Thursday, March 23rd, 2023
Cybersecurity Week in Review (24/03/23)
German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users’ Gmail inboxes.
The joint advisory comes from Germany’s domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea’s National Intelligence Service of the Republic of Korea (NIS). The intrusions are designed to strike “experts on the Korean Peninsula and North Korea issues” through spear-phishing campaigns, the agencies noted.
Kimsuky, also known Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea’s Reconnaissance General Bureau and is known to collect strategic intelligence on geopolitical events and negotiations affecting the DPRK’s interests.
Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organisations. The threat actor’s activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea.
Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn. The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue.
The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim’s email content using the rogue add-on, which, in turn, leverages the browser’s DevTools API to perform the function. But in an escalation of Kimsuky’s mobile attacks, the threat actor has been observed logging into victims’ Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.
“The attacker logs in with the victim’s Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app,” the agencies explained. “At this time, the target’s smartphone linked with the Google account is selected as the device to install the malicious app on.”
It’s suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as internal testing that allows third-party developers to distribute their apps to a small set of trusted testers.
A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app, indicating that the campaign is extremely targeted in nature. Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android’s accessibility services. The apps’ APK package names are –
com.viewer.fastsecure (FastFire)
com.tf.thinkdroid.secviewer (FastViewer)
The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.
Source – https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
NAPLISTENER: New Malware in REF2924 Group’s Arsenal for Bypassing Detection
The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia.The malware, dubbed NAPLISTENER is an HTTP listener programmed in C# and is designed to evade network-based forms of detection.
REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022. The threat actor’s modus operandi suggests overlaps with another hacking group dubbed ChamelGang, which was documented in October 2021.
Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad.
DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to a contested network and executes additional malware and tools.
SIESTAGRAPH employs Microsoft’s Graph API for command-and-control via Outlook and OneDrive, and comes with capabilities to run arbitrary commands through Command Prompt, upload and download files to and from OneDrive, and take screenshots.
ShadowPad is a privately sold modular backdoor and a successor of PlugX, enabling threat actors to maintain persistent access to compromised computers and run shell commands and follow-on payloads. The use of ShadowPad is noteworthy as it indicates a potential link to China-based hacking groups, which are known to utilise the malware in various campaigns over the years.
To this list of expanding malware arsenal used by REF2924 joins NAPLISTENER (“wmdtc.exe”), which masquerades as a legitimate service Microsoft Distributed Transaction Coordinator (“msdtc.exe”) in an attempt to fly under the radar and establish persistent access. NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory.
Code analysis suggests the threat actor borrows or repurposes code from open source projects hosted on GitHub to develop its own tools, a sign that REF2924 may be actively honing a raft of cyber weapons.
The findings also come as a Vietnamese organisation was targeted in late December 2022 by a previously unknown Windows backdoor codenamed PIPEDANCE to facilitate post-compromise and lateral movement activities, including deploying Cobalt Strike.
Source – https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html
Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen
The Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site. The cyber security incident is among Clop’s ongoing attacks against vulnerable GoAnywhere MFT servers belonging to established enterprises. Although the company states no real customer data is impacted, it did not address if corporate or employee data was stolen.
Founded in 1867 by Andrew Saks and headquartered in New York City, Saks Fifth Avenue remains among prominent luxury brand retailers serving the U.S., Canada and parts of the Middle East.
Yesterday, the Clop ransomware gang listed “Saks Fifth Avenue” on its data leak website among their latest victims. The threat actor has not yet disclosed any additional information, such as what all data it stole from the luxury brand retailer’s systems, or details about any ongoing ransom negotiations.
The flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. GoAnywhere MFT’s developer Fortra (formerly HelpSystems) had previously disclosed to its customers that the vulnerability had been exploited as a zero-day in the wild and urged customers to patch their systems. The official advisory remains hidden to the public, but was earlier made public by investigative reporter Brian Krebs.
In February, Clop claimed it had breached 130+ organisations and stolen their data over the course of ten days by exploiting this particular vulnerability on enterprise servers. This month, Hitachi Energy disclosed a data breach by Clop resulting from the same zero-day.
“Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks,” a Saks spokesperson confirmed.
While the retail giant states no “real” customer data or payment information was stolen, it did not answer our follow up question, as to whether corporate or employee data was compromised in this incident.
