Spyware

Russia-linked APT28 targets government Polish institutions

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28.

CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.

The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.

“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”

The threat actors sent emails designed to pique the recipient’s interest and encourage them to click on a link.

Upon clicking on the link, the victims are redirected to the domain run.mocky[.]io, which is a free service used by developers to create and test APIs. The domain, in turn, redirects to another legitimate site named webhook[.]site which allows logging all queries to the generated address and configuring responses.

Threat actors in the wild increasingly rely on popular services in the IT community to evade detection and speed up operations.

The attack chain includes the download of a ZIP archive file from webhook[.]site, which contains:

a Windows calculator with a changed name, e.g. IMG-238279780.jpg.exe, which pretends to be a photo and is used to trick the recipient into clicking on it,
script .bat (hidden file),
fake library WindowsCodecs.dll (hidden file).

If the victim runs the file fake image file, which is a harmless calculator, the DLL file is side-loaded to run the batch file.

The BAT script launches the Microsoft Edge browser and loads a base64-encoded page content to download another batch script from webhook.site. Meanwhile, the browser shows photos of a woman in a swimsuit with links to her genuine social media accounts, aiming to appear credible and lower the recipient’s guard. The downloaded file, initially saved as .jpg, is converted to .cmd and executed.

Finally, the code retrieves the final-stage script that gathers information about the compromised host and sends it back.

“This script constitutes the main loop of the program. In the loop for /l %n in () it first waits for 5 minutes, and then, similarly as before, downloads another script using the Microsoft Edge browser and the reference to webhook.site and executes it. This time, the file with the extension .css is downloaded, then its extension is changed to .cmd and launched.” continues the report. “The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then send them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.”

The CERT Polska team recommends network administrators to review recent connections to domains like webhook.site and run.mocky.io, as well as their appearance in received emails. These sites are commonly used by programmers, and traffic to them may not indicate infection. If your organization does not utilize these services, it’s suggested to consider blocking these domains on edge devices.

Regardless of whether your organization uses these websites, it’s also advised to filter emails for links to webhook.site and run.mocky.io, as legitimate use of these links in email content is very rare.

Last week, NATO and the European Union condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.

The Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.

“The Federal Government’s national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts.” reads the announcement published by the German Bundesregierung.

The nation-state actor exploited the zero-day flaw CVE-2023-23397 in attacks against European entities since April 2022. The Russia-linked APT also targeted NATO entities and Ukrainian government agencies.

The Czech Ministry of Foreign Affairs also condemned long-term cyber espionage activities by the group APT28. The Ministry’s statement also confirmed that Czech institutions have been targeted by the Russia-linked APT28 exploiting the Microsoft Outlook zero-day from 2023.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

North Korea-linked Kimsuky APT attack targets victims via Messenger

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.

Researchers at Genians Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. The nation-state actor attack used a fake account posing as a South Korean public official in the North Korean human rights sector. The APT group aimed at connecting with key individuals in North Korean and security-related fields through friend requests and direct messages.

The attack chain starts with the theft of the identity of a real person in South Korea, then the victims were contacted via Facebook Messenger.

Threat actors pretended to share private documents they had written with the victims.

“The initial individual approach is similar to an email-based spear phishing attack strategy. However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” reads the report published by GSC. “The Facebook screen used in the actual attack has a background photo that appears to have been taken at a public institution. Threat actors disguised as public officials try to win the favor of their targets by pretending to share private documents they have written.”

The messages included a link to a decoy document hosted on OneDrive. The file is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. One of the decoy documents (‘NZZ_Interview_Kohei Yamamoto.msc’) employed in the attacks was uploaded to the VirusTotal from Japan on April 5, 2024.

The malware had zero detection rate on VT at the upload time.

The experts speculate the APT group was targeting people in Japan and South Korea.

“This is the first time that a suspected attack against Japan was first observed, and then a variant was detected in Korea shortly after.” reads the analysis. “And if you compare the two malicious file execution screens, you can see the same pattern. Although the file name leading to execution is different, both used the name ‘Security Mode’.”

Upon launching the MSC file and allowing it to open it using Microsoft Management Console (MMC), victims are displayed a console screen containing a Word document. If the victims launch it the multi-stage attack chain starts.

The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. It misled users by labeling a task as “Open” with a description “My_Essay.docx,” making it appear as a document execution screen. Clicking “Open” triggers a malicious command. This command line involves ‘cmd.exe’ with various parameters and attempts to connect to the C2 host ‘brandwizer.co[.]in,’ registered by Whiteserver hosting in India and linked to the IP address ‘5.9.123.217’ in Germany.

The malware maintains persistence by registering a scheduled task named ‘OneDriveUpdate,’ which repeats every 41 minutes indefinitely. This interval is consistent with the timing used in previous Kimsuky group campaigns, such as ‘BabyShark‘ and ‘ReconShark.’

The malware gathered information and exfiltrated it to the C2 server, it can also harvest IP addresses, User-Agent strings, and timestamp information from the HTTP requests. The malware can also drop additional payloads on the infected machines.

“Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is spear phishing attack. In addition, the method of combining shortcut (LNK) type malicious files is steadily becoming popular. Although not commonly reported, covert attacks through social media also occur.” concludes the report.

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target European government agencies.

ESET researchers discovered two previously unknown backdoors named LunarWeb and LunarMail that were exploited to breach European ministry of foreign affairs.

The two backdoors are designed to carry out a long-term compromise in the target network, data exfiltration, and maintaining control over compromised systems.

The two backdoors compromised a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The experts speculate the Lunar toolset has been employed since at least 2020. ESET attributes the two backdoors to Russia-linked APT group Turla, with medium confidence.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The exact method of initial access in the compromises observed by ESET is still unclear. However, evidence suggests possible spear-phishing and exploitation of misconfigured Zabbix network and application monitoring software. The researchers noticed a LunarWeb component mimicking Zabbix logs and a backdoor command retrieving Zabbix agent configuration. The experts also spotted spear-phishing messages, including a weaponized Word document installing a LunarMail backdoor.

“LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications.” reads the report published by ESET.

LunarWeb uses multiple persistence methods, including creating Group Policy extensions, replacing System DLL, and deploying as part of legitimate software.

ESET reported that the execution chain starts with a loader they tracked as LunarLoader. It uses the RC4 symmetric key cipher to decrypt the payloads.

Once the Lunar backdoor has compromised a system, it waits for commands from the C2 server. The cyberspies also used stolen credentials for lateral movement.

LunarWeb can also execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.

“Our current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an unidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb. Subsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications.” continues the report. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.”

LunarMail is deployed on workstations with Microsoft Outlook, using an email-based communication system (Outlook Messaging API (MAPI)) to evade detection in environments where HTTPS traffic is monitored. The backdoor communicates with the C2 server via email attachments, often hidden in .PNG images. LunarMail can create processes, take screenshots, write files, and execute Lua scripts, allowing it to run shell and PowerShell commands indirectly.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools.” concludes the report. “Although the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.”

North Korea-linked Kimsuky used a new Linux backdoor in recent attacks

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

Symantec warns of a new Linux backdoor used by the North Korea-linked Kimsuky APT in a recent campaign against organizations in South Korea.

Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.

Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

Gomir and GoBear share a great portion of their code.

Researchers from South Korean security firm S2W first uncovered the compaign in February 2024, the threat actors were observed delivering a new malware family named Troll Stealer using Trojanized software installation packages. Troll Stealer supports multiple stealing capabilities, it allows operators to gather files, screenshots, browser data, and system information. The malicious code is written in Go, and researchers noticed that Troll Stealer contained a large amount of code overlap with earlier Kimsuky malware.

Troll Stealer can also copy the GPKI (Government Public Key Infrastructure) folder on infected computers. GPKI is the public key infrastructure schema for South Korean government personnel and state organizations, suggesting that government agencies were among the targeted by state-sponsored hackers.

The malware was distributed inside the installation packages for TrustPKI and NX_PRNMAN, software developed by SGA Solutions. Victims downloaded the packages from a page that was redirected from a specific website.

Symantec also discovered that Troll Stealer was also delivered in Trojanized Installation packages for Wizvera VeraPort.

The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.) that is requested to visit particular government and banking domains. WIZVERA VeraPort is used to digitally sign and verify downloads.

Wizvera VeraPort was previously reported to have been compromised by a supply chain attack conducted by North Korea-linked group Lazarus.

“Troll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to “D2innovation Co.,LTD”. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.” reads the report published by Symantec.

When executed, the malware checks the group ID value to determine if it is running as group 0 (group is associated with the superuser or administrative privileges) on the Linux machine, and then copies itself to /var/log/syslogd to maintain persistence persistence.

