Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 10/21/2024 | PacketWatch

Written by The PacketWatch Intelligence Team | October 21, 2024

This week we briefed our clients on Part 2 of our Cybersecurity Awareness Back to Basics series and how threat actors are using EDRSilencer to attack.
KEY TAKEAWAYS

  • Cybersecurity Awareness Month – Review the fundamentals: auditing, backups, and (mis)configurations. Learn how basic cybersecurity steps can go a long way toward preventing major cyber attacks.
  • EDRSilencer red team tool leveraged in real world attacks. Find out which tools are affected and how to protect your organization.
  • Critical and high-severity vulnerabilities in Kubernetes, FortiOS, and Veeam. Patch now!

Cybersecurity Awareness Month: Back to Basics - Part Deux

In this second installment of "Back to Basics", we will look at some additional simple yet often overlooked aspects of cybersecurity. These can play a crucial role in preventing or reducing the impact of a cybersecurity incident.

Auditing

As organizations age and grow, user counts grow higher, networks get bigger, and more systems come online. Inevitably, staff with detailed knowledge of the network leave or retire, employees quit, and systems change. Over time, accounts and devices are forgotten, ports are left open, and documentation becomes outdated. Routinely auditing different aspects of the network will help keep documentation up to date and maintain network hygiene.

  • Users - Ensure accounts in Active Directory are for active users only. Employees who have left the company should no longer have accounts or access to any systems (including 3rd party assets). For active users, ensure each user is assigned to the proper group and only has enough permissions to complete their work (least privilege). Administrative access should be delegated to as few accounts as possible. Additionally, all service accounts should be documented and reviewed on a regular basis. All service accounts should have unique, strong passwords, and these accounts should also be configured with least privilege principles.
  • Third parties - 3rd-party applications are often overlooked from a security perspective. Review who your 3rd-party vendors and applications are, who has access to them, and what permissions they have. Once again, users assigned accounts to 3rd-party applications should also be configured with least privilege principles. 3rd party vendors, especially those with access to sensitive data, should also meet at least a minimum standard of security within their own environment.
  • Endpoints - Ensure all endpoints have EDR coverage and have the proper Group Policy Objects (GPOs) applied. Rogue or unmanaged devices on the network are a blind spot for security and IT and give threat actors a way to persist on the network undetected.
  • Network (Firewall rules/network segmentation) - Routinely review firewall rules to ensure proper access control rules are always in place. It is often the case where a set of systems on a subnet will be swapped out for a different system using different ports and services, but the firewall rules remain either unchanged, or new ports are opened but the old ones are not closed. Only ports and services that are absolutely necessary to the function of the system should be open. Additionally, review network segmentation to ensure only systems that are supposed to talk to each other can talk to each other. Can the Guest WiFi network reach the Active Directory servers directly? Can the HR system directly connect to production servers?
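The user-account checks above (stale accounts, departed employees still enabled, admin access spread beyond the documented holders, service accounts with old passwords) can be scripted against an export of your directory. The following is an added example, not PacketWatch's code: it runs the checks over a constructed, inline set of accounts. In practice the records would come from an export such as Get-ADUser piped to Export-Csv, and the approved-admin list and thresholds are assumptions you would replace with your own documentation.

```python
"""Audit a constructed directory export for the hygiene issues listed above.
Added example; the accounts, thresholds and approved-admin list are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

REFERENCE_DATE = date(2024, 10, 21)   # fixed "today" so the run is reproducible
STALE_DAYS = 90                        # no logon in this many days -> stale (assumed threshold)
SERVICE_PASSWORD_MAX_DAYS = 365        # service-account password older than this -> flag (assumed)

# Hypothetical documented holders of Domain Admin rights; keep this in your own records.
APPROVED_ADMINS = {"it.admin.jsmith", "it.admin.akumar"}


@dataclass
class Account:
    sam: str                       # sAMAccountName
    enabled: bool
    last_logon: Optional[date]     # None = never logged on
    password_last_set: date
    groups: FrozenSet[str]
    is_service: bool
    employment_status: str         # "active", "departed", or "n/a" for service accounts


# Constructed sample export (not real users)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2024, 10, 18), date(2024, 8, 1), frozenset({"Domain Users"}), False, "active"),
    Account("bwayne", True, date(2024, 5, 2), date(2024, 1, 15), frozenset({"Domain Users"}), False, "departed"),
    Account("it.admin.jsmith", True, date(2024, 10, 20), date(2024, 9, 1), frozenset({"Domain Users", "Domain Admins"}), False, "active"),
    Account("contractor.old", True, None, date(2023, 2, 1), frozenset({"Domain Users"}), False, "active"),
    Account("helpdesk.tmp", True, date(2024, 10, 1), date(2024, 3, 3), frozenset({"Domain Users", "Domain Admins"}), False, "active"),
    Account("svc_backup", True, date(2024, 10, 21), date(2021, 6, 30), frozenset({"Domain Users", "Domain Admins"}), True, "n/a"),
    Account("svc_scanner", True, date(2024, 10, 21), date(2024, 7, 1), frozenset({"Domain Users"}), True, "n/a"),
    Account("old.disabled", False, date(2022, 1, 1), date(2021, 1, 1), frozenset({"Domain Users"}), False, "departed"),
]


def audit(accounts: List[Account], today: date = REFERENCE_DATE) -> Dict[str, List[str]]:
    """Return account names grouped by finding. Disabled accounts are skipped:
    they cannot be used to log on, so the review focuses on enabled ones."""
    findings: Dict[str, List[str]] = {
        "stale": [], "departed_enabled": [], "unapproved_admin": [], "service_old_password": [],
    }
    stale_cutoff = today - timedelta(days=STALE_DAYS)
    svc_cutoff = today - timedelta(days=SERVICE_PASSWORD_MAX_DAYS)
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_logon is None or a.last_logon < stale_cutoff:
            findings["stale"].append(a.sam)
        if a.employment_status == "departed":
            findings["departed_enabled"].append(a.sam)
        if "Domain Admins" in a.groups and a.sam not in APPROVED_ADMINS:
            findings["unapproved_admin"].append(a.sam)
        if a.is_service and a.password_last_set < svc_cutoff:
            findings["service_old_password"].append(a.sam)
    return findings


if __name__ == "__main__":
    for category, names in audit(SAMPLE_ACCOUNTS).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Note that the service account svc_backup appears in two categories at once: it holds Domain Admin rights that nobody documented and its password has not changed in years, which is exactly the combination the section warns about.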

Backups

Data backup solutions are one of the most effective ways to reduce the potential damage of a ransomware incident. Critical data should be backed up regularly, and the data should ideally be stored in multiple locations (on-site and off-site). Once a backup solution is in place, it is also important to regularly test the backup solution. It is often the case where after a ransomware incident, the organization will attempt to restore from backup only to discover that the backups don't work or that the data is corrupted. Regularly testing the backup and restore process helps ensure that the solution meets the organization's needs and will reduce the time for restoration in the event of a ransomware attack.

Additionally, having a "Gold Image" for endpoint restoration will greatly reduce the time to recovery. These images should also be updated on a regular basis to fit the needs of the organization.
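One concrete way to make the restore test described above repeatable is to record a hash manifest of the data at backup time and compare a test restore against it, so a silently corrupted or missing file is caught before you need the backup for real. This is an added example, not PacketWatch's code or any backup vendor's feature; the directory names are hypothetical and the demo builds a tiny source tree, a good restore and a damaged restore in a temporary directory so it runs offline.

```python
"""Record a SHA-256 manifest of a backup set and verify a restore against it.
Added example; paths and file contents are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root.
    Store this manifest with the backup job's records, not only on the backed-up host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    # Files that were not in the backup set point at a restore from the wrong job or image.
    for p in restored.rglob("*"):
        if p.is_file() and p.relative_to(restored).as_posix() not in manifest:
            result["unexpected"].append(p.relative_to(restored).as_posix())
    return result


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build constructed data, take a manifest, then verify a good and a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"          # hypothetical share being backed up
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1001,42\n")
        (src / "readme.txt").write_bytes(b"constructed sample data\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"        # byte-for-byte copy, as a restore should be
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"          # one file silently altered, one missing
        shutil.copytree(src, bad)
        (bad / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1001,0\n")
        (bad / "readme.txt").unlink()

        return {"good": verify_restore(good, manifest), "bad": verify_restore(bad, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A size or timestamp comparison would have passed the damaged ledger above because its length and modification time look plausible; the content hash is what catches it. Run the verification on a scheduled test restore, not on the live data, so the exercise also proves the restore procedure itself works end to end.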

(Mis)configurations

Threat actors will often exploit misconfigurations to achieve their goals. This often includes default passwords on network devices (admin:admin) and open ports and services that are unused or unnecessary (RDP exposed to the internet). Misconfigurations also include improper setup of security tools, such as not enabling "prevent" mode on EDR or IDS/IPS solutions. It is often the case where a security tool will identify malicious behavior, but due to improper configuration, the tool will either not alert at all, or simply send a notification that malicious activity is occurring without doing anything to block or prevent it. Spending the extra time to properly tune and configure security devices will help the organization get the maximum benefit from their investment.

EDRSilencer Tool Used to Bypass EDR in Recent Attacks

Trend Micro recently released a report detailing how threat actors are now leveraging a red team tool called EDRSilencer in their attacks. EDRSilencer leverages the Windows Filtering Platform (WFP) to create firewall rules on the target endpoint to block the EDR tool's ability to communicate with its management server. This effectively prevents the EDR tool from being able to send telemetry or alerts to the management console, hiding threat actor activity from the security team.

At the time of this writing, EDRSilencer works against 16 major EDR tools, including Carbon Black, Cisco Secure Endpoint, Microsoft Defender, and SentinelOne. A full list of EDR tools can be found here. Notably, CrowdStrike Falcon is not affected by this tool.

Additional ways to protect your organization:

  • Have proper network segmentation to isolate critical systems and prevent lateral movement.
  • Implement defense-in-depth strategies - Have multiple layers of security controls in addition to EDR protection, such as firewalls and network monitoring tools (such as PacketWatch).
  • Application whitelisting - Only allow previously approved applications to run on a host. This will prevent many types of malware from executing.
  • Proactive threat hunting - Continuously hunt for indicators of compromise or suspicious activity on the network.
  • Least privilege - Ensure users and applications only have the access required to do their job.
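Because the technique described above works by adding WFP filters rather than by stopping the sensor process, a host-side check is to enumerate the filters and flag any BLOCK filter whose application condition points at an EDR binary. The following is an added example, not PacketWatch's or Trend Micro's code. Its input is a constructed, simplified stand-in for the XML that `netsh wfp show filters` writes; real dumps are much larger and carry the application ID as a binary blob alongside the readable path, so the element names used here are assumptions and the lookups should be adapted to your own export. The list of sensor binaries is also an assumption and is deliberately short.

```python
"""Flag WFP filters that would block an EDR sensor's own network traffic.
Added example; the XML below is constructed and simplified, not a real dump."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Sensor binaries a defender would watch (assumed, non-exhaustive; add your EDR's own services).
EDR_BINARIES = {"msmpeng.exe", "sentinelagent.exe", "cb.exe", "sfc.exe"}

# Layers at which an outbound connection is authorised; a block here stops telemetry leaving the host.
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

SAMPLE_FILTERS_XML = r"""<wfpdiag>
<filters>
  <item>
    <filterKey>{a1b2c3d4-0000-4000-8000-000000000001}</filterKey>
    <displayData><name>Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <filterKey>{a1b2c3d4-0000-4000-8000-000000000002}</filterKey>
    <displayData><name>Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><asString>\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe</asString></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <filterKey>{a1b2c3d4-0000-4000-8000-000000000003}</filterKey>
    <displayData><name>Allow sensor</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <filterKey>{a1b2c3d4-0000-4000-8000-000000000004}</filterKey>
    <displayData><name>Block browser</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><asString>\device\harddiskvolume3\program files\google\chrome\application\chrome.exe</asString></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <filterKey>{a1b2c3d4-0000-4000-8000-000000000005}</filterKey>
    <displayData><name>Inbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></conditionValue>
    </item></filterCondition>
  </item>
</filters>
</wfpdiag>"""


def _basename(nt_path: str) -> str:
    """Last component of an NT-style path, lower-cased for comparison."""
    return nt_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_edr_block_filters(xml_text: str) -> List[Dict[str, object]]:
    """Return every BLOCK filter whose application condition names an EDR binary.
    The filter's display name is ignored on purpose: it is attacker-chosen."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for flt in root.findall("filters/item"):          # direct children only; conditions also use <item>
        if flt.findtext("action/type", default="") != "FWP_ACTION_BLOCK":
            continue
        layer = flt.findtext("layerKey", default="")
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            process = _basename(cond.findtext("conditionValue/asString", default=""))
            if process in EDR_BINARIES:
                findings.append({
                    "filterKey": flt.findtext("filterKey", default=""),
                    "name": flt.findtext("displayData/name", default=""),
                    "layer": layer,
                    "outbound": layer in CONNECT_LAYERS,
                    "process": process,
                })
    return findings


if __name__ == "__main__":
    for f in find_edr_block_filters(SAMPLE_FILTERS_XML):
        print(f"{f['filterKey']} {f['layer']} blocks {f['process']} (outbound={f['outbound']})")
```

The check keys on the action and the application condition, not on the filter's name, since the name is whatever the tool's operator chose. The two filters at the connect layers are the ones that match the behaviour described in the section; the inbound one is still reported because no legitimate configuration should block the sensor at all. To get the same signal from the Security log instead of a point-in-time dump, enable the "Audit Filtering Platform Policy Change" subcategory so that filter additions are written as event ID 5447, and treat a sensor that the management console shows as silent while the host is otherwise online as a second, independent indicator.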

Vulnerability Roundup

Critical Vulnerability in Kubernetes

An issue was discovered in virtual machines created with Kubernetes Image Builder version 0.1.37 or earlier, where VMs are assigned default credentials during the image building process. This allows for threat actors to SSH into the VM and gain root access if the credentials were not manually disabled. Per the advisory, VMs built with the Proxmox provider are vulnerable to this issue, whereas VMs built with the Nutanix, OVA, QEMU or raw providers are only vulnerable if the threat actor gains access to the VM during the build process. This issue is tracked as CVE-2024-9486. Administrators are urged to rebuild VMs with Kubernetes Image Builder 0.1.38 or later, or manually disable the "builder" account with the command: 'usermod -L builder'.

Critical FortiOS RCE Exploited in the Wild

CISA recently added CVE-2024-23113 to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability is an unauthenticated remote code execution (RCE) vulnerability in Fortinet's FortiOS that affects multiple products. See the FortiGuard advisory for a full listing of products. This vulnerability was initially disclosed in February 2024. Administrators are urged to ensure that vulnerable Fortinet products are fully patched.

Veeam Vulnerability Exploited to Spread Ransomware

A critical vulnerability in Veeam Backup & Replication is now confirmed to be exploited by Fog and Akira ransomware groups. The vulnerability, tracked as CVE-2024-40711, was disclosed in early September, and affects Veeam Backup & Replication builds 12.1.2.172 and earlier. Per a security bulletin from Sophos, in each ransomware case observed, threat actors gained initial access via insecure VPN gateways that did not have multifactor authentication (MFA) enabled. Administrators are urged to update to the latest Veeam version as soon as possible.

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.