March 19, 2024  —  Acronis

MSP cybersecurity news digest, March 19, 2024

Microsoft March 2024 Patch Tuesday 

Microsoft's March 2024 Patch Tuesday fixes 60 vulnerabilities, encompassing 18 remote code execution (RCE) flaws. Among these, only two critical vulnerabilities have been addressed, specifically targeting Hyper-V remote code execution and denial of service flaws.

The breakdown of vulnerabilities includes 24 Elevation of Privilege; three security feature bypass; six information disclosure; and six denial of service vulnerabilities — along with two spoofing vulnerabilities. Notably, the total count excludes four Microsoft Edge flaws patched earlier in March, and no zero-day vulnerabilities were disclosed in these updates. Additionally, Microsoft has released nonsecurity updates, notably the Windows 11 KB5035853 update and the Windows 10 KB5035845 update.

This month's vulnerabilities include CVE-2024-21400, addressing a Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege issue, and CVE-2024-26199, tackling a Microsoft Office Elevation of Privilege vulnerability. Another significant fix is CVE-2024-20671, addressing a Microsoft Defender Security Feature Bypass flaw, with CVE-2024-21411 focusing on a Skype for Consumer Remote Code Execution Vulnerability.

8Base Ransomware visits Italy and Belgium 

The 8Base ransomware group recently hit companies in Belgium and Italy. The victims are Sprimoglass, with an annual revenue of $86.2 million, and Federchimica (Italian Federation of the chemical industry), which encompasses 1,450 companies with approximately 94,000 employees. As claimed by 8Base, the stolen data includes invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files and more.

8Base ransomware group usually demands high ransoms and conducts negotiations within a week, threatening to publish stolen data otherwise. This approach, coupled with double-extortion tactics, can lead to severe financial losses and reputational damage for the victims. 

Despite the lack of details on the breach methods, it's evident that 8Base strategically targets smaller enterprises to evade law enforcement attention. Consequently, victims often face the dilemma of whether to pay the ransom to resume operations swiftly or confront significant financial consequences. 

Magnet Goblin Hacker Group leverages 1-day exploits to deploy Nerbian RAT 

Magnet Goblin, a financially motivated threat actor, is rapidly integrating newly disclosed one-day vulnerabilities into its arsenal, focusing on breaching edge devices and public-facing services to deploy malware on compromised hosts. Researchers highlighted Magnet Goblin's ability to exploit vulnerabilities within a day of their disclosure, particularly targeting servers and edge devices. 

This swift deployment, occurring within 24 hours of a proof-of-concept publication, significantly heightens the threat posed by this group. Leveraging unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and potentially Apache ActiveMQ servers, Magnet Goblin gains unauthorized access as its initial infection vector since at least January 2022. 

Upon successful exploitation, Magnet Goblin deploys the Nerbian RAT, a cross-platform remote access trojan, and its simplified variant, MiniNerbian. Both strains enable the execution of arbitrary commands from a command-and-control server and exfiltrate the results. Additional tools utilized by Magnet Goblin include the WARPWIRE JavaScript credential stealer, Ligolo, a Go-based tunneling software, and legitimate remote desktop offerings like AnyDesk and ScreenConnect. The researchers noted that Magnet Goblin's campaigns appear to be financially motivated.

Phishing campaign leverages AWS and GitHub to launch RATs 

A recent phishing campaign has been discovered, utilizing public services like Amazon Web Services (AWS) and GitHub to host malware and initiate attacks via email, targeting organizations' staff members. The phishing email tricks victims into downloading a malicious Java downloader, leading to the deployment of the VCURMS and STRRAT remote access trojans (RATs) on systems with Java installed. 

The VCURMS RAT not only facilitates command and control communication but also includes a modified version of a Rude Stealer and keylogger to gather sensitive data from victims. Attackers employ various obfuscation techniques to evade detection, communicating with the command and control server through email. 

Cybercriminals have chosen AWS and GitHub for hosting malware due to their ease of use and protections, enabling them to evade detection until they are reported. This tactic, known as "living off the land," allows attackers to bypass traditional security tools and leverage trusted services to deliver payloads, posing challenges for organizations to identify and mitigate such threats effectively.

IntelBroker claims responsibility for Acuity breach

U.S. federal technology consulting firm Acuity has reportedly been compromised by IntelBroker. The breach led to the theft of data obtained from U.S. Immigration and Customs Enforcement and from U.S. Citizenship and Immigration Services. The stolen data is being sold for $3,000 worth of cryptocurrency.

IntelBroker confirmed exploiting a critical GitHub zero-day vulnerability to breach Acuity's systems, resulting in the exfiltration of data belonging to over 100,000 U.S. citizens, including personal information such as full names, birthdates, addresses, phone numbers and passports.

Additionally, the investigation uncovered the compromise of source code, confidential messages, .gov-hosted emails containing plain-text passwords, and sensitive documents related to the Five Eyes alliance and the Russia-Ukraine War. This incident follows IntelBroker's claims of responsibility for breaches at Los Angeles International Airport, General Electric and Robert Half.