
Cyber Threat Intelligence Report | 12/02/2024 | PacketWatch

Written by The PacketWatch Intelligence Team | December 2, 2024

This week we briefed our clients on ransomware data exfiltration techniques, common tools, and ways to protect themselves.

KEY TAKEAWAYS

  • Review the tools and techniques used for data exfiltration by ransomware gangs and how to protect your organization from these threats. 
  • Critical and high-severity vulnerabilities in Firefox, Windows, Ubuntu Linux, Apple, Oracle, and 7-Zip. Patch now!



Ransomware Data Exfiltration Techniques

Over the past 5+ years, ransomware groups have increasingly used what is known as a double extortion model in their attacks: not only do they encrypt data on the victim's network, they also exfiltrate sensitive files to be used for extortion. Often, two separate ransom payments are demanded: one for the decryption key to recover encrypted files, and another to prevent the stolen data from being leaked online. Depending on the threat actor and the victim, these ransom demands can exceed $10 million.

As organizations have become more resilient with data backups and recovery, the overall impact of a ransomware encryption event has been reduced. Threat actors are increasingly leveraging the data theft and extortion aspect of the intrusion to apply the most pressure on their victims. Some groups, such as BianLian, are switching to a pure data theft extortion-only model.

With this shift in tactics, it is important to understand the tools these threat actors are using to accomplish data exfiltration. Last week, researchers at Sekoia published a detailed report on the tools and techniques that are being leveraged for data exfiltration. Below are some key takeaways on what tools and artifacts to look for, as well as steps on how to protect your organization from these threats.


What tools are Threat Actors using?

A common thread among the majority of these threat actors is the use of free and open-source tooling for file staging and file transfer. They use the same administrative tools found on many networks to compress file data, such as WinRAR and 7-Zip. To move data off the victim network, they use tools such as WinSCP, FileZilla, and PuTTY. The outlier here is rclone, as the presence of this tool on a corporate network almost always signifies malicious activity. PacketWatch has observed commercial and open-source remote monitoring and management (RMM) tools such as AnyDesk and Splashtop being abused for data exfiltration in addition to being used for persistence. While some threat actors do use custom tooling to facilitate these activities, the majority use these common tools because they tend to blend in with regular network activity.

Fig 1. Tools used by ransomware campaigns (Source: Sekoia Blog)


Where does the data go?

While threat actors will occasionally exfiltrate data to self-hosted infrastructure, they often use publicly available file hosting services. These include sites such as Mega, Anonfiles, and Temp.sh. These sites tend not to have any legitimate business use case and are easy to watch for. However, threat actors also leverage sites such as Dropbox that can blend in with legitimate traffic.


How to protect your Organization

There are several detection and prevention opportunities organizations can take to mitigate this threat:

  • Know where your data is - In order to protect your data, you must first understand what type of sensitive data you have, and where that data is stored. Everything from HR files (these usually contain PII), sales invoices (customer data), source code, financial documents, and databases are all common targets for these ransomware groups. Knowing where this data resides on the network allows you to put controls in place to monitor this data.
  • Know what tools are used in your environment - Administrators only need one file utility, one RMM tool, one cloud storage site, etc. Once these tools are determined, organizations can implement application allow-listing so that only pre-approved tools can be used on the network. Even when strict allow-listing cannot be implemented, it is still good practice to keep only a finite set of tools in use on the network. This way, if a threat actor installs something that is not normally seen, it will immediately raise suspicion and allow the security team to remediate it.
  • Endpoint protection - Fully up-to-date EDR tools will help mitigate the use of custom tooling. Many of the custom utilities built by ransomware groups have known signatures that will be flagged by EDR tools.
  • Network monitoring - There are several ways data exfiltration can be detected with network monitoring tools such as PacketWatch. First is through data volume. When threat actors exfiltrate data, they often take multiple gigabytes, sometimes terabytes, of data. This large volume of outbound traffic is very noticeable when compared to normal traffic baselines. Second, network tools can monitor the ports and protocols used for outbound traffic. For example, if an organization never has outbound FTP traffic and then suddenly has an outbound connection over FTP/21, this would be a sign of exfiltration. Network monitoring tools can also be used to identify anomalous RMM traffic, both through protocol analysis and destination domains. Finally, there is the traffic destination itself. Network monitoring tools can identify traffic to sites like Mega or Dropbox. Any unauthorized traffic to these sites would immediately raise suspicion and be indicative of data exfiltration.
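As an added example (not PacketWatch's or Sekoia's code), the three network signals above run as a simple triage over flow records. The per-host baselines, the flow records and the service domain names (mega.nz, anonfiles.com, temp.sh, dropbox.com) are constructed assumptions for illustration.

```python
"""Flow-log triage for the three network signals described in the report.

Added example, not PacketWatch's or Sekoia's code. Flow records and the
per-host baselines are constructed sample data; the domain list is an
assumption built from the services named in the report.
"""
from collections import defaultdict

# Constructed baseline: typical daily outbound bytes per host and the
# destination ports each host has historically used.
BASELINE_BYTES = {"10.0.0.5": 2_000_000_000, "10.0.0.9": 500_000_000}
BASELINE_PORTS = {"10.0.0.5": {443, 53}, "10.0.0.9": {443, 53, 22}}
VOLUME_FACTOR = 5  # flag when outbound volume exceeds 5x the baseline

# File-hosting services named in the report (domains are assumed).
WATCHED_DOMAINS = {"mega.nz", "anonfiles.com", "temp.sh", "dropbox.com"}

# Constructed flow records: (src_ip, dst_host, dst_port, bytes_out)
FLOWS = [
    ("10.0.0.5", "cdn.example.com", 443, 800_000_000),
    ("10.0.0.5", "files.mega.nz", 443, 14_000_000_000),  # bulk upload to Mega
    ("10.0.0.9", "203.0.113.7", 21, 30_000_000),           # first-ever FTP
    ("10.0.0.9", "api.example.com", 443, 20_000_000),
]


def triage(flows, baseline_bytes, baseline_ports, watched, factor=VOLUME_FACTOR):
    """Return a list of (src_ip, signal, detail) tuples for analyst review."""
    alerts = []
    total_out = defaultdict(int)
    for src, dst, port, nbytes in flows:
        total_out[src] += nbytes
        # Signal 2: a destination port this host has never used outbound.
        if port not in baseline_ports.get(src, set()):
            alerts.append((src, "new_port", f"{dst}:{port}"))
        # Signal 3: traffic to a file-hosting service with no business use.
        if any(dst == d or dst.endswith("." + d) for d in watched):
            alerts.append((src, "file_hosting", dst))
    # Signal 1: total outbound volume far above the host's baseline.
    for src, nbytes in total_out.items():
        base = baseline_bytes.get(src)
        if base and nbytes > factor * base:
            alerts.append((src, "volume", f"{nbytes / base:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for alert in triage(FLOWS, BASELINE_BYTES, BASELINE_PORTS, WATCHED_DOMAINS):
        print(alert)
```

A host with no baseline entry is never flagged on volume, so baselines must cover every host before this check is trusted.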

Vulnerability Roundup


Firefox & Windows 0-days Actively Exploited

Researchers at ESET recently reported that a Russia-aligned threat actor known as RomCom has been actively exploiting two vulnerabilities, one in the Firefox web browser and one in Microsoft Windows, to deploy their RomCom backdoor malware. The first vulnerability, CVE-2024-9690, is a use-after-free bug in the Firefox, Thunderbird, and Tor browsers that allows code execution in the context of the web browser. This is then chained with a second vulnerability, CVE-2024-49039, a privilege escalation vulnerability in the Microsoft Windows Task Scheduler, which allows the exploit from the first vulnerability to be run in the context of the logged-in user. Users are urged to patch their web browsers to the following versions or higher:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1
  • Tor Browser 13.5.7
  • Tails 6.8.1
  • Thunderbird 115.16
  • Thunderbird 128.3.1
  • Thunderbird 131.0.1

The Windows Task Scheduler vulnerability was addressed in Microsoft's November Patch Tuesday release.


Multiple Privilege Escalation Vulnerabilities Discovered in Ubuntu Linux

Researchers at Qualys disclosed 5 new privilege escalation vulnerabilities in a Linux utility called 'needrestart'. This utility has been installed by default on Ubuntu Server instances since version 21.04. The vulnerabilities in the needrestart utility were initially introduced in version 0.8, which was released in April 2014. Per the Qualys report, the vulnerabilities can be exploited by any unprivileged user to gain root access without any other user interaction. The vulnerabilities, tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, have been fixed in needrestart version 3.8. Administrators are urged to update as soon as possible. If updates cannot be applied in a timely manner, a workaround is available: disable the "interpreter heuristic" by setting the following line in the needrestart config file, /etc/needrestart/needrestart.conf:

$nrconf{interpscan} = 0;


Apple Vulnerabilities Actively Exploited in the Wild

Apple recently released security updates for a pair of vulnerabilities that have been actively exploited against Intel-based Mac systems. The flaws are tracked as CVE-2024-44308, a vulnerability in JavaScriptCore that could lead to code execution when processing malicious web content, and CVE-2024-44309, a cookie management vulnerability in WebKit that could lead to cross-site scripting (XSS) attacks. Patches were included in the following updates:

  • iOS 18.1.1 and iPadOS 18.1.1
  • iOS 17.7.2 and iPadOS 17.7.2
  • macOS Sequoia 15.1.1
  • visionOS 2.1.1
  • Safari 18.1.1


Oracle PLM Vulnerability Actively Exploited

Oracle recently disclosed CVE-2024-21287, an authentication flaw in their Agile Product Lifecycle Management (PLM) Framework that has been exploited in the wild. Per the advisory, the vulnerability may be exploited over a network without the need for a username and password. Successful exploitation can lead to file disclosure. The vulnerability affects Oracle Agile PLM Framework version 9.3.6. Administrators are urged to patch as soon as possible.


7-Zip Fixes RCE Vulnerability

Trend Micro's Zero Day Initiative recently disclosed a vulnerability in the popular file compression utility 7-Zip. The flaw, tracked as CVE-2024-11477, is an integer underflow vulnerability that can allow code execution in the context of the affected process. Attackers can exploit this by tricking users into opening specially crafted archive files. Users are strongly encouraged to upgrade to 7-Zip version 24.07 or later as soon as possible, or to remove this application entirely if it does not serve a legitimate business use case, as this tool is often leveraged by threat actors.


This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.


NOTE
We may have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.