Thursday, September 28th, 2023
Cybersecurity Week in Review (29/09/2023)
Building Automation Giant Johnson Controls Hit by Ransomware Attack
Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company devices, including VMware ESXi servers, impacting the company’s and its subsidiaries’ operations.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment. The company employs 100,000 people through its corporate operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.
Yesterday, a source stated that Johnson Controls suffered a ransomware attack after initially being breached at its Asia offices. The cyberattack occurred over the weekend and caused the company to shut down portions of its IT systems. Since then, many of its subsidiaries, including York, Simplex, and Ruskin, have begun to display technical outage messages on website login pages and customer portals.
“We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal,” reads a message on the Simplex website.
“We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved.”
Customers of York, another Johnson Controls subsidiary, report that they are being told the company’s systems are down, with some stating they were told it was due to a cyberattack.
“Their computer system crashed over the weekend. Manufacturing and everything is down,” a York customer posted to Reddit.
“I talked to our rep and he said someone hacked them,” posted another customer.
This morning, a threat researcher tweeted a sample of a Dark Angels VMware ESXi encryptor containing a ransom note stating it was used against Johnson Controls. The ransom note links to a negotiation chat where the ransomware gang demands $51 million to provide a decryptor and to delete stolen data. The threat actors also claim to have stolen over 27 TB of corporate data and encrypted the company’s VMware ESXi virtual machines during the attack.
Johnson Controls confirmed the cybersecurity incident in a Form 8-K filing with the SEC, stating that they are working with external cybersecurity experts to investigate the incident and coordinating with insurers.
Dark Angels is a ransomware operation launched in May 2022 when it began targeting organizations worldwide. Like almost all human-operated ransomware gangs, Dark Angels breaches corporate networks and then spreads laterally through the network. During this time, the threat actors steal data from file servers to be used in double-extortion attacks.
When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network. The threat actors initially used Windows and VMware ESXi encryptors based on the source code leak for the Babuk ransomware.
Dark Angels launched a data leak site in April 2023 called ‘Dunghill Leaks’ that is used to extort its victims, threatening to leak data if a ransom is not paid. This extortion site currently lists nine victims, including Sabre and Sysco, who recently disclosed cyberattacks.
Florida city duped out of $1.2M in simple BEC scam
Scammers impersonated a construction company building a new police headquarters to trick the Florida city of Fort Lauderdale out of $1.2 million. Law enforcement is now investigating.
“During the construction project, residents and visitors will see an increased presence of construction vehicles, equipment, and personnel in the vicinity of the construction site,” the Fort Lauderdale Police Department announced at the beginning of August.
Residents of this city in the US state of Florida had indeed approved funding for the $119 million construction project back in 2019.
The city paid the sum after receiving what it believed to be a legitimate bill from Moss Construction. The incident took place on September 14, and the wrong transaction was discovered six days later.
“Someone sent a request for an ACH payment (Automated Clearing House electronic funds transfer) pretending to be Moss Construction,” Fort Lauderdale City Manager Greg Chavarria told staff in a Wednesday email, according to a report by the South Florida Sun Sentinel.
“The scammer filled out the paperwork and had a blank check attached. Accounts Payable checked the names and they matched corporate records.”
Dean Trantalis, the mayor of Fort Lauderdale, also told WSVN that the scam “wasn’t just an email, like, ‘Hey, this is Moss Construction. Send me $1.2 million.’ It was followed up with full documentation, multiple paperwork.”
The Fort Lauderdale Police Department has offered few details about the ongoing investigation – its homepage and Facebook account are silent about the incident. The city’s bank is working to get the money back, but it’s going to take some time.
Business email compromise and phishing scams targeting city governments have been on the rise in the US.
A February report by the Federal Trade Commission (FTC) shows that consumers lost nearly $8.8 billion to fraud in 2022, citing imposter scams as the most commonly reported online fraud.
The FTC defines phishing as an online scam that targets people, businesses, and agencies through messages sent via email, text, or direct message that appear to be from a reputable source. Attackers may use credible information about a company and its employees to make their messages more realistic.
New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software
A new malware strain called ZenRAT has emerged in the wild that’s distributed via bogus installation packages of the Bitwarden password manager.
The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page. The malware is a modular remote access trojan (RAT) with information stealing capabilities.
ZenRAT is hosted on fake websites pretending to be associated with Bitwarden, although it’s uncertain as to how traffic is being directed to the domains. Such malware has been propagated via phishing, malvertising, or SEO poisoning attacks in the past.
The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis[.]com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe).
A noteworthy aspect of the campaign is that users who end up visiting the deceptive website from non-Windows systems are redirected to a cloned opensource.com article published in March 2018 about “How to manage your passwords with Bitwarden, a LastPass alternative.”
Further, Windows users clicking on download links marked for Linux or macOS on the Downloads page are redirected to the legitimate Bitwarden site, vault.bitwarden.com.
An analysis of the installer’s metadata reveals attempts on the part of the threat actor to masquerade the malware as Piriform’s Speccy, a freeware Windows utility to show hardware and software information.
The digital signature used to sign the executable is not only invalid, but also claims to be signed by Tim Kosse, a well-known German computer scientist known for developing the free cross-platform FTP software FileZilla.
ZenRAT, once launched, gathers details about the host, including CPU name, GPU name, operating system version, browser credentials, and installed applications and security software, and transmits them to a command-and-control (C2) server (185.186.72[.]14) operated by the threat actors.
ZenRAT is also configured to transmit its logs to the server in plaintext, which captures a series of system checks carried out by the malware and the status of the execution of each module, indicating its use as a “modular, extendable implant.”
To mitigate such threats, it’s recommended that users download software only from trusted sources and ensure the authenticity of the websites.
The disclosure comes as the information stealer known as Lumma Stealer has been observed compromising manufacturing, retail, and business industries since the beginning of August 2023.
In a related campaign, rogue websites impersonating Google Business Profile and Google Sheets were found to trick users into installing a stealer malware dubbed Stealc under the pretext of a security update.
DarkBeam leaks billions of email and password combinations
DarkBeam, a digital risk protection firm, left an Elasticsearch and Kibana interface unprotected, exposing records with user emails and passwords from previously reported and non-reported data breaches.
According to CEO of SecurityDiscovery Bob Diachenko, who first identified the leak, the now-closed instance contained over 3.8 billion records.
DarkBeam has apparently been collecting information to alert its customers in case of a data breach. The incident will most likely affect more than DarkBeam users alone. The data leak, first identified on September 18th, was closed instantly after Diachenko informed the company about the issue.
Diachenko claims that such data leaks usually happen due to human error, for example when employees forget to password-protect the instance after maintenance.
Among the leaked data, there were 16 collections named “email 0-9” and “email A-F,” each containing 239,635,000 records.
Exposing the collections of login pairs – emails and passwords – is dangerous as it provides malicious actors with almost limitless attack capabilities.
While the majority of the leaked data comes from already known sources, the extensive and organized compilation of this data presents a significant threat to individuals whose credentials have been disclosed.
Threat actors might target affected users with crafted phishing campaigns using their personal information. Phishing messages often impersonate trusted people or organizations to trick victims into giving up sensitive data.
Similar databases – large combinations of email and password pairs – have been leaked in the past. So far, the largest leaked password collection of all time, dubbed RockYou, contained 8.4 billion password entries, which had presumably been combined from previous data leaks and breaches.
ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year.
The actor, active since July 16, 2022, has been linked to ransomware activity related to Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains, while also deploying off-the-shelf post-exploitation tools like Cobalt Strike and Sliver as well as loaders such as IcedID and Matanbuchus.
The findings are based on a distinct SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) discovered on 85 servers, 52 of which have been used as command-and-control (C2) for Cobalt Strike. Among those servers are eight different Cobalt Strike license keys (or watermarks).
A majority of the servers (23) are located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3).
Additional infrastructure overlaps have been found that connect ShadowSyndicate to TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations.
The disclosure comes as the German law enforcement authorities announced a second targeted strike against actors associated with the DoppelPaymer ransomware group, some of whom were targeted earlier this March, executing search warrants against two suspects in Germany and Ukraine.
The individuals, a 44-year-old Ukrainian and a 45-year-old German national, are alleged to have held key responsibilities within the network and received illicit proceeds from the ransomware attacks. Their names were not disclosed.
The development also follows a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) about a double extortion actor called Snatch (formerly Team Truniger) that has targeted a wide range of critical infrastructure sectors since mid-2021.
“Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network,” the agencies said, calling out their consistent evolution of tactics and the ability of the malware to evade detection by rebooting Windows systems into Safe Mode.
“Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) for brute-forcing and gaining administrator credentials to victims’ networks. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces.”
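The advisory above describes RDP brute-forcing as the affiliates’ primary way in. The following is an added detection example, not part of the advisory or of this review: it counts failed logons (Windows event ID 4625) per source address inside a sliding time window and flags a source that crosses a threshold, noting whether a successful logon (4624) followed. The log lines are constructed and use a simplified one-line-per-event format rather than the real Windows event XML; the threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp event_id account source_ip".
# 203.0.113.7 fails six times in two minutes and then succeeds;
# 198.51.100.5 is a user mistyping a password twice.
SAMPLE_EVENTS = """\
2023-09-25T02:14:01 4625 administrator 203.0.113.7
2023-09-25T02:14:03 4625 administrator 203.0.113.7
2023-09-25T02:14:06 4625 administrator 203.0.113.7
2023-09-25T02:14:09 4625 admin 203.0.113.7
2023-09-25T02:14:12 4625 admin 203.0.113.7
2023-09-25T02:15:40 4625 administrator 203.0.113.7
2023-09-25T02:15:55 4624 administrator 203.0.113.7
2023-09-25T09:00:00 4625 jdoe 198.51.100.5
2023-09-25T09:00:20 4625 jdoe 198.51.100.5
2023-09-25T09:00:41 4624 jdoe 198.51.100.5
"""


def parse_events(text):
    """Parse the simplified log format into (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {...}} for every source with >= threshold failed
    logons (4625) inside any `window`-long span. The record also says whether
    a successful logon (4624) from that source followed the burst, which is
    the case most worth escalating."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == 4625]
        for i in range(len(failures)):
            # Advance j while failures[j] is still inside the window starting at i.
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_start = failures[i][0]
                success_after = any(e[1] == 4624 and e[0] >= burst_start for e in evs)
                findings[src] = {
                    "failures": len(failures),
                    "accounts": sorted({e[2] for e in failures}),
                    "success_after_failures": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

In production the same logic would be fed from the Security event log filtered on logon type 10 (RemoteInteractive) so that console and service logons do not inflate the counts.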
The U.S. Department of Homeland Security (DHS), in its latest Homeland Threat Assessment report, noted that ransomware groups are continuously developing new methods to improve their ability to financially extort victims, making 2023 the second most profitable year after 2021.
“These groups have increased their use of multilevel extortion, in which they encrypt and exfiltrate their targets’ data and typically threaten to publicly release stolen data, use DDoS attacks, or harass the victim’s customers to coerce the victim to pay,” the DHS report said.
Akira is a case in point. The ransomware has expanded its reach since emerging as a Windows-based threat in March 2023 to include Linux servers and VMware ESXi virtual machines, underscoring its ability to quickly adapt to trends. As of mid-September, the group has successfully hit 110 victims in the U.S. and the U.K.
The constant flux in the threat landscape is best exemplified by BlackCat, Cl0p, and LockBit, which have remained some of the most prolific and evolutionary ransomware families in recent months, primarily targeting small and large enterprises spanning banking, retail, and transportation sectors. The number of active RaaS and RaaS-related groups has grown in 2023 by 11.3%, rising from 39 to 45.
A report last week detailed two LockBit attacks in which the e-crime group was observed leveraging the victim companies’ internet-exposed remote monitoring and management (RMM) tools (or their own) to spread the ransomware across the IT environment or push it to their downstream customers.
The reliance on such living-off-the-land (LotL) techniques is an attempt to avoid detection and confuse attribution efforts by blending malicious and legitimate use of IT management tools.
Sony Investigating After Hackers Offer to Sell Stolen Data
Sony has launched an investigation after a cybercrime group claimed to have compromised the company’s systems, offering to sell stolen data.
A representative of the Japanese electronics and entertainment giant said that it’s currently investigating the situation and has no further comments at this time.
The probe was launched after a relatively new ransomware group named RansomedVC listed Sony on its Tor-based website, claiming to have compromised all Sony systems.
“We won’t ransom them,” the hackers said. “We will sell the data due to Sony not wanting to pay. Data is for sale.”
The cybercriminals have provided several files in an effort to demonstrate their claims, including some Java files and screenshots apparently showing access to source code and applications associated with Sony’s Creators Cloud media production solution.
One leaked file, a PowerPoint slideshow, is marked ‘confidential’ and appears to be from Sony’s quality department, but it’s dated 2017.
A majority of the leaked files seem to originate from servers associated with Creators Cloud and the hackers have not provided evidence that all Sony systems have been compromised. It’s not uncommon for these types of cybercrime groups to make exaggerated claims.
Threat intelligence group VX-Underground reported on X (formerly Twitter) that the cybercriminals did not deploy file-encrypting ransomware or steal any corporate data. They allegedly exfiltrated data from Jenkins, SVN, SonarQube, and Creators Cloud development systems.
The RansomedVC group’s website currently lists nearly 40 victims, with ransom demands ranging between a few thousand dollars and $1 million, depending on the targeted organization’s size and revenue. The group announced its first victim in early 2023.
On the same day it announced Sony as a target, RansomedVC also listed Japanese mobile phone operator NTT Docomo as a victim on its website.
The gang claims they do not target Russian and Ukrainian organizations as most of its members are from these countries.
Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions
An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S.
The campaign leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors. Other prominently targeted countries include Spain, Canada, Italy, and Belgium.
Xenomorph is a variant of another banker malware called Alien which first emerged in 2022. Later that year, the financial malware was propagated via a new dropper dubbed BugDrop, which bypassed security features in Android 13.
A subsequent iteration spotted earlier this March came fitted with features to conduct fraud using what’s known as the Automatic Transfer System (ATS).
The feature allows its operators, named Hadoken Security, to completely seize control over the device by abusing Android’s accessibility privileges and illicitly transfer funds from the compromised device to an actor-controlled account.
The malware also leverages overlay attacks to steal sensitive information such as credentials and credit card numbers by displaying fake login screens on top of the targeted bank apps. The overlays are retrieved from a remote server in the form of a list of URLs.
In other words, the ATS framework makes it possible to automatically extract credentials, access account balance information, initiate transactions, obtain MFA tokens from authenticator apps, and perform fund transfers, all without the need for any human intervention.
Some of the new capabilities added to the latest versions of Xenomorph include an “antisleep” feature that prevents the phone’s screen from turning off by creating an active push notification, an option to simulate a simple touch at a specific screen coordinate, and impersonate another app using a “mimic” feature.
As a way to bypass detection for long periods of time, the malware hides its icon from the home screen launcher upon installation. The abuse of the accessibility services further allows it to grant itself all the permissions it needs to run unimpeded on a compromised device.
Previous versions of the banking trojan have masqueraded as legitimate apps and utilities on the Google Play Store. But the latest attack wave observed in mid-August 2023 switches up the modus operandi by distributing the apps through counterfeit sites offering Chrome browser updates.
In a sign that the threat actors are targeting multiple operating systems, the investigation found that the payload hosting infrastructure is also being used to serve Windows stealer malware such as Lumma C2 and RisePro, as well as a malware loader referred to as PrivateLoader.
BORN Ontario child registry data breach affects 3.4 million people
The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware’s MOVEit hacking spree.
BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.
MOVEit attacks leveraged a zero-day vulnerability (CVE-2023-34362) in the Progress MOVEit Transfer software to compromise and steal data from thousands of organizations worldwide.
BORN first became aware of the security breach on May 31 and posted a public notice on its site while simultaneously notifying the relevant authorities (Privacy Commissioner of Ontario).
The firm engaged with cybersecurity experts to isolate the impacted servers and contain the threat, which allowed its operations to continue.
The investigation revealed that the threat actors copied files containing sensitive information of approximately 3.4 million people, primarily newborns and pregnancy care patients, who benefited from BORN services between January 2010 and May 2023. The exposed data includes the following:
- Full name
- Home address
- Postal code
- Date of birth
- Health card number
Depending on the type of care received by BORN, the additional data below may have been exposed as well:
- Dates of service/care
- Lab test results
- Pregnancy risk factors
- Type of birth
- Pregnancy and birth outcomes
BORN created a web page with details about the impact the incident has on its patients and who is likely affected by the data theft.
Despite confirming the data breach, BORN says there is no evidence that any stolen data is being circulated on the dark web yet.
“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes,” reads BORN’s notice.
“We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale” – BORN
Individuals who are potentially impacted by this security incident are not advised to take any action at this time other than treating incoming communication with caution and being especially suspicious of unsolicited messages requesting sensitive data.
Any suspicious activity detected on online accounts or defrauding attempts should be reported to the police and concerned service providers.
Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals
Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.
Since drones, or Unmanned Aerial Vehicles (UAVs), have been an integral tool of the Ukrainian military, malware-laced lure files themed as UAV service manuals have begun to surface. The campaign is being tracked under the name STARK#VORTEX.
The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.
This is the first time Ukrainian government organizations have been targeted using Merlin. In early August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain that employs CHM files as decoys to infect the computers with the open-source tool.
CERT-UA attributed the intrusions to a threat actor it monitors under the name UAC-0154.
The development arrives weeks after the CERT-UA said it detected an unsuccessful cyber attack against an unnamed critical energy infrastructure facility in the country undertaken by the Russian state-sponsored crew called APT28.
New stealthy and modular Deadglyph malware used in govt attacks
A novel and sophisticated backdoor malware named ‘Deadglyph’ was seen used in a cyberespionage attack against a government agency in the Middle East. The Deadglyph malware is attributed to the Stealth Falcon APT (aka Project Raven or FruityArmor), a state-sponsored hacking group from the United Arab Emirates (UAE).
The hacking group has been known for targeting activists, journalists, and dissidents for almost a decade.
A newly released report shares an analysis of the new modular malware and how it infects Windows devices. The means of initial infection was not stated, but it is suspected that a malicious executable, possibly a program installer, is used.
Deadglyph’s loading chain begins with a registry shellcode loader (DLL) that extracts code from the Windows registry to load the Executor (x64) component, which in turn loads the Orchestrator (.NET) component.
Only the initial component exists on the compromised system’s disk as a DLL file, minimizing the likelihood of detection. The loader will load the shellcode from the Windows Registry, which is encrypted to make analysis more challenging.
As the DLL component is stored on the filesystem, it is more likely to be detected. Due to this, the threat actors utilized a homoglyph attack in the VERSIONINFO resource, using distinct Greek and Cyrillic Unicode characters to mimic Microsoft’s information and appear as a legitimate Windows file.
This method employs distinct Unicode characters that appear visually similar, but in this case not identical, to the original characters, specifically Greek Capital Letter San (U+03FA, Ϻ) and Cyrillic Small Letter O (U+043E, о) in Ϻicrоsоft Corpоratiоn.
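Because the two substituted characters render almost identically to their Latin counterparts, a string comparison against “Microsoft Corporation” will simply fail while the eye is fooled. The following is an added detection example, not code from the report or from this review: it walks the letters of vendor-identifying VERSIONINFO strings, labels each letter’s script from its Unicode name, and flags any file whose CompanyName or ProductName mixes scripts or contains non-Latin letters. The VERSIONINFO entries are constructed samples; in practice the strings would be read from the PE resource with a library such as pefile, which the example does not do so that it runs offline.

```python
import unicodedata

# Constructed sample VERSIONINFO strings. "suspect.dll" reproduces the trick
# described above: U+03FA (Greek Capital Letter San) in place of "M" and
# U+043E (Cyrillic Small Letter O) in place of every "o".
SAMPLE_VERSIONINFO = {
    "legit.dll": {
        "CompanyName": "Microsoft Corporation",
        "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
    },
    "suspect.dll": {
        "CompanyName": "\u03facr\u043es\u043eft Corp\u043erati\u043en",
        "ProductName": "Windows Shell Common Dll",
    },
}


def script_of(ch):
    """Coarse script label taken from the first word of the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "GREEK", "CYRILLIC", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"  # digits, punctuation, symbols such as the registered sign


def find_homoglyphs(text):
    """Return (index, char, 'U+XXXX', script) for every non-Latin letter in text.
    Non-letters (spaces, the registered sign, digits) are ignored."""
    hits = []
    for i, ch in enumerate(text):
        if ch.isalpha():
            script = script_of(ch)
            if script != "LATIN":
                hits.append((i, ch, f"U+{ord(ch):04X}", script))
    return hits


def mixed_script(text):
    """True when the letters of text come from more than one script."""
    return len({script_of(ch) for ch in text if ch.isalpha()}) > 1


def audit_versioninfo(entries):
    """Map filename -> list of (field, value, hits) for fields containing non-Latin letters."""
    findings = {}
    for filename, fields in entries.items():
        for field, value in fields.items():
            hits = find_homoglyphs(value)
            if hits:
                findings.setdefault(filename, []).append((field, value, hits))
    return findings


if __name__ == "__main__":
    for filename, problems in audit_versioninfo(SAMPLE_VERSIONINFO).items():
        for field, value, hits in problems:
            print(f"{filename}: {field}={value!r} mixed_script={mixed_script(value)}")
            for idx, ch, cp, script in hits:
                print(f"  offset {idx}: {ch} {cp} {script} {unicodedata.name(ch)}")
```

The check is deliberately strict about scripts rather than relying on a confusables table: a vendor string for a Windows system file has no legitimate reason to contain Greek or Cyrillic letters, so any non-Latin letter in CompanyName is a finding regardless of how close it looks to its Latin twin.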
The Executor component loads AES-encrypted configurations for the backdoor, initializes the .NET runtime on the system, loads the .NET part of the backdoor, and acts as its library.
Finally, the Orchestrator is responsible for command and control server (C2) communications, using two modules for the task, ‘Timer’ and ‘Network.’
If the backdoor fails to establish communications with the C2 server after a determined period, it triggers a self-removal mechanism to prevent its analysis by researchers and cybersecurity experts.
The Deadglyph malware is modular, meaning it will download new modules from the C2 that contain different shellcodes to be executed by the Executor component.
Using a modular approach allows the threat actors to create new modules as needed to tailor attacks, which can then be pushed down to victims to perform additional malicious functionality.
These modules have Windows and custom Executor APIs at their disposal, with the latter offering 39 functions that make it possible to perform file operations, load executables, access Token Impersonation, and perform encryption and hashing.
It is believed there are nine to fourteen different modules, but the researchers could only obtain three: a process creator, an info collector, and a file reader.
The information collector uses WMI queries to feed the Orchestrator with the following information about the compromised system:
- operating system
- network adapters
- installed software
- environment variables
- security software
The process creator is a command execution tool that executes specified commands as a new process and gives the result to the Orchestrator. The file reader module reads the content of files and passes it to the Orchestrator, while it also gives the operators the option to delete the file after reading.
National Student Clearinghouse data breach impacts 890 schools
U.S. educational nonprofit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools using its services across the United States.
In a breach notification letter filed with the Office of the California Attorney General, Clearinghouse said that attackers gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing a wide range of personal information.
“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution,” NSC said.
“After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement.”
The personally identifiable information (PII) contained in the stolen documents includes names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records (e.g., enrollment records, degree records, and course-level data).
According to the data breach notification letters, the data exposed in the attack varies for each affected individual. The complete list of educational organizations affected by this massive data breach can be found here.
NSC provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities.
The organization says its participants enroll roughly 97% of students in public and private institutions.
In August, NSC revealed in a data breach filing with the Office of Maine’s attorney general that over 51,500 people were impacted in the incident.
The Clop ransomware gang is responsible for the extensive data-theft attacks that started on May 27, leveraging a zero-day security flaw in the MOVEit Transfer secure file transfer platform.
Starting June 15, the cyber criminals began extorting organizations that fell victim to the attacks, exposing their names on the group’s dark web data leak site.
The fallout from these attacks is anticipated to impact hundreds of organizations globally, with many already notifying affected customers over the past four months. Despite the widespread potential victim pool, estimates from Coveware suggest that only a limited number are likely to yield to Clop’s ransom demands. Nonetheless, the cybercrime gang is expected to collect an estimated $75-100 million in payments due to the high ransom requests.
Reports have also revealed that multiple U.S. federal agencies and two U.S. Department of Energy (DOE) entities have fallen prey to these data theft and extortion attacks.