It creates a systemd service named ‘syslogd’ and starts it, then deletes the original executable and terminates the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current directory. If the crontab list is successfully updated, the malware deletes the helper file without any command-line parameters before executing it.

The Gomir backdoor periodically communicates with its C2 via HTTP POST requests to http://216.189.159[.]34/mir/index.php

The malicious code pools the commands to execute, and the researchers observed it supporting multiple commands. including:

Operation	Description
01	Pauses communication with the C&C server for an arbitrary time duration.
02	Executes an arbitrary string as a shell command (“[shell]” “-c” “[arbitrary_string]”). The shell used is specified by the environment variable “SHELL”, if present. Otherwise, a fallback shell is configured by operation 10 below.
03	Reports the current working directory.
04	Changes the current working directory and reports the working directory’s new pathname.
05	Probes arbitrary network endpoints for TCP connectivity.
06	Terminates its own process. This stops the backdoor.
07	Reports the executable pathname of its own process (the backdoor executable).
08	Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files
09	Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address
10	Configures a fallback shell to use when executing the shell command in operation 02. Initial configuration value is “/bin/sh”.
11	Configures a codepage to use when interpreting output from the shell command in operation 02.
12	Pauses communication with the C&C server until an arbitrary datetime.
13	Responds with the message “Not implemented on Linux!” (hardcoded).
14	Starts a reverse proxy by connecting to an arbitrary control endpoint. The communication with the control endpoint is encrypted using the SSL protocol and uses messages consistent with https://github.com/kost/revsocks.git, where the backdoor acts as a proxy client. This allows the remote attacker to initiate connections to arbitrary endpoints on the victim network.
15	Reports the control endpoints of the reverse proxy.
30	Creates an arbitrary file on the affected computer.
31	Exfiltrates an arbitrary file from the affected computer.

Gomir and GoBear Windows backdoor supports almost the same commands.

The latest Kimsuky campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors. The experts noticed a shift to software supply chain attacks through trojanized software installers and fake software installers. A prominent example is the 3CX supply chain attack, stemming from the earlier X_Trader attack.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors.” concludes the report. “Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

The report also provides indicators of compromise for artifacts employed in the latest campaign, including the Troll Stealer, Gomir, and the GoBear dropper.

Chinese actor ‘Unfading Sea Haze’ remained undetected for five years

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

A previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ has been targeting military and government entities since 2018.

Bitdefender researchers discovered a previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ that has been targeting military and government entities since 2018. The threat group focuses on entities in countries in the South China Sea, experts noticed TTP overlap with operations attributed to APT41.

Bitdefender identified a troubling trend, attackers repeatedly regained access to compromised systems, highlighting vulnerabilities such as poor credential hygiene and inadequate patching practices.

Unfading Sea Haze remained undetected for over five years, despite extensive artifact cross-referencing and public report analysis, no traces of their prior activities were found.

Unfading Sea Haze’s targets confirms an alignment with Chinese interests. The group utilized various variants of the Gh0st RAT, commonly associated with Chinese actors.

A notable technique involved running JScript code through SharpJSHandler, similar to a feature in the “funnyswitch” backdoor linked to APT41. Both methods involve loading .NET assemblies and executing JScript code, suggesting shared coding practices among Chinese threat actors.

However, these findings indicate a sophisticated threat actor possibly connected to the Chinese cyber landscape.

The researchers cannot determine the initial method used by Unfading Sea Haze to infiltrate victim systems because the initial breach happened over six years ago, making hard to recover forensic evidence.

However, the researchers determined that one of methods used by the threat actors to regaining access to the target organizations are spear-phishing emails. The messages use specially crafted archives containing LNK files disguised as regular documents. When clicked, the LNK files would execute malicious commands. The experts observed multiple spear-phishing attempts between March and May 2023.

Some of the email attachment names used in the attacks are:

SUMMARIZE SPECIAL ORDERS FOR PROMOTIONS CY2023
Data
Doc
Startechup_fINAL

The payload employed in the attacks is a backdoor named SerialPktdoor, however, in March 2024, the researchers observed the threat actors using a new initial access archive files. These archives mimicked the installation process of Microsoft Defender or exploited current US political issues.

The backdoor runs PowerShell scripts and performs operations on files and directories.

“These LNK files execute a PowerShell command line” reads the report. “This is a clever example of a fileless attack that exploits a legitimate tool: MSBuild.exe. MSBuild, short for Microsoft Build Engine, is a powerful tool for automating the software build process on Windows. MSBuild reads a project file, which specifies the location of all source code components, the order of assembly, and any necessary build tools.”

The threat actors maintain persistence through scheduled tasks, in order to avoid detection attackers used task names impersonating legitimate Windows files. The files are combined with DLL sideloading to execute a malicious payload.

Attackers also manipulate local Administrator accounts to maintain persistence, they were spotted enabling the disabled local Administrator account, followed by resetting its password.

Unfading Sea Haze has notably begun using Remote Monitoring and Management (RMM) tools, particularly ITarian RMM, since at least September 2022 to compromise targets’ networks. This approach represents a significant shift from typical nation-state tactics. Additionally, experts collected evidence that they may have established persistence on web servers, such as Windows IIS and Apache httpd, likely using web shells or malicious modules. However, the exact persistence mechanisms remain unclear due to insufficient forensic data.

The Chinese threat actor has developed a sophisticated collection of custom malware and hacking tools. Since at least 2018, they used SilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader. In 2023, they replaced Ps2dllLoader with a new mechanism using msbuild.exe and C# payloads from a remote SMB share. The attackers also replaced fully featured Gh0stRat variants to more modular, plugin-based versions called FluffyGh0st, InsidiousGh0st (available in C++, C#, and Go), and EtherealGh0st.

“One of the payloads delivered by Ps2dllLoader is SharpJSHandler.” reads the report. “SharpJSHandler operates by listening for HTTP requests. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.

Our investigation also uncovered two additional variations that utilize cloud storage services for communication instead of direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler retrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back to the same location.

These cloud-based communication methods present a potential challenge for detection as they avoid traditional web shell communication channels.”

The threat actors used both custom malware and off-the-shelf tools to gather sensitive data from victim machines.

One of the malware used for data collection is a keylogger called xkeylog, they also used a web browser data stealer, a tool to monitor the presence of portable devices, and a custom tool named DustyExfilTool.

The attackers are also able to target messaging applications like Telegram and Viber. They first terminate the processes for these apps (telegram.exe and viber.exe), then use rar.exe to archive the application data.

“The Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques.” concludes the report. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach.”

APT41: The threat of KeyPlug against Italian industries

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug employed in attacks against several Italian industries

During an extensive investigation, Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug, which hit for months a variety of Italian industries. This backdoor is attributed to the arsenal of APT41,a group whose origin is tied to China.

APT41, known also as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA e WICKED SPIDER originated from China (with possible ties to the government), it’s known for its complex campaigns and variety of targeted sectors, their motivation varies from exfiltration of sensible data to financial gain.

The backdoor has been developed to target both Windows and Linux operative systems and using different protocols to communicate which depend on the configuration of the malware sample itself.

Tinexta Cyber’s team has analyzed both variants for Windows and Linux, showing common elements that makes the threat capable of remaining resilient inside attacked systems, nonetheless, implants of perimetral defense were present, such as Firewalls, NIDS and EDR employed on every endpoint.

The first malware sample is an implant attacking the Microsoft Windows operating systems. The infection doesn’t directly start from the implant itself but from another component working as a loader written in the .NET framework. This loader is designed to decrypt another file simulating an icon type file. The decryption is through AES, a well-known symmetric encryption algorithm, with keys stored directly in the sample itself.

Once all decryption operations are completed, the new payload, with SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, can be analyzed. Delving deeper into that malware sample, it is possible to detect a direct correspondence with malware structure with Mandiant’s report “Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments”. In this specific case, the XOR key is 0x59.

The Linux version of the Keyplug malware, however, is slightly more complex and appears to use VMProtect. During static analysis, many strings related to the UPX packer were detected, but the automatic decompression routine did not work. This variant is designed to decode the payload code during execution, and once this is complete, it relaunches using the syscall fork. This method interrupts the analyst’s control flow, making malware analysis more difficult.

Pivoting cyber intelligence information in the cybersecurity community, a potential link has emerged between the APT41 group and the Chinese company I-Soon. On Feb. 16, a large amount of sensitive data from China’s Ministry of Public Security was exposed and then spread on GitHub and Twitter, generating great excitement in the cybersecurity community.

