Cyber Threat Intelligence Briefing - April 22, 2024
The PacketWatch Intelligence Team : Apr 22, 2024 2:45:00 AM
This week, we explore the new Akira ransomware advisory and provide insights on three critical vulnerabilities.
Akira Ransomware Advisory
On April 18, the Cybersecurity & Infrastructure Security Agency (CISA) released a joint cybersecurity advisory on the Akira ransomware group that outlines the group's latest tactics, techniques, and procedures (TTPs). With the recent exit scam of ALPHV and the disruption of Lockbit's infrastructure by federal authorities, there is a new opportunity for established groups such as Akira to become one of the leading ransomware gangs.
Per the advisory, as of January 1, 2024, Akira has already claimed about $42 million in ransomware payments. Based on Akira's ransomware-as-a-service (RaaS) infrastructure, and their encryptor's ability to target Windows, Linux, and VMware ESXi hosts, they have the ability to compromise a wide range of targets across almost every industry vertical.
Initial Access
To gain initial access into their target environment, Akira relies heavily on remote exploitation of VPN devices. They target VPNs that do not have multifactor authentication enabled and most commonly attempt to exploit known Cisco vulnerabilities, CVE-2020-3259 and CVE-2023-20269.
Akira has also been observed using external services such as Remote Desktop Protocol (RDP), spear phishing (social engineering), and valid (stolen) credentials for initial access.
Persistence and Discovery
After gaining initial access, Akira will quickly create new administrator accounts to establish persistence.
Of note, Akira has been observed on several occasions to create an admin account named 'itadm'.
Once persistence has been established, Akira leverages a variety of basic techniques and tools to further elevate privileges and move laterally through the network.
Akira has been observed using Kerberoasting to grab credentials out of memory, as well as popular open-source tools such as Mimikatz and LaZagne.
Akira uses SoftPerfect and Advanced IP Scanner to enumerate the internal network and uses the built-in Windows 'net' command to discover domain controllers and identify trust relationships.
Data Exfiltration
- Akira uses a variety of free and open-source tools to exfiltrate data, including FileZilla, WinRAR, WinSCP, and RClone.
- They also leverage common remote access tools such as AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel to establish command-and-control (C2) channels.
- Exfiltration of data is commonly achieved via FTP or SFTP, and data is usually uploaded to a cloud storage service such as Mega.
How To Protect Your Organization
While Akira has had wide-ranging success over the last year, the group does not use any tool or technique that would be considered 'advanced' or novel. Their TTPs provide a variety of detection and prevention opportunities.
- Ensure all external-facing devices and services are fully patched - Akira is not known for leveraging 0-day remote exploits. They attack well-known vulnerabilities on unpatched devices.
- Enable Multi-factor Authentication - MFA should be enabled wherever possible, especially on accounts used for remote access.
- Disable vulnerable or unused services - Only ports and services that are an absolute necessity for the proper functioning of the network should be open to the internet. Known vulnerable services such as RDP and SMB should never be exposed.
- Have a password policy that mandates strong, unique passwords across all accounts. This will nullify techniques such as credential stuffing or the use of credentials purchased by the threat actor from third-party data breaches.
- Deploy up-to-date and properly configured EDR across all endpoints. Modern EDR tools that are properly configured will detect and prevent common hacking tools such as Mimikatz. EDR tools can also be used to identify software used throughout the environment and can shine a light on unauthorized use of remote admin or data transfer tools.
- Regularly audit network administrator accounts - Identify any newly created or modified administrator accounts. Ensure administrative accounts are given only the permissions that are absolutely necessary to complete their job functions.
- Use network monitoring tools such as PacketWatch to identify suspicious network traffic, including insecure protocols and remote access tools. Example queries:
  - protocol:(rdp OR ftp)
  - http.host:(*.anydesk.com) OR dns.host:(*.anydesk.com) OR destination port:6568
  - *.host:(*.mega.nz OR *.mega.co.nz OR *.mega.io)
  - *.host:(cfargotunnel.com OR *.cfargotunnel.com)
  - *.port:[21114 TO 21119] AND protocol:(tcp OR udp)
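The same five detections, applied to constructed flow records so the logic can be checked offline. This is an added example, not PacketWatch code; the key=value record format and the field names (proto, dport, app, host) are assumptions, and the sample lines are constructed.

```python
"""Flag the network indicators from the queries above in constructed flow
records. Added example, not PacketWatch code; the key=value record format
and field names (proto, dport, app, host) are assumptions."""
from fnmatch import fnmatch

# Constructed sample records (one flow or DNS lookup per line).
SAMPLE_LOG = """\
ts=1713744000 proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=3389 app=rdp host=-
ts=1713744010 proto=tcp src=10.0.0.5 dst=203.0.113.20 dport=443 app=https host=relay.anydesk.com
ts=1713744020 proto=udp src=10.0.0.7 dst=198.51.100.9 dport=21116 app=- host=-
ts=1713744030 proto=tcp src=10.0.0.7 dst=198.51.100.30 dport=443 app=https host=g.api.mega.co.nz
ts=1713744040 proto=tcp src=10.0.0.8 dst=192.0.2.4 dport=443 app=https host=abc123.cfargotunnel.com
ts=1713744050 proto=tcp src=10.0.0.9 dst=192.0.2.50 dport=443 app=https host=www.example.com
"""

# Host patterns transcribed from the queries above (shell-style globs).
HOST_PATTERNS = {
    "anydesk": ["*.anydesk.com"],
    "mega": ["*.mega.nz", "*.mega.co.nz", "*.mega.io"],
    "cloudflare-tunnel": ["cfargotunnel.com", "*.cfargotunnel.com"],
}

def parse_line(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def match_rules(rec):
    """Return the names of the rules a parsed record matches."""
    hits = []
    host = rec.get("host", "-").lower()
    port = int(rec.get("dport", 0))
    proto = rec.get("proto", "").lower()
    if rec.get("app", "").lower() in ("rdp", "ftp"):
        hits.append("insecure-protocol")          # protocol:(rdp OR ftp)
    for name, pats in HOST_PATTERNS.items():
        if host != "-" and any(fnmatch(host, p) for p in pats):
            hits.append(name)
    if port == 6568 and "anydesk" not in hits:     # AnyDesk direct-connect port
        hits.append("anydesk")
    if 21114 <= port <= 21119 and proto in ("tcp", "udp"):
        hits.append("rustdesk")                    # port range from the query above (RustDesk)
    return hits

def scan(log_text):
    """Map the timestamp of each matching record to the rules it triggered."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = match_rules(rec)
        if hits:
            out[rec["ts"]] = hits
    return out
```

Running scan(SAMPLE_LOG) flags five of the six constructed records; only the plain HTTPS flow to www.example.com is left alone.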
Additional Resources
- https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2020-3259
- https://nvd.nist.gov/vuln/detail/CVE-2023-20269
- https://www.bleepingcomputer.com/news/security/fbi-akira-ransomware-raked-in-42-million-from-250-plus-victims/
- https://platform.socradar.com/app/threatfeed/cve/CVE-2023-20269/details
- https://platform.socradar.com/app/threatfeed/cve/CVE-2020-3259/details
- https://www.crowdstrike.com/cybersecurity-101/kerberoasting/
Vulnerability Rundown
Here are the latest critical vulnerabilities we think you should know about:
CVE-2024-3400: Palo Alto Networks PAN-OS 0-day Under Active Exploitation
Palo Alto Networks released a security bulletin detailing a new critical command injection vulnerability in their PAN-OS software, tracked as CVE-2024-3400, which carries a maximum CVSS score of 10.0. According to the advisory, this vulnerability has been under active exploitation, and proof-of-concept exploit code has also been published in the wild. Successful exploitation of this flaw allows a threat actor to execute arbitrary code with root privileges on the device.
Which Versions Are Affected?
The vulnerability only affects certain versions of PAN-OS when both GlobalProtect gateway and device telemetry are enabled. Affected versions are:
- PAN-OS 10.2.9-h1 and prior
- PAN-OS 11.0.4-h1 and prior
- PAN-OS 11.1.2-h3 and prior
Per the Palo Alto advisory, administrators can verify if the GlobalProtect gateway is configured by checking in the firewall web interface (Network > GlobalProtect > Gateways). Device telemetry features can also be verified in the web interface (Device > Setup > Telemetry).
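A small triage helper that checks a PAN-OS version string against the three affected ranges listed above, taking the GlobalProtect gateway and telemetry conditions into account. Added example, not Palo Alto tooling; it assumes the "major.minor.patch-hN" version format and only knows the three branches named here, returning None for any other branch.

```python
"""Check a PAN-OS version string against the affected ranges listed above.
Added example, not Palo Alto tooling; assumes the 'major.minor.patch-hN'
format and only the three branches named in the advisory summary."""
import re

# Highest affected release per branch, as stated above ("X and prior").
AFFECTED_CEILING = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1 and prior
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1 and prior
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3 and prior
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos(version):
    """'11.1.2-h3' -> (11, 1, 2, 3); a release without a hotfix gets hotfix 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def is_affected(version, globalprotect_gateway, telemetry):
    """True/False for the listed branches; None if the branch is not listed.
    Both the GlobalProtect gateway and device telemetry must be enabled for
    the vulnerability to apply, per the advisory summary above."""
    v = parse_panos(version)
    ceiling = AFFECTED_CEILING.get(v[:2])
    if ceiling is None:
        return None
    if not (globalprotect_gateway and telemetry):
        return False
    return v <= ceiling
```

Feed it the version from the device's System information and the two checkbox states from Network > GlobalProtect > Gateways and Device > Setup > Telemetry.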
How To Protect Your Organization
The patch for this vulnerability has been published by Palo Alto. Administrators are urged to apply this patch as soon as possible.
There are several mitigation steps that can be taken if the patch cannot be applied immediately. Palo Alto customers with the Threat Prevention subscription enabled can block attacks for the vulnerability by enabling Threat ID 95187. Additionally, those customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation on their device. Additional information for this can be found here.
Additional Resources
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://packetwatch.com/resources/threat-intel/cve-2024-3400-palo-alto-networks-pan-os-zero-day
- https://platform.socradar.com/app/threatfeed/cve/CVE-2024-3400/details
- https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/
- https://bishopfox.com/blog/pan-os-cve-2024-3400-patch-your-palo-alto-firewalls
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
CVE-2024-21006: Oracle WebLogic Server
Among the 441 security patches released by Oracle across a wide range of their products is a severe vulnerability in Oracle WebLogic Server. Successful exploitation of this vulnerability, CVE-2024-21006, allows an unauthenticated attacker with network access to compromise the server. The vulnerability affects versions 12.2.1.4.0 and 14.1.1.0.0. While exploitation of this vulnerability is not complex, it does require network access via T3 (a proprietary Oracle/WebLogic protocol) and IIOP (Internet Inter-ORB Protocol, used to facilitate communication between distributed programs written in different programming languages). Administrators are urged to patch as soon as possible and to review the Oracle security bulletin for patches to other Oracle products.
CVE-2024-20295: Cisco Integrated Management Controller (IMC) Privilege Escalation
On April 17, Cisco released a patch for a high-severity vulnerability in the CLI of their Integrated Management Controller (IMC). This vulnerability, tracked as CVE-2024-20295, is a command injection privilege escalation vulnerability that can allow a threat actor to gain root privileges on the device due to insufficient validation of user input. Per the advisory, the following products are affected if they are running vulnerable IMC versions in default configurations:
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE
- UCS C-Series Rack Servers in standalone mode
- UCS E-Series Servers
Additional products may be affected if they expose access to the Cisco IMC CLI. The full list can be found in the Cisco advisory here. Proof-of-concept exploit code has been observed in the wild. Administrators are urged to patch as soon as possible.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.
Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.