Thursday, June 29th, 2023
Cybersecurity Week in Review (30/06/2023)
HSE Attack Shows Cybersecurity is no Longer a Tech Issue
In May 2021, a malicious ransomware attack struck the heart of our healthcare infrastructure, reminding us of the immense dangers posed by cyber threats. Hospitals, a vital resource for our most vulnerable, found themselves paralysed, with patient care compromised amid fears that lives could be put at risk.
Earlier this month, the HSE announced that it was a victim of the MOVEit cyber breach. This cyber attack had targeted technology being used by an external partner on a project aiming to automate part of its recruitment process.
Clearly the first of these incidents was far more serious, but both of these sobering events have served as clarion calls for a fundamental shift in how we approach cybersecurity. It’s vital that authorities realise this is not ‘just’ a tech problem facing such an integral part of our society, but a holistic risk problem that demands urgent attention.
The healthcare sector, with its vast networks of interconnected devices, electronic health records, and critical infrastructure, has long since become an enticing target for cybercriminals, and it’s becoming a more pressing issue by the day.
Over an eight-week period between April and May of this year, our experts detected a 60% spike in attempted attacks targeting Irish hospitals and healthcare settings. We’re also monitoring an alarming threat of new ‘Phishing as a Service’ kits, specifically tailored to exploit vulnerabilities in the healthcare industry, which have emerged on the darknet.
These attackers regularly seek to exploit vulnerabilities in the digital systems of hospitals, extracting sensitive patient data or disrupting essential services until a hefty ransom is paid.
Such attacks can have devastating consequences, not only due to patient safety being compromised but also the loss of public trust. To effectively address these growing threats, Ireland must embrace a holistic approach to cybersecurity in our health sector. This would go beyond the mere deployment of technological solutions and calls for a comprehensive strategy that encompasses people, processes, and technology.
First and foremost, it is essential to establish a culture of cybersecurity awareness within healthcare organisations. Employees should be educated about the potential risks, such as phishing attempts, social engineering tactics, and the importance of strong password management. Regular training sessions and simulated exercises can empower staff to become the first line of defence against cyber threats, strengthening the overall security posture of the organisation.
Furthermore, healthcare organisations must invest in robust cybersecurity frameworks that incorporate stringent policies and procedures. Conducting regular risk assessments, implementing access controls, and performing vulnerability assessments are crucial steps in identifying and mitigating potential weaknesses within the system. A proactive approach to security, rather than a reactive one, can significantly reduce the likelihood of successful cyber attacks.
Of course, technology plays a vital role in safeguarding healthcare systems. Advanced threat detection systems, firewalls, encryption protocols, and endpoint security solutions must be implemented to fortify the digital infrastructure.
Additionally, regular software updates and patches should be applied promptly to address any known vulnerabilities and ensure the systems are up to date with the latest security measures.
But even if we have all these measures in place, we can’t afford to let our guard down. We need to keep a watchful eye on our networks 24/7. By staying vigilant and ready to spot and respond to any threats that pop up in real time, we can minimise the damage. And if an incident does occur, we’ve got to have a plan for containing it. Acting quickly and decisively can make all the difference in limiting the impact and stopping the bad guys in their tracks.
Collaboration is another crucial aspect of a holistic cybersecurity strategy. Healthcare organisations should actively engage with industry peers, government agencies, and cybersecurity experts to share knowledge, best practices, and emerging threats. Together, we can build a collective defence against cybercriminals and stay one step ahead in this ever-evolving digital landscape.
The ransomware attack in May 2021, the incident reported this month, and the constant barrage of attempts we’re seeing during our monitoring services serve as powerful reminders of the immense dangers posed by cyber threats to our healthcare organisations.
To protect the lives and well-being of our citizens, we must recognise that cybersecurity is not solely a tech problem. It requires a holistic risk management approach that encompasses people, processes, and technology. By fostering a culture of cybersecurity awareness, implementing robust frameworks, deploying advanced technologies, and encouraging collaboration, we can mitigate the risks and ensure the resilience of our healthcare systems.
The stakes are high, but by acting decisively, we can safeguard the foundation of our society and protect the lives of those who depend on us.
Newly Uncovered ThirdEye Windows-based Malware Steals Sensitive Data
A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
The malware was found in an executable that masqueraded as a PDF file with a Russian name “CMK Правила оформления больничных листов.pdf.exe,” which translates to “CMK Rules for issuing sick leaves.pdf.exe.”
The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively few features.
The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.
A notable trait of the malware is that it uses the string “3rd_eye” to beacon its presence to the C2 server.
There are no signs to suggest that ThirdEye has been utilised in the wild. That said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it’s likely that the malicious activity is aimed at Russian-speaking organizations.
The development comes as trojanised installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks. The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim’s system performance, and the depletion of valuable system resources.
Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen’s development have also contributed to the creation of ScrubCrypt.
The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.
8Base Ransomware Spikes in Activity, Threatens US and Brazilian Businesses
A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a massive spike in activity in May and June 2023.
The group utilises encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.
According to statistics, 8Base has been linked to 67 attacks as of May 2023, with about 50% of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil.
With very little known about the operators of the ransomware, its origins remain something of a cipher. What’s evident is that it has been active since at least March 2022 and the actors describe themselves as “simple pentesters.”
8Base is similar to another data extortion group tracked as RansomHouse, based on overlaps in the ransom notes dropped on compromised machines and the language used in the respective data leak portals. A comparison of the two threat groups reveals that while RansomHouse openly advertises their partnerships, 8Base does not. Another crucial differentiator is their leak pages.
But in an interesting twist, a Phobos ransomware sample that uses the “.8base” file extension for encrypted files raises the possibility that 8Base could be a successor to Phobos, or that the attackers are simply making use of already existing ransomware strains without having to develop their own custom locker.
8Base is part of a wave of ransomware newbies entering the market such as CryptNet, Xollam, and Mallox, even as known families like BlackCat, LockBit, and Trigona have witnessed continuous updates to their features and attack chains to broaden their horizons beyond Windows to infect Linux and macOS systems.
UCLA, Siemens Among Latest Victims of Relentless MOVEit Attacks
Schneider Electric; Siemens Energy; the University of California at Los Angeles (UCLA); Werum, a pharmaceutical technology provider; and AbbVie, a biopharmaceutical company, are the five latest organisations identified on the Cl0p ransomware group’s Dark Web data leak site as victims of MOVEit cyberattacks.
For its part, UCLA uses MOVEit Transfer to transfer files across the campus and to other entities. In a statement, the university noted that it discovered the attack on May 28, after which it “immediately activated its incident response procedures, fixed the vulnerability using the security patch issued by Progress Software, and enhanced monitoring of the system.”
The statement continues, “the university notified the FBI and worked with external cybersecurity experts to investigate the matter and determine what happened, what data was impacted and to whom the data belongs. Those who have been impacted have been notified. This is not a ransomware incident. There is no evidence of any impact to any other campus systems.”
Last Saturday, the New York City Department of Education (DoE) revealed it was also the victim of a MOVEit cyberattack, resulting in unauthorised access to around 19,000 documents affecting 45,000 students. The managed file transfer (MFT) software was used by NYC DOE to securely transfer data and documents internally and externally to various vendors, including special education service providers.
“The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate,” the DoE announcement of the breach said. “Given that review and investigation are ongoing, we are limited in terms of additional details at this point.”
Gas Stations Impacted by Cyberattack on Canadian Energy Giant Suncor
Some services at Petro-Canada gas stations have been disrupted following a cyberattack on parent company Suncor, one of the largest energy companies in North America.
Suncor is a Canada-based company that produces oil and runs several refineries in North America. The organisation owns a network of more than 1,800 Petro-Canada retail and wholesale locations.
In a brief statement issued on June 25, Suncor said it had experienced a cybersecurity incident that may impact some transactions with suppliers and customers. The company said it brought in third-party experts to aid investigation and response efforts and noted that authorities have been notified.
“At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation,” the company said.
On June 26, Petro-Canada said on Twitter that it’s working with Suncor to respond to the cybersecurity incident, informing customers that some services may be unavailable, including credit card payments and car washes.
Petro-Canada also informed customers that they will not be able to log into their loyalty program account from the app or website.
It’s unclear if the disruptions have been caused by a ransomware attack. In these types of attacks, cybercriminals can encrypt files and steal data from the victim’s systems — they may carry out either one or both of these activities.
In 2021, American oil pipeline system Colonial Pipeline was targeted in a ransomware attack that resulted both in significant disruption and the theft of information, with the company paying millions of dollars to the attackers.
Threat actors have been observed selling access to energy organisations, including oil and gas firms, on cybercrime forums.
Hundreds of Devices With Internet-Exposed Management Interface Found in US Agencies
Hundreds of devices residing within federal networks that have internet-exposed management interfaces have been identified. During an analysis of more than 50 federal civilian executive branch (FCEB) organisations and sub-organisations, more than 13,000 distinct hosts across 100 autonomous systems were discovered.
A deep dive into a subset of roughly 1,300 of these hosts that were accessible via IPv4 addresses revealed hundreds of devices that have management interfaces exposed to the public internet, and which fall within the scope of CISA’s Binding Operational Directive (BOD) 23-02.
Meant to help federal agencies mitigate the risks associated with internet-exposed management interfaces, BOD 23-02 provides guidance on how to secure remotely accessible interfaces, which often fall victim to malicious attacks.
According to CISA, threat actors are targeting specific classes of devices that support network infrastructures in order to evade detection. After compromising these devices, the attackers often gain full access to a network.
“Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet,” CISA’s BOD 23-02 reads.
Devices searched for included access points, firewalls, routers, VPNs, and other remote server management appliances. Over 250 hosts with exposed interfaces that were running remote protocols such as SSH and Telnet were identified.
Furthermore, exposed remote access protocols (FTP, SMB, NetBIOS, and SNMP), out-of-band remote server management devices, managed file transfer tools (including MOVEit, GoAnywhere, and SolarWinds Serv-U), HTTP services exposing directory listings, Nessus vulnerability scanning servers, physical Barracuda Email Security Gateway appliances, and more than 150 instances of end-of-life software were discovered.
Vulnerabilities in all these are known to have been targeted by threat actors, often with dire consequences for hundreds of organisations, as was the case with the SolarWinds, GoAnywhere, and MOVEit attacks. Vulnerable Barracuda, Fortinet, SonicWall, and Cisco appliances are also frequent targets in malicious attacks.
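The finding above is, at its core, an inventory question: which hosts sit outside the internal address space and still answer on an administrative port? The following is an added example, not code from the article, CISA or BOD 23-02, that runs that check over a constructed inventory. The port-to-service mapping, the allowlist of internal ranges and every host, address and port in the sample are this example's own assumptions; the "public" hosts use RFC 5737 documentation addresses as stand-ins for real internet-facing ones.

```python
"""Audit a host inventory for management interfaces reachable from the internet.

Added example, not code from the article, CISA or BOD 23-02. It takes a
constructed inventory and reports hosts that are outside the organisation's
internal address space and expose one of the interface classes the article
names (SSH, Telnet, FTP, SMB, NetBIOS, SNMP, HTTPS management consoles).
"""
import ipaddress
from collections import Counter

# Address space treated as internal (RFC 1918, loopback, link-local). Anything
# else is treated as internet-facing for this audit; the sample uses RFC 5737
# documentation addresses to stand in for public ones.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Port-to-service mapping is this example's assumption: a real audit should
# confirm the service by banner or fingerprint, since 443 may be an ordinary
# website rather than an administrative console.
MANAGEMENT_PORTS = {
    22: "SSH", 23: "Telnet", 21: "FTP", 445: "SMB", 139: "NetBIOS",
    161: "SNMP", 443: "HTTPS management console", 8443: "HTTPS management console",
}
CLEARTEXT = {"Telnet", "FTP", "SNMP"}  # no transport encryption: highest priority

# Constructed inventory: (hostname, IPv4 address, open ports). All values fictional.
INVENTORY = [
    ("fw-edge-01", "203.0.113.10", [22, 443]),
    ("router-core", "10.0.0.1", [22, 23, 161]),
    ("mft-01", "198.51.100.44", [21, 443]),
    ("fileserver", "192.168.5.20", [445, 139]),
    ("ilo-rack3", "203.0.113.77", [8443]),
    ("web-public", "203.0.113.80", [80]),
]


def is_internal(ip):
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed(inventory, ports=MANAGEMENT_PORTS):
    """Return one finding per internet-facing host with a management port open."""
    findings = []
    for host, ip, open_ports in inventory:
        if is_internal(ip):
            continue
        exposed = [(p, ports[p]) for p in sorted(open_ports) if p in ports]
        if exposed:
            findings.append({
                "host": host,
                "ip": ip,
                "exposed": exposed,
                "cleartext": any(svc in CLEARTEXT for _, svc in exposed),
            })
    return findings


def summarise(findings):
    """Count exposed interfaces by service, for reporting against the directive."""
    return Counter(svc for f in findings for _, svc in f["exposed"])


if __name__ == "__main__":
    for f in find_exposed(INVENTORY):
        flag = " (cleartext protocol)" if f["cleartext"] else ""
        print(f"{f['host']} {f['ip']}: {f['exposed']}{flag}")
    print(dict(summarise(find_exposed(INVENTORY))))
```

Hosts on RFC 1918 space with Telnet or SNMP open (router-core above) are deliberately not reported: the directive's concern is exposure to the public internet, and an internal-only finding belongs in a separate hardening list rather than in the BOD 23-02 scope.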
Trojanised Super Mario Installer Goes After Gamer Data
Attackers have turned a legitimate installer for a popular Super Mario Bros game into a Trojan that spreads various malware infections — including a cryptocurrency miner and info stealer — across Windows machines.
Researchers discovered an installer for Super Mario 3: Mario Forever — a perfectly legitimate, free Windows version of the enormously popular Nintendo game — that also includes an XMR miner, a SupremeBot mining client, and the open-source Umbral Stealer. The malware bomb could be an issue for the many businesses with remote or hybrid workers who use personal devices for work purposes and vice versa.
The installer file — an NSIS installer file dubbed “Super-Mario-Bros.exe” — actually contains three executables: “super-mario-forever-v702e,” which itself is “a genuine and safe Super Mario game application,” as well as two malicious executables — “java.exe” and “atom.exe” — that deliver the malware, they said.
Perhaps the most concerning for businesses is the Umbral Stealer — a lightweight stealer written in C# that’s been available on GitHub since April — which it loads into the process memory, the researchers said. Umbral Stealer lifts credential and other data from various browsers — including Brave, Chrome, Opera, Edge, and Vivaldi — and also captures screenshots and webcam images; steals Telegram session files and Discord tokens; acquires Roblox cookies and Minecraft session files; and collects files associated with cryptocurrency wallets. The data that the stealer collects is saved to appropriate directories within the temporary folder and eventually is transmitted to the attacker using Discord webhooks, the researchers added.
Threat actors often tuck malware into game installers because of the substantial size of the online gaming community and the inherent trust gamers have that legitimate game installers are safe, the researchers said. Using Super Mario Bros. — a franchise that’s been around since the 1980s and already has millions of followers — to deliver malware makes perfect sense then, especially as the franchise has experienced a recent resurgence in popularity thanks to the release of new games and 2023’s “The Super Mario Bros. Movie.”
Malware distributed through game installers can be monetised through activities like stealing sensitive information, conducting ransomware attacks, and more. Moreover, using game installers to mine crypto is an especially popular tactic with threat actors because the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.
Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers
Microsoft has disclosed that it’s detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
The intrusions, which make use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant’s threat intelligence team said.
Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.
The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.
It’s a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area.
“These credential attacks use a variety of password spray, brute-force, and token theft techniques,” Microsoft said in a series of tweets, adding the actor “also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale.”
The tech giant further called out APT29 for its use of residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials.
“The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging,” the Windows maker said.
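The combination Microsoft describes, one guess per account from addresses that each appear only briefly, is exactly the shape that defeats a per-source-IP threshold. The following is an added example, not Microsoft's detection logic or code from the article, that shows the gap on a constructed sign-in log: the classic "distinct users per IP" count never exceeds one, while bucketing failures by time window and looking at the shape of the window (many accounts, few attempts each, many sources) flags the burst. All accounts, addresses, timestamps and thresholds are constructed for the example.

```python
"""Detect password spraying that rotates through many source addresses.

Added example, not Microsoft's detection logic. It runs over a constructed
sign-in log: one attempt per account, each from a different address within a
few seconds, which is the pattern the article describes (many accounts, one
guess each, short-lived residential proxy addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in records: timestamp, account, source IP, outcome. The
# 08:00 burst is the spray; the 09:30 lines are one user mistyping a password.
LOG = """\
2023-06-26T08:00:01Z alice@example.org 203.0.113.5 FAILED
2023-06-26T08:00:03Z bob@example.org 203.0.113.9 FAILED
2023-06-26T08:00:06Z carol@example.org 198.51.100.2 FAILED
2023-06-26T08:00:08Z dave@example.org 198.51.100.7 FAILED
2023-06-26T08:00:11Z erin@example.org 203.0.113.31 FAILED
2023-06-26T08:00:13Z frank@example.org 198.51.100.40 FAILED
2023-06-26T08:00:15Z grace@example.org 203.0.113.77 FAILED
2023-06-26T08:00:18Z heidi@example.org 198.51.100.12 SUCCESS
2023-06-26T09:30:00Z alice@example.org 192.0.2.10 FAILED
2023-06-26T09:30:05Z alice@example.org 192.0.2.10 FAILED
2023-06-26T09:30:09Z alice@example.org 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated records into dicts with aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "ip": ip, "failed": outcome == "FAILED"})
    return events


def distinct_users_per_ip(events):
    """The classic per-source count. With rotating proxies every IP looks harmless."""
    users = defaultdict(set)
    for e in events:
        if e["failed"]:
            users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items()}


def spray_windows(events, window=timedelta(minutes=10), min_users=5, min_ips=3, max_per_user=2):
    """Bucket failures by time window and flag windows whose shape matches a spray:
    many distinct accounts, few attempts per account, many distinct sources."""
    buckets = defaultdict(list)
    secs = window.total_seconds()
    for e in events:
        if e["failed"]:
            start = datetime.fromtimestamp((e["ts"].timestamp() // secs) * secs, tz=timezone.utc)
            buckets[start].append(e)
    flagged = []
    for start, fails in sorted(buckets.items()):
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        ips = {e["ip"] for e in fails}
        if len(per_user) >= min_users and len(ips) >= min_ips and max(per_user.values()) <= max_per_user:
            flagged.append({
                "window_start": start.isoformat(),
                "failures": len(fails),
                "distinct_users": len(per_user),
                "distinct_ips": len(ips),
                "ips": sorted(ips),  # the scoping list; short-lived, so capture it now
            })
    return flagged


if __name__ == "__main__":
    evts = parse_log(LOG)
    print("max distinct users from any single IP:", max(distinct_users_per_ip(evts).values()))
    for w in spray_windows(evts):
        print(w)
```

The window detector deliberately excludes buckets where one account racks up several failures: that is a lockout or brute-force signal with its own response path, whereas the spray signature is breadth across accounts with depth of one or two.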
The development comes as a new spear-phishing campaign orchestrated by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) targeting government and military entities in Ukraine since November 2021 was identified.
The attacks leveraged emails bearing attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering.
More importantly, the activity is said to dovetail with another set of attacks weaponising a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that Microsoft disclosed as employed by Russia-based threat actors in limited targeted attacks against European organisations.
The privilege escalation vulnerability was addressed as part of Patch Tuesday updates rolled out in March 2023.
The findings demonstrate Russian threat actors’ persistent efforts in harvesting valuable intelligence on various entities in Ukraine and across Europe, especially following the full-scale invasion of the country in February 2022.
American Airlines, Southwest Airlines Impacted by Data Breach at Third-Party Provider
American Airlines and Southwest Airlines have started informing thousands of pilots that their personal information was compromised in a data breach at Pilot Credentials.
A portal managing pilot and cadet recruitment applications on behalf of various airlines, Pilot Credentials informed both companies on May 3 that it had suffered a cyberattack resulting in the compromise of files on its systems.
The vendor was breached on or around April 30 and the attackers obtained files containing the personal information of pilot and cadet applicants.
The compromised information includes names, birth dates, Social Security numbers, driver’s license numbers, Airman Certificate numbers, and passport and other ID numbers.
Both airlines say they moved pilot applications to internal portals managed by the airlines themselves.
American Airlines and Southwest Airlines say that they have no evidence that the exposed information has been misused. However, stolen personal data is typically sold or shared on underground cybercrime websites and may be used in other types of attacks.
The airlines also pointed out that the attack targeted the vendor’s systems only and that neither American Airlines nor Southwest Airlines systems or networks were compromised.
American Airlines informed the Maine Attorney General’s Office that more than 5,700 individuals were impacted by the data breach. Southwest Airlines said that just over 3,000 were impacted.
In September last year, American Airlines disclosed a data breach after the email account of an employee was used in phishing attacks. The company said at the time that the personal information of multiple employees was eventually compromised in the attack.
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks
The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The adversary is being tracked under the name Vanguard Panda.
The group consistently employed ManageEngine ADSelfService Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement.
Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that’s been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organisations.
An analysis of the group’s modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.
In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others.
Vanguard Panda’s actions indicate a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.
A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that’s camouflaged as the legitimate identity security solution to sidestep detection. The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.
While it’s not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw with resultant remote code execution.
It’s suspected that the threat actor deleted artifacts and tampered with the access logs to obscure the forensic trail. However, in a glaring misstep, the process failed to account for Java source and compiled class files that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.
This includes a JSP file that’s likely retrieved from an external server and which is designed to backdoor “tomcat-websocket.jar” by making use of an ancillary JAR file called “tomcat-ant.jar” that’s also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.
The trojanised version of tomcat-websocket.jar is fitted with three new Java classes – named A, B, and C – with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda with the implant used to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.
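Two of the artefacts in this story are things a defender can check for directly: the Tomcat access log carrying POST requests to a script path the application never served, and a shipped JAR that has grown extra classes. The following is an added example, not code from the article or from any vendor, that does both over constructed data. The access-log lines, the allowlist of legitimate script paths and the in-memory JARs are all built inside the example; only the `/html/promotion/selfsdp.jspx` path and the `A.class`/`B.class`/`C.class` names come from the article. In practice the baseline entry list and hash would come from the vendor's published distribution rather than from a jar built in memory.

```python
"""Hunt for web-shell traffic in Tomcat access logs and for tampered JARs.

Added example, not from the article or any vendor. Two independent checks:
  1. POST requests to JSP/JSPX paths outside the application's known set.
  2. Entries present in a deployed JAR that are absent from a trusted baseline.
"""
import hashlib
import io
import re
import zipfile

# Combined-format access log lines, constructed for this example. The
# /html/promotion/selfsdp.jspx path is the web shell path named in the article;
# the other paths and all IPs are fictional.
ACCESS_LOG = """\
10.20.0.5 - - [12/Jun/2023:09:14:02 +0000] "GET /selfservice/ HTTP/1.1" 200 4123
10.20.0.5 - - [12/Jun/2023:09:14:09 +0000] "POST /selfservice/login.jsp HTTP/1.1" 302 0
198.51.100.23 - - [12/Jun/2023:09:20:44 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 318
198.51.100.23 - - [12/Jun/2023:09:21:01 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 2977
10.20.0.8 - - [12/Jun/2023:09:25:13 +0000] "GET /images/logo.png HTTP/1.1" 200 8712
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Script endpoints the application is known to serve. This allowlist is an
# assumption for the example; build the real one from the deployed webapp.
KNOWN_SCRIPT_PATHS = {"/selfservice/login.jsp"}


def suspicious_script_posts(log_text, allowlist=KNOWN_SCRIPT_PATHS):
    """Return (ip, timestamp, path, status) for POSTs to unexpected JSP/JSPX paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") == "POST"
                and path.lower().endswith((".jsp", ".jspx"))
                and path not in allowlist):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def build_jar(entries):
    """Create a minimal JAR (a zip) in memory from {name: bytes}; fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: a "vendor" jar and the same jar with three classes added
# at the archive root, mirroring the A/B/C classes described in the article.
_BASE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe pristine",
}
PRISTINE = build_jar(_BASE)
TROJANISED = build_jar({**_BASE, "A.class": b"\xca\xfe\xba\xbe shell",
                        "B.class": b"\xca\xfe\xba\xbe b", "C.class": b"\xca\xfe\xba\xbe c"})


def jar_entries(jar_bytes):
    """Set of file entries in the archive (directories excluded)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename for i in zf.infolist() if not i.is_dir()}


def unexpected_entries(jar_bytes, baseline_entries):
    """Entries in the deployed jar that the trusted baseline does not contain."""
    return sorted(jar_entries(jar_bytes) - set(baseline_entries))


def jar_sha256(jar_bytes):
    """Whole-file digest, to compare against a vendor-published checksum."""
    return hashlib.sha256(jar_bytes).hexdigest()


if __name__ == "__main__":
    for hit in suspicious_script_posts(ACCESS_LOG):
        print("suspicious POST:", hit)
    print("extra entries:", unexpected_entries(TROJANISED, jar_entries(PRISTINE)))
    print("hash differs:", jar_sha256(PRISTINE) != jar_sha256(TROJANISED))
```

The entry-level comparison is what catches the case the article describes: a whole-file hash tells you the jar changed, but listing the added entries tells you where to look, and single-letter class names at the archive root are not something a Tomcat library ships with. Because the article also notes the actor tampered with the access logs, treat the log check as corroboration rather than proof of absence when it comes back empty.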