In addition, Hector is a possible RAT (Remote Administration Tool) if not KeyPlug itself, among the arsenal of APT41 uncovered through the I-SOON leak, according to which it can be employed on both Windows and Linux, and uses the WSS protocol. WSS (WebSocket Secure) is a network protocol used to establish a secure WebSocket connection between a client and a server. It is the encrypted version of the WS (WebSocket) protocol and relies on TLS (Transport Layer Security) to provide security, similar to how HTTPS is the secure version of HTTP. However, this type of protocol is not widely adopted by attackers for malware threats, making, therefore, the attribution narrow toward this type of threat.

A connection between the APT41 group and the ISOON data leak incident can be hypothesized. The advanced techniques used and the wide range of sectors targeted coincide with APT41’s typical modus operandi, suggesting a possible connection to this cyber espionage campaign. Deepening the investigation of the ISOON data leak, especially about the tools and methodologies employed, could offer further insight into the involvement of APT41 or similar groups.

“APT41, has always been distinguished by its sophistication and ability to conduct global cyber espionage operations. One of the tools it has used and continues to use is KEYPLUG, a modular backdoor capable of evading major detection systems has offered the attacker the ability to be silent within compromised systems for months.” Luigi Martire, Technical Leader at Tinexta Cyber told Security Affairs.
The risks associated with industrial espionage carried out by groups such as APT41 are significant. Their operations can aim to steal intellectual property, trade secrets, and sensitive information that could confer illicit competitive advantages. Companies operating in technologically advanced or strategic industries are particularly vulnerable, and the consequences of such attacks can include large economic losses, reputational damage, and compromised national security”

Technical details about the attacks and indicators of compromise (Ioc) are included in the report published by Tinexta Cyber.

MITRE December 2023 attack: Threat actors created rogue VMs to evade detection

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.

The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

MITRE spotted the foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.

“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”

The attackers deployed rogue virtual machines (VMs) to evade detection by hiding their activities from centralized management interfaces like vCenter. This tactic allows them to control the compromised systems while minimizing the risk of discovery.

On January 7, 3034, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.

The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. Mitre noted attackers exploiting a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory

In the following days, the threat actors deployed additional payloads on the target infrastrcuture, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK webshell for data exfiltration.

The threat actors exploited a default VMware account, VPXUSER, to make API calls for enumerating drives. They bypassed detection by deploying rogue VMs directly onto hypervisors, using SFTP to write files and executing them with /bin/vmx. These operations were invisible to the Center and the ESXi web interface. The rogue VMs included the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets.

“Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs.” continues the update. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”

MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, developed by MITRE, Invoke-HiddenVMQuery is written in PowerShell and serves to detect malicious activities. It scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.

“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.” MITRE concludes.

LilacSquid APT targeted organizations in the U.S., Europe, and Asia since at least 2021

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A previously undocumented APT group tracked as LilacSquid targeted organizations in the U.S., Europe, and Asia since at least 2021.

Cisco Talos researchers reported that a previously undocumented APT group, tracked as LilacSquid, conducted a data theft campaign since at least 2021.

The attacks targeted entities in multiple industries, including organizations in information technology and industrial sectors in the United States, organizations in the energy sector in Europe, and the pharmaceutical sector in Asia.

Threat actors were observed using the open-source remote management tool MeshAgent and a customized version of QuasarRAT malware tracked by Talos as PurpleInk.

PurpleInk is the primary implant in post-exploitation activity in attacks aimed at vulnerable application servers.

The attackers exploited vulnerabilities in Internet-facing application servers and compromised remote desktop protocol (RDP) credentials to deploy a variety of open-source tools, including MeshAgent and Secure Socket Funneling (SSF), alongside customized malware, such as “PurpleInk,” and “InkBox” and “InkLoader loaders.” The Secure Socket Funneling (SSF) tool allows attackers to proxy and tunnel multiple sockets through a secure TLS tunnel.

The threat actors aim to establish long-term access to compromised victims’ organizations to steal sensitive data.

The researchers pointed out that LilacSquid’s tactics, techniques, and procedures (TTPs) overlap with North Korea-linked APT groups such as Andariel and Lazarus. The Andariel APT group has been reported using MeshAgent for post-compromise access, while Lazarus extensively uses SOCKs proxy and tunneling tools along with custom malware to maintain persistence and data exfiltration. LilacSquid similarly uses SSF and other malware to create tunnels to their remote servers.

InkLoader is .NET-based loader designed to run a hardcoded executable or command. It supports persistence mechanism and was spotted deploying PurpleInk.

LilacSquid uses InkLoader in conjunction with PurpleInk when they can create and maintain remote desktop (RDP) sessions using stolen credentials. After a successful RDP login, attackers downloaded InkLoader and PurpleInk, copied to specific directories, and InkLoader is registered as a service. The service is used to launch the InkLoader, which in turn deploys PurpleInk.

PurpleInk is actively developed since 2021, it relies on a configuration file to obtain information such as the command and control (C2) server’s address and port, which is typically base64-decoded and decrypted.

PurpleInk is heavily obfuscated and versatile, the malware supports multiple RAT capabilities including:

Enumerating processes and sending details to the C2.
Terminating specified processes.
Running new applications.
Gathering drive information.
Enumerating directories and obtaining file details.
Reading and exfiltrating specified files.
Replacing or appending content to specified files.

Talos also observed the APT using a custom tool called InkBox to deploy PurpleInk prior to InkLoader.

“InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process.” reads the analysis published by Talos.

The researchers provided Indicators of Compromise (IOCs) for the above threats on GitHub.

FlyingYeti targets Ukraine using WinRAR exploit to deliver COOKBOX Malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX.

Cloudflare researchers discovered phishing campaign conducted by a Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report to describe real-time effort to disrupt and delay this threat activity.

At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, leading to significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system.

The threat actors exploited the WinRAR vulnerability CVE-2023-38831 to infect targets with malware.

Cloudflare states that FlyingYeti’s tactics, techniques, and procedures (TTPs) are similar to the ones detailed by Ukraine CERT while analyzing UAC-0149 cluster.

UAC-0149 targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023.

“The threat actor uses dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2).” reads the report published by Cloudflare. “Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities.”

Threat actors targeted users with a spoofed version of the Kyiv Komunalka communal housing site (https://www.komunalka.ua), hosted on an actor-controlled GitHub page (hxxps[:]//komunalka[.]github[.]io). Komunalka is a payment processor for utilities and other services in the Kyiv region.

FlyingYeti likely directed targets to this page via phishing emails or encrypted Signal messages. On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.

The RAR archive contains multiple files, including one with the Unicode character “U+201F,” which appears as whitespace on Windows systems. This character can hide file extensions by adding excessive whitespace, making a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”) look like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character. Upon opening the archive, the directory name also matches the benign PDF name. This naming overlap exploits the WinRAR vulnerability CVE-2023-38831, causing the malicious CMD to execute when the target attempts to open the benign PDF.

“The CMD file contains the Flying Yeti PowerShell malware known as COOKBOX. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.” continues the report. “Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the Canary Tokens service.”

The report also provide recommendations and Indicators of Compromise (IoCs).

APT28 targets key networks in Europe with HeadLace malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks against networks across Europe.

Researchers at Insikt Group observed Russian GRU’s unit APT28 targeting networks across Europe with information-stealer Headlace and credential-harvesting web pages. The experts observed the APT deploying Headlace in three distinct phases from April to December 2023, respectively, using phishing, compromised internet services, and living off the land binaries. The credential harvesting pages were designed to target Ukraine’s Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank. The credential harvesting pages created by the group can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.

In some attackers, threat actors created specially-crafted web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the provided credentials.

The compromise of networks associated with Ukraine’s Ministry of Defence and European railway systems could allow attackers to gather intelligence to influence battlefield tactics and broader military strategies. Additionally, their interest in the Azerbaijan Center for Economic and Social Development indicates a potential agenda to understand and possibly influence regional policies.

Insikt Group speculates the operation is aimed at influencing regional and military dynamics.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The attack chain used in the attacks detailed by Insikt Group has seven distinct infrastructure stages to filter out sandboxes, incompatible operating systems, and non-targeted countries. Victims who failed these checks downloaded a benign file and were redirected to Microsoft’s web portal, msn.com. Those who passed the checks downloaded a malicious Windows BAT script, which connected to a free API service to execute successive shell commands.

In December 2023, researchers from Proofpoint and IBM detailed a new wave of APT spear-phishing attacks relying on multiple lure content to deliver Headlace malware. The campaigns targeted at least thirteen separate nations.

“Upon analyzing Headlace geofencing scripts and countries targeted by credential harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen separate countries were targeted by BlueDelta. As expected, Ukraine topped the list, accounting for 40% of the activity.” reads the report published by the Insikt Group. “Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.”

