Thursday, June 15th, 2023
Cybersecurity Week in Review (16/06/2023)
New Report Reveals Shuckworm’s Long-Running Intrusions on Ukrainian Organisations
The Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments. Targets of the recent intrusions, which began in February/March 2023, include security services, military, and government organizations.
The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more.
Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia’s Federal Security Service (FSB). It is said to have been active since at least 2013.
The cyber espionage activities consist of spear-phishing campaigns that are designed to entice victims into opening booby-trapped attachments, which ultimately lead to the deployment of information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts.
Iron Tilden sacrifices some operational security in favour of high-tempo operations, meaning that its infrastructure is identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques. In the latest set of attacks, the threat actors have been observed using a new PowerShell script to propagate the Pterodo backdoor via USB drives.
While Shuckworm’s use of Telegram channels to retrieve the IP address of the server hosting the payloads is well documented, the threat actor is said to have expanded the technique to store command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.
Also used by the group is a PowerShell script (“foto.safe”) that is spread through compromised USB drives and features capabilities to download additional malware onto the host.
Analysis of intrusions shows that the adversary managed to breach the machines of human resources departments of the targeted organisations, suggesting its attempts to glean information about various individuals working at those entities. The findings are yet another indication of Shuckworm’s continued reliance on short-lived infrastructure and its ongoing evolution of tactics and tools to stay ahead of the detection curve.
They also arrive a day after Microsoft shed light on destructive attacks, espionage, and information operations carried out by another Russian nation-state actor known as Cadet Blizzard targeting Ukraine.
Lockbit Ransomware Extorts $91M From US Companies
The threat actors behind the LockBit ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organisations since 2020.
That’s according to a joint bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K.
“The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks,” the agencies said.
LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone. The Russia-linked cartel has claimed responsibility for at least 1,653 ransomware attacks to date. The cybercrime operation has attacked a wide array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
LockBit has received three substantial upgrades so far: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the last of which is based on leaked source code from the now-disbanded Conti gang.
The ransomware strain has since been adapted to target Linux, VMware ESXi, and Apple macOS systems, transforming it into an ever-evolving threat. The RaaS operation is also notable for paying people to get tattoos of its insignia and instituting the first-ever bug bounty program. The business model involves the core developers renting out their program to affiliates who perform the actual ransomware deployment and extortion. But in a twist, the group allows the affiliates to receive ransom payments before sending a cut to the main crew.
Attack chains involving LockBit have leveraged recently disclosed flaws in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers as well as other known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices to obtain initial access.
Also used by the affiliates are over three dozen freeware and open-source tools that allow for network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. The intrusions have been found to further abuse legitimate red team software such as Metasploit and Cobalt Strike.
The development comes as CISA issued a Binding Operational Directive 23-02, instructing federal agencies to secure network devices like firewalls, routers, and switches that are exposed to the public internet within 14 days of discovery and take steps to minimise the attack surface.
New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs
A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the U.S.
Skuld, which shares overlaps with publicly available stealers like Creal Stealer, Luna Grabber, and BlackCap Grabber, is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr.
Also spotted by researchers is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors.
The malware, upon execution, checks whether it is running in a virtual environment in an attempt to thwart analysis. It further extracts the list of running processes and compares it against a predefined blocklist. Should any running process match an entry in the blocklist, Skuld terminates that process rather than terminating itself.
Besides gathering system metadata, the malware possesses capabilities to harvest cookies and credentials stored in web browsers as well as files present in the Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.
Select samples of Skuld also incorporate a clipper module to alter clipboard content and steal cryptocurrency assets by swapping the wallet addresses, which the cybersecurity company theorised is likely in development.
Data exfiltration is achieved by means of an actor-controlled Discord webhook or the Gofile upload service. In the case of the latter, a reference URL to steal the uploaded ZIP file containing the stolen data is sent to the attacker using the same Discord webhook functionality.
The development points to steady adoption of the Go programming language among threat actors due to its simplicity, efficiency, and cross-platform compatibility, thereby making it an attractive vehicle to target multiple operating systems and expand their victim pool.
Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry
Two dangerous security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.
The vulnerabilities allow unauthorised access to the victim’s session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorised data access, modifications, and disruption of the Azure service iframes.
XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time unsuspecting users visit the site. The two flaws identified leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects.
However, in order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).
By analysing the legitimate postMessages sent to the iframe from portal.azure[.]com, the adversary could subsequently craft appropriate payloads by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that delivers the malicious payload.
Thus when a victim is lured into visiting the compromised endpoint, the malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker’s code within the victim’s context.
In a proof-of-concept (PoC), a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload.
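The postMessage weakness described above, as an added example that is not code from the original article or from Microsoft: a message handler that trusts any sender and renders the payload as HTML, beside a hardened handler that checks the sender origin against an allowlist, validates the message shape, and writes text only, plus a small check for the missing X-Frame-Options / CSP frame-ancestors condition the reconnaissance step looks for. The portal and attacker origins, the `set-title` message type, and the `svgTitle` field are constructed for the example; it runs under Node with constructed events, whereas in a browser the handler would be registered with `window.addEventListener('message', handler)`.

```javascript
// Assumption: the embedded page only expects messages from its own portal origin.
const ALLOWED_ORIGINS = new Set(['https://portal.example']);

// Stand-in for the DOM element the handlers write into.
function makeSink() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: no origin check, payload rendered as HTML.
function handleMessageUnsafe(event, sink) {
  sink.innerHTML = String(event.data.svgTitle); // attacker markup becomes live DOM
  return { accepted: true, reason: 'no checks' };
}

// Hardened pattern: allowlisted origin, strict schema, text-only rendering.
function handleMessageSafe(event, sink) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'origin not allowlisted' };
  }
  const d = event.data;
  const wellFormed =
    d !== null && typeof d === 'object' &&
    d.type === 'set-title' &&
    typeof d.svgTitle === 'string' && d.svgTitle.length <= 200;
  if (!wellFormed) {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  sink.textContent = d.svgTitle; // inserted as a text node, never parsed as markup
  return { accepted: true, reason: 'validated' };
}

// Response-header check: can this endpoint be framed by an arbitrary origin?
// `headers` is a plain object keyed by lower-cased response header names.
function framableByAnyOrigin(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return false;
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (!m) return true;            // no frame-ancestors directive at all
  const sources = m[1].trim().split(/\s+/);
  return sources.includes('*');   // wildcard: any origin may embed the page
}

// Constructed events: one from an attacker-controlled parent page carrying
// markup, one from the expected portal origin carrying plain text.
const hostileEvent = {
  origin: 'https://attacker.example',
  data: { type: 'set-title', svgTitle: '<img src=x onerror="alert(1)">' },
};
const legitEvent = {
  origin: 'https://portal.example',
  data: { type: 'set-title', svgTitle: 'Bastion topology' },
};

// Runs both handlers against both events and returns what each did.
function demo() {
  const unsafeSink = makeSink();
  const safeSink = makeSink();
  handleMessageUnsafe(hostileEvent, unsafeSink);               // markup lands in the DOM
  const rejected = handleMessageSafe(hostileEvent, safeSink);  // dropped: wrong origin
  const accepted = handleMessageSafe(legitEvent, safeSink);    // rendered as text
  return {
    unsafeHtml: unsafeSink.innerHTML,
    rejected,
    accepted,
    safeText: safeSink.textContent,
    headersAllowFraming: framableByAnyOrigin({ 'content-security-policy': "default-src 'self'" }),
  };
}

console.log(demo());
```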
Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them. No further action is required on the part of Azure users.
The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.
Fake Researcher Profiles Spread Malware Through GitHub Repositories as PoC Exploits
At least half a dozen GitHub accounts belonging to fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service.
All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server.
The rogue repositories were first discovered in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down.
Besides sharing some of the purported findings on Twitter in an attempt to build legitimacy, the set of accounts have been found to use headshots of actual security researchers from companies like Rapid7, suggesting that the threat actors have gone to great lengths to execute the campaign.
The PoC is a Python script that’s designed to download a malicious binary and execute it on the victim’s operating system, be it Windows or Linux.
The list of GitHub repositories and fake Twitter accounts is below –
It’s currently not known if this is the work of an amateur actor or an advanced persistent threat (APT). But security researchers have previously come under the radar of North Korean nation-state groups, as revealed by Google in January 2021.
If anything, the findings show the need for exercising caution when it comes to downloading code from open source repositories. It’s also essential that users scrutinise the code prior to execution to ensure they don’t pose any security risks.
Global Organisations Being Targeted by Sophisticated AitM Attack Campaign
Numerous organisations worldwide have been subjected to a widespread business email compromise (BEC) campaign, employing adversary-in-the-middle (AitM) methods to carry out the attacks.
An adversary-in-the-middle (AitM) attack refers to a technique employed by cybercriminals to intercept and manipulate communication between two parties without their knowledge. In this attack, the attacker positions themselves between the sender and receiver, allowing them to eavesdrop on the communication and potentially alter or inject malicious content into it. By gaining this position of control, the attacker can exploit vulnerabilities, steal sensitive information, or carry out further attacks.
In the documented attack chain by Sygnia, the attacker initiated the assault by sending a phishing email with a link to a supposed “shared document.” According to a report, the malicious actor obtained initial entry into an employee’s account after a successful phishing attempt, and conducted an “adversary-in-the-middle” attack to bypass Office365 authentication and maintain ongoing access to that account.
The link in the attack redirected the victim to an AitM phishing page designed to collect entered credentials and one-time passwords. To execute this scheme, the attacker gains control over an account through an intricate social engineering plan. Once in control, they send fake invoices to the company’s clients or suppliers, directing payments to a fraudulent bank account.
Furthermore, it has been reported that the threat actors took advantage of their temporary access to the compromised account to register a new multi-factor authentication (MFA) device. This allowed them to establish a persistent remote foothold from a different IP address located in Australia. In addition to extracting sensitive data from the victim’s account, the attackers used this access to send new phishing emails to numerous employees within the victim’s organisation, as well as to other targeted organisations. According to the researchers at Sygnia, the phishing emails spread in a manner reminiscent of a worm, moving from one targeted firm to another and infecting employees within the same company. The full extent of the campaign remains unknown at present.
The attack documented by Sygnia came to light within a week of Microsoft Defender Experts disclosing a similar campaign against banking and financial services organisations, which combined adversary-in-the-middle (AitM) phishing with business email compromise (BEC) and exploited trusted vendor relationships to commit financial fraud across multiple organisations.
BEC scams typically involve deceiving targets via email into sending money or revealing confidential company information. The attacker often tailors the emails to appear personalised and may even impersonate a trusted individual to achieve their objectives. To prevent a BEC attack, the following measures can be implemented –
- MFA: Use Multi-Factor Authentication to add extra security layers and protect against password theft and spear phishing.
- Education: Conduct awareness campaigns and training to empower employees to recognise and respond to BEC scams.
- Password policy: Implement a strong password management policy to prevent password-related vulnerabilities.
- Online information: Be cautious about sharing personal information online to limit attackers’ ability to create convincing spear-phishing content.
- Phishing defense: Implement a system for reporting and investigating suspicious emails to swiftly respond to phishing attempts.
Data of 8.8 Million Zacks Users Emerges Online
A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.
According to data breach notification service Have I Been Pwned, the database contains names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes. Have I Been Pwned’s maintainer, Troy Hunt, says he contacted Zacks to disclose the larger breach and the company told him that the attackers only gained access to encrypted passwords.
According to Hunt, the new database emerged on June 10, 2023, and soon after it was “broadly circulated on a popular hacking forum”.
The most recent entry in the newly discovered database is dated May 2020, which suggests that Zacks might have not been aware of the leak when disclosing a data breach in January 2023.
At the time, Zacks said the data breach occurred sometime between November 2021 and August 2022 and that it impacted the personal information of roughly 820,000 individuals who signed up for one of its products between November 1999 and February 2005.
The company also said that customer credit card details and other financial and personal information was not compromised in the incident. Zacks said at the time that it reset the passwords for the impacted accounts.
With the database shared on a hacking forum, the affected individuals might fall victim to phishing and other types of attacks, especially if they are not aware of their personal information being exposed.
Zacks provides stock research, analysis, and recommendations for firms in the US.
Zacks provided the following statement:
“We have confirmed that in association with the prior data breach disclosed by Zacks, which relates to a smaller subset of customers whose unencrypted passwords were compromised, the unauthorised third parties also gained access to encrypted passwords of zacks.com customers. We have no reason to believe any customer credit card information or any other customer financial information was accessed for any Zacks customer at any time. We have recommended that customers change their zacks.com passwords, as well as the password for all other online accounts for which they use the same e-mail address and password, and monitor financial accounts and consumer credit reports, although again, no financial information has been compromised. Zacks is also taking steps now to further enhance password security. We regret any inconvenience to our customers and we remain vigilant in protecting their personal information.”
Pro-Russian Bot Farm Busted in Ukraine
Cyber police in Ukraine have taken down a large-scale bot farm outside of Kyiv that they say was used to create thousands of fake online accounts to push a pro-Russian agenda and discredit Ukrainian forces. Investigators say the “Botoferma” had at least 4,000 fake social media accounts made to look like the accounts of ordinary citizens of Ukraine.
The bots were used to troll social media platforms, publish fake posts, and leave comments on other posts and profile accounts, badmouthing the Defense Forces of Ukraine while justifying the armed aggression of the Russian Federation, police said. The Botoferma was used to “inform public opinion among Ukrainians in the interests of the enemy, and destabilise the socio-political situation in the country,” cybercrime investigators said.
Investigators say the bot farm was organised using Russian services and that the bad actors registered about 500 anonymous accounts each day. Besides social networks, the fake accounts were used on other platforms such as online trading sites and instant messaging services, including those banned in Ukraine.
The suspects were paid in rubles (the official currency of the Russian Federation) for each bot they created, receiving payments equal to thousands of US dollars per month.
Police say the “botoferma” was found operating inside a garage located in the west-central Ukrainian city of Vinnytsia, about 150 miles southwest of Kyiv. During a search of the garage, police found a disarray of computer equipment containing evidence of illegal activities, multiple mobile phones, more than 3,300 SIM cards of Ukrainian and European mobile operators, and 13 SIM gateways.
Law enforcement also found bank cards that the criminals used to receive money from “clients.” Police said the suspects would use sanctioned payment systems such as “WebMoney” and “PerfectMoney,” to collect their payments. Once received, those payments were then converted into cryptocurrency and transferred to the controlled bank cards.
Three unnamed suspects, all residents of Vinnytsia, aged 30, 38, and 42, are being sought by law enforcement in connection with running the bot farm, along with several other perpetrators, according to Vinnytsia regional police chief Ivan Ishchenko.
The three individuals are being charged with unauthorised interference in the work of automated information, electronic communication, information and communication systems, and electronic communication networks under Ukrainian law. The suspects face up to 15 years in prison each if convicted.
CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored
The recently discovered CosmicEnergy malware, which is designed to target industrial control systems (ICS), does not pose an immediate threat to operational technology (OT), but organisations should not ignore it.
In May, details of a new piece of malware named CosmicEnergy emerged, with a warning that it could allow threat actors to cause electric grid disruptions.
The malware is designed to interact with ICS devices used in electric transmission and distribution, sending remote commands to tamper with the actuation of power line switches and circuit breakers.
Researchers linked the malware to Russian threat actors and said it appeared to target remote terminal units (RTUs) typically used in Europe, the Middle East and other parts of Asia.
The malware has two main components: LightWork, which implements the IEC104 communication protocol to modify the RTU state to on/off, and PieHop, which connects to a specified remote MSSQL server for uploading files and issuing remote commands to an RTU using LightWork.
CosmicEnergy was determined to not be an immediate threat to OT as it does not have the full-fledged attack capabilities of other ICS malware, such as Industroyer (aka CrashOverride) and Industroyer2, which were used to target Ukraine’s energy sector.
There is no evidence of the malware being deployed in the wild. CosmicEnergy appears to have been created for training scenarios, with hardcoded Information Object Addresses (IOAs) and Common Address of ASDU (COA) for targeting a specific range of equipment. In more advanced malware, such as Industroyer and Industroyer2, these parameters are configurable.
The malware may have been created by a contractor at Russian cybersecurity firm Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. However, it’s also possible that someone used that red teaming tool’s code to create the malware.
While CosmicEnergy might not pose an immediate threat, Dragos has advised industrial organisations to take steps to protect their systems against attacks involving this type of malware. Recommendations include restricting access to and monitoring MS SQL servers.
Swiss Government Warns of Ongoing DDoS Attacks, Data Leak
The Swiss government has disclosed that a recent ransomware attack on an IT supplier might have impacted its data, while today it is also warning that it is being targeted in DDoS attacks.
The situation reflects the complex threats affecting organisations and governments as they utilise third-party services to host data and publicly expose online services.
Last Tuesday, the Swiss government disclosed that they were impacted by a ransomware attack on Xplain, a Swiss technology provider supplying various government departments, administrative units, and even the country’s military force with software solutions.
The IT company was breached by the Play ransomware gang on May 23rd, 2023, with the threat actor claiming to have stolen various documents containing private and confidential data, financial and taxation details, etc.
On June 1st, 2023, the Play ransomware group published the entire dump, presumably after failing to extort Xplain into paying a ransom.
The Swiss government now says that while investigations on the contents and validity of the leaked data are still underway, it is likely that the attackers posted data belonging to the Federal Administration.
“Clarifications are currently underway to determine the specific units and data concerned,” reads the press release published on the government portal.
“Contrary to the initial findings and following recent in-depth clarifications, it has to be assumed that operational data could also be affected.”
A second press release posted on the Swiss government portal warns of access problems on various Federal Administration websites, as well as its online services.
The reason for this outage is a DDoS (distributed denial of service) attack launched by NoName, a pro-Russian hacktivist group targeting NATO-aligned countries and entities in Europe, Ukraine, and North America since early 2022.
“Several Federal Administration websites are/were inaccessible on Monday 12 June 2023, due to a DDoS attack on its systems,” reads the statement.
“The Federal Administration’s specialists quickly noticed the attack and are taking measures to restore accessibility to the websites and applications as quickly as possible.”
According to the same press release, NoName attacked the parliament website last week when its members discussed whether the country abandoned its neutrality to send aid to Ukraine.
Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach
Intellihartx, a company providing patient balance resolution services to hospitals, is informing roughly 490,000 individuals that their personal information was compromised in the GoAnywhere zero-day attack earlier this year.
Disclosed in early February and linked to the infamous Cl0p ransomware gang, the cyberattack exploited a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software.
Tracked as CVE-2023-0669 and leading to remote code execution, the flaw had been exploited starting January 28. A patch was released one week after public disclosure and Fortra published the conclusion of its investigation in April.
In an incident notification on its website, Intellihartx says it has concluded its review of the data potentially compromised during the attack and has also identified the impacted individuals.
The affected information, the company says, includes names, addresses, insurance data and medical billing, diagnosis and medication information, birth dates, and Social Security numbers.
Intellihartx says it is not aware of the compromised information being misused. However, the Cl0p gang has made the data allegedly stolen from the company available on its leak site.
Intellihartx informed the Maine Attorney General’s Office that just under 490,000 individuals were impacted by the incident.
Dozens of organisations have been hit by the incident and numerous major companies previously confirmed impact, including Community Health Systems (CHS), Rubrik, Hitachi Energy, Crown Resorts, the City of Toronto, Saks Fifth Avenue, Pluralsight, PPF, P&G, Atos, and Rio Tinto.
Other organisations have observed exploitation attempts but said the attack had limited impact.
The Cl0p cybergang has also claimed responsibility for the recent MOVEit Transfer MFT zero-day attack, which impacted several major organisations, including Irish airline Aer Lingus, British Airways, the BBC, UK-based payroll and HR company Zellis, and the Canadian province of Nova Scotia.