New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.

Researchers, who discovered the new attack tool in two recent intrusions, said the loader’s icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it.

CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device. In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code.

It’s currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader (“cherrytree.exe”) and its associated files (“NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data”) are contained within a RAR archive file (“Packed.rar”) hosted on the IP address 141.11.187[.]70.

Downloaded along with the RAR file is an executable (“main.exe”) that’s used to unpack and launch the Golang binary, which only proceeds if the first argument passed to it matches a hard-coded MD5 password hash.

The loader subsequently decrypts “NuxtSharp.Data” and writes its contents to a file named “File.log” on disk that, in turn, is designed to decode and run “Spof.Data” as “12.log” using a fileless technique known as process ghosting that first came to light in June 2021.

“This technique is modular in design and will allow the threat actor to leverage other exploit code in place of Spof.Data,” the researchers said. “In this case, Juicy.Data which contains a different exploit, can be swapped in place without recompiling File.log.”

The process associated with “12.log” is linked to an open-source privilege escalation tool named PrintSpoofer, while “Juicy.Data” is another privilege escalation tool named JuicyPotatoNG.

A successful privilege escalation is followed by the execution of a batch file script called “user.bat” to set up persistence on the host and disarm Microsoft Defender.

“CherryLoader is [a] newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code,” the researchers concluded.

Source – https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html

HPE: Russian Hackers Breached its Security Team’s Email Accounts

Hewlett Packard Enterprise (HPE) disclosed today that suspected Russian hackers known as Midnight Blizzard gained access to the company’s Microsoft Office 365 email environment to steal data from its cybersecurity team and other departments.

Midnight Blizzard, aka Cozy Bear, APT29, and Nobelium, is a Russian state-sponsored hacking group believed to be part of Russia’s Foreign Intelligence Service (SVR). The threat actors have been linked to multiple attacks throughout the year, including the infamous 2020 SolarWinds supply chain attack.

In a new Form 8-K SEC filing, HPE says they were notified on December 12th that the suspected Russian hackers breached their cloud-based email environment in May 2023.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” reads the SEC filing.

HPE says they are still investigating the breach but believe it is related to a previous breach in May 2023, when threat actors gained access to the company’s SharePoint server and stole files.

The company continues to work with external cybersecurity experts and law enforcement to investigate the incident.

In response to further questions about the breach, HPE shared the following statement.

“On December 12, 2023, HPE was notified that a suspected nation-state actor had gained unauthorized access to the company’s Office 365 email environment. HPE immediately activated cyber response protocols to begin an investigation, remediate the incident, and eradicate the activity. Through that investigation, which remains ongoing, we determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear.

The accessed data is limited to information contained in the users’ mailboxes. We continue to investigate and will make appropriate notifications as required.

Out of an abundance of caution and a desire to comply with the spirit of new regulatory disclosure guidelines, we have filed a form 8-K with the Securities & Exchange Commission to notify that body, and investors, about this incident. That said, there has been no operational impact on our business and, to date, we have not determined that this incident is likely to have a material financial impact.”

While HPE has not provided any further details, Microsoft recently reported a security breach by Midnight Blizzard that also involved data theft from the company’s corporate email accounts, including its leadership team. Microsoft’s breach was caused by a misconfigured test tenant account that allowed the threat actors to brute force the account’s password and log in to their systems.

Using this access, Midnight Blizzard gained access to corporate email accounts to steal data from Microsoft’s senior leadership team and employees in its cybersecurity and legal departments.

The company was previously breached in 2018 when Chinese hackers breached it’s and IBM’s network and then used that access to hack into their customers’ devices. More recently, in 2021, HPE disclosed that the data repositories for its Aruba Central network monitoring platform were compromised, allowing a threat actor to access data about monitored devices and their locations.

Source – https://www.bleepingcomputer.com/news/security/hpe-russian-hackers-breached-its-security-teams-email-accounts/#google_vignette

Major US, UK Water Companies Hit by Ransomware

Two major water companies, Veolia North America in the United States and Southern Water in the United Kingdom, have been targeted in ransomware attacks that resulted in data breaches.