Researchers call on organizations within government, military, defense, and related sectors, to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting access to non-essential internet services, and enhancing surveillance of critical network infrastructure.

UAC-0020 threat actor used the SPECTR Malware to target Ukraine’s defense forces

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Ukraine CERT-UA warned of cyber attacks targeting defense forces with SPECTR malware as part of a cyber espionage campaign dubbed SickSync.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber espionage campaign targeting defense forces in the country. The Ukrainian CERT attributes the attack to the threat actor UAC-0020 which employed a malware called SPECTR as part of the campaign tracked as SickSync.

The threat actor UAC-0020, aka Vermin, operates under the control of the law enforcement agencies of the temporarily occupied Luhansk.

The SPECTR malware has been active since at least 2019, it allows operators to steal sensitive data and files from the infected computer, it relies on the standard synchronization functionality of the legitimate SyncThing software.

Threat actors sent out spear-phishing messages with an attachment in the form of a password-protected archive named “turrel.fop.vovchok.rar”.

The archive contains another archive, named RARSFX archive (“turrel.fop.ovchok.sfx.rar.scr”) that contains the “Wowchok.pdf” decoy file, the “sync.exe” EXE installer created using InnoSetup, and the BAT file ” run_user.bat” used for initial startup.

The UA-CERT states that the “sync.exe” file contains the legitimate SyncThing components and SPECTR malware files, including additional libraries and scripts. Attackers modified the standard files of the SyncThing software to change the names of directories, scheduled tasks, disable the functionality of displaying messages to the user, etc.

The SPECTR information stealer can capture screenshots every 10 seconds, collect files, extract data from removable USB drives, and steal credentials from web browsers and applications like Element, Signal, Skype, and Telegram.

“It should be noted that the stolen information is copied to subfolders in the directory %APPDATA%\sync\Slave_Sync\, after which, using the standard synchronization functionality of the legitimate program SyncThing , the contents of these directories get to the attacker’s computer, which ensures data exfiltration.” reads the report from the CERT-UA. “From the point of view of network indicators (in case of confidence in not using the mentioned technology is authorized), taking into account the establishment of a peer-to-peer connection, among other things, we recommend paying attention to signs of interaction with the SyncThing infrastructure: *.syncthing.net.”

The report also includes indicators of cyber threats.

Sticky Werewolf targets the aviation industry in Russia and Belarus

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus.

Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute specializing in microbiology and vaccine development.

In their latest campaign, Sticky Werewolf targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance. Previously, the group used phishing emails with links to malicious files. In the latest campaign, the threat actor used archive files containing LNK files that pointed to a payload stored on WebDAV servers.

After executing the binary hosted on a WebDAV server, an obfuscated Windows batch script is launched. The script runs an AutoIt script that ultimately injects the final payload.

“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.” reads the analysis published by Morphisec. “The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.”

The archive includes a decoy PDF File and two LNK Files Masquerading as DOCX Documents named Повестка совещания.docx.lnk (Meeting agenda) and Список рассылки.docx.lnk (Mailing list) respectively.

The threat actor used phishing messages allegedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall. The recipients are individuals from the aerospace and defense sector who are invited to a video conference on future cooperation. The messages use a password-protected archive containing a malicious payload.

The payloads employed by the threat actors include commodity RATs or stealers. Recently, Sticky Werewolf was spotted using Rhadamanthys Stealer and Ozone RAT in their campaigns. In previous attacks the group also deployed MetaStealer, DarkTrack, and NetWire.

“These malwares enable extensive espionage and data exfiltration. While there is no definitive evidence of Sticky Werewolf’s national origin, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, though this attribution remains uncertain.” concludes the report that also includes Indicators of Compromise (IoCs).

China-linked Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances to breach target networks.

In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to a China-linked threat actor tracked as ‘Velvet Ant.’

The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.

The investigation revealed that the threat actor had been present in the organization’s on-premises network for about three years, aiming to maintain access for espionage purposes. They achieved persistence by establishing multiple footholds within the company’s environment. One method used was exploiting a legacy F5 BIG-IP appliance exposed to the internet, which served as an internal Command and Control (C&C). When one foothold was discovered and remediated, the threat actor quickly adapted and pivoted to another. This demonstrated their agility and deep understanding of the target’s network infrastructure.

The investigation revealed that the Chinese hackers had been present in the organization’s on-premises network for about three years. They achieved persistence by establishing multiple footholds within the company’s environment. One method used was exploiting a legacy internet-facing F5 BIG-IP appliance, which was also used by attackers as an internal Command and Control (C&C). After the researchers discovered and remediated one foothold, the APT group quickly pivoted to another. This demonstrated their agility and deep understanding of the target’s network infrastructure.

“The compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the internet, and both of which were compromised. Both F5 appliances were running an outdated, vulnerable, operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances.” reads the analysis published by Sygnia. “As a result, a backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.”

Once the attackers had compromised the F5 BIG-IP appliances, they gained access to internal file servers and deployed the PlugX RAT. The PlugX RAT was used by multiple Chinese APT groups in cyberespionage campaigns over the years.

Forensic analysis of the F5 appliances revealed that the Velvet Ant group also used the following malware in their attacks:

VELVETSTING – a tool that connects to the threat actor’s C&C once an hour, searching commands to execute. Once the tool received a command, it was executed via ‘csh’ (Unix C shell).
VELVETTAP – a tool with the ability to capture network packets.
SAMRID – identified as ‘EarthWorm’, an open-source SOCKS proxy tunneller available on GitHub. The tool was utilized in the past by multiple China-linked APT groups, including ‘Volt Typhoon’, ‘APT27’ and ‘Gelsemium’.
ESRDE – a tool with similar capabilities to that of ‘VELVETSTING’, but with minor differences, such as using bash instead of ‘csh’.

Researchers provided the following recommendations for organizations to mitigate attacks of groups like Velvet Ant:

Limit outbound internet traffic.
Limit lateral movement throughout the network.
Enhance security hardening of legacy servers.
Mitigate credential harvesting.
Protect public-facing devices.

The report also includes indicators of compromise for the attack analyzed by the researchers.

China-linked spies target Asian Telcos since at least 2021

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A China-linked cyber espionage group has compromised telecom operators in an Asian country since at least 2021.

The Symantec Threat Hunter Team reported that an alleged China-linked APT group has infiltrated several telecom operators in a single, unnamed, Asian country at least since 2021.

The threat actors used tools associated with Chinese espionage groups, they planted multiple backdoors on the networks of targeted companies to steal credentials.

“The attacks have been underway since at least 2021, with evidence to suggest that some of this activity may even date as far back as 2020. Virtually all of the organizations targeted were telecoms operators, with the addition of a services company that serves the telecoms sector and a university in another Asian country.” reads the report published by Broadcom Symantec Threat Hunter Team.

Evidence collected by the experts suggests that the cluster activity may have been active since 2020.

In a recent espionage campaign, the attackers employed custom malware associated with several Chinese APT groups. Some of the malware used by the threat actors are:

Coolclient: A backdoor linked to the Fireant group (also known as Mustang Panda or Earth Preta). It logs keystrokes, manages files, and communicates with a C2 server. This campaign used a version of VLC Media Player (disguised as googleupdate.exe) to sideload a Coolclient loader, which then reads and executes encrypted payloads.
Quickheal: A backdoor associated with the Needleminer group (also known as RedFoxtrot or Nomad Panda). The variant used by the attackers in recent attacks was a 32-bit DLL that communicated with a hardcoded C&C server using a custom protocol mimicking SSL traffic.
Rainyday: A backdoor, linked to the Firefly group (also known as Naikon), was used in a recent espionage campaign.

In addition to utilizing custom backdoors. the cyber espionage group also employed a range of tactics, techniques, and procedures (TTPs) to compromise their targets. They deployed custom keylogging malware, port scanning tools, credential theft through the dumping of registry hives, a publicly available tool known as Responder that acts as a Link-Local Multicast Name Resolution (LLMNR) NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner, and enabling RDP.

“Tools used in this campaign have strong associations with multiple Chinese groups and at least three of the custom backdoors deployed are believed to be used exclusively by Chinese espionage actors.” concludes the report.” “The nature of the link between the actors involved in the current campaign remains unclear. Possibilities include, but are not limited to:

Attacks by multiple actors, acting independently of one another.
A single actor using tools and/or personnel acquired from or shared by other groups.
Multiple actors collaborating in a single campaign.

The ultimate motive of the intrusion campaign remains unclear.”

Russia-linked APT Nobelium targets French diplomatic entities

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

French information security agency ANSSI reported that Russia-linked threat actor Nobelium is behind a series of cyber attacks that targeted French diplomatic entities.

