Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In June, the team discussed threat intelligence, notable vulnerabilities and trends, threat hunting, security operations center (SOC) engineering insights, and deception technologies.
The Assistant Vice President of Digital Forensics and Incident Response discussed June’s heavy threat activity, particularly ransomware and business email compromise (BEC). Though the tactics and tools may change, the team expects these two types of attacks to continue to evolve.
The Vulnerability Management Program Team Lead reviewed notable vulnerabilities from May and June. Based on 2024 numbers, he estimates that the new normal is roughly 2,900 disclosed vulnerabilities per month, up from 2023. Of the May disclosures, 258 were rated high risk, and seven of those were known to be exploited in the wild, affecting Justice AV Solutions, Google Chrome, and Microsoft products.
In June, Microsoft patched CVE-2024-30078, a remote code execution vulnerability in the Windows Wi-Fi driver that is present in every supported version of Windows. It requires no authentication and no user interaction: an attacker within Wi-Fi range sends a specially crafted network packet to the target device, so any user on the same Wi-Fi network as the attacker can be hit. Users who work from public Wi-Fi networks are particularly at risk, and a laptop compromised there can be used to reach co-workers once it rejoins the corporate network. Because successful exploitation can give the attacker complete control of the system, this is an important patch, though at the time of the webinar the vulnerability was not known to be exploited in the wild.
The SOC Director talked about cyber activity that the team is currently monitoring on client networks.
Social engineering tactics. The SOC is seeing an increase in compromises that originate from social engineering help desk calls. The team recommends that organizations use stricter verification procedures for the help desk and any employee who can reset MFA or passwords. Also, as always, user awareness training is essential.
Ransomware is still the most prevalent malware attack, and the team expects this trend to continue for the foreseeable future.
Phishing emails, particularly shipping notification emails with a financial lure, remain prevalent, though less common now than during tax season. Most of these emails link to credential harvesting web pages, and the use of artificial intelligence services, such as ChatGPT, is making phishing emails harder to spot because the language is more convincing and the grammar is correct. To reduce the risk, the team suggests monitoring for newly created or modified inbox rules, which attackers commonly use to hide their access to a compromised mailbox, and offering user awareness training to employees.
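The inbox-rule check above can be automated. The following is an added example written for this summary, not Pondurance tooling or code from the webinar. It scores mailbox audit records for the tells of an attacker-created rule: a one-character or punctuation-only rule name, a filter on security-themed subject words, deletion of matching mail, moving mail to a folder nobody reads, or forwarding to an external address. The record layout, the field names, the folder list, the internal domain and the threshold are all assumptions chosen for the example; the sample records are constructed, not real audit data.

```python
"""Flag attacker-style mailbox inbox rules in audit records (added example)."""
import json

# Assumptions for this example: the organisation's own mail domains, folders
# attackers use to park mail out of sight, and subject words worth a point.
INTERNAL_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}
SECURITY_WORDS = {"password", "mfa", "hacked", "phish", "suspicious",
                  "sign-in", "helpdesk", "fraud", "security"}
THRESHOLD = 2  # a rule scoring at least this much is reported

# Constructed sample audit records, one JSON object per line, loosely modelled
# on New-InboxRule / Set-InboxRule events. Field names are an assumption.
SAMPLE_AUDIT_LOG = r'''
{"UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":{"Name":"Receipts","SubjectContainsWords":["invoice","payment"],"MoveToFolder":"Archive"}}
{"UserId":"bob@example.com","Operation":"New-InboxRule","Parameters":{"Name":".","SubjectContainsWords":["password","mfa","suspicious sign-in"],"DeleteMessage":true,"MarkAsRead":true}}
{"UserId":"carol@example.com","Operation":"Set-InboxRule","Parameters":{"Name":"fwd","ForwardTo":["drop@attacker.example"]}}
{"UserId":"dave@example.com","Operation":"New-InboxRule","Parameters":{"Name":"rss","MoveToFolder":"RSS Feeds","SubjectContainsWords":["helpdesk"]}}
{"UserId":"erin@example.com","Operation":"Remove-InboxRule","Parameters":{"Name":"old"}}
'''


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def score_rule(params):
    """Return (score, reasons) for one inbox-rule parameter set."""
    score, reasons = 0, []
    name = str(params.get("Name", "")).strip()
    # Attackers often name rules "." or "..", so they are easy to overlook.
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"obfuscated rule name {name!r}")
    words = [w.lower() for key in ("SubjectContainsWords", "BodyContainsWords")
             for w in params.get(key, [])]
    hits = sorted({s for s in SECURITY_WORDS for w in words if s in w})
    if hits:
        score += 1
        reasons.append("matches security keywords " + ", ".join(hits))
    if params.get("DeleteMessage"):
        score += 1
        reasons.append("deletes matching mail")
    if str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        score += 1
        reasons.append(f"moves mail to rarely read folder {params['MoveToFolder']!r}")
    external = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        external += _external(params.get(key, []))
    if external:
        score += 2  # external forwarding is reportable on its own
        reasons.append("forwards to external " + ", ".join(external))
    return score, reasons


def find_suspicious_rules(log_text):
    """Parse JSON-lines audit records and return the rules worth a ticket."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue  # removals and unrelated operations are not scored here
        params = rec.get("Parameters", {})
        score, reasons = score_rule(params)
        if score >= THRESHOLD:
            findings.append({"user": rec["UserId"], "rule": params.get("Name"),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{f['user']}: rule {f['rule']!r} score {f['score']}: "
              + "; ".join(f["reasons"]))
```

Run against the constructed records, the detector reports bob (obfuscated name, security keywords, deletes mail), carol (external forward) and dave (helpdesk keyword, RSS Feeds folder) and leaves alice's ordinary receipts rule alone. In production the weights should be tuned against the tenant's own baseline of legitimate rules, and a hit on a user who recently reset MFA or a password through the help desk deserves the highest priority.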
The Senior Manager of SOC Engineering focused on a recent event in the news: a second ransomware demand against Change Healthcare, a UnitedHealth Group subsidiary. In February, the ALPHV/BlackCat ransomware group breached Change Healthcare, and UnitedHealth Group paid a $22 million ransom. The U.S. State Department offered a $10 million reward for information on individuals linked to the threat group, and shortly thereafter the group went dark. Then, in June, RansomHub demanded a ransom for the same February breach.
The Senior Manager of SOC Engineering discussed speculation that RansomHub is an affiliate of ALPHV and that ALPHV should have shared the large ransom payment with RansomHub but didn't. There's not much hard evidence that this scenario occurred, but there are reasons to believe it. Both groups use the same ransomware, which was developed by ALPHV, and posts on the dark web stated that ALPHV sold the ransomware. There's also a theory that ALPHV could have left a backdoor that gave RansomHub access to the stolen data.
Overall, the team suggests that it's best to assume RansomHub is an affiliate of ALPHV until proven otherwise, and that this is an important consideration for any organization being threatened by a ransomware-as-a-service adversary: paying one group does not guarantee that the data is not also in the hands of another. To minimize risk, the team recommends that organizations continue user awareness training, use MFA, and maintain visibility into all key aspects of their networks. In addition, the team asks clients to share details of their crown jewels, significant IP addresses, VIP lists, honeytokens, and anything distinct to the network that can give the team an edge against threat actors.
The Detection Engineer talked about basic deception technologies that clients can use as a covert measure to help protect their networks.
The Detection Engineer explained that deception technology is already present in most environments, because antivirus and endpoint detection and response (EDR) solutions plant decoy files. All EDRs that Pondurance deploys have decoy or deception technology built in, with the exception of Microsoft Defender. He also discussed other deception assets that can be created or purchased, including decoy QR codes, fake MySQL or other SQL dumps, custom .exe files, Raspberry Pi devices, and more.
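To make the fake SQL dump idea concrete, here is an added example, written for this summary rather than taken from the webinar or from any Pondurance product. It creates a decoy service account whose name is unique to one planting location, renders a mysqldump-style file containing that account, records the decoy in a registry, and then scans authentication log lines for any use of the decoy name. Because the account was never issued to anyone, a single login attempt with it is high-confidence evidence that the dump was taken and read. The planting location, the file format, the log format and the log lines are all constructed for the example.

```python
"""Plant a decoy SQL dump with honeytoken accounts and detect their use (added example)."""
import hashlib
import secrets


def make_canary_user(plant_location, registry):
    """Create a unique decoy account and record where the file containing it lives."""
    token_id = secrets.token_hex(4)          # 8 hex chars, unique per planted copy
    username = f"svc_backup_{token_id}"      # plausible name, never issued for real
    password = secrets.token_hex(8)          # only ever stored as a hash in the dump
    registry[username] = plant_location
    return username, password


def render_sql_dump(canaries):
    """Render a fake mysqldump-style users table holding the decoy accounts."""
    lines = [
        "-- MySQL dump 10.13  Distrib 8.0.36, for Linux (x86_64)",
        "CREATE TABLE `users` (`id` int, `username` varchar(64), `password_hash` varchar(64));",
    ]
    rows = [f"({i},'{user}','{hashlib.sha256(pw.encode()).hexdigest()}')"
            for i, (user, pw) in enumerate(canaries, start=1)]
    lines.append("INSERT INTO `users` VALUES " + ",".join(rows) + ";")
    return "\n".join(lines)


def detect_canary_use(log_lines, registry):
    """Alert on any log line that mentions a decoy account, naming where it was planted."""
    alerts = []
    for line in log_lines:
        for user, where in registry.items():
            if user in line:
                alerts.append({"user": user, "planted_in": where, "evidence": line})
    return alerts


def demo():
    """Plant one decoy dump on a (hypothetical) file share, then replay constructed auth logs."""
    registry = {}
    plant = "fileshare://finance/db_backup_2024.sql"   # assumption: where the decoy is dropped
    user, pw = make_canary_user(plant, registry)
    dump = render_sql_dump([(user, pw)])
    # Constructed sshd-style lines: one benign login, one attempt with the decoy account.
    logs = [
        "Jun 20 02:13:55 db01 sshd[4401]: Accepted publickey for deploy from 10.0.4.12 port 50122 ssh2",
        f"Jun 20 02:14:07 db01 sshd[4412]: Failed password for invalid user {user} from 203.0.113.7 port 51512 ssh2",
        "Jun 20 02:15:01 db01 CRON[4420]: pam_unix(cron:session): session opened for user root",
    ]
    return dump, detect_canary_use(logs, registry)


if __name__ == "__main__":
    dump, alerts = demo()
    print(dump)
    for a in alerts:
        print(f"ALERT: decoy {a['user']} planted in {a['planted_in']} was used: {a['evidence']}")
```

Two design points matter in practice. Each planted copy gets its own random suffix, so the alert tells you which file was exfiltrated, not just that one was. And the decoy must be excluded from any real identity source; the detection is only trustworthy when nothing legitimate could ever reference the account.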
The Pondurance team will host another webinar in July to discuss new cybersecurity activity. Check back next month to read the summary.