This Week in Cyber 12th July 2024

Analyst Insight

Over the past week, we’ve witnessed some significant developments in the world of cybersecurity. Cybercriminals are becoming increasingly sophisticated, targeting vulnerabilities across different platforms. For example, they’ve managed to sneak trojanised jQuery packages onto npm, GitHub, and jsDelivr, exposing the ongoing risk of supply chain attacks. Meanwhile, the EstateRansomware group has been busy exploiting a Veeam Backup software vulnerability, demonstrating the continued relentless pursuit of zero-day weaknesses. 

But that’s not all. Our recent IoT security report at Rapid7 has revealed a concerning trend: smash-and-grab extortion. Attackers are hitting multiple organisations simultaneously, taking advantage of zero-day vulnerabilities within minutes. We’ve even uncovered ViperSoftX malware masquerading as innocent eBooks on torrent sites. And let’s not forget the critical PHP vulnerability (CVE-2024-4577), which cybercriminals have exploited to spread malware and launch DDoS attacks. To top it off, hackers are now using Jenkins Script Console for cryptocurrency mining. Microsoft’s July 2024 Patch Tuesday was significant in scope and impact. With 123 vulnerabilities addressed (including 15 critical flaws), it’s clear that prompt updates and robust security measures are essential for safeguarding against cyber risks.

Microsoft's July 2024 Patch Tuesday: Key Highlights

On July 9, 2024, Microsoft released its latest Patch Tuesday updates, addressing a total of 103 vulnerabilities across its product portfolio. Among these, 14 are classified as Critical, 87 as Important, and 2 as Moderate. Notably, the patches include fixes for several zero-day vulnerabilities that have been actively exploited in the wild. One of the most significant updates is for CVE-2024-33091, a remote code execution vulnerability in Microsoft Exchange Server that could allow attackers to execute arbitrary code on affected systems. Additionally, patches were released for critical flaws in Microsoft Windows, Office, and .NET Core, emphasising the widespread nature of these security risks.

Another critical update addresses CVE-2024-33101, a vulnerability in the Windows Graphics Component, which can be exploited to gain elevated privileges. This month’s updates also include significant security enhancements for Microsoft Edge, mitigating several vulnerabilities that could be used for remote code execution and information disclosure. With cyber threats becoming increasingly sophisticated, Microsoft’s timely patching efforts are crucial for protecting users and enterprises from potential breaches. Administrators are strongly advised to prioritise these updates to mitigate the risks posed by these critical vulnerabilities.

Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Cybersecurity researchers have recently identified a method by which attackers can exploit improperly configured Jenkins Script Console instances to conduct malicious activities, such as cryptocurrency mining. According to Trend Micro's Shubham Singh and Sunil Bharti, misconfigurations, particularly those involving improperly set up authentication mechanisms, expose the '/script' endpoint to attackers. This vulnerability can lead to remote code execution (RCE) and misuse by malicious actors. Jenkins, a widely used continuous integration and continuous delivery (CI/CD) platform, includes a Groovy script console that allows users to run arbitrary scripts within the Jenkins controller runtime. The official documentation warns that this web-based Groovy shell can be used to read sensitive data, decrypt credentials, and even reconfigure security settings, effectively granting any user with Script Console access near-administrative rights within Jenkins.

Trend Micro has discovered instances where threat actors have exploited these misconfigurations to execute Base64-encoded scripts designed to mine cryptocurrency. These scripts, hosted on malicious sites like berrystore[.]me, deploy a miner payload on compromised servers and establish persistence. The scripts also ensure they have sufficient system resources by terminating processes that consume more than 90% of the CPU's resources. To mitigate such risks, it's crucial to ensure proper Jenkins configuration, implement robust authentication and authorisation, conduct regular audits, and restrict Jenkins servers from being publicly exposed on the internet. This development comes amidst a surge in cryptocurrency thefts, with threat actors plundering $1.38 billion in the first half of 2024 alone.

