HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers


The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activity against the healthcare sector. The department has now issued a new warning about Evil Corp attacks.

According to the alert, Evil Corp is believed to be obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has constantly changed its tactics in order to avoid sanctions imposed by the US government, causing millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, which are frequently combined with commodity malware and off-the-grid tactics. Furthermore, HC3 is concerned because nation-state-sponsored threat actors, such as Evil Corp, see data exfiltration as a cost-effective way to steal intellectual property. 

In addition to the aforementioned, Evil Corp makes no distinction between large and small organisations, preferring to target wherever there is an opportunity. Karakurt has at least compromised an assisted living facility, a healthcare provider, a hospital, and a dental clinic, according to HC3. The group even transformed its leak site into a searchable database, making it easier to locate victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only increased since the onset of the pandemic. Various threat groups target the sector on a regular basis, so putting the necessary security measures in place is advised.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+ Organizations


Microsoft identified a large-scale phishing campaign, targeting more than 10,000 organisations, that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA.

In AiTM phishing, threat actors place a proxy server between the target user and the legitimate website the user wants to reach; the phishing site the user actually visits is that attacker-controlled proxy. Because every request and response passes through it, the proxy lets the attackers intercept the exchange and capture both the target's password and the session cookie issued after authentication.

After obtaining the credentials and session cookies needed to access users' mailboxes, the threat actors launched business email compromise (BEC) attacks against other targets. Microsoft's researchers believe the AiTM phishing campaign has targeted over 10,000 organisations since September 2021.

AiTM phishing

The landing pages used in this campaign targeted the Office 365 authentication process by impersonating the Office online sign-in page. Microsoft researchers found that the campaign's operators used the Evilginx2 phishing kit as their AiTM infrastructure. In several of the attacks the experts observed, the threat actors sent phishing emails with an HTML file attachment; the message told recipients they had a voice message in order to trick them into opening the file.

The analysis published by Microsoft states: “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their own browser to bypass the authentication procedure, even if the recipient had activated MFA on their account. Microsoft advises organisations to use systems that support Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant".
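Why a FIDO2/WebAuthn second factor resists this kind of relay while a typed code does not, as an added simulation (not Microsoft's, Evilginx2's or any vendor's code): the keyed hash stands in for the authenticator's asymmetric signature, and the origins `login.example.com` and `login.example-evil.test` are assumed placeholders.

```python
# Constructed simulation of AiTM relay against two second factors.
# The property that matters: WebAuthn client data carries the origin the browser
# actually saw, and the relying party checks it; a one-time code carries nothing.
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"        # assumed real sign-in origin
PROXY_ORIGIN = "https://login.example-evil.test"  # assumed AiTM proxy (lookalike) origin


class Authenticator:
    """Simulated FIDO2 authenticator registered for one user."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # stand-in for the private key

    def sign(self, challenge, origin):
        # The browser, not the user, fills in `origin` in clientDataJSON, so a page
        # served from a lookalike domain cannot claim the real origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """Simulated identity provider accepting WebAuthn assertions or OTP codes."""

    def __init__(self, origin, registered_secret):
        self.origin = origin
        self.registered_secret = registered_secret  # stand-in for the public key
        self.challenges = {}
        self.current_otp = "492031"  # constructed OTP value for the demo

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_webauthn(self, user, assertion):
        expected = hmac.new(self.registered_secret, assertion["client_data"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "rejected: bad signature"
        data = json.loads(assertion["client_data"])
        if data["challenge"] != self.challenges.pop(user, None):
            return "rejected: unknown or reused challenge"
        if data["origin"] != self.origin:
            return "rejected: origin mismatch"  # the check that defeats the proxy
        return "accepted"

    def verify_otp(self, code):
        # A TOTP/SMS code has no notion of where it was typed.
        return "accepted" if hmac.compare_digest(code, self.current_otp) else "rejected: bad code"


def direct_webauthn_login():
    """User signs in at the real origin."""
    auth = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, auth.secret)
    challenge = rp.new_challenge("alice")
    return rp.verify_webauthn("alice", auth.sign(challenge, LEGIT_ORIGIN))


def relayed_webauthn_login():
    """Proxy fetches a genuine challenge and relays the victim's assertion unchanged."""
    auth = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, auth.secret)
    challenge = rp.new_challenge("alice")            # proxy obtains it from the real site
    assertion = auth.sign(challenge, PROXY_ORIGIN)   # victim's browser is on the proxy's domain
    return rp.verify_webauthn("alice", assertion)    # signature is valid, origin is not


def relayed_otp_login():
    """Same proxy, but the second factor is a code the victim types on the phishing page."""
    rp = RelyingParty(LEGIT_ORIGIN, secrets.token_bytes(32))
    typed_on_proxy_page = "492031"   # nothing binds the code to the page it was typed on
    return rp.verify_otp(typed_on_proxy_page)


if __name__ == "__main__":
    print("direct WebAuthn: ", direct_webauthn_login())
    print("relayed WebAuthn:", relayed_webauthn_login())
    print("relayed OTP:     ", relayed_otp_login())
```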

Microsoft also advises conditional access policies that limit what an attacker can do with a stolen session cookie, and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious characteristics and unusual mailbox operations.

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.
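Two of the checks the post recommends, as an added example over constructed audit events (not Microsoft's detection logic, and the event field names are assumed rather than any product's schema): a session cookie reused from a network location other than the one where MFA was completed, and a delete-or-forward inbox rule created shortly afterwards.

```python
# Constructed detection over sign-in and mailbox audit events (JSON lines).
import json
from datetime import datetime, timedelta

# Constructed sample events, oldest first. Alice's session S1 completes MFA from
# one address and is then presented from another with no fresh MFA, followed by
# a rule that hides invoice mail; Bob's activity is benign.
SAMPLE_EVENTS = """
{"ts": "2022-07-12T08:00:00Z", "type": "SignIn", "user": "alice@example.com", "session": "S1", "ip": "203.0.113.10", "mfa": true}
{"ts": "2022-07-12T08:05:00Z", "type": "SignIn", "user": "alice@example.com", "session": "S1", "ip": "203.0.113.10", "mfa": false}
{"ts": "2022-07-12T08:40:00Z", "type": "SignIn", "user": "alice@example.com", "session": "S1", "ip": "198.51.100.77", "mfa": false}
{"ts": "2022-07-12T08:43:00Z", "type": "New-InboxRule", "user": "alice@example.com", "ip": "198.51.100.77", "rule": {"from_contains": "invoice", "delete": true, "forward_to": "ext@example.net"}}
{"ts": "2022-07-12T09:00:00Z", "type": "SignIn", "user": "bob@example.com", "session": "S2", "ip": "203.0.113.22", "mfa": true}
{"ts": "2022-07-12T09:30:00Z", "type": "New-InboxRule", "user": "bob@example.com", "ip": "203.0.113.22", "rule": {"from_contains": "newsletter", "move_to": "Reading"}}
"""

RULE_WINDOW = timedelta(hours=1)  # assumed: how soon after a suspicious sign-in a rule is alarming


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_alerts(events):
    """Return (alert_type, user, ts) tuples in chronological order."""
    mfa_origin = {}      # session id -> ip from which the second factor was satisfied
    recent_new_ip = {}   # user -> time of the latest session reuse from another ip
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user = ev["user"]
        if ev["type"] == "SignIn":
            sess = ev["session"]
            if ev["mfa"]:
                mfa_origin[sess] = ev["ip"]
            elif sess in mfa_origin and mfa_origin[sess] != ev["ip"]:
                # Same session cookie, different address, no fresh MFA: the replay pattern.
                alerts.append(("session-reuse-from-new-ip", user, ev["ts"]))
                recent_new_ip[user] = ts
        elif ev["type"] == "New-InboxRule":
            rule = ev["rule"]
            risky = bool(rule.get("delete") or rule.get("forward_to"))
            last = recent_new_ip.get(user)
            if risky and last is not None and ts - last <= RULE_WINDOW:
                alerts.append(("risky-inbox-rule-after-suspicious-signin", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

The same inbox-rule check applies to the Baltimore BEC case further down this page, where rules planted in a compromised vendor mailbox hid the correspondence from its owner.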

US Defense Contractors Struck by SockDetour Windows backdoor


SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The payload was discovered by Unit 42 security researchers, who believe its operators kept it under the radar for a long time: it has been in use since at least July 2019. Its stealth comes from the fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking existing network connections, which makes it much more difficult to identify at both the host and network levels.

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

In one of the attacks, the threat actors used a very specific delivery server: a QNAP network-attached storage (NAS) device of the kind commonly used by small businesses, which had earlier been infected with QLocker ransomware. They most likely exploited the same security vulnerability (the CVE-2021-28799 remote code execution bug) to gain access to the server.

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and malicious tools that match APT27's earlier activity, as well as similar cyber-espionage targeting of the same industries (e.g., defence, technology, energy, aerospace, government, and manufacturing). TiltedTemple attacks targeting Zoho vulnerabilities resulted in the compromise of critical infrastructure organisations' networks.

In three separate campaigns in 2021, TiltedTemple attacks targeting Zoho vulnerabilities resulted in the penetration of networks belonging to critical infrastructure organisations around the world, using: 
• an ADSelfService zero-day exploit between early August and mid-September, 
• an n-day ADSelfService exploit until late October, 
• and a ServiceDesk exploit starting on October 25.

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials


The Cofense Phishing Defense Center (PDC) has discovered a new phishing effort that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is a business intelligence-focused interactive data visualisation programme developed by Microsoft. It's a component of the Microsoft Power Platform. 

Power BI is a set of software services, apps, and connectors that work together to transform disparate data sources into coherent, visually immersive, and interactive insights. Data can be read directly from a database, a webpage, or structured files like spreadsheets, CSV, XML, and JSON. Power BI offers cloud-based BI (business intelligence) services known as "Power BI Services," as well as a desktop interface known as "Power BI Desktop."

It provides data warehouse functionality such as data preparation, data discovery, and interactive dashboards. Microsoft added a new service called Power BI Embedded to its Azure cloud platform in March 2016. The ability to import custom visualisations is a key differentiator of the product. 

The email appears to be a genuine Microsoft notification, for a couple of reasons. Threat actors have grown accustomed to incorporating authentic Microsoft notifications into their phishing designs, and researchers have also seen them use stolen credentials to generate a legitimate-looking notification from a legitimate Microsoft instance. In this email, the threat actor employed a common theme to entice the recipient to click on the links.

After clicking the link in the email, the user is taken to a website that appears to be a legitimate Microsoft log-in page. The first sign that anything is wrong with the page, aside from the lack of conventional imagery, is that the URL does not look anything like what is specified in the email or linked with Microsoft services. 

After the recipient enters their credentials, the attack concludes with an error message indicating that there was a problem with account verification. This is yet another Microsoft spoof, used by the threat actor to divert the recipient's attention from the fact that they were not taken to the Power BI report they expected to view, and it makes the recipient less likely to suspect that they have just given away their credentials.

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.

Baltimore City was Duped Out of $376K


A new report from the Office of the Inspector General (OIG) reveals that a cyber-criminal posing as a vendor duped Baltimore City out of hundreds of thousands of dollars last year. In October 2021, the OIG opened an investigation after receiving information from Baltimore's Bureau of Accounting and Payroll Services (BAPS) about an alleged fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) paid the Vendor by EFT.

BAPS and MOCFS were contacted by email on December 22, 2020 and January 7, 2021, from an email address linked with an employee of the Vendor firm, asking for a change to its EFT remittance details. On December 16, 2020, the email linked with the Vendor Employee sent BAPS a Vendor Payment & Electronic Funds Transfer Form. 

The OIG later determined that the Vendor Employee's email account had been compromised through a phishing attack, and that the malicious actor had then set up rules within the account. As a result, the malicious actor was able to correspond with City workers without the Vendor's knowledge.

On January 5, 2021, the fraudster contacted MOCFS and BAPS once more, this time requesting that the funds be transferred to a new account at a third financial institution. As verification, the fraudster sent a bank letter and a copy of a voided check with the same details as the third account. BAPS paid $376,213.10 into the third account on January 7, 2021, believing the fraudster's assertions. 

The OIG found that BAPS employees do not have access to a list of authorised signatories for vendors and must rely on information provided by representatives of City agencies. Furthermore, instead of independently validating the information and the request, BAPS relied on MOCFS to support the request and accepted an incoming phone call from someone pretending to be the Vendor's Chief Financial Officer.

In his response to this report, Director of Finance Henry Raymond notified the OIG that new protocols had been implemented requiring Department of Finance (DOF) workers to independently verify bank changes with an executive-level employee. DOF has also devised processes to exclude City agencies from vendor accounting procedures.

68K People Who Received Services from Advocates were Affected by Data Theft


Approximately 68,000 Advocates clients are being alerted that their personal and protected health information was stolen during a four-day incident in September 2021. Advocates also notified certain employees whose data was stolen during the hacking incident. 

Advocates, Inc. ("Advocates") is a non-profit organization established in Massachusetts that provides a wide range of services to people facing life issues such as addiction, aging, autism, brain damage, intellectual disabilities, mental health, and behavioral health. 

On October 1, 2021, Advocates was notified that an unauthorised actor had copied data from its digital environment. On discovering this activity, Advocates took action to secure its environment and hired a leading cybersecurity firm to help investigate whether personal information was accessed or acquired without authorisation as part of the attack. The investigation determined that between September 14, 2021 and September 18, 2021, an unknown person gained access to the Advocates network and collected data from it.

The incident may have involved the following personal and protected health information: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information. 

Following the inquiry, Advocates began gathering contact information to notify possibly affected individuals. Advocates also alerted the Federal Bureau of Investigation and stated that they will provide whatever assistance is required to hold the criminals accountable, if at all feasible. Advocates take the security and privacy of service recipient information extremely seriously and have taken additional precautions to prevent a similar incident from happening in the future. 

Advocates is not aware of any proof of any information being misused in this incident. However, commencing on January 3, 2022, Advocates distributed notice of this incident to possibly affected persons. Advocates gave information about the incident as well as recommendations that potentially impacted individuals can do to protect their information in this notification letter. Individuals were also given free credit monitoring and identity protection services through IDX, according to Advocates. 

To answer questions about the incident and address related concerns, Advocates set up a toll-free call centre. Advocates advises individuals to report promptly to their financial institution if they see any suspicious activity on any of their accounts, such as unauthorised transactions or new accounts opened in their name that they do not recognise, and to report any fraudulent activity or suspected identity theft to the appropriate law enforcement authorities as soon as possible.

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials


Credential phishing attacks aimed at obtaining German banking credentials have become more widespread, according to Proofpoint researchers. Proofpoint analysts have identified multiple high-volume operations imitating large German institutions, such as Volksbank and Sparkasse, employing customized, actor-owned landing sites, since August 2021. Hundreds of organizations are affected by the activity, which is still ongoing.

The campaigns were aimed at a variety of industries, with a focus on German companies and foreign workers in Germany. Each campaign comprised tens of thousands of messages and affected hundreds of organisations. The phishing emails carry account administration themes and contain links or QR codes leading to a geo-fenced credential harvesting website. Targeted information includes bank branch details, login identity, and PIN. The threat actor used a number of URL redirection techniques to distribute the malicious URLs; in several campaigns, compromised WordPress websites redirected users to the phishing landing pages.

Threat actors regularly abuse WordPress plugins and WordPress-based websites to distribute malicious URLs for phishing and malware attacks. Feedproxy URLs and QR codes were also observed being used to redirect to the phishing pages. Only visitors from Germany are directed to the phishing website, because the threat actor applies geofencing: according to Proofpoint, IP geolocation checks determine the location of a target. If the user is not in Germany, they are sent to a cloned website ostensibly providing tourist information about Dusseldorf's Rhine Tower; if the user is in Germany, they are sent to a page that resembles a bank's website.

Using identical domain naming conventions, the actor hosts these pages on their own actor-controlled infrastructure. Sparkasse credential phishing URLs, for example, frequently begin with "spk-," whereas Volksbank clones begin with "vr-." Some samples of the domains used by this threat actor are, vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2, spk-systemerneuerung-spk[.]com/CJ4F6UFR0T. 

According to Proofpoint, this campaign cannot be linked to a known threat group. However, registrant information tied to several domains found in this activity has been linked to over 800 fake websites, the majority of which imitate banks or financial institutions. Domain registration data suggests this perpetrator may have been targeting users of Spanish banks earlier this year. Cybercriminal threat actors engaged in banking credential theft and financial fraud are opportunistic and target large numbers of victims.

Kazakhstan Has Been The Target of a PowerShell-Based Attack


Malwarebytes discovered a multi-stage PowerShell attack on November 10 that used a document lure imitating the Kazakh Ministry of Health Care. On November 8, a threat actor using the handle DangerSklif (perhaps in reference to Moscow's emergency hospital) set up a GitHub account and posted the first part of the attack. 

PowerShell is a sophisticated scripting language that gives you full access to a computer's inner workings, including Windows APIs. PowerShell also has the advantage of being an integral part of Windows that is entirely trusted, thus security software normally ignores the commands it executes. The ability to execute PowerShell remotely via WinRM makes it an even more tempting tool. This functionality allows attackers to bypass Windows Firewall, run PowerShell scripts remotely, or simply drop into an interactive PowerShell session, giving them complete administrative control over a system. 

When PowerShell is used in a fileless malware attack, the line between infecting a single machine and compromising the entire enterprise is entirely blurred. The route to total compromise is paved the instant an attacker obtains a user name and password for a single system. 

The attack began with the distribution of the RAR archive “Увeдомление.rar” ("Notice.rar"). The archive contains an lnk file with the same name that pretends to be a PDF document from Kazakhstan's "Ministry of Health Care." When the lnk file is opened, a PDF is shown to distract the victim while the various stages of the attack are carried out in the background. The decoy document is an update to a COVID-19 policy released by the Republic of Kazakhstan's Chief State Sanitary Doctor.

Execution of the lnk file invokes PowerShell, which uses an autorun registry key to carry out multiple techniques such as privilege escalation and persistence. The entire attack was hosted in a single GitHub repository called GoogleUpdate, created on November 8th by a user named DangerSklif; the DangerSklif GitHub account itself was created on November 1st.

After de-obfuscating its embedded command, the lnk file used cmd.exe to call PowerShell, which downloaded and executed the first stage of the attack (lib7.ps1) from the GitHub account. lib7.ps1 downloads the decoy PDF from the same GitHub account and saves it in the Downloads directory. It then opens the decoy PDF to fool the user while the rest of the procedure runs in the background, including obtaining the OS version and downloading the next stage based on that version.

Thousands of Coinbase Clients were Robbed due to an MFA Flaw


After exploiting a vulnerability in Coinbase's SMS multi-factor authentication security mechanism, a threat actor stole cryptocurrency from 6,000 customers, according to the firm. A threat actor executed a hacking campaign between March and May 20th, 2021 to penetrate Coinbase customer accounts and steal cryptocurrency, according to a warning given to impacted consumers this week. 

According to the US-based exchange, which has roughly 68 million customers in over 100 countries, the hackers apparently needed to know the user's email address, password, and phone number, and to have access to their email account. It is unclear how the hackers obtained that information.

"In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account," Coinbase told customers in electronic notifications. 

Customers' personal information was exposed as well, according to the report, "including their complete name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances."

According to Coinbase, a flaw in their SMS account recovery process allowed hackers to acquire access to the SMS two-factor authentication token required to access a secured account. Coinbase claims to have updated the "SMS Account Recovery protocols" after learning of the incident, preventing any further bypassing of SMS multi-factor authentication. 

Because the Coinbase bug allowed threat actors to gain access to accounts that were thought to be secure, the exchange is depositing funds in affected accounts equal to the stolen amount. 

"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost," promised Coinbase. It is unclear whether Coinbase will credit hacked users with the stolen cryptocurrency or with fiat currency. If fiat currency is used, it may result in a taxable event for the victims if it realises a gain for them.

Coinbase recommends implementing multi-factor authentication (MFA) with security keys, Time-based One-Time Passwords (TOTP) with an authenticator app, or SMS text messages as a last resort in their account security guide.

Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device


Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment giant released a patch in April 2021 as part of version 5.13.5 of the Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim; opening the book triggers the infection sequence without any further interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for attacking other devices on the target's local network.

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

Threat Actor Targets New Zealand Reserve Bank to Acquire Sensitive Information


New Zealand’s Reserve Bank data systems were breached by an unidentified hacker who potentially gained access to sensitive and personal information. The hacker compromised a third-party file sharing service used by the central bank of New Zealand to share and store sensitive information.

The Reserve Bank of New Zealand, based in Wellington and commonly known as Te Putea Matua, is responsible for setting monetary policy to stabilise prices in the nation. Reserve Bank Governor Adrian Orr assured the public that the data breach has been contained and that the bank’s core functions “remain sound and operational”.

Threat actors have targeted a number of major organisations in New Zealand in the past year. The New Zealand Stock Exchange was one of the most prominent victims: its servers were knocked out for nearly a week in August 2020. In a conversation with Radio New Zealand, Dave Parry, professor of computer science at Auckland University, said there is a possibility that another government is behind the Reserve Bank data leak.

Adrian Orr stated that “we are working closely with domestic and international security experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information. The system has been secured and taken offline until we have completed our initial investigations”.

Pending further investigation, the Reserve Bank of New Zealand has taken the affected systems offline and is considering alternative ways to secure its data.