Thursday, July 6th, 2023
Cybersecurity Week in Review (07/07/2023)
SilentBob Campaign: Cloud-Native Environments Under Attack
Cybersecurity researchers have unearthed an attack infrastructure that’s being used as part of a potentially massive campaign against cloud-native environments.
The infrastructure is in the early stages of testing and deployment, and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to drop the Tsunami malware, hijack cloud credentials, hijack compute resources, and spread the worm further.
The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an advanced copycat.
An investigation was prompted in the aftermath of an attack targeting a honeypot in early June 2023, leading to the discovery of four malicious container images that are designed to detect exposed Docker and Jupyter Lab instances and deploy a cryptocurrency miner as well as the Tsunami backdoor.
This feat is achieved by means of a shell script that’s programmed to launch when the container starts and is used to deploy the Go-based ZGrab scanner to locate misconfigured servers. Docker has since taken down the images from the public registry. The images are listed below:
- shanidmk/jltest2 (44 pulls)
- shanidmk/jltest (8 pulls)
- shanidmk/sysapp (11 pulls)
- shanidmk/blob (29 pulls)
shanidmk/sysapp, besides executing a cryptocurrency miner on the infected host, is configured to download and run additional binaries, which could either be backup cryptominers or the Tsunami malware.
Also downloaded by the container is a file named “aws.sh.txt,” a script that’s likely designed to systematically scan the environment for AWS keys for subsequent exfiltration.
In the wild, 51 servers were found with exposed JupyterLab instances, all of which have been actively exploited or exhibited signs of exploitation by threat actors. This includes a live manual attack on one of the servers that employed masscan to scan for exposed Docker APIs.
This process is designed to spread the malware to an increasing number of servers. The secondary payload of this attack includes a crypto miner and a backdoor, the latter employing the Tsunami malware as its weapon of choice.
RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors
A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages.
The malware can steal information from various browsers, enabling the exfiltration of sensitive data, and also incorporates several modules for carrying out ransomware activities. The goal is to couple data theft with encryption in order to inflict maximum damage on the victims.
Following a successful breach, the malicious binary is used as a conduit to set up persistence, perform the actual browser update, and also drop a stealer capable of covertly harvesting sensitive information and encrypting the stolen files, leaving the victims at risk of potential data loss, exposure, or even the sale of their valuable data.
In the final stage, RedEnergy’s ransomware component proceeds to encrypt the user’s data, suffixing the “.FACKOFF!” extension to each encrypted file, deleting existing backups, and dropping a ransom note in each folder.
Victims are expected to make a payment of 0.005 BTC (about $151) to a cryptocurrency wallet mentioned in the note to regain access to the files. RedEnergy’s dual functions as a stealer and ransomware represent an evolution of the cybercrime landscape.
The development also follows the emergence of a new RAT-as-a-ransomware threat category in which remote access trojans such as Venom RAT and Anarchy Panel RAT have been equipped with ransomware modules to lock various file extensions behind encryption barriers.
Japan’s Largest Port Stops Operations After Ransomware Attack
The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that impacted the operation of its container terminals. The port accounts for roughly 10% of Japan’s total trade volume. It operates 21 piers and 290 berths, and handles over two million containers and 165 million tons of cargo every year.
The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.
Today, the administrative authority of the Port of Nagoya has issued a notice about a malfunction in the “Nagoya Port Unified Terminal System” (NUTS) — the central system controlling all container terminals in the port.
According to the notice, the problem was caused by a ransomware attack that occurred on July 4, 2023, around 06:30 AM local time.
“Upon investigating the cause, we held a meeting with the Nagoya Port Operation Association Terminal Committee, who operates the system, and the Aichi Prefectural Police Headquarters [and] it was discovered that the issue was a ransomware infection.” — Nagoya Port
The port authority is working to restore the NUTS system by 6 PM today (July 5th) and plans to resume operations by 08:30 AM tomorrow.
Until then, all container loading and unloading operations at the terminals using trailers have been cancelled, causing massive financial losses to the port and severe disruption to the circulation of goods to and from Japan.
The Nagoya Port Authority has dealt with cyberattacks before, but it appears that this one has had the largest impact. On September 6, 2022, the website of the port was unreachable for about 40 minutes due to a massive distributed denial-of-service (DDoS) attack launched by the pro-Russian group Killnet.
The threat actor behind the ransomware attack on the Port of Nagoya remains unknown as no threat actor has claimed the intrusion publicly, yet.
Swedish Data Protection Authority Warns Companies Against Google Analytics Use
The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year.
The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies: CDON, Coop, Dagens Industri, and Tele2.
“In its audits, IMY considers that the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred,” IMY said.
“The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.”
The data protection authority also fined the Swedish telecom service provider Tele2 $1.1 million and the local online marketplace CDON less than $30,000 for failing to implement adequate security measures to anonymise the data prior to the transfer.
Furthermore, CDON, Coop, and Dagens Industri have been ordered to cease using Google Analytics. Tele2 is said to have voluntarily stopped using the service.
The investigation, the IMY added, was based on a complaint filed by the privacy non-profit None of Your Business (noyb) alleging violations of the General Data Protection Regulation (GDPR) laws.
The decision is rooted in the fact that such E.U.-U.S. data transfers have been found illegal in light of potential surveillance worries that data stored in U.S. servers could be subject to access by intelligence agencies in the country.
Similar concerns have led to Meta being levied a record $1.3 billion fine by European Union data protection agencies. That said, the E.U. and U.S. are in the process of finalising a new data transfer arrangement, called the E.U.-U.S. Data Privacy Framework, that replaces the now-invalid Privacy Shield.
US Healthcare Firm Breach, Child Patient Data at Risk
ARx Patient Solutions says it suffered a cyberattack in 2022 that may have exposed personal details relating to more than 40,000 people, many of them child patients. Why it took so long to make the disclosure is unclear.
The Kansas-based healthcare provider made the disclosure on its website and notified the Attorney General’s Office of Maine, which imposes strict reporting requirements on any data breaches involving its residents, on July 3rd.
Just 526 Maine residents were affected, but the total number of potential victims comes to 41,166, according to the Attorney General — it isn’t clear whether these are all patients or if that figure also includes details of third-party contractors that might have been kept on ARx’s internal systems.
What does seem sure is that the healthcare firm suffered a system intrusion in March last year that exposed details including child patients’ names, prescription information, insurance and account numbers, the names of their doctors, and, in some cases, Social Security numbers.
ARx made this disclosure in a letter of notification sent to affected parties on June 30th, 2023, although it also claims that “based on our investigation and dark web monitoring, there is no evidence of misuse of any of this information.”
ARx will be hoping it is right about this: its investigation took more than a year to reach its final verdict, following a cyber break-in after “an employee email account was compromised and accessed by an unauthorised third party.”
“On discovery of the incident, we disabled the account, contained the disruption, engaged an industry-leading cybersecurity firm to complete an investigation and accelerated implementation of key initiatives to strengthen our systems and security protocols,” said ARx.
The letter of disclosure to patients’ parents added: “Based on findings from the investigation, ARx Patient Solutions has determined that personal information belonging to your child was contained in files within the email account and potentially accessed by an unauthorised third party.”
The company has offered a year’s worth of free credit monitoring and identity theft protection services to parents.
It also claims that since the attack it has “strengthened systems and protocols for our employees, patients and customers by implementing threat monitoring systems, proactive vulnerability management programs, active systems scanning, and significant investments in the Security Operations department.”
Mexico-Based Hacker Targets Global Banks with Android Malware
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net following a Malware Research Challenge in collaboration with vx-underground.
Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims.
Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING.
Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a seasoned cybercriminal, engaging in the sales of phishing panels, compromised victim data to third-parties, and a smishing-as-a-service offering called Ankarex that’s designed to target a number of countries across the world.
The initial entry point for the multi-stage attack is SMS phishing, in which the threat actor employs various scare tactics to trick unwitting recipients into clicking on bogus landing pages to harvest and exfiltrate their credentials via a Telegram bot. The pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade.
The threat actors have also been observed duping bank customers into installing rogue Android apps under the guise of security software that, once installed, requests SMS permissions to capture SMS-based two-factor authentication (2FA) codes sent by the bank.
The Ankarex platform, for its part, has been active since May 2022. It’s actively promoted on a Telegram channel that has about 1,700 subscribers.
The development comes as a new Anatsa (aka TeaBot) banking trojan campaign has been identified targeting banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.
Ukrainian Banks Hit by Pro-Russian NoName Hackers
The Russian-linked hacktivist group NoName has been relentlessly targeting the Ukrainian financial sector in its latest campaign against the war-torn nation. Since the attackers posted a threat through their Telegram channel four days ago, nearly a dozen major Ukrainian banks have been hit daily by the gang’s signature DDoS attack method.
Targets include four of the nation’s largest commercial banks: First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank.
The pro-Russian hacking conglomerate, officially known in the security world as NoName057(16), said its latest campaign is aimed at disrupting Ukraine’s online banking infrastructure.
Besides claiming to have knocked several of the bank websites completely offline, the gang has also specifically gone after authorisation services, login portals, customer service systems, and loan processing services. Other Ukrainian banks claimed by NoName this week include Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and Clearing House.
The hacking campaign may have been spurred on by a recent announcement by Ukrainian politicians to become the “first country in the world to completely abolish cash,” the group posted on Telegram.
Seemingly at random, on June 28th the gang also picked up on a post by fellow hacktivist group Anonymous Sudan, which has been continuously targeting Sweden since the burning of a Quran during a protest in Stockholm this past January. In an apparent gesture of solidarity towards Anonymous Sudan, NoName momentarily switched gears and decided to attack two targets in Sweden: the website of the Swedish railway carrier SJ AB and the Swedish Financial Supervisory Authority, Finansinspektionen (FI).
Anonymous Sudan claims its motivation against the West is due to interference in Sudanese political affairs, but most security insiders are convinced the group is either operated by Russian sympathisers or backed by the Russian government – possibly explaining why NoName would suddenly take up arms with the group.
Since then, the gang has mainly set its sights on NATO member nations allied with Ukraine, recently targeting critical infrastructure in Poland, Denmark, and Lithuania, the French parliament, and carrying out nearly a dozen attacks on Switzerland’s financial and aviation sectors this month.
Some of the largest European ports in Italy, Germany, Spain and Bulgaria were hacked by NoName on June 16.
In January, NoName was discovered advertising cryptocurrency payouts to volunteer hackers in exchange for joining in on the group’s distributed denial-of-service (DDoS) attacks, which overload a website with traffic requests, causing it to crash.
Around the same time, the group was able to take down at least half a dozen websites belonging to the 2023 Czech presidential election candidates, causing chaos just days before the elections were scheduled to begin.
Hackers Target European Government Entities in SmugX Campaign
A phishing campaign named SmugX and attributed to a Chinese threat actor has been targeting embassies and foreign affairs ministries in the UK, France, Sweden, Ukraine, the Czech Republic, Hungary, and Slovakia since December 2022.
Researchers analysed the attacks and observed overlaps with activity previously attributed to advanced persistent threat (APT) groups tracked as Mustang Panda and RedDelta.
Looking at the lure documents, the researchers noticed that they are typically themed around European domestic and foreign policies.
Among the samples collected during the investigation are:
- A letter from the Serbian embassy in Budapest
- A document stating the priorities of the Swedish Presidency of the Council of the European Union
- An invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs
- An article about two Chinese human rights lawyers
The lures used in the SmugX campaign betray the threat actor’s target profile and indicate espionage as the likely objective of the campaign. SmugX attacks rely on two infection chains, both employing the HTML smuggling technique to hide malicious payloads in encoded strings inside HTML documents attached to the lure message.
One variant of the campaign delivers a ZIP archive with a malicious LNK file that runs PowerShell when launched, to extract an archive and save it into the Windows temporary directory.
The extracted archive contains three files, one being a legitimate executable (either “robotaskbaricon.exe” or “passwordgenerator.exe”) from an older version of the RoboForm password manager that allowed loading DLL files unrelated to the application, a technique called DLL sideloading.
The other two files are a malicious DLL (Roboform.dll) that is sideloaded using one of the two legitimate executables, and “data.dat” – which contains the PlugX remote access trojan (RAT) that is executed through PowerShell.
In the second chain, the MSI creates a new folder within the “%appdata%\Local” directory and stores three files there: a hijacked legitimate executable, the loader DLL, and the encrypted PlugX payload (‘data.dat’).
Again, the legitimate program is executed, and PlugX malware is loaded into memory via DLL sideloading in an effort to avoid detection.
To ensure persistence, the malware creates a hidden directory where it stores the legitimate executable and malicious DLL files and adds the program to the ‘Run’ registry key. Once PlugX is installed and running on the victim’s machine, it may load a deceptive PDF file to distract the victim and reduce their suspicion.
PlugX is a modular RAT that has been used by multiple Chinese APTs since 2008. It comes with a wide range of functions that include file exfiltration, taking screenshots, keylogging, and command execution.
While the malware is typically associated with APT groups, it has also been used by cybercriminal threat actors. However, the version deployed in the SmugX campaign is largely the same as those seen in other recent attacks attributed to a Chinese adversary, with the difference that it used the RC4 cipher instead of XOR.
Based on the details uncovered, it is believed that the SmugX campaign shows that Chinese threat groups are becoming interested in European targets, likely for espionage.
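Detection logic for the HTML smuggling technique SmugX relies on, as an added example that is not code from the original article or from the researchers who analysed the campaign. It scans an HTML attachment for the JavaScript APIs that reassemble a smuggled payload in the browser and decodes any long base64 run to identify the embedded file by its magic bytes; the sample HTML, its ZIP-like blob, and the size threshold are constructed assumptions to tune per environment.

```python
import base64
import binascii
import re

# Assumed threshold: a base64 run shorter than this is not worth decoding (tune per environment)
MIN_B64_LEN = 512

# JavaScript APIs commonly used to rebuild a smuggled payload client-side and hand it to the user
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")

# Magic bytes of the container formats a smuggled payload is usually delivered in
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def identify_blob(b64_text: str):
    """Decode one base64 run and classify it by magic bytes; None if it is not valid base64."""
    try:
        data = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind, len(data)
    return "unknown", len(data)


def analyze_html(html: str) -> dict:
    """Flag a document that embeds a decodable blob AND uses at least two reassembly APIs."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    blobs = []
    for match in B64_RUN_RE.finditer(html):
        info = identify_blob(match.group(0))
        if info is not None:
            blobs.append({"kind": info[0], "size": info[1]})
    return {"apis": apis, "blobs": blobs, "suspicious": bool(blobs) and len(apis) >= 2}


# Constructed sample: a stand-in ZIP header padded with zeros, delivered the way the SmugX lures do it
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 600
SMUGGLED_HTML = """<html><body><p>Loading document, please wait...</p>
<script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invitation.zip";
a.click();
</script></body></html>""" % base64.b64encode(SAMPLE_PAYLOAD).decode()

# Constructed benign page for comparison
BENIGN_HTML = "<html><body><h1>Agenda</h1><p>Session starts at 10:00.</p></body></html>"

if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze_html(doc))
```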
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets
In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, researchers have discovered a new Windows-based information stealer called Meduza Stealer that’s actively being developed by its author to evade detection by security software.
The Meduza Stealer has a singular objective: comprehensive data theft. It pilfers users’ browsing activities, extracting a wide array of browser-related data, from critical login credentials to the valuable record of browsing history and meticulously curated bookmarks. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable.
Despite its feature overlap with other stealers, Meduza boasts a crafty operational design that eschews the use of obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker’s server fail. It’s also designed to abort if the victim’s location is in the stealer’s predefined list of excluded countries, which consists of the Commonwealth of Independent States (CIS) and Turkmenistan.
Meduza Stealer, besides gathering data from 19 password manager apps, 76 crypto wallets, 95 web browsers, Discord, Steam, and system metadata, harvests miner-related Windows Registry entries as well as a list of installed games, indicating a broader financial motive.
It’s currently being offered for sale on underground forums such as XSS and Exploit.in and a dedicated Telegram channel as a recurring subscription that costs $199 per month, $399 for three months, or $1,199 for a lifetime license. The information pilfered by the malware is made available through a user-friendly web panel.
This feature allows subscribers to download or delete the stolen data directly from the web page, granting them an unprecedented level of control over their ill-gotten information. This in-depth feature set showcases the sophisticated nature of the Meduza Stealer and the lengths its creators are willing to go to ensure its success.
BlackCat Ransomware Pushes Cobalt Strike via WinSCP Search Ads
The BlackCat ransomware group (aka ALPHV) is running malvertising campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.
WinSCP (Windows Secure Copy) is a popular free and open-source SFTP, FTP, S3, and SCP client and file manager with SSH file-transfer capabilities, with 400,000 weekly downloads on SourceForge alone.
BlackCat is using the program as a lure to potentially infect the computers of system administrators, web admins, and IT professionals for initial access to valuable corporate networks. This previously unknown ALPHV ransomware infection vector was discovered by analysts who spotted ad campaigns promoting the fake pages on both Google and Bing search pages.
The BlackCat attack begins with the victim searching for “WinSCP Download” on Bing or Google and getting promoted malicious results ranked above the safe WinSCP download sites. The victims click on those ads and visit a website that hosts tutorials about performing automated file transfers using WinSCP.
These sites contain nothing malicious, likely to evade detection by Google’s anti-abuse crawlers, but redirect the visitors to a clone of the official WinSCP website featuring a download button. These clones utilise domain names similar to the real winscp.net domain for the utility, such as winsccp[.]com.
The victim clicks the button and receives an ISO file containing “setup.exe” and “msi.dll,” the first being the lure for the user to launch and the second being the malware dropper triggered by the executable. Once setup.exe is executed, it calls msi.dll, which extracts a Python folder from the DLL’s RCDATA resource section and runs a genuine WinSCP installer so that the expected application is installed on the machine.
This process also installs a trojanised python310.dll and creates a persistence mechanism by adding a Run key named “Python” with the value “C:\Users\Public\Music\python\pythonw.exe”. The executable pythonw.exe loads a modified, obfuscated python310.dll that contains a Cobalt Strike beacon that connects to a command-and-control server address. With Cobalt Strike running on the system, it is easy to execute additional scripts, fetch tools for lateral movement, and generally deepen the compromise.
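A triage check for the Run-key persistence both the SmugX chain (legitimate executable plus sideloaded DLL under %appdata%\Local) and the BlackCat WinSCP campaign (the “Python” value pointing at pythonw.exe under C:\Users\Public) rely on, as an added example and not code from the original article or from the researchers cited. It parses `reg query` style output of a Run key and flags entries that launch from a user-writable path or through a script interpreter; the sample output, the “RoboForm” value name and its folder are constructed, and the path markers and interpreter list are assumptions to extend per environment.

```python
import ntpath
import re

# Assumed heuristic: autorun entries launching from these user-writable paths deserve a look
USER_WRITABLE_MARKERS = ("\\users\\public\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

# Script hosts and interpreters that malware commonly registers instead of its own binary
INTERPRETER_NAMES = {"pythonw.exe", "python.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# One value line of `reg query` output: <name> <REG_type> <data>
VALUE_LINE_RE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")
# Leading executable of the value data: a quoted path, or an unquoted token ending in .exe
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+?\.exe)', re.IGNORECASE)


def parse_reg_query(text: str):
    """Yield (value_name, data) pairs from the output of `reg query` against a Run key."""
    for line in text.splitlines():
        match = VALUE_LINE_RE.match(line)
        if match:
            yield match.group(1), match.group(3)


def executable_path(data: str):
    """Return the executable a Run value launches, ignoring any arguments; None if none found."""
    match = EXE_RE.match(data.strip())
    return (match.group(1) or match.group(2)) if match else None


def triage_run_entries(text: str):
    """Return the Run entries that hit at least one heuristic, together with the reasons."""
    findings = []
    for name, data in parse_reg_query(text):
        path = executable_path(data)
        if path is None:
            continue
        lowered = path.lower()
        reasons = []
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable location")
        if ntpath.basename(lowered) in INTERPRETER_NAMES:
            reasons.append("script interpreter")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


# Constructed sample output: the "Python" value mirrors the BlackCat persistence key described above,
# the "RoboForm" value (constructed name and folder) stands in for the SmugX sideloading pair
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Python      REG_SZ    C:\Users\Public\Music\python\pythonw.exe
    RoboForm    REG_SZ    C:\Users\alice\AppData\Local\a1b2c3\robotaskbaricon.exe
"""

if __name__ == "__main__":
    for finding in triage_run_entries(SAMPLE_REG_QUERY):
        print(finding["name"], finding["path"], ", ".join(finding["reasons"]))
```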
Researchers noticed that ALPHV operators used the following tools in the subsequent phases:
- AdFind: command-line tool used for retrieving Active Directory (AD) information.
- PowerShell: commands used for gathering user data, extracting ZIP files, and executing scripts.
- AccessChk64: command-line tool used for user and group permission reconnaissance.
- Findstr: command-line tool used for searching for passwords within XML files.
- PowerView: PowerSploit script used in AD reconnaissance and enumeration.
- Python scripts: used for executing the LaZagne password recovery tool and obtaining Veeam credentials.
- PsExec, BitsAdmin, and Curl: used for lateral movement.
- AnyDesk: legitimate remote management tool abused for maintaining persistence.
- KillAV BAT script: used for disabling or bypassing antivirus and antimalware programs.
- PuTTY Secure Copy client: used for exfiltrating the collected information from the breached system.
Along with the above tools, ALPHV also used the SpyBoy “Terminator,” an EDR and antivirus disabler sold by threat actors on Russian-speaking hacking forums for as much as $3,000. “Terminator” is capable of bypassing several Windows security tools by using a bring your own vulnerable driver (BYOVD) mechanism to escalate privileges on the system and deactivate them.
The above TTPs have been linked to confirmed ALPHV ransomware infections. A Clop ransomware file was also found in one of the investigated C2 domains, so the threat actor may be affiliated with multiple ransomware operations.