Executive Summary
The Professional, Scientific, and Technical Services (PSTS) sector is increasingly a focal point for cyber threats because of its vast data repositories and its dependence on remote access tools. This report, based on the ReliaQuest Threat Landscape Report, analyzes the vulnerabilities, threat actors, and exploitation tactics targeting the sector. It highlights the activity of the ransomware groups Akira, Black Basta, and RansomHub, and of nation-state actors such as China's APT41, who exploit vulnerabilities to gain unauthorized access and exfiltrate sensitive data. It also covers specific vulnerabilities such as CVE-2024-36412, an unauthenticated SQL injection in SuiteCRM, and sets out mitigation strategies to help organizations strengthen their defenses.
Technical Information
The PSTS sector is a prime target for cybercriminals because it relies heavily on remote access tools and handles sensitive data. One of the critical vulnerabilities identified is CVE-2024-36412, an unauthenticated SQL injection in SuiteCRM, an open-source CRM application. It allows an attacker to execute arbitrary SQL commands without authenticating, potentially leading to unauthorized data access and system compromise. Affected versions are those in the 7.x line prior to 7.14.4 and those in the 8.x line prior to 8.6.1. Public proof-of-concept (PoC) exploits are available, which raises the likelihood of exploitation in the wild. Organizations are advised to upgrade to the patched SuiteCRM releases and to deploy a web application firewall to detect and block SQL injection attempts.
Ransomware groups such as Akira are known for double-extortion tactics: they encrypt files and exfiltrate data to pressure victims into paying. Akira has targeted over 250 organizations, using vulnerabilities such as CVE-2024-40766 in SonicWall SSL VPNs for initial access. Similarly, Black Basta and RansomHub have actively targeted the PSTS sector, exploiting remote access vulnerabilities and phishing to deploy ransomware.
Nation-state actors, particularly China's APT41, target PSTS organizations to steal intellectual property and sensitive data. They use advanced techniques to maintain long-term persistence in networks, often exploiting vulnerabilities in public-facing applications and remote services. The MITRE ATT&CK framework maps several techniques used by these actors: T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), and T1566.002 (Phishing: Spearphishing Link).
Exploitation in the Wild
Initial Access Brokers (IABs) play a significant role in the exploitation landscape by selling access to compromised networks. The PSTS sector has seen a 116% increase in IAB activity, driven by ransomware affiliates seeking network access. These actors often exploit vulnerabilities in VPNs and RDP tools to gain initial access, which is then sold to other cybercriminals for further exploitation.
APT Groups Using This Vulnerability
The report highlights the activities of several Advanced Persistent Threat (APT) groups targeting the PSTS sector. APT41, a Chinese nation-state actor, is particularly notable for its focus on stealing intellectual property and sensitive data from PSTS organizations. This group employs sophisticated techniques to exploit vulnerabilities in public-facing applications and maintain long-term persistence in networks.
Affected Product Versions
The primary vulnerability discussed in this report, CVE-2024-36412, affects SuiteCRM versions prior to 7.14.4 and 8.6.1. Organizations using these versions are at risk of unauthorized data access and system compromise due to the unauthenticated SQL injection vulnerability.
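As an added illustration (not code from the report, from ReliaQuest, or from SuiteCRM), the following Python helper triages an asset inventory against the affected ranges stated above: 7.x before 7.14.4 and 8.x before 8.6.1. The handling of release lines outside 7.x and 8.x, and the sample hostnames and versions, are assumptions made for the example.

```python
"""Flag SuiteCRM installs in the version ranges the report lists as affected
by CVE-2024-36412 (unauthenticated SQL injection; fixed in 7.14.4 and 8.6.1)."""
import re
from typing import Dict, Tuple

# First fixed release per major line, as stated in the report.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {7: (7, 14, 4), 8: (8, 6, 1)}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised SuiteCRM version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the version precedes the fix for its release line.

    Lines older than 7.x are older than 7.14.4 and are treated as affected.
    A major version above 8 is assumed to already carry the fix; that is an
    assumption for this example, not a statement from the report.
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major < 7:
        return True
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return False  # 9.x or later: assumed patched (see docstring)
    return parsed < fixed  # tuple comparison: (7, 14, 3) < (7, 14, 4)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {hostname: version} inventory to 'affected' or 'patched'."""
    return {host: ("affected" if is_affected(ver) else "patched")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"crm-prod-01": "7.14.3", "crm-prod-02": "7.14.4",
              "crm-dev-01": "8.6.0", "crm-dev-02": "v8.6.1"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```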
Workaround and Mitigation
To mitigate the risks associated with the vulnerabilities discussed in this report, organizations should implement several key strategies. Regular patch management is crucial to protect against known vulnerabilities like CVE-2024-36412. Organizations should also conduct regular phishing training sessions to educate employees about phishing tactics and how to recognize suspicious emails. Implementing strict access controls and monitoring for unauthorized access attempts, especially for remote services, can further enhance security. Additionally, leveraging tools like ReliaQuest GreyMatter for automated threat detection and response can significantly reduce the mean time to contain incidents, minimizing the impact of attacks.
References
For further reading and detailed information on the vulnerabilities and threat actors discussed in this report, please refer to the following resources: CVE-2024-36412 - NVD, Akira Ransomware Group Activities - CISA, and ReliaQuest Threat Landscape Report.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities, ensuring that your organization remains secure against emerging threats. We are happy to answer any questions you might have about this report or any other issue at ops@rescana.com.