Cyber Security

U.S. Agencies Alert on Iranian Hacker Team's Continued Ransomware Operations

U.S. cybersecurity and intelligence agencies have accused an Iranian hacking group of infiltrating multiple organizations nationwide and collaborating with affiliates to launch ransomware attacks. This activity has been attributed to a threat group known as Pioneer Kitten, also referred to as Fox Kitten, Lemon Sandstorm (previously Rubidium), Parisite, and UNC757. The group is believed to be connected to the Iranian government, using an Iranian IT company, Danesh Novin Sahand, likely as a front. According to the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3), “Their cyber operations focus on deploying ransomware to gain and establish network access. These operations enable the group to collaborate with affiliate actors to continue deploying ransomware.” The targets include sectors such as education, finance, healthcare, and defense, along with local government entities in the U.S. Similar intrusions have also been reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.), aimed at stealing sensitive data. The agencies believe the team’s objective is to establish initial access to victim networks and then work with ransomware affiliates linked to NoEscape, RansomHouse, and BlackCat (also known as ALPHV) to deploy file-encrypting malware in exchange for a share of the illegal profits, while deliberately keeping their nationality and origin ambiguous. These attack attempts reportedly began as early as 2017 and have continued through this month. The threat actors, also known by the online aliases Br0k3r and xplfinder, have been found to sell their access to victim organizations on underground marketplaces, highlighting their efforts to diversify revenue streams. A substantial portion of the team’s U.S.-focused cyber activities is dedicated to obtaining and maintaining technical access to victim networks, facilitating future ransomware attacks.
The actors offer full domain control rights, including domain admin credentials, to multiple networks worldwide. The Iranian cyber actors’ involvement in these ransomware campaigns extends beyond providing access; they closely collaborate with ransomware affiliates to lock down victim networks and strategize extortion tactics. Initial access is typically achieved by exploiting remote external services on internet-facing assets vulnerable to known flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by steps to maintain persistence, escalate privileges, and establish remote access through tools like AnyDesk or the open-source Ligolo tunneling tool.

Hackers Exploit AVTECH IP Camera Vulnerability for Botnet Operations

A critical vulnerability affecting AVTECH IP cameras has been exploited by threat actors as a zero-day, adding the devices to a botnet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed the details earlier this month, emphasizing the flaw’s low attack complexity and remote exploitability. CISA warned in an alert published on August 1, 2024, that successful exploitation could allow attackers to inject and execute commands with the permissions of the running process. The vulnerability impacts AVM1203 camera models with firmware versions up to and including FullImg-1023-1007-1011-1009. Although these devices are no longer produced, they are still in use in sectors like commercial facilities, financial services, healthcare, public health, and transportation systems. The web infrastructure company noted that attackers managing these botnets have been leveraging new or less-known vulnerabilities to spread malware.

APT-C-60 Group Uses WPS Office Vulnerability to Install SpyGlace Backdoor

A cyber espionage group aligned with South Korea has been linked to the exploitation of a recently patched severe remote code execution vulnerability in Kingsoft WPS Office, which has been used to deploy a custom backdoor known as SpyGlace. Cybersecurity firms ESET and DBAPPSecurity attribute this activity to a threat actor identified as APT-C-60. These attacks have been observed infecting users in China and East Asia with malware. The vulnerability in question, CVE-2024-7262 (CVSS score: 9.3), arises from inadequate validation of user-supplied file paths. This flaw allows an attacker to upload an arbitrary Windows library, enabling remote code execution. ESET noted that the flaw “permits code execution by hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe” and mentioned discovering an additional method to exploit this issue, tracked as CVE-2024-7263 (CVSS score: 9.3). APT-C-60 has exploited this vulnerability by creating a one-click exploit embedded in a malicious spreadsheet document, which was uploaded to VirusTotal in February 2024. The file contains a deceptive image of the spreadsheet’s content, with a hidden malicious link. Clicking on a cell within this image initiates a multi-stage infection process to deploy the SpyGlace trojan, a DLL file named TaskControler.dll, which includes capabilities for file theft, plugin loading, and command execution. Security researcher Romain Dumont explained, “The exploit developers embedded an image of the spreadsheet’s rows and columns to trick users into believing the document was ordinary. The malicious hyperlink was attached to this image, so interacting with a cell in the picture would activate the exploit.” APT-C-60 has been active since at least 2021, with SpyGlace sightings dating back to June 2022, according to ThreatBook, a Beijing-based cybersecurity firm.

CISA Highlights Severe Apache OFBiz Vulnerability Following Reports of Ongoing Exploitation

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant security weakness in the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) list, noting evidence of ongoing exploitation. The issue, identified as CVE-2024-38856, has a CVSS rating of 9.8, signifying a critical level of severity. CISA stated, “Apache OFBiz has a flaw in authorization that could permit remote code execution through a Groovy payload within the OFBiz user process by an unauthenticated attacker.” This vulnerability was first revealed earlier this month when SonicWall labeled it as a workaround bypass for another vulnerability, CVE-2024-36104, which allows remote code execution through customized requests.

Fortra Releases Fix for Critical Security Flaw in FileCatalyst Workflow

Fortra has resolved a critical security vulnerability affecting FileCatalyst Workflow, which could be exploited by a remote attacker to gain administrative privileges. The flaw, identified as CVE-2024-6633, has a CVSS score of 9.8 and arises from the use of a static password for connecting to an HSQL database. In a vendor knowledge base article, the default credentials for the HSQL database (HSQLDB) used by FileCatalyst Workflow are disclosed, Fortra noted in an advisory. “Exploiting these credentials could compromise the confidentiality, integrity, or availability of the software.” The advisory added, “The HSQLDB is only included to assist with installation, has been deprecated, and is not intended for production use according to vendor guidelines. Nevertheless, users who have not switched to an alternative database as recommended remain vulnerable to attacks from any entity that can access the HSQLDB.” Cybersecurity firm Tenable, which discovered and reported the vulnerability, stated that the HSQLDB is by default accessible remotely on TCP port 4406, allowing attackers to connect using the static password and execute malicious activities.

Meta Reveals Iranian Threat Actor Targeting International Political Figures via WhatsApp

On Friday, Meta Platforms joined Microsoft, Google, and OpenAI in revealing the activities of an Iranian state-sponsored threat actor, who reportedly utilized a set of WhatsApp accounts to target individuals in Israel, Palestine, Iran, the U.K., and the U.S. This cluster of activities, originating from Iran, appeared to be directed at political and diplomatic officials, as well as other public figures, including some associated with the administrations of President Biden and former President Trump, according to Meta. The social media giant attributed the campaign to a nation-state actor identified as APT42, also known as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda, which is believed to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). This adversarial group is notorious for employing sophisticated social engineering tactics to spear-phish targets and steal their credentials through malware. Earlier in the week, Proofpoint reported that this threat actor had targeted a prominent Jewish figure with malware known as AnvilEcho. Meta disclosed that the “small cluster” of WhatsApp accounts pretended to be technical support for AOL, Google, Yahoo, and Microsoft, although these attempts are thought to have been unsuccessful. These accounts have since been blocked. “We have not seen evidence that their accounts were compromised,” stated the parent company of Facebook, Instagram, and WhatsApp. “We have advised those who reported to us to take precautions to secure their online accounts across the internet.” This development comes as the U.S. government formally accused Iran of attempting to disrupt U.S. elections.

Microsoft Patches ASCII Smuggling Vulnerability That Allowed Data Exfiltration from Microsoft 365 Copilot

Recent findings revealed a previously patched flaw in Microsoft 365 Copilot that could have been exploited to steal sensitive user data through a technique known as ASCII smuggling. “ASCII smuggling is an innovative method that leverages special Unicode characters that resemble ASCII but are actually hidden from view in the user interface,” explained security researcher Johann Rehberger. “This allows an attacker to have the large language model render hidden data to the user and embed it within clickable links, effectively staging the data for exfiltration. As a result, sensitive information found in emails, such as multi-factor authentication (MFA) codes, could be sent to a server controlled by the attacker.” This discovery follows proof-of-concept (PoC) attacks on Microsoft’s Copilot, demonstrating how the system could be manipulated to alter responses, leak private data, and bypass security measures, underscoring the ongoing need for vigilance with AI tools. According to Zenity, these tactics enable attackers to perform retrieval-augmented generation (RAG) poisoning and indirect prompt injections that could lead to remote code execution, granting full control over Microsoft Copilot and other AI applications. In a potential attack scenario, a remote attacker with the ability to execute code could deceive Copilot into delivering phishing content to users. One particularly sophisticated attack involves converting the AI into a spear-phishing tool, termed LOLCopilot, where an attacker with access to a victim’s email could send phishing emails that mimic the style of the compromised user. Microsoft has also warned that Copilot bots, publicly accessible via Microsoft Copilot Studio without authentication protections, could be exploited by attackers to extract confidential data if they have prior knowledge of the bot’s name or URL.
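As an added example (not code from the article, from Microsoft, or from the researcher quoted above), the following Python snippet shows how a defender can detect and strip the hidden characters ASCII smuggling relies on: it looks for characters from the Unicode Tags block (U+E0000 to U+E007F), which mirror ASCII one-to-one but render invisibly, decodes any run it finds, and returns the cleaned text. The sample model output and the example.invalid host are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Unicode "Tags" block: U+E0000..U+E007F mirrors ASCII 0x00..0x7F one-to-one but
# renders as nothing in most interfaces, which is what keeps smuggled text hidden.
TAG_BASE = 0xE0000
TAG_RE = re.compile("[\U000E0000-\U000E007F]+")


def extract_hidden_ascii(text: str) -> List[str]:
    """Return every run of tag characters in `text`, decoded back to plain ASCII."""
    return ["".join(chr(ord(ch) - TAG_BASE) for ch in m.group())
            for m in TAG_RE.finditer(text)]


def strip_tag_characters(text: str) -> str:
    """Drop tag characters so only the text the user can actually see is passed on."""
    return TAG_RE.sub("", text)


def scan_llm_output(text: str) -> Dict[str, object]:
    """Inspect model output (e.g. a rendered link) for smuggled ASCII before it is shown or followed."""
    hidden = extract_hidden_ascii(text)
    return {
        "suspicious": bool(hidden),
        "hidden_payloads": hidden,
        "clean_text": strip_tag_characters(text),
    }


def _tag_encode(payload: str) -> str:
    """Test-fixture helper: map ASCII into the Tags block to build the sample below."""
    return "".join(chr(TAG_BASE + ord(ch)) for ch in payload)


# Constructed sample (not data from the article): a Copilot-style reply whose link
# carries an invisible "MFA code" in its query string; example.invalid is a placeholder host.
SAMPLE_OUTPUT = ("Here is the summary you asked for: "
                 "[open report](https://example.invalid/r?q=" + _tag_encode("mfa=123456") + ")")

if __name__ == "__main__":
    result = scan_llm_output(SAMPLE_OUTPUT)
    print("suspicious:", result["suspicious"])
    print("hidden payloads:", result["hidden_payloads"])
    print("visible text:", result["clean_text"])
```

The same scan applied to a link target before it is followed is what stops the exfiltration step, since the decoded payload is exactly what would have left in the URL.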

Malicious Movie Downloads Used in Attacks Deploying PEAKLIGHT Downloader on Windows Systems

A novel dropper has been identified that acts as a conduit for deploying next-stage malware, ultimately aiming to infect Windows systems with information stealers and loaders. “This memory-resident dropper decrypts and runs a PowerShell-based downloader,” stated Google-owned Mandiant. This PowerShell-based downloader is being tracked as PEAKLIGHT. This method is used to distribute various malware strains, including Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all offered through a malware-as-a-service (MaaS) model. The attack chain begins with a Windows shortcut (LNK) file, which is obtained through drive-by download methods, such as when users search for movies on search engines. These LNK files are often contained in ZIP archives that are falsely presented as pirated movies. Once executed, the LNK file connects to a content delivery network (CDN) that hosts an obfuscated, in-memory JavaScript dropper. This dropper then triggers the execution of the PEAKLIGHT PowerShell downloader script on the system, which contacts a command-and-control (C2) server to download additional payloads. If the required archives are unavailable, the downloader will attempt to retrieve the archive file from a CDN site and store it on the local disk.

BlackByte Ransomware Targets VMware ESXi Vulnerability in Recent Attack Surge

The BlackByte ransomware group is reportedly exploiting a recently patched security vulnerability affecting VMware ESXi hypervisors and using various vulnerable drivers to bypass security measures. According to a technical report shared with The Hacker News by Cisco Talos, “The BlackByte ransomware group continues to use tactics, techniques, and procedures (TTPs) that have been central to its operations since its inception. It persistently iterates its use of vulnerable drivers to circumvent security defenses and deploys a self-propagating, wormable ransomware encryptor.” The exploitation of CVE-2024-37085, an authentication bypass flaw in VMware ESXi that other ransomware groups have also weaponized, indicates a shift in the e-crime group’s tactics. BlackByte emerged in the latter half of 2021 and is thought to be one of the ransomware variants that surfaced before the shutdown of the notorious Conti ransomware group. This ransomware-as-a-service (RaaS) group has a track record of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server for initial access while avoiding systems with certain Eastern European and Russian languages. The BlackByte ransomware group employs double extortion tactics, using a name-and-shame strategy through a data leak site on the dark web to coerce victims into paying. Multiple variants of this ransomware, written in C, .NET, and Go, have been seen in the wild. Although Trustwave released a decryptor for BlackByte in October 2021, the group has continued to evolve its methods, including the use of a custom tool called ExByte for data exfiltration before starting encryption. In early 2022, a U.S. government advisory linked the RaaS group to financially motivated attacks on critical infrastructure sectors, such as financial institutions, food and agriculture, and government facilities.
A key aspect of their attacks is the use of vulnerable drivers to disable security processes and bypass controls, a method known as bring your own vulnerable driver (BYOVD). Cisco Talos, which investigated a recent BlackByte ransomware incident, reported that the breach was likely facilitated using valid credentials to access the victim’s VPN. Initial access is believed to have been achieved through a brute-force attack. “Using the victim’s VPN for remote access also provides the adversary with additional benefits, such as decreased visibility from the organization’s EDR. Given BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access might indicate a minor change in technique or could be a case of opportunism,” said security researchers James Nutland, Brennan Evans, Terryn Valikodath, and Craig Jackson.

New Linux Malware ‘sedexp’ Conceals Credit Card Skimmers by Employing udev Rules

Cybersecurity experts have discovered a new stealthy Linux malware that uses a unique approach to maintain persistence on compromised systems and conceal credit card skimming code. Malicious actors are continually adapting and enhancing their tactics, often employing innovative methods to avoid detection, which is unsurprising given the evolving nature of cyber threats. The malware includes features that enable it to establish a reverse shell for remote access to the infected system and to alter memory in order to hide any file containing the string “sedexp” from commands like ls or find.

The malware uses udev rules to ensure persistence. udev, which replaces the Device File System (devfs), provides a way to identify devices by their attributes and set rules that trigger responses when a device’s state changes, such as when a device is inserted or removed. Each entry in a udev rules file contains at least one key-value pair, allowing devices to be matched by name and specific actions to be initiated in response to various device events. “A rule can specify the device node name, create symbolic links pointing to the node, or execute a designated program as part of the event handling,” notes the SUSE Linux documentation. “If no rule matches, the default device node name is used.” For the sedexp malware, the udev rule ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" ensures that the malware is executed whenever /dev/random (character device major 1, minor 8) is activated, which usually happens during each reboot.
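As an added example (not code from the article or from any vendor tool), the following Python script parses udev rule lines into their key-value pairs and flags rules that run a program on the /dev/random add event (major 1, minor 8) or from a relative or non-system path, which is the persistence pattern described above. The rules file is constructed for the demonstration; its last line is the sedexp rule quoted above, the others are ordinary rules for comparison.

```python
import re
from typing import List, Tuple

# Constructed udev rules file (not from the article); the last line is the rule
# quoted in the sedexp write-up, the others are ordinary rules for comparison.
SAMPLE_RULES = """\
# persistent network naming rule (benign)
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"
KERNEL=="sda", SUBSYSTEM=="block", SYMLINK+="disk0"
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/sbin/usb-audit.sh"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# One udev token: KEY, optional {attr}, operator, double-quoted value, optional comma.
TOKEN_RE = re.compile(r'\s*([A-Z]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')

# RUN programs are expected to live in system directories (assumption for this check).
TRUSTED_RUN_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/", "/bin/", "/sbin/", "/usr/local/")


def parse_udev_rule(line: str) -> List[Tuple[str, str, str, str]]:
    """Split one udev rule line into (key, attr, op, value) tuples."""
    line, pos, tokens = line.strip(), 0, []
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse udev rule at offset {pos}: {line!r}")
        tokens.append((m.group(1), m.group(2) or "", m.group(3), m.group(4)))
        pos = m.end()
    return tokens


def check_udev_rule(line: str) -> List[str]:
    """Return reasons a rule looks like sedexp-style persistence (empty list if clean)."""
    tokens = parse_udev_rule(line)
    env = {attr: val for key, attr, op, val in tokens if key == "ENV" and op == "=="}
    runs = [val for key, _, op, val in tokens if key == "RUN" and op in ("+=", "=", ":=")]
    reasons: List[str] = []
    if runs and env.get("MAJOR") == "1" and env.get("MINOR") == "8":
        reasons.append("RUN triggered by char device 1:8 (/dev/random), fires on every boot")
    for cmd in runs:
        prog = cmd.split()[0] if cmd.split() else ""
        if not prog.startswith("/"):
            reasons.append(f"RUN program is a relative path: {prog!r}")
        elif not prog.startswith(TRUSTED_RUN_PREFIXES):
            reasons.append(f"RUN program outside system directories: {prog!r}")
    return reasons


def scan_rules(text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a rules-file body; return (line_no, line, reasons) for every flagged rule."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        reasons = check_udev_rule(line)
        if reasons:
            findings.append((no, line, reasons))
    return findings


if __name__ == "__main__":
    for no, line, reasons in scan_rules(SAMPLE_RULES):
        print(f"line {no}: {line}")
        for r in reasons:
            print("   -", r)
```

Run it over the contents of /etc/udev/rules.d/*.rules and /lib/udev/rules.d/*.rules on a host under review; a RUN directive with a bare program name or a /dev/random trigger is worth a closer look regardless of the file it sits in.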