Veolia describes itself as the world’s largest private player in the water sector, providing water and wastewater services to tens of millions of people.

In a notice posted on its website, Veolia North America revealed that its Municipal Water division was hit by ransomware last week. In response to the incident, the company took down the targeted backend systems and servers, which disrupted online bill payment systems.

“This incident seems to have been confined to our internal back-end systems at Veolia North America, and there is no evidence to suggest it affected our water or wastewater treatment operations,” Veolia said.

The water company has also determined that the personal information of “a limited number of individuals” may have been compromised. Affected people will be notified by the firm.

No known ransomware group appears to have taken credit for the attack on Veolia.

Across the pond, a ransomware group targeted Southern Water, which provides water services to 2.5 million customers and wastewater services to 4.7 million customers in the South of England. A statement issued by the company on Tuesday confirmed that suspicious activity was detected on its systems and an investigation has been launched.

The statement came after the Black Basta ransomware group listed Southern Water on its leak website, claiming to have stolen 750 Gb of files, including ones containing personal information and corporate documents. The hackers posted several screenshots showing that they obtained identification document scans (passports and driver’s licenses) and other documents containing personal information.

The cybercriminals are threatening to make the stolen data public in five days if Southern Water refuses to pay a ransom. The water utility is investigating the claims, but has currently found no evidence that customer relationship or financial systems have been impacted. “Our services are not impacted and are operating normally,” it said.

The water sector in the West has been increasingly targeted by malicious cyber actors. Hackers believed to be affiliated with the Iranian government last year targeted industrial control systems (ICS) at multiple water facilities in the United States. In Ireland, a cyberattack targeting the systems of a small utility caused significant disruption, leaving people without water for two days.  

Source – https://www.securityweek.com/major-us-uk-water-companies-hit-by-ransomware/

3.5M Users’ Dinner Habits Exposed in Data Leak

FreshMenu, a popular food delivery service, has exposed over 3.5 million order details along with sensitive customer information, including phone numbers and food delivery addresses. FreshMenu, which delivers food to Bangalore, Mumbai, Gurgaon, and Delhi, has exposed its customer data to the public.

Researchers stumbled upon a 26GB-strong MongoDB database that wasn’t secured with a password, meaning that anyone could potentially access it. The database contained over 3.5 million orders.

While users might not really care if threat actors find out what they’ve ordered, unfortunately, the company also exposed customer data along with their orders, including:

• Names
• Emails
• Phone numbers
• Billing and shipping addresses
• IP addresses

As per researchers, the database wasn’t exposed for long – only around 2-3 days. However, it takes mere seconds for threat actors to dump discovered open sets of data using automation, and companies need to make sure that sensitive information is always hidden from the public eye.

The exposed data provides threat actors with the potential to engage in identity theft, phishing attacks, and targeted scams. The comprehensive nature of the leaked information could enable malicious actors to exploit customer vulnerabilities, compromise privacy, and potentially perpetrate fraudulent activities.

Source – https://cybernews.com/security/fresh-menu-data-leak/

US, UK, Australia Sanction Russian Man Over Ransomware Attack on Healthcare Insurer 

The United States and the United Kingdom have joined Australia in sanctioning a Russian national accused of being involved in the 2022 ransomware attack on Australian healthcare insurer Medibank.

Australia announced early on Tuesday that Alexander Ermakov has been sanctioned for his alleged role in the October 2022 Medibank cyberattack, which resulted in the personal information of nearly 10 million Australians getting stolen.

The cybercriminals claimed to have stolen 200 Gb of files from Medibank and posted the information, which included sensitive medical details, on the dark web after the company refused to pay a ransom. It was described as one of the worst cyber incidents in Australia’s history.

The sanctions against Ermakov represent the first time the Australian government imposed its cyber sanction powers. The Russian national was linked to the ransomware attack as a result of an investigation conducted by Australian authorities and international partners.

