Friday, November 25th, 2022
Cybersecurity Week in Review (25/11/22)
Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware
US companies have been targeted by an aggressive Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. The ransomware gang is using Qakbot to create an initial point of entry and move laterally within an organisation’s network.
Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as leverage to extort cryptocurrency payments by threatening to release the stolen information. Similar attacks were identified last month that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which in turn, was leveraged to drop Cobalt Strike. The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which connects to a remote server to retrieve the Cobalt Strike payload. At this stage, credential harvesting and lateral movement activities are carried out to place the red team framework on several servers, before breaching as many endpoints as possible using the collected passwords and launching the Black Basta ransomware.
Over 10 different customers were impacted by the fresh set of attacks in the past two weeks. In two instances the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service in a bid to make recovery more challenging. Black Basta remains a highly active ransomware actor with the ransomware cartel successfully targeting 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.
Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries
Intrusion activity aimed at Indian power grid entities earlier this year was disclosed by Microsoft this week. The intrusions involved the exploitation of security flaws in a now-discontinued web server called Boa. The vulnerable component poses a supply chain risk that may affect millions of organisations and devices.
This attack is similar to a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India. The attacks have been attributed to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful probing attempts, China denied it was behind the campaign. The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several espionage groups that conduct intelligence-gathering missions on behalf of the nation. Although the exact initial infection vector used to breach the networks remains unknown, the ShadowPad implant was controlled by using a network of compromised internet-facing DVR/IP camera devices. Microsoft said its own investigation into the attack activity uncovered Boa as a common link, assessing that the intrusions were directed against exposed IoT devices running the web server. More than one million internet-exposed Boa server components were discovered worldwide in a single week, with significant concentrations in India.
Some of the high-severity bugs affecting Boa include CVE-2017-9833 and CVE-2021-33558, which, if successfully exploited, could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution. Weaponising these unpatched shortcomings could further enable threat actors to glean more information about the targeted IT environments, effectively making way for disruptive attacks.
34 Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware
Over 50 million passwords were stolen in the first seven months of 2022 by as many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model. Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards. The majority of the victims were located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, over 890,000 devices in 111 countries were infected during the time frame.
Members of several scam groups who are propagating the information stealers previously participated in the Classiscam operation. These groups are active on Telegram and have around 200 members on average. They consist of administrators and workers (or traffers), the latter of whom are responsible for driving unsuspecting users to info-stealers like RedLine and Raccoon. This is achieved by setting up bait websites that impersonate well-known companies and lure victims into downloading malicious files. Links to such websites are embedded into YouTube video reviews for popular games and lotteries on social media or shared directly with NFT artists.
Following a successful compromise, the cyber criminals peddle the stolen information on the dark web for monetary gain. The development highlights the crucial role played by Telegram in facilitating a range of criminal activities, including functioning as a hub for announcing product updates, offering customer support and exfiltrating data from compromised devices.
Ducktail hackers now use WhatsApp to phish for Facebook Ad accounts
Facebook Business accounts have been hijacked by a cybercriminal operation tracked as Ducktail, causing losses of up to $600,000 in advertising credits. The gang has previously been spotted using malware to steal Facebook-related information and hijack associated business accounts to run its own ads, paid for by the victim.
Believed to be the work of a threat actor based in Vietnam, Ducktail was first documented earlier this year targeting individuals with high-level access to the Facebook business account that enables companies to reach a specific audience through paid campaigns and advertisements. The operation works by delivering info-stealing malware through LinkedIn, luring the target into launching a malicious file with a name related to brands, products, and product planning. One of the unique features of the malware is its ability to hijack Facebook Business accounts associated with the victim’s Facebook account. It attempts to grant the threat actor’s emails access to the business with the highest privilege roles.
A Facebook business account can be associated with multiple email addresses that are used for access to the Business Manager panel with various permissions: admin, employee, finance analyst, and finance editor. Individuals with administrator and finance editor roles are Ducktail’s main targets as they have control over the settings, people’s permissions, tools, and financial details. Once launched on the victim’s system, the Ducktail malware can steal all stored cookies from Google Chrome, Microsoft Edge, Brave, and Firefox. Using the session cookie, it interacts with various Facebook endpoints from the victim’s machine and collects further information (access tokens, two-factor authentication codes, user agents, IP address, geolocation) that would allow the threat actor to impersonate the victim from other systems. In the new campaign, the threat actor switched to a new malware variant that uses the .NET 7 Native AOT feature that allows compiling the binary without .NET runtime installed on the victim’s machine. Another difference is that the operator’s email addresses are no longer hardcoded in the binary but delivered from Telegram bot accounts acting as command and control (C2) servers.
To make detection more difficult, the threat actor signed their binaries with extended validation certificates, a tactic they have been using since mid-2021. The certificates were purchased through businesses registered in Vietnam, none of them operational. Based on the incident response engagements, Ducktail targeted companies in the advertising industry, which reported direct financial damage between $100,000 and $600,000.
Pro-Russian hacktivists take down EU Parliament site in DDoS attack
Anonymous Russia, part of the pro-Russian hacktivist group Killnet, has claimed responsibility for a DDoS (Distributed Denial of Service) attack on the European Parliament website. The Director General for Communication and Spokesperson of the European Parliament, Jaume Duch, confirmed the incident and that the website was down as a result of the attack.
The attack came after the European Parliament recognised Russia as a state sponsor of terrorism and MEPs called for further international isolation of Russia. The resolution was adopted on Wednesday following recent developments in Russia’s war of aggression against Ukraine. Pro-Kremlin hacktivist groups have targeted European and U.S. websites since Russia invaded Ukraine. For instance, Killnet recently claimed large-scale distributed denial-of-service (DDoS) attacks targeting the websites of several major U.S. airports last month. Earlier this month, the FBI said that DDoS attacks coordinated by pro-Russian hacktivists have a minor impact on their targets because they’re attacking public-facing infrastructure like websites instead of the actual services, leading to limited disruption.
AirAsia Hacked – 5 Million Passengers’ and Employees’ Data Stolen
The Daixin Team operation launched a ransomware attack against AirAsia Group earlier this month, resulting in the leak of personal information pertaining to 5 million unique passengers as well as employees. AirAsia is a Malaysian multinational low-cost airline headquartered near Kuala Lumpur, Malaysia. They operate scheduled domestic and international flights to more than 165 destinations spanning 25 countries.
Daixin Team contacted the airline with two files. The first file held information on named passengers and the second held employee information with numerous fields, including name, date of birth, country of birth, location, and employment start date. It is believed that no money has been paid, given that Daixin has said it will release AirAsia’s data, including backdoor information, to the public.
The network, according to Daixin, is rather chaotic and doesn’t seem to have any established standards, which irritated the attackers who subsequently decided not to proceed. The poor organization on AirAsia Group’s network spared the company further attacks.
In addition to leaking the passenger and employee data on their dedicated leak site, the group plans to make information about the network available privately and freely on hacker forums. The Daixin Team disclaims responsibility for future negative consequences.
Security Researchers Looking at Mastodon as Its Popularity Soars
Now that the decentralised social media platform Mastodon’s popularity has soared, researchers have started finding vulnerabilities and other security issues.
After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. Many Twitter users have been looking at alternatives and one of them has been Mastodon, which has now passed more than 2 million active monthly users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.
Mastodon has a user interface similar to Twitter, but unlike Twitter, it’s not owned by a single company. Instead, Mastodon is a free and open-source software for running self-hosted social networking services. There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.
Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform. One such incident discovered earlier this month was that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials. The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page. The issue affected a Mastodon fork named Glitch and it existed due to an HTML attribute allowed only by the developers of this fork. A patch has been released.
Another potentially serious issue in Infosec.exchange identified this month was a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. It could also have allowed the deletion of all files on the server and the replacement of existing files, such as profile pictures.
A few other vulnerabilities have been found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorised access to sensitive information, and a critical flaw that could allow brute force attacks.
Aurora infostealer malware increasingly adopted by cybergangs
A new Go-based information stealer named ‘Aurora’ is being increasingly used by attackers to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. At least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families. The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected.
Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features. However, in late August 2022, Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.
The highlight features listed in the promotional posts are:
- Polymorphic compilation that doesn’t require crypter wrapping
- Server-side data decryption
- Targets over 40 cryptocurrency wallets
- Automatic seed phrase deduction for MetaMask
- Reverse lookup for password collection
- Runs on TCP sockets
- Communicates with C2 only once, during license check
- Fully native small payload (4.2 MB) requiring no dependencies
The cost to rent the malware is $250 per month or $1,500 for a lifetime license.
Upon execution, Aurora runs several commands through WMIC to collect basic host information, captures a screenshot of the desktop, and sends everything to the C2. Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram. The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty. All stolen data is bundled in a single base64-encoded JSON file and exfiltrated to the C2 through TCP ports 8081 or 9865. Aurora’s malware loader uses “net_http_Get” to drop a new payload onto the filesystem under a random name and then uses PowerShell to execute it.
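The exfiltration pattern described above (a base64-wrapped JSON bundle sent over TCP port 8081 or 9865) gives a network defender two cheap signals to combine. The following is an added illustration of that check, written for this digest; it is not code from any Aurora analysis or security product. The flow-record shape, the sample bundle's key names and the key-count threshold are assumptions made for the example.

```python
"""Heuristic for spotting an Aurora-style exfiltration payload in captured outbound traffic.

Added example, not code from the Aurora report or any vendor. The sample bundle below is
constructed; the C2 ports are the ones named in the digest.
"""
import base64
import binascii
import json

# Destination ports named in the report for Aurora's exfiltration channel.
AURORA_C2_PORTS = {8081, 9865}


def decode_base64_json(payload: bytes):
    """Return the decoded JSON object if payload is base64 wrapping a JSON document, else None."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64 at all
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None  # base64, but not wrapping JSON text
    return obj if isinstance(obj, dict) else None


def classify_flow(dst_port: int, payload: bytes, min_keys: int = 3) -> str:
    """Verdict for one outbound TCP flow: 'ignore', 'review' or 'alert'.

    'alert' requires both signals: a known C2 port and a base64-wrapped JSON object
    with at least min_keys top-level keys (a stealer bundle carries many categories).
    """
    if dst_port not in AURORA_C2_PORTS:
        return "ignore"
    obj = decode_base64_json(payload)
    if obj is None:
        return "review"  # unusual port, but not the encoding the report describes
    return "alert" if len(obj) >= min_keys else "review"


# Constructed stand-in for a stolen-data bundle (key names are assumptions).
SAMPLE_BUNDLE = {
    "host": "WS-01",
    "user": "jdoe",
    "browsers": {"chrome": {"cookies": 12, "passwords": 4}},
    "wallets": ["exodus", "electrum"],
}
SAMPLE_PAYLOAD = base64.b64encode(json.dumps(SAMPLE_BUNDLE).encode("utf-8"))


if __name__ == "__main__":
    print(classify_flow(8081, SAMPLE_PAYLOAD))        # alert
    print(classify_flow(443, SAMPLE_PAYLOAD))         # ignore
    print(classify_flow(9865, b"GET / HTTP/1.1"))     # review
```

The port check alone would be noisy (8081 is a common alternate HTTP port), and the encoding check alone would match plenty of legitimate API traffic; requiring both before raising an alert, and routing single-signal flows to review, keeps the rule usable on a real network.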
Currently, Aurora is distributed to victims via various channels, which is to be expected considering the involvement of seven distinct operators. Cryptocurrency phishing sites have been promoted via phishing emails and YouTube videos that link to fake software and cheat catalogue sites.
Google Chrome extension used to steal cryptocurrency, passwords
Since the beginning of 2022, 93,000 ViperSoftX infection attempts have been detected against a security vendor's customers, mainly impacting the United States, Italy, Brazil, and India. The main distribution channel for ViperSoftX is torrent files containing laced game cracks and software product activators. By analysing the wallet addresses hardcoded in samples of ViperSoftX and VenomSoftX, it has been determined that the two had collectively earned their operators about $130,000 by November 8th, 2022. This stolen cryptocurrency was obtained by diverting cryptocurrency transactions attempted on compromised devices and does not include profits from parallel activities.
The downloaded executable is a malware loader that decrypts AES data to create the following five files:
- Log file hiding a ViperSoftX PowerShell payload
- XML file for the task scheduler
- VBS file for establishing persistence by creating a scheduled task
- Application binary (promised game or software)
The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer. A key feature of newer ViperSoftX variants is the installation of a malicious browser extension named VenomSoftX on Chrome-based browsers (Chrome, Brave, Edge, Opera).
To stay hidden from the victims, the installed extension masquerades as “Google Sheets 2.1”, supposedly a Google productivity app. While VenomSoftX appears to overlap with ViperSoftX activity, since both target a victim’s cryptocurrency assets, it performs the theft differently, giving the operators a higher chance of success. VenomSoftX mainly steals crypto by hooking API requests on a few very popular crypto exchanges that victims visit or hold accounts with. When a certain API is called, for example to send money, VenomSoftX tampers with the request before it is sent, redirecting the money to the attacker instead. The services targeted by VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin, while the extension also monitors the clipboard for the addition of wallet addresses. The extension can modify HTML on websites to display a user’s cryptocurrency wallet address while manipulating the elements in the background to redirect payments to the threat actor. To determine the victim’s assets, the VenomSoftX extension also intercepts all API requests to the cryptocurrency services mentioned above. It then sets the transaction amount to the maximum available, siphoning all available funds.
Finally, if a user pastes content into any website, the extension will check if it matches any of the regular expressions shown above, and if so, send the pasted content to the threat actors.
Hackers steal $300,000 in DraftKings credential stuffing attack
Following an early Monday morning tweet saying that DraftKings was investigating reports of customers experiencing issues with their accounts, the sports betting company said today that it would make whole the customers affected by a credential stuffing attack that led to losses of up to $300,000.
The common denominator for all accounts that got hijacked seems to be an initial $5 deposit followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, and then withdrawing as much as possible from the victims’ linked bank accounts. Some victims have also expressed their frustration on social media because they were unable to get in contact with anyone at DraftKings while having to watch the attackers repeatedly withdrawing money from their bank accounts.
DraftKings denies that its own systems were breached, instead suggesting that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts, where they had reused the same login information. The company advised customers never to use the same password for more than one online service and never to share their credentials with third-party platforms, including betting trackers and betting apps other than the ones provided by DraftKings. Any customers not yet affected by this credential-stuffing campaign are advised to immediately turn on 2FA on their accounts and remove any banking details or, even better, unlink their bank accounts to block fraudulent withdrawal requests.
In credential stuffing, threat actors use automated tools to make repeated attempts (up to millions at a time) to gain access to user accounts using credentials (commonly in user/password pairs) stolen from other online services. This works particularly well against the accounts whose owners have reused credentials across multiple platforms. The goal is to take over as many accounts as possible to steal associated personal and financial info that can later be sold on the dark web or on hacking forums.
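The two paragraphs above describe both halves of what a defender can detect: on the login side, one source trying many different usernames with mostly failures; on the account side, the takeover sequence of password change, 2FA moved to a new phone number, then withdrawals. The code below is an added example of both checks over constructed log records; it is not DraftKings' code or any product's detection logic. The record formats, event names, thresholds and sample values are assumptions made for this example.

```python
"""Credential-stuffing and account-takeover detection over constructed event records.

Added example, not DraftKings' or any vendor's code. Log shapes, thresholds and
sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Login side: (timestamp, source_ip, username, outcome) -----------------
# Constructed: one source cycles through 30 usernames in 30 seconds with two hits,
# while a legitimate user mistypes a password twice from another address.
LOGIN_EVENTS = [
    (f"2022-11-21T04:00:{i:02d}", "203.0.113.7", f"user{i:03d}",
     "success" if i in (5, 17) else "fail")
    for i in range(30)
] + [
    ("2022-11-21T04:01:00", "198.51.100.9", "bob", "fail"),
    ("2022-11-21T04:01:20", "198.51.100.9", "bob", "fail"),
    ("2022-11-21T04:01:45", "198.51.100.9", "bob", "success"),
]


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=20, max_success_rate=0.2):
    """Flag source IPs that try many distinct usernames in a short window, mostly failing.

    A sliding window per IP catches the automated-tool pattern: high username
    breadth plus a low success rate, which ordinary users never produce.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, o in span if o == "success")
            rate = successes / len(span)
            if rate <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(span),
                               "success_rate": round(rate, 3)}
                break
    return flagged


# --- Account side: (timestamp, account, action) -----------------------------
TAKEOVER_SEQUENCE = ("password_change", "mfa_phone_change", "withdrawal")

ACCOUNT_EVENTS = [  # constructed
    ("2022-11-21T04:05:00", "victim01", "login"),
    ("2022-11-21T04:05:40", "victim01", "deposit"),
    ("2022-11-21T04:06:10", "victim01", "password_change"),
    ("2022-11-21T04:06:50", "victim01", "mfa_phone_change"),
    ("2022-11-21T04:09:00", "victim01", "withdrawal"),
    ("2022-11-21T09:00:00", "bob", "login"),
    ("2022-11-21T09:02:00", "bob", "withdrawal"),
    ("2022-11-21T10:00:00", "carol", "password_change"),
    ("2022-11-22T10:00:00", "carol", "mfa_phone_change"),  # a day later, no withdrawal
]


def find_takeover_sequences(events, window=timedelta(hours=1)):
    """Return accounts where TAKEOVER_SEQUENCE occurs in order within `window`."""
    by_account = defaultdict(list)
    for ts, account, action in events:
        by_account[account].append((datetime.fromisoformat(ts), action))
    hits = []
    for account, rows in sorted(by_account.items()):
        rows.sort()
        for i, (t0, action) in enumerate(rows):
            if action != TAKEOVER_SEQUENCE[0]:
                continue
            needed = list(TAKEOVER_SEQUENCE[1:])
            for t, a in rows[i + 1:]:
                if t - t0 > window:
                    break
                if needed and a == needed[0]:
                    needed.pop(0)
            if not needed:
                hits.append(account)
                break
    return hits


if __name__ == "__main__":
    print(find_stuffing_sources(LOGIN_EVENTS))     # {'203.0.113.7': {...}}
    print(find_takeover_sequences(ACCOUNT_EVENTS))  # ['victim01']
```

The login-side rule is what a service can act on immediately (rate-limit or challenge the source); the account-side rule is the one that would have surfaced the affected customers even where the attacker's logins succeeded on the first try with reused credentials, since it keys on the post-login behaviour rather than on failures.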