Cyber Threat Intelligence Briefing - November 20, 2023

Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights the Rhysida ransomware group and a vulnerability roundup.

Rhysida Ransomware

This week, the FBI and CISA published a joint #StopRansomware advisory for an emerging ransomware threat actor known as Rhysida.

So far, the group's victims appear to be "targets of opportunity", and include victims in education, healthcare, manufacturing, information technology, and government.

The group operates as a ransomware-as-a-service (RaaS) model, using a network of affiliates to deploy their ransomware and compromise as many organizations as possible. They operate as a double-extortion ransomware group, meaning they will steal victim data and threaten to release it publicly in addition to encrypting data on the victim network.

For initial access, Rhysida targets remote services, such as VPN devices, using compromised valid credentials, and are also known to gain initial access via standard phishing attacks.

Once inside the network, the group has been observed specifically abusing the infamous Zerologon vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol to elevate privileges. As noted in the advisory, Microsoft released a patch for this vulnerability on August 11, 2020.

As with many current ransomware threat actors, the group has been observed leveraging "living off the land" techniques to evade detection and move throughout the victim network laterally. This includes:

• Creating internal RDP sessions for lateral movement
• Establishing VPN access
• Heavily leveraging Powershell
• Built-in Windows commands -
  • ipconfig
  • whoami
  • nltest
  • net
    • net user [username] /domain
    • net group "domain computers" /domain
    • net group "domain admins" /domain
    • net localgroup administrators

Rhysida also uses built-in, open-source, and off-the-shelf tools for further lateral movement and remote access, including but not limited to:

• psexec.exe - Used to execute processes remotely.
• mstsc.exe - Used to establish RDP connections.
• PuTTy.exe - Leveraged for Secure Shell (SSH) for lateral movement.
• PortStarter - Modifies firewall settings and opens ports to pre-configured command and control (C2) servers.
• secretsdump - Extracts credentials and confidential information from a system.
• ntdsutil.exe - Built-in Windows tool leveraged to dump the NTDS.dit database from the domain controler.  This file contains hashes for all Active Directory users.
• AnyDesk - Used by many threat actors to maintain remote access and persistence.
• wevtutil.exe - Used to clear Windows event logs.
• PowerView - Used for reconnaissance and credential harvesting.

How To Protect Your Organization

Although Rhysida is new to the RaaS space, none of their tactics, techniques, or procedures (TTPs) are anything groundbreaking. Ensuring robust patch management and implementing multi-factor authentication (MFA) will go a long way toward thwarting potential attacks from this group. Organizations should also monitor for unusual or suspicious activity surrounding the tools and commands listed above.

Additionally, our indicators of compromise (IOCs) and the Joint Advisory should be reviewed, and appropriate blocks should be put in place.

Additional Resources

• https://www.cisa.gov/sites/default/files/2023-11/aa23-319a-stopransomware-rhysida-ransomware_1.pdf
  
• https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/
  
• https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/

Vulnerability Roundup

CISA added three new vulnerabilities to the Known Exploited Vulnerabilities Catalog

CVE-2020-2551

A critical vulnerability in the Oracle WebLogic Server (Oracle Fusion Middleware) that allows for an unauthenticated remote attacker with IIOP network access to gain complete control of the Oracle WebLogic Server. The vendor security advisory and patch notes can be found here. 

CVE-2023-1671

A critical pre-authentication command injection vulnerability in Sophos Web Appliance older than version 4.3.10.4.  Successful exploitation allows for arbitrary code execution.  The vendor security advisory can be found here and proof-of-concept exploit code for the vulnerability can be found here.

CVE-2023-36584

A Microsoft Mark of the Web (MotW) Security feature bypass vulnerability.  Attackers can create a malicious file that circumvents the MotW, such as "Protected View" in MS Office.  The Microsoft security advisory and patch notes for this vulnerability can be found here.

SysAid On-Prem 0-day (CVE-2023-47246)

On November 8, SysAid, an IT Service Management system widely used by enterprises, announced they had evidence their product was being actively exploited via a 0-day vulnerability.  This was confirmed the next day by reporting from Microsoft, stating they had observed the threat actor known as Lace Tempest (a threat actor affiliated with the Cl0p ransomware gang) actively exploiting the vulnerability.  This vulnerability affects all on-prem SysAid servers.  The fixed version is 23.3.36.  Administrators are urged to patch as soon as possible.  Additional information on this vulnerability can be found on the PacketWatch blog.  Download and installation instructions for the patch can be found here.

VMware Cloud Director (CVE-2023-34060)

VMware recently disclosed a critical authentication bypass vulnerability in its Cloud Director platform.  Only instances that have been upgraded to version 10.5 from an older version are affected.  A threat actor with network access to a vulnerable device can bypass login restrictions when authenticating on port 22 (ssh) or 5480 (the appliance management console).  The bypass does not work over port 443 or on new installations of version 10.5.  While no patch is currently available, VMware published a workaround, details can be found here.  

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.