Threat Context Monthly: Executive intelligence briefing for April 2024

Welcome to the Threat Context Monthly blog series, where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team.

Threat actor of the month: Volt Typhoon – Chinese state-sponsored adversary

Due to increased geopolitical tensions between China and the US, the US government issued a major advisory concerning the recent behavior of Volt Typhoon. This Chinese state-sponsored espionage group, active since at least 2020, is believed to be adjusting its tactics to potentially target the networks of US critical infrastructure organizations to cause disruption and destruction. Sectors already compromised include communications, energy, transportation systems, and water and wastewater systems; some of these organizations have been compromised for at least 5 years.

Volt Typhoon employs a meticulous approach, starting with extensive reconnaissance. They gain initial access through vulnerabilities, aiming for administrator credentials, and adopt living-off-the-land tactics for persistence. Leveraging stealthy methods, they extract critical data for further exploitation, including Active Directory databases for offline password cracking. With elevated access, they target operational technology assets, potentially leading to significant infrastructure disruptions.

Due to this distinctive behavior pattern, authorities also published a fact sheet with guidance for critical infrastructure leaders on defending against Volt Typhoon.

Spotlight threat: XZ Utils Backdoor – CVE-2024-3094

On March 29, 2024, Andres Freund, a developer and engineer working for Microsoft, detected a backdoor in XZ Utils. The malicious code was embedded in the XZ Utils liblzma library and manipulates the executable that handles remote SSH connections. The affected versions of XZ Utils are 5.6.0 and 5.6.1, and the threat actor’s goal was to get the malicious update merged into the Red Hat and Debian distributions. The vulnerability is tracked as CVE-2024-3094.

XZ Utils is a data compression utility for Linux and other Unix operating systems. It is an open-source project hosted on GitHub and maintained by Lasse Collin. Researchers have reported that a threat actor dubbed “JiaT75” on GitHub used social engineering methods since at least 2022 to pressure the project owner into granting them maintainer access, that is, the ability to review and upload new commits to XZ Utils. For this purpose, the attacker either created fake user identities on GitHub or took advantage of other users’ complaints to urge the XZ Utils project owner to add a new maintainer, arguing that the project was not being updated as frequently as users expected.

Eventually, in January 2023, the owner was persuaded and granted the GitHub user “JiaT75” permission to maintain the XZ Utils project. In February 2024 the threat actor released a malicious update of XZ Utils which included the backdoor.

This malicious operation combined technical expertise in the Unix/Linux ecosystem with remarkable social engineering skills. Furthermore, the threat actor exploited and exposed a weakness of the open-source model by abusing the trust the project’s owner placed in the community.
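As an added example (not part of the original briefing), the following Python triage helper turns the facts above into a host check: it parses the output of `xz --version` for the affected 5.6.0 and 5.6.1 releases and the output of `ldd` on the sshd binary to see whether the SSH server loads liblzma at all. The sample command outputs embedded below are constructed for illustration.

```python
import re

# CVE-2024-3094: the backdoor shipped in XZ Utils releases 5.6.0 and 5.6.1.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints two lines, e.g. "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
_VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_SSHD = (
    "\tlinux-vdso.so.1 (0x00007ffd)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)\n"
)


def parse_xz_versions(version_output: str) -> dict:
    """Map 'xz' and 'liblzma' to (major, minor, patch) tuples from `xz --version` output."""
    found = {}
    for m in _VERSION_RE.finditer(version_output):
        name = "xz" if m.group(1).startswith("xz") else "liblzma"
        found[name] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def affected_components(version_output: str) -> list:
    """Names of components reporting a backdoored release version (version check only;
    a distro rebuild that kept the version string but removed the payload would still match)."""
    versions = parse_xz_versions(version_output)
    return sorted(name for name, v in versions.items() if v in AFFECTED_VERSIONS)


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd /usr/sbin/sshd` lists liblzma, directly or pulled in by another library
    (ldd prints transitive dependencies, which is how liblzma reaches sshd via libsystemd)."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def triage(version_output: str, ldd_output: str) -> str:
    """Combine both checks into a single verdict for an incident responder."""
    bad = affected_components(version_output)
    if bad and sshd_links_liblzma(ldd_output):
        return "EXPOSED: backdoored liblzma version installed and sshd loads liblzma"
    if bad:
        return "AT RISK: backdoored version installed, but sshd does not load liblzma"
    return "OK: no affected XZ Utils version detected"


if __name__ == "__main__":
    print(triage(SAMPLE_XZ_VERSION, SAMPLE_LDD_SSHD))
```

On a real host, feed the functions the captured output of `xz --version` and `ldd "$(command -v sshd)"`; a host that reports OK here can still carry the malicious build if the version string was altered, so package-manager integrity checks remain the authoritative follow-up.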

KrakenLabs highlights observed

Emerging threat

Novel HTML smuggling tactic: Researchers have observed adversaries using a novel HTML smuggling tactic, hosting fake Google Docs pages on Google Sites and adding CAPTCHA tests to evade URL scanners. Unlike conventional methods, this technique retrieves the payload from a separate compromised domain. This scheme could become a popular malware distribution method.

New threat to the healthcare sector: The US Department of Health issued an alert warning hospitals about threat actors targeting IT help desks with social engineering techniques. Threat actors such as “Scattered Spider” call IT help desks impersonating employees in order to bypass multi-factor authentication (MFA) measures. The agency also suggested mitigations the healthcare industry can apply to reduce the risk.

CVE-2024-27198 actively exploited: Recently disclosed critical vulnerabilities in the JetBrains TeamCity On-Premises platform, particularly CVE-2024-27198 (CVSS score 9.8), are being exploited for different purposes, such as deploying ransomware (Jasmin ransomware), cryptocurrency miners (XMRig), backdoors (SparkRAT), and others.

N-day vulnerabilities exploited: The ConnectWise ScreenConnect vulnerabilities CVE-2024-1709 and CVE-2024-1708 are increasingly exploited by adversaries, and hundreds of North American companies have already been compromised. The Chinese actor UNC5174 has been actively exploiting these vulnerabilities, and unauthorized access to over 40 US companies has been offered on cybercriminal forums.

Zero-day vulnerabilities analysis 2023: Google detected 97 zero-day vulnerabilities exploited during 2023. Researchers concluded that attackers are increasingly focused on third-party components and libraries and on enterprise-specific technologies. Commercial surveillance vendors continue to exploit browser and mobile zero-days. Furthermore, China continues to lead in government-backed vulnerability exploitation.

NIST NVD analysis: In recent months the NIST National Vulnerability Database has slowed down its analysis of new vulnerabilities. The agency has acknowledged the problem, attributing it to an increase in the number of disclosed vulnerabilities and the need to prioritize analysis. NIST has announced that it is exploring further actions to solve this issue.

Malware & Ransomware

New wiper targeting Ukraine: A new variant of the destructive wiper AcidRain has been identified and named AcidPour. This wiper has been used against Ukrainian ISPs, and researchers have attributed the attack to UAC-0165, a subgroup of the Russian group Sandworm. On Telegram, the Russian SolntsepekZ persona, potentially operated by UAC-0165, claimed authorship of the attacks.

Unusual extortion technique: The ransomware gang DragonForce has been observed using an unusual extortion technique: phoning the victim and recording the conversation, which was later posted on their data leak site to increase reputational damage and pressure on the victim.

Number of victims listed on the monitored Data Leak Sites by ransomware groups in the last 30 days.


Want more? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team.

What’s new in Threat Context this month?

Threat actors: Storm-0651, Breakcore, TA4903, Magnet Goblin, UAC-0006, proper12, Team Insane PK, Cobalt Terrapin, KillSec etc.

Tools: AsukaStealer, TimbreStealer, MiniNerbian, Jasmin, MINIBIKE, MINIBUS, Byakugan, Hitobito ransomware, Latrodectus etc.

and much more!


About the Author

KrakenLabs Threat Intelligence Team, Outpost24

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.