Between Feb. 21-28, 2024, Blackpoint’s Security Operations Center (SOC) responded to 168 total incidents. These incidents included 13 on-premises MDR incidents, two Cloud Response for Google Workspace incidents, and 153 Cloud Response for Microsoft 365 incidents. We additionally continued to monitor for instances of ScreenConnect vulnerability exploitation, which you can learn about here. In this blog, we discuss some of the incidents we observed, why they’re important, and how you can mitigate these types of incidents with Blackpoint Cyber.

February 22, 2024 – Vidar Incident

On Feb. 22, 2024, the SOC was alerted by Sophos to the processes ScreenConnectUpdate.exe and UpdateConnect.exe on multiple hosts. Further analysis revealed that the processes were related to the Vidar malware masquerading as a ScreenConnect update. We isolated all involved machines for the affected Managed Service Provider to avoid further malicious activity.

Vidar is an information stealing malware that is offered as a malware-as-a-service (MaaS), first detected in 2018. Due to its status as a MaaS operation, Vidar is deployed by multiple threat actors to steal operating system data, account credentials, payment card data, browser history, and cryptocurrency data.

This incident was not due to exploitation of the disclosed ScreenConnect vulnerabilities – CVE-2024-1709 (CVSS score 10, authentication bypass) and CVE-2024-1708 (CVSS score 8.4, path traversal) – but rather to the Vidar malware masquerading as a legitimate ScreenConnect update. Vidar has historically been disguised as Windows activation software; however, threat actors have often been observed masquerading malware as ubiquitous software of all types, including software updates, privacy tools, and remote monitoring and management (RMM) software (e.g., TeamViewer). Threat actors will likely continue to masquerade malware as legitimate software over the next 12 months to gain initial access and evade detection.
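The masquerade in this incident is detectable from process telemetry alone: a genuine ScreenConnect client binary lives in a fixed install directory, carries a known file name, and is signed by ConnectWise, whereas a lure named ScreenConnectUpdate.exe or UpdateConnect.exe launched from a user's Temp or Downloads folder satisfies none of those. The following is an added hunting example written for this post, not Blackpoint's or ConnectWise's code. The legitimate install path pattern, client binary names, publisher string and the sample events are assumptions constructed for the example; check them against your own deployment before relying on them.

```python
"""Hunt process-creation events for binaries masquerading as ScreenConnect.

Added example (not Blackpoint's or ConnectWise's code). Every process whose
file name evokes ScreenConnect is checked against what a genuine client looks
like; each failed check becomes a reason string. The legitimate locations,
names and signer below are assumptions for the example.
"""
import re
from dataclasses import dataclass

# Assumed properties of a genuine ScreenConnect client install (verify locally).
LEGIT_SIGNER = "connectwise, llc"
LEGIT_DIR_PATTERN = re.compile(
    r"^c:\\program files( \(x86\))?\\screenconnect client \([0-9a-f]+\)\\", re.I
)
LEGIT_IMAGE_NAMES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.windowsbackstageshell.exe",
}
# File names that borrow the ScreenConnect/ConnectWise brand (includes the two lures from the incident).
LURE_PATTERN = re.compile(r"(screenconnect|connectwise|updateconnect)", re.I)
# User-writable staging directories where dropped payloads typically run from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the launched executable
    parent_image: str   # full path of the parent process
    signed: bool        # True if the sensor validated the Authenticode signature
    signer: str         # subject of the signing certificate, '' if unsigned


def assess(event):
    """Return the list of reasons this event is suspicious (empty means benign)."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if not LURE_PATTERN.search(name):
        return reasons  # not pretending to be ScreenConnect at all
    if not LEGIT_DIR_PATTERN.match(event.image):
        reasons.append("outside ScreenConnect client install directory")
    if name not in LEGIT_IMAGE_NAMES:
        reasons.append(f"unexpected binary name {name!r}")
    if not (event.signed and event.signer.lower() == LEGIT_SIGNER):
        reasons.append("not signed by expected publisher")
    if USER_WRITABLE.match(event.image):
        reasons.append("running from user-writable directory")
    return reasons


def hunt(events):
    """Map host -> {image path: reasons} for every suspicious event."""
    findings = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.setdefault(ev.host, {})[ev.image] = reasons
    return findings


# Constructed sample telemetry (Sysmon event 1 style), not real incident data.
SAMPLE_EVENTS = [
    ProcessEvent("WS01",
                 r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe", True, "ConnectWise, LLC"),
    ProcessEvent("WS01", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnectUpdate.exe",
                 r"C:\Windows\explorer.exe", False, ""),
    ProcessEvent("WS02", r"C:\Users\asmith\Downloads\UpdateConnect.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True, "Some Random Signer Ltd"),
    ProcessEvent("WS02", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for image, reasons in hits.items():
            print(f"[{host}] {image}\n    - " + "\n    - ".join(reasons))
```

Run as-is, the genuine client on WS01 and notepad.exe produce nothing, while the two lures are each flagged for location, name, signature and staging directory. A signed-but-wrong-publisher binary (WS02) is still caught, which matters because commodity stealers are sometimes shipped with a purchased or stolen certificate.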

To learn more about Blackpoint’s perspective on the ScreenConnect vulnerabilities, watch our on-demand webinar here.

February 26, 2024 – Malicious ZIP Incident

On Feb. 26, 2024, the SOC was alerted by Sophos to malicious activities involving one of the businesses we protect in the Hotels and Entertainment industry. The alerts detailed:

  • ‘Cleanup_3c (T1059.007)’ on a client endpoint
  • ‘Exec_38a (T1204.002)’ detected in ‘C:\Windows\System32\wscript.exe’

In response, we isolated the device because of the JavaScript file executed via wscript.exe highlighted in the Exec_38a event, and the behavioral detection of malicious activity within a ZIP file indicated by the Cleanup_3c event. The SOC conducted further analysis and identified the malicious ZIP file on disk; however, we did not observe any follow-on executions or network connections related to the detection.

The SOC observed the following binary names:

  • c:\users\$username\appdata\local\temp\\hotel barter agreement template 38156.js
  • c:\users\$username\appdata\local\temp\f356a8c7-1859-48e0-b090-dca9179d70d0_hotel_barter_agreement_template_26539 (2).zip

The matching lure names point to a correlation between the ZIP file’s presence and the subsequent execution of the malicious JavaScript, and to the ZIP file as the likely initial attack vector. Malicious ZIP files are often observed in both advanced persistent threat (APT) and cybercriminal (initial access brokers, ransomware operators, etc.) attacks. Archiving the payload lets a threat actor hide it from mail filters and have the user execute a script that downloads and runs malware or performs other malicious actions. Social engineering attacks with malicious files, including ZIP files, have steadily remained one of the most relied-upon initial access vectors over the past three years. It is likely that threat actors will continue to rely on phishing emails with malicious attachments over the next 12 months for initial access.
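The correlation the SOC drew by hand can be automated: the two file names above share a lure title once the GUID prefix the mail client prepends, the “(2)” re-download suffix, the numeric counters and the underscores are stripped. The following is an added example written for this post, not Blackpoint’s or Sophos’s detection logic. It takes a wscript.exe/cscript.exe process-creation event plus a listing of files in the same directory, normalises the names, and reports the archive that delivered the script together with the MITRE technique IDs from the alerts. The host name, user name and file listing are constructed for the example.

```python
"""Correlate a script-host execution with the archive that delivered it.

Added example (not Blackpoint's or Sophos's code). A wscript/cscript event is
linked to a ZIP in the same directory when both file names reduce to the same
lure title. Sample events are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Staging paths where phishing attachments are typically opened straight from the mail client or browser.
STAGING = re.compile(r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)(\\|$)", re.I)
GUID_PREFIX = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}[_ -]?", re.I)
COPY_SUFFIX = re.compile(r"\s*\(\d+\)$")          # " (2)" from a re-downloaded attachment
TRAILING_NUMBER = re.compile(r"[\s_-]*\d+$")      # " 38156" / "_26539" lure counters


def lure_title(filename):
    """Reduce a lure file name to its human-readable title for matching."""
    stem = PureWindowsPath(filename).stem.lower()
    stem = GUID_PREFIX.sub("", stem)
    stem = COPY_SUFFIX.sub("", stem)
    stem = TRAILING_NUMBER.sub("", stem)
    stem = stem.replace("_", " ")
    return " ".join(stem.split())


def script_argument(cmdline):
    """Return the script path passed to wscript/cscript, or None if there is none."""
    # Handles quoted and unquoted paths; host switches such as //B or //E:jscript are skipped.
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    for quoted, bare in tokens[1:]:
        tok = quoted or bare
        if tok.startswith("/"):
            continue
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def correlate(event, files_on_disk):
    """Return a finding dict for a script-host event, or None if it is not one."""
    if PureWindowsPath(event["image"]).name.lower() not in SCRIPT_HOSTS:
        return None
    script = script_argument(event["command_line"])
    if script is None:
        return None
    script_path = PureWindowsPath(script)
    finding = {
        "host": event["host"],
        "script": script,
        "techniques": ["T1059.007"],   # JavaScript executed through a script host
        "staged_in_user_dir": bool(STAGING.match(str(script_path.parent))),
        "delivery_archive": None,
    }
    title = lure_title(script_path.name)
    for path in files_on_disk:
        p = PureWindowsPath(path)
        if (p.suffix.lower() in ARCHIVE_EXTS
                and str(p.parent).lower() == str(script_path.parent).lower()
                and lure_title(p.name) == title):
            finding["delivery_archive"] = path
            finding["techniques"].append("T1204.002")  # user opened the malicious file
            break
    return finding


# Constructed sample telemetry, not real incident data (file names mirror the post).
SAMPLE_EVENT = {
    "host": "FRONTDESK-07",
    "image": r"C:\Windows\System32\wscript.exe",
    "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\hotel barter agreement template 38156.js"',
}
SAMPLE_FILES = [
    r"C:\Users\jdoe\AppData\Local\Temp\f356a8c7-1859-48e0-b090-dca9179d70d0_hotel_barter_agreement_template_26539 (2).zip",
    r"C:\Users\jdoe\AppData\Local\Temp\hotel barter agreement template 38156.js",
    r"C:\Users\jdoe\Downloads\invoice_q1.pdf",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENT, SAMPLE_FILES))
```

The normalisation is deliberately lossy (a title that legitimately ends in digits loses them too), but because the same reduction is applied to both names the pairing still holds, and the archive match is restricted to the script’s own directory so unrelated ZIPs elsewhere on the disk do not produce false pairings.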

This Week’s Takeaways

Blackpoint’s Adversary Pursuit Group (APG) recommends the following mitigation techniques for the threats highlighted in this blog:

  • Prioritize patching based on a few considerations, including:
    • the impact on an organization’s data,
    • the number of systems affected,
    • the ease of exploitation,
    • the critical nature of the vulnerability, and
    • how widely known the vulnerability is.
  • Create a robust security awareness program that includes training on identifying phishing emails and on how and when to report to an incident response authority.
  • Treat unsolicited emails, especially those with attachments and links, with extreme caution. When possible, verify with the sender, if known, to establish legitimacy.
  • Require multifactor authentication, and VPN access where remote access is needed, for servers and critical systems holding sensitive data.
  • Apply the principle of least privilege (PoLP), granting employees the minimum set of permissions needed to complete their job successfully.
  • Ensure that data is backed up and that multiple iterations are saved and segregated.
  • Implement an incident response plan (IRP) that covers data backup and restoration, the timelines and process for notifying team members and law enforcement, and how business continuity will be maintained.

Written By

The Adversary Pursuit Group, including…

Andi Ursry, Threat Intelligence Analyst

Andi Ursry has over five years of experience in threat intelligence. She has experience in both small business and Fortune 500 companies, beginning her career in the retail sector helping box stores mitigate risk prior to shifting to cyber intelligence. Her expertise lies in ransomware and APT (advanced persistent threat) groups’ tactics and tracking cyber trends. She holds a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Connect with Andi on LinkedIn.