Just hours after Australia, the US and the UK also announced sanctions against Ermakov, saying that he had a key role in the Medibank cyberattack.

“The United States and the United Kingdom, in solidarity with Australia, are taking action against the same individual because of the similar risk presented by this actor to the United States and the UK,” the US Department of the Treasury said.

Ermakov and the attack on Medibank have been linked to the REvil ransomware group, whose operations were allegedly dismantled by Russian authorities in January 2022, months before the attack on Medibank. REvil had previously been targeted in an international law enforcement operation.

However, it’s not uncommon for cybercriminals, including ransomware-as-a-service affiliates and operators, to join or launch other operations after a takedown attempt.

As a result of the sanctions announced this week, entities in the US, UK and Australia are banned from dealing with Ermakov, including through cryptocurrency wallets or ransomware payments.

Source – https://www.securityweek.com/us-uk-australia-sanction-russian-man-over-ransomware-attack-on-healthcare-insurer/

Global Fintech Firm EquiLend Offline after Recent Cyberattack

New York-based global financial technology firm EquiLend says its operations have been disrupted after some systems were taken offline in a Monday cyberattack. Following the incident, the technology, data and analytics company also detected unauthorized access to its network and is now working to restore all affected services.

“On January 22, 2024, EquiLend identified a technical issue that placed portions of our systems offline,” an EquiLend spokesperson said.

“We immediately launched an investigation and have identified a cyber security incident involving unauthorized access to our systems. We took immediate steps to secure our systems and are working methodically to restore the involved services as quickly as possible.”

EquiLend has also hired the services of third-party experts to investigate the security breach and to help speed up its restoration efforts.

“We are working with external cybersecurity firms and other professional advisers to assist with our investigation and restoration of service. Clients have been advised that this may take several days,” the spokesperson added.

The company has yet to disclose if any company or customer data was exposed or stolen during the incident.

News of the attack comes less than a week after Equilend announced that it will be acquired by U.S. private equity firm Welsh, Carson, Anderson & Stowe (WCAS). The transaction is set to close in Q2 2024, pending regulatory approval.

“In addition to the acquisition, WCAS has committed a further $200 million investment to support organic growth initiatives and acquisitions by EquiLend,” the company said.

While there’s information on the attack’s nature, the FBI warned that ransomware gangs are targeting companies involved in “time-sensitive financial events,” including corporate mergers and acquisitions as this makes it easier to extort their victims.

“Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established,” the FBI said.

EquiLend was founded in 2001 by a consortium of ten global banks and broker-dealers, including Bank of America Merrill Lynch, BlackRock, Credit Suisse, Goldman Sachs, JP Morgan, Morgan Stanley, National Bank of Canada, Northern Trust, State Street, and UBS. The company has more than 330 employees in offices around North America, EMEA and Asia-Pacific, and its services are now being used by more than 190 firms worldwide, including agency lending banks, hedge funds, and broker-dealers.

Securities finance marketplace participants use Equilend’s Next Generation Trading (NGT) multi-asset securities lending trading platform to execute more than $2.4 trillion of transactions each month.

Source – https://www.bleepingcomputer.com/news/security/global-fintech-firm-equilend-offline-after-recent-cyberattack/

Attack on Swedish Datacenter Shocks Multiple Businesses

Cloud hosting service provider Tietoevry’s data centers in Sweden suffered a ransomware attack that could take weeks to mitigate. Several businesses were forced to close across the country. The ransomware attack took place over the weekend and impacted several of Tietoevry‘s datacenters in Sweden, the company said in a statement.

“The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden,” the company said.

Several Tietoevry customers in Sweden suffered from the fallout of the attack.

For example, the Gardening store chain Granngården closed down its stores and stopped e-commerce activities, and the movie theater chain Filmstaden could not sell tickets. Meanwhile, spirits monopoly chain Systembolaget, sports clothing chain Stadium, and domestic goods chain Rusta had their websites shut down due to the disruption.

“Considering the nature of the incident and the number of customer-specific systems to be restored, the restoration process may extend over several days, even weeks,” the company’s latest statement said.

