In this week’s Threat Digest, we once again dive into the ever-evolving landscape of cyber threats. From Octo Tempest’s transition from SIM swaps to aggressive ransomware campaigns to the scary Citrix Bleed getting patched just in time for Halloween, we underline the critical need for vigilance and timely updates. As new players like Hunters International emerge and familiar brands like Microsoft Exchange get targeted again, we underscore the importance of staying informed and proactive in the face of potential cybersecurity breaches.

Microsoft has revealed insights into Octo Tempest, an English-speaking threat actor exhibiting advanced social engineering skills. Originally involved in SIM swaps and account thefts, particularly of high-profile individuals with cryptocurrency assets, the group transitioned in late 2022 to a more aggressive approach involving phishing, mass password resets, and data theft. They later partnered with the ALPHV/BlackCat ransomware group, utilizing the ransomware to both encrypt and steal data. Notably, Octo Tempest has threatened physical harm to extract login credentials in some cases. Their recent attacks span numerous sectors, from gaming to financial services. Microsoft underscores the group’s sophistication, highlighting their targeting of technical administrators and their ability to convincingly impersonate targets. The group also uses a myriad of tools and methods to maintain access, hide their tracks, and exfiltrate data. Their primary motivations are financial, focusing on cryptocurrency theft, data extortion, and ransom demands.

VMware has released security updates addressing a critical vulnerability (CVE-2023-34048) in its vCenter Server, which is pivotal for managing and monitoring the vSphere suite. Discovered by Grigory Dorodnov from Trend Micro’s Zero Day Initiative, this vulnerability stems from an out-of-bounds write issue in the vCenter’s DCE/RPC protocol. The flaw allows unauthenticated attackers to initiate remote code execution attacks without user interaction, though VMware hasn’t found evidence of its active exploitation. Patches are now available through standard vCenter Server update channels, and, given the vulnerability’s severity, VMware has also extended patches to certain end-of-life products. Without any available workarounds, VMware advises administrators to rigidly oversee network perimeter access to vSphere components and has identified network ports that may be susceptible. Another moderate vulnerability (CVE-2023-34056) linked to potential information disclosure was also addressed, with VMware recommending organizations act promptly.

Citrix recently addressed a critical-severity flaw known as the Citrix Bleed vulnerability (CVE-2023-4966) in their NetScaler ADC and NetScaler Gateway appliances. This vulnerability, which permits attackers to extract authentication session cookies, had been discreetly exploited in limited attacks since late August 2023. The situation escalated when, post Citrix’s initial patching, Mandiant highlighted its exploitation as a zero-day. This week, with exploitation rates rising, Citrix urged administrators to implement the fix without delay. Further insight into the flaw came from researchers at Assetnote, who have now unveiled a proof-of-concept exploit on GitHub. The vulnerability stems from a buffer-related flaw that can lead to account hijacking. In light of the exploit’s publication, a surge in targeted attacks on Citrix Netscaler devices is anticipated. System administrators are strongly advised to promptly apply patches to mitigate potential ransomware and data theft threats.

A recently disclosed Proof-of-Concept (PoC) exploit targets a significant Microsoft Exchange Server vulnerability, CVE-2023-36745, allowing remote attackers to execute code and potentially manipulate user data, leading to system downtime. The flaw stems from a bypass in a Microsoft Exchange SharedTypeResolver function which allows for sidestepping system checks and allowing attackers to exploit the vulnerability, which can lead to Remote Code Execution (RCE). This grants attackers substantial control over the Exchange Server. Despite protective measures taken by .NET Framework 4, attackers found ways around, including using SMB sharing from external machines. Notably, researcher N1k0la confirmed these vulnerabilities with a PoC exploit on Github. Microsoft has released a patch, but many organizations remain vulnerable due to not updating their systems.

A new ransomware group, Hunters International, has surfaced, bearing significant code similarities to the previously known Hive ransomware operation. This observation suggests that the Hive group may have rebranded itself. Expert analysis revealed that over 60% of the code in Hunters International matches that of Hive. Despite these findings, the Hunters International team denies these claims, asserting they purchased the encryptor source code from Hive. Interestingly, their primary objective isn’t just encryption; they also prioritize data theft to exert more pressure on victims during ransom negotiations. Their modus operandi includes appending a “.LOCKED” extension to encrypted files and leaving a “Contact Us.txt” ransom note. Currently, they’ve targeted a UK school, disclosing they’ve taken nearly 50,000 files. In hindsight, the Hive ransomware operation halted after its sites were confiscated earlier this year, following an FBI operation that monitored them for six months, culminating in the recovery of over 1,300 decryption keys for victims.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.