The French information security agency ANSSI reported that Russia-linked APT Nobelium targeted French diplomatic entities. Despite the French agency linked the attacks to the cyberespionage group Nobelium (aka APT29, SVR group, Cozy Bear, Midnight Blizzard, BlueBravo, and The Dukes), ANSSI differentiates these groups into separate threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds attack.

October 2020, used against high-value targets, most likely for espionage purposes. Western diplomatic entities, such as embassies and Ministries of Foreign Affairs, account for the majority of known victims of Nobelium. However, several IT companies have also reported that they have been targeted by Nobelium’s operators in late 2023 and 2024.

The report published by ANSSI is based upon elements collected by the French agency, evidence shared by its national partners (known as C4 members), and publicly available reports. The document warns of phishing campaigns conducted by Nobelium against French public and diplomatic entities aiming at gathering strategic intelligence.

“Nobelium is characterized by the use of specific codes, tactics, technics and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies and consulates.” reads the report published by ANSSI. “These activities are also publicly described as a campaign called “Diplomatic Orbiter”.”

Attackers forge lure documents to target diplomatic staff, attempting to deliver their custom loaders to drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. The tools allows attackers to access the victim’s network, perform lateral movements, drop additional payloads, maintain persistence, and exfiltrate valuable intelligence.

The agency confirmed that several IT companies have also reported being targeted by Nobelium in late 2023 and 2024.

“French public organisations have been targeted several times by phishing emails sent from foreign institutions previously compromised by Nobelium’s operators.” continues the report. “From February to May 2021, Nobelium operators conducted several phishing campaigns3 exploiting compromised email accounts belonging to the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT), sending an attachment called “Strategic Review”.”

In March 2022, a European embassy in South Africa received a phishing email that impersonated a French embassy, announcing the closure after a terrorist attack. The attackers sent the email from a compromised account of a French diplomat. In April and May 2022, Nobelium phishing messages reached dozens of email addresses from the French Ministry of Foreign Affair. Threat actors used themes like the closure of a Ukrainian embassy or a meeting with a Portuguese ambassador.

In May 2023, Nobelium targeted several European embassies in Kyiv, including the French embassy, with a phishing campaign involving an email about a “Diplomatic car for sale.” The ANSSI also reported a failed attempt to compromise the French Embassy in Romania.

“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine. Nobelium’s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests. The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent.” concludes the report that also provides indicators of compromise. “Nobelium’s techniques, tactics, and procedures remain mainly constant over time.”

Russia-linked group APT29 likely breached TeamViewer’s corporate network

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Russia-linked APT group, reportedly APT29, is suspected to be behind a hack of TeamViewer ‘s corporate network.

TeamViewer discovered that a threat actor has breached its corporate network and some reports attribute the intrusion to the Russia-linked APT group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes).

The unauthorized access to the IT infrastructure of the company occurred on June 26, threat actors used the credentials of a standard employee account within its IT environment.

Upon detecting the suspicious activity by this account, the company immediately started the incident response measures.

“A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.” reads the statement published by the company.

“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.”

An update published by TeamViewer states that findings confirmed that the attack on its infrastructure was limited to its internal corporate IT environment and did not affect the product environment, connectivity platform, or any customer data.

The popular Ars Technica reporter Dan Goodin reported that an alert issued by security firm NCC Group reports a “significant compromise of the TeamViewer remote access and support platform by an APT group.”

In May 2019, the German newspaper Der Spiegel revealed that the German software company behind TeamViewer was compromised in 2016 by Chinese hackers.

According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the Company.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers, the nation-state actor has been active since at least 2007.

The gang is financially-motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, the majority of the victims are located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted by the hackers in autumn 2016, when its experts detected suspicious activities were quickly blocked them to prevent major damages.

TeamViewer spokesperson revealed that the company investigated the attempts of intrusion, but did not find any evidence of exposure for customer data and sensitive data.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

At the time the company published a statement to exclude it was breached by hackers:

“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.

Only in 2019, the company admitted it was breached in 2016.

China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.

Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.

The flaw resides in the CLI of Cisco NX-OS Software, an authenticated, local attacker can exploit the flaw to execute arbitrary commands as root on the underlying operating system of an affected device.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device.

In April 2024, researchers reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was actively exploited in the wild.

Cybersecurity firm Sygnia observed the attacks on April 2024 and reported them to Cisco.

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.“

The vulnerability impacts the following devices:

MDS 9000 Series Multilayer Switches (CSCwj97007)
Nexus 3000 Series Switches (CSCwj97009)
Nexus 5500 Platform Switches (CSCwj97011)
Nexus 5600 Platform Switches (CSCwj97011)
Nexus 6000 Series Switches (CSCwj97011)
Nexus 7000 Series Switches (CSCwj94682) *
Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin.

Cisco provides the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.

In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to the same China-linked threat actor ‘Velvet Ant.’

The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.

Multiple cybersecurity agencies warn of China-linked APT40 ‘s capabilities

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Multiple cybersecurity agencies released a joint advisory warning about a China-linked group APT40 ‘s capability to rapidly exploit disclosed security flaws.

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. released a joint advisory warning about the China-linked group APT40 (aka TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Red Ladon, TA423, and Leviathan) and its capability to rapidly exploit disclosed flaws

The China-linked group was able to exploit vulnerabilities within hours or days of the public disclosure.

APT40 has previously targeted organizations in countries like Australia and the United States. The group is able to rapidly adapt vulnerability proofs of concept (POCs) for their operations. They identify new exploits in widely used public software, such as Log4J, Atlassian Confluence, and Microsoft Exchange, to target the associated infrastructure.

“APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations.” reads the advisory. “APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.“

In July 2021, the U.S. Justice Department (DoJ) indicted four members of the cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking tens of government organizations, private businesses and universities around the world between 2011 and 2018.

The APT40 group has been active since at least 2013, it is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

The group appears to be focused on supporting the naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry. The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

Three of the defendants are said to be officers in a provincial arm of the MSS and one was an employee of a front company that was used to obfuscate the government’s role in the hacking campaigns.

“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.” continues the joint advisory. “APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.”

APT40 use to exploit vulnerable public-facing infrastructure over other hacking techniques like phishing. They prioritize obtaining valid credentials for subsequent activities. The group often relies on web shells to maintain persistence early in an intrusion. Persistence is established early in an intrusion, making it likely to be observed in all cases, regardless of the level of compromise or further actions taken.

In the past, the APT40 was observed using compromised Australian websites as C2 servers, however he recently evolved this technique.

“APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.” continues the report.

Many of the compromised SOHO devices are end-of-life or unpatched that can be easily hacked using N-day exploits. Compromised SOHO (Small Office/Home Office) devices provide attackers with a platform to launch attacks by mimicking legitimate traffic.

The report provides details about Tactics, Techniques, and Procesured associated by the the group and detection and mitigation recommendations.

Void Banshee exploits CVE-2024-38112 zero-day to spread malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Void Banshee APT group exploited the Windows zero-day CVE-2024-38112 to execute code via the disabled Internet Explorer.

An APT group tracked as Void Banshee was spotted exploiting the Windows zero-day CVE-2024-38112 (CVSS score of 7.5) to execute code through the disabled Internet Explorer.

The vulnerability is a Windows MSHTML Platform Spoofing Vulnerability. Successful exploitation of this vulnerability requires an attacker to take additional actions before exploitation to prepare the target environment. An attacker can trigger the issue by sending the victim a malicious file that the victim would have to execute.

Trend Micro researchers discovered that the flaw was actively exploited in the wild in May and reported it to Microsoft which addressed the zero-day with the July 2024 Patch Tuesday security updates.

Void Banshee was observed exploiting the CVE-2024-38112 flaw to drop the Atlantida info-stealer on the victims’ machines. The malware allows operators to gather system information and steal sensitive data, such as passwords and cookies, from multiple applications.

In the group’s attack chain, Void Banshee attempts to trick victims into opening zip archives containing malicious files disguised as book PDFs. The archives are disseminated in cloud-sharing websites, Discord servers, and online libraries, and other means. The APT group focuses on North America, Europe, and Southeast Asia.

“This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.” states Trend Micro.

Void Banshee exploited the disabled Internet Explorer process to run HTML Application (HTA) files using specially crafted .URL files with the MHTML protocol handler and the x-usc! directive. This technique resembles the exploitation of CVE-2021-40444, another MSHTML flaw that was exploited in zero-day attacks. The experts warn that this attack method is very concerning because Internet Explorer no longer receives updates or security fixes.