“We take information security very seriously and are conducting an ongoing investigation into this incident alongside outside experts and law enforcement. As organisations increasingly face cybersecurity threats, we remain committed to ensuring the safety of the information we hold,” concluded Saks in its statement.
For the avoidance of doubt, Saks OFF 5TH—while previously a subsidiary of Saks Inc., is now a separate company and as such not linked to this incident.
In 2018, the Fin7 cybercrime syndicate had hacked Saks Fifth Avenue and Lord & Taylor to steal payment card information of 5 million customers. Nearly a year prior to that, BuzzFeed News had reported that Saks Fifth Avenue was storing personal information of tens of thousands of customers on publicly-accessible pages.
General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen
Leading Bitcoin ATM maker General Bytes disclosed that hackers stole cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform.
General Bytes makes Bitcoin ATMs allowing people to purchase or sell over 40 cryptocurrencies. Customers can deploy their ATMs using standalone management servers or General Bytes cloud service.
Over the weekend, the company disclosed that hackers exploited a zero-day vulnerability tracked as BATM-4780 to remotely uploaded a Java application via ATM’s master service interface and run it with ‘batm’ user privileges.
“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” General Bytes explained in a security incident disclosure. The company took to Twitter to urge customers to “take immediate action” and install the latest updates to protect their servers and funds from attackers.
After uploading the Java application, the threat actors were able to perform the following actions on compromised devices:
- Ability to access the database.
- Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
- Send funds from hot wallets.
- Download user names, their password hashes and turn off 2FA.
- Ability to access terminal event logs and scan for any instance where customers scanned private keys at the ATM. Older versions of ATM software were logging this information.
General Bytes warned that its customers and its own cloud service were breached during the attacks. Although the company disclosed how much money the attacker stole, they provided a list of cryptocurrency addresses used by the hacker during the attack. These addresses show that the hacker began stealing cryptocurrency from Bitcoin ATM servers on March 17th, with the attacker’s Bitcoin address receiving 56.28570959 BTC, worth approximately $1,589,000, and 21.79436191 Ethereum, worth roughly $39,000.
While the Bitcoin wallet still contains the stolen cryptocurrency, the threat actors appear to have used Uniswap to convert the stolen Ethereum into USDT. CAS (Crypto Application Server) admins are urged to examine their “master.log” and “admin.log” log files for any suspicious gaps in time caused by the attacker deleting log entries to conceal their actions on the device.
General Byte’s report also warned that the uploaded malicious JAVA applications would appear in the “/batm/app/admin/standalone/deployments/” folder as random-named .war and .war.deployed files, as shown below. The company notes that the file names are likely different per victim.
Those without signs of a breach should still consider all their CAS passwords and API keys compromised and immediately invalidate them and generate new ones. All user passwords should also be reset. Detailed step-by-step instructions for all server operators on protecting their endpoints are enclosed in the company’s statement.
General Bytes says they are shuttering its cloud service, stating it finds it “theoretically (and practically) impossible” to secure it from bad actors when it must simultaneously provide access to multiple operators. The company will provide support with data migration to those who would like to install their own standalone CAS, which should now be placed behind a firewall and VPN.
General Byte has also released a CAS security fix that addresses the exploited vulnerability, provided in two patches, 20221118.48 and 20230120.44. It also highlights that the breached system underwent multiple security audits since 2021, but none identified the exploited vulnerability.
However, even with these security audits, in August 2022, General Bytes had a security incident where hackers exploited a zero-day vulnerability in its ATM servers to steal cryptocurrency from its customers.
The company says its plans to conduct numerous security audits of its products by multiple companies in a short period to discover and fix other potential flaws before bad actors find them.
Cyberattackers Hoop NBA Fan Data via Third-Party Vendor
As it moves into the final stretch of its regular season, the National Basketball Association said over the weekend that “an unauthorised third party” netted a database filled with the names and email addresses of fans.
The data was housed by a newsletter service that it partners with, the NBA noted in a letter to those affected — an all-too-common instance of the risk that third-party vendors can represent for organisations if their security isn’t properly vetted.
While account credentials, phone numbers, and other sensitive information were not included in the heist, victims should still expect targeted email phishing attacks related to NBA topics, the NBA warned in the letter, which was tweeted out by one recipient. Those could include messages appearing to relate to office pools and other business-themed attacks.
“Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information,” Erich Kron, security awareness advocate at KnowBe4, said in an emailed statement.
Source – https://www.darkreading.com/risk/cyberattackers-hoop-nba-fan-data-third-party-vendor
Ferrari discloses data breach after receiving ransom demand
Ferrari has disclosed a data breach following a ransom demand received after attackers gained access to some of the company’s IT systems.
“We regret to inform you of a cyber incident at Ferrari, where a threat actor was able to access a limited number of systems in our IT environment,” Ferrari says in breach notification letters sent to customers.
While the Italian luxury sports car maker said the attackers gained access to its network and the attackers demanded a ransom not to leak data stolen from its systems, Ferrari is yet to disclose if this was a ransomware attack or just an extortion attempt.
“Ferrari N.V. announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details,” the company said in a statement.
“Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm.”
Ferrari says customer information exposed in the incident includes names, addresses, email addresses, and telephone numbers. So far, Ferrari is yet to find evidence that payment details, bank account numbers, or other sensitive payment information was accessed or stolen.
Ferrari has taken measures to secure the compromised systems and says the attack has had no impact on the company’s operations. After discovering the breach, Ferrari also reported the attack to relevant authorities and is working with a cybersecurity company to investigate the scope of the impact.
DotRunpeX: The Malware That Infects Systems with Multiple Families
A new malware that distributes multiple known malware families, including Agent Tesla, FormBook, Ave Maria, NetWire, LokiBot, Raccoon Stealer, Remcos, RedLine Stealer, Vidar, and Rhadamanthys, has been discovered. Dubbed DotRunpeX, the malware is a new injector written in .NET, created using the Process Hollowing technique, and used to infect systems with different malware families.
Researchers noted that DotRunpeX is being actively developed. Its infection chain invades the system as a second-stage malware, usually deployed via a downloader or loader delivered via malicious attachments in phishing emails. Additionally, it can leverage malicious Google Ads that appear in search results to direct unsuspecting users when they search for commonly used software such as LastPass and AnyDesk and send them to copycat sites delivering trojanised installers.
Though the injector is fairly new, there are several similarities it shares with its previous versions. For example, the injector’s name is derived from its version information, which is the same for both versions across all samples the researchers analysed. They also noted that it contained ProductName – RunpeX.Stub.Framework.
Analysis revealed that each malware sample had an embedded payload of a specific malware family to be injected, which becomes possible by abusing the vulnerable procexp.sys process explorer driver incorporated into the malware for obtaining kernel mode execution.
Publicly shared data regarding DotRunpeX showed that the malware was misattributed to a well-known malware family. Furthermore, they learned that the first-stage loader and the second-stage loader had no connection.
The most recent activity of DotRunpeX was detected in October 2022. It was noticed that using the KoiVM virtualising protector adds an extra obfuscation layer. These findings were somewhat similar to a malvertising campaign discovered in February 2023. In that instance, the loader and injector components were referred to as MalVirt.
Researchers suspect that the malware may be operated by Russian-speaking groups, given the references to the language in its code.
Source – https://www.hackread.com/dotrunpex-malware-infects-multiple-families/
Emotet Rises Again: Evades Macro Security via OneNote Attachments
The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.
Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down.
A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a monetised platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.
While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot. It is known for extended periods of inactivity, often occurring multiple times per year, where the botnet maintains a steady-state but does not deliver spam or malware.
The dropper malware is commonly distributed through spam emails containing malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative pathway. The OneNote file is simple but effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is engineered to retrieve and execute the Emotet binary payload from a remote server.
That said, Emotet still continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to entice users into enabling macros to activate the attack chain. This is achieved by padding 00-byte at the end of the document to artificially inflate the file size so as to exceed the limitations imposed by anti-malware solutions.
The latest development is a sign of the operators’ flexibility and agility in switching attachment types for initial delivery to evade detection signatures. It also comes amid a spike in threat actors using OneNote documents to distribute a wide range of malware such as AsyncRAT, Icedid, RedLine Stealer, Qakbot, and XWorm.
