Thursday, May 18th, 2023
Cybersecurity Week in Review (19/05/2023)
Access to Energy Sector ICS/OT Systems Offered on Hacker Forums
Threat actors have been offering access to energy sector organisations, including industrial control systems (ICS) and other operational technology (OT) systems.
Analysis of posts published between February 2022 and February 2023 on cybercrime forums, dark web sites, and marketplaces, found many offers for initial access into the environments of energy sector organisations, including oil and gas and renewable energy firms in the US, Canada, UK, Italy, France and Indonesia.
Access is often auctioned and includes RDP access, compromised credentials, or entry through a device vulnerability — for instance, Fortinet products. Sellers share information on the type of organisation and its revenue. Prices range between as little as $20 and $2,500, depending on the target’s size, location, and the potential for supply chain attacks.
While in many cases threat actors have offered access to the corporate systems of energy companies, some have offered access and other resources aimed at ICS/OT systems. Some hackers have offered resources that can be used to conduct attacks against ICS. This includes information on conducting Shodan searches, finding vulnerabilities, and exploitation.
These types of resources can allow even unsophisticated and low-skilled attackers to hack industrial systems, as shown by some recent hacktivist attacks.
This information does allow defenders to assess the capability of attackers and monitor their evolution as credible threats over time. It underlines the need to continuously monitor for evidence that their infrastructure – corporate or industrial – has been compromised.
Millions of Smartphones Distributed Worldwide With Preinstalled ‘Guerrilla’ Malware
A threat actor has control over millions of smartphones distributed worldwide thanks to a piece of malware that has been preinstalled on the devices.
It has been known for several years that smartphones, particularly budget devices, may be shipped with shady firmware that can give companies or other entities access to user data. One of the best known operations involved Triada, an advanced trojan installed on Android devices whose existence came to light in 2016.
Since 2021, a different operation has been tracked that appears to be linked to Triada. The group behind the campaign is tracked as Lemon Group and the malware preloaded on devices is called Guerrilla. The campaign has been active since at least 2018, with the threat actor changing the name of its operation from Lemon to Durian Cloud SMS after details of its operations were released last year.
Lemon Group was identified as being involved in a number of businesses, including big data, marketing, and advertising companies, but its main business involves the utilisation of big data: analysing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, the different advertising content served to different users at different times, and hardware data paired with detailed software push data. This allows Lemon Group to monitor customers that can be further infected with other apps, for example by showing advertisements only to app users from certain regions.
An implant planted by Lemon Group loads a downloader that serves as what’s called the main plugin, which in turn can fetch and run other plugins. The secondary plugins can be used to capture SMS messages (including ones containing one-time passwords for popular services such as WhatsApp and Facebook), set up a reverse proxy on infected phones, harvest application data, hijack applications such as WhatsApp to send messages, and deliver ads when launching official apps.
These types of implants are typically placed on devices not by the OEM, but by third-party vendors to which the OEM provides the system image for adding new features. The features they add can include malware such as Guerrilla and the OEM is unaware of its existence.
Lemon Group’s website had advertised that it could reach 8.9 million devices — the page showing these numbers was removed recently — which suggests the actual number of devices preloaded with malware is far greater.
Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover
A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments. The activity has been attributed to a threat group tracked under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider.
The emerging adversary, which first came to light late last year, has been known to leverage SIM-swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022.
Subsequently, it was also found that UNC3944 utilised a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that’s designed to terminate processes associated with security software and delete files as part of a BYOVD attack.
It’s currently not known how the threat actor conducts the SIM swaps, although the initial access methodology is suspected to involve the use of SMS phishing messages targeting privileged users to obtain their credentials and then staging a SIM swap to receive the two-factor authentication (2FA) token to a SIM card under their control.
Armed with the elevated access, the threat actor then moves to survey the target network by exploiting Azure VM extensions such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.
The development is yet more evidence of attackers taking advantage of living-off-the-land (LotL) techniques to sustain and advance an attack, while simultaneously circumventing detection.
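The serial console and VM extension activity described above leaves a trail in the Azure Activity Log. The following is an added detection sketch, not code from the original report: it parses constructed Activity Log records (newline-delimited JSON with an assumed `operationName`/`caller`/`callerIpAddress`/`resourceId` layout and a placeholder subscription id) and escalates a watched extension write that follows a serial console connect by the same caller on the same VM. The serial console operation name is an assumption about the provider's naming; verify it against your own tenant's export.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Operation names as assumed to appear in Activity Log 'operationName'.
SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"
# Extension families named in the report, matched case-insensitively on the resource id.
WATCHED_EXTENSIONS = ("networkwatcher", "vmsnapshot", "guestconfiguration")
WINDOW = timedelta(hours=1)  # console connect -> extension write correlation window

# Constructed sample records (placeholder subscription id), newline-delimited JSON.
SAMPLE_LOG = """\
{"time":"2023-05-12T09:02:11Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"ops-admin@example.test","callerIpAddress":"203.0.113.7","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"}
{"time":"2023-05-12T09:14:40Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"ops-admin@example.test","callerIpAddress":"203.0.113.7","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01/extensions/NetworkWatcherAgentWindows"}
{"time":"2023-05-12T11:30:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"backup-svc@example.test","callerIpAddress":"10.0.0.5","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/db01/extensions/VMSnapshot"}
{"time":"2023-05-12T12:00:00Z","operationName":"Microsoft.Compute/virtualMachines/start/action","caller":"ops-admin@example.test","callerIpAddress":"203.0.113.7","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"}
"""


def vm_of(resource_id: str) -> str:
    """Return the VM resource path (everything up to and including the VM name)."""
    marker = "/virtualMachines/"
    idx = resource_id.find(marker)
    if idx < 0:
        return resource_id
    end = resource_id.find("/", idx + len(marker))
    return resource_id if end < 0 else resource_id[:end]


def parse_records(ndjson: str) -> List[Dict]:
    """Parse NDJSON Activity Log lines, attach the VM path, and sort by time."""
    records = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        rec["vm"] = vm_of(rec["resourceId"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def analyse(records: List[Dict]) -> List[Dict]:
    """Score events: serial console connect = medium; watched extension write = low,
    raised to high when the same caller connected to that VM's console within WINDOW."""
    findings = []
    last_console = {}  # (caller, vm) -> time of the most recent serial console connect
    for rec in records:
        key = (rec["caller"], rec["vm"])
        op = rec["operationName"]
        base = {"time": rec["time"].isoformat(), "caller": rec["caller"],
                "ip": rec["callerIpAddress"], "vm": rec["vm"]}
        if op == SERIAL_CONSOLE_OP:
            last_console[key] = rec["time"]
            findings.append({"severity": "medium", "reason": "serial console connect", **base})
        elif op == EXTENSION_WRITE_OP:
            ext = rec["resourceId"].rsplit("/", 1)[-1].lower()
            if not any(w in ext for w in WATCHED_EXTENSIONS):
                continue  # an extension the watchlist does not cover
            prior = last_console.get(key)
            if prior is not None and rec["time"] - prior <= WINDOW:
                findings.append({"severity": "high", **base,
                                 "reason": f"{ext} written after serial console connect"})
            else:
                findings.append({"severity": "low", **base, "reason": f"{ext} written"})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_records(SAMPLE_LOG)):
        print(f["severity"].upper(), f["time"], f["caller"], f["ip"], f["reason"])
```

Tune WATCHED_EXTENSIONS and WINDOW to your environment; routine backup tooling will legitimately write VMSnapshot, so the low-severity hits are for baselining rather than alerting.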
State-Sponsored Sidewinder Hacker Group’s Covert Attack Infrastructure
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China. This comprises a network of 55 domains and IP addresses used by the threat actors.
SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.
The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore. Earlier this February, evidence was discovered that SideWinder may have targeted 61 government, military, law enforcement, and other organisations across Asia between June and November 2021.
More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organisations.
The newly discovered domains mimic government organisations in Pakistan, China, and India and are characterised by the use of the same values in WHOIS records and similar registration information. Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.
A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC). Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University’s email system (mailtsinghua.sinacn[.]co).
Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov[.]org).
Further investigation into SideWinder’s infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023. The rogue Android app passes off as a “Ludo Game” and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.
In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organisations, as well as companies specialising in e-commerce and mass media in Pakistan and China.
Lacroix Closes Production Sites Following Ransomware Attack
Technological equipment giant Lacroix Group says it has closed three production sites for the week after experiencing a ransomware attack.
Lacroix is an international designer and producer of embedded and industrial internet of things (IIoT) systems, including automotive and aerospace equipment, water and energy infrastructure equipment, and smart road infrastructure solutions.
According to the company, on the night of May 12, it detected a targeted cyberattack that hit its French (Beaupréau), German (Willich) and Tunisian (Zriba) sites that produce electronics systems.
The company shut down computer systems at these sites and launched an investigation to determine if the attack was fully contained and if any data was exfiltrated. Before the attack was intercepted, however, file-encrypting ransomware was deployed and some of the local infrastructures were encrypted.
“The time needed to carry out these actions and to use the backups to restart should take a few days, which is why the three sites are closed for the week,” Lacroix says.
At the moment, the company aims to resume production at the three sites on May 22, and says that partial activity measures have been implemented, along with recovery plans for each site.
The cyberattack, Lacroix says, is not expected to have a significant impact on the group’s performance for this year, because the three sites accounted for 19% of sales last year and because the French and German sites would have been closed on Thursday and Friday, in celebration of Ascension Day, which is a public holiday in both countries.
PharMerica Discloses Data Breach Impacting 5.8 Million Individuals
National pharmacy network PharMerica last week started sending out notification letters to more than 5.8 million individuals to disclose a data breach that occurred in March.
Owned by BrightSpring Health, a provider of home and community-based health services, PharMerica operates over 2,500 facilities across the US and offers more than 3,100 pharmacy and healthcare programs.
On Friday, PharMerica informed the Maine Attorney General’s Office that the personal information of more than 5.8 million individuals was compromised after an unauthorised party accessed its computer systems in March.
The data breach, the company says in notification letters sent to the impacted individuals, occurred between March 12 and March 13. Personal information compromised during the incident includes names, addresses, birth dates, Social Security numbers, health insurance, and medication information.
In some cases, the compromised information belongs to deceased individuals, and PharMerica encourages executors or surviving spouses to contact the national credit reporting agencies to notify them of the situation.
PharMerica’s letter does not provide details on the type of cyberattack that it suffered, but it appears that the Money Message ransomware group is responsible for the incident.
In April, the group started leaking personally identifiable information (PII) and protected health information (PHI) allegedly stolen from PharMerica. Last month, the ransomware operators told DataBreaches.net that they encrypted almost the entire PharMerica infrastructure and that they had engaged in negotiations with the company.
Responding to an inquiry, PharMerica, on May 15, posted a data breach notice on its website and issued a press release to notify the public of the personal information theft. However, the company made no mention of ransomware being used in the attack.
Toyota admits leaking data of more than 2 million drivers
Toyota has apologised after its primary cloud service was left publicly available for over a decade, putting more than 2 million clients at risk.
In a statement on May 12th, Toyota revealed that customer data in Japan has been publicly accessible since 2012 due to “misconfiguration of the cloud environment.”
The cloud system was accidentally set to public instead of private due to human error. It leaked both vehicle location information and the identification numbers of vehicle devices. The company claims that, at this point, they have not confirmed any malicious use of the leaked customer data.
The leak primarily affected the clients of the T-Connect service. This offers various features such as AI voice-enabled driving assistance, automatic connection to call centers, emergency support, car unlocking, navigation, vehicle statistics, and other vehicle-related metrics.
“We have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by T-Connect,” says the statement by Toyota.
“We apologise for causing great inconvenience and concern to our customers and related parties.”
Toyota said it will establish a system to continuously monitor settings and thoroughly educate employees on data handling rules.
It’s not the first time that Toyota has been shaken by a data leak. Earlier this year, it was revealed that a multinational vehicle manufacturer accidentally leaked access to its marketing tools, enabling attackers to launch phishing campaigns against its vast pool of customers in Italy.
In 2022, Toyota confirmed that the data of almost 300,000 customers was leaked online after a company developer published T-Connect source code on GitHub. The leaked data included email addresses and the customer management numbers which Toyota assigns to each client.
New Ransomware Gang RA Group Hits US and South Korean Organisations
A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant.
The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations. To date, the group is thought to have compromised three organisations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.
RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims to pay. The Windows-based binary employs intermittent encryption to speed up the process and evade detection, and it also deletes volume shadow copies and the contents of the machine’s Recycle Bin.
RA Group uses customised ransom notes, including the victim’s name and a unique link to download the exfiltration proofs. If the victim fails to contact the actors within three days, the group leaks the victim’s files. It also avoids encrypting system files and folders, by means of a hard-coded list, so that the victim can still download the qTox chat application and reach out to the operators using the qTox ID provided in the ransom note.
What sets RA Group apart from other ransomware operations is that the threat actor has also been observed selling the victim’s exfiltrated data on its leak portal by hosting the information on a secured TOR site.
The development comes less than a week after it was disclosed that threat actors of varying sophistication and expertise are increasingly adopting the Babuk ransomware code to develop a dozen variants that are capable of targeting Linux systems.
Other ransomware actors that have adopted the Babuk source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another ransomware strain based on Babuk, has been linked to a Chinese espionage actor called Emperor Dragonfly that’s known for operating short-lived ransomware schemes such as Rook, Night Sky, and Pandora.
The findings also follow the discovery of two other new ransomware strains codenamed Rancoz and BlackSuit, the latter of which is designed to target both Windows and VMware ESXi servers.
New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their sights on ESXi hypervisors.
This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software. This, combined with the popularity of ESXi as a widespread and popular virtualisation and management system, makes the hypervisor a highly attractive target for modern adversaries.
The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal.
What’s more, analysis revealed that 10 different ransomware families, including Conti and REvil, have used the Babuk source code leaked in September 2021 to develop lockers for VMware ESXi hypervisors. Other notable e-crime outfits that have updated their arsenal to target ESXi include ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.
Part of the reason why VMware ESXi hypervisors are becoming an attractive target is that the software runs directly on a physical server, granting a potential attacker the ability to run malicious ELF binaries and gain unfettered access over the machine’s underlying resources.
Attackers looking to breach ESXi hypervisors can do so by using compromised credentials, followed by gaining elevated privileges and either laterally moving through the network or escaping the confines of the environment via known flaws to advance their motives.
To mitigate the impact of hypervisor jackpotting, organisations are recommended to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.
New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages
A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks.
Greatness, for now, is only focused on Microsoft 365 phishing pages. The platform equips its affiliates with tools like an attachment and link builder, enabling them to craft convincing decoy and login pages. These pages include advanced features such as pre-filled victim email addresses and display elements like the company logo and background image taken from the genuine Microsoft 365 login page of the targeted organisation.
Campaigns involving Greatness have mainly targeted manufacturing, health care, and technology entities located in the U.S., the U.K., Australia, South Africa, and Canada, with a spike in activity detected in December 2022 and March 2023.
Phishing kits like Greatness offer threat actors, rookies or otherwise, a cost-effective and scalable one-stop shop, making it possible to design convincing login pages associated with various online services and bypass two-factor authentication (2FA) protections. Specifically, the authentic-looking decoy pages function as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.
The AiTM phishing kit also comes with an administration panel that enables the affiliate to configure the Telegram bot, keep track of stolen information, and even build booby-trapped attachments or links.
What’s more, each affiliate is expected to have a valid API key in order to be able to load the phishing page. The API key also prevents unwanted IP addresses from viewing the phishing page and facilitates behind-the-scenes communication with the actual Microsoft 365 login page by posing as the victim.
The findings come as Microsoft has begun enforcing number matching in Microsoft Authenticator push notifications as of May 8, 2023, to improve 2FA protections and fend off prompt bombing attacks.
Discord discloses data breach after support agent got hacked
Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised. The security breach exposed the agent’s support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.
Discord says it immediately addressed the breached support account by disabling it once the incident was discovered.
“Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party,” Discord said in letters sent to affected users.
“As soon as Discord was made aware of the issue, we deactivated the compromised account and completed malware checks on the affected machine.”
Discord also worked with the customer service partner to implement effective measures to prevent similar incidents in the future.
“While we believe the risk is limited, it is recommended that you be vigilant for any suspicious messages or activity, such as fraud or phishing attempts,” the company said.
Discord is a widely used instant messaging and social media platform with 150 million monthly active users. Additionally, the company claims on its website that the platform has 19 million active servers weekly.