Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In April, the team discussed threat intelligence, vulnerabilities and trends, security operations center (SOC) engineering insights, threat hunting, and detection engineering.

The Senior Manager of Digital Forensics and Incident Response (DFIR) discussed the recent surge of third-party compromises within the cybersecurity landscape and what companies can do to protect against these attacks. Typically, in a third-party compromise, a threat actor gains access to a company’s sensitive data through a vendor, contractor, or supplier. These high-risk, high-impact attacks are often unexpected, though they are statistically quite likely, and can present a significant financial impact to downsteam customers of the third party. For example, Change Healthcare, a payroll and health information clearinghouse, recently experienced a ransomware attack that financially impacted 94% of hospitals, according to an American Hospital Association survey. Third-party compromises can occur as ransomware attacks, data theft, insider threats, supply chain compromises, and more. 

The Senior Manager of DFIR suggested a few measures to help companies prevent an impact from a third-party compromise: 

• Minimize your exposure. Wherever possible, your company should use good IT security practices, employ least privileges, and implement security controls to keep the third party’s presence as minimal as possible. 
• Limit your IT footprint. It’s often difficult for a company to quantify and understand what its exposure is to a third-party compromise. Limiting where your data lives, internally and externally, can help your company better understand your risk and employ controls to manage it.
• Understand your interconnections. Your company needs to know which third parties you rely on for services, where your data resides, and how your data is processed. In addition, you want to know which third-party applications exist in your environment and have a plan in place to mitigate the risk of compromise from those applications.

Vulnerabilities and Trends

The Vulnerability Management Program Team Lead reviewed notable vulnerabilities from April. As many as 2,500 vulnerabilities were disclosed, and nine of those vulnerabilities were high risk. Of those nine, four were known to be exploited in the wild on products including: 

• JetBrains TeamCity. The JetBrains vulnerability (CVE-2024-27198) involved an authentication bypass that led to a second vulnerability, allowing an authenticated attacker to execute code on the impacted device. Also, a directory traversal vulnerability (CVE-2024-27199) allowed the attacker to see unauthorized content. JetBrains released a patch on March 3. The very next day, the researchers released proof of concept codes on the internet. 
• Fortinet. The SQL injection vulnerability (CVE-2024-48788) impacted Fortinet endpoint management service software, leading to remote code execution on vulnerable systems. Patches were released on March 12. On March 21, Horizon3 researchers released proof of concept codes. 
• Apple. Two vulnerabilities (CVE-2024-23225 and CVE-2024-23296) affected the entire Apple ecosystem, from watches to iPhones. These vulnerabilities involved arbitrary read and write issues within memory that could result in memory loss or information loss due to memory being overwritten, code being run on the device, or malware being placed on the device. 

The most significant new vulnerability that the team saw in April was the Palo Alto command injection vulnerability (CVE-2024-3400) that impacts PAN-OS Global Connect versions 10.2, 11.0, and 11.1. The vulnerability allows the threat actor to execute code with root privileges on the firewall. From there, a cron job is created that runs every minute, which accesses an external server containing commands that are executed via a batch file. The commands pull down code to establish a Python backdoor on the impacted system, and a second Python script runs to establish persistence. Palo Alto released patches on April 14, which should be applied immediately, though there was limited exploitation in the wild. If your company suspects a compromise, you can submit a technical support ticket to Palo Alto. Also, Nessus has released a single plug-in as a version check to detect this vulnerability.

The SOC Engineering Lead discussed the Palo Alto vulnerability in greater detail. The team was tracking the threat, hunting for indicators, and fortunately, got a copy of the web shell. The team decoded the web shell and found some legible code.

The web shell showed that the initial Python code is Base64 encoded and dropped, which is a binary-to-text encoding scheme that threat actors often use to hide their activity in a system. The code puts outputs of shell commands on a cascading style sheet that is part of the HTML documentation, and the command output is written as a comment that’s not visible to viewers. Also, one function in the code erases the output of the command from the cascading style sheet file as it is rewritten to ensure that the original version is restored with no evidence of a compromise. 

The team continually watches for indicators of this vulnerability and looks for any evidence of the malicious code on client networks.

The SOC Director talked about upward and downward trends that the team is currently monitoring on client networks. 

Ransomware is the most prevalent malware attack, as usual, and probably the most costly and dangerous threat in the cyber environment.

Phishing emails with a financial lure are still on the rise. The team is seeing an increase in ACH, wire, and tax lures in phishing emails, with a majority of phishing emails linking to credential harvesting web pages and not involving malware. The use of artificial intelligence services, such as ChatGPT, is making phishing emails harder to identify due to more convincing language and correct grammar. Following a successful attack, team members often see the creation of auto-forward rules, which they alert on for every client. To reduce the risk of an attack, the team suggests using multifactor authentication for all user accounts and implementing user awareness training.

Malware delivery via phishing emails has increased since the beginning of the year. These attacks usually occur through links in the body of emails, link attachments, and PDF attachments that contain JavaScript, ActionScript, or AutoRun that lead to a malicious website. Also, password-protected documents and zip files are often associated with these attacks. The team recommends blocking password-protected files at the email gateway, but it’s important for companies to fine-tune the blocking to assure that valid business documents are not blocked.

Malware delivery via drive-by websites has been decreasing over the past several months, though it’s still a threat. The team encourages companies to continue patching operating systems and applications and offering user awareness training to employees.

Detection and Engineering

The Detection Engineer discussed the specific devices used to execute physical device attacks. He set the stage with a history of these devices and told how Cottonmouth, a USB port surveillance device used to gain remote access to a targeted network, was developed in 2009 by the National Security Agency at a per-device cost of $20,000. Since then, new devices —such as Rubber Ducky, O.MG Cable, USB Ninja Cable, and other alternatives — have been developed at drastically reduced costs, some as low as $6.

• Rubber Ducky. This USB plug-in device looks like a normal flash drive but acts as a keyboard, using keystroke injection as its attack method. Once inserted, it holds the same privileges as the current logged-in user of the computer. The device has built-in storage for commands and, within seconds, can type out the commands. The commands attack the target, get the Wi-Fi passwords, and write the passwords to a file. Then, another command reads the file to put the data onto the USB drive. The device exfiltrates data using the caps lock and numb lock features on the keyboard.
• O.MG Cable. This device is a tiny, hidden implant in a USB cable. Like Rubber Ducky, the device uses keystroke injection to run commands on the targeted computer. Once inserted, it can jiggle the mouse 1 pixel to keep the computer screen from locking, so the threat actor can access the computer at a later time. The device can self-destruct, or wipe itself clean, leaving no evidence of the attack, and it has geofencing capabilities to ensure that the attack hits the intended target. 
• USB Ninja Cable. This cable device has two push buttons used to remotely trigger the malicious payload, or it can be used on a timer. Once inserted, the device can exfiltrate data through an internal Wi-Fi or Bluetooth chip.
• Other alternatives. Though not as sophisticated as the devices mentioned above, there are more than 20 other physical devices available, such as ATtiny85, Adafruit, Raspberry Pi, and Arduino, that are easy to program and inexpensive to buy. 

As a defense against physical device attacks, the team recommends user awareness training for all employees. In particular, employees need to know that they should never plug in an untrusted USB device. Blocking USB devices is also a smart option. And, as always, restricting administrative rights is a best practice to protect against an attack.

The Pondurance team will host another webinar in May to discuss new cybersecurity activity. Check back next month to read the summary.