Threat Context monthly: Executive intelligence briefing for August 2024
Welcome to the Threat Context monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber Threat Intelligence team. Here’s what you need to know from August.
Threat actor of the month: NullBulge (Hacktivist group)
“NullBulge” is a threat group that emerged in the first half of 2024, claiming to protect artists worldwide by targeting AI-centric applications and gaming platforms.
The group often claims hacktivist causes but employs sophisticated malware for data theft and extortion, suggesting a dual motive of financial gain and ideological statements. NullBulge is known for creative malware distribution methods and targets the software supply chain, leveraging trusted platforms such as GitHub and Hugging Face.
The adversary employs Async RAT, Xworm, and LockBit ransomware as part of its attack strategy. The gang’s targets include artificial intelligence apps and gaming platforms; among its most notorious claimed victims is Disney, whose internal Slack data NullBulge says it accessed.
Spotlight threat: Windows downgrade attack (CVE-2024-38202 and CVE-2024-21302)
OS-based downgrade attacks consist of reverting secure, up-to-date software to an older, vulnerable version, which allows threat actors to exploit already-fixed vulnerabilities to gain access and compromise systems.
Alon Leviev, a SafeBreach researcher specializing in downgrade attacks against operating systems, recently discovered a previously undocumented way to execute a downgrade attack against Windows systems.
The researcher developed a tool named “Windows Downdate”, which exploits the Windows Update architecture and Windows Virtualization-Based Security (VBS) to craft fully undetectable, invisible, persistent, and irreversible downgrades of critical OS components. This allowed him to elevate privileges and bypass security features. Consequently, the researcher was able to make a fully updated Windows machine vulnerable to thousands of past vulnerabilities, turning patched vulnerabilities back into zero-days.
Before publishing the investigation, Alon Leviev shared the results with Microsoft, which issued two CVEs for this issue: CVE-2024-38202 and CVE-2024-21302.
Nevertheless, in real-world scenarios the exploitation mechanism is complex, and it should be noted that “Windows Downdate” is a proof-of-concept (PoC) developed by a researcher with benign intentions. Furthermore, the responsible disclosure and the vendor’s efforts to fix the issues reduce the risk of exploitation. However, the researcher noted that Microsoft VBS was announced in 2015, so the downgrade attack surface has existed for at least 9 years.
Downgrade attacks have attracted the interest of malicious threat actors for years. The BlackLotus UEFI bootkit malware, on sale in underground forums since 2022, is a clear example of threat actors’ interest in this attack modality and demonstrates the serious impact of this growing threat.
KrakenLabs’ highlighted observations
Vulnerabilities
“0.0.0.0 day”: Oligo researchers have discovered “0.0.0.0 day”, a web browser vulnerability affecting macOS and Linux devices. Windows is not impacted by this issue. The analysts observed a logical vulnerability affecting major browsers such as Chromium, Firefox, and Safari that enables external websites to communicate with software running locally on the victim’s machine. The flaw has existed since at least 2006, and in a worst-case scenario its exploitation can lead to remote code execution (RCE).
CVE-2024-38112: The sophisticated threat actor “Void Banshee” exploited the zero-day vulnerability CVE-2024-38112, which enables access to and execution of files in Internet Explorer via MSHTML. The campaign’s goal was to deploy the Atlantida stealer for information theft and financial gain.
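The flaw matters because a web page can reach a service that listens on every interface (0.0.0.0) and is therefore reachable as http://0.0.0.0:PORT from the browser. As an added illustration (not Oligo’s or Outpost24’s code), the following local HTTP service applies the two defensive checks a developer controls: it binds to loopback only, and it rejects any request whose Host header is not a loopback name or whose browser Origin is not on an allowlist. The port, the allowlist and the header values in the comments are assumptions made for the example.

```python
"""Hardening a local HTTP service against browser-to-localhost requests of the
kind abused by "0.0.0.0 day": validate Host and Origin, bind to loopback only.
Illustrative code; the allowlist and port below are assumptions."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Browser origins allowed to talk to this service (assumed, not from the page).
ALLOWED_ORIGINS = {"http://localhost:8000"}
# Host header: bracketed IPv6 or a plain name, with an optional :port.
_HOST_RE = re.compile(r"^(\[[0-9a-f:]+\]|[^:]+)(?::(\d{1,5}))?$", re.IGNORECASE)


def is_allowed_local_request(headers):
    """Return (ok, reason). `headers` maps lower-cased header names to values."""
    host = headers.get("host", "")
    m = _HOST_RE.match(host)
    if not m:
        return False, "missing or malformed Host header"
    name = m.group(1).lower()
    # A request a web page sends to http://0.0.0.0:PORT carries "0.0.0.0:PORT"
    # in Host; only the loopback names are accepted.
    if name not in LOOPBACK_HOSTS:
        return False, f"Host {name!r} is not a loopback name"
    origin = headers.get("origin")
    # Cross-site browser requests carry Origin; only allowlisted pages may
    # talk to this service. Requests without Origin (curl, same-origin
    # navigation) are judged on the Host check alone.
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, f"Origin {origin!r} not allowlisted"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        ok, reason = is_allowed_local_request(hdrs)
        if not ok:
            self.send_error(403, reason)
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"local service ok\n")


if __name__ == "__main__":
    # Bind to 127.0.0.1, never 0.0.0.0, so the service is not reachable
    # from other hosts at all; the Host/Origin checks cover the browser case.
    HTTPServer(("127.0.0.1", 8080), GuardedHandler).serve_forever()
```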
Underground activity
Malware: The infamous threat group “FIN7” is believed to maintain several aliases in underground forums to advertise and sell malware. One example is AvNeutralizer, a tool designed to impair endpoint detection and response (EDR) systems, which is already in use by well-known ransomware groups including Black Basta, LockBit, and BlackCat.
Legislation & Policies
Ransomware: The US Senate Intelligence Committee has announced a bill proposal that includes new measures against ransomware, such as treating ransomware gangs as “hostile foreign cyber actors”, designating “state sponsors of ransomware”, and imposing sanctions on such states. Furthermore, the proposal seeks to grant the US intelligence community greater legal authority and to elevate the ransomware threat to the level of a national intelligence priority.
Emerging threat
Hacktivism: “SN_Blackmeta” has gained prominence in the hacktivist landscape after performing major DDoS attacks against financial institutions in the Middle East and allegedly against Microsoft Azure. The adversary’s TTPs show similarities with those of the infamous threat actor group “Anonymous Sudan”.
Social engineering: KnowBe4, a cybersecurity firm, mistakenly hired a North Korean state actor as a Principal Software Engineer. The threat actor used a stolen identity and an AI-generated profile picture to pass the initial checks. The company detected an attempt to install an infostealer on its devices and stopped it.
Recent ransomware activity
What’s new in Threat Context this month?
New threat actors added: NullBulge, Funnull, Brain Cipher, Revolver Rabbit, FSociety, SenSayQ, pryx, Poe, Void Banshee, CloudSorcerer, Trinity, RED CryptoApp, Lynx, SN_Blackmeta, shafo, Scarlet, Fog, GlorySec, ExCobalt, Big Head, Embargo Team, plus more!
New tools added: Rshell, FrostyGoop, Brain Cipher, Fickle, DUSTTRAP, CatB, BugSleep, AvNeutralizer, MoonWalk, Ov3r_Stealer, TrinityLock, COGSCAN, SquidLoader, Checkmarks, HotPage, GCleaner, Noodle RAT, Scarlet Stealer, Lu0Bot, Embargo ransomware, plus more!
Learn more about Threat Compass
Want more threat intel? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Request a live demo here.