“In this attack, CVE-2024-38112 was used as a zero-day to redirect a victim by opening and using the system-disabled IE to a compromised website which hosted a malicious HTML Application (HTA)” states the report. “In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process.”

Attackers used the internet shortcut file to direct the victims to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain. The researchers noticed that Void Banshee uses this HTML file to control the window view size of Internet Explorer, hiding browser information and hiding the download of the next infection stage from the victim.

By default, IE prompts users to open or save the HTML application, but the APT group disguised the HTA file as a PDF by adding spaces to the file extension. Upon running the HTA file, a series of scripts is executed, along with the LoadToBadXml .NET trojan loader, the Donut shellcode, and the Atlantida stealer.

“In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware.” Trend Micro concludes. “The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users.”

China-linked APT group uses new Macma macOS backdoor version

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) Evasive Panda has been spotted using an updated version of the macOS backdoor Macma.

The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor.

“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of older variants.” reads the report. “The new tooling was deployed in a number of recent attacks against organizations in Taiwan and a U.S. NGO based in China, which indicates the group also engages in internal espionage. In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.“

The APT group was spotted using the malware families in attacks against Taiwanese organizations and a U.S. NGO in China. The attackers exploited an Apache HTTP server vulnerability to deliver their MgBot malware.

Daggerfly has been active for at least a decade, the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, using new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group. However, Symantec has found evidence to suggest that it is part of the Daggerfly toolkit. Two variants of the Macma backdoor C2 server (103.243.212[.]98) that was also used by an MgBot dropper.

In addition to this shared infrastructure, Macma and other malware in the Daggerfly’s arsenal, including Mgbot all contain code from a single, shared library or framework. Elements of this library have been used to build Windows, macOS, Linux, and Android threats. The functionality provided by this library includes:

Threading and synchronization primitives
Event notifications and timers
Data marshaling
Platform-independent abstractions (e.g. time)

The new variants used by Daggerfly implement the following additions/improvements:

New logic to collect a file’s system listing, with the new code based on Tree, a publicly available Linux/Unix utility.
Modified code in the AudioRecorderHelper feature
Additional parametrisation
Additional debug logging
Addition of a new file (param2.ini) to set options to adjust screenshot size and aspect ratio

The experts also observed another malware, tracked as Suzafk (aka ‘NetMM’, Nightdoor), in the group toolkit that ESET researchers linked to Evasive Panda in March.

“Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. The malware contained the following configuration, indicating the functionality to connect to OneDrive is in development or present in other variants of the malware.” continues the report.

The backdoor includes the code from the al-khaser project, a public code repository developed to avoid detection by detecting virtual machines, sandboxes, and malware analysis environments.

The malware can also execute commands for network and system monitoring, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’

“The [Daggerfly] group can create versions of its tools targeting most major operating system platforms.” concludes the report. “In addition to the tools documented here, Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption.”

Belarus-linked APT Ghostwriter targeted Ukraine with PicassoLoader malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Belarus-linked APT group GhostWriter targeted Ukrainian organizations with a malware family known as PicassoLoader, used to deliver various malicious payloads.

The Ukrainian Government’s Computer Emergency Response Team (CERT-UA) reported a surge in activity associated with the APT group UAC-0057 (aka GhostWriter) group between July 12 and 18, 2024. Threat actors distributed documents containing macros designed to deploy the PICASSOLOADER malware on victim computers, which then delivered the post-exploitation tool Cobalt Strike Beacon.

The attackers used bait documents related to local government reform (USAID/DAI “HOVERLA” project), taxation, and financial-economic metrics (“oborona.rar,” “66_oborona_PURGED.xls,” “trix.xls,” “equipment_survey_regions_.xls,” “accounts.xls,” “spreadsheet.xls,” “attachment.xls,” “Податок_2024.xls”).

“Based on this, it can be inferred that UAC-0057 might have targeted both project office specialists and their counterparts among the employees of relevant local government bodies in Ukraine.” reads the report published by CERT-UA.

The campaign was likely part of a broader cyber espionage activity against the Ukrainian government.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections, some of the individuals (representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the Belarusian government.

Chinese StormBamboo APT compromised ISP to deliver malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A China-linked APT, tracked as StormBamboo, compromised an internet service provider (ISP) to poison software update mechanisms with malware.

Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.

The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.

In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infection. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including MACMA and POCOSTICK (MGBot). The attacker’s methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group.

“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.” reads the report published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”

Volexity promptly alerted the ISP, which then investigated key traffic-routing devices on their network. After rebooting and taking parts of the network offline, the DNS poisoning stopped. The researchers were not able to identify a specific compromised device, however updating or deactivating various infrastructure components effectively ended the malicious activity.

“The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs an HTTP request to retrieve a text-based file (the format varies) containing the latest application version and a link to the installer.” continues the report. “Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer. The AiTM workflow is shown below.”

StormBamboo targeted various software vendors with insecure update mechanisms, using complex methods to deploy malware. For example, they targeted 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once compromised systems, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.

“The incident described in this blog post confirms the supposition made by ESET concerning the infection vector for the POCOSTICK malware. The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS.” concludes the report. “This method is similar to the attack vector Volexity previously observed being used by DriftingBamboo following the 0-day exploitation of Sophos Firewalls.”

North Korea Kimsuky Launch Phishing Attacks on Universities

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

Cybersecurity analysts have uncovered critical details about the North Korean advanced persistent threat (APT) group Kimsuky, which has been targeting universities as part of its global espionage operations.

Kimsuky, active since at least 2012, primarily targets South Korean think tanks and government entities, though its reach extends to the US, the UK and other European nations. The group specializes in sophisticated phishing campaigns, often posing as academics or journalists to infiltrate networks and steal sensitive information.

Recent Findings and Tactics

According to a new advisory published by Resilience today, its analysts capitalized on Kimsuky’s operational security mistakes, which led to the collection of source code, login credentials and other crucial data.

The data revealed that Kimsuky has been phishing university staff, researchers and professors, aiming to access and exfiltrate valuable research and intelligence. Once inside university networks, the group was observed stealing information critical for North Korea, particularly given the country’s limited scientific community.

The group’s actions align with the objectives of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence agency.

Historically, Kimsuky has been linked to attempts to steal sensitive data, including nuclear research, healthcare innovations and pharmaceutical secrets. There is also evidence suggesting that Kimsuky engages in financially motivated cybercrime, potentially as a means to fund its espionage activities.

Resilience’s new findings shed light on Kimsuky’s methods, particularly its use of phishing pages that mimic legitimate university login portals. By altering the code of these pages, Kimsuky can capture the credentials of unsuspecting victims. Notably, the group has targeted institutions such as Dongduk University, Korea University and Yonsei University.

The operation also highlighted Kimsuky’s use of a custom tool called “SendMail,” which was deployed to send phishing emails using compromised email accounts. These emails were carefully crafted to deceive recipients into providing their login information, furthering Kimsuky’s espionage efforts.

According to Resilience, the breadth and depth of Kimsuky’s tactics underscore the persistent and evolving threat posed by state-backed cyber groups.

Recommendations for Organizations

To tackle this threat, the security firm recommended leveraging phish-resistant multifactor authentication (MFA), such as FIDO-compliant hardware tokens or push-based mobile applications.

Additionally, users should always double-check that the URL they are logging into matches the page they expect to be on, as some password managers can assist with this automatically.

Finally, organizations are encouraged to review and test Breach and Attack Simulation packages that simulate Kimsuky activity to better prepare for potential attacks.

New CMoon USB worm targets Russians in data theft attacks

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

A new self-spreading worm named ‘CMoon,’ capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website.

According to Kaspersky researchers who discovered the campaign, CMoon can perform a broad range of functions, including loading additional payloads, snapping screenshots, and launching distributed denial of service (DDoS) attacks.

Judging from the distribution channel the threat actors used, their targeting scope is focused on high-value targets rather than random internet users, which indicates a sophisticated operation.

Distribution mechanism

Kaspersky says the infection chain begins when users click on links to regulatory documents (docx, .xlsx, .rtf, and .pdf) found on various pages of a company’s website that provides gasification and gas supply services to a Russian city.

The threat actors replaced the document links with links to malicious executables, which were also hosted on the site and delivered to the victims as self-extracting archives containing the original document and the CMoon payload, named after the original link.

“We have not seen other vectors of distribution of this malware, so we believe that the attack is aimed only at visitors to the particular site,” reports Kaspersky.

After the gas firm was notified of this compromise, the malicious files and links were removed from its website on July 25, 2024.

However, due to CMoon’s self-propagation mechanisms, its distribution may continue autonomously.

CMoon is a .NET worm that copies itself to a newly created folder named after the antivirus software it detected on the compromised device or one resembling a system folder if no AVs are detected.

