Thursday, April 27th, 2023
Cybersecurity Week in Review (28/04/2023)
RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts
The threat actors behind RTM Locker have developed a ransomware strain that’s capable of targeting Linux machines, marking the group’s first foray into the open-source operating system.
The locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code. It uses a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption) to encrypt files.
RTM Locker was first documented earlier this month, being described as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that’s known to be active since at least 2015.
The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affiliates to ransom victims, in addition to leaking stolen data should they refuse to pay up.
The Linux flavor is specifically geared to single out ESXi hosts by terminating all virtual machines running on a compromised host prior to commencing the encryption process. The exact initial infector employed to deliver the ransomware is currently unknown.
Following successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk getting their data published. Decrypting a file locked with RTM Locker requires the public key appended to the end of the encrypted file and the attacker’s private key.
The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat actors to deploy Cl0p and LockBit ransomware.
Source – https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
Charming Kitten’s New BellaCiao Malware Discovered in Multi-Country Attacks
The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools.
BellaCiao is a personalised dropper that’s capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the group has utilised various means to deploy backdoors in systems belonging to a wide range of industry verticals.
The development comes as the threat actor was attributed by Microsoft to retaliatory attacks aimed at critical infrastructure entities in the U.S. between late 2021 to mid-2022 using bespoke malware such as CharmPower, Drokbk, and Soldier. Earlier this week, Mint Sandstorm was identified using an updated version of the PowerLess implant to strike organisations located in Israel using Iraq-themed phishing lures.
The exact modus operandi used to achieve initial intrusion is currently undetermined, although it’s suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine. A successful breach is followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.
BellaCiao, for its part, is notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address that’s subsequently parsed to extract the commands to be executed on the compromised system. It communicates with an attacker-controlled DNS server that sends malicious hard-coded instructions via a resolved IP address that mimics the target’s real IP address. The result is additional malware dropped via hard-coded instructions rather than traditional download. Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports the ability to upload and download arbitrary files as well as run commands.
Also spotted is a second variant of BellaCiao that substitutes the web shell for a Plink tool – a command-line utility for PuTTY – that’s designed to establish a reverse proxy connection to a remote server and implement similar backdoor features.
The campaign, which has singled out a plethora of industries and company sizes, is assessed to be an outcome of opportunistic attacks, wherein BellaCiao is customised and deployed against carefully selected victims of interest following indiscriminate exploitation of vulnerable systems.
Source – https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks.
Around since at least 2015 and also referred to as Anunak and Carbanak, FIN7 is a financially motivated group mainly focused on credit card information theft. Security researchers believe there are numerous sub-groups operating under the FIN7 umbrella. Over the past years, some of the threat actors overlapping with FIN7 operations were seen transitioning to ransomware, including REvil, DarkSide, BlackMatter, Alphv, and Black Basta.
At the end of March 2023, FIN7 attacks were discovered that exploited internet-facing servers running Veeam Backup & Replication software to execute payloads on the compromised environment. A Veeam Backup process was observed executing a shell command to download and execute a PowerShell script that turned out to be the Powertrash in-memory dropper known to be used by FIN7.
The dropper was used to drop Diceloader, a backdoor also known as Lizar, which enables attackers to perform various post-exploitation operations, and which has been linked to FIN7 before. CVE-2023-27532 (CVSS score of 7.5) was disclosed and patched in early March. Roughly two weeks later, proof-of-concept (PoC) exploitation code targeting the vulnerability was released publicly.
The threat actor was seen performing network reconnaissance, stealing information from the Veeam backup database, exfiltrating stored credentials, achieving persistence for the Diceloader backdoor, and moving laterally using the stolen credentials.
CVE-2023-27532 was addressed with the release of Veeam Backup & Replication versions 12 (build 184.108.40.2060 P20230223) and 11a (build 220.127.116.111 P20230227), which organisations need to install on the Veeam Backup & Replication server. Vulnerabilities in Veeam’s product have been exploited in previous attacks and organisations are advised to update their Backup & Replication instances as soon as possible.
Source – https://www.securityweek.com/fin7-hackers-caught-exploiting-recent-veeam-vulnerability/
Clop, LockBit ransomware gangs behind PaperCut server attacks
Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
Last month, two vulnerabilities were fixed in the PaperCut Application Server that allow remote attackers to perform unauthenticated remote code execution and information disclosure:
- CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers. (CVSS v3.1 score: 9.8 – critical)
- CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)
On April 19th, PaperCut disclosed that these flaws were actively exploited in the wild, urging admins to upgrade their servers to the latest version. A PoC exploit for the RCE flaw was released a few days later, allowing further threat actors to breach the servers using these exploits.
PaperCut is print management software compatible with all major printer brands and platforms. It is used by large companies, state organisations, and educational institutions, with the company’s website claiming it is used by hundreds of millions of people from over 100 countries.
In a series of tweets posted Wednesday afternoon, Microsoft states that it has attributed the recent PaperCut attacks to the Clop ransomware gang.
“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” tweeted Microsoft’s Threat Intelligence researchers.
Microsoft is tracking this particular threat actor as ‘Lace Tempest,’ whose activity overlaps with FIN11 and TA505, both linked to the Clop ransomware operation. Microsoft says the threat actor has been exploiting the PaperCut vulnerabilities since April 13th for initial access to the corporate network.
Once they gained access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation. Ultimately, Microsoft says a Cobalt Strike beacon was deployed and used to spread laterally through the network while stealing data using the MegaSync file-sharing application.
In addition to Clop, Microsoft says some intrusions have led to LockBit ransomware attacks. However, it’s unclear if these attacks began after the exploits were publicly released. Microsoft recommends admins apply the available patches as soon as possible as other threat actors will likely begin exploiting the vulnerabilities.
Source – https://www.bleepingcomputer.com/news/security/clop-lockbit-ransomware-gangs-behind-papercut-server-attacks/
SLP Vulnerability Allows DoS Attacks With Amplification Factor of 2,200
A high-severity vulnerability in the Service Location Protocol (SLP) can be exploited to launch denial-of-service (DoS) attacks with a high amplification factor, security researchers have warned.
A legacy internet protocol created in 1997, SLP is used for local network service discovery, without prior configuration, and can be scaled from small to large enterprise networks. The protocol was not intended to be exposed to the public internet.
Tracked as CVE-2023-29552 (CVSS score of 8.6), the newly disclosed vulnerability exists because SLP allows unauthenticated, remote attackers to register arbitrary services.
“This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor,” a NIST advisory explains.
The vulnerability allows for a DoS amplification factor of 2,200. This is possible because attackers could combine a typical reflective DoS amplification attack with service registration to increase the amount of traffic sent to the victim.
To exploit the vulnerability for DoS amplification, an attacker needs to find an SLP server on UDP port 427, register services until SLP denies more entries, send a request to the service by spoofing the victim’s IP as the origin, and then repeat the last step while the attack is ongoing.
In February 2023, more than 2,000 global companies were using SLP, with over 54,000 SLP instances found to be accessible from the internet and roughly 34,000 exploitable systems with SLP.
These vulnerable instances have been identified in Fortune 1000 organisations in the finance, insurance, healthcare, hospitality, manufacturing, technology, telecommunications, and transportation sectors. More than 670 different product types were found vulnerable, including IBM Integrated Management Module (IMM), HP printers, Konica Minolta printers, Planex routers, VMware ESXi servers, and many others.
On Tuesday, VMware warned that, while currently supported ESXi releases (ESXi 7.x and 8.x) are not impacted by CVE-2023-29552, releases that are no longer supported, such as 6.7 and 6.5, are vulnerable. Customers are advised to upgrade to a supported release as soon as possible. Disabling SLP on systems running on untrusted networks should prevent exploitation of CVE-2023-29552. Setting firewall rules to filter traffic on UDP and TCP port 427 should also mitigate the risks associated with the flaw.
On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) urged network administrators to review the available information on CVE-2023-29552 and to “consider disabling or restricting network access to SLP servers” to prevent exploitation.
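The two defensive checks the advisories above boil down to, SLP reachable from outside the network and SLP replies many times larger than the requests that triggered them, can be run over flow records. This is an added example, not code from the article or from any vendor; the flow-record format, the RFC 1918 definition of "internal", the 10x alert threshold and the sample flows are all constructed here.

```python
"""Flag SLP (port 427) internet exposure and reflection/amplification in flow records.

Added example, not from the original article. The record format and the flows
below are constructed; plug in your own NetFlow/IPFIX export to use it for real.
"""
import ipaddress
from collections import defaultdict

SLP_PORT = 427
# A reply many times larger than its request is the amplification signature the
# advisory describes (up to 2,200x); 10x is an assumed, conservative alert cut-off.
AMPLIFICATION_THRESHOLD = 10.0
# "Internal" is defined explicitly as RFC 1918 + loopback rather than via
# ipaddress.is_private, which also treats documentation ranges (203.0.113.0/24,
# used for the constructed external address below) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse one constructed record: 'src_ip src_port dst_ip dst_port proto bytes'."""
    src, sport, dst, dport, proto, nbytes = line.split()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def analyse(lines):
    """Return (servers exposed to external peers, amplification alerts)."""
    req_bytes = defaultdict(int)   # (server, peer) -> bytes sent to UDP/427
    resp_bytes = defaultdict(int)  # (server, peer) -> bytes sent from UDP/427
    exposed = set()
    for line in lines:
        f = parse_flow(line)
        if f["dport"] == SLP_PORT:
            server, peer, direction = f["dst"], f["src"], "req"
        elif f["sport"] == SLP_PORT:
            server, peer, direction = f["src"], f["dst"], "resp"
        else:
            continue
        # SLP was never meant to cross the internet: any external peer is exposure,
        # whether the transport is UDP or TCP.
        if not is_internal(peer):
            exposed.add(server)
        if f["proto"] == "udp":
            (req_bytes if direction == "req" else resp_bytes)[(server, peer)] += f["bytes"]
    alerts = []
    for (server, peer), out in resp_bytes.items():
        inbound = req_bytes.get((server, peer), 0)
        ratio = out / inbound if inbound else float("inf")
        if ratio >= AMPLIFICATION_THRESHOLD:
            # In a reflection attack the "peer" is the spoofed source, i.e. the victim.
            alerts.append({"server": server, "victim": peer, "ratio": ratio})
    return sorted(exposed), alerts


# Constructed sample: ordinary internal discovery, then spoofed requests that
# appear to come from an external victim and draw replies 2,200x their size.
SAMPLE_FLOWS = [
    "10.0.0.5 51000 10.0.0.9 427 udp 60",
    "10.0.0.9 427 10.0.0.5 51000 udp 240",
    "203.0.113.7 40000 10.0.0.9 427 udp 29",
    "10.0.0.9 427 203.0.113.7 40000 udp 63800",
    "203.0.113.7 40000 10.0.0.9 427 udp 29",
    "10.0.0.9 427 203.0.113.7 40000 udp 63800",
]

if __name__ == "__main__":
    exposed, alerts = analyse(SAMPLE_FLOWS)
    print("SLP servers talking to external peers:", exposed)
    for a in alerts:
        print(f"amplification {a['ratio']:.0f}x from {a['server']} towards {a['victim']}")
```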
Source – https://www.securityweek.com/slp-vulnerability-allows-dos-attacks-with-amplification-factor-of-2200/
Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that’s designed to deploy an updated version of a Windows backdoor called PowerLess.
The activity cluster is being tracked under its mythical creature handle Educated Manticore, which exhibits “strong overlaps” with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.
Active since at least 2011, APT35 has cast a wide net of targets by leveraging fake social media personas, spear-phishing techniques, and N-day vulnerabilities in internet-exposed applications to gain initial access and drop various payloads, including ransomware. The development is an indication that the adversary is continuously refining and retooling its malware arsenal to expand its functionality and resist analysis efforts, while also adopting enhanced methods to evade detection.
The attack chain begins with an ISO disk image file that makes use of Iraq-themed lures to drop a custom in-memory downloader that ultimately launches the PowerLess implant. The ISO file acts as a conduit to display a decoy document written in Arabic, English, and Hebrew, and purports to feature academic content about Iraq from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), indicating that the research community may have been the target of the campaign.
The PowerLess backdoor, previously spotlighted in February 2022, comes with capabilities to steal data from web browsers and apps like Telegram, take screenshots, record audio, and log keystrokes.
Two other archive files were discovered being used as part of a different intrusion set that shares overlaps with the aforementioned attack sequence owing to the use of the same Iraq-themed PDF file. Further analysis revealed that the infection chains arising from these two archive files culminate in the execution of a PowerShell script that’s engineered to download two files from a remote server and run them.
Source – https://thehackernews.com/2023/04/iranian-hackers-launch-sophisticated.html
Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD
Threat actors are employing a previously undocumented defense evasion tool dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Incidents analysed by researchers show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp.
The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms. By using valid, susceptible drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.
The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges. The threat actors using AuKill take advantage of existing privileges during the attacks, when they gained them through other means.
This is not the first time the Microsoft-signed Process Explorer driver has been weaponised in attacks. In November 2022, LockBit affiliates used an open source tool called Backstab that abused outdated versions of the driver to terminate protected anti-malware processes. Then earlier this year, a malvertising campaign was spotted utilising the same driver as part of an infection chain distributing a .NET loader named MalVirt to deploy the FormBook information-stealing malware.
The development comes as it was discovered that poorly managed MS-SQL servers are being weaponised to install the Trigona ransomware, which shares overlaps with another strain referred to as CryLock. This follows findings that the Play ransomware (aka PlayCrypt) actors have been observed using custom data harvesting tools that make it possible to enumerate all users and computers on a compromised network and copy files from the Volume Shadow Copy Service (VSS).
Play ransomware is notable not only for utilising intermittent encryption to speed up the process, but also for the fact that it’s not operated on a ransomware-as-a-service (RaaS) model. Evidence gathered so far points to the group tracked as Balloonfly carrying out the ransomware attacks as well as developing the malware themselves.
Another technique increasingly adopted by financially-motivated groups is the use of the Go programming language to develop cross-platform malware and resist analysis and reverse engineering efforts. A report last week documented a new GoLang ransomware called CrossLock that employs the double-extortion technique to increase the likelihood of payment from its victims, alongside taking steps to sidestep event tracing for Windows (ETW).
Source – https://thehackernews.com/2023/04/ransomware-hackers-using-aukill-tool-to.html
Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites
Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign.
The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into pages and posts of WordPress sites, which is then executed every time the posts are opened in a web browser.
While Eval PHP has not received an update in 11 years, statistics gathered by WordPress show that it’s installed on over 8,000 websites, with the number of downloads skyrocketing from one or two a day on average since September 2022 to 6,988 on March 30, 2023. On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days.
On some infected websites, malicious code was injected into the database’s “wp_posts” table, which stores a site’s posts, pages, and navigation menu information. The requests originate from three different IP addresses based in Russia.
The code uses the file_put_contents function to create a PHP script in the docroot of the website containing the specified remote code execution backdoor. Although the injection drops a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows the attackers to easily reinfect the website and stay hidden. Over 6,000 instances of this backdoor were detected on compromised websites in the last 6 months.
The development once again points to how malicious actors are experimenting with different methods to maintain their foothold in compromised environments and evade server-side scans and file integrity monitoring.
Site owners are advised to secure the WP Admin dashboard as well as watch out for any suspicious logins to prevent threat actors from gaining admin access and installing the plugin.
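Because the dropper lives in the database rather than on disk, file integrity monitoring alone misses it; the check that does catch it is a scan of wp_posts for plugin shortcode blocks that call file-writing or code-execution functions. This is an added example, not code from the article, Sucuri or the Eval PHP plugin; it assumes the plugin’s `[evalphp]…[/evalphp]` shortcode name and runs against an in-memory SQLite copy of wp_posts built from constructed rows (swap in a real MySQL connection for a live site).

```python
"""Scan a WordPress wp_posts table for Eval PHP blocks that drop files or run code.

Added example, not from the original article or the plugin. The shortcode name
[evalphp] is an assumption; the table rows below are constructed.
"""
import re
import sqlite3

# Assumed shortcode used by the Eval PHP plugin to mark inline PHP in a post.
SHORTCODE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.S | re.I)
# Calls that turn post content into a file on disk or execute attacker input.
# file_put_contents is the one named in the report; the rest are common companions.
SUSPICIOUS_CALLS = ("file_put_contents", "fwrite(", "eval(", "base64_decode",
                    "system(", "shell_exec", "passthru", "$_request", "$_post", "$_get")


def find_payloads(content):
    """Return, per [evalphp] block in a post, the suspicious calls it contains."""
    hits = []
    for block in SHORTCODE.findall(content):
        lowered = block.lower()
        found = [c for c in SUSPICIOUS_CALLS if c in lowered]
        if found:
            hits.append({"snippet": block.strip()[:80], "calls": found})
    return hits


def scan_posts(conn):
    """Walk every row of wp_posts (any status, drafts included) and report payloads."""
    query = "SELECT ID, post_title, post_type, post_status, post_content FROM wp_posts"
    findings = []
    for post_id, title, ptype, status, content in conn.execute(query):
        payloads = find_payloads(content or "")
        if payloads:
            findings.append({"id": post_id, "title": title, "type": ptype,
                             "status": status, "payloads": payloads})
    return findings


def build_sample_db():
    """Constructed stand-in for a site's wp_posts table (only the columns we read)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
                 "post_type TEXT, post_status TEXT, post_content TEXT)")
    rows = [
        (1, "Welcome", "post", "publish", "<p>Hello world</p>"),
        # legitimate use of the plugin: prints the current year
        (2, "Footer", "page", "publish", "[evalphp] echo date('Y'); [/evalphp]"),
        # constructed injected dropper: re-creates a PHP file in the docroot on every view
        (3, "Untitled", "post", "draft",
         "[evalphp] file_put_contents($_SERVER['DOCUMENT_ROOT'].'/cache.php', "
         "base64_decode('PAYLOAD_PLACEHOLDER')); [/evalphp]"),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    for f in scan_posts(build_sample_db()):
        print(f"post {f['id']} ({f['type']}, {f['status']}) '{f['title']}':")
        for p in f["payloads"]:
            print("   ", ", ".join(p["calls"]), "->", p["snippet"])
```

Finding a hit is only half the cleanup: the file the block writes must also be removed from the docroot, or the next page view will put it straight back.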
Source – https://thehackernews.com/2023/04/hackers-exploit-outdated-wordpress.html
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings have revealed. Their endgame consistently appears to be the regular theft of internal documents, targeting government and diplomatic entities in the CIS.
This assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023. Tomiris first came to light in September 2021, when it was highlighted as being connected to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.
Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).
Spear-phishing attacks mounted by the group have leveraged a polyglot toolset comprising a variety of low-sophistication burner implants that are coded in different programming languages and repeatedly deployed against the same targets. Besides using open source or commercially available offensive tools like RATel and Warzone RAT (aka Ave Maria), the custom malware arsenal used by the group falls into one of the three categories: downloaders, backdoors, and information stealers –
- Telemiris – A Python backdoor that uses Telegram as a command-and-control (C2) channel.
- Roopy – A Pascal-based file stealer that’s designed to hoover files of interest every 40-80 minutes and exfiltrate them to a remote server.
- JLORAT – A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, uploads and downloads files, and captures screenshots.
Further overlaps have been identified with a Turla cluster tracked under the name UNC4210, uncovering that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS by means of Telemiris.
That said, despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecrafts, once again raising the possibility of a false flag operation.
On the other hand, it’s also highly probable that Turla and Tomiris collaborate on select operations or that both the actors rely on a common software provider, as exemplified by Russian military intelligence agencies’ use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.
Source – https://thehackernews.com/2023/04/russian-hackers-tomiris-targeting.html
Google ads push BumbleBee malware used by ransomware gangs
The enterprise-targeting Bumblebee malware is being distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.
Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks. In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.
Researchers have recently discovered a new campaign using Google advertisements that promote trojanised versions of popular apps to deliver the malware loader to unsuspecting victims.
One of the campaigns started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an “appcisco[.]com” domain. This fake landing page promoted a trojanised MSI installer named “cisco-anyconnect-4_9_0195.msi” that installs the BumbleBee malware.
Upon execution, a copy of the legitimate program installer and a deceptively named PowerShell script (cisco2.ps1) are copied to the user’s computer. CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion. The PowerShell script, however, installs the BumbleBee malware and conducts malicious activity on the compromised device.
This means that Bumblebee still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products. Other software packages were found with similarly named file pairs, such as ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.
Considering that the trojanised software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks. The tools the attackers deployed on the breached environments include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.
This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.
Source – https://www.bleepingcomputer.com/news/security/google-ads-push-bumblebee-malware-used-by-ransomware-gangs/
American Bar Association breached, 1.5 million member accounts exposed
The American Bar Association (ABA), a prestigious national lawyer group, confirmed its networks were penetrated last month by an unauthorised third party, compromising the member accounts of 1.5 million attorneys.
The ABA said unusual activity was detected in their network systems on March 17, which triggered an incident response plan and investigation. They recently sent emails to all individuals affected by the incident – believed to have taken place around March 6 – to the last known email address on file. The group said the threat actors had access to the usernames and passwords for two older online accounts.
By March 23, 2023, the ABA investigation revealed that “the unauthorised third party had acquired usernames and hashed and salted passwords that could have been used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.”
“To be clear, the passwords were not exposed in plain text,” the ABA said.
“They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” the ABA notice explained.
“In addition, in many instances, the password may have been the default password assigned to the user by the ABA, if the user never changed that password on the old ABA site,” the association said.
The ABA changed its login platform in 2018 and asked each user to create new credentials, but said there may be some members who used the same credentials for the new site. They also said there is no indication any personal information compromised in the attacks has been misused, but the group is encouraging individuals to change any passwords which may be the same as or similar to the original password issued. The third party has been removed from the ABA network and the cybersecurity experts are reviewing network security configurations, the group said.
The ABA is the country’s largest voluntary bar association. It has 166,000 current dues-paying members, plus a staff of more than 1,000.
Source – https://cybernews.com/news/american-bar-association-breached-1-5-million-accounts-exposed/