Friday, March 10th, 2023
Cybersecurity Week in Review (10/03/23)
North Korean UNC2970 Hackers Expand Operations with New Malware Families
A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organisations since June 2022.
The threat cluster shares multiple overlaps with a long-running operation dubbed “Dream Job” that employs job recruitment lures in email messages to trigger the infection sequence.
UNC2970 is the new moniker designated to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test.
TEMP.Hermit is one of the primary hacking units associated with North Korea’s Reconnaissance General Bureau (RGB), alongside Andariel and APT38 (aka BlueNoroff). All three actor sets are collectively referred to as the Lazarus Group (aka Hidden Cobra or Zinc). TEMP.Hermit has been active since at least 2013, and its operations since then are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests.
The latest set of UNC2970 attacks is characterised by initially approaching users directly on LinkedIn using well-designed and professionally curated fake accounts posing as recruiters. The conversation is subsequently shifted to WhatsApp, after which a phishing payload is delivered to the target under the guise of a job description.
In some instances, these attack chains have been observed to deploy trojanised versions of TightVNC (named LIDSHIFT), which is engineered to load a next-stage payload labeled as LIDSHOT that’s capable of downloading and executing shellcode from a remote server.
Establishing a foothold within compromised environments is achieved by means of a C++-based backdoor known as PLANKWALK that then paves the way for the distribution of additional tooling such as –
- TOUCHSHIFT – A malware dropper that loads follow-on malware ranging from keyloggers and screenshot utilities to full-featured backdoors
- TOUCHSHOT – A utility configured to take a screenshot every three seconds
- TOUCHKEY – A keylogger that captures keystrokes and clipboard data
- HOOKSHOT – A tunneling tool that connects over TCP to communicate with the command-and-control (C2) server
- TOUCHMOVE – A loader that’s designed to decrypt and execute a payload on the machine
- SIDESHOW – A C/C++ backdoor that runs arbitrary commands and communicates via HTTP POST requests with its C2 server
UNC2970 is also said to have leveraged Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates via HTTP.
In what’s a continuing use of the Bring Your Own Vulnerable Driver (BYOVD) technique by North Korea-aligned actors, the intrusions further employ an in-memory-only dropper called LIGHTSHIFT that facilitates the distribution of another piece of malware codenamed LIGHTSHOW.
The utility, besides taking steps to hinder dynamic and static analysis, drops a legitimate version of a driver with known vulnerabilities to perform read and write operations to kernel memory and ultimately disarm security software installed on the infected host.
Source – https://thehackernews.com/2023/03/north-korean-unc2970-hackers-expands.html
Iranian Hackers Target Women Involved in Human Rights and Middle East Politics
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. Notably, the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region.
The activity was attributed to a hacking group tracked as Cobalt Illusion, which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The targeting of academics, activists, diplomats, journalists, politicians, and researchers by the threat actor has been well-documented over the years.
The group is suspected to be operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the government. It is common for Cobalt Illusion to interact with its targets multiple times over different messaging platforms. The threat actors first send benign links and documents to build rapport. They then send a malicious link or document to phish credentials for systems that Cobalt Illusion seeks to access.
Chief among its tactics is leveraging credential harvesting to gain control of victims’ mailboxes, as well as employing custom tools like HYPERSCRAPE (aka EmailDownloader) to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts using the stolen passwords. Another bespoke malware linked to the group is a C++-based Telegram “grabber” tool that facilitates large-scale data harvesting from Telegram accounts after obtaining the target’s credentials.
The latest activity involves the adversary passing itself off as an employee of the Atlantic Council, a U.S.-based think tank, and reaching out to political affairs and human rights researchers under the pretext of contributing to a report.
To make the ruse convincing, the social media accounts associated with the fraudulent “Sara Shokouhi” persona (@SaShokouhi on Twitter and @sarashokouhii on Instagram) claimed to have a PhD in Middle East politics.
What’s more, the profile photos in these accounts are said to have been taken from an Instagram account belonging to a psychologist and tarot card reader based in Russia.
It’s not immediately clear if the effort resulted in any successful phishing attacks. The Twitter account, created in October 2022, remains active to date as is the Instagram account.
Source – https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. These latest attacks mark the continued abuse of the flaws to deliver a variety of payloads on compromised systems.
This includes the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The modular malware has been extensively put to use by threat actors based in China, with new features continuously added to help perform system control and information theft.
In the attacks, successful exploitation of the flaws is followed by the execution of a PowerShell command that retrieves an executable and a DLL file from a remote server. This executable is a legitimate HTTP Server Service from cybersecurity company ESET, which is used to load the DLL file by means of a technique called DLL side-loading and ultimately run the PlugX payload in memory.
The backdoor is also notable for its ability to start arbitrary services, download and execute files from an external source, and drop plugins that can harvest data and propagate using Remote Desktop Protocol (RDP).
Source – https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html
AT&T alerts 9 million customers of data breach after vendor hack
AT&T is notifying roughly 9 million customers that some of their information was exposed after a marketing vendor was hacked in January. Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan. The information did not contain credit card information, Social Security Numbers, account passwords, or other sensitive personal information.
While the data breach notification does not share the number of impacted customers, AT&T stated that “approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed.”
Exposed CPNI data includes customer first names, wireless account numbers, wireless phone numbers, and email addresses. A small percentage of impacted customers also had exposure of rate plan name, past due amount, monthly payment amount, various monthly charges and/or minutes used. The information was several years old.
The company added that its systems were not compromised in the vendor security incident and that the exposed data is mostly associated with device upgrade eligibility. Customers are advised to opt out of CPNI data sharing on their accounts by submitting a CPNI Restriction Request, which reduces the exposure risk should AT&T share the data with third-party vendors for marketing purposes in the future.
Source – https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/
FBI investigates data breach impacting U.S. House members and staff
The FBI is investigating a data breach affecting U.S. House of Representatives members and staff after their account and sensitive personal information was stolen from DC Health Link’s servers.
DC Health Link is the organisation that administers the health care plans of U.S. House members, their staff, and their families. Impacted individuals were notified today of the breach in an email from Catherine L. Szpindor, the U.S. House Chief Administrative Officer.
“DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through the D.C. Health Link, your data may have been compromised,” Szpindor said.
“Currently, I do not know the size and scope of the breach but have been informed by the Federal Bureau of Investigation (FBI) that account information and PII of hundreds of Member and House staff were stolen.
“It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific target of the attack.”
While the email sent by House CAO Szpindor doesn’t have any details regarding the stolen data, at least one threat actor (known as IntelBroker) is selling the U.S. House members’ information stolen from DC Health Link’s servers on a hacking forum. A sample of stolen data with the database header shows it contains the information of roughly 170,000 affected individuals, including their names, dates of birth, addresses, email addresses, phone numbers, Social Security Numbers, and much more.
The data was posted for sale on Monday, March 6, and IntelBroker claims it was stolen after breaching the DC.gov Health Benefit Exchange Authority.
“I am looking for an undisclosed amount in XMR cryptocurrency. Contact me on keybase @ IntelBroker. Middleman only,” the threat actor says.
The threat actor also claims that the stolen information has already been sold to at least one buyer.
Source – https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/
Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity
The North Korea-linked Lazarus Group has been observed weaponising flaws in undisclosed software to breach a financial business entity in South Korea twice within the span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that’s widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.
The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the anti-malware engine was disabled via a BYOVD attack. It’s worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been repeatedly employed by the Lazarus Group in recent months.
Other steps taken to conceal its malicious behaviour include changing file names before deleting them and modifying timestamps using an anti-forensic technique referred to as timestomping. The attack ultimately paved the way for multiple backdoor payloads (Keys.dat and Settings.vwx) that are designed to connect to a remote command-and-control (C2) server, retrieve additional binaries and execute them in a fileless manner.
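Timestomping of the kind mentioned above leaves traces in the NTFS master file table, because a user-mode tool can rewrite the $STANDARD_INFORMATION ($SI) timestamps but not the $FILE_NAME ($FN) ones. The following is an added example (not code from the article or from any vendor it cites) that checks flattened, constructed MFT records for two classic indicators: $SI created older than $FN created, and zero sub-second parts on every API-settable $SI field.

```python
"""Spot timestomped files by comparing NTFS $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) timestamps in flattened MFT records.

Added example, not code from the article or from any vendor. The records are
constructed. $FN is rewritten only by the kernel on create/rename and is not
reachable through SetFileTime, so a backdated $SI ends up older than it; and
common timestomping utilities write whole seconds, leaving zero sub-seconds.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"
KEYS = ("created", "modified", "mft_modified", "accessed")
# $MFT entry modified cannot be set through SetFileTime, so only these three
# are checked for the zero sub-second pattern.
API_SETTABLE = ("created", "modified", "accessed")


def ts(text):
    return datetime.strptime(text, FMT)


def record(name, si_times, fn_times):
    """Flattened MFT record from four $SI and four $FN timestamp strings."""
    return {"name": name,
            "si": dict(zip(KEYS, map(ts, si_times))),
            "fn": dict(zip(KEYS, map(ts, fn_times)))}


def timestomp_indicators(rec):
    si, fn = rec["si"], rec["fn"]
    reasons = []
    if si["created"] < fn["created"]:
        reasons.append("$SI created predates $FN created")
    # Requiring all three avoids false positives from ZIP extraction, which
    # copies a 2-second-granularity modified time but sets a fresh created time.
    if all(si[k].microsecond == 0 for k in API_SETTABLE):
        reasons.append("all API-settable $SI timestamps have a zero sub-second part")
    return reasons


def scan(records):
    """Map file name -> indicator list for every record showing at least one."""
    return {r["name"]: timestomp_indicators(r)
            for r in records if timestomp_indicators(r)}


# Constructed records. The first mimics a dropped payload whose $SI times were
# pushed back to 2019 after it was written in October 2022.
SAMPLE_MFT = [
    record("Keys.dat",
           ("2019-03-11 08:15:00.000000", "2019-03-11 08:15:00.000000",
            "2022-10-14 02:11:07.123456", "2019-03-11 08:15:00.000000"),
           ("2022-10-14 02:11:07.113456",) * 4),
    record("app.log",  # untouched file: $SI and $FN created agree, sub-seconds present
           ("2022-09-01 10:00:00.250100", "2022-10-13 17:45:12.908811",
            "2022-10-13 17:45:12.908811", "2022-10-13 17:45:12.908811"),
           ("2022-09-01 10:00:00.250100",) * 4),
    record("copied.txt",  # plain copy: modified older than created is normal
           ("2022-10-14 03:00:00.111111", "2021-01-01 12:00:00.222222",
            "2022-10-14 03:00:00.111111", "2022-10-14 03:00:00.111111"),
           ("2022-10-14 03:00:00.111111",) * 4),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_MFT).items():
        print(name, "->", "; ".join(reasons))
```

On a real image the records would come from an MFT parser's output rather than being built by hand; the two checks stay the same.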
The development comes a week after ESET shed light on a new implant called WinorDLL64 that’s deployed by the notorious threat actor by means of a malware loader named Wslink.
Source – https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html
Acer Confirms Breach After Hacker Offers to Sell Stolen Data
Electronics giant Acer has confirmed getting hacked after a hacker offered to sell 160 GB of files allegedly stolen from the company’s systems.
“We have recently detected an incident of unauthorised access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server,” Acer said in an emailed statement.
Acer issued the statement after a hacker announced on a popular cybercrime forum that he is selling more than 2,800 files totaling 160 GB for an unspecified amount of Monero cryptocurrency. The cybercriminal claims the files include confidential slides, staff manuals, confidential product documentation, binary files, information on backend infrastructure, disk images, replacement digital product keys, and BIOS-related information.
The hacker, who has a good reputation on the forum where the data was offered for sale, claimed the data was stolen in mid-February.
This is not the first time Acer has confirmed a data breach. In October 2021, the tech giant admitted that servers in India and Taiwan were hacked after a group claimed to have stolen more than 60 GB of data from the company’s systems.
Source – https://www.securityweek.com/acer-confirms-breach-after-hacker-offers-to-sell-stolen-data/
New malware variant has “radio silence” mode to evade detection
The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework. The particular malware was previously seen in espionage campaigns targeting critical Southeast Asian organisations, attributed to various Chinese APTs.
A new campaign was identified using the malware that started in late 2022 and continues through 2023, employing spear-phishing attacks for initial compromise. The use of the RoyalRoad RTF kit, C2 server addresses, and the hacker’s working hours allowed the latest espionage operation to be attributed to state-backed Chinese hackers. The TTPs and tools are consistent with previously seen activities by Sharp Panda.
The new Sharp Panda campaign uses spear-phishing emails with malicious DOCX file attachments that deploy the RoyalRoad RTF kit to attempt to exploit older vulnerabilities to drop malware on the host. In this case, the exploit creates a scheduled task and then drops and executes a DLL malware downloader, which in turn fetches and executes a second DLL from the C2 server, the SoulSearcher loader. This second DLL creates a registry key with a value that contains the final compressed payload and then decrypts and loads the Soul modular backdoor into memory, helping it evade detection from antivirus tools running on the breached system.
Upon execution, the main module of the Soul malware establishes a connection with the C2 and waits for additional modules that will extend its functionality. The new version features a “radio silence” mode that allows the threat actors to specify the hours of the week during which the backdoor should not communicate with the command and control server, likely to evade detection during the victim’s working hours.
Moreover, the new variant implements a custom C2 communication protocol that uses various HTTP request methods, including GET, POST, and DELETE. Support for multiple HTTP methods gives the malware flexibility, as GET is used for retrieving data, POST for submitting data. Soul’s communication with the C2 begins by registering itself and sending victim fingerprinting data (hardware details, OS type, time zone, IP address), after which it enters an infinite C2 contacting loop. The commands it may receive during these communications concern loading additional modules, collecting and resending enumeration data, restarting the C2 communication, or exiting its process.
The Soul framework was first seen in the wild in 2017 and subsequently tracked throughout 2019 in Chinese espionage campaigns conducted by threat actors with no obvious links to Sharp Panda.
Source – https://www.bleepingcomputer.com/news/security/new-malware-variant-has-radio-silence-mode-to-evade-detection/
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms
A new information stealer dubbed SYS01stealer has been discovered targeting critical government infrastructure employees, manufacturing companies, and other sectors since November 2022. The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software to lure victims into downloading a malicious file.
The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information. The campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail. The two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.
The attack chain commences when a victim is lured into clicking a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content. Opening the ZIP file launches a loader – typically a legitimate C# application – that’s vulnerable to DLL side-loading, making it possible to load a malicious dynamic link library (DLL) file alongside the app.
Some of the applications abused to side-load the rogue DLL are Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.
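Both the PlugX campaign (a legitimate ESET HTTP server binary loading a rogue DLL) and SYS01stealer (vendor installers such as WDSyncService.exe and ElevatedInstaller.exe) rely on DLL side-loading, and the pattern is visible in Sysmon Event ID 7 (Image loaded) telemetry. Below is an added example, not code from the article or from any vendor it names, that applies a simple side-loading heuristic to constructed records; the paths, the helper DLL name and the publisher strings are illustrative, and SYSTEM_DLL_NAMES stands in for a listing of the real System32 directory.

```python
"""Flag likely DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the article or from any vendor it names. The
records below are constructed. Heuristic: a DLL loaded from outside the OS
directories that either sits in the host executable's own user-writable
directory or reuses the name of a System32 DLL, and is not validly signed.
"""
import ntpath

# Lower-case path prefixes a standard user can normally write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Directories from which operating-system DLLs are expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed stand-in for "names that also exist in System32"; on a real host
# build this from os.listdir(r"C:\Windows\System32").
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll"}


def under(path, prefixes):
    return path.lower().startswith(prefixes)


def same_dir(a, b):
    return ntpath.dirname(a.lower()) == ntpath.dirname(b.lower())


def assess(ev):
    """Return the reasons one Event ID 7 record looks like side-loading ([] if clean)."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll") or under(dll, SYSTEM_DIRS):
        return []
    reasons = []
    if same_dir(image, dll) and under(dll, USER_WRITABLE):
        reasons.append("loaded from the host exe's own user-writable directory")
    if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES:
        reasons.append("reuses a System32 DLL name but was loaded from elsewhere")
    validly_signed = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    if reasons and not validly_signed:
        reasons.append("unsigned or signature not valid")
    # A validly signed vendor DLL beside its own installer is normal, so one
    # indicator alone is not enough to alert.
    return reasons if len(reasons) >= 2 else []


def suspicious_loads(events):
    """Return (ImageLoaded, reasons) for every record that trips the heuristic."""
    return [(ev["ImageLoaded"], assess(ev)) for ev in events if assess(ev)]


# Constructed records mirroring the Sysmon fields Image, ImageLoaded, Signed,
# SignatureStatus and Signature; the paths and values are illustrative.
SAMPLE_EVENTS = [
    {   # vendor binary extracted from a ZIP in Downloads pulling in an unsigned DLL
        "Image": r"C:\Users\alice\Downloads\setup\WDSyncService.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\setup\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {   # ordinary OS DLL load from System32
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {   # installer loading its own validly signed helper DLL (should not alert)
        "Image": r"C:\Users\alice\Downloads\ElevatedInstaller.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\installhelper.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor"},
]

if __name__ == "__main__":
    for dll, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

In production the signer of the DLL should also be compared with the signer of the host executable (available from the matching Event ID 1 record), since a DLL validly signed by a different publisher is still a side-loading candidate.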
Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware. The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim’s Facebook information to a remote server, and download and run arbitrary files.
It’s also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.
Source – https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.html
Royal Ransomware Made Up to $11 Million USD Using Custom-Made Encryption Malware
The collaborative efforts of the FBI and CISA have resulted in the creation and distribution of a comprehensive Cybersecurity Advisory (CSA) revealing that the threat actors behind the Royal ransomware made up to $11 million in cryptocurrency. This advisory has been designed to share crucial information on the Royal ransomware threat and its associated IOCs and TTPs.
The FBI’s dedicated threat response activities have identified these IOCs and TTPs recently in January 2023, and the CSA aims to share this information to help organisations protect themselves against this malicious threat.
A new variant of Royal ransomware has been used by cybercriminals to breach the security of both US-based and foreign organisations since around September 2022. The FBI and CISA believe that the custom-built file encryption program utilised by a particular ransomware variant is an evolved version of previous iterations that employed a loader known as “Zeon.”
The modus operandi of the Royal ransomware involves disabling the antivirus software of targeted organisations after breaching their network security. As a result, considerable amounts of data are exfiltrated by attackers prior to the final deployment of the ransomware and encryption of the computers that are affected.
The operators of the Royal ransomware have demanded payment of a ransom in Bitcoin from their victims. These ransom demands have varied between roughly $1 million and $11 million USD, depending on the targeted organisation’s size and level of sensitivity of the stolen data. Based on recorded incidents, it has been observed that the perpetrators behind the Royal ransomware do not provide ransom amounts and payment details in their initial ransom notes. Instead, they engage in direct negotiations with the victims through a .onion URL after gaining their attention via the ransom note.
The Royal ransomware has specifically aimed at compromising a broad range of critical infrastructure sectors, which include manufacturing, communications, healthcare and education.
Aside from the primary function of encrypting data, the individuals behind the Royal ransomware have also employed double extortion tactics. The Royal ransomware operators employ multiple techniques to gain initial access to their target networks, including phishing, Remote Desktop Protocol (RDP), public-facing applications and brokers.
After successfully breaching a target network, the perpetrators establish communication with their C2 infrastructure. Subsequently, they download several tools to execute their attack strategy on the compromised systems. The attackers have repurposed valid Windows software to their advantage in strengthening their foothold in the targeted network. They utilise this technique to evade detection by security protocols and to facilitate a further compromise of the victim’s network.
Recent observations have indicated that the perpetrators of the Royal ransomware have begun to use Chisel as a means of communicating with their command and control (C2) infrastructure. The Royal ransomware operators have employed several command-and-control (C2) servers that have previously been linked to Qakbot malware in their attacks. However, it is not yet clear if the Royal ransomware exclusively relies on the Qakbot infrastructure for its operations.
To further the compromise, the threat actors move laterally across the network with the help of RDP or RMM tools like AnyDesk, LogMeIn, and Atera. They then use pen-testing and malware tools such as Cobalt Strike, PsExec, Ursnif, and Gozi to exfiltrate data from victim networks; Cobalt Strike in particular is repurposed for aggregating and exfiltrating data.
During the month of January 2023, the Royal ransomware was reportedly associated with 19 attacks, placing it behind other ransomware families such as LockBit, ALPHV and Vice Society. Recent reports indicate that Royal ransomware has advanced its capabilities and can now target both Windows and Linux environments. This suggests that the attackers are adapting and evolving their tactics to expand the scope of their attacks.
Source – https://cybersecuritynews.com/royal-ransomware/