Cyber Threat Intelligence Briefing - February 12, 2024

Welcome back for another bi-weekly threat intelligence report from PacketWatch. This week, we cover the VexTrio traffic broker, Kasseika BYOVD, and a vulnerability roundup.

Incident Response: Where the Wild Logs Are

Scenario: You are the IT administrator for a small to medium-sized business. On a Monday morning, you arrive at work only to find that all of your production servers have been encrypted with ransomware.

You hire an Incident Response (IR) firm to assist in removing the threat actor from your environment and help restore your network to working order.

To assess the totality of the intrusion and identify the full extent of threat actor activity in your network, the IR firm requests logs from multiple devices, including the firewall, the virtual machine environment, and several servers.

However, due to limited budgets, your organization does not have central logging, so logs are to be found on each individual device.

How do you pull useful logs from all of these devices?

The scenario described above is unfortunately very common.

In many environments, central logging does not exist, and logs are stored on each individual device. This can lead to many pitfalls and headaches during an IR engagement.

First, most devices only store logs for a short period of time (1 - 7 days). In many cases, this window is too short to hold the data relevant to the incident. If the threat actor's dwell time exceeds the log retention period, that data is simply lost, and the investigation will never be able to paint an accurate picture of threat actor activity.

Second, many devices from a wide range of manufacturers have extremely poor documentation, especially when it comes to manually retrieving logs. This is further exacerbated when the device is end-of-life and no longer supported by the manufacturer.

How To Protect Your Organization

The simple answer is practice.

For example, common practice for data backup retention is to not just regularly take data backup snapshots, but also practice restoring these snapshots to ensure their validity. This is done so that if the organization is ever impacted by ransomware, the organization can confidently restore their data because they have practiced this process. This same level of preparation can be done with logs.

  • Take the time to gather documentation from your vendors.
  • Practice pulling logs from critical devices such as your firewall, web gateway, ESXi servers, Windows and Linux servers.
  • Document what the log retention is for each of these devices. Understand what type of data can be gathered from them.
  • If the available logs are not sufficient for your needs, work with the vendor to find an appropriate solution.

Taking the time to document and practice these procedures before an incident will greatly reduce the impact, stress, and time-to-containment of a major security incident.
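One way to turn the "document your retention" step into a repeatable check, as an added example that is not from the PacketWatch post: pull a log export from each device and measure how far back it actually reaches, then compare that against the dwell time an investigation would need to cover. Device names, log lines, and the leading timestamp format are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed exports: syslog-style lines per device, each assumed to begin with
# a "YYYY-MM-DD HH:MM:SS" timestamp (real devices vary; adjust parse_ts per vendor).
EXPORTS = {
    "firewall": [
        "2024-02-10 08:00:01 policy=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
        "2024-02-12 07:59:40 policy=deny src=198.51.100.7 dst=10.0.0.5 dport=3389",
    ],
    "esxi-01": [
        "2024-01-25 02:14:09 hostd User root@10.0.0.9 logged in",
        "2024-02-12 06:30:00 hostd VM prod-db powered on",
    ],
    "win-dc": [
        "2024-02-11 23:00:00 Security 4624 logon type 10 user admin",
        "line without a usable timestamp",
        "2024-02-12 07:00:00 Security 4624 logon type 3 user svc_backup",
    ],
}

def parse_ts(line):
    """Leading timestamp of a line, or None if it does not carry one."""
    try:
        return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None

def coverage_report(exports, incident_end, suspected_dwell_days):
    """For each device: (days of history actually present, whether the oldest
    entry predates incident_end minus the suspected dwell time)."""
    needed = parse_ts(incident_end) - timedelta(days=suspected_dwell_days)
    report = {}
    for device, lines in exports.items():
        stamps = [t for t in map(parse_ts, lines) if t is not None]
        if not stamps:
            report[device] = (0.0, False)   # nothing parseable: treat as no coverage
            continue
        days = (max(stamps) - min(stamps)).total_seconds() / 86400
        report[device] = (round(days, 1), min(stamps) <= needed)
    return report

if __name__ == "__main__":
    # Suppose the IR firm suspects two weeks of dwell before the 2024-02-12 encryption.
    for dev, (days, ok) in coverage_report(EXPORTS, "2024-02-12 08:00:00", 14).items():
        print(f"{dev:9s} {days:5.1f} days on box  {'covers' if ok else 'MISSES'} dwell window")
```

Run it against real exports before an incident and the devices that report "MISSES" are the ones to take to the vendor, per the last bullet above.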

The Ballad of AnyDesk: What We Know So Far

Earlier this month, there was a lot of confusion and uncertainty surrounding the popular remote desktop software maker AnyDesk.

There was an extended maintenance outage from January 29 to February 1, and it was also discovered that AnyDesk had revoked their code signing certificate and replaced it with a new one.

On February 2, AnyDesk released an official statement confirming a security incident. AnyDesk also released a follow-up statement on February 5. According to the developer, there is no evidence that end-user devices were affected.

In addition to revoking previous code signing certificates, they revoked all previous passwords for the my.anydesk.com web portal out of an abundance of caution.

They recommend users change passwords if those same credentials were used elsewhere. AnyDesk also states that the newest versions of their software, 7.0.15 and 8.0.8, are safe to use. Administrators are strongly encouraged to update AnyDesk to these newer versions.

To search for instances of AnyDesk across your environment, use the PacketWatch and CrowdStrike queries below:

http.host:(*.anydesk.com*) OR dns.host:(*.anydesk.com) OR destination port:6568

index=main event_simpleName=ProcessRollup2 AND (CommandLine IN (*anydesk*) OR ParentBaseFileName=*anydesk.exe OR ImageFileName=*anydesk.exe) | stats count by company, aid, ComputerName, ParentBaseFileName, ImageFileName, CommandLine

Note: These queries can also be used to hunt for rogue instances of AnyDesk. Threat actors are known to use legitimate versions of remote desktop software such as AnyDesk to maintain persistence in an environment.
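The same two hunts expressed as runnable logic over constructed telemetry, as an added example that is not from the PacketWatch post. Process events reuse the CrowdStrike field names from the query above; the DNS, HTTP and connection record shapes (query, http_host, dst_port) are assumptions.

```python
import re

ANYDESK_PORT = 6568  # direct-connection port used in the network query above
# Matches anydesk.com and any subdomain, but not look-alikes such as notanydesk.com
ANYDESK_HOST = re.compile(r"(^|\.)anydesk\.com$", re.IGNORECASE)

# Constructed sample telemetry; field names follow the CrowdStrike fields in the
# query above for process events and are assumptions for the network events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Users\j\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"AnyDesk.exe" --start-service'},
    {"type": "process", "host": "ws-02", "ParentBaseFileName": "AnyDesk.exe",
     "ImageFileName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"type": "process", "host": "ws-03", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z.exe x backup.zip"},
    {"type": "dns", "host": "ws-04", "query": "relay-abc.net.anydesk.com"},
    {"type": "dns", "host": "ws-05", "query": "update.notanydesk.com"},
    {"type": "conn", "host": "ws-06", "dst_ip": "203.0.113.10", "dst_port": 6568},
    {"type": "http", "host": "ws-07", "http_host": "download.anydesk.com"},
]

def is_anydesk_process(ev):
    """Process-side test: image, parent or command line mentions AnyDesk."""
    keys = ("ImageFileName", "ParentBaseFileName", "CommandLine")
    return any("anydesk" in str(ev.get(k, "")).lower() for k in keys)

def is_anydesk_network(ev):
    """Network-side test: DNS or HTTP host under anydesk.com, or port 6568."""
    name = ev.get("query") or ev.get("http_host") or ""
    return bool(ANYDESK_HOST.search(name)) or ev.get("dst_port") == ANYDESK_PORT

def hunt(events):
    """Return {host: [reasons]} for every host with a matching event,
    the rough equivalent of the 'stats count by ... ComputerName' above."""
    hits = {}
    for ev in events:
        if ev["type"] == "process" and is_anydesk_process(ev):
            reason = "process " + ev["CommandLine"]
        elif ev["type"] in ("dns", "http", "conn") and is_anydesk_network(ev):
            reason = "network " + str(ev.get("query") or ev.get("http_host") or ev["dst_port"])
        else:
            continue
        hits.setdefault(ev["host"], []).append(reason)
    return hits

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Note the ws-02 hit: a shell spawned with AnyDesk as its parent is the kind of result worth triaging first when hunting for rogue instances.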


Vulnerability Roundup

CVE-2024-21888 and CVE-2024-21893: Multiple Critical Vulnerabilities in Ivanti

Ivanti disclosed two critical vulnerabilities at the end of January, CVE-2024-21888 and CVE-2024-21893.

The first vulnerability, CVE-2024-21888, is a flaw in the web component of Ivanti Connect Secure that allows a threat actor to gain administrator privileges.

CVE-2024-21893 is a server-side request forgery vulnerability that allows an attacker to access restricted resources on the device without authentication. This vulnerability is currently being exploited in the wild.

Following this disclosure, due to the active exploitation of CVE-2024-21893, as well as active exploitation of previous critical vulnerabilities CVE-2023-46805 and CVE-2024-21887, CISA issued a rare order instructing all federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances until they can follow an exhaustive remediation process.

On February 8, Ivanti disclosed yet another critical vulnerability for Connect Secure, Policy Secure, and ZTA gateways, CVE-2024-22024. This flaw allows attackers to access restricted resources without user interaction or authentication.

Due to the multitude of critical vulnerabilities in these appliances over the last several weeks, combined with evidence of exploitation of these flaws, any organization running vulnerable Ivanti products should investigate for signs of compromise.

It is strongly recommended to adhere to the CISA advisory on removal and remediation of this product.

CVE-2024-21762: Fortinet Critical RCE

Fortinet recently disclosed a critical remote code execution vulnerability in FortiOS SSL VPN.

The vulnerability, CVE-2024-21762, allows unauthenticated attackers to gain remote code execution using specially crafted HTTP requests.

CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, as there is evidence of active exploitation from the Chinese state-sponsored group Volt Typhoon. Administrators are urged to patch immediately.

A list of vulnerable versions and their fixed versions can be found here.

If the patch cannot be applied in a timely manner, Fortinet recommends disabling SSL VPN.

CVE-2024-23917: JetBrains TeamCity On-Prem

A critical vulnerability was recently disclosed for JetBrains TeamCity On-Prem continuous integration and continuous deployment (CI/CD) software. The flaw, CVE-2024-23917, allows for an unauthenticated attacker with HTTP or HTTPS access to the TeamCity server to bypass authentication and gain administrative control of the server.

Administrators are urged to update TeamCity servers to version 2023.11.3, or to temporarily remove TeamCity's exposure to the internet until the patch can be applied.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.