Ransomware/Malware Activity

CRYSTALRAY Ramps Up Attacks Leveraging OSS Tools

Researchers at Sysdig's Threat Research Team have reported an uptick in attacks by a threat actor dubbed "CRYSTALRAY". First observed in February 2024 abusing SSH-Snake, an Open-Source Software (OSS) penetration testing tool, to exploit Confluence vulnerabilities, CRYSTALRAY's operations have since scaled ten-fold to target over 1,500 potential victims. CRYSTALRAY's techniques rely heavily on OSS for all tactics in the MITRE ATT&CK matrix (i.e., reconnaissance, initial access, lateral movement, command and control, and impact). Tools used and abused by the threat group include asn, zmap, httpx, nuclei, SSH-Snake, sliver, and platypus. CRYSTALRAY first conducts reconnaissance to select IP ranges to scan for vulnerable services. It then leverages existing vulnerability proof-of-concept (PoC) exploits to gain remote code execution (RCE) and initial access via the identified vulnerability. Lateral movement is achieved through SSH-Snake, which uses discovered SSH keys and credentials to propagate through the environment. The goal is to harvest credentials from victim systems for sale on black markets. Once established in the victim's environment, CRYSTALRAY also installs cryptominers for further financial gain. Of the over 1,800 IP addresses seen targeted by CRYSTALRAY, the large majority were in the United States and China. Vulnerable services observed being targeted include Apache ActiveMQ and RocketMQ, Confluence, Metabase, Openfire, Oracle WebLogic Server, Solr, and Laravel. The sale of credentials on the dark web leaves victims vulnerable to further exploitation by malicious buyers. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

  • The Hacker News: CRYSTALRAY Article
  • CSO: CRYSTALRAY Article
  • Sysdig: CRYSTALRAY Article

Threat Actor Activity

Threat Actors Weaponizing Proof-of-Concept Exploits at Increasingly Fast Speeds

Cloudflare's Application Security report for 2024 reveals a concerning trend in cybersecurity: threat actors are increasingly able to weaponize vulnerabilities at unprecedented speeds, sometimes within minutes of a vulnerability being disclosed. This rapid exploitation presents significant challenges for defenders, who often cannot update Web Application Firewall (WAF) rules or deploy patches quickly enough to prevent attacks. The report, covering activity from May 2023 to March 2024, specifically points out the swift weaponization of vulnerabilities in widely used software products from Apache, ColdFusion, and MobileIron. One (1) instance involved an authentication bypass flaw in JetBrains TeamCity, where an exploit was deployed merely twenty-two (22) minutes after its disclosure. This speed underscores the necessity of employing AI assistance in developing detection rules, a strategy Cloudflare suggests for balancing response speed against the need to minimize false positives. Moreover, the report highlights a growing problem with distributed denial-of-service (DDoS) attacks, which now account for 6.8% of all daily internet traffic, indicating an increase in both the volume and impact of these attacks. Cloudflare's findings, including a staggering 86.6% year-over-year increase in blocked cyber threats, emphasize the evolving landscape of internet security threats and the critical need for advanced, AI-supported defense mechanisms.

  • Bleeping Computer: POC Exploits Article
  • Cloudflare: Application Security Report

Vulnerabilities

Critical Vulnerability in Exim Mail Server Exposes Millions of User Mailboxes to Attack

Censys has reported a critical vulnerability in the Exim mail transfer agent (MTA), which carries a high CVSS score of 9.1/10. The flaw, tracked as CVE-2024-39929, affects Exim versions up to 4.97.1 and has been patched in version 4.98. The vulnerability allows attackers to bypass $mime_filename extension-blocking mechanisms, enabling them to deliver malicious executable attachments to users' mailboxes. Exim is the default MTA for Debian Linux and is widely used on Unix-like systems; Shodan scans show that over 4.8 million of its 6.5 million public-facing SMTP servers are running vulnerable versions, with most located in the U.S., Russia, and Canada. While no active exploitation has been reported yet, the availability of a proof-of-concept (PoC) exploit underscores the urgency for users to patch their systems promptly. This vulnerability follows the disclosure of six (6) other significant flaws in Exim last year. CTIX analysts urge all administrators to update their Exim agents immediately to prevent exploitation. Administrators unable to upgrade immediately because of the impact on critical business processes are advised to restrict remote access to mitigate potential exploitation.

  • Bleeping Computer: CVE-2024-39929 Article
  • The Hacker News: CVE-2024-39929 Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ankura Consulting Group LLC

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing