1 March 2024

Cyber Security Week in Review: March 1, 2024



Russian cyberspies evolve to target cloud environments

International partners from the Five Eyes alliance released a joint alert warning that the Russian cyber espionage group tracked as APT29, Midnight Blizzard, the Dukes, or Cozy Bear is evolving its methods to infiltrate organizations that have migrated to cloud-based infrastructures.

Additionally, the Five Eyes alliance issued a warning about threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, CVE-2024-22024). CISA notes that “the Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it”, and “a cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.”

According to Google-owned cybersecurity firm Mandiant, at least two Chinese state-backed actors, UNC5325 and UNC3886, have been exploiting the Ivanti flaws to deploy a wide range of new malware.

North Korean Lazarus hackers abused recent Windows zero-day to obtain kernel-level access

The infamous Lazarus Group hacking outfit tied to the North Korean government leveraged a recently patched flaw in the Windows kernel, exploiting it as a zero-day to gain kernel-level access and bypass security measures on affected systems.

The issue came to light after Avast researchers discovered an active exploit targeting the appid.sys AppLocker driver, exploiting a previously undisclosed zero-day vulnerability — CVE-2024-21338. The flaw is a buffer overflow issue that can be leveraged by a local user to execute arbitrary code on the system. Microsoft addressed this issue in the February 2024 Patch Tuesday updates.

In a separate campaign, observed by JPCERT/CC, Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the intent of compromising developer systems with malware. These packages are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. The malicious packages amassed a total of 3,269 downloads, with pycryptoconf being the most downloaded at 1,351 instances.

Russian hackers use compromised Ubiquiti EdgeRouters for covert cyber ops

The Russian state-backed cyberespionage group tracked as APT28, Fancy Bear or Forest Blizzard (Strontium) is using compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide. The threat actor has used compromised EdgeRouters to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

Threat actor UAC-0149 targets Armed Forces of Ukraine with Cookbox backdoor

CERT-UA has warned of a targeted cyberattack aimed at infecting the computer systems used by the Armed Forces of Ukraine with the Cookbox backdoor. Cookbox is a PowerShell script that implements functionality for downloading and executing PowerShell cmdlets. The campaign has been ongoing since at least fall 2023.

Multiple threat actors exploiting recent ConnectWise flaws

The BlackBasta and Bl00dy ransomware gangs have joined the list of threat actors that are exploiting the recently patched security vulnerabilities in the ConnectWise ScreenConnect remote access tool.

One of the flaws (CVE-2024-1709) is an authentication bypass issue, which can allow a remote non-authenticated attacker to bypass the authentication process and gain full access to the system. The vulnerabilities affect ScreenConnect 23.9.7 and prior. The second flaw (CVE-2024-1708) is a path traversal issue that can be used by a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request.

The attacks range from ransomware deployment to information theft.

New Spikedwine threat actor targets European diplomats with Wineloader backdoor

Zscaler's ThreatLabz recently uncovered a previously unknown threat actor they named Spikedwine, targeting officials in European countries with Indian diplomatic missions. The threat actor is utilizing a new backdoor named Wineloader. The attack involves sending emails with a PDF attachment posing as an invitation to a wine-tasting event hosted by the Ambassador of India. Noteworthy is the attack's low volume and the sophisticated tactics, techniques, and procedures (TTPs) used in the malware and command and control (C2) infrastructure. The researchers believe that Spikedwine is a state-backed actor, but they have not yet attributed the observed campaign to any known APT group.

Suspected Iranian threat actor UNC1549 targets Israeli and Middle East aerospace and defense sectors

Mandiant published a report on a cyberespionage campaign by a suspected Iranian threat actor it tracks as UNC1549, which is targeting the aerospace, aviation, and defense industries across the Middle East, including Israel and the UAE, with potential implications for Turkey, India, and Albania. The activity bears similarities to Tortoiseshell, a group previously linked to Iran's Islamic Revolutionary Guard Corps (IRGC). The campaign leverages multiple evasion techniques, notably using Microsoft Azure cloud infrastructure and employing social engineering tactics to distribute two distinct backdoors named ‘Minibike’ and ‘Minibus.’

The US indicts an alleged Iranian hacker, offers a $10M reward

The US Justice Department has unveiled an indictment against an Iranian individual, Alireza Shafie Nasab, for his alleged involvement in a cyber scheme targeting various US governmental and private entities. The indictment accuses Nasab, along with others, of being part of a hacking group engaged in a series of computer intrusions from around 2016 to April 2021. The targets included government agencies such as the Departments of Treasury and State, defense contractors, and two New York-based companies. Nasab, aged 39, is currently at large. Additionally, the US authorities have offered a reward of up to $10 million for information on Nasab.

Ukrainian hacktivists share new details on production of Russian Orlan-10 drones

The Ukrainian hacktivist collective known as “Кіберспротив” (Cyber Resistance) shared new details on how Russia procures foreign components for the production of weapons and equipment, bypassing Western sanctions. The data was obtained from hacked email correspondence from the Russian LLC “Special Technological Center.” The obtained data indicates that Russian companies are increasingly purchasing equipment through China and using Chinese currency.

