In-Depth Analysis of Intelbroker’s Jenkins Exploitation in the BORN Group Supply Chain Breach | CloudSEK

Intelbroker exploited CVE-2024-23897 to breach BORN Group and exfiltrate data from multiple of its clients, a sophisticated supply chain compromise. The actor claims access to the data, a dump of the company's GitHub repositories, and use of the Endurance ransomware, with numerous secondary victims affected. #Intelbroker #EnduranceRansomware

Keypoints

  • Intelbroker carried out a sophisticated supply chain intrusion targeting BORN Group by exploiting Jenkins (CVE-2024-23897) on an exposed server.
  • The arbitrary file read (LFI) provided by the vulnerability was used to steal SSH keys from the server, enabling further access.
  • Stolen SSH keys were used to access BORN Group’s GitHub repository and dump all repositories.
  • Hardcoded keys and secrets found in source code were leveraged to infiltrate additional systems beyond the initial target.
  • Intelbroker claims to have developed and operated the Endurance ransomware; it overwrites files with random data, so it functions as a wiper rather than as recoverable encryption.
  • A third-party compromise is also claimed: access to the target may have come through a compromised service provider (the actor cites a case involving T-Mobile).
  • The primary victim is BORN Group, with multiple secondary victims; an exposed, vulnerable Jenkins server is linked to the incident.

MITRE Techniques

  • [T1210] Exploitation of Remote Services – ‘Exploited CVE-2024-23897 on an exposed Jenkins server for initial access.’
  • [T1552.004] SSH Keys – ‘Threat Actor uses CVE-2024-23897 (LFI vulnerability) to steal SSH keys.’
  • [T1078] Valid Accounts – ‘Used stolen SSH keys to access the GitHub repository of borngroup.com.’
  • [T1041] Exfiltration – ‘Dumped all repositories from BORN Group’s GitHub.’
  • [T1003] Credential Dumping – ‘Exploited hardcoded keys and secrets found in the source code to infiltrate other systems.’
  • [T1486] Data Encrypted for Impact – ‘Developed and operated the “Endurance” ransomware, overwriting files with random data.’
  • [T1195] Supply Chain Compromise – ‘Third-Party Compromise: Intelbroker may have compromised a third-party service provider to gain access to the target organization’s network.’
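A defender-side check for the hardcoded-secrets step described in the keypoints and in the T1003 mapping above, as an added example that is not code from CloudSEK or from the incident: a small scanner that walks repository file contents looking for private-key blocks, AWS access key IDs, GitHub personal access tokens and password assignments, and reports each hit with a redacted excerpt so the report itself does not re-expose the secret. The sample repository contents are constructed, and the password rule is a heuristic that will produce false positives.

```python
import re
from typing import Dict, List, Tuple

# Kinds of material an attacker holding a dumped repository would look for.
# The token prefixes are documented public formats (AWS access key IDs begin
# with "AKIA", GitHub PATs with "ghp_"); the password rule is a heuristic.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}


def redact(match: str) -> str:
    """Keep only a short prefix so the finding never re-exposes the secret."""
    return match[:6] + "..." if len(match) > 6 else "***"


def scan_repository(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_number, kind, redacted_match) for every hit.

    `files` maps a repository-relative path to its text content, as one
    would collect by walking a checked-out clone.
    """
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append((path, line_no, kind, redact(m.group(0))))
    return findings


# Constructed sample repository; none of this is data from the incident.
SAMPLE_REPO = {
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nBASE64-KEY-MATERIAL-PLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n",
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'\nDB_PASSWORD = \"hunter2hunter2\"\nDEBUG = False\n",
    "README.md": "Run `make deploy` after loading credentials from the vault.\n",
}

if __name__ == "__main__":
    for path, line_no, kind, shown in scan_repository(SAMPLE_REPO):
        print(f"{path}:{line_no}: {kind} ({shown})")
```

Committed SSH private keys found this way should be treated as compromised and rotated, not merely deleted from the latest commit, since they remain in the repository history.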

Indicators of Compromise

  • [URL] context – http[:]//h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/, olx.id7423[.]ru
  • [SHA256 Hash] context – 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a, 8a3ca9efa2631435016a4f38ff153e52c647146e, and 3 more hashes

Read more: https://www.cloudsek.com/blog/born-group-supply-chain-breach-in-depth-analysis-of-intelbrokers-jenkins-exploitation