The July 2024 Threat Intelligence Report, published by Cradlepoint, covers Qilin RaaS, the impact of the SolarWinds Serv-U vulnerability, and a threat to the education sector.
Each month the Cradlepoint Threat Research and Analysis Team publishes a threat intelligence report to inform organizations about relevant changes in the threat landscape. This report covers events during June 2024.
At a glance
- Some medical services in the UK halted due to a third-party “Qilin” ransomware attack
- SolarWinds Serv-U file share software actively exploited for CVE-2024-28995
- U.S. education sector targeted with “Fog” ransomware using CVE-2023-27532
- High-risk vulnerabilities Cradlepoint solutions would mitigate
UK NHS medical care reduced due to Synnovis ransomware attack
The Qilin ransomware affiliates attacked Synnovis, a pathology services company, significantly reducing the capacity of some London hospitals to 15% or less. Qilin gained initial access through VPN software flaws, and weak identity management protocols allowed them to move laterally within the Synnovis network. There are no reports of Qilin having breached other organizations’ networks through the Synnovis compromise. The exploited vulnerabilities and noncompliance with security standards at Synnovis had been reported to their Board as recently as April; however, the issues were not resolved by the time of the attack. Synnovis did not pay the $50M USD ransom, and the stolen patient data was published on a dark web site on June 20, 2024. For more details, see https://www.england.nhs.uk/synnovis-cyber-incident/
TR&A Comments: Qilin is a ransomware-as-a-service (RaaS) malware platform, previously known as Agenda in 2022. While Qilin is a Chinese-Anglicized name, the platform is written in Russian and is advertised in Telegram channels and dark web sites catering to Russian threat actors. The affiliates who have used Qilin are financially motivated and opportunistic across all industries, including manufacturing and media. A threat actor claiming to lead the Synnovis attack reportedly stated that it was politically motivated; however, that is inconsistent with previous attacks using Qilin, where the only demand was for ransom payment.
Cradlepoint solutions for proactive defense: Attack surface reduction using a combination of secure remote access and zero trust network architecture can reduce the impact of ransomware attacks. Cradlepoint’s Zero Trust WAN Security and Zero Trust Web Security allow an organization to provide secured remote access to internal applications, removing the need for VPN devices and software.
SolarWinds Serv-U impact similar to MOVEit
Security researcher Hussein Daher reported a directory traversal vulnerability in SolarWinds Serv-U software which allows unauthenticated remote access to data stored on the host machine. Serv-U is commonly used for secure and managed file exchange, and at least 9,500 instances were exposed to the internet as of publication. Exploit code was made available within days of the patch release, leading to significant internet scanning activity for vulnerable instances of Serv-U. For more details, see SolarWinds Trust Center Security Advisories | CVE-2024-28995
TR&A Comments: The impact of file sharing application exploitation is defined by how sensitive the compromised data is. The MOVEit zero-day vulnerability had a significant impact due to the highly sensitive data stored by its victims, which included U.S. government service firms, universities, and manufacturing companies such as Siemens Energy. No compromises caused by this vulnerability have been reported; however, detecting a compromise could be difficult if detection of traversal attempts (including encoded bypass variants) and of large data transfers is not configured.
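The detection gap described above, as an added example (not code from SolarWinds, Cradlepoint, or the report's author): the script below parses constructed web-server access-log lines in Common Log Format, using RFC 5737 test addresses and a placeholder `/files/` prefix rather than any real Serv-U URL. It contrasts a literal `../` rule with a check that percent-decodes repeatedly (bounded) and folds backslashes before looking for a `..` segment, so single-encoded, double-encoded, and backslash variants are caught, and it adds the simple large-transfer check the paragraph also mentions.

```python
"""Detection of directory-traversal attempts in web-server access logs.

Added example for the Serv-U discussion; not code from SolarWinds,
Cradlepoint or the report's author. The log lines are constructed in
Common Log Format with RFC 5737 test addresses and a placeholder
'/files/' prefix rather than a real Serv-U URL.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [12/Jun/2024:10:01:05 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [12/Jun/2024:10:01:09 +0000] "GET /files/..%2f..%2fetc/passwd HTTP/1.1" 404 0
203.0.113.13 - - [12/Jun/2024:10:01:12 +0000] "GET /files/%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 92
203.0.113.14 - - [12/Jun/2024:10:01:15 +0000] "GET /files/report.pdf HTTP/1.1" 200 20480
203.0.113.15 - - [12/Jun/2024:10:01:20 +0000] "GET /files/..\\..\\windows\\win.ini HTTP/1.1" 200 92
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize_path(path, max_rounds=3):
    """Percent-decode until stable (bounded) and fold backslashes to '/'.

    Double-encoded dots (%252e) need two rounds; the bound keeps a
    pathological request from looping the detector.
    """
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def naive_is_traversal(path):
    """Literal '../' match: the rule many detections start with."""
    return "../" in path


def is_traversal(path):
    """Normalize first, then flag any path segment that is exactly '..'."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def scan_log(text):
    """Alerts for traversal attempts, noting which ones the naive rule misses."""
    alerts = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and is_traversal(e["path"]):
            alerts.append({
                "ip": e["ip"],
                "path": e["path"],
                "normalized": normalize_path(e["path"]),
                "status": e["status"],
                "missed_by_naive": not naive_is_traversal(e["path"]),
            })
    return alerts


def large_transfers(text, threshold_bytes):
    """Successful responses at or above the threshold; a crude exfiltration signal."""
    hits = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["status"].startswith("2") and e["size"] >= threshold_bytes:
            hits.append((e["ip"], e["path"], e["size"]))
    return hits


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        tag = "missed by literal '../'" if a["missed_by_naive"] else "caught by literal '../'"
        print(f"{a['ip']} {a['path']} -> {a['normalized']} [{tag}]")
    print("large transfers:", large_transfers(SAMPLE_LOG, 10_000))
```

On the sample, the literal rule catches only the plain `../` request and misses the three encoded or backslash variants; the normalizing check flags all four. The transfer threshold is a placeholder to tune per host, and a 404 on a traversal request is still worth alerting on, since it shows probing even when the server refused.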
Cradlepoint solutions for proactive defense: Securely sharing data is business critical, and Cradlepoint’s clientless ZTNA solution can secure application access without direct internet access.
Fog ransomware targets U.S. education sector
A new ransomware named “Fog” was detected by security researchers at Arctic Wolf in late May 2024 and was used primarily for attacks against the US education sector. A vulnerability in Veeam Backup and Restore software (CVE-2023-27532) was exploited to dump credentials and encrypt backups to thwart victim system recovery. The threat actors encrypted data but did not leave evidence of data exfiltration; the ransom demanded payment for a decryption key only. The threat actors who deployed Fog used common techniques to gain initial access and move laterally, including using compromised credentials to log into organizations’ VPN systems and then scanning for network file shares and Windows RDP sessions. For more details, see Lost in the Fog: A New Ransomware Threat - Arctic Wolf
TR&A Comments: VPNs are a common entry point in attacks due to several attack vectors: VPN software vulnerabilities, poor identity management, and permissive access. VPN vulnerabilities were recently exploited to compromise U.S. CISA and MITRE. Additionally, threat actors have used compromised credentials of unused and local accounts, and password-only authentication. Identity management should include disabling unused accounts, enforcing MFA, and regular audits. Once an attacker has access to a network without a zero trust network architecture, they have more opportunity to exploit internal system weaknesses.
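The audit the comments call for, as an added example (not Cradlepoint's code): the script below runs over a constructed account inventory, a hypothetical export from an identity provider or VPN appliance with the fields `user`, `source` (`"idp"` or `"local"`), `mfa`, and `last_login`, and groups accounts by the three weaknesses named above: unused, password-only, and local accounts outside central policy. It then ranks accounts carrying more than one weakness so remediation starts where the exposure overlaps.

```python
"""Identity hygiene audit for VPN/remote-access accounts.

Added example illustrating the TR&A comments; not Cradlepoint's code.
The inventory and its field names are constructed and hypothetical.
"""
from datetime import date, timedelta

# Constructed inventory; names and dates are made up.
INVENTORY = [
    {"user": "alice", "source": "idp", "mfa": True, "last_login": "2024-06-25"},
    {"user": "bob", "source": "idp", "mfa": False, "last_login": "2024-06-10"},
    {"user": "svc_backup", "source": "local", "mfa": False, "last_login": "2024-01-15"},
    {"user": "contractor1", "source": "idp", "mfa": True, "last_login": "2023-11-30"},
    {"user": "admin", "source": "local", "mfa": True, "last_login": None},
]


def audit_accounts(accounts, as_of, stale_days=90):
    """Group accounts by the weakness they carry.

    stale:   no login within stale_days, or never; candidates to disable
    no_mfa:  password-only authentication
    local:   not managed by the identity provider, so outside central policy
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = {"stale": [], "no_mfa": [], "local": []}
    for acct in accounts:
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            findings["stale"].append(acct["user"])
        if not acct["mfa"]:
            findings["no_mfa"].append(acct["user"])
        if acct["source"] == "local":
            findings["local"].append(acct["user"])
    return findings


def fix_first(findings):
    """Accounts with more than one weakness, most weaknesses first."""
    counts = {}
    for users in findings.values():
        for u in users:
            counts[u] = counts.get(u, 0) + 1
    ranked = [(u, n) for u, n in counts.items() if n > 1]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    findings = audit_accounts(INVENTORY, date(2024, 6, 30))
    for kind, users in findings.items():
        print(f"{kind:7}: {', '.join(users) or '-'}")
    print("fix first:", fix_first(findings))
```

The 90-day window is an assumed policy value; the point is that a stale local service account without MFA is exactly the kind of credential the comments describe, and it surfaces at the top of the list.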
Cradlepoint solutions for proactive defense: Cradlepoint’s Secure Connect solution replaces the need for a VPN device or software, provides consolidated identity management using an identity provider, and is deployed as a zero trust network by default.
High-risk vulnerabilities Cradlepoint solutions would mitigate
The vulnerabilities listed below are actively exploited and relevant to the Cradlepoint technology used by many industries, including vulnerabilities published or added to CISA’s Known Exploited Vulnerabilities Catalog in June 2024.
Web Application Isolation
| Product | Criticality (CVSS 3.0) | Impact | Industry | Exploited? | CVE |
|---|---|---|---|---|---|
| PHP Group | 9.8 | Under some conditions arbitrary code can be executed on remote PHP servers through the argument injection attack. | Multiple | Yes | CVE-2024-4577 |
Secure Connect
| Product | Criticality (CVSS 3.0) | Impact | Industry | Exploited? | CVE |
|---|---|---|---|---|---|
| CheckPoint security gateways with IPsec VPN | 8.6 | Allows attackers to access sensitive information in the security gateways that, in some instances, could allow them to move laterally on a compromised network and gain domain admin privileges. | Multiple | Yes | CVE-2024-24919 |
| Zyxel | 9.8 | Allows an unauthenticated attacker to execute some operating system (OS) commands or arbitrary code. | Multiple | Yes | CVE-2024-29972, CVE-2024-29973, CVE-2024-29974 |
For more monthly threat intelligence reports, please visit our threat intelligence blog. If you would like to speak with a Cradlepoint solutions person, please contact us by clicking on “Cradlepoint Chat” on our website.