Thursday, December 7th, 2023

Cybersecurity Week in Review (08/12/2023)

German Energy Agency Latest Claimed by ALPHV/BlackCat Ransom Gang

Dena, the Deutsche Energie-Agentur GmbH – in English, the German Energy Agency Ltd – is being claimed as the latest casualty of the ALPHV/BlackCat ransomware group. The Berlin-based profit-oriented climate protection agency announced it had been the victim of a cyberattack on November 23rd.

The international energy think tank has roughly 100 energy transition projects currently happening around the world, with 2022 earnings listed as over €700 million.

Dena posted a statement on its website with details about the attack and the ongoing investigation.

“As a result of the cyber attack on dena, a risk to the data processed by our business contacts cannot be ruled out,” dena said.

“This may also affect sensitive data, such as account details,” it said, adding forensic experts were still determining “exactly which data was leaked.”

Meanwhile, at about 2 p.m. EST Wednesday, December 6th, ALPHV/BlackCat posted dena on its dark leak site.

In a short blog entry, the Russian-linked gang claimed to have stolen sensitive data from the energy collective, but did not provide any specific amount.

A list of stolen data was stated to be “encrypted backups, esxi, unloaded all email correspondence as of 2016 and other sensitive data.”

It also appears that dena was forced to take its systems offline to try to contain the damage, which is often the case with cyberattacks.

“We will only restart our systems once this review has been completed and additional protective measures have been introduced,” dena said in its breach announcement.

The company declined to provide exactly when that would be, but said it would post any updates on its website. The company also said it would be reviewing its entire IT infrastructure to ensure the “greatest possible security” for the company and business partners.

ALPHV/BlackCat ransomware was first observed in 2021 and is known to operate as a ransomware-as-a-service (RaaS) model by selling malware subscriptions to criminals. The Russian-affiliated gang carried out more than 200 ransom attacks in the first half of 2023 alone, according to a September report by Trend Micro, and is said to be responsible for approximately 12% of all attacks in 2022.

The group has easily caused over $1 billion in lost corporate revenue in 2023, according to security insiders. Known for its triple-extortion tactics, the gang was responsible for the September ransomware attacks on the Las Vegas casino giants MGM Resorts, as well as Caesars International, who is rumored to have paid a $15 million ransom to keep operations running.

Source – https://cybernews.com/news/german-energy-agency-latest-claimed-by-alphv-blackcat-ransom-gang/

Nissan Restoring Systems After Cyberattack

Japanese car manufacturer Nissan has disclosed a cyberattack impacting the internal systems at Nissan Oceania. A regional division of the multinational carmaker, Nissan Oceania is responsible for the company’s operations in Australia and New Zealand.

Nissan Oceania disclosed the cyberattack in an incident notification on its regional websites, but did not share specific information on the type or extent of the breach, citing its ongoing investigation into the matter.

“The Australian and New Zealand Nissan Corporation and Financial Services advises that its systems have been subject to a cyber incident. Nissan is working with its global incident response team and relevant stakeholders to investigate the extent of the incident and whether any personal information has been accessed,” the carmaker said.

The company noted that the relevant authorities in Australia and New Zealand have been informed of the attack, encouraging customers to keep an eye out for any unusual or scam activities across their accounts. Nissan also said that it has been working on restoring the systems that were affected by the incident, which suggests that a ransomware attack might have forced it to take the systems offline.

Shutting systems down or disconnecting them from the network is the typical response to ransomware infections, as it helps contain the attack and may prevent broad file encryption.

Nissan also noted that, while its dealer systems would be impacted by the incident, local dealerships continue to operate, thus advising customers to contact local Nissan dealers directly to receive assistance. The company also promised to provide additional information on the attack as soon as details become available.

Nissan is the second Japanese automobile maker to disclose a cyberattack within the past month, after Yamaha Motors’ Philippines subsidiary fell victim to a ransomware attack in October.

Source – https://www.securityweek.com/nissan-restoring-systems-after-cyberattack/

Governments Spying on Apple, Google Users Through Push Notifications – US Senator

Unidentified governments are surveilling smartphone users via their apps’ push notifications, a US senator warned on Wednesday.

In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet’s Google and Apple. Although details were sparse, the letter lays out yet another path by which governments can track smartphones.

Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.

That gives the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said.

He asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying.

In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google said that it shared Wyden’s “commitment to keeping users informed about these requests.”

The Department of Justice did not return messages seeking comment on the push notification surveillance or whether it had prevented Apple or Google from talking about it.

Wyden’s letter cited a “tip” as the source of the information about the surveillance.

His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and US government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States.

The source said they did not know how long such information had been gathered in that way.

Most users give push notifications little thought, but they have occasionally attracted attention from technologists because of the difficulty of deploying them without sending data to Google or Apple.

Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the US tech giants via push notifications, calling them “a privacy nightmare.”

Source – https://cybernews.com/privacy/governments-spying-apple-google-push-notifications/

Hackers Breach US Government Agencies Running End-of-life Software

Malicious actors have hacked two governmental servers running end-of-life software. The US cybersecurity agency CISA warns that cybercriminals are exploiting a vulnerability in discontinued Adobe ColdFusion versions and urges users to upgrade.

The first incident happened as early as June 26th, when threat actors gained access to a public-facing web server running an Adobe ColdFusion version from 2016. The server belonged to an unnamed Federal Civilian Executive Branch agency.

The hackers used an IP address that resolved to a public cloud service provider, which could host a large volume of legitimate traffic.

After performing connectivity and software checks, the cybercrooks were observed traversing the filesystem, uploading various artifacts, deleting files, and running web shells. Malicious code was inserted with the intent to extract username, password, and data source uniform resource locators, according to CISA’s advisory.

The second incident took place on June 2nd, when unknown hackers attacked another server of an unnamed governmental body. The server was running the ColdFusion version from 2021.

Malicious actors exploited the same critical vulnerability, CVE-2023-26360, with a base score of 9.8 out of 10. Older ColdFusion versions have an improper access control vulnerability, which allows cybercrooks to run arbitrary code without user interaction.

Using a different IP address, the hackers collected information about administrative user accounts and performed reconnaissance, discovering network configuration, logs, and user information.

The threat actors also dropped at least eight malicious artifacts, including a remote access trojan, and maintained persistence for a while, periodically testing network connectivity. They also tried to exfiltrate registry files multiple times, but these malicious activities were detected and quarantined.

“Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers,” the Cybersecurity and Infrastructure Security Agency (CISA) noted.

Microsoft Defender for Endpoint alerted the agency’s pre-production environment about the potential Adobe ColdFusion vulnerability exploitation in both incidents.

The CISA encourages network defenders and critical infrastructure organizations to improve their cybersecurity posture and urges software manufacturers to incorporate secure-by-design and -default principles.

Those incidents could have been avoided if all software versions affected by the vulnerability had been upgraded. According to the CISA, internet-facing systems should be prioritized, and vulnerability scans should be automated or conducted continuously.

“Both servers were running outdated versions of software, which are vulnerable to various CVEs (Common vulnerabilities and exposures). Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” the CISA noted.
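CISA's note that malware was dropped through HTTP POST requests to the ColdFusion directory path points at a web-log check defenders can run. The following is an added example, not code from CISA or the affected agencies: it runs over constructed access-log lines, assumes /CFIDE/ (ColdFusion's real administrator directory) and /cf_scripts/ as the ColdFusion paths, and flags a client that POSTs to a ColdFusion path nobody has requested before and then calls that path back.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format), not from the CISA advisory.
# 203.0.113.10 shows the suspicious sequence; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jun/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.10 - - [26/Jun/2023:10:01:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 812
203.0.113.10 - - [26/Jun/2023:10:01:09 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 412
203.0.113.10 - - [26/Jun/2023:10:01:15 +0000] "POST /CFIDE/update.cfm HTTP/1.1" 200 0
203.0.113.10 - - [26/Jun/2023:10:01:20 +0000] "GET /CFIDE/update.cfm?x=1 HTTP/1.1" 200 77
198.51.100.7 - - [26/Jun/2023:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 5123
198.51.100.7 - - [26/Jun/2023:10:02:04 +0000] "POST /contact.cfm HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories served by the ColdFusion install itself. /CFIDE/ is ColdFusion's
# real administrator/script directory; /cf_scripts/ is included as an assumption.
CF_DIRS = ("/cfide/", "/cf_scripts/")
ADMIN_DIR = "/cfide/administrator/"


def parse_line(line):
    """Return a dict with ip, ts, method, target, status and a normalised path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    return rec


def analyze(log_text, admin_allowlist=frozenset()):
    """Map client IP -> list of findings for clients whose request sequence looks
    like writing a file under a ColdFusion directory and then calling it back."""
    findings = defaultdict(list)
    seen_paths = set()            # every path requested so far, by any client
    dropped = defaultdict(set)    # ip -> ColdFusion paths it POSTed to while unseen
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        ip, path, method = r["ip"], r["path"], r["method"]
        in_cf_dir = path.startswith(CF_DIRS)
        if in_cf_dir and method == "POST":
            if path.startswith(ADMIN_DIR):
                # Administrator POSTs are normal only from known admin hosts.
                if ip not in admin_allowlist:
                    findings[ip].append(f"POST to ColdFusion administrator: {path}")
            elif path not in seen_paths:
                # First request ever to this ColdFusion path is a POST: consistent
                # with the request creating the file rather than fetching it.
                findings[ip].append(f"POST to previously unseen ColdFusion path: {path}")
                dropped[ip].add(path)
        elif in_cf_dir and path in dropped[ip] and r["status"] == "200":
            # The same client now successfully requests the path it just dropped.
            findings[ip].append(f"callback to dropped file: {r['target']}")
        seen_paths.add(path)
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip)
        for h in hits:
            print("  -", h)
```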

Source – https://cybernews.com/security/hackers-attack-government-agencies-adobe-coldfusion/

“Sierra:21” Vulnerabilities Impact Critical Infrastructure Routers

A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks.

The flaws affect Sierra Wireless AirLink cellular routers and open-source components like TinyXML and OpenNDS (open Network Demarcation Service). AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity.

Various models are used in complex scenarios like passenger WiFi in transit systems, vehicle connectivity for emergency services, long-range gigabit connectivity to field operations, and various other performance-intensive tasks.

Sierra routers are found in government systems, emergency services, energy, transportation, water and wastewater facilities, manufacturing units, and healthcare organizations. Researchers discovered 21 new vulnerabilities in Sierra AirLink cellular routers and the TinyXML and OpenNDS components, which are part of other products, too.

Only one of the security issues has been rated critical, eight of them received a high severity score, and a dozen present a medium risk.

The most noteworthy vulnerabilities are summarized below:

  • CVE-2023-41101 (Remote Code Execution in OpenNDS – critical severity score of 9.6)
  • CVE-2023-38316 (Remote Code Execution in OpenNDS – high severity score of 8.8)
  • CVE-2023-40463 (Unauthorized Access in ALEOS – high severity score of 8.1)
  • CVE-2023-40464 (Unauthorized Access in ALEOS – high severity score of 8.1)
  • CVE-2023-40461 (Cross Site Scripting in ACEmanager – high severity score of 8.1)
  • CVE-2023-40458 (Denial of Service in ACEmanager – high severity score of 7.5)
  • CVE-2023-40459 (Denial of Service in ACEmanager – high severity score of 7.5)
  • CVE-2023-40462 (Denial of Service in ACEmanager related to TinyXML – high severity score of 7.5)
  • CVE-2023-40460 (Cross Site Scripting in ACEmanager – high severity score of 7.1)

For at least five of the above flaws, attackers do not require authentication to exploit them. For several others affecting OpenNDS, authentication is likely not required, as common attack scenarios involve clients attempting to connect to a network or service.

According to the researchers, an attacker could exploit some of the vulnerabilities “to take full control of an OT/IoT router in critical infrastructure.” The compromise could lead to network disruption, espionage, lateral movement to more important assets, and malware deployment.

“Apart from human attackers, these vulnerabilities can also be used by botnets for automatic propagation, communication with command-and-control servers, as well as performing DoS attacks,” the researchers explain.

After running a scan on Shodan search engine for internet-connected devices, researchers found over 86,000 AirLink routers exposed online in critical organizations engaged in power distribution, vehicle tracking, waste management, and national health services.

About 80% of the exposed systems are in the United States, followed by Canada, Australia, France, and Thailand. Of those, fewer than 8,600 have applied patches to vulnerabilities disclosed in 2019, and more than 22,000 are exposed to man-in-the-middle attacks due to using a default SSL certificate.

The recommended action for administrators is to upgrade to the ALEOS (AirLink Embedded Operating System) version 4.17.0, which addresses all flaws, or at least ALEOS 4.9.9, which contains all fixes except for those impacting OpenNDS captive portals that set a barrier between the public internet and a local area network.

Source – https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-impact-critical-infrastructure-routers/

Navy Contractor Austal USA Confirms Cyberattack After Data Leak

Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS) confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.

The company is based in Australia and specializes in high-performance aluminum vessels. Its American subsidiary, Austal USA, is under contract for multiple programs that include building Independence class littoral combat ships for the U.S. Navy, which are 127-meter-long vessels at a cost of $360 million per unit. Austal also has an active $3.3 billion contract for building 11 patrol cutters for the U.S. Coast Guard.

Earlier today, the Hunters International ransomware and data extortion group claimed to have breached Austal USA and leaked some information as proof of the intrusion.

Responding to a request for comment, a spokesperson for the company confirmed the attack and said that Austal USA acted quickly to mitigate the incident:

Austal USA recently discovered a data incident. We were able to quickly mitigate the incident resulting in no impact on operations.

Regulatory authorities, including the Federal Bureau of Investigation (FBI) and Naval Criminal Investigative Service (NCIS) were promptly informed and remain involved in investigating the cause of the situation and the extent of information that was accessed.

No personal or classified information was accessed or taken by the threat actor. We are working closely with the appropriate authorities and will continue to inform any stakeholders impacted by the incident as we learn new information.

Austal USA recognizes the seriousness of this event and the special responsibility we have as a DoD and DHS contractor. Our assessment is on-going as we seek to fully understand this incident so that we can prevent a similar occurrence.

Hunters International threatened to publish more data stolen from Austal’s systems in the following days, including compliance documents, recruiting information, finance details, certifications, and engineering data.

Austal USA did not share if the threat actor was able to access data about engineering schematics or other proprietary U.S. Navy technology.

Hunters International emerged recently as a ransomware-as-a-service (RaaS) operation and is believed to be a rebrand of the Hive ransomware gang, a theory based on overlaps in the malware code.

The group denied the allegations, though, saying that they are a new operation that purchased the encryptor source code from the defunct Hive. According to the threat actor, encryption is not the end goal of their attacks, as their focus is on stealing data and using it as leverage to extort victims into paying a ransom.

At the moment, the gang’s data leak site lists well over a dozen victims in different sectors and from various regions of the world.

Source – https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/

New Threat Actor ‘AeroBlade’ Targeted US Aerospace Firm in Espionage Campaign

Over the past year, a previously unknown threat actor has been observed launching cyberattacks against an aerospace organization in the United States. Dubbed AeroBlade, the adversary first targeted the organization in September 2022, as part of a ‘testing phase’, and then again in July 2023, with updated tools.

Apparently focused on cyberespionage, the two campaigns used lure documents named the same, delivered a reverse shell as the final payload, and used the same IP address for the command-and-control (C&C) server.

The second attack, however, was stealthier and employed additional evasion techniques, with the final payload including more capabilities.

In both attacks, the attack vector was a spear-phishing email carrying a malicious Word document. When opened, the document employed a remote template injection to fetch a second stage that executed an XML file to create a reverse shell.

The initial document would display a scrambled text to the intended victim, luring them into clicking the ‘Enable Content’ button to download the second stage and trigger the infection chain.

The second stage would display readable text to the victim, making them believe that the document was legitimate. However, it also ran a macro that executed a library from the first-stage document that acted as a reverse shell and connected to a hardcoded C&C.

A heavily obfuscated executable, the library can list all directories on the system, evade sandboxes and antivirus emulators, achieve persistence, and send information to a remote server.

Based on the content of the lure message, an aerospace company in the United States was the intended target for both campaigns. The development of this threat group’s toolkit indicates that the operator has been active for at least one year. Exactly who is behind these two campaigns remains unknown.

The purpose of the attacks is thought to be commercial cyberespionage, with the intent of gaining visibility into the victim’s internal network to weigh its susceptibility to a future ransom demand.

Source – https://www.securityweek.com/new-threat-actor-aeroblade-targeted-us-aerospace-firm-in-espionage-campaign/

Russia’s AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany

The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts.

These campaigns are designed to amplify content that undermines Ukraine, propagates anti-LGBTQ+ sentiment, and plays up U.S. military incompetence and Germany’s economic and social issues, according to a new report.

Doppelganger, described by Meta as the “largest and the most aggressively-persistent Russian-origin operation,” is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency.

Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives.

The latest campaigns are also characterized by the use of advanced obfuscation techniques, including “manipulating social media thumbnails and strategic first and second-stage website redirects to evade detection, and the likely use of generative artificial intelligence (AI) to create inauthentic news articles,” the cybersecurity firm said.

The findings demonstrate Doppelganger’s evolving tactics and throw light on the use of AI for information warfare and to produce scalable influence content.

The campaign targeting Ukraine is said to consist of more than 800 social media accounts, in addition to banking on first and second-stage domains to conceal the true destination. Some of these links also use the Keitaro Traffic Distribution System (TDS) to assess the overall success and effectiveness of the campaign.

One of the notable aspects of the U.S. and German campaigns is the use of inauthentic media outlets such as Election Watch, MyPride, Warfare Insider, Besuchszweck, Grenzezank, and Haüyne Scherben that publish malign content as original news and opinion outlets.

That said, the actual reach of the campaign has been found to be negligible, lacking any significant engagement and viewership from authentic social media users in the form of reshares, likes, and replies across the network.

It’s worth pointing out that Meta, in its quarterly Adversarial Threat Report published last week, said it also found a new cluster of websites linked to Doppelganger that are geared towards U.S. and European political affairs, such as migration and border security.

“Their latest web content appears to have been copy-pasted from mainstream U.S. news outlets and altered to question U.S. democracy and promote conspiratorial themes,” Meta said, highlighting Election Watch as one of the U.S.-focused sites.

“Soon after the Hamas terrorist attack in Israel [in October 2023], we saw these websites begin posting about the crisis in the Middle East as a proof of American decline; and at least one website claimed Ukraine supplied Hamas with weapons.”

Meta also said it took steps to disrupt three separate covert influence operations – two from China and one from Russia – during the third quarter of 2023 that leveraged fictitious personas and media brands to target audiences in India and the U.S., and share content about Russia’s invasion of Ukraine.

It, however, noted that proactive threat sharing by the federal government in the U.S. related to foreign election interference has been paused since July 2023, cutting off a key source of information that could be valuable to disrupt malicious foreign campaigns by sophisticated threat actors.

Source – https://thehackernews.com/2023/12/russias-ai-powered-disinformation.html

HTC Global Services Confirms Cyberattack After Data Leaked Online

IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data. HTC Global Services is a managed service provider offering technology and business services to the healthcare, automotive, manufacturing, and financial industries.

While HTC has not posted a statement to the company website, they issued a brief announcement last night on X confirming the attack.

“HTC has experienced a cybersecurity incident,” reads a tweet posted to HTC’s X account last night.

“Our team has been actively investigating and addressing the situation to ensure the security and integrity of user data.”

“We’ve enlisted cybersecurity experts and are working to resolve it. Your trust is our priority.”

This announcement comes after the ALPHV (BlackCat) ransomware gang listed HTC on their data leak site, along with screenshots of allegedly stolen data. The leaked data includes passports, contact lists, emails, and confidential documents allegedly stolen during the attack.

While little information about the attack on HTC is available, cybersecurity professional Kevin Beaumont believes the company was breached using the Citrix Bleed vulnerability. According to Beaumont, one of HTC’s business units, CareTech, operated a vulnerable Citrix Netscaler device, which was exploited for initial access to the company’s network.

The ALPHV/BlackCat ransomware operation launched in November 2021 and is believed to be a rebrand of the DarkSide and BlackMatter ransomware operations. As DarkSide, the group gained international attention after they breached Colonial Pipeline, leading to intense pressure from law enforcement agencies globally. After rebranding again as BlackMatter in July 2021, their operations abruptly ceased in November 2021 when authorities seized their servers, and security firm Emsisoft created a decryptor exploiting a ransomware vulnerability.

This ransomware operation is known for consistently targeting global enterprises and continuously adapting and refining their tactics, and has seen a surge in attacks recently. This evolution includes working with English-speaking threat actors, who utilize their encryptors and infrastructure to launch extortion attacks.

In a recent incident, a group of English-speaking affiliates tracked as Scattered Spider claimed responsibility for the attack on MGM Resorts, saying they encrypted over 100 ESXi hypervisors during the attack.

This week, one ALPHV affiliate claimed to have stolen data from Tipalti and said they have begun to extort impacted companies individually.

The ransomware operation has also recently attacked a publicly owned electricity provider and a hospital network, both classified as critical infrastructure in the United States. The attacks on critical infrastructure may once again be the tipping point that leads to increased scrutiny by US law enforcement.

Source – https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/

ICS at Multiple US Water Facilities Targeted by Hackers Affiliated With Iranian Government

The hackers behind recent cyberattacks targeting industrial control systems (ICS) at water facilities in the US are affiliated with the Iranian government, according to security agencies in the United States and Israel.

The FBI, CISA, the NSA, the EPA and Israel’s National Cyber Directorate on Friday published a joint advisory focusing on the threat actor responsible for the recent attack on the Municipal Water Authority of Aliquippa in Pennsylvania.

The hackers, calling themselves Cyber Av3ngers, compromised an ICS associated with a booster station that monitors and regulates water pressure, but the water facility said there was no risk to the water supply or drinking water. 

The threat actor targeted a Unitronics Vision series programmable logic controller (PLC) with an integrated human-machine interface (HMI).

Unitronics is an Israel-based company and its products are used not only in the water and wastewater systems sector, but also in industries such as energy, healthcare, and food and beverage manufacturing. In some cases, the PLCs may be rebranded and appear to have been made by other companies.

In the weeks prior to attacking the Aliquippa water utility, Cyber Av3ngers targeted ICS at water, energy, shipping, and distribution organizations in Israel. However, some of their claims turned out to be false.

Since the Israel-Hamas conflict escalated on October 7, they claimed to have breached the systems of many water treatment stations in Israel. In the case of the Aliquippa facility attack, they claimed to have targeted the PLC because it was made by an Israeli company.

While Cyber Av3ngers claims to be a hacktivist group, CISA, the FBI and the other agencies said it’s actually a persona used by cyber actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC). The Cyber Av3ngers persona, previously described as a pro-Iran threat group, has been used to target Israeli entities since 2020.

The agencies said IRGC-affiliated threat actors targeted multiple US water sector facilities that rely on Unitronics Vision PLCs since November 22. The victims were located in multiple states.

Unitronics PLCs have been known to be affected by critical vulnerabilities that could expose them to attacks. However, in the recent attacks, the devices were likely compromised because they were exposed to the internet on the default port and were protected by default passwords.

Once they compromised the devices, the hackers defaced their user interface, which could make the PLC inoperable.

“With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities,” the joint advisory reads.

A Shodan search shows that roughly 1,800 Unitronics PLCs located around the world are exposed to the internet, including a few hundred like the one targeted in the Aliquippa attack.

Regarding Cyber Av3ngers’ recent public statements, John Hultquist, chief analyst at Google Cloud’s Mandiant Intelligence, said the group has a long history of publicly exaggerating superficial intrusions, claiming significant access to critical infrastructure.

“Unfortunately, an insignificant hack against the right target, viewed without proper context, can be quite alarming. We have to be careful not to give these actors too much credit,” Hultquist said. “Even if they shut down the water at these sites, their goal would be the same. They are trying to undermine our sense of security. It doesn’t really matter whether they do that through expertise or exaggeration.”

The advisory released by the security agencies provides indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with Iranian cyber operations, as well as recommendations for defenders and device manufacturers.

Source – https://www.securityweek.com/ics-at-multiple-us-water-facilities-targeted-by-hackers-affiliated-with-iranian-government/

Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S.

Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon. The malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities.

Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it’s assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used.

The cluster is being tracked under the moniker CL-STA-0002. It’s currently not clear how these organizations were breached, and when the attacks took place.

Some of the other tools deployed by the adversary include a customized version of Mimikatz called Mimilite as well as a new utility called Ntospy, which utilizes a custom DLL module implementing a network provider to steal credentials to a remote server.

It’s worth pointing out a previously identified threat activity cluster known as CL-STA-0043 has also been linked to the use of Ntospy, with the adversary also targeting two organizations that have been targeted by CL-STA-0002.

Agent Racoon, executed by means of scheduled tasks, allows for command execution, file uploading, and file downloading, while disguising itself as Google Update and Microsoft OneDrive Updater binaries.

The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.

Evidence of successful data exfiltration from Microsoft Exchange Server environments was also discovered, resulting in the theft of emails matching different search criteria. The threat actor has also been found to harvest victims’ Roaming Profile.
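Agent Racoon’s use of DNS as a covert channel is the kind of behaviour that surfaces in resolver logs as many unique, high-entropy subdomains under a single domain. The following is an added example, not code from the report or its analysts: it runs over a constructed query log, uses a naive last-two-labels split where a real deployment would consult the public suffix list, and scores each base domain on unique-subdomain count, label entropy, label length and TXT/NULL query share.

```python
import math
from collections import defaultdict

# Constructed resolver log lines "time client qname qtype", not from the report.
# example.net stands in for the backdoor's DNS channel; the rest is ordinary traffic.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.7 cdn.example.com A
10:00:04 10.0.0.7 login.microsoftonline.com A
10:00:05 10.0.0.7 abcd1234.cdn-example.org A
10:00:06 10.0.0.7 abcd1234.cdn-example.org AAAA
10:00:10 10.0.0.9 3a7f9c1e2b4d5068.example.net TXT
10:00:11 10.0.0.9 8e21c0ffee55a3b7.example.net TXT
10:00:12 10.0.0.9 4d9b1e7a2c6f0835.example.net TXT
10:00:13 10.0.0.9 b2e6a19f7c3d4058.example.net TXT
10:00:14 10.0.0.9 6f0c3a9e1d7b2845.example.net TXT
10:00:15 10.0.0.9 91e4c7a2f6b3d058.example.net TXT
10:00:16 10.0.0.9 c5a8e2f1b9d6a374.example.net TXT
10:00:17 10.0.0.9 7b3e9f2c1a6d4058.example.net TXT
10:00:18 10.0.0.9 2f8a1c4e9b7d3650.example.net TXT
10:00:19 10.0.0.9 e7c2a9f4b1d6a083.example.net TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Split a query name into (subdomain or None, base domain).
    Naive last-two-labels rule; a real deployment should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile(log_text):
    """Aggregate per-base-domain features from the log."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(),
                                 "ent_sum": 0.0, "len_sum": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, _, qname, qtype = parts
        sub, base = split_domain(qname)
        s = stats[base]
        s["queries"] += 1
        if qtype in ("TXT", "NULL"):       # record types that carry bulk data
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            s["ent_sum"] += shannon_entropy(sub)
            s["len_sum"] += len(sub)
    return stats


def detect(log_text, min_subs=8, min_entropy=3.0, min_len=12, min_txt_ratio=0.5):
    """Return {base_domain: features} for domains whose query pattern looks like
    data carried in labels: many unique, long, high-entropy subdomains, or a
    high share of TXT/NULL queries. The unique-subdomain floor keeps a single
    random-looking CDN hostname from being flagged on its own."""
    flagged = {}
    for base, s in profile(log_text).items():
        n = s["queries"]
        feats = {
            "queries": n,
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": round(s["ent_sum"] / n, 2),
            "mean_label_len": round(s["len_sum"] / n, 1),
            "txt_ratio": round(s["txt"] / n, 2),
        }
        many_random = (feats["unique_subdomains"] >= min_subs
                       and feats["mean_entropy"] >= min_entropy)
        bulky = feats["mean_label_len"] >= min_len or feats["txt_ratio"] >= min_txt_ratio
        if many_random and bulky:
            flagged[base] = feats
    return flagged


if __name__ == "__main__":
    for base, feats in detect(SAMPLE_DNS_LOG).items():
        print(base, feats)
```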

Source – https://thehackernews.com/2023/12/agent-racoon-backdoor-targets.html

Smarttech247

    Copyright Smarttech247 - 2021