PacketWatch Threat Intelligence

Moonstone Sleet APT, 911 S5 Proxy Removal, and More | PacketWatch Threat Intelligence | June 3, 2024

Written by The PacketWatch Intelligence Team | Jun 3, 2024 9:01:20 PM

This week, we explore Black Basta ransomware gang tactics, techniques, and procedures, and a vulnerability roundup of CVEs for Google Chrome, F5 BIG-IP, and the Cacti Network Monitoring Framework.

New North Korean APT: Moonstone Sleet

Microsoft released new details on a North Korean APT group they call Moonstone Sleet.

This group focuses mainly on espionage and financial gain, and targets software, IT, education, and defense industry verticals.

Moonstone Sleet uses a combination of tried-and-true techniques, as well as more advanced and unique techniques for gaining initial access and persistence.

Even for organizations outside of the targeted industry verticals, good detection and prevention opportunities can be learned and implemented from this report.

Moonstone Sleet Techniques

One of the main ways Moonstone Sleet gains initial access is via trojanized legitimate software, such as PuTTY.

However, whereas many threat actors rely on malvertising or typo-squatted fake domains to trick users into downloading these trojanized programs, Moonstone Sleet instead uses messaging apps like LinkedIn and Telegram to send their target a .zip file.

Within the .zip file is the trojanized version of PuTTY, along with a .txt file containing an IP address and password. If the user types the IP and password into PuTTY, it downloads, decrypts, and loads additional malicious files onto the system.

In order to establish a level of trust with the target, Moonstone Sleet establishes fake social media profiles and companies.

The group even went so far as to develop a fully functional game called "DeTankWar", with corresponding domains and X (Twitter) accounts to promote it.

  • They created a fake company called C.C. Waterfall and used emails from the company domain to solicit game downloads. To further entice victims to download the game, it is branded as a "play-to-earn" game, where users can earn NFTs by playing the game.
  • Once downloaded and installed, the game loads a malicious DLL loader which downloads further malicious payloads.
  • These payloads allow for network and user discovery and browser data collection, and give the threat actor the ability to interact with the compromised host directly.

Moonstone Sleet's Impact

As recently as April 2024, Microsoft observed Moonstone Sleet deploying a custom ransomware variant dubbed FakePenny. The ransom note is nearly identical to those observed with the infamous NotPetya ransomware. The ransom demands of FakePenny are as high as $6.6 million USD.

Lessons Learned from Moonstone Sleet and Detection Opportunities

While Moonstone Sleet has gone to great lengths to establish fake personas and companies, it still relies on solicitation to spread its malware.

  • As "advanced" as its techniques are, they are nothing more than fancy social engineering.
  • Users should not be allowed to download executable files sent via email.
  • Additionally, users should be coached to never download files from messaging apps, especially from third-party untrusted sources.
  • Only legitimate, approved software should be allowed on endpoints. 

As with all other ransomware threats, standard best practices will help prevent infection:

  • Modern, up-to-date, correctly configured, and actively monitored EDR solution across all endpoints.
  • Ensuring all software and operating systems are continuously patched and up to date.
  • Strong password policy, including implementing multifactor authentication (MFA) wherever possible.
  • Network monitoring for anomalous behavior.
  • Regular and tested backups.

Moonstone Sleet IOCs and PacketWatch Query

*.host:(bestonlinefilmstudio.org OR blockchain-newtech.com OR ccwaterfall.com OR chaingrown.com OR defitankzone.com OR detankwar.com OR freenet-zhilly.org OR matrixane.com OR pointdnt.com OR starglowventures.com OR mingeloem.com)


FBI Guidance for 911 S5 Proxy Removal

On May 29, the FBI announced the dismantlement of the "911 S5 Residential Proxy Service" and botnet.

This service provided threat actors access to approximately 19 million hosts via proxy backdoors installed from malicious VPN applications. While this botnet is currently dismantled, the FBI has provided guidance on discovering and removing the backdoored VPN applications that allowed this botnet to exist.

The FBI identified the following VPN services that were compromised: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

Users are encouraged to read these steps on how to detect and remove these services from their computers.

Any organization with a Bring Your Own Device (BYOD) policy should encourage users to detect and remove these VPNs. 

The FBI also advises the following to protect individuals and businesses:

For individuals:

  • Avoid untrustworthy websites and ads. Avoid downloading free software such as VPN services, and do not click pop-up ads as these commonly are used to deliver malware.
  • Ignore suspicious emails. Phishing continues to be one of the key ways threat actors deliver malicious payloads.
  • Use antivirus software to detect and remove known threats.

For businesses:

  • Keep software and operating systems up-to-date. Many botnets are designed to exploit vulnerabilities in software. Patching nullifies these exploits.
  • Evaluate BYOD policies. Unmanaged devices connecting to the corporate network can be a very large risk. If these devices are allowed, ensure they are segmented appropriately.
  • Encourage strong passwords. Password managers are a great way to facilitate the use of strong, unique passwords.

Vulnerability Roundup

Check Point Zero-Day

Check Point disclosed an actively exploited 0-day vulnerability in their Network Security gateway products, now tracked as CVE-2024-24919.

The flaw affects CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

While this is branded as an information disclosure vulnerability, successful exploitation can allow threat actors to read password hashes for local accounts and other sensitive information like SSH keys that can give them remote access.

Included in the local account hashes is the service account used for connecting to Active Directory. These compromised accounts can then be used to pivot further into the network.

Exploitation of the vulnerability can be achieved with a single POST request to the vulnerable endpoint; an example can be found here.

Administrators are urged to apply the hotfix released from Check Point as soon as possible.

Check Point Zero-Day IOCs: Known IPs Exploiting CVE-2024-24919 & PacketWatch Query

*.ip:(23.227.196.88 OR 23.227.203.36 OR 37.19.205.180 OR 38.180.54.104 OR 38.180.54.168 OR 46.59.10.72 OR 46.183.221.194 OR 46.183.221.197 OR 64.176.196.84 OR 87.206.110.89 OR 104.207.149.95 OR 109.134.69.241 OR 146.70.205.62 OR 146.70.205.188 OR 149.88.22.67 OR 154.47.23.111 OR 156.146.56.136 OR 158.62.16.45 OR 167.61.244.201 OR 178.236.234.123 OR 185.213.20.20 OR 185.217.0.242 OR 192.71.26.106 OR 195.14.123.132 OR 203.160.68.12 OR 68.183.56.130 OR 167.99.112.236 OR 132.147.86.201 OR 162.158.162.254 OR 61.92.2.219 OR 183.96.10.14 OR 198.44.211.76 OR 221.154.174.74 OR 112.163.100.151 OR 103.61.139.226 OR 82.180.133.120 OR 146.185.207.0/24 OR 193.233.128.0/22 OR 193.233.216.0/21 OR 217.145.225.0/24 OR 31.134.0.0/20 OR 37.9.40.0/21 OR 45.135.1.0/24 OR 45.135.2.0/23 OR 45.155.166.0/23 OR 5.188.218.0/23 OR 85.239.42.0/23 OR 88.218.44.0/24 OR 91.132.198.0/24 OR 91.218.122.0/23 OR 91.245.236.0/24)
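For teams that cannot run the PacketWatch queries directly, the following added Python example (not PacketWatch code) applies the same two indicator sets to proxy log lines offline: the Moonstone Sleet domains above, matched as exact hosts or subdomains, and a subset of the CVE-2024-24919 source addresses and CIDR ranges, matched with the ipaddress module. The key=value log format and the host= and src= field names are assumptions; the log lines are constructed.

```python
import ipaddress

# Domains from the Moonstone Sleet query in this report.
MOONSTONE_DOMAINS = {
    "bestonlinefilmstudio.org", "blockchain-newtech.com", "ccwaterfall.com",
    "chaingrown.com", "defitankzone.com", "detankwar.com",
    "freenet-zhilly.org", "matrixane.com", "pointdnt.com",
    "starglowventures.com", "mingeloem.com",
}
# Subset of the CVE-2024-24919 query above (single IPs and CIDR ranges);
# extend with the rest of the list as needed.
CHECKPOINT_SOURCES = [
    "23.227.196.88", "38.180.54.104", "146.185.207.0/24",
    "193.233.128.0/22", "31.134.0.0/20", "45.135.2.0/23",
]
CHECKPOINT_NETS = [ipaddress.ip_network(s, strict=False) for s in CHECKPOINT_SOURCES]


def host_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one
    (suffix match on '.domain', so notdetankwar.com does not match)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in MOONSTONE_DOMAINS)


def ip_matches(ip: str) -> bool:
    """True if ip falls inside any listed address or range; non-IPs never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CHECKPOINT_NETS)


def scan_logs(lines):
    """Return (timestamp, [reasons]) for each log line hitting an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        reasons = []
        if host_matches(fields.get("host", "")):
            reasons.append("moonstone-sleet-domain")
        if ip_matches(fields.get("src", "")):
            reasons.append("cve-2024-24919-source")
        if reasons:
            hits.append((parts[0], reasons))
    return hits


SAMPLE_LOGS = [  # constructed sample lines, assumed key=value proxy format
    "2024-06-03T10:15:22Z src=10.1.2.3 host=www.detankwar.com action=allow",
    "2024-06-03T10:16:01Z src=10.1.2.3 host=example.org action=allow",
    "2024-06-03T11:02:45Z src=193.233.129.7 host=vpn.example.org action=allow",
    "2024-06-03T11:03:10Z src=203.0.113.5 host=vpn.example.org action=allow",
]

if __name__ == "__main__":
    for ts, why in scan_logs(SAMPLE_LOGS):
        print(ts, ", ".join(why))
```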


Linux Kernel Local Privilege Escalation

CISA recently added a critical Linux privilege escalation bug to its Known Exploited Vulnerabilities catalog. The flaw is tracked as CVE-2024-1086 and affects versions 5.14 through 6.6 of the Linux kernel.

While the patch was released in January, CISA noted that many organizations have not yet implemented it.

Since this vulnerability is now being exploited in the wild, administrators are urged to patch as soon as possible. Federal agencies are required to patch by June 20.


Veeam Authentication Bypass

Veeam disclosed a critical vulnerability in their Backup Enterprise Manager service tracked as CVE-2024-29849.

Per their advisory, successful exploitation allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.

Administrators are urged to patch to version 12.1.2.172 as soon as possible.

It should be noted that Veeam Backup Enterprise Manager is an optional service and may not be installed in every environment.

To identify if the service is installed, run the following PowerShell commands on the Veeam Backup Server:

# Loads the Veeam PowerShell module; the server list itself is discarded
Get-VBRServer | Out-Null
# Lists the Enterprise Manager this backup server is registered with, if any
[Veeam.Backup.Core.SBackupOptions]::GetEnterpriseServerInfo() | Format-List


Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.