Have you started 2024 feeling well prepared for the latest cyber threats? In this month’s cyber threats rollup, we have observed some major new attacks. The Keysight Application and Threat Intelligence (ATI) Research Center has been keeping our customers and partners safe by creating simulations of the latest cybersecurity attacks and incorporating them into Threat Simulator, our breach and attack simulation (BAS) platform.
Threat Simulator replicates real-world threats, allowing you to safely test your controls to ensure that your security posture is prepared and armed with identifiable Indicators of Compromise (IOC). With Threat Simulator, you can quickly determine your ability to defend yourself against the latest attacks seen in the news, answer that opening question, and shorten the time to remediate with our recommendations.
Read on to learn about these new simulations and how we can assist you in maintaining your safety, no matter where you are in the world.
New Threat Campaigns
Figure 1: Threat Campaigns User Interface
Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks
The Mimo threat actor, also known as Hezb, exploits various vulnerabilities to install malware, including CoinMiners, ransomware, proxyware, and reverse shell malware. The actor primarily targets poorly managed systems, exploiting known vulnerabilities such as Log4Shell, WSO2, Atlassian Confluence, PaperCut, and Apache ActiveMQ. The Mimo actor was first discovered in March 2022 and has since been observed carrying out a variety of attacks, including installing XMRig CoinMiner, deploying Mimus ransomware, and running proxyjacking attacks. The exact industries and regions affected by the Mimo threat actor are unspecified.
New MetaStealer malvertising campaigns
This article presents a Mirai botnet, explaining its target profile, the attackers’ management processes, and the methods used to infect further victims. The attackers use 32 CVEs in addition to the classic password brute-force technique. It is also observed that the attackers have encrypted various data found in Mirai samples in order to evade detection. Regarding Mirai infrastructure, the infected IoT devices are grouped together based on the attack technique they will next use to spread the malware.
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
The threat actor group known as Mint Sandstorm, also identified as APT35 and Charming Kitten, has targeted individuals involved in Middle Eastern affairs across several countries. Using social engineering techniques and phishing lures, the group attempted to trick individuals into downloading malicious files, ultimately deploying MediaPI and MischiefTut backdoors. While the group has ties to Iran’s Islamic Revolutionary Guard Corps, the exact motivation behind the campaign is unclear. However, given the high-profile nature of the targets, the campaign is likely an attempt to gather intelligence and perspectives on specific geopolitical events.
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
The article describes a new China-aligned APT group named Blackwood that has been operating since at least 2018. The group uses a sophisticated implant called NSPX30, which it delivers via adversary-in-the-middle (AitM) attacks by hijacking updates from legitimate software. The implant was discovered being deployed through the update mechanisms of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin, primarily targeting Chinese and Japanese companies, as well as individuals in China, Japan, and the UK. The researchers traced the evolution of NSPX30 back to a small backdoor from 2005 named Project Wood.
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Trend Micro presents the activity of the threat actor known as Pawn Storm, APT28, or Forest Blizzard. This actor employs a mix of old and advanced tactics, including phishing emails and NTLMv2 hash relay attacks, to target a wide range of entities. The affected entities include government departments, defense, energy, transportation, finance, and more. The threat actor has a global reach, affecting regions including Europe, North America, South America, Asia, Africa, and the Middle East. No specific vulnerabilities were mentioned. The actor’s post-exploitation activities include modifying folder permissions for enhanced persistence and lateral movement within the victim’s organization.
Popping Blisters for research: An overview of past payloads and exploring recent developments
The article discusses the evolution of the Blister malware, a payload loader that has been observed to shift from dropping Cobalt Strike beacons to deploying Mythic agents. Blister is primarily used in targeted attacks, with most samples featuring environmental keying. In addition to the change in payloads, Blister’s developers have also started obfuscating the initial stage of the malware, making it more evasive. While the threat actor behind Blister is not explicitly mentioned, past activity linked to the malware has been associated with Evil Corp. The article does not specify the industries or regions affected by the Blister campaign.
Remcos RAT Being Distributed via Webhards
The AhnLab Security Intelligence Center (ASEC) has identified a distribution method for Remcos RAT malware, which is being spread via webhards and disguised as adult games. The attackers use easily obtainable malware, such as njRAT and UDP RAT, and disguise it as legitimate programs for distribution. The malware is distributed via multiple games using the same method, with a guide encouraging users to run a Game.exe file. The malware executes malicious VBS scripts when the game file is run. The malware downloads Remcos RAT through the C&C server and attempts to perform additional behaviors by injecting it into ServiceModelReg.exe.
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
The 3AM ransomware operation, also known as ThreeAM, has been linked to notorious groups like Conti and Royal ransomware. The group uses a unique extortion method of sharing news of data leaks with the victim’s social media followers. In addition, they use bots to reply to high-ranking accounts with messages pointing to data leaks. The connection between 3AM and Conti was strengthened based on similarities in tactics, infrastructure used in attacks, and communication channels. The group has also been seen testing a new extortion tactic using automated replies on Twitter. The primary target of the campaign was a U.S. company providing automated packaging services.
Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
An active exploitation of Ivanti Connect Secure (ICS) VPN devices was reported by Volexity on January 10th, 2024. The threat actor used two zero-day vulnerabilities, an authentication-bypass vulnerability (CVE-2023-46805) and a command-injection vulnerability (CVE-2024-21887), to run commands on the system, steal configuration data, modify files, and perform ‘Living off the Land’ techniques. The attacker was also observed making modifications to legitimate ICS components to evade the ICS Integrity Checker Tool.
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis – Researcher Blog – ITOCHU Cyber and Intelligence Inc.
The article discusses the ongoing struggle against the infamous APT10 group, focusing on its use of the LODEINFO malware, which targets Japanese media, diplomacy, public institutions, defense industries, and think tanks. The LODEINFO malware is fileless and is usually delivered via spear-phishing emails with malicious Word file attachments. The malware has been continuously updated with new features and anti-analysis techniques, indicating the attackers are focusing on concealing their Tactics, Techniques, and Procedures (TTPs).
The Good, the Bad and the Ugly in Cybersecurity – Week 4
The article discusses three separate cyber threats. First, Vladimir Dunaev, a Russian national and developer of the TrickBot malware, has been sentenced to over five years in prison. TrickBot, initially a banking trojan, evolved into a complex malware framework that caused tens of millions of dollars in losses and was used to attack various entities, including hospitals, schools, and businesses. Second, the article warns of the risks associated with Google Search due to the increasing abuse of Google Ads by threat actors. Lastly, it reports that both Microsoft and Hewlett Packard have been victims of intrusions by the Russian state-sponsored APT29, resulting in unauthorized access and data exfiltration.
The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt
The report discusses a surge in infostealers targeting macOS, including variations of Atomic Stealer, macOS MetaStealer, RealStealer, and others. Despite Apple’s efforts to update its XProtect signature database, these rapidly evolving malware variants continue to evade detection. The report specifically highlights three active infostealers, namely KeySteal, Atomic InfoStealer, and CherryPie, which are evading many static signature detection engines. These variants have been seen to change their methods and distribution techniques over time, making them difficult to detect and mitigate.
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices
The article describes a high-severity threat campaign targeting Linux users via malicious PyPI packages named modularseven-1.0, driftme-1.0, and catme-1.0. These packages, upon initial use, deploy a CoinMiner executable that causes latency in device performance. The malicious packages conceal their payload by hosting it on a remote URL, reducing the detectability of their malicious code. The payload is then incrementally released to execute its malicious activities. All these packages are created by an author named ‘sastra’ and bear resemblance to the ‘culturestreak’ PyPI package discovered in September 2023.
Turkish espionage campaigns in the Netherlands
The threat actor group known as Sea Turtle, believed to be based in Turkey, has been conducting cyber espionage campaigns, primarily targeting organizations in Europe, the Middle East, and North Africa. The group has been active from 2017 to 2023, with a focus on government entities, Kurdish political groups, NGOs, telecom entities, ISPs, IT service providers, and media & entertainment organizations. The group uses DNS hijacking and other techniques to steal valuable and sensitive data, likely for surveillance or intelligence gathering. They utilize open-source tools such as SnappyTCP and NoHup in their operations to collect and extract sensitive data.
Using Google Search to Find Software Can Be Risky
The article describes an ongoing campaign where threat actors are using Google’s ad platform to trick users into downloading malicious versions of popular free software applications. These malicious ads often appear above organic search results, making it a risky affair to search for software on Google. The threat actors manage to evade Google’s anti-abuse policies by periodically swapping legitimate copies of popular software titles with backdoored versions. This allows them to remotely control the systems.
What to do with that fancy new internet-connected device you got as a holiday gift
The article discusses the vulnerabilities of IoT devices and how to mitigate them. It also highlights a ransomware attack on a network-connected torque wrench used in industrial environments. The article mentions the release of a new version of the decryptor for the Babuk ransomware by Cisco Talos and Avast.
Whispers of Atlantida: Safeguarding Your Digital Treasure
Rapid7 discovered a new stealer named Atlantida. It tricks users into downloading a malicious HTA file from a compromised website and uses various evasion techniques. After several steps of the attack are executed, involving VBScript and PowerShell scripts, an open-source tool called Donut is used to load Atlantida. The stealer collects login information from various software applications, gathers hardware data, and even captures the victim’s screen. It focuses on stealing data from three web browsers: Google Chrome, Mozilla Firefox, and Microsoft Edge. It also harvests data from Chrome-based browser extensions, Steam, Telegram, and crypto wallets. After collection, all data is compressed and sent to a C&C server.
Windows Computer Hit with AgentTesla Malware to Steal Data
The article does not provide a description of a specific cyber threat campaign. It only discusses the process of checking if the connection to the site gbhackers.com is secure.
WorkersDevBackdoor Delivered via Malvertising
eSentire describes an investigation into the WorkersDevBackdoor malware spread via Google Ads, disguised as an enterprise network scanner. The malware can collect sensitive information such as keystrokes and active applications and provides backdoor access to infected systems. The malware uses a complex PowerShell script and a .NET payload for in-memory execution. The attacker used commands for lateral movement and executed additional tools, indicating an intent to expand their control over the network.
Zloader: No Longer Silent in the Night
Zscaler discusses updates to the Zloader malware, which uses advanced anti-analysis techniques, including API import hashing, junk code, a filename check, and string obfuscation. The malware also uses a Domain Generation Algorithm (DGA) for communication when the primary C2 server is unavailable. It uses HTTP POST requests to communicate with its C2 server, with network encryption done using 1,024-bit RSA with RC4 and Zeus ‘visual encryption’ algorithms. The malware is currently believed to be operated by a single threat actor, as evidenced by the same RSA public key being used across different samples.
Traders’ Dollars in Danger: CVE-2023-38831 zero-Day vulnerability in WinRAR exploited by cybercriminals to target traders
Group-IB disclosed their findings regarding the abuse of the CVE-2023-38831 zero-day vulnerability to send victims specially crafted zip archives that execute malware instead of benign files. The vulnerability is a logical error in how WinRAR searches for files inside an archive. If an attacker includes two similarly named files, they can force the archiver to ignore the correct target document and extract the next in line, which during an attack would be the malware itself. This technique has been observed to deploy backdoors such as DarkMe, GuLoader and Remcos by tricking users into opening an image file. However, the image file is ignored and a batch script with a similar name is executed.
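The name collision described above can be screened for before an archive ever reaches a WinRAR user, for example at a mail gateway. The following is an added example, not code from Group-IB or from the original post: it lists a zip archive’s entries and flags any script-type entry whose name, once its script extension and surrounding whitespace are removed (and, as an added generalization, any directory it sits in), collides with the name of a document-type entry. The exact collision pattern WinRAR mishandles is not described on the page, so the matcher and the extension list are assumptions of this example, and the sample archives are constructed in memory.

```python
"""Heuristic scan of zip archives for the lookalike-name pattern behind CVE-2023-38831 (added example)."""
import io
import posixpath
import zipfile
from typing import Dict, List, Tuple

# Assumed list of extensions Windows would execute rather than open as a document.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk"}


def _norm(component: str) -> str:
    """Case-fold one path component and drop surrounding whitespace, so 'Foo.jpg ' == 'foo.jpg'."""
    return component.strip().lower()


def find_lookalike_pairs(archive: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) entry-name pairs where a script entry's name shadows a decoy entry.

    A script entry is suspicious when its basename minus the script extension, or any of its
    directory components, matches the full name of a non-script entry in the same archive.
    Entries with no extension (e.g. 'README') may produce false positives; treat hits as leads.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]

    # Index every non-script entry by its normalized basename.
    decoys: Dict[str, str] = {}
    for name in names:
        base = posixpath.basename(name)
        if posixpath.splitext(base)[1].lower() not in SCRIPT_EXTS:
            decoys.setdefault(_norm(base), name)

    pairs: List[Tuple[str, str]] = []
    for name in names:
        parts = name.split("/")
        stem, ext = posixpath.splitext(parts[-1])
        if ext.lower() not in SCRIPT_EXTS:
            continue
        # Names under which this script could be mistaken for a document.
        candidates = {_norm(stem)} | {_norm(p) for p in parts[:-1] if p}
        for candidate in candidates:
            decoy = decoys.get(candidate)
            if decoy is not None and decoy != name:
                pairs.append((decoy, name))
    return pairs


def build_sample(decoy_name: str, script_name: str) -> bytes:
    """Construct an in-memory archive with a decoy document and a script (test input only, harmless content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy_name, b"constructed placeholder, not a real image")
        zf.writestr(script_name, "rem constructed placeholder, no commands\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample("invoice.jpg", "invoice.jpg .cmd")
    print("flagged:", find_lookalike_pairs(suspicious))
    print("clean:", find_lookalike_pairs(build_sample("report.pdf", "setup.cmd")))
```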
DarkGate reloaded via malvertising and SEO poisoning campaigns
Malwarebytes has published a report about a new campaign that focuses on a new version of the DarkGate malware and lures users to fraudulent websites. The threat actor used malvertising for this campaign, as well as techniques such as SEO poisoning, which takes advantage of the recommendations algorithm to push malicious decoy pages to the top of the search results. These pages then download the DarkGate malware to the victim’s computer, and some of them even implemented advanced fingerprinting checks.
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
Mandiant released a report regarding the exploitation of a vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG), by a Chinese threat actor identified as UNC4841 in order to start espionage campaigns against various targets.
The threat actor sends emails with specially crafted attachments that trigger remote code execution in the Barracuda ESG due to incorrect file parsing. Usually, the injected command downloaded further malicious components that gain persistence and give the attacker more capabilities. Regarding backdoors, the attacker utilizes SEASPY, SALTWATER and SEASIDE to collect data about the victim’s machine and the network it resides in. A rootkit disguised as a Linux kernel module (SANDBAR) is also present to hide the previously stated backdoors. In addition, other helper modules (SEASPRAY and SKIPJACK, written in Lua) and WHIRLPOOL (written in C) further increase the features that the attacker might utilize.
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
Mandiant released a follow-up report regarding the Chinese threat actor identified as UNC4841, which showcases new methods to exploit the CVE-2023-2868 vulnerability in the Barracuda Email Security Gateway (ESG). It has been observed that the threat actor has used selective deployment of specific malware tools for different targets. These tools are SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE. SKIPJACK is a passive backdoor that works by injecting Lua code into the Barracuda ESG, setting up a listener to monitor designated email headers and subjects, and then decoding and executing their content. It also has the most variants of all three and is the most widely deployed.
DEPTHCHARGE is a backdoor malware packed as a Linux shared object library, pre-loaded into the Barracuda SMTP daemon. It can connect through TCP to the C2 server and executes commands received from it, providing backdoor capability as a Linux daemon. It was discovered that the malware execution chain contains a file that defines a malicious trigger in the MySQL database, and in some instances the threat actor was harvesting credentials from the database.
FOXGLOVE is a launcher written in C that executes the FOXTROT backdoor (written in C++). FOXTROT communicates via TCP, can be used as a proxy, and receives commands from a C2 server. It was not specifically designed for Barracuda ESGs. It was discovered that the threat actor tried to move laterally to Active Directory and OWA from impacted ESG appliances. It employed different methods, such as logging in to mailboxes of users within the victim organization or harvesting credentials from their data. In one case it managed to access Windows Server Update Services using a domain administrator account.
BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
SentinelOne released a report regarding a new variant of the RustBucket macOS backdoor delivered by a North Korean threat group called BlueNoroff. The initial attack vector is a fake PDF Viewer app that the victim is tricked into installing in order to view protected documents. This app is a compiled AppleScript sample used to drop the second stage. The second phase consists of Swift and Objective-C binaries that download the main backdoor. Finally, the Rust-based backdoor known as RustBucket gains persistence and has the ability to execute commands from the C2 server and gather disk information.
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Symantec released a report regarding the activity of Lancefly, a threat actor that uses a custom backdoor and targets organizations in South and Southeast Asia. The backdoor is called Merdoor, and it was first seen in 2018. Since then it has been seen only rarely, meaning that the attacks are highly targeted. The functionalities of the backdoor include installation as a service, keylogging, communication with command-and-control servers, and listening on a local port for commands.
SapphireStealer: Open-source information stealer enables credential and data theft
Talos announced the appearance of a new open-source information stealer labeled SapphireStealer, which numerous attackers have modified or enhanced with other malicious tools. SapphireStealer is a .NET malware capable of gathering system and hardware information, taking screenshots, capturing cached browser credentials, and inspecting file contents. Data is exfiltrated over the Simple Mail Transfer Protocol (SMTP): SapphireStealer sends emails to attacker-controlled inboxes. Other modifications observed by Talos regarding exfiltration are the use of the Discord or Telegram APIs. In addition, a malware variant was deployed using a malicious .NET tool called FUD-Loader.
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
Between August and October 2022, attacks exploiting CVE-2021-35394, a Realtek Jungle SDK remote code execution vulnerability, accounted for more than 40% of the total number of attacks, with 134 million exploit attempts in December 2022. Threat actors are beginning to leverage supply chain vulnerabilities to infiltrate networks on a large scale via vulnerable IoT devices. Supply chain vulnerabilities can be difficult for the average user to identify and remediate, as IoT devices and routers are often not considered part of an organization’s security posture.
CyberheistNews Vol 14 #03 Red Flags for Phishing: Verizon Outlines Latest Scams to Watch Out For
Verizon has published an article outlining various forms of social engineering attacks, including smishing, vishing, and spear phishing. The company warns about scare tactics, urgent messages or subject lines, and unsolicited calls from ‘customer service’. It also warns about lookalike or misspelled web or email addresses and suspicious attachments. Users are advised to trust their gut, and when in doubt, hang up, delete the message, and contact the respective company directly.
GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel
The hacktivist group known as GhostSec, an offshoot of Anonymous, has developed a Ransomware-as-a-Service (RaaS) called GhostLocker. They have shifted focus from counterterrorism efforts to launching cyber-attacks primarily on Israel, which marks a shift from their past activities. They have successfully executed attacks on multiple industries, such as telecommunications, electricity, energy, sewage, and military data. They promote their RaaS on a dedicated Telegram channel and encourage cyberattacks on Israel. The ransomware uses an innovative approach by using the Python compiler Nuitka to compile Python code into machine code, making it more resistant to reverse engineering. GhostSec has also targeted other regions, as indicated by different hashtags used in their campaigns.
Keysight is an S&P 500 technology company; we are headquartered in California and operate in over 100 countries worldwide. With 20+ years of network and security excellence, our global Application and Threat Intelligence (ATI) Research Center stays current on the latest threats. By using Threat Simulator, you can proactively identify, remediate, and validate security vulnerabilities.
Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.
Visit our website for more information.