The worm creates a shortcut on the Windows Startup directory to ensure it runs on system startup, securing persistence between reboots.

To avoid raising suspicions during manual user checks, it alters its files’ creation and modification dates to May 22, 2013.

The worm monitors for newly connected USB drives, and when any are hooked up on the infected machine, it replaces all files except for ‘LNKs’ and ‘EXEs’ with shortcuts to its executable.

CMoon also looks for interesting files stored on the USB drives and temporarily stores them in hidden directories (‘.intelligence’ and ‘.usb’) before these are exfiltrated to the attacker’s server.

CMoon features standard info-stealer functionality, targeting cryptocurrency wallets, data stored in web browsers, messenger apps, FTP and SSH clients, and document files in the USB or user folders that contain the text strings ‘secret,’ ‘service,’ or ‘password.’

An interesting and somewhat unusual feature is the targeting of files that might contain account credentials such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.

Targeted data — **Targeted directories and data**
*Source: Kaspersky*

The malware can also download and execute additional payloads, capture screenshots of the breached device, and initiate DDoS attacks on specified targets.

Stolen files and system information are packaged and sent to an external server, where they are decrypted (RC4) and verified for their integrity using an MD5 hash.

**Generating the data package for exfiltration**
*Source: Kaspersky*

Kaspersky leaves open the possibility of more sites outside its current visibility distributing CMoon, so vigilance is advised.

No matter how targeted this campaign may be, the fact that the worm spreads autonomously means it could reach unintended systems and create the conditions for opportunistic attacks.

FBI: BlackSuit ransomware made over $500 million in ransom demands

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago.

This new information was shared as an update to a joint advisory published in March 2023, which says the BlackSuit gang has been active since September 2022.

However, this private group is believed to be a direct successor of the notorious Conti cybercrime syndicate and started as Quantum ransomware in January 2022.

While they initially used other gangs’ encryptors (like ALPHV/BlackCat), likely to avoid drawing unwanted attention, they deployed their own Zeon encryptor soon after and rebranded to Royal in September 2022.

After attacking the City of Dallas, Texas, in June 2023, the Royal ransomware operation began testing a new encryptor called BlackSuit amid rebranding rumors. Since then, they have been operating under the BlackSuit name, and Royal Ransomware attacks have stopped altogether.

“BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities,” the FBI and CISA confirmed in a Wednesday update to their original advisory.

“Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million.”

In March 2023 and a subsequent November 2023 advisory update, the two agencies shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders block the gang’s attempts to deploy ransomware on their networks.

CISA and the FBI also linked the BlackSuit gang to attacks against over 350 organizations since September 2022 and at least $275 million in ransom demands.

The joint advisory was first issued after the Department of Health and Human Services (HHS) security team revealed in December 2022 that the ransomware operation was behind multiple attacks targeting healthcare organizations across the United States.

Most recently, multiple sources told BleepingComputer that the BlackSuit ransomware gang was behind a massive CDK Global IT outage that disrupted operations at over 15,000 car dealerships across North America.

This widespread outage after last month’s attack forced CDK to shut down its IT systems and data centers to contain the incident and car dealerships to switch to pen and paper, making it impossible for buyers to purchase cars or receive service for already-bought vehicles.

McLaren hospitals disruption linked to INC ransomware attack

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

On Tuesday, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.

McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.

“While McLaren Health Care continues to investigate a disruption to our information technology system, we want to ensure our teams are as prepared as possible to care for patients when they arrive,” a statement on the health system’s website reads.

“Patients with scheduled appointments should plan to attend those appointments unless they are contacted by a member of our care team.

McLaren hinted the hospitals had lost access to patient information databases when advising patients to bring detailed information about their current medications to appointments, including physician orders and printed results of recent lab tests. The health system also said it may have to reschedule some appointments and non-emergent or elective procedures “out of an abundance of caution.”

“We understand this situation may be frustrating to our patients – and to our team members – and we deeply and sincerely apologize for any inconvenience this may cause,” McLaren added. “We kindly ask for your patience while our caregivers and support teams work as diligently as ever to provide our communities the care they need and deserve.”

Even though McLaren has yet to disclose the nature of the incident, employees at McLaren Bay Region Hospital in Bay City have shared a ransom note warning that the hospital’s systems have been encrypted and stolen data will be published on INC RANSOM ransomware gang’s leak site if a ransom is not paid.

*Alleged McLaren ransom note (Thomas Barz)*

INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023 and has since targeted organizations in both the public and private sectors.

The list of victims includes education, healthcare, government, and industrial entities like Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and Scotland’s National Health Service (NHS).

In May, a threat actor known as “salfetka” claimed to be selling source code of INC Ransom’s Windows and Linux/ESXi encrypter versions for $300,000 on the Exploit and XSS hacking forums.

Two months later, in July, malware analysts stated that the source code might have been purchased by a newly emerged ransomware group called Lynx ransomware. However, this could also be a rebranding effort, potentially allowing INC RANSOM to continue operations with less scrutiny from law enforcement.

BleepingComputer did an analysis of strings between the new Lynx ransomware encryptors and recent INC encryptors, and other than small changes, can confirm they are mostly the same.

INC vs Lynx ransomware string comparison — *INC vs. Lynx ransomware string comparison (BleepingComputer)*

In November 2023, McLaren notified almost 2.2 million people of a data breach that exposed their personal and health information between late July and August 2023.

Compromised data included names, Social Security numbers, health insurance and physician information, as well as Medicare/Medicaid, prescription/medication, and diagnostic results and treatment information.

The ALPHV/BlackCat ransomware group claimed the July 2023 attack behind the data breach on October 4.

Are Mobile Devices Less Secure than PCs?

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Are smartphones less secure than PCs? The answer to that is, they’re different. They face different security threats. Yet they certainly share one thing in common — they both need protection.

So, what makes a smartphone unique when it comes to security? And how do you go about protecting it? We’ll cover both here.

Apps, spam texts, and other smartphone vulnerabilities

Several facts of life about smartphones set them apart when it comes to keeping your devices safer. A quick rundown looks like this:

First off, people keep lots of apps on their phones. Old ones, new ones, ones they practically forgot they had. The security issue that comes into play there is that any app on a phone is subject to vulnerabilities.

A vulnerability in just one of the dozens of apps on a phone can lead to problems. The adage of “the weakest link” applies here. The phone is only as secure as its least secure app. And that goes for the phone’s operating system as well.

Additionally, app permissions can also introduce risks. Apps often request access to different parts of your phone to work — such as when a messenger app asks for access to contacts and photos. In the case of malicious apps, they’ll ask for far more permissions than they need. A classic example involves the old “flashlight apps” that invasively asked for a wide swath of permissions. That gave the hackers all kinds of info on users, including things like location info. Today, the practice of malicious, permission-thirsty apps continues with wallpaper apps, utility apps, games, and more.

As for other malicious apps, sometimes people download them without knowing. This often happens when shopping in third-party app stores, yet it can happen in legit app stores as well — despite rigorous review processes from Apple and Google. Sometimes, hackers sneak them through the review process for approval. These apps might include spyware, ransomware, and other forms of malware.

Many people put their smartphones to personal and professional use.[i] That might mean the phone has access to corporate apps, networks, and data. If the phone gets compromised, those corporate assets might get compromised too. And it can work in the other direction. A corporate compromise might affect an employee’s smartphone.

More and more, our phones are our wallets. Digital wallets and payment apps have certainly gained popularity. They speed up checkout and make splitting meals with friends easy. That makes the prospect of a lost or stolen phone all the more serious. An unsecured phone in the hands of another is like forking over your wallet.

Lastly, spam texts. Unique to phones are the sketchy links that crop up in texting and messaging apps. These often lead to scam sites and other sites that spread malware.

With a good sense of what makes securing your smartphone unique, let’s look at several steps you can take to protect it.

How to protect your smartphone

Update your phone’s apps and operating system

Keeping your phone’s apps and operating system up to date can greatly improve your security. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks. it’s another tried and true method of keeping yourself safer — and for keeping your phone running great too.

Lock your phone

With all that you keep and conduct on your phone, a lock is a must. Whether you have a PIN, passcode, or facial recognition available, put it into play. The same goes for things like your payment, banking, and financial apps. Ensure you have them locked too.

Avoid third-party app stores

As mentioned above, app stores have measures in place to review and vet apps that help ensure they’re safe and secure. Third-party sites might very well not, and they might intentionally host malicious apps as part of a front. Further, legitimate app stores are quick to remove malicious apps from their stores once discovered, making shopping there safer still.

