Thursday, June 8th, 2023
Cybersecurity Week in Review (09/06/2023)
New Powerdrop Malware Targeting US Aerospace Industry
An unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop.
PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption and was found implanted in an unnamed domestic aerospace defense contractor in May 2023.
The name is derived from the tool, Windows PowerShell, used to concoct the script, and ‘Drop’ from the DROP (DRP) string used in the code for padding. PowerDrop is also a post-exploitation tool, meaning it’s designed to gather information from victim networks after obtaining initial access through other means.
The malware employs Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communications with a command-and-control (C2) server. The server, for its part, responds back with an encrypted command that’s decoded and run on the compromised host. A similar ICMP ping message is used for exfiltrating the results of the instruction.
What’s more, the PowerShell command is executed by means of the Windows Management Instrumentation (WMI) service, indicating the adversary’s attempts to leverage living-off-the-land tactics to sidestep detection.
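An added detection example (not code from the original article or from the PowerDrop report): it scores constructed ICMP flow records on the signals the paragraphs above describe, echo requests recurring at a regular interval and echo payloads that are not what a ping utility sends, plus one that follows from the protocol itself, an echo reply that does not mirror its request payload. The record layout, thresholds and sample traffic are assumptions made for illustration.

```python
"""Flag ICMP echo traffic that behaves like a beacon rather than a ping."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Default payload sent by the Windows ping utility (32 bytes of alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass(frozen=True)
class IcmpRecord:
    """One ICMP packet as a flow sensor might log it (assumed layout)."""
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int
    ident: int       # echo identifier
    seq: int         # echo sequence number
    payload: bytes


def looks_like_default_payload(payload: bytes) -> bool:
    """True for the payloads the Windows and iputils ping tools send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils: 16-byte timestamp, then bytes 0x10..0x37 for a 56-byte payload
    return len(payload) == 56 and payload[16:] == bytes(range(0x10, 0x38))


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between requests; None if too few."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(records, max_cv=0.15):
    """Return {(src, dst): [reasons]} for echo flows showing 2+ C2-like signals."""
    requests = defaultdict(list)
    replies = {}
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            requests[(r.src, r.dst)].append(r)
        elif r.icmp_type == ECHO_REPLY:
            # key replies by the requesting host's view: (host, peer, id, seq)
            replies[(r.dst, r.src, r.ident, r.seq)] = r
    findings = {}
    for key, reqs in requests.items():
        reqs.sort(key=lambda r: r.ts)
        reasons = []
        cv = interval_regularity([r.ts for r in reqs])
        if cv is not None and cv <= max_cv:
            reasons.append(f"{len(reqs)} echo requests at a regular interval")
        if not any(looks_like_default_payload(r.payload) for r in reqs):
            reasons.append("echo payload is not a standard ping payload")
        for r in reqs:
            rep = replies.get((r.src, r.dst, r.ident, r.seq))
            if rep is not None and rep.payload != r.payload:
                reasons.append("echo reply does not mirror the request payload")
                break
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings


def sample_records():
    """Constructed capture: one beacon-like flow and one ordinary ping."""
    recs = []
    for i in range(6):
        t = 1000.0 + i * 60.0           # one request a minute
        req = bytes([0x80 + i] * 32)    # opaque, constructed payload
        recs.append(IcmpRecord(t, "10.0.0.5", "203.0.113.10", ECHO_REQUEST, 1, i, req))
        recs.append(IcmpRecord(t + 0.1, "203.0.113.10", "10.0.0.5", ECHO_REPLY, 1, i, b"\x1f" * 48))
    for i, t in enumerate([2000.0, 2001.1, 2001.9, 2003.4]):  # jittery, human-driven ping
        recs.append(IcmpRecord(t, "10.0.0.7", "10.0.0.1", ECHO_REQUEST, 2, i, WINDOWS_PING_PAYLOAD))
        recs.append(IcmpRecord(t + 0.01, "10.0.0.1", "10.0.0.7", ECHO_REPLY, 2, i, WINDOWS_PING_PAYLOAD))
    return recs


if __name__ == "__main__":
    for flow, reasons in find_beacons(sample_records()).items():
        print(f"{flow[0]} -> {flow[1]}: " + "; ".join(reasons))
```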
Source – https://thehackernews.com/2023/06/new-powerdrop-malware-targeting-us.html
Russia’s Cyber Gangs are Attacking the Soft Underbelly of the UK Economy
Clop, a Russian cybercrime organization, recently executed a significant hack that exposed the personal information of tens of thousands of employees at major UK companies, including the BBC, British Airways, and Boots.
The frequency, severity, and sophistication of cyber attacks against UK organizations have been increasing, as cybercriminals constantly refine their techniques to outsmart existing security systems. No organization is exempt from these threats, as cyber gangs prove their ability to acquire any desired information.
British Airways, with its 34,000 UK employees, informed its staff that hackers might have obtained their bank account details, national insurance numbers, addresses, and dates of birth – essentially compromising their entire personal profiles.
This vulnerability in the British economy is exacerbated by the fact that companies entrusted with individuals’ data cannot guarantee its security. Every aspect of our personal lives now exists in numerous databases, controlled by major corporations, and we often entrust sensitive information to various entities without fully considering the potential consequences.
Part of the challenge lies in the increasing sophistication of hackers, blurring the lines between criminal enterprises and state-sponsored activities. Clop is just one example of Russian hacker groups targeting the West, often with tacit approval from the Kremlin. This merging of actual conflicts and economic warfare places companies in a perilous international arena due to Western sanctions against Russia.
Companies must take more proactive measures to prevent such cyber attacks, investing significantly in reinforcing their cybersecurity defenses. Failure to do so can lead to significant financial losses and prolonged recovery periods, as seen in recent high-profile breaches.
The issue of corporate cybersecurity requires urgent attention and should be a concern for the boardroom, rather than just an afterthought mentioned in annual reports. Mere lip service is no longer sufficient to safeguard businesses from today’s cyber terrorists.
Source – https://news.yahoo.com/russia-cyber-gangs-attacking-soft-050000515.html?
Active Exploitation of MOVEit Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security vulnerability in the Progress MOVEit Transfer managed file transfer (MFT) solution that is actively being exploited. The flaw, known as CVE-2023-34362, is an SQL injection vulnerability that allows remote attackers to access the MOVEit Transfer database and execute malicious code. CISA has instructed U.S. federal agencies to patch their systems by June 23, following a binding operational directive issued in November 2022.
While the directive primarily applies to federal agencies, it is recommended that private companies also prioritize securing their systems against this vulnerability. Progress, the company behind MOVEit Transfer, advises all its customers to install patches to prevent exploitation attempts and potential data breaches. In cases where immediate updates are not possible, disabling all HTTP and HTTPS traffic to MOVEit Transfer environments can reduce the attack surface.
The flaw, CVE-2023-34362, has since been fixed in patched versions, namely 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). While MOVEit Cloud was affected, a fix has already been implemented, requiring no action from users.
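An added example (not Progress's own tooling) that turns the patched-release list above into a check an administrator can run over an inventory of MOVEit Transfer versions. FIXED_VERSIONS is the list quoted in the text in both notations the vendor uses; the hostnames and versions in the inventory are constructed, and a release line absent from the list is treated as having no fix, since the only remediation the text gives for such systems is moving to a fixed line.

```python
"""Check MOVEit Transfer versions against the fixed releases for CVE-2023-34362."""
from typing import NamedTuple, Optional

# First fixed release on each line, keyed by release line (both notations).
FIXED_VERSIONS = {
    "2021.0": "2021.0.6", "13.0": "13.0.6",
    "2021.1": "2021.1.4", "13.1": "13.1.4",
    "2022.0": "2022.0.4", "14.0": "14.0.4",
    "2022.1": "2022.1.5", "14.1": "14.1.5",
    "2023.0": "2023.0.1", "15.0": "15.0.1",
}


class Verdict(NamedTuple):
    version: str
    line: str                # release line such as "2022.1" or "14.1"
    fixed_in: Optional[str]  # first fixed release on that line, if any
    patched: bool
    reason: str


def parse_version(text: str) -> tuple:
    """'2022.1.3' -> (2022, 1, 3); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Verdict:
    """Decide whether one installed version carries the fix."""
    v = parse_version(version)
    line = f"{v[0]}.{v[1]}"
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Assumption: a line with no fixed release listed cannot be patched
        # in place, so it is reported as unpatched.
        return Verdict(version, line, None, False,
                       "no fixed release listed for this line; upgrade to a fixed line")
    if v >= parse_version(fixed):
        return Verdict(version, line, fixed, True, f"at or above {fixed}")
    return Verdict(version, line, fixed, False, f"below {fixed}; apply the patch")


def find_unpatched(inventory: dict) -> dict:
    """Map host -> Verdict for every host whose version is not fixed.

    Versions that cannot be parsed are reported rather than silently skipped.
    """
    results = {}
    for host, version in inventory.items():
        try:
            verdict = assess(version)
        except ValueError as exc:
            verdict = Verdict(version, "?", None, False, str(exc))
        if not verdict.patched:
            results[host] = verdict
    return results


# Constructed inventory for illustration (hostnames and versions invented).
SAMPLE_INVENTORY = {
    "mft-prod-01": "2022.1.3",   # 2022.1 line, below 2022.1.5
    "mft-prod-02": "15.0.1",     # 15.0 line, fixed
    "mft-dr-01":   "2021.0.7",   # above the fixed 2021.0.6
    "mft-legacy":  "2020.1.6",   # line not in the fixed list
    "mft-unknown": "n/a",        # unparseable, must be investigated
}

if __name__ == "__main__":
    for host, verdict in find_unpatched(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict.version} ({verdict.line}) -> {verdict.reason}")
```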
It has been reported that over 2,500 MOVEit Transfer servers are currently accessible on the internet, with the majority located in the United States. Threat actors have been actively exploiting the CVE-2023-34362 vulnerability since at least May 27 with widespread data theft occurring as a result of this exploitation. The motivation of the attackers is currently unknown, but organisations should prepare for potential extortion and publication of stolen data.
A newly identified web shell called LemurLoot has also been discovered, which assists attackers in harvesting Azure Blob Storage account information. This includes credentials that can be used to extract data from victims’ Azure Blob Storage containers. There are indications of a possible connection between the attacks on MOVEit Transfer servers and the financially-motivated threat group FIN11. FIN11 is known for attempting data theft extortion through the Clop ransomware gang’s leak site, often exploiting zero-day vulnerabilities in file transfer systems.
The attackers’ identity is currently unknown, and they have not yet started extorting their victims. However, their methods bear similarities to previous incidents involving the exploitation of other managed file transfer platforms, such as Accellion FTA and GoAnywhere MFT, both of which were targeted by the Clop ransomware gang for data theft and extortion.
Victims of the exploitation have been identified in the US, Canada and India, with data theft occurring within minutes of the webshell deployment in some cases. International Airlines Group (IAG), a group containing Aer Lingus and British Airways, was targeted as well as Boots and the BBC. Employee data was accessed through a third-party service provider. Zellis, a prominent payroll company, reported that a “global issue” affected eight of its customers, potentially leading to the exposure of personal information such as names and addresses to unauthorised individuals. Aer Lingus and British Airways have notified both the affected personnel as well as the relevant authorities but have confirmed that no financial or bank details were compromised.
This is yet another case highlighting the importance for organisations to prioritise strong third-party security measures to protect themselves from potential threats. In today’s interconnected digital world, businesses rely on third-party vendors and partners to provide critical services such as cloud storage, payment processing, and software development. While these relationships can offer tremendous benefits, they also come with significant risks. Third-party vendors can pose a significant threat to a company’s cybersecurity posture, as they often have access to sensitive data and systems that can be compromised.
Steps to Strengthen Third-Party Security Measures
- Conduct Risk Assessments: Before engaging with a third-party vendor, organisations should conduct a thorough risk assessment to evaluate the potential risks and vulnerabilities associated with the vendor. This assessment should include an evaluation of the vendor’s security controls, data handling practices, and history of security incidents.
- Establish Security Requirements: Organisations should establish clear security requirements for their third-party vendors, including minimum security standards, data handling practices, and incident response procedures. These requirements should be clearly communicated to vendors and monitored regularly to ensure compliance.
- Monitor Third-Party Vendors: Organisations should establish a system for monitoring third-party vendors’ security practices and performance. This can include regular security audits, vulnerability assessments, and ongoing monitoring of vendor activities.
- Establish Incident Response Procedures: In the event of a security incident involving a third-party vendor, organisations should have established incident response procedures to minimize the impact of the incident and restore normal operations as quickly as possible.
- Maintain Communication: Communication is critical in maintaining strong third-party security measures. Organisations should establish clear lines of communication with their vendors to ensure that they are aware of any security issues and can work together to address them.
In conclusion, strong third-party security is essential for protecting private and public organisations from potential cyber threats. By conducting thorough risk assessments, establishing clear security requirements, monitoring vendor activities, and maintaining open communication, you can help ensure that your third-party vendors are maintaining secure and reliable systems. By prioritising third-party security, companies can protect sensitive data, maintain business continuity, comply with regulatory requirements, and safeguard their reputation.
Smarttech247 can help you ensure that you minimise your third-party security risk. Request a free consultation today!
Source – https://www.smarttech247.com/news/active-exploitation-of-moveit-vulnerability/
Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals
Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that’s designed to capture sensitive data from infected hosts.
The threat actor behind this RaaS promotes its offering on forums, where it requests a share of the profits from those who use its malware in malicious activities.
Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux. It’s also designed to terminate any potential processes that could interfere with encryption.
The macOS and Linux versions of Cyclops ransomware are written in Golang. The ransomware further employs a complex encryption scheme that’s a mix of asymmetric and symmetric encryption.
The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number of processes, and files of interest matching specific extensions.
The harvested data, which comprises .TXT, .DOC, .XLS, .PDF, .JPEG, .JPG, and .PNG files, is then uploaded to a remote server. The stealer component can be accessed by a customer from an admin panel.
The development comes as a new strain of information stealer called Dot Net Stealer has been identified siphoning information from web browsers, VPNs, installed apps, and cryptocurrency wallets, in what’s a further evolution of the cybercrime ecosystem into a more lethal threat.
Source – https://thehackernews.com/2023/06/cyclops-ransomware-gang-offers-go-based.html
Outlook.com Hit by Outages as Hacktivists Claim DDoS Attacks
Outlook.com suffered a series of outages this week after being down multiple times, with hacktivists known as Anonymous Sudan claiming to be performing DDoS attacks on the service.
This outage follows two major outages that created widespread disruption for Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.
Outlook users have taken to Twitter to complain about the spotty email service, stating that it is affecting their productivity.
Microsoft says these outages are caused by a technical issue, posting to Twitter a series of updates switching between saying they mitigated the issues and saying that the problem is happening again.
“We’ve identified that the impact has started again, and we’re applying further mitigation,” tweeted Microsoft.
“Telemetry indicates a reduction in impact relative to earlier iterations due to previously applied mitigations. Further details about the workstreams are in the admin center via MO572252.”
While Microsoft claims technical issues cause the outages, a group known as Anonymous Sudan is claiming to be behind them, warning that they are performing DDoS attacks on Microsoft to protest the US getting involved in Sudanese internal affairs.
“We can target any US company we want. Americans, do not blame us, blame your government for thinking about intervening in Sudanese internal affairs. We will continue to target large US companies, government and infrastructure,” Anonymous Sudan posted to their Telegram channel yesterday.
“We hope you enjoyed it, Microsoft”
Since then, the group has been taunting Microsoft in statements about the repeated DDoS attacks on Microsoft Outlook and Microsoft 365 services.
“Microsoft, today we played football with your services. Let’s play a fun game. The fate of your services, which is used by hundreds of millions of people everyday, is under our dominion and choice,” Anonymous Sudan posted to their Telegram channel.
“You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end?”
From the check-host.net URLs shared by Anonymous Sudan, they say they are targeting “https://outlook.live.com/mail/0/,” the main URL for the Outlook.com web service.
While these claims remain unverified, the service has been sluggish and plagued by a series of outages over the past 24 hours.
2.5M Impacted by Enzo Biochem Data Leak After Ransomware Attack
After facing a ransomware attack at the hands of hackers who breached its computer systems, Enzo Biochem is notifying nearly 2.5 million individuals that their protected health information (PHI) and Social Security numbers were compromised.
Enzo Biochem is a life sciences and molecular diagnostics company based in New York that provides clinical research services, and develops products such as DNA tests.
On May 30, the company filed documents with the Securities and Exchange Commission (SEC) to announce the breach, alerting the public that 2.47 million individuals across the US were affected by the data breach, 600,000 of whom had personally identifiable information (PII) such as their Social Security numbers leaked.
On April 6, the company confirmed that a ransomware attack had breached its external systems, and on April 11 it determined definitively what kind of data had been leaked, including names and testing information, and is now disclosing the incident publicly.
Though the company continues to operate, and its facilities are still open, it is implementing new measures to its disaster recovery plan and has launched an investigation with the help of cybersecurity experts in response to the attack.
Identity PII and PHI data continues to be a high-demand target for malicious attackers. Disconnecting machines from outside access for the most part will not help against an already encrypted system or further prevent automatic propagation of malware.
It is still unknown as to whether or not employee data was affected by the breach.
GIGABYTE Releases New Firmware to Fix Recently Disclosed Security Flaws
GIGABYTE has released firmware updates to fix security vulnerabilities in over 270 motherboards that could be exploited to install malware.
The firmware updates were released last Thursday in response to a report that found flaws in a legitimate GIGABYTE feature used to install a software auto-update application in Windows.
Windows includes a feature called Windows Platform Binary Table (WPBT) that allows firmware developers to automatically extract an executable from the firmware image and execute it in the operating system.
“The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the .exe. It’s used to run programs that aren’t included with the Windows media,” explains Microsoft.
GIGABYTE motherboards use the WPBT feature to automatically install an auto-update application to ‘%SystemRoot%\system32\GigabyteUpdateService.exe’ on new installations of Windows.
While enabled by default, this feature can be disabled in the BIOS settings under the Peripherals tab > APP Center Download & Install Configuration option.
However, various security flaws in this process were discovered that attackers could potentially exploit to deliver malware in man-in-the-middle (MiTM) attacks.
When the firmware drops and executes the GIGABYTEUpdateService.exe, the executable will connect to one of three GIGABYTE URLs to download and install the latest version of the auto-update software.
The problem is that two of the URLs used to download the software utilize non-secure HTTP connections, which can be hijacked in MiTM attacks to install malware instead.
Furthermore, the researchers found that GIGABYTE did not perform any signature verification of downloaded files, which would have prevented malicious or tampered files from being installed.
In response, GIGABYTE has now released firmware updates for Intel 400/500/600/700 and AMD 400/500/600 series motherboards to fix these issues.
“To fortify system security, GIGABYTE has implemented stricter security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection:
1. Signature Verification: GIGABYTE has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents, thwarting any attempts by attackers to insert malicious code.
2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This guarantees that files are exclusively downloaded from servers with valid and trusted certificates, ensuring an added layer of protection.” – GIGABYTE.
While the risk from these vulnerabilities is likely low, all GIGABYTE motherboard users are advised to install the latest firmware updates to benefit from the security fixes.
Furthermore, if you wish to remove the GIGABYTE auto-update application, you should first turn off the ‘APP Center Download & Install Configuration’ setting in the BIOS and then uninstall the software in Windows.
Alarming Surge in Truebot Activity Revealed with New Delivery Vectors
A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.
TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks.
Active since at least 2017, TrueBot is linked to a group known as Silence that’s believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp.
Recent TrueBot infections have leveraged a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors.
The attack chain, on the other hand, starts off with a drive-by-download of an executable named “update.exe” from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update.
Once run, update.exe establishes connections with a known TrueBot IP address located in Russia to retrieve a second-stage executable (“3ujwy2rz7v.exe”) that’s subsequently launched using Windows Command Prompt.
The executable, for its part, connects to a command-and-control (C2) domain and exfiltrates sensitive information from the host. It’s also capable of process and system enumeration.
When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network.
The findings come as a new variant of another downloader malware known as GuLoader (aka CloudEyE) that’s used to deliver a wide range of malware such as Agent Tesla, Azorult, and Remcos was identified.
Source – https://thehackernews.com/2023/06/alarming-surge-in-truebot-activity.html
New Linux Ransomware Strain Blacksuit Shows Striking Similarities to Royal
An analysis of the Linux variant of a new ransomware strain called BlackSuit has uncovered significant similarities with another ransomware family called Royal.
Examination of an x64 VMware ESXi version targeting Linux machines identified an extremely high degree of similarity between Royal and BlackSuit. A comparison of the Windows artifacts identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. BlackSuit first came to light in early May 2023.
In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a compromised network in return for monetary compensation. Data associated with a single victim has been listed on its dark web leak site.
The latest findings show that both BlackSuit and Royal use OpenSSL’s AES for encryption and utilize similar intermittent encryption techniques to speed up the encryption process. The overlaps aside, BlackSuit incorporates additional command-line arguments and avoids a different list of files with specific extensions during enumeration and encryption.
The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.
Given that Royal is an offshoot of the erstwhile Conti team, it’s also possible that BlackSuit emerged from a splinter group within the original Royal ransomware gang.
The development once again underscores the constant state of flux in the ransomware ecosystem, even as new threat actors emerge to tweak existing tools and generate illicit profits.
This includes a new ransomware-as-a-service (RaaS) initiative codenamed NoEscape that Cyble said allows its operators and affiliates to take advantage of triple extortion methods to maximize the impact of a successful attack.
Triple extortion refers to a three-pronged approach wherein data exfiltration and encryption are coupled with distributed denial-of-service (DDoS) attacks against the targets in an attempt to disrupt their business and coerce them into paying the ransom.
The DDoS service, per Cyble, is available for an added $500,000 fee, with the operators imposing conditions that forbid affiliates from striking entities located in the Commonwealth of Independent States (CIS) countries.
Source – https://thehackernews.com/2023/06/new-linux-ransomware-strain-blacksuit.html
New Horabot Campaign Takes Over Victim’s Gmail, Outlook Accounts
A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool.
The malware enables the operators to take control of the victim’s Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts.
The new Horabot operation was discovered by analysts, who report that the threat actor behind it is likely based in Brazil.
The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.
The victim clicks on the hyperlink on the page and downloads a RAR archive that contains a batch file with a CMD extension, which downloads a PowerShell script that fetches trojan DLLs and a set of legitimate executables from the C2 server. These trojans execute to fetch the final two payloads from a different C2 server. One is a PowerShell downloader script, and the other is the Horabot binary.
One of the DLL files in the downloaded ZIP, “jli.dll,” which is sideloaded by the “kinit.exe” executable, is a banking trojan written in Delphi. It targets system info (language, disk size, antivirus software, hostname, OS version, IP address), user credentials, and activity data. Moreover, the trojan also offers its operators remote access capabilities like performing file actions and can also conduct keylogging, screenshot snapping, and mouse event tracking.
When the victim opens an application, the trojan overlays a fake window on top of it to trick victims into entering sensitive data like online banking account credentials or one-time codes. All information collected from the victim’s computer is sent to the attacker’s command and control server via HTTP POST requests. The trojan has several built-in anti-analysis mechanisms to prevent it from running in sandboxes or alongside debuggers.
The ZIP archive also contains an encrypted spam tool DLL named “_upyqta2_J.mdat,” designed to steal credentials for popular webmail services like Gmail, Hotmail, and Yahoo.
Once the credentials are compromised, the tool takes over the victim’s email account, generates spam emails, and sends them to the contacts found in the victim’s mailbox, furthering the infection somewhat randomly. This tool also features keylogging, screenshot snapping, and mouse event interception or tracking capabilities, functionally overlapping with the banking trojan, possibly for redundancy.
The primary payload dropped onto the victim’s system is Horabot, a documented PowerShell-based botnet that targets the victim’s Outlook mailboxes to steal contacts and disseminate phishing emails containing malicious HTML attachments.
The malware launches the victim’s desktop Outlook application to scrutinize the address book and contacts from the mailbox contents. All extracted email addresses are written into an “.Outlook” file and then encoded and exfiltrated to the C2 server.
Finally, the malware creates an HTML file locally, fills it with content copied from an external resource, and sends phishing emails to all extracted email addresses individually.
When the phishing email distribution process is finished, the locally created files and folders are deleted to wipe any traces.
Although this Horabot campaign mainly targets users in Mexico, Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama, the same or collaborating threat actors could expand its reach to other markets anytime, using phishing themes written in English.