New Russian disinformation campaigns

Recorded Future’s Insikt Group released a report detailing Russia's misinformation/disinformation campaign, focusing on spreading narratives of “war fatigue” to demoralize Western audiences. Russia evaluates Western “war fatigue” as part of a Soviet-era computational analysis (called Correlation of Forces and Means [COFM]), which is very likely reinforced by Western political statements, economic data, and public sentiment, and uses this information in its strategy of “information confrontation” to further its goals, the report noted.

Pre-installed malware found on Acemagic mini PCs

Chinese PC manufacturer Acemagic has confirmed that some of its models have been shipped with pre-installed malware. The issue came to light in early February when a user discovered malicious software within Acemagic AD08's recovery section on its NVMe drive. The identified threats, ENDEV and EDIDEV, are associated with the Bladabindi (aka NjRat) remote access trojan and the Redline info-stealer.

The company explained that one of its software developers, aiming to optimize the user experience by minimizing initial boot time, modified the Microsoft source code, including network settings, without obtaining proper software digital signatures.

Silver SAML attack bypasses protections against Golden SAML attacks

Semperis researchers discovered a novel attack method named Silver SAML, which remains effective even when defenses against Golden SAML attacks are in place. This technique leverages SAML to launch attacks from an identity provider, such as Entra ID, targeting applications like Salesforce that rely on it for authentication. No instances of Silver SAML attacks in the wild have been documented thus far, the researchers said.

Savvy Seahorse lures victims to investment scams via Facebook ads

A DNS threat actor called ‘Savvy Seahorse’ has been orchestrating financial scams targeting users through fake investment platforms. To lure victims to the spoofed websites, the threat actor employs Facebook ads, as well as fake ChatGPT and WhatsApp bots that provide automated responses to users, urging them to divulge their personal information in exchange for alleged high-return investment opportunities.

Savvy Seahorse's campaigns target users worldwide, with a focus on Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, while sparing potential victims in certain countries. Notably, they exploit DNS canonical name (CNAME) records to construct a traffic distribution system (TDS) for their scams. This way, Savvy Seahorse can control who has access to content and can dynamically update the IP addresses of malicious campaigns.

Tornado Cash users’ funds at risk due to malicious code

Deposits made to Tornado Cash, a well-known crypto privacy tool favored by hackers, may be at risk after malicious code was inserted into certain user interfaces. The attack appears to have been orchestrated by an individual posing as a Tornado Cash developer who embedded malicious JavaScript code within the project’s user interface. This code stealthily captured and transmitted users' private deposit notes to an unauthorized external server.

New IDAT Loader variant uses steganography to deliver Remcos RAT

Ukrainian entities based in Finland were targeted in a malicious campaign distributing a commercial remote access trojan (RAT) known as Remcos RAT. The attackers utilized a malware loader dubbed IDAT Loader and steganography to evade detection and compromise systems.

IDAT Loader has a modular architecture and advanced capabilities. It is capable of loading various malware families, including Danabot, SystemBC, and RedLine Stealer. It implements features like code injection, dynamic loading of Windows API functions, and evasion tactics such as HTTP connectivity tests and process blocklists. The infection process involves multiple stages, each serving distinct functionalities.

Large-scale spam operation hijacks over 8K subdomains of trusted brands

Researchers at Guardio Labs uncovered a sprawling cyber operation dubbed “SubdoMailing,” which has hijacked over 8,000 domains belonging to esteemed brands and institutions to disseminate massive volumes of spam and malicious phishing emails daily, effectively circumventing security measures.

The operation, which has been active for at least two years, involves the manipulation of thousands of hijacked subdomains affiliated with recognized brands like Marvel, Columbia, EasyJet, VMware, and others.

Ransomware attack on Optum subsidiary disrupts healthcare services across the US

Optum, a subsidiary of UnitedHealth Group, was hit with a ransomware attack, leading to a significant outage that has impacted the Change Healthcare payment exchange platform, a critical component of the US healthcare system. The attack, orchestrated by the BlackCat/ALPHV ransomware group, has caused disruptions in prescription deliveries and various healthcare services across the United States.

In a blog post, the ALPHV/BlackCat gang claimed to have obtained 6 TB of data. The group listed a wide range of prominent American healthcare organizations reportedly affected by the hack, including Medicare, Tricare, CVS-CareMark, Loomis, HealthNet, and MetLife. Interestingly, the post was taken down soon after it was published.

On Friday, Reuters reported that healthcare providers across the United States are struggling to get paid following the week-long ransomware outage at UnitedHealth Group. Large hospital chains are also locked out of processing payments, with some absorbing the upfront costs of being unable to collect, according to the American Hospital Association (AHA), which represents nearly 5,000 hospitals, healthcare systems, networks and other providers.

LockBit resurfaces after law enforcement takedown

It appears that the notorious ransomware group is restoring its infrastructure following the global law enforcement takedown on February 19, 2024. The group reportedly kept the brand name and moved its data leak site to a new .onion address that lists new victims with countdown timers for publishing stolen information.
