Leveraging CVE-2024-21412: Unveiling a Stealer Campaign | FortiGuard Labs

Fortinet’s FortiGuard Labs analyzes a campaign that leverages CVE-2024-21412 to deliver a stealer payload and evade defenses. The post outlines the techniques used, the potential impact, and the indicators tied to this campaign.

Key points

  • CVE-2024-21412 is being exploited as the entry point for a stealer campaign that delivers payloads that appear to be weaponized.
  • The campaign is analyzed by Fortinet’s FortiGuard Labs, which maps the observed behaviors to MITRE ATT&CK tactics and techniques.
  • The materials describe a multi-stage operation spanning initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, C2, exfiltration, and impact.
  • Indicators of compromise in the article are presented as payload identifiers and related artifacts associated with the stealer activity.
  • MITRE ATT&CK mappings are provided for the campaign’s tactics and techniques, outlining how adversaries move from access to data impact.
  • The article links to a Fortinet threat research post that details exploitation of CVE-2024-21412 and the involved threat activity.

MITRE Techniques

  • [T1078] Initial Access
  • [T1203] Execution
  • [T1547] Persistence
  • [T1068] Privilege Escalation
  • [T1218] Defense Evasion
  • [T1003] Credential Access
  • [T1087] Discovery
  • [T1071] Command and Control
  • [T1041] Exfiltration
  • [T1485] Impact

Indicators of Compromise

  • [URL/Domain] Fortinet threat research page – https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
  • [File Name] nphplpgoakhhjchkkhmiggakijnkhfnd – observed payload identifier in the campaign
  • [File Name] apbldaphppcdfbdnnogdikheafliigcf – observed payload identifier in the campaign

Read more: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed