CVE-2024-23897 Facilitated Ransomware Attacks on Indian Banks

The RansomEXX group carried out a ransomware attack that disrupted retail payments in Indian banks via a misconfigured Jenkins server, exploiting CVE-2024-23897 in the Jenkins CLI. The incident underscores the critical importance of patching, secure configuration, Zero Trust, robust incident response, and supply-chain security. #RansomEXX #BrontooTechnologySolutions #CEdgeTechnologies #CVE-2024-23897 #JenkinsCLI

Key points

  • RansomEXX was identified as responsible for the Brontoo Technology Solutions ransomware activity.
  • The attack originated from a misconfigured Jenkins server.
  • The vulnerability exploited was CVE-2024-23897 in the Jenkins Command Line Interface.
  • Emphasis on timely software updates and patching to prevent similar intrusions.
  • The need for rigorous configuration management to avoid misconfigurations.
  • Recommendation to adopt Zero Trust architecture for stronger security.
  • Importance of robust incident response planning for quick recovery.
  • Focus on supply chain security to mitigate third-party vulnerabilities.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used CVE-2024-23897 to gain initial unauthorized access to the victim’s environment. ‘On further analysis, the threat actor leveraged CVE-2024-23897 to gain initial unauthorized access to the victim’s environment.’
  • [T1059] Command and Scripting Interpreter – Executed commands on the compromised system via Jenkins CLI. ‘Used Jenkins CLI to execute commands on the compromised system.’
  • [T1543.003] Modify Existing Service – Potential persistence through Jenkins server configuration. ‘Potentially established persistence mechanisms through the Jenkins server configuration.’
  • [T1041] Exfiltration – Retrieved sensitive data by exploiting the Jenkins vulnerability. ‘Retrieved sensitive data by exploiting the Jenkins vulnerability.’
  • [T1486] Data Encrypted for Impact – Deployed ransomware to encrypt files and demand ransom. ‘Deployed ransomware to encrypt files and demand ransom.’

Indicators of Compromise

  • [File hash] Hash values associated with the ransomware indicators – 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458, ad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3
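A defender's first use of the two SHA-256 values above is a sweep of endpoints and file shares for any file that matches them. The script below is an added example written for this summary, not code from the advisory or from Juniper; it hashes every regular file under a directory in chunks, skips symlinks and unreadable files, and reports matches against the advisory's indicators. The sample files that `demo()` writes to a temporary directory are constructed purely for demonstration; because the real artefacts behind the two advisory hashes are not available here, the demo also adds the hash of one constructed file to the indicator set to show what a hit looks like.

```python
"""Scan a directory tree for files whose SHA-256 matches the IoC hashes
published for the RansomEXX / CVE-2024-23897 incident.

Added example, not part of the original advisory. The two hashes are the
ones listed on the page; the files created by demo() are constructed here
purely for demonstration and are not malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# SHA-256 indicators taken from the advisory above.
IOC_SHA256: Set[str] = {
    "4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458",
    "ad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3",
}

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries don't exhaust memory


def sha256_of_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file, streaming its contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Set[str] = IOC_SHA256) -> List[Dict[str, str]]:
    """Walk `root` and return one record per file whose hash is in `iocs`.

    Symlinks are skipped so the scan stays inside the tree, and files that
    cannot be read (permissions, races with deletion) are skipped rather
    than aborting the whole sweep.
    """
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append({"path": str(p), "sha256": digest})
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed sample tree and scan it twice: once with only the
    advisory's IoCs (no hits expected on made-up files) and once with the
    hash of a constructed file added (one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; none of these is a real artefact.
        (root / "benign.txt").write_bytes(b"quarterly report, nothing to see\n")
        (root / "empty.bin").write_bytes(b"")
        sample = root / "nested" / "constructed_sample.bin"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed sample content, not real malware\n")
        sample_digest = sha256_of_file(sample)
        return {
            "empty_digest": sha256_of_file(root / "empty.bin"),
            "hits_advisory_only": scan_tree(root),
            "hits_with_sample": scan_tree(root, IOC_SHA256 | {sample_digest}),
            "sample_digest": sample_digest,
        }


if __name__ == "__main__":
    result = demo()
    print(f"advisory-only hits: {len(result['hits_advisory_only'])}")
    for hit in result["hits_with_sample"]:
        print(f"MATCH {hit['sha256']}  {hit['path']}")
```

For a real sweep, point `scan_tree()` at the paths of interest (for example a Jenkins home directory or a file share) and feed its output into the incident's evidence log; extending `IOC_SHA256` from a hash list file is the usual next step once more indicators are published.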

Read more: https://blogs.juniper.net/en-us/threat-research/cve-2024-23897-enabled-ransomware-attack-on-indian-banks