ivanti CSA to address these critical vulnerabilities, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the aforementioned vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in early October 2024.

(TLP: CLEAR) Comments: According to reporting, Ivanti issued an advisory for CVE-2024-8190 on September 10, revealing that the vulnerability had been actively exploited in the wild and instructing its customers to apply patches immediately. Separately, Fortinet observed that the threat actor remained active within the affected customer’s network and had patched the command injection vulnerability themselves, rendering it unexploitable. This malicious activity has not been attributed to a known threat actor; however, the exploitation of several zero-day vulnerabilities before patches were available strongly suggests the involvement of a nation-state actor.
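The DNS-tunneling exfiltration mentioned in this incident is the kind of activity a resolver log review or Protective DNS layer can surface, since encoded data has to ride in query names. The Python below is an added example, not Fortinet’s, Ivanti’s, or Vercara’s code: it groups a constructed resolver log (timestamp, client, record type, query name) by client and zone and flags zones that receive many distinct, long, high-entropy leftmost labels. The log format, the thresholds, and the last-two-labels zone approximation are assumptions.

```python
"""Score resolver logs for DNS-tunneling-shaped query patterns (added example).

Assumes a constructed log line format: "<timestamp> <client> <rtype> <qname>".
"""
import math
from collections import defaultdict

# Constructed sample: three ordinary lookups, then six queries whose leftmost label
# is a 32-character hex string, the shape of an encoded exfiltration payload.
SAMPLE_LOG = """\
2024-10-11T12:00:01Z 10.0.0.5 A www.example.com
2024-10-11T12:00:02Z 10.0.0.5 A mail.example.com
2024-10-11T12:00:03Z 10.0.0.5 A cdn.example.com
2024-10-11T12:00:04Z 10.0.0.5 TXT 3a9f0c1e7b2d5846f1e0d9c8b7a65432.c2.example.net
2024-10-11T12:00:05Z 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.example.net
2024-10-11T12:00:06Z 10.0.0.5 TXT ab01cd23ef4567899876fe54dc32ba10.c2.example.net
2024-10-11T12:00:07Z 10.0.0.5 TXT 5e6f7a8b9c0d12344321d0c9b8a7f6e5.c2.example.net
2024-10-11T12:00:08Z 10.0.0.5 TXT d4e5f6a7b8c901233210c9b8a7f6e5d4.c2.example.net
2024-10-11T12:00:09Z 10.0.0.5 TXT 7b8c9d0e1f2a34566543a2f1e0d9c8b7.c2.example.net
""".splitlines()


def shannon_entropy(text):
    """Bits per character: 4.0 for evenly distributed hex, 0.0 for a label like 'www'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (zone, leftmost label), treating the last two labels as the zone.

    Assumption for the example; a public-suffix list is the production-grade choice.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None  # bare zone, no subdomain to score
    return ".".join(labels[-2:]), labels[0]


def analyze_dns_log(lines, min_unique=5, min_entropy=3.0, min_label_len=20):
    """Flag (client, zone) pairs whose leftmost labels look like encoded data."""
    stats = defaultdict(lambda: {"labels": set(), "entropy": [], "length": []})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the assumed four-field format
        _ts, client, _rtype, qname = parts
        parsed = split_query(qname)
        if parsed is None:
            continue
        zone, label = parsed
        bucket = stats[(client, zone)]
        bucket["labels"].add(label)
        bucket["entropy"].append(shannon_entropy(label))
        bucket["length"].append(len(label))

    findings = {}
    for key, b in stats.items():
        unique = len(b["labels"])
        mean_entropy = sum(b["entropy"]) / len(b["entropy"])
        mean_length = sum(b["length"]) / len(b["length"])
        # All three must hold: volume of distinct labels, randomness, and length.
        if unique >= min_unique and mean_entropy >= min_entropy and mean_length >= min_label_len:
            findings[key] = {
                "unique_labels": unique,
                "mean_entropy": round(mean_entropy, 2),
                "mean_label_len": round(mean_length, 1),
            }
    return findings


if __name__ == "__main__":
    for (client, zone), info in analyze_dns_log(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {info}")
```

The thresholds are deliberately simple. In practice, baselining per client, using a public-suffix list instead of the last-two-labels approximation, and allow-listing CDNs and telemetry services that legitimately use long random-looking hostnames keep the false-positive rate manageable.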

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.  

  • “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.  
  • “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html 

Source: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa  

RansomHub overtakes LockBit as most prolific ransomware group. 

(TLP: CLEAR) Recent intelligence reporting emphasizes the persistent threat of ransomware, with 1,255 attacks recorded in the third quarter of 2024. A significant shift during this period was the observed decline in activity from LockBit, a previously dominant actor in the ransomware space. According to reporting, in Q3 2024 LockBit listed 188 victims on its data leak site, a 47% decrease from the 353 victims claimed in the previous quarter. This decline can likely be attributed to the February 2024 law enforcement operation that targeted LockBit’s infrastructure, resulting in the seizure of several servers and the recovery of thousands of decryption keys. The operation dealt a significant blow to the group, causing affiliates to lose trust in LockBit and migrate to other ransomware groups such as RansomHub. This takedown has played a key role in the overall decrease in LockBit activity, signaling a shift in the ransomware landscape.

(TLP: CLEAR) Comments: The February 2024 takedown of LockBit’s infrastructure resulted in many of its affiliates migrating to other ransomware operations, such as RansomHub. A key driver behind RansomHub’s rapid ascent has been the influx of these former LockBit affiliates, who have used their expertise in gaining initial access and deploying ransomware to accelerate RansomHub’s growth and expand its operations quickly.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 

Source: https://www.infosecurity-magazine.com/news/ransomhub-overtakes-lockbit/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
