Sarina

I. Targeted Entities

• Internet users

II. Introduction

LandUpdate808 is a malicious downloader that distributes malicious payloads disguised as fake browser updates. The downloader is usually hosted on malicious or compromised websites. LandUpdate808 was identified by the Center for Internet Security as a top ten observed malware in quarter three of 2024, landing as the second most prominent identified malware.

III. Additional Background Information

LandUpdate808 redirects website visitors to first download the loader for the fake update content. The redirect also adds a cookie to the targeted user which has been observed with the naming conventions “isDone” or “isVisited11”. The cookie’s value is set to true after the operation is successful. The cookie has an expiration date of four days and will cause the malware to skip over the previous steps if the cookie is detected. The fake update page is disguised as an out-of-date Chrome notification with a blue download button labeled “Update Chrome”. When clicked, the button will link to an “update.php” file. The payload has been observed as a JS, EXE, and MSIX file that changes file type frequently. Recent reporting has identified multiple domains being tied to the same IP address, a potential indicator that the LandUpdate808 operation is expanding operations.

IV. MITRE ATT&CK

VII. References

Samala, A. (2024b, October 15). New Behavior for LandUpdate808 Observed. Malasada Tech. https://malasada.tech/new-behavior-for-landupdate808-observed/

Samala, A. (2024a, July 2). The LandUpdate808 Fake Update Variant. Malasada Tech. https://malasada.tech/the-landupdate808-fake-update-variant/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Benjamin Price

I. Targeted Entities

• Fortune 500 Companies
• Government Agencies

II. Introduction

According to The Multi-State Information Sharing and Analysis Center’s (MS-ISAC) monitoring services, SocGholish has retained its position as the most prevalent malware in Q3 2024, accounting for 42% of observed infections. SocGholish is a JavaScript-based downloader that spreads primarily through malicious or compromised websites that present fake browser update prompts to users. Once deployed, SocGholish infections can facilitate further exploitation by delivering additional malicious payloads.

III. Additional Background Information

SocGholish, also known as “FakeUpdates,” has emerged as the leading malware in Q3 2024. This malware has been active since 2018 and operates as a JavaScript-based downloader that exploits drive-by-download techniques to gain initial access. SocGholish primarily spreads through compromised websites, which present fake browser or software update prompts to unsuspecting users. When users download and run the updates, they execute a malicious payload that establishes communication with SocGholish’s command-and-control (C2) infrastructure.

The malware typically delivers its payload via direct download of JavaScript files or, less frequently, within obfuscated ZIP archives to evade detection. The attackers have continued to adapt, using techniques such as homoglyphs in filenames to bypass string-based detection methods. Once deployed, SocGholish conducts reconnaissance on infected systems, identifying users, endpoints, and potentially critical assets such as Active Directory domains. In about 10% of cases, the malware escalates to delivering second-stage payloads, including remote access tools (RATs) like Mythic, replacing previously popular choices like NetSupport.

SocGholish serves as an initial access broker, facilitating further exploitation by delivering additional malware, including ransomware variants such as LockBit and WastedLocker. Its activities are often precursors to larger attacks, making it a critical threat to monitor. Infections may involve domain trust enumeration and script-based data exfiltration, primarily executed in memory, complicating detection efforts. Organizations are advised to implement preventive measures, such as disabling automatic JavaScript execution, monitoring for unusual script activity, and swiftly isolating infected hosts to mitigate the impact of potential intrusions.

IV. MITRE ATT&CK

VI. Additional OSINT Information

SocGholish operates as a JavaScript-based malware loader that initially infects victims through compromised websites, presenting them with fake browser or software update prompts. Once users click to “update,” the malware executes a JavaScript payload, connecting back to the attacker’s command and control (C2) server to deliver additional payloads.

Image 1 of SocGholish Payload Delivery

Image 2 of SocGholish Payload Delivery

Image 3 of SocGholish Payload Delivery via Fake Google Alerts

Payload details:

• Primary Payload: The initial JavaScript script collects system and user information, which it sends back to the C2 server, enabling the attacker to assess the target for further exploitation. This reconnaissance phase helps the malware operators determine the value of the target and the appropriate secondary payloads to deploy.
• Secondary Payloads: SocGholish is known to deploy additional malware based on the information gathered. Historically, it used the NetSupport RAT for remote access but has evolved to favor other tools. Since 2022, SocGholish shifted its preference to more advanced payloads, including:
• Cobalt Strike: This well-known post-exploitation tool allows attackers to conduct further reconnaissance, privilege escalation, and lateral movement within networks. However, recent reports show a transition to using Mythic, an alternative to Cobalt Strike.

