
Thursday, October 26th, 2023

Cybersecurity Week in Review (27/10/2023)

Warning Over Cyber Attacks Targeting Transport Firms

Global cybersecurity firm Smarttech247 is raising the alarm about a surge in Distributed Denial of Service (DDoS) attacks targeting Irish transport companies over the past week. Experts believe the current spate of incidents is linked to a pro-Russian hacker group known as ‘NoName057(16)’.

Organisations who fall victim to these attacks often find their websites or networks flooded with extremely high volumes of traffic, making it impossible for their service to function properly. The bogus traffic is also controlled from multiple locations, making it difficult and time-consuming to halt the disruption.

CEO of Smarttech247 Raluca Saceanu says: “These threat actors have been actively targeting providers in this country as well as Norway, Sweden, Germany and Estonia in recent weeks. In a different approach to what many might expect, they’re not interested in stealing data – they simply want to cause maximum disruption to their victims’ businesses”.

Smarttech247 is reiterating the important steps companies must take to protect their networks from DDoS attacks:

—  Ensure that your main DNS server is properly configured and up to date with the latest recommendations from your provider

—  Have robust Access Control Lists (ACLs) and firewall filters in order to stop DDoS attacks

—  Enhance cybersecurity awareness training particularly around phishing and other social engineering attacks

—  Have an up-to-date Incident Response Plan

—  Maintain a strong Threat and Vulnerability program and scan for unpatched systems

—  Enable multi-factor authentication across all systems

—  Enforce strong password protocols for all users

—  Monitor your systems 24/7 for anomalous behaviour
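The last item, round-the-clock monitoring for anomalous behaviour, is the one that turns a DDoS from a surprise into an alert. The script below is an added example, not code from the original article or from Smarttech247: it parses constructed combined-log-format access-log lines (documentation IP ranges, invented timestamps), buckets them per second and flags seconds whose request count far exceeds the median rate. A burst spread over many distinct source addresses is reported as a distributed flood, the "traffic controlled from multiple locations" pattern described above; a burst from a single address is reported separately because it calls for a different response (a single-source block rather than upstream scrubbing). The ratio, window and source-count thresholds are assumptions to be tuned per site.

```python
"""Flag DDoS-like traffic bursts in web server access logs.

Added example (not from the article or Smarttech247). Parses constructed
combined-log lines, buckets them per second and reports seconds whose
request count exceeds a multiple of the median per-second rate, splitting
distributed floods from single-source bursts by distinct source count.
"""
import re
import statistics
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Apache/Nginx combined log format: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Bucket:
    """All requests that arrived within one wall-clock second."""
    requests: int = 0
    sources: Set[str] = field(default_factory=set)


def bucket_per_second(lines: List[str]) -> Dict[datetime, Bucket]:
    """Group parsable log lines by arrival second; malformed lines are skipped."""
    buckets: Dict[datetime, Bucket] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        second = datetime.strptime(m.group("ts"), TS_FORMAT).replace(microsecond=0)
        bucket = buckets.setdefault(second, Bucket())
        bucket.requests += 1
        bucket.sources.add(m.group("ip"))
    return buckets


def find_floods(lines: List[str], ratio: float = 10.0, min_sources: int = 20,
                min_requests: int = 20) -> List[dict]:
    """Return one alert per second whose request count exceeds ratio x median.

    The median is the baseline because a few flood seconds would drag a mean
    upward and hide themselves; min_requests stops tiny sites alerting on noise.
    """
    buckets = bucket_per_second(lines)
    if not buckets:
        return []
    baseline = statistics.median(b.requests for b in buckets.values())
    threshold = max(min_requests, ratio * baseline)
    alerts = []
    for second in sorted(buckets):
        b = buckets[second]
        if b.requests < threshold:
            continue
        kind = "distributed_flood" if len(b.sources) >= min_sources else "single_source_burst"
        alerts.append({"second": second.isoformat(), "requests": b.requests,
                       "sources": len(b.sources), "kind": kind})
    return alerts


def make_sample_log() -> List[str]:
    """Constructed log lines (documentation address ranges, not real traffic)."""
    def line(ip: str, sec: int, path: str) -> str:
        return f'{ip} - - [26/Oct/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for sec in range(5):                       # normal: 3 requests/second from 3 regular clients
        for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
            lines.append(line(ip, sec, "/schedule"))
    for i in range(60):                        # second 5: 60 requests from 30 distinct sources
        lines.append(line(f"192.0.2.{i % 30 + 1}", 5, "/"))
    for _ in range(40):                        # second 6: 40 requests from one source
        lines.append(line("198.51.100.99", 6, "/login"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in find_floods(make_sample_log()):
        print(alert)
```

Feeding real logs through `find_floods` line by line gives a first-pass alert stream; the distinct-source count is what separates a flood worth escalating to the upstream provider from a single misbehaving client that a local ACL or rate limit handles.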

Raluca Saceanu says the impact of a DDoS attack can be very serious: “When you rely on your website or emails for much of your business, having customers locked out for days can be devastating. Transport companies are coming into an extremely busy time of the year and it’s worth being proactive on your approach to cybersecurity to reduce the risk of this kind of incident happening”.

Source – https://irishtechnews.ie/warning-cyber-attacks-targeting-transport-firms/

YoroTrooper: Researchers Warn of Kazakhstan’s Stealthy Cyber Espionage Group

A relatively new threat actor known as YoroTrooper is likely made up of operators originating from Kazakhstan.

The assessment is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government’s Anti-Corruption Agency.

“YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region,” researchers said.

First documented in March 2023, the adversary is known to be active since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. The activity is being tracked under the name SturgeonPhisher.

YoroTrooper’s attack cycles primarily rely on spear-phishing to distribute a medley of commodity and open source stealer malware, although the group has also been observed using the initial access vector to direct victims to attacker-controlled credential harvesting sites.

“The practice of credential-harvesting runs complementary to YoroTrooper’s malware-based operations with the end goal being data theft,” the researchers said.

Public disclosure of the threat actor’s campaigns has prompted a tactical revamp of its arsenal, pivoting from commodity malware to custom tools programmed in Python, PowerShell, Golang, and Rust.

The actor’s strong ties to Kazakhstan stem from the fact that it regularly conducts security scans of the state-owned email service, mail[.]kz, indicating continued efforts to monitor the website for potential security vulnerabilities.

It also periodically checks for currency conversion rates between Tenge and Bitcoin on Google (“btc to kzt”) and uses alfachange[.]com to convert Tenge to Bitcoin and pay for infrastructure upkeep.

Beginning in June 2023, YoroTrooper’s targeting of CIS countries has been accompanied by an increased focus on bespoke implants, while simultaneously using vulnerability scanners such as Acunetix and open-source data from search engines like Shodan to locate and infiltrate victim networks.

Some of the targets included Tajikistan’s Chamber of Commerce, the Drug Control Agency, the Ministry of Foreign Affairs, Kyrgyzstan’s KyrgyzKomur, and the Ministry of Energy of the Republic of Uzbekistan.

Another notable aspect is the use of email accounts to register and purchase tools and services, including a NordVPN subscription and a VPS instance from netx[.]hosting for $16 a month.

A major update to the infection chain entails porting its Python-based remote access trojan (RAT) to PowerShell as well as employing a custom-built interactive reverse shell to run commands on infected endpoints via cmd.exe. The PowerShell RAT is designed to accept incoming commands and exfiltrate data via Telegram.

In addition to experimenting with multiple types of delivery vehicles for their backdoors, YoroTrooper is said to have added Golang- and Rust-based malware as of September 2023, allowing it to establish a reverse shell and harvest sensitive data.

“Their Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication,” the researchers explained.

Source – https://thehackernews.com/2023/10/yorotrooper-researchers-warn-of.html

Record-Breaking 100 Million RPS DDoS Attack Exploits HTTP/2 Rapid Reset Flaw

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).

“The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter,” the web infrastructure and security company said in a report. “Similarly, L3/4 DDoS attacks also increased by 14%.”

The total number of HTTP DDoS attack requests in the quarter surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. The number of attack requests in Q4 2022 stood at 6.5 trillion.

HTTP/2 Rapid Reset (CVE-2023-44487) came to light earlier this month following an industry-wide coordinated disclosure that delved into DDoS attacks orchestrated by an unknown actor by leveraging the flaw to target various providers such as Amazon Web Services (AWS), Cloudflare, and Google Cloud.

Fastly, in a disclosure of its own on Wednesday, said it countered a similar attack that peaked at a volume of about 250 million RPS and a duration of approximately three minutes.

“Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to x5,000 more force per botnet node,” Cloudflare noted. “This allowed them to launch hyper-volumetric DDoS attacks with a small botnet ranging 5-20 thousand nodes alone.”
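The reason a small botnet reaches such request rates is that HTTP/2 lets a client open a stream and immediately cancel it with RST_STREAM, so each node issues requests far faster than the server can finish them. The code below is an added example and not code from the article, from Cloudflare or from any HTTP/2 implementation; it models one defensive idea applied after the disclosure, counting resets per connection in a sliding window and closing connections that cancel streams faster than a real client plausibly would. The frame records, window length and reset limit are constructed for illustration.

```python
"""Per-connection reset-rate limiter for the HTTP/2 Rapid Reset pattern.

Added example (not from the article, Cloudflare or any HTTP/2 stack). Tracks
open streams and recent RST_STREAM frames per connection and closes a
connection once its resets in the window exceed a limit.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class Frame:
    conn_id: str
    t: float        # arrival time in seconds
    kind: str       # "HEADERS" opens a stream, "RST_STREAM" cancels it
    stream_id: int


class ResetRateGuard:
    """Track open streams and recent resets per connection; close abusive ones."""

    def __init__(self, window_s: float = 1.0, max_resets: int = 100):
        self.window_s = window_s
        self.max_resets = max_resets
        self._open: Dict[str, Set[int]] = {}
        self._resets: Dict[str, Deque[float]] = {}
        self.closed: Dict[str, int] = {}    # conn_id -> stream_id that tripped the limit
        self.dropped: Dict[str, int] = {}   # conn_id -> frames seen after closure

    def observe(self, f: Frame) -> str:
        """Return 'accept', 'close' (this frame tripped the limit) or 'dropped'."""
        if f.conn_id in self.closed:
            self.dropped[f.conn_id] = self.dropped.get(f.conn_id, 0) + 1
            return "dropped"
        opened = self._open.setdefault(f.conn_id, set())
        resets = self._resets.setdefault(f.conn_id, deque())
        if f.kind == "HEADERS":
            opened.add(f.stream_id)
        elif f.kind == "RST_STREAM":
            opened.discard(f.stream_id)
            resets.append(f.t)
            # Slide the window: forget resets older than window_s.
            while resets and f.t - resets[0] > self.window_s:
                resets.popleft()
            if len(resets) > self.max_resets:
                self.closed[f.conn_id] = f.stream_id
                return "close"
        return "accept"

    def open_streams(self, conn_id: str) -> int:
        return len(self._open.get(conn_id, ()))


def run_guard(frames: List[Frame], guard: Optional[ResetRateGuard] = None) -> Dict[str, str]:
    """Feed frames through the guard and report each connection's final state."""
    guard = guard or ResetRateGuard()
    conns = []
    for f in frames:
        if f.conn_id not in conns:
            conns.append(f.conn_id)
        guard.observe(f)
    return {c: ("closed" if c in guard.closed else "open") for c in conns}


def make_sample_frames() -> List[Frame]:
    """Constructed traffic: one ordinary client and one rapid-reset client."""
    frames = []
    for i in range(50):                 # legit: 50 streams over 1 s, 3 cancelled
        sid = 2 * i + 1
        frames.append(Frame("legit", i * 0.02, "HEADERS", sid))
        if i % 20 == 0:
            frames.append(Frame("legit", i * 0.02 + 0.005, "RST_STREAM", sid))
    for i in range(300):                # attacker: 300 open/cancel pairs in 300 ms
        sid = 2 * i + 1
        frames.append(Frame("attacker", i * 0.001, "HEADERS", sid))
        frames.append(Frame("attacker", i * 0.001, "RST_STREAM", sid))
    return frames


if __name__ == "__main__":
    g = ResetRateGuard()
    print(run_guard(make_sample_frames(), g), g.closed, g.dropped)
```

The limit applies per connection rather than per source, because a busy legitimate proxy may legitimately open many streams; what no real client does is cancel hundreds of them within a fraction of a second.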

Some of the top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency, computer software, and telecom, with the U.S., China, Brazil, Germany, and Indonesia accounting for the biggest sources of application layer (L7) DDoS attacks.

On the other hand, the U.S., Singapore, China, Vietnam, and Canada emerged as the main targets of HTTP DDoS attacks.

For the second consecutive quarter, DNS-based DDoS attacks were the most common. Almost 47% of all attacks were DNS-based. This represents a 44% increase compared to the previous quarter. SYN floods remain in second place, followed by RST floods, UDP floods, and Mirai attacks.

Another notable change is the decrease in ransom DDoS attacks, as threat actors have realized that organizations will not pay them.

The disclosure comes amid internet traffic fluctuations and a spike in DDoS attacks in the aftermath of the Israel-Hamas war, with Cloudflare repelling several attack attempts aimed at Israeli and Palestinian websites.

Source – https://thehackernews.com/2023/10/record-breaking-100-million-rps-ddos.html

Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader.

IMAPLoader is a .NET malware that can fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads. It uses email as a command-and-control channel and executes payloads extracted from email attachments; the loader itself is executed via new service deployments.

Active since at least 2018, Tortoiseshell has a history of using strategic website compromises as a ploy to facilitate the distribution of malware. Earlier this May, the group was linked to the breach of eight websites associated with shipping, logistics, and financial services companies in Israel.

The threat actor is aligned with the Islamic Revolutionary Guard Corps (IRGC) and is also tracked by the broader cybersecurity community under the names Crimson Sandstorm (previously Curium), Imperial Kitten, TA456, and Yellow Liderc.

The latest set of attacks between 2022 and 2023 entails embedding malicious JavaScript in compromised legitimate websites to gather more details about the visitors, including their location, device information, and time of visits.

These intrusions focused primarily on the maritime, shipping and logistics sectors in the Mediterranean, in some cases leading to the deployment of IMAPLoader as a follow-on payload should the victim be deemed a high-value target.

IMAPLoader is said to be a replacement for a Python-based IMAP implant Tortoiseshell previously used in late 2021 and early 2022, owing to the similarities in functionality.

The malware acts as a downloader for next-stage payloads by querying hard-coded IMAP email accounts, specifically checking a mailbox folder misspelled as “Recive” to retrieve the executables from the message attachments.

In an alternate attack chain, a Microsoft Excel decoy document is used as an initial vector to kick-start a multi-stage process to deliver and execute IMAPLoader, indicating that the threat actor is using a variety of tactics and techniques to realize its strategic goals.

Phishing sites created by Tortoiseshell were also discovered, some of which are aimed at the travel and hospitality sectors within Europe, to conduct credential harvesting using fake Microsoft sign-in pages.

The threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping, and logistics sectors within the Mediterranean; nuclear, aerospace, and defense industries in the U.S. and Europe; and IT managed service providers in the Middle East.

Source – https://thehackernews.com/2023/10/iranian-group-tortoiseshell-launches.html

Critical Flaw in NextGen’s Mirth Connect Could Expose Healthcare Data

Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability.

Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. It is an easily exploitable, unauthenticated remote code execution vulnerability that attackers would most likely exploit for initial access or to compromise sensitive healthcare data.

Called the “Swiss Army knife of healthcare integration,” Mirth Connect is a cross-platform interface engine used in the healthcare industry to communicate and exchange data between disparate systems in a standardized manner.

Additional technical details about the flaw have been withheld in light of the fact that Mirth Connect versions going as far back as 2015/2016 have been found to be vulnerable to the issue.

It’s worth noting that CVE-2023-43208 is a patch bypass for CVE-2023-37679 (CVSS score: 9.8), a critical remote command execution (RCE) vulnerability in the software that allows attackers to execute arbitrary commands on the hosting server.

While CVE-2023-37679 was described by its maintainers as only affecting servers running Java 8, analysis found that all instances of Mirth Connect, regardless of the Java version, were susceptible to the problem.

Given how easily the vulnerability can be abused, coupled with the fact that the exploitation methods are well known, it’s recommended to update Mirth Connect, particularly instances that are publicly accessible over the internet, to version 4.4.1 as soon as possible to mitigate potential threats.

Source – https://thehackernews.com/2023/10/critical-flaw-in-nextgens-mirth-connect.html

Chilean Telecom Giant GTD Hit by the Rorschach Ransomware Gang

Chile’s Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Grupo GTD is a telecommunications company offering services throughout Latin America, with a presence in Chile, Spain, Colombia, and Peru. The company provides various IT services, including internet access, mobile and landline telephone, and data center and IT managed services.

On the morning of October 23rd, GTD suffered a cyberattack that impacted numerous services, including its data centers, internet access, and Voice-over-IP (VoIP).

“We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident,” reads a GTD security incident notification.

“This impact is limited to part of our IaaS platform and some shared services (IP telephony services, VPNs and OTT television system). Our communication COR, as well as our ISP, are operating normally.”

To prevent the attack’s spread, the company disconnected its IaaS platform from the internet, leading to these outages.

Today, Chile’s Computer Security Incident Response Team (CSIRT) confirmed that GTD suffered a ransomware attack.

“The Computer Security Incident Response Team (Government CSIRT) of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23,” reads a machine-translated statement on the CSIRT website.

“As a consequence, some public services in our country have presented unavailability on their websites.”

The CSIRT is requiring all public institutions who are utilizing GTD’s IaaS services to notify the government under decree No. 273, which requires all State agencies to report when a cybersecurity incident may impact them.

While CSIRT has not disclosed the name of the ransomware operation behind the attack on GTD, it is believed that it involved the Rorschach ransomware variant previously seen used in an attack on a US company.

Rorschach ransomware (aka BabLock) is a relatively new encryptor seen by Check Point Research in April 2023. While the researchers could not link the encryptor to a particular ransomware gang, they warned that it was both sophisticated and very fast, able to encrypt a device in 4 minutes and 30 seconds.

According to a report on the GTD attack, the threat actors used DLL sideloading weaknesses in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL.

This DLL is the Rorschach injector, which injects a ransomware payload called “config[.]ini” into a Notepad process. Once loaded, the ransomware begins encrypting files on the device.
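The chain just described leaves two observable traces on the endpoint: a signed vendor executable loading a DLL from its own, non-standard directory, and a Notepad process being started by that executable. The script below is an added example, not code from the BleepingComputer article, Chile’s CSIRT or any vendor product. It runs both heuristics over constructed Sysmon-style events: a DLL loaded from the same directory as its host executable, outside the standard program directories and without the host’s signer, is reported as a side-loading candidate; a notepad.exe process whose parent is such a host is reported as a possible injection target. The DLL name, signer strings and PIDs are invented; u.exe is used because the article names it.

```python
"""Spot DLL side-loading hosts and follow-on Notepad spawning in endpoint telemetry.

Added example (not from the article, CSIRT or any vendor). Two heuristics over
constructed Sysmon-style ImageLoad / ProcessCreate events.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Union

# Directories where a same-directory DLL load is the normal case, not a signal.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    image: str                  # executable that performed the load
    image_signer: Optional[str]
    dll: str                    # module that was loaded
    dll_signer: Optional[str]


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    parent_pid: int
    image: str


Event = Union[ImageLoad, ProcessCreate]


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """DLL beside its host, outside trusted dirs, and not signed by the host's signer."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.dll)
    same_dir = exe.parent == dll.parent            # PureWindowsPath compares case-insensitively
    outside_trusted = not str(dll).lower().startswith(TRUSTED_DIRS)
    signer_mismatch = ev.dll_signer is None or ev.dll_signer != ev.image_signer
    return same_dir and outside_trusted and signer_mismatch


def analyze(events: List[Event]) -> List[str]:
    """Return human-readable findings; events are assumed to be in chronological order."""
    findings: List[str] = []
    hosts: Dict[int, str] = {}   # pid -> image name of processes flagged as side-load hosts
    for ev in events:
        if isinstance(ev, ImageLoad) and is_sideload_candidate(ev):
            hosts[ev.pid] = PureWindowsPath(ev.image).name
            dll = PureWindowsPath(ev.dll)
            findings.append(
                f"sideload: pid {ev.pid} {hosts[ev.pid]} (signer {ev.image_signer}) "
                f"loaded {dll.name} (signer {ev.dll_signer}) from {dll.parent}")
        elif (isinstance(ev, ProcessCreate) and ev.parent_pid in hosts
              and PureWindowsPath(ev.image).name.lower() == "notepad.exe"):
            findings.append(
                f"injection-target: pid {ev.pid} notepad.exe spawned by "
                f"sideload host pid {ev.parent_pid} ({hosts[ev.parent_pid]})")
    return findings


def make_sample_events() -> List[Event]:
    """Constructed telemetry; paths, signers and PIDs are invented."""
    return [
        ImageLoad(4120, r"C:\Users\Public\u.exe", "Trend Micro", r"C:\Users\Public\helper.dll", None),
        ImageLoad(4120, r"C:\Users\Public\u.exe", "Trend Micro", r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
        ImageLoad(2200, r"C:\Program Files\Vendor\agent.exe", "Vendor", r"C:\Program Files\Vendor\agent.dll", "Vendor"),
        ProcessCreate(5012, 4120, r"C:\Windows\System32\notepad.exe"),
        ProcessCreate(6000, 2200, r"C:\Windows\System32\notepad.exe"),
        ProcessCreate(6100, 4120, r"C:\Windows\System32\cmd.exe"),
    ]


if __name__ == "__main__":
    for finding in analyze(make_sample_events()):
        print(finding)
```

The trusted-directory exclusion keeps ordinary vendor installs quiet, so the alert volume is driven by what should be rare: a security product’s binary running from a user-writable folder next to an unsigned module.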

CSIRT has shared IOCs related to the attack on GTD (see the source link), in which u.exe and d.exe are legitimate TrendMicro and BitDefender executables used in the attack and the DLLs contain the malware.

Chile’s CSIRT recommends that all organizations connected to GTD’s IaaS go through the following steps to confirm they were not breached in the attack:

  • Perform a complete scan of your infrastructure with antivirus.
  • Verify that there is no suspicious software on your systems.
  • Review existing accounts on your server and confirm that no new accounts have been created.
  • Analyze processing and hard drive performance to ensure it is not altered.
  • Check if there is any type of variation in the information or data leak of the company and its databases.
  • Check your network traffic.
  • Maintain an up-to-date record of your systems to ensure effective monitoring.
  • Restrict SSH access to servers to cases where it is strictly necessary.

Earlier this year, the Chilean military suffered a Rhysida ransomware attack, where the threat actors released 360,000 documents stolen from the government.

Source – https://www.bleepingcomputer.com/news/security/chilean-telecom-giant-gtd-hit-by-the-rorschach-ransomware-gang/

Hackers Backdoor Russian State, Industrial Orgs for Data Theft

Several state and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely aiding espionage operations.

The campaign was first detected in June 2023, while in mid-August, a newer version of the backdoor was spotted that introduced better evasion, indicating ongoing optimization of the attacks. The threat actors responsible for this campaign are unknown.

The attack begins with an email carrying a malicious ARJ archive named ‘finansovyy_kontrol_2023_180529.rar’ (financial control), which is a Nullsoft archive executable. The archive contains a decoy PDF document used for distracting the victim and an NSIS script that fetches the primary payload from an external URL address (fas-gov-ru[.]com) and launches it.

The malware payload is dropped at ‘C:\ProgramData\Microsoft\DeviceSync\’ as ‘UsrRunVGA.exe.’

The same phishing wave distributed two more backdoors named ‘Netrunner’ and ‘Dmcserv.’ These are the same malware with different C2 (command and control) server configurations.

The script launches the malicious executables in a hidden window and adds a Start Menu link to establish persistence.

The functionality of the backdoor includes the following:

  • List files and folders in a specified directory.
  • Transfer (exfiltrate) files from the host to the C2.
  • Obtain clipboard contents.
  • Grab desktop screenshots.
  • Search disk for files of specific extensions (.doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .zip, .rar, .7z, .odt, .ods, .kdbx, .ovpn, .pem, .crt, .key) and transfer them to the C2.

All data sent to the C2 server is first AES encrypted to evade detection from network monitoring solutions. To evade analysis, the malware performs username, system name, and directory checks to detect if it’s running in a virtualized environment and exits if it does. The results of these checks are sent to the C2 in the initial phase of the infection to be used for victim profiling.

In mid-August, a new variant of the backdoor featured minor changes like the removal of some noisy preliminary checks and the addition of new file-stealing capabilities. Most notably, the new version adds a module that targets user passwords stored in 27 web browsers and the Thunderbird email client.

Browsers targeted by the latest backdoor version include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a popular and trusted browser in Russia. The AES key has been refreshed in this malware version, and RSA asymmetric encryption has been added to protect client-C2 command and parameter communications.

Source – https://www.bleepingcomputer.com/news/security/hackers-backdoor-russian-state-industrial-orgs-for-data-theft/

Cyberattack on Health Services Provider Impacts 5 Canadian Hospitals

A cyberattack on shared service provider TransForm has impacted operations in five hospitals in Ontario, Canada, affecting patient care and causing appointments to be rescheduled. TransForm is a not-for-profit, shared service organization founded by five hospitals in Erie St. Clair, Ontario, to manage their IT, supply chain, and accounts payable.

The service provider issued a statement saying that its IT systems are experiencing an outage due to a cyberattack. TransForm’s press release states that patients who have scheduled appointments in the next couple of days might need to make arrangements for a later date.

The organization says it is investigating the cause and scope of the incident, and for now, it has not yet been determined if any patient information was affected.

The five hospitals impacted by the situation are:

  • Windsor Regional Hospital – One of the largest hospitals in the region, offering 642 acute care beds.
  • Hotel Dieu Grace – Complex medical care, mental health, and rehabilitation institution providing 313 beds.
  • Erie Shores Healthcare – Significant all-around healthcare provider in the area with 72 beds.
  • Hospice of Windsor-Essex – End-of-life care provider with 23 beds.
  • Chatham-Kent Health Alliance – Versatile community hospital with a capacity of 200 beds.

A joint statement released by the five hospitals regarding the cyberattack informs patients of problems with scheduled appointments. Those with scheduled appointments will be contacted directly to reschedule, while patients not in an emergency are advised to refrain from visiting the hospitals.

“For those patients who have care scheduled in the next few days, we will contact you directly, if possible, to reschedule or provide alternate arrangements,” reads the joint press release.

“Unfortunately, we may not be able to reach all patients, and we request your understanding if we are required to reschedule care in person at our facilities.”

“Also, we would continue to ask if you are not needing emergency care to attend your primary care provider or local clinic to reduce the impact upon the Hospitals as we work towards addressing these issues and focus on those needing hospital care.”

As the nature of the cyberattack and the scope of the incident have not been determined, those who have received healthcare services at the mentioned institutions in the past are advised to maintain a watchful stance and treat unsolicited communications with suspicion.

Source – https://www.bleepingcomputer.com/news/security/cyberattack-on-health-services-provider-impacts-5-canadian-hospitals/

University of Michigan Employee, Student Data Stolen in Cyberattack

The University of Michigan said in a statement this week that it suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.

Unauthorized access to the servers lasted between August 23-27, the university says, and the data exposed included personal, financial, and medical details.

“This notice is to inform you about an incident that involved unauthorized access to personal information maintained by the University of Michigan,” starts the data incident update from the university.

After detecting suspicious activity in August, the University of Michigan isolated its entire campus network from the internet to minimize the impact.

Following a detailed analysis from “a dedicated review team,” the University believes that besides personal data, like an individual’s name, the threat actor also accessed medical and financial information.

For students, applicants, alumni, donors, employees, and contractors, the educational organization says that the following details were exposed:

  • Social Security number
  • driver’s license or other government-issued ID number
  • financial account or payment card number
  • health information

Data belonging to participants in research studies and patients of the University Health Service and School of Dentistry may have been impacted, too:

  • demographic info (e.g., Social Security number, driver’s license or government-issued ID number)
  • financial information (e.g., financial account or payment card number or health insurance information)
  • University Health Service and School of Dentistry clinical information (e.g., medical record number or diagnosis or treatment or medication history)
  • information related to participation in certain research studies

All individuals whose information was exposed during the breach have been informed of the incident. The letters were mailed today and may take up to five days to reach the destination.

“Out of an abundance of caution, we are offering individuals whose sensitive information may have been involved in this incident complimentary credit monitoring services” – University of Michigan

The University of Michigan disclosed the intrusion shortly after discovering it, about a week later, and forced a password reset for the accounts on its computer systems.

The educational institution is one of the oldest and largest in the United States, with an academic and administrative staff of more than 30,000 and about 51,000 students.

Source – https://www.bleepingcomputer.com/news/security/university-of-michigan-employee-student-data-stolen-in-cyberattack/

American Family Insurance Confirms Cyberattack is Behind IT Outages

Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week.

American Family Insurance (AmFam) is an insurance company focusing on commercial and personal property, casualty, auto, and life insurance, as well as offering investment and retirement planning. The company employs 13,000 people and had 2022 revenue of $14.4 billion.

American Family Insurance confirmed that they detected unusual activity on their network and shut off IT systems to prevent the spread of the cyberattack.

“This week, the technology teams at American Family Insurance detected unusual activity in a portion of our network. We quickly took precautionary measures to protect data and resources and shut down several business systems,” said an AmFam spokesperson.

“We recognize the system outages are impacting customers, agents and employees and we appreciate their patience and understanding.”

“Our investigation into the activity is ongoing and includes internal and third-party experts. To date, we have not detected any compromises to critical business, customer data processing or storage systems, and several components of our enterprise continue to operate without interruption.”

The company hopes to bring systems back online as it continues investigating the breach and determining it is safe.

Since this past weekend, American Family Insurance has suffered IT outages impacting the company’s phone service, building connectivity, and online services. Internet connectivity was shut down by American Family Insurance after the attack, impacting other tenants of the same building.

Customers have reported being unable to pay bills or file claims online, only to be met with messages stating that the online site is down and to contact them via phone instead.

“We are currently experiencing a service outage. If you need to file a claim, please call 1-800-692-6326,” reads a message on AmFam’s site.

“If you are unable to make a payment, you can do so when the system is back up and you will not be penalized. We appreciate your patience and understanding.”

Similarly, attempting to pay a bill as a guest displays an error message stating, “The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

It is unclear what type of attack American Family Insurance suffered, but it shares signs similar to ransomware attacks plaguing the enterprise. Many of these attacks occur over the weekend, when fewer employees are monitoring the network or using their computers and likely to notice suspicious activity.

As part of the attacks, the threat actors commonly spread throughout the network, stealing data and encrypting devices. When the attack is completed, victims are left with ransom notes warning that the data will be leaked publicly if a ransom demand is not paid.

Unfortunately, these tactics have been very successful, with blockchain analysis company Chainalysis reporting that ransomware gangs have earned at least $449.1 million in 2023.

Source – https://www.bleepingcomputer.com/news/security/american-family-insurance-confirms-cyberattack-is-behind-it-outages/