Review apps carefully

Check out the developer — have they published several other apps with many downloads and good reviews? A legit app typically has many reviews. In contrast, malicious apps might have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.

Go with a strong recommendation.

Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.

Keep an eye on app permissions

Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos — and they’ll use malicious apps to do it. If an app asks for way more than you bargained for, like a simple puzzle game that asks for access to your camera or microphone, it might be a scam. Delete the app.

Learn how to remotely lock or erase your smartphone

So what happens if your phone ends up getting lost or stolen? A combination of device tracking, device locking, and remote erasing can help protect your phone and the data on it. Different device manufacturers have different ways of going about it, but the result is the same — you can prevent others from using your phone. You can even erase it if you’re truly worried that it’s gone for good. Apple provides iOS users with a step-by-step guide, and Google offers a guide for Android users as well.

Protect your phone and block sketchy links

Comprehensive online protection software can secure your phone in the same ways that it secures your laptops and computers. Installing it can protect your privacy, and keep you safe from attacks on public Wi-Fi, just to name a few things it can do. Ours also includes Text Scam Detector that blocks sketchy links in texts, messages, and email before they do you any harm. And if you tap that link by mistake, Text Scam Detector still blocks it.

DigiCert Revoking 83,000 Certificates of 6,800 Customers

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

DigiCert has started revoking thousands of certificates impacted by a recently discovered verification issue, but some customers in critical infrastructure and other sectors are asking for more time.

The certificate authority (CA) informed customers on July 29 of an incident related to domain validation, saying that it needs to revoke some certificates within 24 hours due to strict CA/Browser Forum (CABF) rules.

The company initially said roughly 0.4% of applicable domain validations were impacted. A DigiCert representative clarified in discussions with stakeholders that 83,267 certificates and 6,807 subscribers are affected.

DigiCert said some of the impacted customers were able to quickly reissue their certificates, but others would not be able to do so within the 24-hour time frame.

“Unfortunately, many other customers operating critical infrastructure, vital telecommunications networks, cloud services, and healthcare industries are not in a position to be revoked without critical service interruptions. While we have deployed automation with several willing customers, the reality is that many large organizations cannot reissue and deploy new certificates everywhere in time,” said Jeremy Rowley, CISO at DigiCert.

DigiCert said in an updated notification that it has been working with browser representatives and customers in an effort to delay revocations under exceptional circumstances in order to avoid disruption to critical services.

However, the company highlighted that “all certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd 2024, 19:30 UTC.”

Rowley noted that some customers have initiated legal action against DigiCert in an attempt to block the revocation of certificates.

The certificates are being revoked due to an issue related to the process used by DigiCert to validate that a customer requesting a TLS certificate for a domain is actually the owner or administrator of that domain.

One option is for customers to add a DNS CNAME record with a random value provided by DigiCert to their domain. The random value provided by DigiCert is prefixed by an underscore character to prevent collisions between the value and the domain name. However, the underscore prefix was not added in some cases since 2019.

In order to comply with CABF rules, DigiCert has to revoke certificates with an issue in their domain validation within 24, without exception.

Andrew Ayer, founder of SSLMate and an expert in digital certificates, believes that DigiCert’s public notification about this incident “gets the security impact of the noncompliance completely wrong”.

“[…] this is truly a security-critical incident, as there is a real risk […] that this flaw could have been exploited to get unauthorized certificates. Revocation of the improperly validated certificates is security-critical,” Ayer said.

CrowdStrike sued by investors over massive global IT outage

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Cybersecurity company CrowdStrike has been sued by investors who say it provided false claims about its Falcon platform after a bad security update led to a massive global IT outage causing the stock price to tumble almost 38%.

The plaintiffs claim that the massive IT outage that occurred on July 19, 2024, proves CrowdStrike’s claims that their cybersecurity platform is thoroughly tested and validated are false.

As a result of this incident and its aftermath, CrowdStrike’s stock price has tumbled almost 38% from $343 on July 18 to $214, causing significant financial losses to investors.

The class action lawsuit submitted by the Plymouth County Retirement Association in the U.S. District Court of Austin, Texas, seeks compensatory damages for these losses.

A bad update causes a global IT outage

On July 19, Crowdstrike pushed out a faulty Falcon sensor update to Windows devices running the security software. The update slipped past Crowdstrike’s internal tests due to a bug in its content validator and inadequate testing procedures.

The update was received by 8,500,000 Windows devices, if not more, causing an out-of-bounds memory read when processed by Falcon, leading to the operating system crashing with Blue Screen of Death (BSOD).

CrowdStrike is widely used in enterprises, including airports, hospitals, government organizations, the media, and financial firms, causing catastrophic, costly, and even dangerous IT outages.

As restoring systems required staff to remove the faulty update manually, it took days for some companies to resume normal operations, leading to extended outages and delays.

While most have returned to normal operations, the fallout from the incident continues to unfold on multiple levels, including elevated cybercrime activity, loss of trust, and litigation threats.

According to the plaintiffs, the faulty Falcon update proved that contrary to CrowdStrike’s assurances around the diligence in its procedures and the efficacy and reliability of the Falcon platform, updates were inadequately tested and controlled, and the risk of outages is high.

The class action alleges that stockholders were defrauded by CrowdStrike’s knowingly false statements about the quality of its products and procedures.

“Because of their positions and access to material, nonpublic information, the Individual Defendants knew or recklessly disregarded that the adverse facts specified herein had not been disclosed to and were being concealed from the investing public and that the positive representations that were being made were false and misleading.” – Class action document.

To reflect the extent of the losses, the lawsuit mentions that the CrowdStrike stock price fell by 11% on the day of the incident, then another 13.5% on July 22, when Congress called CEO George Kurtz for a testimony, and another 10% on July 29 following news that Delta Airlines, one of the impacted entities, hire an attorney to seek damages.

The plaintiff alleges violations of Sections 10(b) and 20(a) of the Exchange Act and seeks compensation.

Financial impact

The IT outage caused by the CrowdStrike Falcon update has caused massive financial losses to impacted organizations, with many of them exploring litigation pathways to get some of it back.

Delta Airlines CEO Ed Bastian previously stated that the outage forced the cancellation of 2,200 flights for the company, resulting in losses estimated at $500,000,000.

The firm has already hired a law firm that will seek compensation from CrowdStrike and Microsoft, which is now in the crosshairs despite not being responsible for the incident.

Market analysts estimate that the outage has caused big enterprises $5.4 billion in losses.

A report by Guy Carpenter projects the estimated insured losses resulting from the bad Falcon update to be between $300 million and $1 billion, while CyberCube have raised the figure to $1.5 billion.

Fake AI editor ads on Facebook push password-stealing malware

Posted on August 4, 2024 by Maq Verma

A Facebook malvertising campaign targets users searching for AI image editing tools and steals their credentials by tricking them into installing fake apps that mimic legitimate software.

The attackers exploit the popularity of AI-driven image-generation tools by creating malicious websites that closely resemble legitimate services and trick potential victims into infecting themselves with information stealer malware, as Trend Micro researchers who analyzed the campaign found.

The attacks start with phishing messages sent to Facebook page owners or administrators, which will send them to fake account protection pages designed to trick them into providing their login information.

After stealing their credentials, the threat actors hijack their accounts, take control of their pages, publish malicious social media posts, and promote them via paid advertising.

“We discovered a malvertising campaign involving a threat actor that steals social media pages (typically related to photography), changing their names to make them seem connected to popular AI photo editors,” said Trend Micro threat researcher Jaromir Horejsi.

“The threat actor then creates malicious posts with links to fake websites made to resemble the actual website of the legitimate photo editor. To increase traffic, the perpetrator then boosts the malicious posts via paid ads.”

*Fake AI photo editor website (Trend Micro)*

Facebook users who click the URL promoted in the malicious ad are sent to a fake web page impersonating legitimate AI photo editing and generating software, where they are prompted to download and install a software package.

However, instead of AI image editing software, the victims install the legitimate ITarian remote desktop tool configured to launch a downloader that automatically deploys the Lumma Stealer malware.

The malware then quietly infiltrates their system, allowing the attackers to collect and exfiltrate sensitive information like credentials, cryptocurrency wallet files, browser data, and password manager databases.

This data is later sold to other cybercriminals or used by the attackers to compromise the victims’ online accounts, steal their money, and promote further scams.

“Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access,” Horejsi advised.

“Organizations should educate their employees on the dangers of phishing attacks and how to recognize suspicious messages and links. Users should always verify the legitimacy of links, especially those asking for personal information or login credentials.”

In April, a similar Facebook malvertising campaign promoted a malicious page impersonating Midjourney to target almost 1.2 million users with the Rilide Stealer Chrome browser extension.