Thursday, May 11th, 2023
Cybersecurity Week in Review (12/05/2023)
Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
U.S. cybersecurity and intelligence agencies have warned of attacks by a threat actor known as the Bl00dy Ransomware Gang that exploit vulnerable PaperCut servers to target the education facilities sector in the country.
The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.
“The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the agencies said.
“Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”
CVE-2023-27350 is a now-patched critical security flaw affecting some versions of PaperCut MF and NG that enables a remote, unauthenticated actor to bypass authentication and execute arbitrary code on affected installations.
Malicious exploitation of the vulnerability has been observed since mid-April 2023, with attacks primarily weaponising it to deploy legitimate remote monitoring and management (RMM) software and then using that tool to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on compromised systems.
The disclosure comes as new activity was uncovered targeting an unnamed education sector customer that involved the exploitation of CVE-2023-27350 to drop an XMRig cryptocurrency miner.
Attacks against PaperCut print management servers have also been deployed by Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus), Microsoft revealed last week.
Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.
The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment.
Andoryu was first documented earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol.
While the malware is known to weaponise remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet.
Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation. The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP.
The cost of mounting such attacks is advertised via a listing on the seller’s Telegram channel, with monthly plans ranging from $90 to $115 depending on the attack duration.
The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to profit off compromised Intel x64 systems by dropping a Monero crypto miner. RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
The latest iteration of the RapperBot miner activity was detected in January 2023, with the attacks delivering a Bash shell script that, in turn, is capable of downloading and executing separate XMRig crypto miners and RapperBot binaries. Subsequent updates to the malware have merged the two disparate functions into a single bot client with mining capabilities, while also taking steps to terminate competing miner processes.
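The credential brute-forcing described above leaves a recognisable trace in sshd logs. The following Python script is an added example (not part of the original article or of any vendor's tooling) that flags a source IP exceeding a threshold of failed logins inside a sliding time window and records whether a successful login from the same IP followed, which is the point at which the host has joined the botnet. The log lines, hostname, IPs, thresholds and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to auth.log (not a real capture).
SAMPLE_LOG = """\
May 12 10:00:01 iot-gw sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 12 10:00:02 iot-gw sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
May 12 10:00:02 iot-gw sshd[1205]: Failed password for invalid user support from 198.51.100.7 port 40138 ssh2
May 12 10:00:03 iot-gw sshd[1207]: Failed password for root from 198.51.100.7 port 40144 ssh2
May 12 10:00:04 iot-gw sshd[1209]: Failed password for root from 198.51.100.7 port 40150 ssh2
May 12 10:00:05 iot-gw sshd[1211]: Accepted password for root from 198.51.100.7 port 40158 ssh2
May 12 10:03:00 iot-gw sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
May 12 10:09:00 iot-gw sshd[1310]: Accepted publickey for alice from 203.0.113.9 port 51008 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(lines, year=2023):
    """Yield (timestamp, result, user, ip) per sshd auth line. Syslog lines
    carry no year, so one is assumed (constructed data: 2023)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: info} for every source IP with at least `threshold` failed
    logins inside any `window_s`-second window. info records the first failure
    in the window, the usernames tried, and the user of any later successful
    login from that IP (None if the brute force did not succeed)."""
    fails = defaultdict(deque)   # ip -> deque of (timestamp, user) within the window
    flagged = {}
    for ts, result, user, ip in parse_events(lines):
        if result == "Failed":
            q = fails[ip]
            q.append((ts, user))
            while q and (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "first_seen": q[0][0],
                    "users": sorted({u for _, u in q}),
                    "success_after": None,
                }
        elif result == "Accepted" and ip in flagged:
            flagged[ip]["success_after"] = user
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The threshold and window need tuning per environment; the lonely failure from 203.0.113.9 is below threshold and is not reported, while the five rapid failures followed by an accepted password for root is exactly the weak-credential pattern RapperBot relies on.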
The twin developments also come as the U.S. Justice Department announced the seizure of 13 internet domains associated with DDoS-for-hire services.
North Korean hackers breached major hospital in Seoul to steal data
The Korean National Police Agency (KNPA) warned that North Korean hackers had breached the network of one of the country’s largest hospitals, Seoul National University Hospital (SNUH), to steal sensitive medical information and personal details. The incident occurred between May and June 2021, and the police conducted an analytical investigation during the past two years to identify the perpetrators.
According to the law enforcement agency’s press release, the attack was attributed to North Korean hackers based on the following information:
- the intrusion techniques observed in the attacks,
- the IP addresses that have been independently linked to North Korean threat actors,
- the website registration details,
- the use of specific language and North Korean vocabulary
Local media in South Korea linked the attack to the Kimsuky hacking group, but the police’s report does not explicitly mention the particular threat group.
The attackers used seven servers in South Korea and other countries to launch the attack on the hospital’s internal network. The police said the incident resulted in data exposure for 831,000 individuals, most of whom were patients. Also, 17,000 of the impacted people are current and former hospital employees.
The KNPA press release cautioned that North Korean hackers might try to infiltrate information and communication networks across various industries. It emphasised the need for enhanced security measures and procedures, such as implementing security patches, managing system access, and encrypting sensitive data.
North Korean hackers have been previously linked to hospital network intrusions aiming to steal sensitive data and extort a ransom payment from healthcare organisations. More specifically, the U.S. government has highlighted the Maui ransomware threat as such, warning the healthcare sector that they need to raise their defenses against the North Korean operation.
Sophisticated DownEx Malware Campaign Targeting Central Asian Governments
Government organisations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx with evidence likely pointing to the involvement of Russia-based threat actors.
The malware was first detected in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.
The use of a diplomat-themed lure document and the campaign’s focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.
The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file. Opening the attachment leads to the extraction of two files, including a decoy document that’s displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background. The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not yet known, it’s said to be a backdoor to establish persistence.
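The loader in this chain works because an executable carrying a Word icon and a document-like name passes a casual glance. The Python below is an added example (not the article's or any vendor's code) of a mail-gateway style check that compares an attachment's declared extension with its actual content, looks for stacked extensions such as .docx.exe, and confirms a PE header rather than trusting the MZ prefix alone. The sample files are constructed byte strings, not DownEx artifacts.

```python
import struct

# Magic bytes for the document formats that commonly serve as lures.
MAGIC = [
    (b"PK\x03\x04", "zip"),                        # OOXML .docx/.xlsx/.pptx are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE2 / CFB)
    (b"{\\rtf", "rtf"),
    (b"%PDF", "pdf"),
]
# What a given extension should contain.
EXPECTED = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "doc": "ole", "xls": "ole",
            "rtf": "rtf", "pdf": "pdf", "exe": "exe", "dll": "exe", "scr": "exe"}
DANGEROUS_EXTS = {"exe", "scr", "dll", "hta", "js", "vbs", "vbe", "bat", "cmd", "lnk"}


def sniff(data):
    """Classify content by magic bytes. An MZ prefix only counts as an
    executable if e_lfanew points at a real 'PE\\0\\0' signature."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        off = struct.unpack_from("<I", data, 0x3C)[0]
        return "exe" if data[off:off + 4] == b"PE\x00\x00" else "unknown"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename, data):
    """Return a list of findings for an attachment; empty means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    exts = parts[1:]
    ext = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in EXPECTED and ext in DANGEROUS_EXTS:
        findings.append(f"double extension .{exts[-2]}.{ext}")
    if "\u202e" in filename:                       # right-to-left override hides the true extension
        findings.append("RTLO character in name")
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"content is {kind}, not {expected} as .{ext} implies")
    if kind == "exe" and expected is None and ext not in DANGEROUS_EXTS:
        findings.append("PE executable with non-executable extension")
    return findings


def build_fake_pe():
    """Constructed stand-in for an executable: DOS header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)
    hdr += struct.pack("<I", 0x40)
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)


# Constructed samples: a masquerading loader, the same payload with a stacked
# extension, a genuine OOXML document, and an RTF delivered as a ".pdf".
SAMPLES = {
    "Diplomatic_note.docx": build_fake_pe(),
    "Diplomatic_note.docx.exe": build_fake_pe(),
    "agenda.docx": b"PK\x03\x04" + b"\x00" * 32,
    "briefing.pdf": b"{\\rtf1\\ansi constructed}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, assess(name, blob))
```

The content check is what catches the DownEx-style loader: the name says Word document, the bytes say PE. The decoy document the loader drops afterwards is a real document and would pass this check, which is why the attachment itself is the right place to look.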
The attacks are also notable for employing a variety of custom tools for carrying out post-exploitation activities. This includes –
- Two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network,
- A Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots, and
- A C++-based malware (diagsvc.exe aka DownEx) that’s chiefly designed to exfiltrate files to the C2 server
Two other variants of DownEx have also been unearthed, the first of which executes an intermediate VBScript to harvest and transmit the files in the form of a ZIP archive. The other version, which is downloaded via a VBE script (slmgr.vbe) from a remote server, eschews C++ for VBScript but retains the same functionality as the former.
Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt
Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company’s SharePoint cloud service and contract management system.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”
After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that were usually only available to customers.
During the 16 hours they had access to the employee’s account, the threat actors also failed to access multiple Dragos systems—including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems—due to role-based access control (RBAC) rules.
After failing to breach the company’s internal network, they sent an extortion email to Dragos executives 11 hours into the attack. The message was read 5 hours later because it was sent outside business hours. Five minutes after reading the extortion message, Dragos disabled the compromised user account, revoked all active sessions, and blocked the cybercriminals’ infrastructure from accessing company resources.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
The cybercrime group also attempted to extort the company by threatening to publicly disclose the incident in messages sent via public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.
One of the IP addresses listed in the IOCs (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems. SystemBC has been used by numerous ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, making it hard to pinpoint what threat actor is behind the attack.
New Ransomware Strain ‘CACTUS’ Exploits VPN Flaws to Infiltrate Networks
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks.
Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.
The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date.
Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines for encryption. CACTUS attacks also utilise Cobalt Strike and a tunneling tool referred to as Chisel for command-and-control, alongside remote monitoring and management (RMM) software like AnyDesk to push files to the infected hosts.
The actors also take steps to disable and uninstall security solutions and to extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) in order to escalate privileges. Privilege escalation is followed by lateral movement, data exfiltration, and ransomware deployment, the last of which is achieved by means of a PowerShell script that has also been used by Black Basta.
A novel aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip, followed by removing the .7z archive before executing the payload.
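That unpack-then-delete-then-run sequence is a usable hunting signature in process-creation telemetry (Sysmon Event ID 1 or EDR process events). The Python below is an added example, not the article's or any vendor's detection content: it groups child processes by parent, and reports a parent whose children, in order, extract a .7z archive with 7-Zip, delete that same archive, and then execute an image from the extraction directory. The events are constructed, and the field names (pid, parent_pid, image, cmdline) are an assumed, simplified schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    seq: int            # ordering within the log
    pid: int
    parent_pid: int
    image: str          # full path of the new process image
    cmdline: str


# Constructed events: one CACTUS-style chain under a batch file (parent 4000),
# and a benign admin unpacking tools without deleting the archive (parent 5000).
EVENTS = [
    ProcEvent(1, 4000, 600,  r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\Public\run.bat"),
    ProcEvent(2, 4010, 4000, r"C:\Program Files\7-Zip\7z.exe",
              r'7z.exe x C:\Users\Public\pkg.7z -oC:\Users\Public\out -p"********" -y'),
    ProcEvent(3, 4020, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del /f /q C:\Users\Public\pkg.7z"),
    ProcEvent(4, 4030, 4000, r"C:\Users\Public\out\svc.exe", r"C:\Users\Public\out\svc.exe -i"),
    ProcEvent(5, 5000, 600,  r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
    ProcEvent(6, 5010, 5000, r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\Temp\tools.7z -oC:\Temp\tools -y"),
    ProcEvent(7, 5020, 5000, r"C:\Temp\tools\procexp.exe", r"procexp.exe"),
]

# "7z x archive.7z -oDIR" (also "e"), optionally with a password switch anywhere after.
EXTRACT_RE = re.compile(
    r'7z(?:\.exe)?\s+[xe]\s+"?(?P<archive>[^\s"]+\.7z)"?(?:.*?-o"?(?P<outdir>[^\s"]+))?', re.I)
# "del ... archive.7z" or "erase ... archive.7z"
DEL_RE = re.compile(r'\b(?:del|erase)\b.*?(?P<target>[^\s"]+\.7z)', re.I)


def find_unpack_delete_execute(events):
    """Return [(parent_pid, archive, executed_image)] for each parent process
    whose children show: 7-Zip extract -> delete of that archive -> execution
    of an image inside the extraction directory."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e.seq):
        by_parent.setdefault(ev.parent_pid, []).append(ev)

    hits = []
    for ppid, children in by_parent.items():
        state, archive, outdir = 0, None, None
        for ev in children:
            if state == 0:
                m = EXTRACT_RE.search(ev.cmdline)
                if m and ev.image.lower().endswith("7z.exe"):
                    archive = m["archive"].lower()
                    outdir = (m["outdir"] or "").lower().rstrip("\\")
                    state = 1
            elif state == 1:
                m = DEL_RE.search(ev.cmdline)
                if m and m["target"].lower() == archive:
                    state = 2
            elif state == 2:
                if outdir and ev.image.lower().startswith(outdir + "\\"):
                    hits.append((ppid, archive, ev.image))
                    state = 0
    return hits


if __name__ == "__main__":
    for ppid, archive, image in find_unpack_delete_execute(EVENTS):
        print(f"parent {ppid}: extracted {archive}, deleted it, then ran {image}")
```

Keying on the deletion is what separates this from ordinary software installs: the benign chain above extracts and runs a tool too, but leaves the archive behind and is not reported.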
The development comes days after another type of ransomware known as Rapture was identified that bears some similarities to other families such as Paradise.
Rapture’s initial intrusion is suspected to be facilitated through vulnerable public-facing websites and servers, making it imperative that companies keep systems up-to-date and enforce the principle of least privilege (PoLP).
CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.
BEC Campaign via Israel Spotted Targeting Large Multinational Companies
An Israel-based threat group was discovered carrying out a business email compromise (BEC) campaign primarily targeting large and multinational enterprises with an average annual revenue of over $10 billion.
According to researchers who discovered the attacks, the group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
The attackers pose as the CEO of the employee being targeted. They then pass on the communication to a second external persona, usually a mergers and acquisitions attorney responsible for overseeing the payment process.
In some instances, once the attack progresses to this second stage, the attackers request the conversation shift from email to a voice call on WhatsApp to accelerate the attack — and to reduce the possibility of leaving behind an evidence trail.
They employed several tactics to lend their emails legitimacy and to evade detection by both recipients and traditional email security solutions, including targeting senior leaders who could plausibly be involved in a financial transaction of the kind the criminals used as their pretext.
In addition to their use of two personas — a CEO and an external attorney — they spoofed email addresses using real domains.
Where the target organisation had a DMARC policy that would block exact-domain spoofing, the group fell back to display-name spoofing, setting the sender display name to the CEO’s name so the message still appeared to come from them. The group also translates its emails into the language mainly used by the targeted organisation.
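Both halves of that tactic can be checked mechanically. The Python below is an added example (not the article's or any vendor's code) of two checks a mail gateway or SOC script can apply: whether the organisation's DMARC record would actually stop exact-domain spoofing (only p=reject or p=quarantine at pct=100 does), and whether an inbound message uses an executive's display name from an external address, or the executive's own address without a DMARC pass. The organisation domain, executive directory, DMARC records and messages are all constructed; the Authentication-Results header is assumed to be stamped by the organisation's own MX.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed target organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: lower-cased display name -> real address
AUTH_RE = re.compile(r"\bdmarc=(pass|fail|none)\b", re.I)


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; {} if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spoofing_blocked(tags):
    """True only if receivers are told to reject or quarantine all failing mail.
    p=none is monitoring only, and pct<100 lets a share of spoofs through."""
    p = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return p in ("reject", "quarantine") and pct == 100


def classify_from(raw_message):
    """Return 'exact-domain-spoof', 'display-name-spoof', or 'ok'."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    name, addr = parseaddr(str(msg.get("From", "")))
    name_key = " ".join(name.split()).lower()
    addr = addr.lower()
    if name_key not in EXECUTIVES:
        return "ok"
    domain = addr.rsplit("@", 1)[-1]
    if domain != ORG_DOMAIN:
        return "display-name-spoof"          # CEO's name on an outside address
    m = AUTH_RE.search(str(msg.get("Authentication-Results", "")))
    if addr != EXECUTIVES[name_key] or not m or m.group(1).lower() != "pass":
        return "exact-domain-spoof"          # our domain, but no DMARC pass (or wrong mailbox)
    return "ok"


# Constructed messages (not real traffic).
SPOOF_EXACT = """From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Subject: Confidential acquisition

Please treat this as urgent.
"""
SPOOF_DISPLAY = """From: "Jane Doe" <jane.doe@ceo-private-mail.net>
To: cfo@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=ceo-private-mail.net
Subject: Confidential acquisition

Please treat this as urgent.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Board agenda

Agenda attached.
"""

if __name__ == "__main__":
    for label, rec in (("monitor-only", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
                       ("enforcing", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")):
        print(label, "blocks spoofing:", spoofing_blocked(parse_dmarc(rec)))
    for label, raw in (("exact", SPOOF_EXACT), ("display", SPOOF_DISPLAY), ("legit", LEGIT)):
        print(label, "->", classify_from(raw))
```

Note that the second message passes DMARC: the attacker's own domain is correctly authenticated, which is exactly why DMARC on its own does nothing against display-name spoofing and the name-to-address comparison has to be a separate control.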
The best way to prevent an attack is to ensure that defenses are in place to prevent malicious attacks from landing in inboxes in the first place. New solutions that use behavioral AI to baseline normal behavior across the email environment can detect and block anomalies with greater precision, better preventing sophisticated BEC attacks from ever reaching users.
Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps
A gambling company in the Philippines was the target of a China-aligned threat actor as part of a campaign that has been ongoing since October 2021. The series of attacks against Southeast Asian gambling companies are being tracked under the name Operation ChattyGoblin.
The attacks use a specific tactic: targeting the victim companies’ support agents via chat applications – in particular, the Comm100 and LiveHelp100 apps. The use of a trojanised Comm100 installer to deliver malware was first documented in October 2022.
The attack chains leverage the aforementioned chat apps to distribute a C# dropper that, in turn, deploys another C# executable, which ultimately serves as a conduit to drop a Cobalt Strike beacon on hacked workstations.
In the same reporting period, attacks mounted by India-linked threat actors Donot Team and SideWinder were tracked targeting government institutions in South Asia. Another set of limited attacks has been tied to a different Indian APT group called Confucius that’s been active since at least 2013 and is believed to share ties with the Patchwork group. The threat actor has in the past used Pegasus-themed lures and other decoy documents to target Pakistan government agencies.
The latest intrusion involved the use of a remote access trojan dubbed Ragnatela that’s an upgraded variant of the BADNEWS RAT. Elsewhere, the Iranian threat actor referred to as OilRig (aka Hazel Sandstorm) was identified deploying a custom implant labeled Mango to an Israeli healthcare company.
Other notable APT activity spotted during the time period comprises that of Winter Vivern and YoroTrooper, which ESET said strongly overlaps with a group that it has been tracking under the name SturgeonPhisher since the start of 2022. Evidence gathered so far points to YoroTrooper being active since at least 2021, with attacks singling out government, energy, and international organisations across Central Asia and Europe.
Researchers Uncover SideWinder’s Latest Server-Based Polymorphism Technique
The advanced persistent threat (APT) actor known as SideWinder has been observed deploying a backdoor in attacks directed against Pakistan government organisations as part of a campaign that commenced in late November 2022. In the campaign, the group used a server-based polymorphism technique to deliver the next-stage payload.
Another campaign discovered in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor’s collection priorities. SideWinder has been on the radar since at least 2012 and is primarily known to target entities across South and Southeast Asia, including Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.
Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4.
Typical attack sequences mounted by the actor entail using carefully crafted email lures and DLL side-loading techniques to fly under the radar and deploy malware capable of granting the actors remote access to the targeted systems.
Over the past year, SideWinder has been linked to a cyber attack aimed at Pakistan Navy War College (PNWC) as well as an Android malware campaign that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to harvest sensitive information.
The latest infection chain documented mirrors findings from December 2022 detailing the use of PNWC lure documents to drop a lightweight .NET-based backdoor (App.dll) that’s capable of retrieving and executing next-stage malware from a remote server.
What makes the campaign also stand out is the threat actor’s use of server-based polymorphism as a way to potentially sidestep traditional signature-based antivirus (AV) detection and distribute additional payloads by responding with two different versions of an intermediate RTF file.
Specifically, the PNWC document employs a method known as remote template injection to fetch the RTF file such that it harbors the malicious code only if the request originates from a user in the Pakistan IP address range.
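The geofencing happens on the attacker's server and is invisible to a static scan of the lure, but the fetch mechanism itself is not: a remote template injection document carries an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The Python below is an added example (not the article's or any vendor's code) that builds a stripped-down OOXML package in memory, with and without such a relationship, and scans it for external template references. The package is only enough structure for the scan rather than a fully Word-openable file, and the template URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = DOC_REL_NS + "/attachedTemplate"


def build_docx(template_target=None):
    """Constructed minimal .docx. With template_target set, settings.xml declares an
    attachedTemplate whose relationship points at an external URL, as in a lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                   f'Type="{DOC_REL_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Loading</w:t>'
                   f'</w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                   f'Type="{DOC_REL_NS}/settings" Target="settings.xml"/></Relationships>')
        settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{DOC_REL_NS}">'
        rels = f'<Relationships xmlns="{PKG_REL_NS}">'
        if template_target:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="External"/>')
        z.writestr("word/settings.xml", settings + "</w:settings>")
        z.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Yield (rels_part, relationship_type, target) for every relationship in any
    .rels part whose TargetMode is External."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def scan_for_remote_template(docx_bytes):
    """Return the remote template location if the document will fetch its
    template over HTTP(S) or a UNC path when opened, else None."""
    for _part, rtype, target in external_relationships(docx_bytes):
        if rtype == ATTACHED_TEMPLATE and target.lower().startswith(("http://", "https://", "\\\\")):
            return target
    return None


if __name__ == "__main__":
    placeholder = "http://example.invalid/templates/briefing.dotm"   # assumed, not a real indicator
    print("lure:", scan_for_remote_template(build_docx(placeholder)))
    print("clean:", scan_for_remote_template(build_docx()))
```

Because the server decides what to return, the RTF fetched by an analyst outside the targeted IP range will be benign; the external relationship is the stable artifact, so a sandbox that only looks at what was downloaded can miss the payload while this check does not.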
Western Digital Confirms Ransomware Group Stole Customer Information
Western Digital confirmed on Friday that cybercriminals have stolen customer and other information after breaching its systems.
According to the digital storage giant, a security breach was discovered on March 26. In early April, the company shut down some services as part of its incident response activities and informed customers about a cyberattack, but did not share any further updates until May 5.
Western Digital’s second public statement comes just days after a ransomware group known as Alphv/BlackCat started publishing screenshots showing the extent of their access. The screenshots appear to show video calls, emails and internal documents discussing the cyberattack, as well as internal tools, invoices, and confidential communications.
The hackers have threatened to make public — unless WD pays up — customer personal information, firmware, code signing certificates, and intellectual property.
In the statement issued on Friday, WD confirmed that the hackers accessed a database associated with its online store that contained customers’ personal information, including name, billing and shipping address, phone number, email address, hashed and salted password, and partial credit card number.
The impacted online store is expected to be restored in the week of May 15. The My Cloud service, which was also shut down following the hack, was restored in mid-April.
The company said it’s still investigating the validity of the other data made public by the ransomware group. However, it did provide some clarifications regarding digital certificates.
“Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed,” the company said.
In a separate incident that involved digital certificates, a different ransomware group hacked computer manufacturer MSI and recently leaked what appeared to be firmware image signing keys and Intel Boot Guard keys associated with several major vendors.
1 Million Impacted by Data Breach at NextGen Healthcare
Healthcare solutions provider NextGen Healthcare has started informing roughly one million individuals that their personal information was compromised in a data breach. Headquartered in Atlanta, Georgia, the company makes and sells electronic health records software and provides doctors and medical professionals with practice management services.
On Friday, NextGen Healthcare informed the Maine Attorney General’s Office that it started sending notification letters to more than one million individuals, to inform them about the incident.
According to the letters, NextGen Healthcare first identified suspicious activity on its systems on March 30, 2023. The investigation launched into the matter revealed that an unauthorised party had access to those systems between March 29 and April 14, 2023.
During that time, the attackers accessed personal information such as names, addresses, birth dates, and Social Security numbers – NextGen Healthcare says it maintains such data on behalf of its customers, in support of the services it provides to them.
The company says it has no evidence that the unauthorised party had access to health or medical records and data.
NextGen Healthcare told the Maine Attorney General that the attackers accessed its database using “client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen”.
The company says it reset passwords to contain the incident and informed law enforcement of the breach, working with them throughout the investigation.
Earlier this year, NextGen was targeted by a known ransomware group, but no information appears to be available on the impact of that incident.