Threat Context Monthly: Executive intelligence briefing for September 2024

Welcome to the Threat Context Monthly blog series, where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from September.

Threat actor of the month: NoName (Ransomware)

NoName is a ransomware group that emerged in 2020 but gained prominence in 2023. Despite the similar name, it should not be confused with the pro-Russian hacktivist actor of the same name.

As an initial attack vector, the group uses brute-force attacks and exploits known vulnerabilities, such as EternalBlue (CVE-2017-0144) and Zerologon (CVE-2020-1472). The adversary employs different ransomware families, such as RansomHub, Scara, and ScRansom.

NoName has notably attempted to leverage the reputation of the LockBit Group, even creating a leak site called “NONAME” that closely resembles LockBit’s design. However, NoName primarily focuses on data encryption and does not consistently exfiltrate data. Instead, the group uses its leak site to create a sense of urgency among victims.

NoName Data Leak Site

Spotlight threat: Chromium zero-day (CVE-2024-7971)

Microsoft recently uncovered a new campaign linked to the North Korean “Lazarus Group”, targeting the cryptocurrency sector for financial gain. The group exploited a zero-day vulnerability in the Chromium engine, designated as CVE-2024-7971.

In this attack, the Lazarus Group directed victims to an attacker-controlled exploit domain, possibly through social engineering techniques. Once a user connected, the zero-day exploit allowed the adversary to achieve remote code execution (RCE), after which they deployed a sophisticated rootkit called FudModule onto the compromised systems. This malware is capable of escaping browser sandboxes and tampering with Windows kernel security via CVE-2024-38106 exploitation, allowing the threat actor to maintain long-term access to the target’s systems.

The attack is part of a broader strategy by North Korean nation-state threat actors to fund state operations by targeting vulnerable cryptocurrency platforms. 

KrakenLabs observed highlights

Vulnerabilities

Critical Vulnerability: The vulnerability CVE-2024-40766 in SonicWall SonicOS firewall devices is being exploited by Akira and other ransomware groups. This affects SSLVPN features and firewalls in Gen 5, 6, and 7. Attackers have disabled multi-factor authentication during breaches, and government agencies are mandated to patch by September 30.

0-day: The Chinese state-sponsored threat actor “Volt Typhoon” has been actively exploiting a zero-day vulnerability (CVE-2024-39717) in Versa Director servers, which are widely used by internet service providers (ISPs) and managed service providers (MSPs). This vulnerability allows attackers to escalate privileges and plant a custom web shell, enabling them to steal credentials and infiltrate targeted networks.

Trend

Data exfiltration tactic: Data exfiltration has become a common tactic in ransomware attacks, with groups like BianLian and Rhysida using Azure Storage Explorer to steal sensitive data. These actors repurpose this legitimate tool because Azure Blob Storage allows efficient handling of large volumes of unstructured data.

Law enforcement

Law enforcement action: French authorities have indicted Pavel Durov, the CEO and co-founder of Telegram. The charges include complicity in running an online platform that facilitates illegal activities such as child abuse, drug sales, and hacking. Increased scrutiny may push Telegram to implement stricter content moderation or cooperate with law enforcement, forcing cybercriminals to find communication alternatives.

Emerging threats

Attack: A new attack method has been identified where Amadey drops StealC alongside a credential flusher. The flusher forces the browser into kiosk mode, displaying a Google login page that prevents victims from closing or navigating away. Frustration compels victims to enter their credentials, which are then stolen from the browser’s credential store by StealC.
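
One way to hunt for the kiosk-mode behaviour described above in process-creation telemetry (an added example, not KrakenLabs code). The event fields, host names, allow-lists and sample events are constructed assumptions; `--kiosk` is the Chromium command-line switch for kiosk mode.

```python
from ntpath import basename
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe"}
KIOSK_HOSTS = {"LOBBY-KIOSK-01"}        # assumption: hosts where kiosk mode is expected
LOGIN_HOSTS = {"accounts.google.com"}   # assumption: sign-in hosts worth escalating on
NORMAL_PARENTS = BROWSERS | {"explorer.exe"}

def kiosk_findings(events):
    """Flag browsers started in kiosk mode on hosts that are not kiosks."""
    findings = []
    for ev in events:
        if basename(ev["image"]).lower() not in BROWSERS:
            continue
        tokens = [t.strip('"') for t in ev["command_line"].split()]
        if not any(t.lower() == "--kiosk" for t in tokens):
            continue
        if ev["host"] in KIOSK_HOSTS:
            continue  # managed kiosk: expected behaviour
        urls = [urlsplit(t) for t in tokens
                if t.lower().startswith(("http://", "https://"))]
        login_page = any(u.hostname in LOGIN_HOSTS for u in urls)
        parent = basename(ev["parent_image"]).lower()
        odd_parent = parent not in NORMAL_PARENTS
        # A login page opened in kiosk mode by a non-shell parent matches the lure.
        severity = "high" if login_page and odd_parent else "medium"
        findings.append({"host": ev["host"], "parent": parent, "severity": severity})
    return findings

# Constructed sample events (Sysmon-style process creation, fields simplified).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/'},
    {"host": "LOBBY-KIOSK-01", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msedge.exe --kiosk https://intranet.example/"},
    {"host": "WS-020", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe https://news.example/"},
    {"host": "WS-031", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msedge.exe --kiosk https://dashboard.example/"},
]

if __name__ == "__main__":
    for finding in kiosk_findings(SAMPLE_EVENTS):
        print(finding)
```
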

Supply chain: Researchers have uncovered a new supply-chain attack technique called Revival Hijack that exploits PyPI’s package removal process, potentially allowing attackers to re-register and hijack over 22,000 removed packages. This method manipulates PyPI’s system, enabling malicious actors to republish packages under the same name after the original owner removes them.

Most relevant malware families observed from 08/27 to 09/23/2024 in KrakenLabs’ sandbox.

What’s new in Threat Context this month?

Threat actors: Null14, Cthulhu Team, Kalashnikov, Famous Chollima, and TIDRONE.

Tools: Tickler, BingoMod, Chameleon, 7777 Botnet, D3F@ck Loader, Sedexp, AndroxGh0st, GrewApacha, Cthulhu Stealer, BulletCVE, NGate, Xeon Sender, ExploitTool, CLNTEND, Voldemort, VigilByte Stealer, RaidVortex Stealer, and CXCLNT.

About the Author

KrakenLabs Threat Intelligence Team, Outpost24

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.