July 11, 2024
Severity
High
Analysis Summary
A recently identified ransomware group tracked as EstateRansomware has been observed exploiting a now-patched flaw in Veeam Backup & Replication software.
According to the researchers who identified the group in early April 2024, its modus operandi involved exploiting CVE-2023-27532 (CVSS score: 7.5) to carry out malicious actions. Initial access to the target environment is believed to have been obtained through a dormant account on a Fortinet FortiGate firewall SSL VPN appliance.
From the FortiGate firewall, the threat actor moved laterally over the SSL VPN service to reach the failover server. Before the ransomware was deployed, VPN brute-force attempts were recorded in April 2024 against the username 'Acc1', an account that was considered defunct. A few days later, a successful VPN login using 'Acc1' was traced back to a remote IP address.
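The pattern above (a burst of failed VPN logins against a dormant account, then a success from the same source days later) is easy to hunt for in firewall logs. The script below is an added example and is not code from the advisory or from the researchers who reported the intrusion. The log lines are constructed in a FortiGate-style key=value syslog format, and the field names and action values (date, time, action, user, srcip, ssl-login-fail, tunnel-up) are assumptions that you should map to your firewall's real schema.

```python
"""Hunt for VPN brute force followed by a successful login on a dormant account.

Added example, not code from the advisory or the researchers' report.
The log lines are constructed in a FortiGate-style key=value syslog
format; the field names (date, time, action, user, srcip) and the action
values are assumptions, so map them to your firewall's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures for the dormant account 'Acc1' from one
# source IP, a benign login by an active user, and a success for 'Acc1'
# from the same source IP four days later.
SAMPLE_LOGS = """\
date=2024-04-03 time=01:00:05 action="ssl-login-fail" user="Acc1" srcip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2024-04-03 time=01:00:09 action="ssl-login-fail" user="Acc1" srcip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2024-04-03 time=01:00:14 action="ssl-login-fail" user="Acc1" srcip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2024-04-03 time=01:00:20 action="ssl-login-fail" user="Acc1" srcip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2024-04-03 time=09:15:00 action="tunnel-up" user="jdoe" srcip="198.51.100.7"
date=2024-04-07 time=02:10:33 action="tunnel-up" user="Acc1" srcip="203.0.113.10"
"""

# key=value pairs; values may be double-quoted (and then contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict and add a datetime under 'ts'."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def hunt(lines, dormant_accounts, fail_threshold=3,
         burst_window=timedelta(minutes=10), follow_up=timedelta(days=7)):
    """Return findings for brute-force bursts, logins on dormant accounts, and
    successful logins that follow a burst from the same (user, srcip) pair."""
    events = sorted((parse_line(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # (user, srcip) -> failure timestamps inside burst_window
    last_burst = {}                    # (user, srcip) -> time the burst crossed the threshold
    findings = []

    for ev in events:
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "ssl-login-fail":
            window = [t for t in recent_fails[key] if ev["ts"] - t <= burst_window]
            window.append(ev["ts"])
            recent_fails[key] = window
            if len(window) == fail_threshold:      # report each burst exactly once
                last_burst[key] = ev["ts"]
                findings.append({"rule": "brute_force", "user": key[0],
                                 "srcip": key[1], "ts": ev["ts"]})
        elif ev.get("action") == "tunnel-up":
            if key[0] in dormant_accounts:
                findings.append({"rule": "dormant_account_login", "user": key[0],
                                 "srcip": key[1], "ts": ev["ts"]})
            burst_ts = last_burst.get(key)
            if burst_ts is not None and ev["ts"] - burst_ts <= follow_up:
                findings.append({"rule": "success_after_brute_force", "user": key[0],
                                 "srcip": key[1], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS.splitlines(), dormant_accounts={"Acc1"}):
        print(f"{f['ts']} {f['rule']:26} user={f['user']} srcip={f['srcip']}")
```

The dormant-account list is the important input: a single successful login on an account nobody should be using is a stronger signal than the brute-force count, so feed it from your identity source (last-logon age, HR leavers, disabled-but-not-removed VPN users) rather than guessing names.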
The threat actor then established RDP connections from the firewall to the failover server and installed a persistent backdoor named "svchost.exe", which is executed daily through a scheduled task. The backdoor provided a way back into the network later while evading detection; its main function is to establish an HTTP connection to a command-and-control (C2) server and execute whatever commands the attacker issues.
Researchers observed the threat actor exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp". That account was reportedly used for network discovery, enumeration, and credential harvesting with tools such as NetScan, AdFind, and NitSoft.
The exploitation likely involved attacking the vulnerable Veeam Backup & Replication installation on the backup server from a "VeeamHax" folder on the file server; activating the xp_cmdshell stored procedure is what allowed the 'VeeamBkp' account to be created. The intrusion culminated in ransomware deployment, but only after the actors had impaired defenses and moved laterally from the AD server to all other servers and workstations using compromised domain accounts.
Windows Defender was permanently disabled using DC.exe (Defender Control), and PsExec.exe was then used to deploy and execute the ransomware. The disclosure coincides with a Cisco Talos report that most ransomware groups prioritize gaining initial access through phishing attachments, exploiting vulnerabilities in public-facing applications, or compromising legitimate accounts, and then work to prolong their stay in victim networks by evading defenses throughout their attack chains.
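The host-side steps above each leave a log artefact: a scheduled task whose action is an svchost.exe outside the Windows directories, a SQL Server configuration change enabling xp_cmdshell, a new account with a backup-product-like name, and process creations for DC.exe, PsExec.exe, AdFind or NetScan. The script below is an added example and is not code from the advisory or the researchers' report. The events are constructed, simplified views of Windows Security events 4698, 4720 and 4688 and SQL Server Application log event 15457; the field names (command, target_user, new_process and so on) are assumptions and should be mapped to however your SIEM normalises these events. PSEXESVC.exe is included in the tool list because PsExec installs it as a service on the remote host, which is not stated on this page but is standard PsExec behaviour.

```python
"""Hunt host-side artefacts of the intrusion chain described above.

Added example, not code from the advisory or the researchers' report.
The events below are constructed, simplified views of Windows Security log
events 4698 (scheduled task created), 4720 (user account created) and
4688 (process created), plus SQL Server Application log event 15457
(configuration option changed). Field names are assumptions; adapt the
mapping to however your SIEM normalises these events.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "BKP01", "event_id": 4698, "subject": "CORP\\Acc1",
     "task_name": "\\Updater", "command": "C:\\Users\\Public\\svchost.exe", "trigger": "Daily"},
    {"host": "BKP01", "event_id": 4698, "subject": "NT AUTHORITY\\SYSTEM",          # benign
     "task_name": "\\Microsoft\\Windows\\Servicing\\StartComponentCleanup",
     "command": "C:\\Windows\\System32\\svchost.exe", "trigger": "Weekly"},
    {"host": "BKP01", "event_id": 15457,
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"host": "BKP01", "event_id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target_user": "VeeamBkp"},
    {"host": "DC01", "event_id": 4688, "new_process": "C:\\Temp\\DC.exe", "command_line": "DC.exe"},
    {"host": "DC01", "event_id": 4688, "new_process": "C:\\Tools\\PsExec.exe",
     "command_line": "PsExec.exe \\\\WS01 -s cmd.exe"},
    {"host": "WS01", "event_id": 4688, "new_process": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},                                      # benign
    {"host": "WS01", "event_id": 4688, "new_process": "C:\\Users\\Public\\svchost.exe",
     "command_line": "svchost.exe"},
]

# svchost.exe legitimately lives only in these directories.
TRUSTED_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Tooling named in the intrusion (DC.exe, PsExec, AdFind, NetScan) plus
# PSEXESVC.exe, the service binary PsExec installs on the remote host.
ATTACK_TOOLS = {"dc.exe", "psexec.exe", "psexesvc.exe", "adfind.exe", "netscan.exe"}
# New accounts that imitate backup/service naming; baseline against the
# accounts your backup product really uses before paging anyone on this.
SERVICE_LIKE_NAME = re.compile(r"(?i)veeam|backup|bkp")
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def masquerading_svchost(path):
    """True when a binary named svchost.exe runs from outside the Windows dirs."""
    p = path.lower()
    return p.endswith("\\svchost.exe") and not p.startswith(TRUSTED_SVCHOST_DIRS)


def hunt_events(events):
    """Apply the detection rules and return findings in input order."""
    findings = []
    for ev in events:
        host, eid = ev.get("host"), ev.get("event_id")
        if eid == 4698 and masquerading_svchost(ev.get("command", "")):
            findings.append({"rule": "scheduled_task_backdoor", "host": host,
                             "detail": f"{ev.get('task_name')} -> {ev.get('command')} ({ev.get('trigger')})"})
        elif eid == 15457 and XP_CMDSHELL_ON.search(ev.get("message", "")):
            findings.append({"rule": "xp_cmdshell_enabled", "host": host, "detail": ev["message"]})
        elif eid == 4720 and SERVICE_LIKE_NAME.search(ev.get("target_user", "")):
            findings.append({"rule": "service_like_account_created", "host": host,
                             "detail": f"{ev.get('target_user')} created by {ev.get('subject')}"})
        elif eid == 4688:
            image = ev.get("new_process", "")
            name = image.rsplit("\\", 1)[-1].lower()
            if name in ATTACK_TOOLS:
                findings.append({"rule": "attack_tool_execution", "host": host,
                                 "detail": ev.get("command_line", image)})
            elif masquerading_svchost(image):
                findings.append({"rule": "masquerading_svchost", "host": host, "detail": image})
    return findings


if __name__ == "__main__":
    for f in hunt_events(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:28} {f['detail']}")
```

Two of these rules need local tuning: the account-name rule will fire on legitimate Veeam service accounts unless you baseline them, and event 4688 only carries the process path and command line if command-line auditing is enabled in your audit policy, so confirm both before relying on the rules.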
Because of the double-extortion strategy, in which data is exfiltrated before files are encrypted, the actors have built custom tools (such as Exmatter, Exbyte, and StealBit) to transfer sensitive data to infrastructure under their own control. To map the network's structure, locate resources that could aid the attack, escalate privileges, blend in, and identify valuable data worth stealing, these e-crime groups need sustained access to the environment.
Impact
- Command Execution
- Credential Theft
- Sensitive Data Theft
- Financial Loss
Indicators of Compromise
IP
- 149.28.106.252
- 45.76.232.205
- 77.238.245.11
MD5
- 58008524a6473bdf86c1040a9a9e39c3
SHA-256
- 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA-1
- cb704d2e8df80fd3500a5b817966dc262d80ddb8
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement robust multi-layered security measures to detect and respond to ransomware activity.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in internet-facing and business-critical systems, including VPN appliances and backup servers.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps; in particular, apply the Veeam Backup & Replication fix for CVE-2023-27532.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access, and disable or remove dormant accounts, especially on VPN appliances.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with ransomware groups such as EstateRansomware.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.