Security Roundup October 2024

Rob Zabel
Cyber Security Engineer
Published
31 October 2024

October 2024: Teams Chats used by Black Basta, Another Critical Fortinet Vulnerability, SonicWall VPNs Attacked by Ransomware Gangs, and more!

Teams Chats used by Black Basta

Security researchers at ReliaQuest reported that the Black Basta ransomware group have recently been detected using Microsoft Teams chats as a vector to deliver malware and ransomware.

Black Basta is a well-known Russian-speaking ransomware gang that has existed since 2022. The gang has over 100 confirmed victims, including 19 prominent enterprise victims. The group operates a Ransomware-as-a-Service (RaaS) model. It is known for its ‘double extortion’ attacks, whereby it demands payment for both decrypting files and not leaking data on the Dark Web.

Targeted users were added to Microsoft Teams chats by external users posing as support or help-desk staff; the same users had previously received spam emails from the same attackers. The attackers have been observed trying to convince users to scan QR codes or click links to download standard remote monitoring and management (RMM) tools such as Quick Assist and AnyDesk.

The following Microsoft tenancies were identified in the attacks:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

It has been observed that the threat actors have also used the following domains to deliver QR codes in phishing attacks:

  • qr-s1[.]com
  • qr-s2[.]com
  • qr-s3[.]com
  • qr-s4[.]com

In detected attacks, subdomains are used to tailor the lure to the target organisation, for example <company name>.qr-s1[.]com.

To mitigate these attacks, organisations are advised to turn off communications from external untrusted domains where possible, enable logging for Teams activity, and train IT teams and users to spot suspicious Teams messages from users with names such as ‘Help Desk’. The post-exploitation actions taken by the threat actors usually include deploying common tools such as Impacket and Cobalt Strike, which leading endpoint detection and response (EDR) products detect.
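As an added illustration of the logging advice above (this is example code written for this roundup, not code from ReliaQuest or Microsoft), the following Python triages two kinds of records against the indicators listed in this section: Teams chat events from an external sender, and DNS query lines. The Teams record shape (`sender_upn`, `sender_display_name`, `urls`) and the DNS line format are assumptions for the sample data, not the exact Unified Audit Log or resolver schema; map your own export onto them. The home tenant `example.com` and all sample records are constructed.

```python
import re

# IoCs from the roundup above, kept defanged as the page lists them.
ATTACKER_TENANTS = {
    "securityadminhelper.onmicrosoft[.]com",
    "supportserviceadmin.onmicrosoft[.]com",
    "supportadministrator.onmicrosoft[.]com",
    "cybersecurityadmin.onmicrosoft[.]com",
}
# qr-s1[.]com .. qr-s4[.]com and any subdomain (the per-target "<company>.qr-s1[.]com" pattern).
QR_DOMAIN_RE = re.compile(r"(^|\.)qr-s[1-4]\.com$")
# Display names of the kind the lure accounts used; a heuristic, not an IoC.
LURE_NAME_RE = re.compile(r"\b(help ?desk|support|it admin|security admin)\b", re.IGNORECASE)


def refang(domain):
    return domain.replace("[.]", ".")


def defang(domain):
    return domain.replace(".", "[.]")


KNOWN_BAD_TENANTS = {refang(t) for t in ATTACKER_TENANTS}


def host_of(url):
    """Hostname part of a URL, lower-cased (scheme and path stripped)."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def triage_teams_event(event, home_tenant):
    """Return the reasons an event is suspicious (empty list if benign).

    `event` is a dict shaped like SAMPLE_EVENTS below; the field names are an
    assumption made for this example, not the real audit-log schema.
    """
    reasons = []
    sender = event.get("sender_upn", "")
    sender_domain = sender.split("@")[-1].lower()
    if sender_domain and sender_domain != home_tenant.lower():
        # Only external senders are interesting for this lure.
        if sender_domain in KNOWN_BAD_TENANTS:
            reasons.append(f"sender tenant on known-bad list: {defang(sender_domain)}")
        if LURE_NAME_RE.search(event.get("sender_display_name", "")):
            reasons.append("external sender using help-desk style display name")
    for url in event.get("urls", []):
        if QR_DOMAIN_RE.search(host_of(url)):
            reasons.append(f"link to QR lure domain: {defang(host_of(url))}")
    return reasons


def summarise(events, home_tenant):
    """Map event index -> reasons, for every event that raised at least one."""
    return {i: r for i, e in enumerate(events) if (r := triage_teams_event(e, home_tenant))}


def flag_dns_queries(lines):
    """Return (client_ip, qname) for queries to qr-s[1-4].com or any subdomain.

    Constructed line format: "<timestamp> <client_ip> query <qname>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if QR_DOMAIN_RE.search(qname):
                hits.append((parts[1], qname))
    return hits


HOME_TENANT = "example.com"  # the defending organisation's own domain (assumption)

SAMPLE_EVENTS = [  # constructed records, not real audit-log output
    {"sender_upn": "alice@example.com", "sender_display_name": "Alice Smith",
     "urls": ["https://sharepoint.example.com/doc"]},
    {"sender_upn": "admin@securityadminhelper.onmicrosoft.com",
     "sender_display_name": "Help Desk",
     "urls": ["https://example.qr-s1.com/verify"]},
    {"sender_upn": "bob@partner.example.net", "sender_display_name": "Bob Jones", "urls": []},
]

SAMPLE_DNS = [  # constructed resolver log lines
    "2024-10-28T09:15:02Z 10.0.0.14 query login.microsoftonline.com.",
    "2024-10-28T09:15:41Z 10.0.0.14 query example.qr-s1.com.",
    "2024-10-28T09:16:10Z 10.0.0.22 query qr-s4.com.",
    "2024-10-28T09:16:30Z 10.0.0.22 query qr-s9.com.",
]

if __name__ == "__main__":
    for idx, reasons in summarise(SAMPLE_EVENTS, HOME_TENANT).items():
        print(f"event {idx}: " + "; ".join(reasons))
    for client, qname in flag_dns_queries(SAMPLE_DNS):
        print(f"dns: {client} -> {defang(qname)}")
```

The display-name check is deliberately an alerting heuristic rather than a block: legitimate external support contacts will trip it, which is the point of routing these to a human rather than auto-closing the chat.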

Another Month, Another Critical Fortinet Vulnerability

With a Common Vulnerability Scoring System (CVSS) score of 9.8, the latest Fortinet vulnerability has been classified as critical. The vulnerability lies in the protocol that FortiGate devices use to communicate with the FortiManager software (the FortiGate to FortiManager, or FGFM, protocol).

In a summary of the vulnerability on the Fortinet website, they state, “A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” In layman’s terms, because FortiManager doesn’t correctly check who’s allowed to access certain functions, a hacker could take advantage of this to run harmful code or commands on the system from anywhere in the world.
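To make the CWE-306 pattern in the quoted advisory concrete, here is a toy management daemon written for this roundup (it is illustrative example code and has nothing to do with FGFM or any Fortinet source). The command names, credential store and request shape are all invented. The vulnerable dispatcher checks authentication for some requests but wires up a privileged command without any check; the hardened version declares which commands are public and gates everything else behind a single session check before dispatch, so a forgotten check cannot silently expose a new command.

```python
import secrets

# Constructed credential store, plaintext only to keep the demo short; a real
# daemon verifies against a salted hash.
CREDENTIALS = {"admin": "correct horse battery staple"}
_sessions = set()  # valid session tokens


def login(user, password):
    """Return a session token on success, None otherwise."""
    stored = CREDENTIALS.get(user)
    if stored is not None and secrets.compare_digest(stored, password):
        token = secrets.token_hex(16)
        _sessions.add(token)
        return token
    return None


def _apply_config(args):
    # Stand-in for the privileged action: records what would happen, runs nothing.
    return {"ok": True, "would_apply": args}


# --- Vulnerable dispatcher: the CWE-306 shape ------------------------------
def handle_vulnerable(request):
    cmd = request.get("cmd")
    if cmd == "status":                       # intentionally public
        return {"ok": True, "status": "running"}
    if cmd == "set-config":                   # privileged, but no session check
        return _apply_config(request.get("args", {}))
    return {"ok": False, "error": "unknown command"}


# --- Hardened dispatcher ----------------------------------------------------
PUBLIC_COMMANDS = {"status"}
HANDLERS = {
    "status": lambda req: {"ok": True, "status": "running"},
    "set-config": lambda req: _apply_config(req.get("args", {})),
}


def handle_hardened(request):
    """Authenticate before dispatch; only commands in PUBLIC_COMMANDS skip it."""
    cmd = request.get("cmd")
    handler = HANDLERS.get(cmd)
    if handler is None:
        return {"ok": False, "error": "unknown command"}
    if cmd not in PUBLIC_COMMANDS and request.get("token") not in _sessions:
        return {"ok": False, "error": "authentication required"}
    return handler(request)


if __name__ == "__main__":
    req = {"cmd": "set-config", "args": {"hostname": "fw-01"}}
    print("vulnerable:", handle_vulnerable(req))   # accepted without any login
    print("hardened:  ", handle_hardened(req))     # rejected: authentication required
    req["token"] = login("admin", "correct horse battery staple")
    print("hardened, logged in:", handle_hardened(req))
```

The design point is centralising the check: adding a command to `HANDLERS` without also adding it to `PUBLIC_COMMANDS` leaves it authenticated by default, which is the safe failure mode.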

Fortinet recommends updating to a fixed version of the software or, if this is not possible, applying a workaround. Instructions for the workarounds on the different affected versions are available on the Fortinet website.

SonicWall VPNs Attacked by Ransomware Gangs

The Fog and Akira ransomware groups exploit SonicWall VPN vulnerabilities, specifically targeting unpatched endpoints vulnerable to CVE-2024-40766, a flaw addressed in August 2024. Fog, a newer threat, has been noted for quickly encrypting data in corporate networks, while Akira has employed similar techniques in the past. In recent incidents, both groups have used coordinated infrastructure, suggesting ongoing collaboration. Many affected organisations had unprotected endpoints without multi-factor authentication on VPNs. The attackers commonly focus on encrypting virtual machines and recent files while skipping older data.

It is recommended that system administrators move to the below versions, which address CVE-2024-40766:

  • For Gen 5: Version 5.9.2.14-13o
  • For Gen 6: Version 6.5.4.15.116n
  • For SM9800, NSsp 12400 and NSsp 12800: Version 6.5.2.8-2n
  • For Gen 7: Any SonicOS firmware version higher than 7.0.1-5035

The security updates have been made available for download through mysonicwall.com.

Some of This Month’s Other Vulnerabilities and Fixes

Microsoft Patch Tuesday

As reported by our partners at CrowdStrike, in its October 2024 Patch Tuesday update, Microsoft addressed 118 vulnerabilities, including two actively exploited zero-day flaws: CVE-2024-43573 and CVE-2024-43572. Three of the patched vulnerabilities were classified as Critical, while the rest were rated Important or Moderate. Users are advised to apply these updates promptly to mitigate potential security risks.

Cisco ASA and FTD Appliances

Cisco’s recent update to its ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defence) software enhances VPN security by blocking brute-force and password-spray attacks, which have increasingly targeted VPN gateways. Repeated failed login attempts can strain system resources and expose weak credentials; the new features let administrators block them automatically. The update includes controls that restrict invalid login attempts and overloads from malicious clients, significantly reducing brute-force success rates. Cisco recommends that users update to the latest versions to take full advantage of these new security features.

The new security features for blocking VPN brute-force attacks are similar to fail2ban, an open-source tool released in 2004 and used to protect various services ever since. fail2ban works by monitoring log files for repeated failed login attempts. When it detects multiple attempts from a single IP within a short period, it automatically blocks that IP, typically by adding a firewall rule. This stops brute-force and password-spray attacks from overwhelming resources and helps maintain system integrity. Cisco’s updates bring the same concept directly into its network hardware.
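As an added example of the mechanism just described (written for this roundup; it is not fail2ban's own code and not Cisco's implementation), the following Python keeps a sliding window of failed logins per source IP over standard OpenSSH log lines and records the firewall rule it would apply once the threshold is crossed. The parameter names `maxretry`, `findtime` and `bantime` follow fail2ban's terminology; the log lines, the year used to complete the syslog timestamps, and the `iptables` strings it records (recorded, never executed) are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard OpenSSH failure line. Syslog timestamps carry no year, so the
# monitor is told which year to assume.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)


class FailedLoginMonitor:
    def __init__(self, maxretry=5, findtime=600, bantime=3600, year=2024):
        self.maxretry = maxretry                      # failures allowed inside the window
        self.findtime = timedelta(seconds=findtime)   # window length
        self.bantime = timedelta(seconds=bantime)     # how long a ban lasts
        self.year = year
        self.attempts = defaultdict(deque)            # ip -> failure timestamps in window
        self.banned = {}                              # ip -> ban expiry
        self.actions = []                             # firewall commands we would run

    def parse(self, line):
        """Return (timestamp, source_ip) for a failed-password line, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts, m.group(2)

    def _expire_bans(self, now):
        for ip, expiry in list(self.banned.items()):
            if now >= expiry:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip = parsed
        self._expire_bans(ts)
        if ip in self.banned:
            return None                               # already blocked, nothing to count
        window = self.attempts[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                          # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            return ip
        return None

    def process(self, lines):
        """Feed many lines; return the IPs banned in order."""
        return [ip for ip in map(self.feed, lines) if ip]


SAMPLE_LOG = [  # constructed sshd lines; 203.0.113.5 hammers, 198.51.100.7 is slow and sparse
    "Oct 28 09:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Oct 28 09:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2",
    "Oct 28 09:00:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40138 ssh2",
    "Oct 28 09:00:07 host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "Oct 28 09:00:09 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2",
    "Oct 28 09:00:11 host sshd[1211]: Failed password for root from 203.0.113.5 port 40160 ssh2",
    "Oct 28 09:00:13 host sshd[1213]: Failed password for root from 203.0.113.5 port 40170 ssh2",
    "Oct 28 09:05:00 host sshd[1301]: Failed password for bob from 198.51.100.7 port 51000 ssh2",
    "Oct 28 09:20:00 host sshd[1302]: Failed password for bob from 198.51.100.7 port 51010 ssh2",
    "Oct 28 09:40:00 host sshd[1303]: Failed password for bob from 198.51.100.7 port 51020 ssh2",
]

if __name__ == "__main__":
    monitor = FailedLoginMonitor(maxretry=5, findtime=600, bantime=3600)
    print("banned:", monitor.process(SAMPLE_LOG))
    for action in monitor.actions:
        print("would run:", action)
```

Because the counter is keyed on source IP, a password spray distributed across many addresses stays under `maxretry` on every one of them; that gap is why per-user failure counts, MFA on the VPN, and the per-client overload controls mentioned above matter alongside this kind of blocking.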


Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Email: [email protected]
Tel: 0333 370 1353