Weekly Intelligence Report – 01 Sep 2023

Published On : 2023-09-01

Ransomware of the Week

The CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows, Linux.
Target Geographies: Bangladesh, Canada, Germany, Portugal, Sweden, United States, UK.
Target Industries: Business Training and Employment Agencies, Business Services, Containers and packaging, Education, Farming, Fishing & Plantations, Government Agencies, Health Care, Heavy Construction, Industrial Goods and services, Industrial Machinery, Media, Real Estate, Restaurants and bars, Specialized Consumer Services.

Introduction

The CYFIRMA Research and Advisory Team has identified recent updates of the Akira ransomware during its monitoring of various underground forums as part of the Threat Discovery Process.

Relevancy: From the onset of its operation, the ransomware has targeted various industries. Recent targets include:

  • Education and Retail Industries in the US.
  • Business Services Industries in the UK.

Akira ransomware:

Akira’s ransomware operation is targeting corporate networks globally.
While another ransomware named Akira was released in 2017, there is no evidence suggesting that the current Akira ransomware operations are connected to it.

Windows:

The ransomware strain targeting the Windows operating system appears to be based on the Conti ransomware source code.

The ransomware appends the file extension “.akira” to the names of encrypted files during the encryption process. After encrypting the files on a computer, it generates a ransom note named “akira_readme.txt” in every folder, explaining the situation to the victim and providing links to the Akira data leak and negotiation sites.

The ransomware attempts to remove the Windows Shadow Volume Copies from the infected device once it is executed.

The ransomware will encrypt the files with the following file extensions:

.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx.

During encryption, it will not encrypt the files found in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. It will also avoid encrypting the Windows system files with .exe, .lnk, .dll, .msi, and .sys file extensions.

Windows Restart Manager API is employed by Akira to close processes or shut down Windows services that may be keeping a file open and preventing encryption.

Similar to other ransomware attacks, the Akira ransomware will initially breach a corporate network and then spread to other devices through lateral movement. The threat actors behind Akira will then attempt to obtain Windows domain admin credentials, which they will use to deploy the ransomware throughout the network.

Before encrypting the files, the attackers will first exfiltrate sensitive corporate data. They will then use this data as leverage during their extortion attempts, threatening to publicly release it if the ransom is not paid.

Screenshot of files encrypted by Akira ransomware (Windows). (Source: Surface Web)

Windows Akira ransomware note. (Source: Surface Web)

Linux:

The Akira ransomware group uses a Linux encryptor to target and encrypt VMware ESXi virtual machines.

Encrypted files will be renamed to have the “.akira” extension, and a hardcoded ransom note named akira_readme.txt will be created in each folder on the encrypted device.

According to researchers, the Linux encryptor used by the Akira ransomware group carries the project name ‘Esxi_Build_Esxi6,’ signifying a specific focus on targeting VMware ESXi servers.

In contrast to other VMware ESXi encryptors analyzed by researchers, Akira’s encryptors lack some advanced features like automatically shutting down virtual machines using the esxcli command before encryption.

However, the binary does offer specific command line options enabling attackers to tailor their assaults:
-p --encryption_path (specific file/folder paths)
-s --share_file (designated network drive path)
-n --encryption_percent (encryption percentage)
--fork (generation of a child process for encryption)

The -n parameter is particularly notable as it allows attackers to define how much data is encrypted on each file.

When encrypting files, the Linux Akira encryptor focuses on the following file extensions:

.4dd, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wa, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .lut, .maw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvo, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso.

The Linux locker skips specific Windows-related folders and file types, including executables. This suggests that the Linux version of Akira is derived from its Windows counterpart. The skipped folders and file types are listed below:
winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro, .exe, .dll, .lnk, .sys, .msi

Researchers found that the encryptor embeds a public RSA key. It uses several symmetric algorithms for file encryption, including AES, CAMELLIA, IDEA-CB, and DES.

The symmetric key encrypts the victim’s files and is itself then encrypted with the RSA public key. This ensures that the file decryption key can only be recovered by whoever holds the attackers’ RSA private key.

Screenshot of files encrypted by Akira ransomware (Linux). (Source: Surface Web)

Akira ransom note dropped on Linux servers (source: surface web)

Countries targeted by Akira ransomware.

Recent observations:

  • Researchers have noted that the Akira ransomware employs Cisco VPN (virtual private network) products as an initial method to infiltrate corporate networks, enabling data theft and eventual encryption. They have observed the ransomware group using a VPN with single-factor authentication to gain access to a network.
  • The lack of logging in Cisco ASA has created ambiguity regarding whether Akira brute-forced the VPN account credentials or obtained them from dark web markets, as stated by the researcher. The researcher has also raised the possibility that Akira exploited an undisclosed vulnerability in Cisco’s VPN software, potentially allowing them to bypass authentication even where multi-factor authentication (MFA) was not in place. This hypothesis is supported by leaked data on the group’s extortion page, which demonstrates Akira’s use of Cisco VPN gateways.
  • Akira traverses compromised networks using the RustDesk open-source remote access tool, making it the first ransomware group observed abusing this software.

Insights:

  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. It may use WMI calls to perform tasks such as gathering system information, disabling the security software, moving laterally, and deleting backups.
  • The use of techniques like “detect-debug-environment” and “long-sleeps” in the ransomware code suggests that the attackers are trying to avoid detection by antivirus and other security software.
  • The ransomware’s attempt to remove Windows Shadow Volume Copies upon execution suggests that it aims to hinder data recovery options for victims, potentially increasing the urgency for them to pay the ransom to regain access to their encrypted files.
  • The ransomware strain initially focused on Windows OS and had a decryptor released. Subsequently, it evolved to encrypt Linux systems, exploiting vulnerabilities and circumventing the Windows decryptor. This showcases the ransomware’s adaptability and emphasizes the evolving cross-platform threat landscape.
  • Looking into the targeted victims suggests this ransomware group is predominantly active in the US region. However, we believe the group could expand its attack surface to other parts of the globe.
  • The ransomware operators employ the legitimate tool RustDesk for remote access, keeping their infiltration stealthy. RustDesk’s cross-platform functionality, encrypted P2P connections, and file transfer support enhance Akira’s capabilities, expanding its target range and facilitating data exfiltration.

Following are the TTPs based on the MITRE ATT&CK framework.

Sr. No  Tactics                        Techniques/Sub-Techniques
1       TA0001: Initial Access         T1190: Exploit Public-Facing Applications
2       TA0002: Execution              T1047: Windows Management Instrumentation
                                       T1129: Shared Modules
3       TA0003: Persistence            T1176: Browser Extensions
                                       T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
4       TA0004: Privilege Escalation   T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
5       TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                       T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
                                       T1497: Virtualization/Sandbox Evasion
6       TA0006: Credential Access      T1003: OS Credential Dumping
7       TA0007: Discovery              T1010: Application Window Discovery
                                       T1057: Process Discovery
                                       T1082: System Information Discovery
                                       T1083: File and Directory Discovery
                                       T1497: Virtualization/Sandbox Evasion
                                       T1518.001: Software Discovery: Security Software Discovery
                                       T1614: System Location Discovery
8       TA0009: Collection             T1560: Archive Collected Data
                                       T1005: Data from Local System
                                       T1185: Browser Session Hijacking
9       TA0011: Command and Control    T1090: Proxy
                                       T1105: Ingress Tool Transfer
10      TA0040: Impact                 T1486: Data Encrypted for Impact

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:

title: Deletion of Volume Shadow Copies via WMI with PowerShell
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_get:
        CommandLine|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        CommandLine|contains: 'Win32_Shadowcopy'
    selection_delete:
        CommandLine|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

(Source: Surface web)
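As an added illustration that is not part of the CYFIRMA report, the following Python applies the logic of the Sigma rule above to a few constructed Windows process-creation events, showing why a command that only enumerates shadow copies, or a WMI query unrelated to shadow copies, does not satisfy the rule's "all of selection*" condition. The event field names and the sample command lines are assumptions made for the example.

```python
"""Added example (not the report's own code): evaluates the quoted Sigma rule
"Deletion of Volume Shadow Copies via WMI with PowerShell" against constructed
process_creation events.

Sigma semantics assumed here (they match the rule as written):
  * CommandLine|contains with a list   -> any listed substring matches
  * CommandLine|contains with a scalar -> that single substring matches
  * condition: all of selection*       -> every selection_* block must match
  * string matching is case-insensitive, which is Sigma's default
"""

# Selections transcribed from the rule; the structure mirrors the YAML.
SELECTION_GET = ["Get-WmiObject", "gwmi", "Get-CimInstance", "gcim"]
SELECTION_SHADOWCOPY = ["Win32_Shadowcopy"]
SELECTION_DELETE = [".Delete()", "Remove-WmiObject", "rwmi",
                    "Remove-CimInstance", "rcim"]

RULE = {
    "title": "Deletion of Volume Shadow Copies via WMI with PowerShell",
    "level": "high",
    "selections": {
        "selection_get": SELECTION_GET,
        "selection_shadowcopy": SELECTION_SHADOWCOPY,
        "selection_delete": SELECTION_DELETE,
    },
}


def contains_any(field_value, needles):
    """Sigma 'contains' modifier: case-insensitive substring test over a list."""
    haystack = field_value.lower()
    return any(n.lower() in haystack for n in needles)


def evaluate(event):
    """Return which selections matched and whether 'all of selection*' holds."""
    cmd = event.get("CommandLine", "")
    matched = {name: contains_any(cmd, needles)
               for name, needles in RULE["selections"].items()}
    return {"matched_selections": matched, "alert": all(matched.values())}


def scan(events):
    """Yield an alert record for every event that satisfies the rule."""
    for event in events:
        if evaluate(event)["alert"]:
            yield {"title": RULE["title"], "level": RULE["level"],
                   "Image": event.get("Image"),
                   "CommandLine": event["CommandLine"]}


# Constructed sample events (synthetic; not indicators from the report).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # all three selections match -> alert
        "Image": PS_IMAGE,
        "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy '
                       '| ForEach-Object { $_.Delete() }"',
    },
    {   # CIM alias form with different casing -> still an alert
        "Image": PS_IMAGE,
        "CommandLine": 'powershell -nop -c "gcim win32_shadowcopy | rcim"',
    },
    {   # enumerates shadow copies but has no deletion verb -> no alert
        "Image": PS_IMAGE,
        "CommandLine": 'powershell -c "Get-CimInstance Win32_Shadowcopy '
                       '| Select-Object ID,InstallDate"',
    },
    {   # ordinary WMI query, only selection_get matches -> no alert
        "Image": PS_IMAGE,
        "CommandLine": 'powershell -c "gwmi Win32_OperatingSystem '
                       '| Select-Object Caption,Version"',
    },
]


def run_sample():
    """Apply the rule to the constructed events; returns the alerts raised."""
    return list(scan(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['level']}] {alert['title']}: {alert['CommandLine']}")
```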

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Banking Trojan
Objective: Steal Sensitive Information, Remote Access, Unauthorized financial transactions
Target Technology: Android OS
Target Geography: Southeast Asia
Target Industry: Banks
Active Malware of the Week
This week “MMRat” is trending.

MMRat

Researchers have recently discovered a new, fully undetected Android banking trojan called MMRat, which has been targeting mobile users in Southeast Asia since late June 2023. MMRat can capture user input and screen content and can remotely manipulate victim devices to carry out bank fraud. It employs a unique custom command-and-control protocol built on protocol buffers (Protobuf), an open-source data format. This feature, rarely seen in Android banking trojans, improves its performance when transferring large volumes of data.

The MMRat trojan comes from fake websites that look like real app stores. These websites use different languages to target specific people. However, researchers are unsure about how these fake links get onto people’s devices. The malware currently remains undetected on VirusTotal, highlighting the efficacy of its evasion techniques. Additionally, similar malware like GigabudRat and Vultur, utilizing tactics like keylogging and screen capturing, also achieve significant success in avoiding detection during their attack phases.

Attack Method

MMRat’s role in bank fraud involves a series of steps. In this attack scenario, the victim first downloads and installs MMRat, granting it permission. MMRat then establishes communication with a remote server, sending device status, personal data, and keylogging data. When the device is idle, the attacker can remotely awaken it, unlock the screen, and conduct bank fraud. Additionally, the attacker can capture the device screen for visual monitoring. The process concludes with MMRat uninstalling itself, erasing all signs of the malware.

MMRat can capture user input, screen content, and remotely control victims’ devices. It depends on the Android Accessibility service and MediaProjection API for its functionality.

Techniques and Tactics of MMRat

Impersonation and persistence routine – MMRat disguises itself, for example as a government or dating app, to lower suspicion. Once launched, it directs victims to phishing websites. It registers a receiver to monitor system events such as power on/off and reboots; upon detecting these events, the malware starts a 1×1 pixel activity to maintain its presence on the device.

Network communication with remote server – Once the Accessibility service is activated, MMRat connects to a server controlled by the attacker. Remarkably, MMRat uses separate ports on the same server for various functions:

Port   Protocol     Description
8080   HTTP         Data exfiltration
8554   RTSP         RTSP video streaming
8887   Customized   Command and Control

The command-and-control (C&C) protocol of MMRat is unusual in that it is custom built on Netty (a network application framework) and Protobuf, with well-structured message formats. The threat actor uses a single comprehensive structure to convey different message types, using the “oneof” keyword to represent diverse data types. Researchers reconstructed the significant Protobuf layouts used in C&C communication: “PackType” is an enum of C&C instructions, and the “pack” field carries the data specific to each C&C command.
Researchers documented the defined C&C commands and their corresponding explanations. The communication is two-way, split into commands sent from server to client and from client to server.

Collection of device status and personal information – MMRat gathers various device status and personal information like network details, screen activity, battery status, installed apps, and contact lists. Network data includes signal strength and type, while screen data indicates screen lock, active app, and displayed content. Battery data reveals the battery’s condition, contacts cover the user’s contact list, and installed apps encompass device applications. MMRat employs a timer task executing every second and a counter resetting every 60 seconds to promptly collect this data.

MMRat focuses on gathering the victim’s contact list and list of installed apps, likely with the intention of profiling the victim. This enables the threat actor to identify individuals with certain geographical or app-related attributes, potentially facilitating subsequent malicious actions.

Automatic permission approval – Once Accessibility permission is given, MMRat misuses it to acquire additional permissions and alter settings. For instance, during the data collection phase, MMRat can self-assign the READ_CONTACTS permission to gather contact data.

The code excerpt demonstrates MMRat’s capability to autonomously secure permissions. It achieves this by initiating the system dialog and automatically authorizing incoming permission requests. This automated approval mechanism identifies “ok” or related terms on the screen and uses Accessibility to simulate clicks. Consequently, MMRat can sidestep user involvement and independently acquire the required permissions for its harmful actions.

Actions and capturing user inputs – MMRat exploits the Accessibility service for keylogging, capturing user input and actions. This data aims to retrieve victim credentials and replay actions later. Unlike other keyloggers targeting specific scenarios, such as logging keys only when the victim is using bank apps, MMRat logs all user actions, transmitting them via the C&C channel. The threat actor seeks a wealth of action logs to determine the malware’s future steps. These logs are structured as LogInfo and serialized through Protobuf. Apart from keylogging, MMRat is particularly intrigued by lock screen patterns.

When the device is unlocked, the pattern is collected and uploaded via C&C, granting the attacker access even when the device is locked.

Capturing screen content – MMRat can capture and stream real-time screen content from the victim’s device to a remote server. It primarily employs the MediaProjection API to achieve this, recording the screen. However, another method called the “user terminal state” is used to bypass FLAG_SECURE protection. This capability likely complements remote control actions, allowing threat actors to monitor the device’s live status during bank fraud activities. Instead of capturing credentials, the malware continually checks for commands and halts screen content streaming if no commands are received within 30 seconds.

Android MediaProjection API – MMRat efficiently utilizes the MediaProjection API and exploits the open-source framework “rtmp-rtsp-stream-client-java” to stream video data to a remote server. This enables real-time recording and streaming of screen content via the Real Time Streaming Protocol (RTSP). Upon receiving the MEDIA_STREAM command, MMRat can record two types of data, screen, and camera data, based on the provided configuration. For instance, when capturing screen data, MMRat initiates an activity called DisplayActivity. This activity seeks recording permission through the createScreenCaptureIntent method, prompting a system dialog for approval. Notably, this system dialog is automatically accepted via auto-clicking. After obtaining approval, MMRat commences screen recording and uses the API startStream from the open-source framework repository to stream the data to the C&C server.

User terminal state – The “user terminal state” approach for capturing screen content in MMRat is distinct from the MediaProjection API method. In this approach, MMRat does not record the screen as video. Instead, it uses the Accessibility service to extract all child nodes of the on-screen windows every second, and uploads the collected data via the C&C channel. As a result, only text-based information is obtained, without a graphical user interface, resembling a “terminal.”

Despite its rudimentary nature, this method effectively gathers the information needed for remote monitoring and control, such as node data for interactions. While this approach requires additional effort from the threat actor to reconstruct the data on the server side, it bypasses FLAG_SECURE protection, a measure intended to prevent screenshots and screen recordings. Additionally, the use of Protobuf and a customized Netty-based protocol optimizes performance, which is especially useful for the swift transfer of substantial screen data, giving the threat actor an effect similar to a video stream.

Remote controlling – MMRat employs the Accessibility service to remotely manipulate victims’ devices, performing actions like gestures, screen unlocking, and text input. This capability, coupled with stolen credentials, facilitates bank fraud by malicious actors.
MMRat adopts preliminary steps for user evasion before executing its remote access routine. These steps include simulating a double-click to wake the device and using previously obtained unlock patterns to unlock the screen. Consequently, MMRat attains remote control over devices, even when users are not actively engaged with their phones.

Hiding tracks – MMRat has the ability to remove itself when it receives the C&C command UNINSTALL_APP. This action typically occurs after conducting bank fraud, adding a layer of complexity to tracking its actions.

INSIGHTS

  • MMRat is a powerful Android banking trojan that poses a significant danger to mobile users, especially in Southeast Asia. With features like keylogging, screen recording, and remote-control access, it’s well-equipped to carry out bank fraud effectively. This trojan’s capabilities have sparked concern among security professionals, primarily due to its potential to leverage mobile devices within the intricate digital landscape, heightening the need for vigilance among users and defenders alike.
  • MMRat shows us that cybersecurity is a never-ending game. Malware like MMRat quickly changes tactics to find new ways to break in. MMRat’s proficiency in handling multiple technological tasks paints a portrait of an adaptable and resourceful adversary, constantly evolving to exploit new avenues of vulnerability. This emphasizes the ongoing need for comprehensive cybersecurity strategies that not only react to known threats but also anticipate and defend against novel tactics that may arise.
  • Targeting financial transactions via bank fraud highlights the significant potential for financial losses and personal damage caused by malware like MMRat. As technology becomes increasingly intertwined with our lives, threats such as MMRat underscore the need to maintain constant awareness, implement advanced security measures, and continually adapt defensive tactics to counter the ever-evolving landscape of cyber risks.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.

MANAGEMENT RECOMMENDATIONS

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enforce policies to validate third-party software before installation.
  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or related compliance issues.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Web Attacks, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Cl0p Ransomware | Malware – MMRat
  • Cl0p Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – MMRat
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

New Threat Actor STAC4663 Linked to FIN8 Exploits RCE Vulnerability

  • Threat Actors: STAC4663
  • Attack Type: Vulnerability Exploitation
  • Objective: Financial Gains
  • Target Technology: Windows
  • Target Geographies: The United States of America
  • Target Industries: Information Technology
  • Business Impact: Operational Disruption

Summary:
In a recent observation, a threat actor associated with the FIN8 group has been targeting Citrix NetScaler systems by exploiting the CVE-2023-3519 remote code execution vulnerability in a large-scale campaign. The attacks exploiting CVE-2023-3519 share striking similarities with past FIN8 attacks in terms of tactics, techniques, and procedures. In an attack observed in mid-August, the threat actors used the NetScaler vulnerability as a means of code injection. This included injecting payloads into “wuauclt.exe” or “wmiprvse.exe,” using BlueVPS ASN 62005 for staging malware, and employing heavily obfuscated PowerShell scripts with distinct arguments. The researcher also revealed that the attacker deploys PHP web shells with random names onto the targeted machines. Researchers further mentioned a similar attack recently reported by Fox-IT, in which around 2000 NetScaler systems worldwide were compromised through CVE-2023-3519. The specifics of the injected payload are under ongoing analysis. A previous case with similar TTPs, though not tied to the Citrix vulnerability, suggests a likely link to a recognized ransomware threat actor.

Researchers have labeled this pattern of activity as threat activity cluster number STAC4663. Citrix issued a patch on July 18, emphasizing that mitigation is solely possible through patching, as no workarounds exist.

Insights:
The deployment of obfuscated PowerShell scripts reveals a deliberate effort to evade detection while carrying out malicious activities. The injection of payloads into legitimate system processes likewise reflects an intention to evade detection. In addition, the use of PHP web shells underlines their strategy of establishing persistent backdoors on compromised machines. This aligns with tactics commonly seen across the cybersecurity landscape, where attackers focus on maintaining long-term access to systems.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Crude “cyberattack” stops trains in Poland
A recent cyberattack in which an emergency radio signal was compromised, halted trains near the Polish city of Szczecin, resulting in forced stoppage of about twenty trains, affecting both freight and passenger service. The incident is currently under investigation by Poland’s internal security service ABW, however, the incident is likely to be a work of Russian hacktivist auxiliaries. Evidence for that attribution is circumstantial but compelling. The signals were interspersed with a recording of Russia’s national anthem and a speech by President Vladimir Putin. The Polish government has not called out the perpetrator yet but offered comments on previous attacks undertaken by the Russian Federation in conjunction with Belarus.

The emergency stop signal was transmitted over a legacy radio-frequency system that lacks either authentication or encryption, which makes it vulnerable to any attacker with the right equipment, which is both cheap and readily available. The emergency stoppage is triggered by a stop signal consisting of a series of three acoustic tones at a 150.100 megahertz frequency. The biggest difficulty such a hacker might face is getting physically close enough for their signal to be within range.

Future of Russia’s information operations upon death of Yevgeniy Prigozhin
Yevgeniy Prigozhin, who ran Russia’s Internet Research Agency and played a major role in developing Russian digital influence operations — most notably, interference in the 2016 U.S. elections — has been confirmed dead by the Russian authorities after a deadly plane crash.

One of the crucial parts of Prigozhin’s power in Russia has been his media empire centered around the aforementioned Internet Research Agency, also known as the Troll Factory. This part of the business was officially shut down earlier this month, after Mr. Prigozhin’s fall from grace, after the mutiny of his mercenaries by late June. Analysts speculate, however, that the core information operations and the psy-op part of the media group is currently being restructured and resurrected.

The Kremlin needs the services provided by Prigozhin’s troll factories, and will likely seek to save the capability, under the leadership of a different pro-Kremlin oligarch. Analysts speculate that this vacuum could be filled by the banker Yuri Kovalchuk, who owns most of the privately operated media in the country and is a close friend and ally of Vladimir Putin. The aftermath of Mr. Prigozhin’s mutiny and subsequent death may hold the information operations performed by the Kremlin back, but we should expect them to be back in full force within a couple of weeks or at maximum months.

Rise in Malware/Ransomware and Phishing

NASCO is Impacted by Cl0p Ransomware

  • Attack Type: Ransomware
  • Target Industry: Healthcare Software, Software Development & Design
  • Target Geography: The United States of America
  • Ransomware: Cl0p Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the United States of America, (www[.]nasco[.]com), was compromised by Cl0p Ransomware. NASCO is a healthcare technology company dedicated to co-creating digital health solutions for Blue Cross and Blue Shield companies. The compromised data could potentially include sensitive and confidential information related to the organization, amounting to around 30 GB.

The following screenshot was observed on the dark web:

Source: Dark Web

Insights:
Recently, the Cl0p ransomware gang acknowledged its role in the data theft incidents involving MOVEit Transfer, where servers belonging to numerous companies were compromised through the exploitation of a zero-day vulnerability. This confirmation aligns with Microsoft’s attribution of these activities to the hacking group known as ‘Lace Tempest,’ also recognized as TA505 and FIN11.

The Cl0p ransomware victims across the globe from 25-08-2023 to 30-08-2023 are shown below.

Vulnerabilities and Exploits

Vulnerability in PTC Codebeamer

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal Components / Libraries
  • Vulnerability: CVE-2023-4296 (CVSS Base Score 8.8)
  • Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Summary:
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable website.

Impact:
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, alter the appearance of the web page, and perform phishing and drive-by-download attacks.

Affected Products: http[:]//codebeamer[.]com/cb/wiki/31346480
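The weakness described above is reflected XSS: a value from a crafted link is written into the page without output encoding. The following added example (not code from the advisory or from PTC Codebeamer, whose vulnerable parameter the report does not name) shows the weak rendering pattern next to its hardened form, a crude post-render check that tells the two apart, and a Content-Security-Policy header that refuses inline script as a second layer. The parameter name "q", the sample inputs and the CSP values are constructed for illustration.

```python
import html
import re
from typing import Dict

# Constructed sample request parameters (not taken from the advisory).
# "q" is a placeholder; the report does not name the affected parameter.
CRAFTED_PARAMS = {"q": "<script>alert(1)</script>"}
BENIGN_PARAMS = {"q": 'C++ & "templates"'}

# Matches a script tag or an inline event-handler attribute in rendered HTML.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[^>]+\son\w+\s*=", re.IGNORECASE)


def render_vulnerable(params: Dict[str, str]) -> str:
    """Weak pattern: the query-string value is concatenated into HTML unchanged,
    so any markup carried in the link lands in the page and runs in the
    victim's browser in the context of the site."""
    query = params.get("q", "")
    return f"<h1>Results for: {query}</h1>"


def render_hardened(params: Dict[str, str]) -> str:
    """Hardened form: HTML-entity-encode the value for the element-content
    context before interpolating it. quote=True also escapes quotes, which
    covers the attribute-value context."""
    query = html.escape(params.get("q", ""), quote=True)
    return f"<h1>Results for: {query}</h1>"


def has_active_markup(rendered: str) -> bool:
    """Demonstration check only: True when the rendered output still contains
    a script tag or an inline event handler, i.e. the input was not neutralized."""
    return ACTIVE_MARKUP.search(rendered) is not None


def csp_header() -> str:
    """A Content-Security-Policy value that disallows inline script, which
    blunts reflected XSS even when an encoding bug slips through. These
    directive values are a reasonable default, not a policy from the advisory."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_PARAMS))
    print("hardened:  ", render_hardened(CRAFTED_PARAMS))
    print("Content-Security-Policy:", csp_header())
```

Output encoding has to match the context the value is written into (element content, attribute value, JavaScript string, URL); `html.escape` covers the first two, which is why the hardened function is only correct for the `<h1>` text shown.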

Latest Cyber-Attacks, Incidents, and Breaches

Hungary: Media freedom confronted with significant new threat from DDoS cyber-attacks

  • Threat Actors: HANO
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: Hungary
  • Target Industries: Media
  • Business Impact: Operational Disruption

Summary:
Starting from April 2023, over 40 distinct media websites within Hungary have been targeted by Distributed Denial of Service (DDoS) attacks. This type of cyber assault, which overwhelms website servers with millions of simultaneous access requests and causes slowdowns or outages, has left readers unable to access news and information for prolonged periods. Although the precise intent behind these attacks is yet to be verified, most of the websites subjected to DDoS attacks are prominent independent media outlets in the country. This list encompasses Telex, HVG, 444.hu, Magyar Hang, and Népszava, all of which hold a critical stance toward Prime Minister Viktor Orbán’s government. In addition to these, international media enterprises such as Forbes Hungary have also fallen victim to hacking attempts.

While no actor has claimed responsibility, the hacker or hackers appear to go by the nickname HANO, an acronym in Hungarian for a type of disorder that affects the human body. In recent months, they have also left messages in Hungarian in the code of the attacks, indicating that the attacks are being coordinated domestically rather than by foreign actors. The attacker appears to demonstrate a knowledge of the Hungarian media landscape and of individual journalists.

Insights:
In some instances, messages discovered within the code of the DDoS attacks forewarned of forthcoming assaults on specific media outlets, and those predicted attacks subsequently transpired exactly as scheduled. The expense of sustaining such extensive DDoS attacks over several months also suggests, according to experts, that the individuals behind them possess relatively substantial financial resources.

Data Leaks

Vuliv Player’s Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Telecommunications
  • Target Geography: India
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to VuLiv Player, (www[.]vuliv[.]com). VuLiv Player is an entertainment firm that offers services for mobile advertising platforms, remote content management, and media players. The compromised data consists of UIDs, emails, operator and circle information, along with other confidential details, all presented in SQL format. The overall size of the data is 5 GB.


Source: Underground forums

Insights:
Cybercriminals driven by the pursuit of financial gains are constantly searching for exposed and susceptible systems and software. The majority of these malicious actors conduct their activities in hidden online communities, where they discuss relevant matters and trade stolen digital assets. In contrast to other financially motivated groups such as ransomware or extortion syndicates, who often publicize their exploits, these perpetrators prefer to remain discreet. They secure unauthorized access and filch valuable information by capitalizing on unpatched software or exploiting vulnerabilities within systems or applications. The ill-gotten data is subsequently promoted for sale within clandestine online spaces, and it may be further sold and repurposed by fellow attackers in their own campaigns.

Other Observations

CYFIRMA Research team observed a potential data leak related to Squeezer Software, (www[.]squeezer-software[.]com). Squeezer Software is a company that operates in the computer software industry and is headquartered in Tunisia. The compromised data includes user passwords, user email addresses, and other sensitive information in SQL format.


Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, supported by next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep pace with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
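Two of the brute-force controls listed above, rate-limiting and account lockout, are simple to reason about in code. The following added example (not code from the report or from any product it names) implements a sliding-window per-IP rate limit combined with a per-account lockout, with an injectable clock so the behaviour can be exercised deterministically. The thresholds (20 attempts per IP per minute, lockout after 5 failures for 15 minutes), the IP address and the account names are constructed assumptions, not values from the report.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional


class LoginGuard:
    """Per-IP sliding-window rate limit plus per-account lockout after repeated
    failures. Thresholds are illustrative defaults (assumed, not from the report)."""

    def __init__(self, ip_limit: int = 20, ip_window_s: float = 60.0,
                 lockout_after: int = 5, lockout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ip_limit = ip_limit
        self.ip_window_s = ip_window_s
        self.lockout_after = lockout_after
        self.lockout_s = lockout_s
        self.clock = clock
        self._ip_hits: Dict[str, Deque[float]] = defaultdict(deque)     # attempt times per IP
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)    # failure times per account
        self._locked_until: Dict[str, float] = {}                       # account -> unlock time

    @staticmethod
    def _prune(q: Deque[float], window: float, now: float) -> None:
        """Drop timestamps that have aged out of the sliding window."""
        while q and now - q[0] > window:
            q.popleft()

    def check(self, ip: str, account: str) -> Optional[str]:
        """Return None if the login attempt may proceed, else the reason it is refused."""
        now = self.clock()
        locked = self._locked_until.get(account)
        if locked is not None and now < locked:
            return "account_locked"
        hits = self._ip_hits[ip]
        self._prune(hits, self.ip_window_s, now)
        if len(hits) >= self.ip_limit:
            return "ip_rate_limited"
        hits.append(now)
        return None

    def record_failure(self, account: str) -> bool:
        """Record a wrong password; return True if this failure triggered a lockout."""
        now = self.clock()
        fails = self._failures[account]
        self._prune(fails, self.lockout_s, now)
        fails.append(now)
        if len(fails) >= self.lockout_after:
            self._locked_until[account] = now + self.lockout_s
            fails.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history and any lockout."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def simulate_password_spray() -> Dict[str, int]:
    """Constructed scenario: one source IP tries six wrong passwords for 'alice',
    then thirty attempts against other accounts, all within one minute.
    Returns a count of outcomes so the effect of each control is visible."""
    clock = [1000.0]                     # fake monotonic clock, advanced manually
    guard = LoginGuard(clock=lambda: clock[0])
    outcome: Dict[str, int] = defaultdict(int)
    for _ in range(6):
        reason = guard.check("198.51.100.7", "alice")
        if reason is None:
            guard.record_failure("alice")
        outcome[reason or "allowed"] += 1
        clock[0] += 1.0
    for i in range(30):
        reason = guard.check("198.51.100.7", f"user{i}")
        outcome[reason or "allowed"] += 1
        clock[0] += 1.0
    return dict(outcome)


if __name__ == "__main__":
    print(simulate_password_spray())
```

In the simulated spray, the fifth failure locks `alice`, the sixth attempt is refused as `account_locked` without consuming the IP budget, and the IP limit then cuts the remaining spray off once twenty attempts have been seen in the window. The lockout is per account and time-bounded, which limits the denial-of-service side effect of an attacker deliberately locking out legitimate users.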