This week, we explore Black Basta ransomware gang tactics, techniques, and procedures, and a vulnerability roundup of CVEs for Google Chrome, F5 BIG-IP, and the Cacti Network Monitoring Framework.
Moonstone Sleet focuses mainly on espionage and financial gain, and targets the software, IT, education, and defense industry verticals.
Moonstone Sleet uses a combination of tried-and-true techniques, as well as more advanced and unique techniques for gaining initial access and persistence.
Even for organizations outside of the targeted industry verticals, good detection and prevention opportunities can be learned and implemented from this report.
One of the main ways Moonstone Sleet gains initial access is via trojanized legitimate software, such as PuTTY.
However, whereas many threat actors rely on malvertising or typo-squatted fake domains to trick users into downloading these trojanized programs, Moonstone Sleet instead uses messaging apps like LinkedIn and Telegram to send their target a .zip file.
Within the .zip file is the trojanized version of PuTTY, along with a .txt file containing an IP address and password. If the user types the IP and password into PuTTY, it downloads, decrypts, and loads additional malicious files onto the system.
In order to establish a level of trust with the target, Moonstone Sleet establishes fake social media profiles and companies.
The group even went so far as to develop a fully functional game called "DeTankWar", with corresponding domains and X (Twitter) accounts to promote it.
As recently as April 2024, Microsoft observed Moonstone Sleet deploying a custom ransomware variant dubbed FakePenny. The ransom note is nearly identical to those observed with the infamous NotPetya ransomware. The ransom demands of FakePenny are as high as $6.6 million USD.
While Moonstone Sleet has gone to great lengths to establish fake personas and companies, it still relies on solicitation to spread its malware.
As with all other ransomware threats, standard best practices will help prevent infection:
*.host:(bestonlinefilmstudio.org OR blockchain-newtech.com OR ccwaterfall.com OR chaingrown.com OR defitankzone.com OR detankwar.com OR freenet-zhilly.org OR matrixane.com OR pointdnt.com OR starglowventures.com OR mingeloem.com)
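The hunting query above matches any host-like field against the Moonstone Sleet infrastructure domains. As an added example (not code from the PacketWatch report), the script below applies the same domain list to constructed DNS/proxy log lines offline, matching subdomains of each IOC while rejecting look-alike names that merely contain an IOC as a substring; the log field names (`query=`, `host=`, `dst_host=`, `sni=`) are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Domains taken from the report's hunting query (Moonstone Sleet infrastructure).
MOONSTONE_SLEET_DOMAINS = frozenset({
    "bestonlinefilmstudio.org", "blockchain-newtech.com", "ccwaterfall.com",
    "chaingrown.com", "defitankzone.com", "detankwar.com", "freenet-zhilly.org",
    "matrixane.com", "pointdnt.com", "starglowventures.com", "mingeloem.com",
})

# Assumed key=value host fields as they might appear in DNS or proxy logs.
_HOST_FIELD = re.compile(r"\b(?:host|query|dst_host|sni)=([A-Za-z0-9.\-]+)")


def matches_ioc_domain(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the registrable domain; never test a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in MOONSTONE_SLEET_DOMAINS:
            return candidate
    return None


def hunt(log_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, observed_host, matched_ioc) for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _HOST_FIELD.finditer(line):
            ioc = matches_ioc_domain(m.group(1))
            if ioc:
                hits.append((n, m.group(1), ioc))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-05-29T10:01:02Z src=10.1.1.5 query=cdn.detankwar.com type=A",
    "2024-05-29T10:01:05Z src=10.1.1.5 query=www.example.com type=A",
    "2024-05-29T10:02:11Z src=10.1.1.9 host=starglowventures.com. method=GET",
    "2024-05-29T10:02:30Z src=10.1.1.9 host=notdetankwar.com method=GET",
]

if __name__ == "__main__":
    for n, host, ioc in hunt(SAMPLE_LOGS):
        print(f"line {n}: {host} -> {ioc}")
```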
On May 29, the FBI announced the dismantlement of the "911 S5 Residential Proxy Service" and botnet.
This service provided threat actors access to approximately 19 million hosts via proxy backdoors installed from malicious VPN applications. While this botnet is currently dismantled, the FBI has provided guidance on discovering and removing the backdoored VPN applications that allowed this botnet to exist.
The FBI identified the following VPN services that were compromised: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.
Users are encouraged to read these steps on how to detect and remove these services from their computers.
Any organization with a Bring Your Own Device (BYOD) policy should encourage users to detect and remove these VPNs.
The FBI also advises the following to protect individuals and businesses:
For individuals:
For businesses:
Check Point disclosed an actively exploited 0-day vulnerability in their Network Security gateway products, now tracked as CVE-2024-24919.
The flaw affects CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
While this is branded as an information disclosure vulnerability, successful exploitation can allow threat actors to read password hashes for local accounts and other sensitive information like SSH keys that can give them remote access.
Included in the local account hashes is the service account used for connecting to Active Directory. These compromised accounts can then be used to pivot further into the network.
Exploitation of the vulnerability can be achieved with a single POST request to the vulnerable endpoint; an example can be found here.
Administrators are urged to apply the hotfix released from Check Point as soon as possible.
Additional Resources
CISA recently added a critical Linux privilege escalation bug to its Known Exploited Vulnerabilities catalog. The flaw is tracked as CVE-2024-1086 and affects versions 5.14 through 6.6 of the Linux kernel.
While the patch was released in January, CISA noted that many organizations have not yet implemented it.
Since this vulnerability is now being exploited in the wild, administrators are urged to patch as soon as possible. Federal agencies are required to patch by June 20.
Additional Resources
Veeam disclosed a critical vulnerability in their Backup Enterprise Manager service tracked as CVE-2024-29849.
Per their advisory, successful exploitation allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
Administrators are urged to patch to version 12.1.2.172 as soon as possible.
It should be noted that Veeam Enterprise Backup Manager is an optional service and may not be installed in every environment.
To identify if the service is installed, run the following PowerShell commands on the Veeam Backup Server:

```powershell
# Loads the Veeam PowerShell module and connects to the local backup server;
# the server list itself is discarded.
Get-VBRServer | Out-Null
# Prints the Enterprise Manager registration details; empty fields indicate
# that no Enterprise Manager is connected to this backup server.
[Veeam.Backup.Core.SBackupOptions]::GetEnterpriseServerInfo() | Format-List
```
Additional Resources
Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.
If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.