Cyber Threat Intelligence Report | 12/16/2024 | PacketWatch

Written by The PacketWatch Intelligence Team | December 16, 2024

This week we briefed our clients on how to detect and prevent Zloader malware and combat Citrix NetScaler password spray attacks.

 

KEY TAKEAWAYS

  • Zloader malware, derived from the Zeus banking trojan, is a popular initial access vector for ransomware gangs. Learn the latest detection and prevention strategies.
  • Citrix warns of widespread password spray attacks against NetScaler infrastructure. Learn mitigation strategies for these attacks.
  • Critical and high-severity vulnerabilities in Windows LDAP, Cleo MFT solutions, and Veeam Service Provider Console. Patch now!


 

From Zeus to Zloader

Researchers from Zscaler's ThreatLabz recently published detailed research on the latest variant of Zloader. Zloader is a trojan derived from the leaked source code of the infamous Zeus banking trojan. It is now used primarily for initial access, allowing threat actors to gain a foothold in the target environment that can then be leveraged to deploy ransomware. Zloader is a popular initial access tool for the Black Basta ransomware gang.

 

How is it Delivered?

Initial access brokers that use Zloader have shifted to more focused, personalized social engineering attacks to trick users into installing the malware. These attacks go beyond a well-crafted spearphishing email and include targeted phone calls to build rapport with the target. During these calls, the threat actor first convinces the user to establish a remote access session using a common Remote Monitoring and Management (RMM) tool such as AnyDesk, TeamViewer, or Microsoft Quick Assist. Once this RMM session is established, the threat actor deploys an additional piece of malware known as GhostSocks, which facilitates the download and installation of Zloader. This attack chain is shown in the image below:

 

Fig 1. Zloader Infection Chain | Source: Zscaler

 

Detection and Prevention Strategies

The report highlights several details and behaviors of Zloader that can be used for detection and prevention opportunities:

  • When communicating with its command and control (C2) infrastructure, it uses POST requests over HTTPS. These requests carry a highly unusual and specific User-Agent string: "PresidentPutin".
  • The HTTPS POST requests also include a header field called "Rand", whose value is a random string of alphabetic characters between 32 and 255 characters long. This causes the packet size to vary between requests.
  • It has additional C2 communication capabilities via DNS tunneling. These DNS requests have the following format:
    • [prefix].[header].[payload].[zloader_nameserver_domain]
    • Example: cdn.90baf13f03000000040003000000.160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77.0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023.c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer[.]com
  • Analysis of the known C2 domains and IP infrastructure shows a preference for AS 210644 (AEZA International LTD).
    • PW query: as.number:210644
  • Train users to never download software or click links sent by unsolicited emails or phone calls.
  • Ensure up-to-date EDR solutions are deployed to every possible endpoint.
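The HTTP and DNS indicators above translate directly into log-side checks. The Python below is an added example, not code from Zscaler or PacketWatch: it flags request records carrying the "PresidentPutin" User-Agent or an all-alphabetic Rand header of 32 to 255 characters, and scores DNS query names both against the nameserver domain quoted above and against an assumed structural heuristic (several long hexadecimal labels inside a long name) that approximates the [prefix].[header].[payload].[zloader_nameserver_domain] layout. The record layout, the heuristic thresholds, and all sample traffic other than the quoted query are constructed for this example.

```python
"""Detection helpers for the Zloader C2 traits listed in the report.

Added example, not Zscaler's or PacketWatch's code. Request records are
constructed; the DNS query and nameserver domain are the ones quoted above.
"""
from __future__ import annotations

import re

# Indicators quoted in the report
ZLOADER_USER_AGENT = "PresidentPutin"
RAND_HEADER_RE = re.compile(r"[A-Za-z]{32,255}")
KNOWN_NS_DOMAINS = {"brownswer.com"}      # defanged in the report as brownswer[.]com
SAMPLE_DNS_QUERY = ("cdn.90baf13f03000000040003000000"
                    ".160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77"
                    ".0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023"
                    ".c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer[.]com")

# Heuristic thresholds (assumed) for the [prefix].[header].[payload].[ns_domain] shape
HEX_LABEL_RE = re.compile(r"[0-9a-f]{16,63}")
MIN_HEX_LABELS = 2
MIN_QNAME_LEN = 100


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as brownswer[.]com back into a real name."""
    return indicator.replace("[.]", ".")


def http_findings(request: dict) -> list[str]:
    """Return the Zloader C2 traits present in one constructed request record.

    `request` is {"method": ..., "headers": {name: value}}; header names are
    matched case-insensitively.
    """
    findings = []
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if request.get("method") == "POST" and headers.get("user-agent") == ZLOADER_USER_AGENT:
        findings.append("user-agent PresidentPutin")
    rand = headers.get("rand")
    if rand is not None and RAND_HEADER_RE.fullmatch(rand):
        findings.append(f"Rand header with {len(rand)} alphabetic chars")
    return findings


def dns_findings(qname: str) -> list[str]:
    """Return why a query name looks like Zloader DNS tunnelling (empty if it does not)."""
    name = refang(qname).rstrip(".").lower()
    findings = []
    # Known infrastructure: the nameserver domain itself or any subdomain of it
    for ns in KNOWN_NS_DOMAINS:
        if name == ns or name.endswith("." + ns):
            findings.append(f"query under known Zloader nameserver domain {ns}")
    # Structural heuristic: several long hex labels carrying header and payload
    hex_labels = [lbl for lbl in name.split(".") if HEX_LABEL_RE.fullmatch(lbl)]
    if len(hex_labels) >= MIN_HEX_LABELS and len(name) >= MIN_QNAME_LEN:
        findings.append(f"{len(hex_labels)} long hex labels in a {len(name)}-char qname")
    return findings


def scan(http_records: list[dict], dns_queries: list[str]) -> dict[str, list[str]]:
    """Run both checks and return {record id: findings} for every record that hit."""
    hits = {}
    for i, rec in enumerate(http_records):
        if found := http_findings(rec):
            hits[f"http#{i}"] = found
    for i, query in enumerate(dns_queries):
        if found := dns_findings(query):
            hits[f"dns#{i}"] = found
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: one Zloader-like POST, one benign GET, two queries
    sample_http = [
        {"method": "POST", "headers": {"User-Agent": "PresidentPutin", "Rand": "q" * 64}},
        {"method": "GET", "headers": {"User-Agent": "Mozilla/5.0", "Rand": "abc123"}},
    ]
    sample_dns = [SAMPLE_DNS_QUERY, "www.example.com"]
    for key, reasons in scan(sample_http, sample_dns).items():
        print(key, "->", "; ".join(reasons))
```

The User-Agent and Rand checks are high-fidelity because the values are so specific; the structural DNS heuristic is deliberately loose and will also fire on some legitimate services that use long hexadecimal labels, so treat it as a lead to tune against your own DNS baseline rather than a standalone alert.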

 

Resources:

 

Citrix NetScaler Password Spray Attacks

Citrix Cloud Software Group issued a blog highlighting an increase in password spray attacks against NetScaler and NetScaler Gateway devices. Password spray attacks differ from traditional brute-force attacks: instead of targeting a single account with many passwords, the threat actor targets many accounts with a small set of common passwords. While these attacks typically have a low enough volume to go unnoticed by many security tools or alerting rules, the volume observed in these attacks was high enough to cause performance issues and even crash devices. The observed attacks originated from a broad range of dynamic IP addresses, which makes traditional blocking strategies ineffective. Additionally, these attacks mostly target "pre-nFactor" endpoints.

Citrix has the following recommendations to combat these attacks:

  • Ensure multi-factor authentication (MFA) is enabled for Gateway and that the MFA verification factor is configured before the LDAP factor.
  • Create a responder policy to allow requests only for the fully qualified domain name (FQDN) of the device as the password spray attacks are targeting IP addresses.
  • Create a responder policy to block the following endpoints if not utilizing historic pre-nFactor basic/classic authentication:
    • /cgi/login
    • /p/u/doAuthentication.do
    • /p/u/getAuthenticationRequirements.do
  • Enable IP reputation to automatically block requests from known bad IP addresses.
  • Commands for creating the responder policies and enabling IP reputation can be found in the Citrix blog here.
  • As with all password-related attacks, the following steps should also be implemented:
    • Ensure strong, random passwords are used on each account.
    • Ensure passwords are unique across each site.
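The pattern Citrix describes (many accounts, a few guesses each, many source addresses, aimed at the appliance's IP address and at pre-nFactor paths) can be checked from authentication logs as well as blocked on the appliance. The Python below is an added example and not Citrix's code: it assumes a simplified event record (timestamp, source IP, Host header, path, account, result), an assumed Gateway FQDN of gateway.example.com, assumed detection thresholds, and constructed traffic. The three endpoint paths come from the Citrix guidance above.

```python
"""Log-side checks for the NetScaler password-spray pattern in the report.

Added example, not Citrix's code. Event layout, the Gateway FQDN and the
thresholds are assumed; the endpoint paths come from the Citrix guidance.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Pre-nFactor endpoints named in the Citrix guidance
PRE_NFACTOR_ENDPOINTS = {
    "/cgi/login",
    "/p/u/doAuthentication.do",
    "/p/u/getAuthenticationRequirements.do",
}
GATEWAY_FQDN = "gateway.example.com"   # assumed name of our own Gateway vserver


@dataclass(frozen=True)
class AuthEvent:
    """One constructed authentication attempt as seen in an access log."""
    ts: int          # epoch seconds
    src_ip: str
    host: str        # Host header the client sent
    path: str
    user: str
    success: bool


def host_is_ip_literal(host: str) -> bool:
    """True if the client addressed the Gateway by IP rather than by FQDN."""
    bare = host
    if bare.startswith("["):            # [v6]:port or [v6]
        bare = bare[1:].split("]", 1)[0]
    elif bare.count(":") == 1:          # v4:port or name:port
        bare = bare.split(":", 1)[0]
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        return False
    return True


def request_findings(ev: AuthEvent) -> list[str]:
    """Traits of one request that the responder policies above would block."""
    findings = []
    if host_is_ip_literal(ev.host):
        findings.append(f"addressed to IP literal {ev.host}, not {GATEWAY_FQDN}")
    if ev.path in PRE_NFACTOR_ENDPOINTS:
        findings.append(f"pre-nFactor endpoint {ev.path}")
    return findings


def detect_spray(events, window=300, min_accounts=10, max_per_account=2) -> list[dict]:
    """Flag fixed windows where many accounts each fail only a few times.

    A brute force (one account, many failures) deliberately does not match
    here; that needs a separate per-account rule.
    """
    buckets = defaultdict(list)
    for ev in events:
        if not ev.success:
            buckets[ev.ts // window].append(ev)
    alerts = []
    for bucket, fails in sorted(buckets.items()):
        per_user = Counter(ev.user for ev in fails)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alerts.append({
                "window_start": bucket * window,
                "accounts": len(per_user),
                "failures": len(fails),
                "source_ips": len({ev.src_ip for ev in fails}),
            })
    return alerts


def sample_events() -> list[AuthEvent]:
    """Constructed traffic: a 12-account spray from 12 addresses, then a normal login."""
    base = 1_734_300_000                 # arbitrary epoch, mid-December 2024
    spray = [
        AuthEvent(base + i * 5, f"198.51.100.{i + 1}", "203.0.113.10",
                  "/cgi/login", f"user{i:02d}", False)
        for i in range(12)
    ]
    normal = AuthEvent(base + 900, "192.0.2.7", GATEWAY_FQDN,
                       "/logon/LogonPoint/index.html", "alice", True)
    return spray + [normal]


if __name__ == "__main__":
    events = sample_events()
    for ev in events:
        for reason in request_findings(ev):
            print(f"{ev.src_ip} {ev.user}: {reason}")
    for alert in detect_spray(events):
        print("spray:", alert)
```

The "source_ips" count in each alert is the number to watch: a spray that rotates through many dynamic addresses, as Citrix observed, will show a source count close to the account count, which is exactly why per-IP blocking or rate limiting alone falls short and the FQDN-only and endpoint-blocking responder policies matter.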

Resources:

 

Vulnerability Roundup

 

Windows LDAP RCE

As part of its December Patch Tuesday release, Microsoft disclosed a critical remote code execution (RCE) vulnerability in the Windows LDAP service, tracked as CVE-2024-49112. Per the advisory, this vulnerability can be exploited via a specially crafted set of LDAP calls, leading to code execution in the context of the LDAP service, which runs as SYSTEM. Administrators are urged to apply this patch as soon as possible. If unable to apply the patch immediately, administrators are strongly urged to ensure domain controllers are not exposed to the internet, or to block inbound RPC from untrusted networks.

 

Cleo MFT Software Exploited in the Wild Even After Patch

Last week, Cleo, a software company with a suite of file transfer and management products (LexiCom, VLTrader, Harmony), issued an advisory to address CVE-2024-50623, a vulnerability in its MFT products that allows unauthenticated remote code execution. Shortly after the patch was released, security researchers from Huntress found that the patch does not fully remediate the issue and that the vulnerability is still being actively exploited in the wild. All versions of Cleo Harmony, VLTrader, and LexiCom up to and including 5.8.0.21 are vulnerable. The vulnerability is now tracked as CVE-2024-55956, and Cleo has released a new patch, version 5.8.0.24. Administrators are strongly encouraged to move any internet-exposed Cleo systems behind a firewall until the patch is applied.

 

Veeam Service Provider Console Critical RCE

Earlier this month, Veeam issued a security advisory detailing CVE-2024-42448, a critical RCE vulnerability in the Veeam Service Provider Console affecting version 8.1.0.21337 and all earlier version 8 and 7 builds. Per the advisory, "from the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform RCE on the VSPC server machine." There are no known mitigations for this vulnerability; administrators are urged to apply the latest cumulative patch.




 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.