Threat Context Monthly: Executive intelligence briefing for May 2024
Threat actor of the month: UAT4356 – State-sponsored adversary
UAT4356 is a state-sponsored threat actor that targets perimeter network devices in government networks globally with a clear focus on espionage. Their first activity can be traced back to November 2023, although researchers found evidence that the group was testing its capabilities as early as July 2023.
So far, the group's initial access vector has not been determined. In a campaign named ArcaneDoor, the actor was observed exploiting two zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA), CVE-2024-20353 and CVE-2024-20359, to implant custom malware, execute commands and exfiltrate information.
The campaign shows that the group had a thorough understanding of the targeted devices and of the forensic checks Cisco commonly performs to validate network device integrity. The adversary deployed two custom backdoors, Line Runner and Line Dancer, to carry out actions on the device, including configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement.
Spotlight threat: Threat actors exploit Ivanti Connect vulnerabilities
In recent days, Mandiant published the fourth blog in its series on the exploitation of Ivanti Connect Secure vulnerabilities, unveiling new clusters of activity. Since the first two vulnerabilities (tracked as CVE-2023-46805 and CVE-2024-21887) were disclosed in January 2024, further flaws have been uncovered, several of them heavily exploited. In the latest blog, Mandiant reports eight clusters of activity, some of them already reported, and highlights that five are related to China-nexus activity. It also notes that not only nation-state threat actors but also financially motivated groups are exploiting these flaws, as Unit42 and Check Point have likewise pointed out.
To date, the following data has been published about the threat actors that are exploiting Ivanti Connect flaws:
Ivanti CVE | Threat actor(s) |
CVE-2024-21887 | UTA0178 (nation-state, China); Volt Typhoon (nation-state, China); UNC5325 (espionage group, China); UNC5330 (espionage group, China); UNC3569 (espionage group, China); Magnet Goblin (e-crime) |
CVE-2023-46805 | UTA0178; Volt Typhoon; UNC3569; Magnet Goblin |
CVE-2024-21893 | Volt Typhoon; UNC5325; UNC5330; UNC3569; Magnet Goblin |
CVE-2024-21888 | Magnet Goblin |
Based on Mandiant's series of Ivanti Connect Secure blogs, the following overlaps and aliases should be kept in mind so that threat actor names are not confused:
- UNC3569 overlaps with UNC5266.
- UTA0178 is also known as UNC5221.
- Volt Typhoon is also known as UNC5291.
Highlights observed by KrakenLabs
Emerging threat
USB-borne malware attacks: Researchers report that USB-borne malware attacks against industrial organizations are escalating in complexity and persistence, including detection-evasion tactics and the use of USB devices to bridge air gaps. Learn more →
Adoption of sophisticated steganography: Threat actors are gradually becoming more sophisticated in their use of steganography to hide their artefacts, which so far includes embedding a piece of malware inside an image. The threat actor known as TA558 has been using this technique for some time and has launched a new large-scale campaign against public organizations and companies worldwide to spread, among others, AgentTesla, FormBook, Remcos and GuLoader. Learn more →
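The "malware inside a picture" pattern mentioned above is frequently nothing more elaborate than a payload appended after the point where image viewers stop reading: after the PNG IEND chunk or the JPEG EOI marker. The Python below is an added illustration of a check for that case; it is not code from this briefing, from the TA558 reporting, or from any vendor tool, and it makes no claim about which embedding method TA558 used. It walks the real PNG chunk list or JPEG marker segments to find where the image genuinely ends and classifies whatever follows. The image fixtures and the fake "MZ" payload are constructed inline. It does not detect pixel-level (LSB) steganography or data hidden inside metadata chunks or APPn segments, which need different checks.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def png_end_offset(data: bytes):
    """Walk PNG chunks (length, type, data, CRC); return the offset just past IEND, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments; return the offset just past the top-level EOI, or None.

    Inside entropy-coded scan data 0xFF is always followed by 0x00 (stuffing) or an
    RSTn marker (0xD0-0xD7), so any other 0xFF xx pair is the next real marker. An EOI
    inside an embedded EXIF thumbnail sits in an APP1 segment and is skipped by its length.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None  # lost marker sync: not a well-formed JPEG
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_payload(data: bytes):
    """Bytes after the image terminator (b'' if none); None if input is not PNG/JPEG."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return None if end is None else data[end:]


def classify_trailer(trailer: bytes) -> str:
    """Coarse verdict: known container magic, base64 blob (decoded and re-checked), or unknown."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"MZ"):
        return "pe-executable"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip-archive"
    compact = b"".join(trailer.split())  # tolerate line-wrapped base64
    if len(compact) >= 64 and all(c in B64_ALPHABET for c in compact):
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:
            return "unknown-trailer"
        return "base64-pe-executable" if decoded.startswith(b"MZ") else "base64-blob"
    return "unknown-trailer"


def scan_image(data: bytes) -> dict:
    """Parse the image container and report what follows its terminator."""
    trailer = trailing_payload(data)
    if trailer is None:
        return {"parsed": False, "trailer_bytes": 0, "verdict": "not-png-or-jpeg"}
    return {"parsed": True, "trailer_bytes": len(trailer), "verdict": classify_trailer(trailer)}


# ---- constructed fixtures (not real samples) ---------------------------------------
def build_png(appended: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG with an optional blob appended after IEND."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolor
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + appended


def build_jpeg(appended: bytes = b"") -> bytes:
    """Structurally valid JPEG skeleton (APP0 + SOS + stuffed scan data + EOI); not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains FF00 stuffing and an RST0 marker
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI + appended


FAKE_PE = b"MZ" + b"\x90\x00" * 40        # constructed stand-in for a dropped executable
SAMPLE_B64_PE = base64.b64encode(FAKE_PE)  # 112 base64 bytes, begins with b"TVqQ"

if __name__ == "__main__":
    print(scan_image(build_png()), scan_image(build_png(SAMPLE_B64_PE)), scan_image(build_jpeg(FAKE_PE)))
```

Run it over attachments or proxy-captured images and alert on anything other than "clean"; a few bytes of trailing whitespace are common and harmless, whereas a base64 blob that decodes to an MZ header is a strong signal. Walking the container rather than searching for the first FF D9 or IEND byte sequence matters, because thumbnails and metadata can legitimately contain those bytes before the real end of the image.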
Vulnerabilities
BIG-IP Next Central Manager vulnerabilities: F5 has fixed two high-severity vulnerabilities in BIG-IP Next Central Manager (CVE-2024-26026 and CVE-2024-21793) that can be exploited to gain full administrative control of the device. A proof of concept has already been published. Learn more →
New zero-day CVE-2024-27322: A high-severity vulnerability in the R programming language's deserialization process, tracked as CVE-2024-27322, could expose users to supply-chain attacks by allowing arbitrary code execution via crafted RDS files. Learn more →
CrushFTP zero-day vulnerability: CrowdStrike warned of a critical zero-day vulnerability in CrushFTP (CVE-2024-4040) exploited in targeted attacks, which allows unauthorized download of system files. A proof of concept has already been published. Learn more →
Malware & Ransomware
BlackCat exodus: After BlackCat shut down its operation, some affiliates moved to RansomHub, a new group. As a result, the affiliate known as notchy extorted Change Healthcare a second time, after the company had already paid the ransom demanded by BlackCat; the company was thus extorted by both groups at different times. Learn more → / and more →
Ransomware's reputation downturn: RaaS developers have undermined their credibility by cheating affiliates, notably with the LockBit group's public payment dispute and BlackCat's likely exit scam, prompting a significant exodus of affiliates from these platforms. Learn more →
Operation Pandora: Europol raided 12 call centers, arresting 21 individuals involved in a widespread phone scam operation that ran fake police calls, investment fraud and romance scams. Learn more →
Learn more about Threat Compass
Want more? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team.
What’s new in Threat Context this month?
Threat actors: Solar Spider, prapra123, CoralRaider, Cyberbooter, UNC5330, JustNoBody, snowcat, RUBYCARP, Jia Tan, etc.
Tools: Line Runner, Line Dancer, Upstyle, NKAbuse, Xeno RAT, OCEANMAP, Rude Stealer, Nova Stealer, Crystal Rans0m, SEXi, etc.
and much more!