Thursday, April 20th, 2023
Cybersecurity Week in Review (21/04/2023)
Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine
Elite hackers associated with Russia’s military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war.
Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the “group’s 2022 focus on targeting webmail users in Eastern Europe.”
The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.
The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks on various Ukrainian government websites to redirect users to phishing domains and capture their credentials.
The disclosure comes as U.K. and U.S. intelligence and law enforcement agencies released a joint advisory warning of APT28’s attacks exploiting an old, known vulnerability in Cisco routers to deploy malware known as Jaguar Tooth.
FROZENLAKE is far from the only actor focused on Ukraine since Russia’s military invasion of the country over a year ago. Another notable adversarial collective is FROZENBARENTS – aka Sandworm, Seashell Blizzard (née Iridium), or Voodoo Bear – which has engaged in a sustained effort to target organisations affiliated with the Caspian Pipeline Consortium (CPC) and other energy sector entities in Eastern Europe.
Both groups have been attributed to the General Staff Main Intelligence Directorate (GRU), with APT28 tied to the 85th Special Service Center (GTsSS) military intelligence unit 26165. Sandworm, on the other hand, is believed to be part of GRU’s Unit 74455.
The credential harvesting campaign targeted CPC employees with phishing links delivered via SMS. The attacks against the energy vertical distributed links to fake Windows update packages that ultimately executed an information stealer known as Rhadamanthys to exfiltrate passwords and browser cookies.
FROZENBARENTS, dubbed the “most versatile GRU cyber actor,” has also been observed launching credential phishing attacks targeting the Ukrainian defense industry, military, and Ukr.net webmail users beginning in early December 2022.
The threat actor is said to have further created online personas across YouTube, Telegram, and Instagram to disseminate pro-Russian narratives, leak data stolen from compromised organisations, and post targets for distributed denial-of-service (DDoS) attacks.
Blind Eagle Espionage Group Has New Attack Chain Uncovered
The cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the njRAT remote access trojan on compromised systems. The group is known for a variety of attack techniques, including custom malware, social engineering, and spear-phishing.
Blind Eagle, also referred to as APT-C-36, is a suspected Spanish-speaking group that chiefly strikes private and public sector entities in Colombia. Attacks orchestrated by the group have also targeted Ecuador, Chile, and Spain.
Infection chains documented this year have revealed the use of spear-phishing lures to deliver commodity malware families like BitRAT and AsyncRAT, as well as in-memory Python loaders capable of launching a Meterpreter payload.
The chain’s VBScript code is run to launch a batch file, which is then deobfuscated to run the PowerShell script delivered alongside it. In the final stage, the PowerShell script executes njRAT. njRAT, also known as Bladabindi, is a remote access trojan with a graphical control panel that lets whoever operates it take control of the victim’s computer.
Critical vm2 Sandbox Escape Flaws Patched
Two new sandbox escape flaws in the vm2 JavaScript sandbox library – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.
The bugs allow attacker-supplied code to raise an unsanitised host exception inside the sandbox; a successful exploit escapes the sandbox and runs arbitrary code in the host context.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” the maintainers of the vm2 library said in an alert.
The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.
It’s worth noting that a critical remote code execution vulnerability in vm2 was also identified late last year (CVE-2022-36067, CVSS score: 9.8), codenamed Sandbreak.
US, UK warn of govt hackers using custom malware on Cisco routers
The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named ‘Jaguar Tooth’ on Cisco IOS routers, allowing unauthenticated access to the device.
APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia’s General Staff Main Intelligence Directorate (GRU). This hacking group has been attributed to a wide range of attacks on European and US interests and is known to abuse zero-day exploits to conduct cyber espionage.
A joint report released today by the UK National Cyber Security Centre (NCSC), US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI details how the APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth.’
Jaguar Tooth is malware injected directly into the memory of Cisco routers running older firmware versions. Once installed, the malware exfiltrates information from the router and provides unauthenticated backdoor access to the device.
To install the malware, the threat actors scan for internet-exposed Cisco routers using weak SNMP community strings, such as the commonly used ‘public’ string. SNMP community strings act as credentials: anyone who knows the configured string can query SNMP data on the device (and, with a read-write string, change its configuration).
If a valid SNMP community string is discovered, the threat actors exploit the CVE-2017-6742 SNMP vulnerability, fixed in June 2017. This is a remote code execution flaw with publicly available exploit code; the only thing it requires is a known community string, so a default or guessable string amounts to no authentication at all. Once the threat actors access the Cisco router, they patch its memory to install the custom, non-persistent Jaguar Tooth malware.
In addition, the malware creates a new process named ‘Service Policy Lock’ that collects the output from the following Command Line Interface (CLI) commands and exfiltrates it using TFTP:
- show running-config
- show version
- show ip interface brief
- show arp
- show cdp neighbors
- show start
- show ip route
- show flash
All Cisco admins should upgrade their routers to the latest firmware to mitigate these attacks. Cisco also recommends switching from SNMP to NETCONF/RESTCONF on public routers for remote management, as it offers more robust security and functionality.
If SNMP is required, admins should configure allow and deny lists to restrict who can access the SNMP interface on publicly exposed routers, and the community string should be changed to a sufficiently strong, random string.
CISA also recommends disabling SNMPv2c and Telnet on Cisco routers, as both send credentials (community strings and passwords) in cleartext, where they can be captured from network traffic.
Finally, if a device is suspected of having been compromised, CISA recommends using Cisco’s advice for verifying the integrity of the IOS image, revoking all keys associated with the device and to not reuse old keys, and to replace images with those directly from Cisco.
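To turn the mitigation advice above into a repeatable check, here is an added example (not code from the advisory, CISA or Cisco) that audits saved `show running-config` output for the weaknesses the report describes: default or short community strings, read-write communities, SNMP communities without an access list or with one that is never defined, Telnet accepted on vty lines, and the absence of any SNMPv3 authPriv group. The sample config, the default-string list and the 12-character length bar are constructed or assumed for illustration.

```python
"""Audit a Cisco IOS running-config for the SNMP and management-plane weaknesses above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Community strings attackers try first. Assumption: extend with any defaults used in your estate.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "community", "monitor"}
MIN_COMMUNITY_LEN = 12  # assumption: our bar for a "sufficiently strong, random" string


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    subject: str    # offending config line, with the community string masked
    message: str


def _mask(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def _defined_acls(config: str) -> Set[str]:
    acls = set()
    for line in config.splitlines():
        line = line.strip()
        m = (re.match(r"access-list\s+(\S+)\s", line)
             or re.match(r"ip access-list\s+(?:standard|extended)\s+(\S+)", line))
        if m:
            acls.add(m.group(1))
    return acls


def _parse_community(rest: List[str]) -> Tuple[str, Optional[str]]:
    """Parse the tokens after the community string: [view NAME] [RO|RW] [ipv6 NACL] [ACL]."""
    mode, acl, i = "RO", None, 0
    while i < len(rest):
        tok = rest[i]
        if tok.lower() in ("view", "ipv6"):
            i += 2            # keyword plus its argument
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok
        i += 1
    return mode, acl


def audit_config(config: str) -> List[Finding]:
    """Return findings for plain-text `show running-config` output."""
    findings: List[Finding] = []
    acls = _defined_acls(config)
    community_based = v3_priv = False

    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"snmp-server community\s+(\S+)(.*)", line, re.IGNORECASE)
        if m:
            community_based = True
            community = m.group(1)
            mode, acl = _parse_community(m.group(2).split())
            subject = f"snmp-server community {_mask(community)} {mode}"
            if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
                findings.append(Finding("HIGH", subject, "weak or default community string; replace with a long random value"))
            if mode == "RW":
                findings.append(Finding("HIGH", subject, "read-write community: anyone holding the string can change the configuration"))
            if acl is None:
                findings.append(Finding("MEDIUM", subject, "no access list: any host that can reach the device may query SNMP"))
            elif acl not in acls:
                findings.append(Finding("MEDIUM", subject, f"access list {acl} is referenced but never defined"))
            continue
        if re.match(r"snmp-server group\s+\S+\s+v3\s+priv", line, re.IGNORECASE):
            v3_priv = True
        m = re.match(r"transport input\s+(.*)", line, re.IGNORECASE)
        if m and ({"telnet", "all"} & set(m.group(1).lower().split())):
            findings.append(Finding("HIGH", line, "Telnet accepted on a vty line; passwords cross the network in cleartext"))

    if community_based and not v3_priv:
        findings.append(Finding("INFO", "snmp-server", "only community-based SNMP (v1/v2c) in use; move to SNMPv3 authPriv or NETCONF/RESTCONF"))
    return findings


# Constructed sample config, not from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community s3cr3tRWstring RW 10
snmp-server community Kx9vQ2mLp8Rt4Wz7 RO 20
access-list 20 permit 10.0.0.5
!
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

Run against the sample, the script reports three HIGH findings (the `public` string, the read-write community, Telnet on the vty line), two MEDIUM findings (no ACL on `public`, ACL 10 referenced but undefined) and one INFO note that no SNMPv3 authPriv group exists. Community strings are masked in the output so the audit log itself does not become a credential store.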
Takedown of GitHub Repositories Disrupts RedLine Malware Operations
The RedLine information stealer’s operations have been disrupted after the takedown of GitHub repositories used by the malware’s control panels. A piece of commodity malware active since at least early 2020, the RedLine stealer is written in .NET and packs broad data exfiltration capabilities.
The malware targets system information, cookies and other browser data, login credentials for various applications and services, credit card information, and crypto wallets.
Available under the stealer-as-a-service business model, RedLine was seen being offered by 23 of 34 Russian-speaking groups that were distributing infostealers last year. Each of the groups had an average of 200 members.
RedLine is sold on underground forums and Telegram channels. Affiliates purchase access to an all-in-one control panel that acts as a command-and-control (C&C) server, allowing them to generate new samples and to manage stolen information.
Recently, threat actors were seen distributing the information stealer via the PureCrypter downloader, fake Adobe Acrobat Sign signature requests, and malicious Microsoft OneNote documents.
Stealer-as-a-service is one of the top three crime-as-a-service categories likely to be prevalent in 2023, along with ransomware-as-a-service and victims-as-a-service.
New Qbot campaign delivers malware by hijacking business emails
Cyberattacks that use banking trojans of the Qbot family have been targeting companies in Germany, Argentina, and Italy since April 4 by hijacking business emails.
In the latest campaign, the malware is delivered through emails written in English, German, Italian, and French. The messages are based on real business emails that the attackers have gained access to. This gives the attackers the opportunity to join the correspondence thread with messages of their own.
Through such emails, the attackers try to persuade the victim to download an attached PDF, which eventually helps them install the Qbot trojan on the victim’s computer. For authenticity, the attackers put the sender’s name from the previous messages in the ‘From’ field; however, the sender’s fraudulent email address will differ from that of the real correspondent.
Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan first observed in 2007 and designed to steal victims’ banking credentials. The trojan has gone through multiple modifications and improvements and has become one of the most widely distributed malware families.
The Qbot malware delivery campaign begins with an email carrying a PDF attachment. The PDF’s content imitates a Microsoft Office 365 or Microsoft Azure alert, recommending that the victim click “Open to view the attached files.” Once the link is opened, an archive is downloaded from a remote server.
A PowerShell script then runs on the victim’s computer to download the Qbot trojan, which attempts to steal the victim’s banking credentials.
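As an added example (not code from the reporting or from any vendor), the following shows how a mail gateway could flag the thread-hijacking lure described above: a display name that matches a known correspondent while the actual address differs, combined with reply markers (subject prefix, In-Reply-To/References headers) and a PDF attachment. The correspondent list and both test messages are constructed for illustration; the mismatch alone is only flagged, but a mismatch inside an apparent reply or with a PDF attached is quarantined.

```python
"""Flag hijacked-thread lures: familiar display name, unfamiliar address, PDF attached."""
from dataclasses import dataclass, field
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List

# Constructed for this example: addresses seen in prior legitimate correspondence,
# keyed by lower-cased display name. A real gateway would build this from mail history.
KNOWN_CORRESPONDENTS = {
    "anna schulz": "anna.schulz@beispiel-gmbh.de",
    "marco rossi": "m.rossi@esempio-srl.it",
}

# Reply/forward prefixes in the campaign's languages (English, German, Italian, French).
REPLY_PREFIXES = ("re:", "aw:", "r:", "fw:", "fwd:", "wg:", "tr:")


@dataclass
class Verdict:
    action: str                  # "allow", "flag" or "quarantine"
    sender_display: str
    sender_address: str
    reasons: List[str] = field(default_factory=list)


def analyse_message(raw: str, known: Dict[str, str]) -> Verdict:
    msg = message_from_string(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    verdict = Verdict("allow", display, address.lower())

    # 1. Same display name as a known correspondent, but a different mailbox.
    expected = known.get(display.strip().lower())
    mismatch = bool(expected) and expected.lower() != address.lower()
    if mismatch:
        verdict.reasons.append(f"display name '{display}' is known as {expected}, but mail came from {address}")

    # 2. Does the message pose as part of an existing thread?
    subject = str(msg.get("Subject", "")).strip().lower()
    in_thread = subject.startswith(REPLY_PREFIXES) or bool(msg.get("In-Reply-To")) or bool(msg.get("References"))
    if in_thread:
        verdict.reasons.append("message presents itself as a reply in an existing thread")

    # 3. PDF attachments, the lure type used in this campaign.
    pdfs = [part.get_filename() or "<unnamed>" for part in msg.iter_attachments()
            if part.get_content_type() == "application/pdf"]
    if pdfs:
        verdict.reasons.append("PDF attachment(s): " + ", ".join(pdfs))

    # Decision: the address mismatch is the key signal; thread context or a PDF escalates it.
    if mismatch and (in_thread or pdfs):
        verdict.action = "quarantine"
    elif mismatch:
        verdict.action = "flag"
    return verdict


# Constructed test messages (not real campaign samples). The PDF body is a minimal header only.
HIJACKED_REPLY = """\
From: Anna Schulz <anna.schulz@beispiel-mail.net>
To: buchhaltung@example.com
Subject: AW: Rechnung Q1 / Vertragsunterlagen
In-Reply-To: <20230328.1234@beispiel-gmbh.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hallo, anbei die angeforderten Unterlagen.
--b1
Content-Type: application/pdf; name="Dokument.pdf"
Content-Disposition: attachment; filename="Dokument.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Same thread, same attachment, but from the address the correspondent really uses.
GENUINE_REPLY = HIJACKED_REPLY.replace("anna.schulz@beispiel-mail.net", "anna.schulz@beispiel-gmbh.de")

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED_REPLY), ("genuine", GENUINE_REPLY)):
        v = analyse_message(raw, KNOWN_CORRESPONDENTS)
        print(f"{name}: {v.action} <- {v.reasons}")
```

The genuine reply carries the same subject prefix and the same PDF, and is allowed; only the address mismatch turns those otherwise ordinary features into a quarantine decision, which keeps the check from blocking every legitimate invoice reply.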
The first emails with malicious PDF attachments began to arrive on the evening of April 4. The mass mailing started at 12:00 pm the following day and continued until 9:00 pm; approximately 1,000 emails were detected in that window. A second surge began at noon on April 6, with over 1,500 emails dispatched. Activity has since declined, but users still receive fraudulent messages. The campaign mainly targets users in Germany, Argentina, and Italy.
In March, Qbot was the most prevalent malware, affecting more than 10% of organisations worldwide. Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
The trojan’s distribution methods have also evolved. Earlier it was distributed through infected websites and pirated software; now it reaches potential victims through malware already present on their computers, social engineering, and spam mailings.
Payment Processing Giant NCR Global Hit By Ransomware Attack
NCR, a major player in the US payments industry, admitted it was a target of a ransomware attack for which the BlackCat/Alphv group claimed responsibility.
On April 12, NCR revealed that it was looking into an “issue” with its Aloha restaurant point-of-sale (PoS) system.
On April 15, the business announced that an outage at a single data center had affected only a few of its hospitality customers’ ancillary Aloha applications.
“On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified,” NCR said.
NCR is a US software and technology consulting firm that offers restaurants, enterprises, and retailers digital banking, POS systems, and payment processing solutions. Since Wednesday, one of its products, the Aloha POS platform used in the hospitality industry, has been down, leaving customers unable to use it.
After going silent for many days, NCR finally revealed today that the Aloha POS platform’s data centers were the target of a ransomware attack that triggered the outage.
“As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers,” reads an email sent to Aloha POS customers.
On the data leak site used by the BlackCat/ALPHV ransomware gang, a short-lived post saw the threat actors claim responsibility. The post also included part of the negotiation dialogue between the ransomware gang and an alleged NCR representative. In that exchange, the ransomware group allegedly told NCR that it had not stolen any data stored on the servers during the attack.
BlackCat has since removed the NCR post from their data breach website, hoping the firm will agree to discuss a ransom.
LockBit ransomware encryptors found targeting Mac devices
The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS.
The new encryptors came to light when a ZIP archive uploaded to VirusTotal was found to contain what appears to be most of the available LockBit encryptors.
Historically, the LockBit operation uses encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, this archive [VirusTotal] also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. These encryptors also include one named ‘locker_Apple_M1_64’ [VirusTotal] that targets the newer Macs running on Apple Silicon. The archive also contains lockers for PowerPC CPUs, which older Macs use.
These are believed to be in-development or test builds, and the encryptor is far from complete: it lacks the functionality required to encrypt Macs properly. The macOS encryptor appears to be based on the Linux version, compiled for macOS with some basic configuration settings. Furthermore, when launched it crashes due to a buffer overflow bug in its code.
While Windows has been the most targeted operating system in ransomware attacks, nothing prevents developers from creating ransomware that targets Macs. However, as the LockBit operation is known for pushing the envelope in ransomware development, it would not be surprising to see more advanced and optimised encryptors for these CPU architectures released in the future.
Therefore, all computer users, including Mac owners, should practice good online safety habits, including keeping the operating system updated, not opening unknown attachments and executables, keeping offline backups, and using strong, unique passwords at every site.
Russia-linked APT29 Attacking NATO and European Union Countries
The Polish military, along with CERT.PL, recently found that a Russian state-sponsored hacking group, dubbed APT29 (aka Cozy Bear and Nobelium), is actively targeting NATO and European Union countries and, to a lesser extent, Africa. The cyberespionage group’s campaign focused on obtaining sensitive information from foreign ministries and diplomatic entities through data harvesting techniques.
Using fake emails purporting to come from the embassies of European countries, the attackers targeted diplomatic personnel with spear-phishing that directed victims to malicious websites. The emails also carried ISO, IMG, and ZIP attachments intended to deploy malware on the targets’ systems.
The EnvyScout dropper, delivered by HTML smuggling from APT29-controlled websites, infected victims and led to the deployment of malware downloaders such as SNOWYAMBER and QUARTERRIG.
Additionally, the attackers used a Cobalt Strike Beacon stager called HALFRIG to distribute more malware.
To determine target relevance and evade honeypots or virtual machines used for malware analysis, attackers employed SNOWYAMBER and QUARTERRIG for reconnaissance purposes.
After a manual verification process of the infected workstation, the downloaders SNOWYAMBER and QUARTERRIG were used to deploy commercial tools like:-
- COBALT STRIKE
- BRUTE RATEL
HALFRIG operates as a loader that contains the Cobalt Strike payload and launches it automatically, unlike the other downloaders.
The Russian Foreign Intelligence Service (SVR) hacking division, APT29, was responsible for the SolarWinds supply-chain attack three years ago, resulting in various U.S. federal agencies’ infiltration.
APT29 has continued to breach the networks of various organisations since the SolarWinds attack using stealthy malware such as the TrailBlazer and a variant of the GoldMax Linux backdoor, which remained undetected for years.
In their pursuit of sensitive foreign policy information, the APT29 group has targeted Microsoft 365 accounts in NATO countries and conducted multiple phishing campaigns aimed at:-
- European governments
- European Embassies
- High-ranking officials
Vice Society ransomware uses new PowerShell data theft tool in attacks
The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.
Vice Society’s new data exfiltrator is fully automated and uses “living off the land” binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data.
The new data theft tool was discovered in early 2023, when a file was recovered from a victim’s network named “w1.ps1” and, more specifically, referenced in an Event ID 4104: Script Block Logging event. The script uses PowerShell to automate data exfiltration and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill(). These four functions are used to identify potential directories for exfiltration, process groups of directories, and eventually exfiltrate data via HTTP POST requests to Vice Society’s servers.
While there appears to be some automated functionality in the script to determine what files are stolen, there is still a master exclusion and inclusion list to help refine what files are stolen. For example, the script will not steal data from folders whose names include common strings for backups, program installation folders, and Windows operating system folders.
However, it specifically targets folders whose names contain any of over 433 strings in English, Czech, German, Lithuanian, Luxembourgish, Portuguese, and Polish, with an emphasis on German and English.
The PowerShell script uses system-native cmdlets like “Get-ChildItem” and “Select-String” to search and exfiltrate data from the infected machine, minimising its footprint and maintaining a stealthy profile.
Another interesting aspect of Vice Society’s new data exfiltrator is its rate limiting: it caps the script at 10 simultaneously running jobs of five directory groups each, so that it does not consume too much of the host’s resources. Although the specific goal behind this is unclear, it aligns with good coding practice and shows a professional level of scripting.
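The description above (a script discovered through Event ID 4104 script block logging, built from Get-ChildItem, Select-String, HTTP POST and a job throttle, with exclusion lists for backup, program and OS folders and the function names Work, Show, CreateJobLocal and fill) translates directly into a detection. Here is an added example, not code from the researchers or from Vice Society, that scores PowerShell script blocks for those indicators. Long scripts are written to the log as several 4104 fragments sharing a ScriptBlockId, so the detector reassembles fragments before matching; the sample events are constructed for this example, the first script imitates only the shape the report describes (it is not the real w1.ps1), and the weights and alert threshold are assumptions.

```python
"""Score reassembled PowerShell script blocks (Event ID 4104) for the exfiltration pattern above."""
import re
from collections import defaultdict

# Indicator name -> (pattern, weight, description). Weights are an assumption for this example.
INDICATORS = {
    "enumerates_files": (re.compile(r"Get-ChildItem\b[^\n]*-Recurse", re.I), 1,
                         "recursive directory enumeration"),
    "content_search":   (re.compile(r"\bSelect-String\b", re.I), 1,
                         "content search over files"),
    "http_post":        (re.compile(r"(Invoke-WebRequest|Invoke-RestMethod)[^\n]*-Method\s+Post"
                                    r"|\.Upload(File|Data|String)\(", re.I), 3,
                         "HTTP POST of data to a remote server"),
    "parallel_jobs":    (re.compile(r"\bStart-(Thread)?Job\b|-ThrottleLimit\b|Get-Job\s+-State\s+Running", re.I), 1,
                         "background jobs with throttling"),
    "skips_noise":      (re.compile(r"-notmatch\s*'[^']*(backup|Program Files|Windows)", re.I), 1,
                         "exclusion list for backup, program and OS folders"),
    "named_functions":  (re.compile(r"\bfunction\s+(Work|Show|CreateJobLocal|fill)\b", re.I), 2,
                         "function names reported for w1.ps1"),
}
ALERT_THRESHOLD = 6  # assumption: enumeration + search + named functions alone stay below it


def reassemble_script_blocks(events):
    """Join fragmented 4104 events by ScriptBlockId so patterns split across fragments still match."""
    chunks = defaultdict(dict)
    paths = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        sbid = ev["ScriptBlockId"]
        chunks[sbid][ev.get("MessageNumber", 1)] = ev["ScriptBlockText"]
        paths[sbid] = ev.get("Path") or "<no file: interactive or in-memory>"
    return {sbid: ("".join(text for _, text in sorted(parts.items())), paths[sbid])
            for sbid, parts in chunks.items()}


def score_script_block(text):
    """Return (score, [indicator names]) for one complete script block."""
    score, hits = 0, []
    for name, (pattern, weight, _) in INDICATORS.items():
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def detect(events):
    """Alerts for every reassembled script block at or above the threshold, highest score first."""
    alerts = []
    for sbid, (text, path) in reassemble_script_blocks(events).items():
        score, hits = score_script_block(text)
        if score >= ALERT_THRESHOLD:
            alerts.append({"script_block_id": sbid, "path": path, "score": score, "hits": hits})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed events. The first script imitates only the *shape* described in the report
# (it is not the real w1.ps1) and is split across two 4104 fragments; the second is a benign admin task.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "b7c1", "MessageNumber": 1, "MessageTotal": 2,
     "Path": r"C:\Users\Public\w1.ps1",
     "ScriptBlockText": r"""function Work($dir) {
  $files = Get-ChildItem -Path $dir -Recurse -File | Where-Object { $_.FullName -notmatch 'backup|Program Files|\\Windows\\' }
  foreach ($f in $files) { if (Select-String -Path $f.FullName -Pattern $pattern -Quiet) { fill $f } }
}
function fill($f) {
  $bytes = [IO.File]::ReadAllBytes($f.FullName)
  Invoke-WebRequest -Uri $u """},
    {"EventID": 4104, "ScriptBlockId": "b7c1", "MessageNumber": 2, "MessageTotal": 2,
     "Path": r"C:\Users\Public\w1.ps1",
     "ScriptBlockText": r"""-Method Post -Body $bytes | Out-Null
}
while ((Get-Job -State Running).Count -ge 10) { Start-Sleep 1 }
Start-Job -ScriptBlock { Work $g }
"""},
    {"EventID": 4104, "ScriptBlockId": "a1d2", "MessageNumber": 1, "MessageTotal": 1,
     "Path": r"C:\ops\find-errors.ps1",
     "ScriptBlockText": r"""Get-ChildItem C:\inetpub\logs -Recurse -Filter *.log | Select-String -Pattern ' 500 ' | Out-File C:\ops\errors.txt"""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Scored fragment by fragment, neither half of the first script reaches the threshold and the HTTP POST indicator is never seen, because `Invoke-WebRequest -Uri $u` and `-Method Post` land in different events; reassembled, the block scores 9 and alerts, while the admin log search scores 2 and stays quiet.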
In December 2022, researchers warned about Vice Society having switched to a new, sophisticated file encryptor dubbed “PolyVice,” which was probably supplied by a contracted developer who also sold his malware to Chilly and SunnyDay ransomware.
Unfortunately, with the adoption of ever-sophisticated tools, Vice Society has become a more formidable threat to organisations worldwide, giving defenders fewer opportunities to detect and stop the attacks.