• Mythic: A versatile open-source command and control framework used for post-compromise operations, allowing attackers to load additional modules and control infected systems stealthily.

• Reconnaissance and Lateral Movement: The secondary payload often includes commands for system discovery and Active Directory enumeration. Common tools used in this phase include nltest.exe for domain trust discovery and whoami for privilege reconnaissance.

• Ransomware Associations: SocGholish has acted as an initial access broker, facilitating access for ransomware groups such as LockBit and WastedLocker. This handoff process enables ransomware operators to capitalize on SocGholish’s infiltration to execute ransom demands or further network disruption.

By delivering these targeted payloads, SocGholish operators can gain persistent access, conduct extensive reconnaissance, and potentially disrupt critical systems. These payloads make SocGholish not only a potent malware threat but also a significant enabler of larger ransomware and espionage campaigns across various industries.

VII. References

The Center for Internet Security, Inc (October 23, 2024) Top 10 Malware Q3 2024 https://www.cisecurity.org/insights/blog/top-10-malware-q3-2024

Red Canary (2024) SocGholish https://redcanary.com/threat-detection-report/threats/socgholish/

MITRE ATT&CK (March 22, 2024) SocGholish https://attack.mitre.org/software/S1124/

Blackpoint Cyber (June 21, 2024) AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion https://blackpointcyber.com/resources/blog/asyncrat-netsupportrat-vssadmin-abuse-for-shadow-copy-deletion-soc-incidents-blackpoint-apg/

Proofpoint (November 22, 2022) Part 1: SocGholish, a very real threat from a very fake update https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update

ReliaQuest (January 30, 2023) SocGholish: A Tale of FakeUpdates https://www.reliaquest.com/blog/socgholish-fakeupdates/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.

I. Targeted Entities

• Fortinet FortiManager Customer
• Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet’s FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows for remote code execution (RCE) by unauthorized attackers. The exploitation of this vulnerability is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, a critical vulnerability was discovered in Fortinet’s FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, exploits a missing authentication mechanism in the fgfmd daemon, allowing attackers to execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts can allow attackers to escalate their control leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager’s broad adoption across multiple critical infrastructures and industries make it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet’s security infrastructure.

IV. MITRE ATT&CK

VII. References

The Channel CO, CRM (October 24, 2024) 5 Things To Know On The Fortinet FortiManager Attacks  https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks
 

Bleeping Computer (October 23, 2024) Fortinet warns of new critical FortiManager flaw used in zero-day attacks
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/ 

Google Cloud (October 23, 2024) Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575 

 New York State (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://its.ny.gov/2024-120 

 Bleeping Computer (October 24, 2024) Mandiant says new Fortinet flaw has been exploited since June https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/ 

 CVE (October 23, 2024) CVE-2024-47575 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575 

 Fortigaurd (October 17, 2024) Missing authentication in fgfmsd https://www.fortiguard.com/psirt/FG-IR-24-423 

 MS-ISAC (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker. 

I. Targeted Entities

• Small to Medium Government and Business Entities

II. Introduction

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra’s postjournal service, which processes incoming emails over SMTP. This vulnerability allows attackers to compromise servers by sending specially crafted emails that trigger arbitrary command execution through the server’s CC field. Once exploited, the vulnerability can be used to install web shells, providing attackers full access to the compromised server and enabling further network infiltration.

III. Additional Background Information

Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.

IV. MITRE ATT&CK

VII. References

Dark Reading. (October 1, 2024). Zimbra RCE Vuln Under Attack Needs Immediate Patching. https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now

BleepingComputer. (October 2, 2023). Critical Zimbra RCE flaw exploited to backdoor servers using emails. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/

SOCRadar. (October 02, 2024). RCE Vulnerability in Zimbra (CVE-2024-45519). https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, Benjamin Price