April 19: Top Threat Actors, Malware, Vulnerabilities and Exploits

Picus Security surveys April’s top vulnerabilities, exploits, and threat actor activity, highlighting PAN-OS GlobalProtect and PuTTY flaws, high-profile breaches, and campaigns leveraging steganography and hacktivist personas. The round-up also details Kapeka backdoor activity and a ransomware incident at Nexperia, along with notable threat actors like IntelBroker, Sandworm, and TA558. #UPSTYLE #CVE2024-3400 #PuTTY #Kapeka #Sandworm #IntelBroker #SpaceEyes #Nexperia

Key Points

  • High-severity CVE-2024-3400 in PAN-OS enables unauthenticated remote command execution via GlobalProtect telemetry, with UPSTYLE backdoor observed in the wild.
  • PuTTY vulnerability CVE-2024-31497 could allow recovery of SSH private keys because of deterministic nonce generation on the P-521 curve.
  • IntelBroker claims a Space-Eyes breach exposing sensitive government-related data, signaling exfiltration-focused activity against national-security targets.
  • Sandworm (APT44) masquerades as hacktivist groups, using multiple Telegram channels to promote operations and potentially mislead attribution.
  • TA558 leverages steganography (SteganoAmor) to deliver multiple malware families and abuses compromised SMTP/FTP infrastructure for phishing and data theft.
  • Kapeka backdoor (Windows DLL) masquerades as a Word add-in, uses JSON-based C2, and is delivered via certutil, representing a resilient, multi-stage initial access toolset.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Unauthenticated remote attackers exploit PAN-OS GlobalProtect telemetry to run commands with root privileges via crafted HTTP POST requests. “permits unauthenticated remote attackers to execute arbitrary commands with root privileges on affected devices.”
  • [T1552.004] Private Keys – PuTTY vulnerability allows potential recovery of SSH private keys used for authentication. “could potentially recover the private keys used for their generation.”
  • [T1041] Exfiltration – IntelBroker's breach claims involve exfiltration of sensitive government-related data from Space-Eyes and associated entities.
  • [T1036] Masquerading – Sandworm masquerades as hacktivist groups to conduct operations and manage narratives. “masquerading as hacktivist groups to conduct its cyber operations.”
  • [T1027] Obfuscated/Compressed Files and Information – TA558 steganography hides malicious payloads inside images and text (SteganoAmor) to deliver malware. “embedding … Visual Basic Scripts (VBS), PowerShell code, and RTF documents with exploits into image and text files.”
  • [T1566.001] Phishing: Spearphishing Attachment – TA558 uses booby-trapped Excel attachments exploiting CVE-2017-11882 to deliver malware. “phishing email that includes a booby-trapped Microsoft Excel attachment … CVE-2017-11882.”
  • [T1071.001] Web Protocols – TA558 uses JSON-based C2 communications to exfiltrate data and control payloads. “C2 communications that use JSON for transmitting data.”
  • [T1105] Ingress Tool Transfer – Kapeka deployment uses certutil to fetch the malicious payload from compromised websites. “certutil utility, a legitimate tool exploited to fetch the malicious payload.”

Indicators of Compromise

  • [File Hash] UPSTYLE Backdoor – MD5: 0c1554888ce9ed0da1583dbdf7b31651, SHA1: 988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9, SHA256: 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
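As an added example (not from the Picus round-up), a file-system sweep that hashes every file under a directory in a single pass and reports matches against the UPSTYLE indicators listed above. Only the three hash values come from this page; the script itself is constructed here.

```python
import hashlib
import os
from pathlib import Path

# UPSTYLE backdoor indicators as listed in this round-up (MD5, SHA1, SHA256).
UPSTYLE_IOCS = {
    "md5": {"0c1554888ce9ed0da1583dbdf7b31651"},
    "sha1": {"988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9"},
    "sha256": {"3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac"},
}


def file_digests(path, chunk_size=1 << 20):
    """Return MD5/SHA1/SHA256 of a file, computed in one streaming pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=UPSTYLE_IOCS):
    """Walk `root` and return (path, algorithm, digest) for every file whose
    digest under any listed algorithm is in the indicator set. Matching is
    case-insensitive; unreadable files (permissions, vanished symlink targets)
    are skipped so one bad entry does not abort the sweep."""
    wanted = {alg: {d.lower() for d in digests} for alg, digests in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():  # sockets, broken symlinks, etc.
                continue
            try:
                digests = file_digests(path)
            except OSError:
                continue
            for alg, value in digests.items():
                if value in wanted.get(alg, ()):
                    hits.append((str(path), alg, value))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python upstyle_sweep.py /path/to/scan
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("MATCH", *hit)
```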

Read more: https://www.picussecurity.com/resource/blog/april-19-top-threat-actors-malware-vulnerabilities-and-exploits