Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Black Basta ransomware poses as IT support on Microsoft Teams to breach networks.
(TLP: CLEAR) The Black Basta ransomware group, active since April 2022 and linked to the disbanded Conti cybercrime syndicate, has escalated its social engineering tactics. Initially known for gaining access by exploiting vulnerabilities and through partnerships with malware distributors, Black Basta has recently targeted employees directly through Microsoft Teams. Posing as the corporate IT help desk, the attackers use external Teams messages to prey on users who are already overwhelmed by a deliberate flood of spam email. Earlier attacks followed the same script by phone: inboxes were flooded with non-malicious email, then attackers called the victim posing as IT support and talked them into installing remote access tools such as AnyDesk or Windows Quick Assist. Those tools were used to deliver payloads such as ScreenConnect, NetSupport Manager, and Cobalt Strike, letting Black Basta move laterally, elevate privileges, steal data, and deploy ransomware. The latest variant, observed by ReliaQuest in October 2024, has Black Basta affiliates creating Entra ID accounts in external, attacker-controlled tenants with help-desk-like display names and contacting victims through one-on-one Teams chats. In the chat the attacker asks the victim to install a remote tool or to scan a QR code; the exact purpose of the QR codes is still unknown. The payloads remain “AntispamAccount.exe” and “AntispamConnectUS.exe,” the latter linked to the SystemBC proxy malware. The final step is deploying Cobalt Strike, which gives the attackers full control of the compromised device for deeper network infiltration.
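The two-stage sequence above (email flood, then an external “help desk” chat) is what a detection should key on rather than either signal alone. The following is an added example written for this report, not code from ReliaQuest or from the original coverage: it correlates a burst of inbound mail to a user with a later Teams chat from a sender outside the trusted federation list whose display name looks like a help desk. The event schema (type, user, ts, sender, sender_display_name), the trusted-domain set, the thresholds and all sample events are assumptions constructed for the demo; map the field names onto your own Microsoft 365 or Defender export.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Domains your tenant deliberately federates with (assumption for the demo).
TRUSTED_DOMAINS = {"example.com", "partner.example.org"}

# Display names used for help-desk impersonation; a regex so variants such as
# "Help Desk", "HelpDesk IT" and "IT Support Services" all match.
HELPDESK_NAME = re.compile(
    r"\b(help\s*desk|it\s*support|support\s*(team|services)|security\s*(team|desk))\b", re.I)

EMAIL_BURST_THRESHOLD = 50                  # inbound messages to one user ...
EMAIL_BURST_WINDOW = timedelta(minutes=15)  # ... within this window = email bomb
CHAT_FOLLOWUP_WINDOW = timedelta(hours=2)   # external chat this soon afterwards

def ts(event):
    return datetime.fromisoformat(event["ts"])

def email_burst_times(events):
    """Per user, every moment at which the trailing-window message count
    reaches the threshold (sliding window over sorted timestamps)."""
    inbox = defaultdict(list)
    for e in events:
        if e["type"] == "email_received":
            inbox[e["user"]].append(ts(e))
    bursts = defaultdict(list)
    for user, times in inbox.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > EMAIL_BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= EMAIL_BURST_THRESHOLD:
                bursts[user].append(t)
    return bursts

def external_helpdesk_chats(events):
    """Teams chats started by a sender outside the trusted domains whose
    display name looks like a help desk."""
    for e in events:
        if e["type"] != "teams_chat_created":
            continue
        domain = e["sender"].rsplit("@", 1)[-1].lower()
        if domain in TRUSTED_DOMAINS:
            continue
        if HELPDESK_NAME.search(e["sender_display_name"]):
            yield e, domain

def find_helpdesk_lure(events):
    """Alerts for external help-desk chats; 'high' when the target was
    email-bombed shortly before, the sequence Black Basta uses."""
    bursts = email_burst_times(events)
    alerts = []
    for chat, domain in external_helpdesk_chats(events):
        when = ts(chat)
        after_bomb = any(timedelta(0) <= when - t <= CHAT_FOLLOWUP_WINDOW
                         for t in bursts.get(chat["user"], []))
        alerts.append({"user": chat["user"], "sender": chat["sender"],
                       "sender_domain": domain, "after_email_burst": after_bomb,
                       "severity": "high" if after_bomb else "medium"})
    return alerts

# Constructed sample: alice receives 60 messages in ten minutes, then an
# external "Help Desk" chat; bob gets a similar chat with no preceding flood;
# carol is contacted by the real internal help desk.
def _t(minute, second=0):
    return (datetime(2024, 10, 28, 9, 0) + timedelta(minutes=minute, seconds=second)).isoformat()

SAMPLE_EVENTS = (
    [{"type": "email_received", "user": "alice@example.com", "ts": _t(0, 10 * i)} for i in range(60)]
    + [{"type": "teams_chat_created", "user": "alice@example.com", "ts": _t(40),
        "sender": "helpdesk@ithelp-tenant.onmicrosoft.com", "sender_display_name": "Help Desk"},
       {"type": "teams_chat_created", "user": "bob@example.com", "ts": _t(45),
        "sender": "support@support-tenant.onmicrosoft.com", "sender_display_name": "IT Support"},
       {"type": "teams_chat_created", "user": "carol@example.com", "ts": _t(50),
        "sender": "servicedesk@example.com", "sender_display_name": "Help Desk"}]
)

if __name__ == "__main__":
    for alert in find_helpdesk_lure(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints two alerts: alice (high, email burst followed by the external chat) and bob (medium, external help-desk chat only); carol's chat comes from a trusted domain and is not reported. The same logic applies to the phone-call variant if the second event type is a voice-call record instead of a Teams chat.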
(TLP: CLEAR) Comments: Black Basta is a sophisticated ransomware group that first emerged in April 2022 and rapidly became a significant threat, claiming more than 500 organizations worldwide. It has targeted 12 of the 16 critical infrastructure sectors, including healthcare and public health, and energy. Black Basta affiliates use several methods to gain initial access to targeted networks, such as spear-phishing, exploiting known vulnerabilities, and abusing valid credentials. Once inside, they move laterally and escalate privileges using tools such as Mimikatz, Remote Desktop Protocol (RDP), PsExec, and Cobalt Strike beacons. Organizations are strongly advised to run a robust, continuous security awareness program that teaches employees to recognize malicious emails and other social engineering, including unsolicited “IT support” contact over Teams or by phone. Because these chats originate from external Entra ID tenants, restricting Teams external access (federation) to an allowlist of known partner domains stops them before they reach users.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
BeaverTail malware resurfaces in malicious npm packages targeting developers.
(TLP: CLEAR) In September 2024, three malicious npm packages were discovered containing BeaverTail malware, a JavaScript downloader and information stealer linked to the North Korean campaign called Contagious Interview. This ongoing campaign, also monitored by Datadog as Tenacious Pungsan (also known as CL-STA-0240 or Famous Chollima), targets developers with backdoored npm packages. The malicious packages were:
- passports-js (118 downloads)
- bcrypts-js (81 downloads)
- blockscan-api (124 downloads)
These packages are no longer available for download. The Contagious Interview campaign, which began in November 2023, tricks developers into downloading harmful software under the guise of coding tests or innocuous video conferencing tools. This campaign has also involved other malicious npm packages and Python backdoors, with cryptocurrency-related tools such as etherscan-api being repeatedly mimicked to target the cryptocurrency sector.
Additional counterfeit packages identified in recent months, like eslint-module-conf and eslint-scope-util, aimed at harvesting cryptocurrencies and maintaining persistent access on compromised developer machines. Palo Alto Networks Unit 42 has confirmed that this method effectively spreads malware by exploiting job seekers’ trust when applying for positions online. The findings underscore a rising trend of threat actors misusing the open-source software supply chain to target developers and compromise downstream users. Datadog highlights that backdooring legitimate npm packages remains a common tactic in these operations, showcasing how individual developers continue to be key targets for North Korean-linked threat actors.
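The three package names above are look-alikes of real ones (passports-js for passport, bcrypts-js for bcryptjs, blockscan-api for etherscan-api), which is a property that can be checked before install. The following is an added example written for this report, not code from Datadog, Unit 42 or the original article: it reads the package names out of a package-lock.json, strips the filler suffixes squatters bolt on, and flags any name within a short edit distance of a trusted package, while names that are neither trusted nor look-alikes are reported as unvetted for manual review. The trusted list and the lockfile content are constructed for the demo; in practice feed it your registry's top-N list plus your own allowlist and the real lockfile.

```python
import json
import re

# Names you trust (assumption for the demo: in practice, your registry's
# top-N list plus your own allowlisted packages).
POPULAR = ["passport", "bcryptjs", "bcrypt", "etherscan-api", "eslint-scope",
           "eslint-module-utils", "express", "lodash", "web3"]

def levenshtein(a, b):
    """Edit distance, O(len(a)*len(b)); fine for package-name lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """Drop an npm scope and the filler suffixes squatters bolt on, so that
    'bcrypts-js' is compared as 'bcrypts' and 'bcryptjs' as 'bcrypt'."""
    name = name.rsplit("/", 1)[-1].lower()
    return re.sub(r"[-_.]?(js|node|api)$", "", name)

def classify(name, allowlist=POPULAR):
    """'allowlisted' for an exact trusted name, 'lookalike of X' when it is
    within a short edit distance of a trusted name, otherwise 'unvetted'."""
    if name in allowlist:
        return "allowlisted"
    norm = normalize(name)
    for trusted in allowlist:
        tnorm = normalize(trusted)
        limit = 1 if len(tnorm) < 8 else 2   # allow one typo in short names, two in long ones
        if levenshtein(norm, tnorm) <= limit:
            return f"lookalike of {trusted}"
    return "unvetted"

def lockfile_packages(text):
    """Package names from package-lock.json v2/v3 ('packages' keyed by path)
    or v1 ('dependencies'); nested node_modules paths reduce to the leaf name."""
    data = json.loads(text)
    names = set()
    for path in data.get("packages", {}):
        if path:  # "" is the root project itself
            names.add(path.rsplit("node_modules/", 1)[-1])
    names.update(data.get("dependencies", {}))
    return names

def audit_lockfile(text):
    return {name: classify(name) for name in sorted(lockfile_packages(text))}

# Constructed lockfile carrying the three package names from the report.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {}},
        "node_modules/express": {"version": "1.0.0"},
        "node_modules/express/node_modules/lodash": {"version": "1.0.0"},
        "node_modules/passports-js": {"version": "0.0.1"},
        "node_modules/bcrypts-js": {"version": "1.0.0"},
        "node_modules/blockscan-api": {"version": "1.0.2"},
    },
})

if __name__ == "__main__":
    for name, verdict in audit_lockfile(SAMPLE_LOCKFILE).items():
        print(f"{name:20} {verdict}")
```

Note that blockscan-api is not a character-level look-alike of etherscan-api (the mimicry is in purpose and naming pattern, not spelling), so edit distance alone does not catch it; it surfaces only because it is not on the allowlist. That is the argument for pairing typosquat heuristics with an explicit allowlist or internal registry rather than relying on either alone.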
(TLP: CLEAR) Comments: Malicious actors continue to look for ways to inject malicious code into legitimate programming packages in the hope that it will be used and give them unauthorized access to networks. Organizations should adopt a Secure Software Development Framework (SSDF) practice that includes static and dynamic code review so that no malicious code is used, and should pin and verify dependencies (lockfiles with integrity hashes, a vetted internal registry or allowlist) so that a look-alike package name cannot slip in unnoticed. All new code should also be exercised in a testing environment or sandbox that has no connectivity to production networks or systems.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION:
“Control:
- “a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
- “b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
- “c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and
- “d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2024/10/beavertail-malware-resurfaces-in.html
Massive Midnight Blizzard phishing attack via weaponized RDP files.
(TLP: CLEAR) A large phishing campaign run by the Russian threat group Midnight Blizzard (also known as APT29, UNC2452, or Cozy Bear) has been uncovered, targeting multiple sectors. Microsoft Threat Intelligence reports that the operation, first observed on October 22, 2024, uses spear-phishing emails carrying malicious Remote Desktop Protocol (RDP) configuration files. When a victim opens the file, the RDP client connects outbound to an attacker-controlled server, and because the file is configured to redirect the victim's local resources into the session, that server can read and write local and network drives, the clipboard, printers, smart cards and other authentication devices, and peripheral devices without exploiting any vulnerability. The campaign primarily targets government agencies, academic institutions, defence organizations, and NGOs, reaching thousands of targets in over 100 organizations across the U.S., Europe, the U.K., Australia, and Japan. The lures impersonate Microsoft and AWS employees and play on trust relationships in cloud services, and the emails were sent from legitimate compromised accounts, which enhances their credibility. Midnight Blizzard's wider toolset includes specialized malware such as FOGGYWEB and MAGICWEB, which target Active Directory Federation Services (AD FS) and enable movement from on-premises networks into cloud environments and persistent access. Through the redirected resources the attackers can install malware and maintain system access even after the RDP session ends. Recommended mitigations include hardening operating environments and endpoints, strengthening antivirus and Office 365 configuration, improving email security, and user training. Indicators of compromise (IoCs) include specific malicious sender domains and the RDP file names used in the campaign.
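An .rdp file is a plain text list of key:type:value settings (type s for string, i for integer, b for binary), so the dangerous ones can be checked by a mail gateway or a triage script before a user ever opens the attachment. The following is an added example written for this report, not code from Microsoft or from the original article: it parses that format and reports the settings that redirect local resources to the remote host, an unrecognised target host, and a disabled server-authentication check. The setting names are the standard RDP file keys; the sample file contents, the trusted host list and the risk descriptions are constructed for the demo.

```python
import re

# Settings that map the victim's local resources into the remote session; an
# attacker-controlled server on the far end can then read and write them.
RISKY = {
    "drivestoredirect": "local drives mapped into the session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart cards / certificates forwarded",
    "redirectprinters": "printers forwarded",
    "redirectcomports": "serial ports forwarded",
    "devicestoredirect": "plug-and-play devices forwarded",
    "usbdevicestoredirect": "USB devices forwarded",
    "redirectwebauthn": "WebAuthn / Windows Hello / security keys forwarded",
    "remoteapplicationmode": "RemoteApp mode hides that a full session is open",
}

def parse_rdp(text):
    """Parse 'key:type:value' lines (type s=string, i=integer, b=binary).
    Files saved by mstsc are often UTF-16LE; decode before calling this."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if not m:
            continue
        key, typ, val = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
        if typ == "i" and val.lstrip("-").isdigit():
            settings[key] = int(val)
        else:
            settings[key] = val
    return settings

def is_enabled(value):
    """Integer settings: nonzero is on. String list settings such as
    drivestoredirect: any non-empty value ('*' means everything)."""
    return value not in (0, "", None)

def assess_rdp(text, trusted_hosts=()):
    """Return a list of human-readable findings; empty means nothing risky."""
    s = parse_rdp(text)
    findings = []
    # 'full address' may carry a port; IPv6 literals are not handled here.
    host = str(s.get("full address", "")).split(":")[0].lower()
    if host and host not in trusted_hosts:
        findings.append(f"unrecognised host {host!r}")
    if is_enabled(s.get("gatewayhostname")):
        findings.append(f"routes via RD Gateway {s['gatewayhostname']!r}")
    for key, why in RISKY.items():
        if is_enabled(s.get(key)):
            findings.append(f"{key}={s[key]!r}: {why}")
    if s.get("authentication level", 2) == 0:
        findings.append("authentication level:i:0 suppresses server certificate warnings")
    return findings

# Constructed samples: a lure-style file that hands everything to the remote
# host, and a benign file pointing at an approved jump host.
SAMPLE_RDP = """\
full address:s:rdp.attacker-controlled.example:3389
prompt for credentials:i:0
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
devicestoredirect:s:*
redirectwebauthn:i:1
remoteapplicationmode:i:1
"""

BENIGN_RDP = """\
full address:s:jump.example.com
authentication level:i:2
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP, trusted_hosts=("jump.example.com",)):
        print("-", finding)
```

Run stand-alone it lists nine findings for the lure file and none for the benign one. The same checks, expressed as Group Policy settings that disable drive, clipboard and device redirection for the RDP client, remove the impact even when a user does open such a file.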
(TLP: CLEAR) Comments: Midnight Blizzard is a sophisticated threat group attributed to the Russian Foreign Intelligence Service (SVR) and active since at least 2018. It has mainly targeted government entities, diplomatic organizations, non-governmental organizations (NGOs), and IT service providers in the United States and Europe. To gain initial access the group uses spear-phishing, password spraying, exploitation of known vulnerabilities, and supply chain attacks, and it is proficient at stealing credentials and abusing OAuth applications to maintain persistence. Practical controls against this campaign are blocking or quarantining .rdp attachments at the mail gateway, denying outbound RDP (TCP/3389) from endpoints to the Internet, and using Group Policy to disable drive, clipboard and device redirection in RDP sessions.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide defence-in-depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cybersecuritynews.com/phishing-attack-weaponized-rdp-file/
LiteSpeed cache plugin vulnerability poses significant risk to WordPress websites.
(TLP: CLEAR) A high-severity security vulnerability, CVE-2024-50550 (CVSS score: 8.1), has been disclosed in the LiteSpeed Cache plugin for WordPress. It could allow unauthenticated attackers to gain administrative access and execute malicious actions, and has been fixed in version 6.5.2 of the plugin. The vulnerability stems from an issue in the is_role_simulation function, similar to the CVE-2024-28000 flaw identified earlier: a weak security hash that can be brute-forced, enabling abuse of the crawler feature to simulate a logged-in user, including an administrator. Exploiting this flaw requires specific plugin configurations in the Crawler settings. LiteSpeed's patch removes the role simulation process and changes the hash generation to use a random value generator, making the value unpredictable. The lesson is that security hashes and tokens must come from an unpredictable source. PHP's rand() and mt_rand() are adequate for general purposes but are not cryptographically secure; output seeded with mt_srand() is fully determined by the seed, so a token built from it can be regenerated by anyone who can guess the seed. random_bytes() or random_int() should be used for security-relevant values instead.
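To show concretely why a seeded mt_rand() token is brute-forceable, the following is an added example written for this report, not LiteSpeed Cache's actual code. It is written in Python because Python's random module is the same MT19937 Mersenne Twister generator as PHP's mt_rand()/mt_srand(), so the failure mode carries over directly: a token derived only from a seed is recovered by enumerating candidate seeds, whereas a token from the OS CSPRNG has no seed to enumerate. The token format, the seed value and the seed search range are assumptions for the demo; the PHP equivalents of the secure calls are random_bytes()/random_int() for generation and hash_equals() for comparison.

```python
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits

def weak_token(seed, length=6):
    """Token derived only from the seed (MT19937, like PHP mt_srand/mt_rand):
    same seed gives the same token, every time, on every host."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def recover_seed(observed, max_seed):
    """Attacker side: regenerate the token for every candidate seed and compare.
    A seed taken from time() or a 32-bit range is small enough to enumerate."""
    for seed in range(max_seed + 1):
        if hmac.compare_digest(weak_token(seed, len(observed)), observed):
            return seed
    return None

def strong_token(nbytes=16):
    """128 bits from the OS CSPRNG (PHP: bin2hex(random_bytes(16))):
    no seed, nothing to enumerate."""
    return secrets.token_hex(nbytes)

def verify_token(expected, presented):
    """Constant-time compare (PHP: hash_equals) so the check itself does not
    leak the value through timing."""
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    victim = weak_token(4242)   # the seed is the only secret, and it is small
    print("weak token", victim, "recovered from seed", recover_seed(victim, 10_000))
    print("strong token", strong_token(), "(not recoverable by search)")
```

The brute force here succeeds in at most a few thousand guesses because the seed space is small; a 32-bit seed only raises the cost to a few billion regenerations, which is still feasible offline. The fix is not a larger seed but removing the seed entirely, which is what the CSPRNG path does.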
This is the third security issue in LiteSpeed Cache in two months, following CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2). Similar concerns were noted with Ultimate Membership Pro, where two critical vulnerabilities (CVE-2024-43240 and CVE-2024-43242) allowed privilege escalation and code execution. Patchstack CEO Oliver Sild warns users to stay vigilant, especially given the ongoing legal dispute between Automattic, the company behind WordPress.com, and WP Engine, which could lead to plugin abandonment. Users need to monitor communication channels to ensure they receive updates, as plugins removed from the repository may not be updated, leaving sites exposed to potential exploits.
(TLP: CLEAR) Comments: The LiteSpeed Cache plugin provides an all-in-one site acceleration solution that integrates caching mechanisms and various optimization features. It is advised that the organization's security policy include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches; for WordPress sites this means tracking plugin advisories and removing plugins that are no longer maintained. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra defense-in-depth measures to protect the systems that cannot be updated.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, lets you create your own rules in a variety of formats with the UltraWAF policy editor. You also have the option to continuously add protection against new threats through signature protection for CVEs and CWEs (such as CMS vulnerabilities) captured by our threat research team.
Source: https://thehackernews.com/2024/10/litespeed-cache-plugin-vulnerability.html
FortiManager devices mass compromise exploiting CVE-2024-47575 vulnerability.
(TLP: CLEAR) Shadowserver has issued an urgent warning regarding active exploitation of CVE-2024-47575 in Fortinet FortiManager devices. This critical flaw, known as “FortiJump,” has a CVSS score of 9.8/10 and allows unauthenticated attackers to execute arbitrary code or commands on affected systems. The vulnerability is a missing authentication check for a critical function in the FortiManager fgfmd daemon, the service that handles the FortiGate-to-FortiManager (FGFM) protocol on TCP port 541, so an attacker who can reach that port with an unauthorized device can execute code or commands without credentials. Fortinet has confirmed that attackers are exploiting this vulnerability to exfiltrate sensitive data; Mandiant observed the configuration data of managed FortiGates being taken, including users and their hashed passwords, which is why changing passwords and other sensitive data linked to FortiManager systems is urged. Shadowserver's report classifies devices into those confirmed compromised and those targeted but not yet confirmed as compromised, and advises organizations to treat all targeted devices as potentially compromised unless thorough forensic analysis proves otherwise. The report notes that identifying affected devices may be complex due to factors like multiple IP addresses and NAT traversal. Mandiant attributes the attacks to the threat actor group UNC5820 and reports that the exploitation campaign began as early as June 27, 2024, impacting more than 50 FortiManager appliances across various industries. The widespread nature of these attacks highlights a critical and rapidly evolving threat. Organizations using FortiManager are strongly encouraged to apply Fortinet's patches, or to use the published workarounds if patching is not immediately feasible. Shadowserver emphasizes the importance of sharing retrospective data to help potential victims mitigate risks, and cybersecurity experts recommend vigilance, monitoring for indicators of compromise, and swift reporting of any suspicious activity related to FortiManager deployments.
(TLP: CLEAR) Comments: It is advised that the organization's security policy include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra defense-in-depth measures to protect the systems that cannot be updated. For FortiManager specifically, the FGFM service (TCP/541) should never be reachable from the Internet at large: restrict the source addresses that may connect to it to the managed FortiGates, and, where the firmware supports it, apply Fortinet's workaround that denies registration attempts from unknown devices. Any appliance that was exposed should be treated as compromised until forensic review says otherwise, since exploitation leaves the attacker with the managed devices' configuration and credential hashes.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, lets you create your own rules in a variety of formats with the UltraWAF policy editor. You also have the option to continuously add protection against new threats through signature protection for CVEs and CWEs (such as CMS vulnerabilities) captured by our threat research team.
Source: https://cybersecuritynews.com/fortimanager-devices-mass-compromise/
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.