Trojanised jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Cybersecurity researchers have uncovered a sophisticated supply chain attack involving trojanised versions of jQuery on npm, GitHub, and jsDelivr. The attackers cleverly hid malware in the 'end' function of jQuery, called internally by the 'fadeTo' function, allowing them to exfiltrate website form data to a remote URL. From May 26 to June 23, 2024, 68 malicious packages were published to npm with names like cdnjquery and jqueryxxx. The manual assembly and publication of these packages suggest a meticulously planned attack. The compromised jQuery files were hosted on a GitHub account "indexsc" and associated scripts were designed to bypass firewalls using jsDelivr. 

Ransomware Group Exploiting Veeam Backup Software Vulnerability

A newly identified ransomware operation, EstateRansomware, is exploiting a previously patched security flaw in Veeam Backup & Replication software. This vulnerability, tracked as CVE-2023-27532 with a CVSS score of 7.5, was leveraged by the threat actors to infiltrate target environments. Group-IB discovered this campaign in early April 2024 and detailed how the attackers used a dormant account on a Fortinet FortiGate firewall SSL VPN appliance to gain initial access. The attack involved lateral movement from the firewall to the failover server, establishing RDP connections, and deploying a persistent backdoor disguised as "svchost.exe."

The attackers utilised the backdoor to maintain access and evade detection, exploiting the Veeam flaw to enable xp_cmdshell on the backup server and create a rogue account named "VeeamBkp." Tools like NetScan, AdFind, and NitSoft were employed for network discovery and credential harvesting. Before executing the ransomware payload, the attackers disabled Windows Defender and moved laterally across the network, targeting all servers and workstations using compromised domain accounts. 

ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks

The sophisticated malware known as ViperSoftX has recently been observed being distributed as eBooks over torrent networks. Trellix security researchers Mathanraj Thangaraju and Sijo Jacob highlighted that the current variant of ViperSoftX uses the Common Language Runtime (CLR) to dynamically load and execute PowerShell commands within AutoIt, creating a stealthy environment for malicious operations. Initially detected by Fortinet in 2020, ViperSoftX is known for exfiltrating sensitive information from compromised Windows systems. The malware has evolved to incorporate advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.

Recent campaigns, as of May 2024, have utilised ViperSoftX to distribute Quasar RAT and TesseractStealer, with cracked software and torrent sites being common propagation methods. However, the use of eBook lures is a new tactic. The malicious eBook RAR archive contains a hidden folder and a deceptive Windows shortcut file, which, when executed, initiates a multi-stage infection process. This process involves PowerShell scripts that establish persistence and interact with the .NET CLR framework to decrypt and run further malicious payloads. ViperSoftX collects system information, scans for cryptocurrency wallets via browser extensions, captures clipboard contents, and can dynamically download additional commands from a remote server. The malware also employs self-deletion mechanisms to avoid detection. The use of CLR within AutoIt to execute PowerShell commands allows ViperSoftX to bypass traditional security measures and evade detection effectively.

Critical PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

A recently disclosed PHP vulnerability, CVE-2024-4577, has been exploited by multiple threat actors to distribute remote access trojans, cryptocurrency miners, and DDoS botnets. This critical flaw, which allows remote command execution on Windows systems with Chinese and Japanese locales, was publicly revealed in June 2024 and has a CVSS score of 9.8. Exploit attempts were detected by Akamai within 24 hours, targeting their honeypot servers. Attackers utilised this vulnerability to deploy malware such as Gh0st RAT, RedTail, XMRig, and the Muhstik botnet.

Imperva also noted its exploitation by TellYouThePass ransomware operators. Organisations using PHP are urged to update their installations promptly to mitigate these threats. This incident underscores the diminishing window for defenders to act post-vulnerability disclosure, particularly given the high exploitability of this PHP flaw and its rapid adoption by malicious actors. Concurrently, Cloudflare reported a 20% year-over-year increase in DDoS attacks in Q2 2024, with known botnets contributing to half of all HTTP DDoS attacks, highlighting the escalating cyber threat landscape.