A majority of the malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia, with manufacturing, high-tech, telecom, finance, and energy emerging as the top targeted sectors.
Source – https://thehackernews.com/2023/03/emotet-rises-again-evades-macro.html
Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack
The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. The activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The malicious operation is being tracked under its uncategorised moniker UNC3886, and being described as a China-nexus threat actor.
UNC3886 has been observed targeting firewall and virtualisation technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. It’s worth noting that the adversary was previously tied to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE.
The latest disclosure comes as Fortinet revealed that government entities and large organisations were victimised by an unidentified threat actor by leveraging a zero-day bug in Fortinet FortiOS software to result in data loss and OS and file corruption.
The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), concerns a path traversal bug in FortiOS that could lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023. The attacks mounted by UNC3886 targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants such as THINCRUST and CASTLETAP. This, in turn, was made possible owing to the fact that the FortiManager device was exposed to the internet.
THINCRUST is a Python backdoor capable of executing arbitrary commands as well as reading and writing from and to files on disk. The persistence afforded by THINCRUST is subsequently leveraged to deliver FortiManager scripts that weaponise the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.
This includes a newly added payload called “/bin/fgfm” (referred to as CASTLETAP) that beacons out to an actor-controlled server so as to accept incoming instructions that allow it to run commands, fetch payloads, and exfiltrate data from the compromised host.
Alternatively, on FortiManager devices that implement internet access restrictions, the threat actor is said to have pivoted from a FortiGate firewall compromised with CASTLETAP to drop a reverse shell backdoor named REPTILE (“/bin/klogd”) on the network management system to regain access.
Also employed by UNC3886 at this stage is a utility dubbed TABLEFLIP, a network traffic redirection software to connect directly to the FortiManager device regardless of the access-control list (ACL) rules put in place.
This is far from the first time Chinese adversarial collectives have targeted networking equipment to distribute bespoke malware, with recent attacks taking advantage of other vulnerabilities in Fortinet and SonicWall devices. The revelation also comes as threat actors are developing and deploying exploits faster than ever before, with as many as 28 vulnerabilities exploited within seven days of public disclosure.
This is also significant, not least because China-aligned hacking crews have become particularly proficient at exploiting zero-day vulnerabilities and deploying custom malware to steal user credentials and maintain long-term access to target networks. The activity is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions.
Source – https://thehackernews.com/2023/03/chinese-hackers-exploit-fortinet-zero.html
Microsoft Outlook Warning: Critical New Email Exploit Triggers Automatically—Update Now
Microsoft has confirmed that a critical Outlook vulnerability, rated at 9.8 out of a maximum 10, is known to have already been exploited in the wild. The exploit is triggered upon receipt of a malicious email, and so is executed before that email is read in the preview pane.
CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability that, according to the Microsoft Security Resource Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe. Indeed, the Ukrainian Computer Emergency Response Team (CERT) is credited as reporting the zero-day to Microsoft.
Full technical details are, as yet, fairly thin on the ground. However, an MSRC posting says that the critical Microsoft Outlook vulnerability is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required.” The posting continues to explain that the connection to a remote SMB (server message block) server sends the user new technology LAN manager (NTLM) negotiation message which is then relayed for authentication against supporting systems. “Online services such as Microsoft 365 do not support NTLM authentication,” the MSRC posting confirms, so are not vulnerable to this exploit.
UNC4697 was created to track the early exploitation of CVE-2023-23397, publicly attributed to the Russian military intelligence (GRU) connected threat actor, APT28, which is better known as Fancy Bear. The vulnerability is thought to have been exploited since April 2022 against government, defense, logistics, transportation, and energy targets based in Poland, Romania, Turkey, and Ukraine. These targets could facilitate strategic intelligence collection and disruptive or destructive attacks aimed both within and outside of Ukraine.
Multiple proofs-of-concept are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high. Broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially motivated actors, including both criminal and cyber espionage actors is thought to be expected.
The warning concerning CVE-2023-23397 coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. Applying the relevant patch is therefore recommended. That said, if your organisation is unable to apply these security updates immediately, then Microsoft has published some workaround mitigations. Adding users to the Protected Users Security Group will prevent the use of NTLM for authentication, but Microsoft warns that this could “cause impact to applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB using a firewall or through VPN settings.
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.