The Finland-based company revealed that attackers used the Akira ransomware strain. However, we didn’t find Tietoevry listed on Akira’s dark web blog, where the gang typically posts its latest victims. Recently, the gang made headlines after attacking Nissan Oceania, the Japanese auto giant’s Australian and New Zealand businesses.

Tietoevry is a significant cloud hosting service provider, with €2.9 billion ($3.1 billion) revenue and staff exceeding 24,000.

Akira, a ransomware group discovered in March 2023, takes its name from a Japanese cyberpunk manga. According to Ransomlooker, a Cybernews tool that monitors the dark web, Akira has victimized 169 organizations in the US, Canada, and other countries. The group follows a consistent modus operandi, demanding ransom payments ranging from $200,000 to $4 million. If these demands are not met, they resort to publishing compromised data online.

In July 2023, researchers at Avast, a cybersecurity firm, released a decryptor for the Akira ransomware used in several incidents. However, it only combats the Windows version of the ransomware. Akira also targets Linux-based systems with a specifically developed strain of malware.

Source – https://cybernews.com/news/tietoevry-ransomware-attack-disrupts-businesses/

Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood.

The tactic allows threat actors to terminate antivirus processes and services for the deployment of ransomware. Kasseika, first discovered in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide’s shutdown.

There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter’s source code has never publicly leaked post its demise in November 2021.

Attack chains involving Kasseika commence with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.

The threat actors have been observed utilizing Microsoft’s Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named “Martini.exe,” and if found, terminates it ensure there is only one instance of the process running the machine.

The executable’s main responsibility is to download and run the “Martini.sys” driver from a remote server in order to disable 991 security tools. It’s worth noting that “Martini.sys” is a legitimate signed driver named “viragt64.sys” that has been added to Microsoft’s vulnerable driver blocklist.

“If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine,” the researchers said, indicating the crucial role played by the driver in defense evasion.

Following this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), which takes care of the encryption process using ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.

A ransom note is then dropped in every directory that it has encrypted and the computer’s wallpaper is modified to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an extra $500,000 every 24 hours once the deadline elapses.

On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.

The Kasseika ransomware also has other tricks up its sleeves, which includes wiping traces of the activity by clearing the system’s event logs using the wevtutil.exe binary.

“The command wevutil.exe efficiently clears the Application, Security, and System event logs on the Windows system,” the researchers said. “This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”

Source – https://thehackernews.com/2024/01/kasseika-ransomware-using-byovd-trick.html

Aviation Leasing Giant AerCap Hit by Ransomware Attack

Aircraft leasing giant AerCap has confirmed falling victim to ransomware after an emerging cybercrime gang claimed responsibility for the attack. The intrusion, the company said in a Form 6-K filing with the US Securities and Exchange Commission, occurred on January 17.

“We have full control of all of our IT systems and to date, we have suffered no financial loss related to this incident,” the lessor told the SEC.

AerCap also noted that it had notified law enforcement immediately after identifying the attack and that its investigation into the incident has yet to determine if any data was compromised or exfiltrated.

While the company shared no details on the attackers, an emerging ransomware group named ‘Slug’ has taken responsibility for the incident, listing AerCap on its leak site.

Slug claims to have stolen roughly one terabyte of data from the aircraft lessor, threatening to progressively leak the information unless a ransom is paid. Within two weeks, the group says, all the stolen data will be released publicly. At the moment, Slug’s leak site only has AerCap listed as a victim.

Headquartered in Dublin, Ireland, AerCap Holdings is the largest aviation leasing company worldwide, with thousands of owned, on order, or managed aircraft, engines, and helicopters, serving more than 300 customers in 80 countries.One of the largest purchasers of aircraft and aircraft engines, the company has offices in Amsterdam, Dubai, London, Miami, Shanghai, Shannon, and Singapore, and representative offices in Seattle and Toulouse.

BianLian has been an active and prevalent threat group since September 2022, predominantly singling out healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.

Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.

What’s more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two. This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data. This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past.

