APG Threat Digest: 18th Edition

Welcome to this week’s edition of the Threat Digest, where we delve into the latest and most critical developments in the cybersecurity landscape. In this issue, we address a spectrum of emerging cyberthreats and vulnerabilities. From the high-risk command injection vulnerability in FortiSIEM affecting multiple sectors, to the sophisticated tactics of the Scattered Spider cybercriminal group, we explore the intricate challenges facing IT security today. Additionally, we cover:

• the unconventional extortion strategies of the ALPHV ransomware group,
• Intel’s patch for the ‘Reptar’ CPU vulnerability,
• VMware’s critical authentication bypass issue,
• the ongoing risks of the Citrix Bleed vulnerability exploited by LockBit ransomware, and
• the evolving tactics of Ducktail malware.

Each section provides in-depth analysis and actionable insights to help you stay ahead of these evolving cyberthreats.

Fortinet has alerted customers about a critical vulnerability (CVE-2023-36553) in FortiSIEM, a key cybersecurity solution employed across sectors including healthcare, finance, retail, and government. This OS command injection flaw, internally identified as a variant of FG-IR-23-130, enables remote, unauthenticated attackers to execute unauthorized commands through crafted API requests. Affecting all FortiSIEM versions from 4.7 to 5.4, the vulnerability necessitates upgrading to versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 and later to mitigate risks. The urgency is amplified by Fortinet’s history of being targeted in sophisticated attacks, including state-backed hacking groups exploiting vulnerabilities to infiltrate government networks. Organizations are advised to promptly upgrade and regularly review their security systems for vulnerability patches.

The FBI and CISA have released a joint advisory on Scattered Spider, a cybercriminal group targeting commercial facilities and IT help desks. Known for data theft and ransomware use, notably BlackCat/ALPHV, the group specializes in social engineering tactics like phishing and SIM swapping to gain unauthorized access. They adeptly utilize legitimate tools and malware, frequently modifying their tactics to evade detection. A new trend involves encrypting files post-exfiltration. Scattered Spider’s extensive tactics include account takeovers, exploiting multifactor authentication, and maintaining network persistence through various sophisticated methods. They perform extensive discovery, lateral movement, and exfiltration activities within compromised networks. The advisory recommends secure-by-design principles in software development and adherence to Cross-Sector Cybersecurity Performance Goals (CPGs) to mitigate these threats.

The ALPHV/BlackCat ransomware group, known for its double-extortion scheme and advanced tactics like privilege escalation, lateral movement, and exploiting Remote Monitoring and Management (RMM) solutions within corporate networks, has adopted an unprecedented approach in extortion. According to an article from Dissent, they filed an SEC complaint against MeridianLink after the software company allegedly failed to disclose a cyberattack within four days as per SEC rules. MeridianLink, a software company providing digital solutions for financial organizations, was reportedly breached on November 7, with data stolen but systems left unencrypted. This action by ALPHV represents a significant shift in ransomware strategies, moving beyond traditional data theft and encryption to leveraging regulatory compliance as a pressure tactic. The incident underscores the evolving behavior of threat actors and the importance of timely incident reporting.

Intel has addressed a high-severity vulnerability, CVE-2023-23583, known as ‘Reptar,’ affecting various modern CPUs, including Alder Lake, Raptor Lake, and Sapphire Rapids. The flaw has a CVSS score of 8.8, denoting its high severity and potential impact. This ‘Redundant Prefix Issue’ could enable attackers to escalate privileges, access sensitive information, or cause a denial of service. Discovered internally and independently by Google researchers, Reptar presents unusual behaviors in CPU processing. Intel has released microcode updates for affected processors and recommends users update their BIOS, system OS, and drivers to incorporate these fixes.

VMware has disclosed a critical authentication bypass vulnerability, CVE-2023-34060, in its Cloud Director Appliance (VCD Appliance). This flaw, rated with a high severity score of 9.8, specifically impacts VCD Appliance versions upgraded to 10.5 from older releases. A malicious actor with network access can exploit this vulnerability to bypass login restrictions on ports 22 (ssh) and 5480 (appliance management console). Notably, the issue does not exist on new installations of VCD Appliance 10.5, nor does it affect port 443 (VCD provider and tenant login). To address this critical security concern, VMware has provided guidance in KB95534 for affected deployments, recommending updates to remediate the vulnerability. It’s important to note that this vulnerability stems from a version of sssd used in the underlying Photon OS of the appliance. Other appliances are not affected by this vulnerability. VMware urges administrators to follow the recommended upgrade path to secure their systems.

The Citrix Bleed vulnerability continues to pose significant risks, now exploited by LockBit ransomware attacks against large organizations. As noted in a previous Threat Digest, patches were released for this vulnerability prior to Halloween, but despite the availability of Citrix’s fixes, over 10,400 servers, predominantly in the U.S., remain vulnerable. This exploitation has led to significant breaches at companies like ICBC, DP World, Allen & Overy, and Boeing, according to an article from researcher Kevin Beaumont. The attacks, leveraging publicly available exploits, underscore the urgency for system administrators to patch their systems to prevent data theft and encryption. The large-scale exposure of unpatched servers highlights a critical need for immediate action to secure networks against these ongoing threats.

The Ducktail malware family, active since the latter half of 2021, has recently advanced its tactics by switching from .NET applications to Delphi in a campaign targeting Facebook business accounts. SecureList observed this strategic shift starting in March 2023 and found it’s primarily aimed at marketing professionals. It is believed to enhance evasion from signature-based detection systems. The malware is spread via fake job advertisements, with the attackers sending archives containing malicious executables disguised as PDFs. Upon execution, these files install a browser extension designed to steal, and likely sell, Facebook business and ads accounts. This extension, masquerading under the guise of legitimate services like Google Docs Offline, is adept at bypassing two-factor authentication using Facebook API requests and external services. The malware’s operations include the use of PowerShell scripts, saving malicious DLLs, and exfiltrating stolen credentials to a command-and-control (C2) server based in Vietnam. The campaign predominantly targeted users in India, alongside attempts in several other countries globally, signifying a significant evolution in Ducktail’s operational sophistication and threat landscape presence.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.