Source – https://www.securityweek.com/aircraft-lessor-aercap-confirms-ransomware-attack/

loanDepot Cyberattack Causes Data Breach for 16.6 Million People

Mortgage lender loanDepot says that approximately 16.6 million people had their personal information stolen in a ransomware attack disclosed earlier this month.

Following a January 6 attack that forced it to shut down some of its systems to contain the breach, the company told customers that recurring automatic payments would still be processed, with payment history delays.

Payments via the servicing customer portal were also unavailable after the incident, and several other online portals, including MyloanDepot, HELOC, and the mellohome website, were also offline. Several days later, loanDepot confirmed this was a ransomware attack, with the malicious actors also encrypting files on compromised devices.

Today, after confirming that millions of people had their data stolen, the company said it would notify individuals impacted by this data breach, providing them with free credit monitoring and identity protection services.

“The Company has made significant progress in restoring our loan origination and loan servicing systems, including our MyloanDepot and Servicing customer portals,” loanDepot said.

“Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems.”

Corporate and customer data stolen by ransomware gangs is now commonly used as leverage in double-extortion attacks to pressure victims into paying a ransom. Given that loanDepot stores sensitive customer financial and bank account information, those affected by this breach should know they might be the target of phishing attacks and identity theft attempts.

However, loanDepot has yet to share what type of customer personal information was accessed and stolen from its systems.

In May 2023, loanDepot disclosed another data breach resulting from an August 2022 cyberattack that exposed customer data. loanDepot is a major U.S. nonbank mortgage lender with roughly 6,000 employees and over $140 billion in serviced loans.

Source – https://www.bleepingcomputer.com/news/security/loandepot-cyberattack-causes-data-breach-for-166-million-people/

Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware

The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter.

The campaign, observed earlier this month on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset.

TA866 was first documented in February 2023, and attributed to a campaign named Screentime that distributed WasabiSeed, a Visual Basic script dropper that’s used to download Screenshotter, which is capable of taking screenshots of the victim’s desktop at regular intervals of time and exfiltrating that data to an actor-controlled domain.

There is evidence to suggest that the organized actor may be financially motivated owing to the fact that Screenshotter acts as a recon tool to identify high-value targets for post-exploitation, and deploy an AutoHotKey (AHK)-based bot to ultimately drop the Rhadamanthys information stealer.

Subsequent findings in June 2023 unearthed overlaps between Screentime and another intrusion set dubbed Asylum Ambuscade, a crimeware group active since at least 2020 that also engages in cyber espionage operations.

The latest attack chain remains virtually unchanged save for the switch from macro-enabled Publisher attachments to PDFs bearing a rogue OneDrive link, with the campaign relying on a spam service provided by TA571 to distribute the booby-trapped PDFs.

TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety of malware for their cybercriminal customers. This includes AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (aka Qbot), and DarkGate, the last of which allows attackers to perform various commands such as information theft, cryptocurrency mining, and execution of arbitrary programs.

Splunk, which detected multiple campaigns deploying a loader designed to initiate DarkGate on compromised endpoints, said malicious PDF files act as a carrier for an MSI installer that executes a cabinet (CAB) archive to trigger the execution of DarkGate via AutoIT loader script.

News of TA866’s resurgence comes as it was revealed that shipping-related phishing emails primarily single out the manufacturing sector to propagate malware like Agent Tesla and Formbook.

For the most part, the yearly trends suggest that these emails follow a particular trend throughout the year with varying degrees of volumes, with the most significant volumes being in June, October, and November.

The development also follows the discovery of a novel evasion tactic that leverages the caching mechanism of security products to get around them by incorporating a Call To Action (CTA) URL that points to a trusted website in the phishing message sent to the targeted individual.

When such a URL gets scanned by the security engine, it’s marked as safe, and the verdict is stored in its cache for a set time. This also means that if the URL is encountered again within that time period, the URL is not reprocessed, and instead, the cached result is served.

Source – https://thehackernews.com/2024/01/invoice-phishing-alert-ta866-deploys.html

Smarttech247