CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows, Linux and MacOS
Introduction
CYFIRMA Research and Advisory Team has found Kuiper ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Kuiper ransomware
Kuiper ransomware was discovered in the wild in September 2023, coinciding with the launch of their Ransomware-as-a-Service (RaaS) platform during the same month. Ransomware is written in Golang.
The initial sales post for the Kuiper ransomware (Source: Surface Web)
Researchers found various versions of ransomware, namely A, B, and C. Each version has distinct “variants” corresponding to the targeted platform of the binary.
The Flow charts of Windows Variants of different versions:
For all flowcharts, a dotted line is a conditional action, whereas a solid line defines an action that will happen.
The ransomware’s flowchart for the Windows-targeting variant of version A (Source: Surface Web).
The third step, involving the termination and stopping of unwanted processes and services, occurs in two loops within the main function.
The ransomware’s flowchart for the Windows-targeting variant of version B (Source: Surface Web).
Although the flowchart for the Windows variant of version B bears a resemblance to version A, notable differences exist. Version B optimally utilizes Golang’s concurrency. Furthermore, the function for stopping and terminating unwanted processes and services is now distinct. A significant addition in version B is the continuous loop for terminating specific processes based on various process names, distinguishing it from version A.
The ransomware’s flowchart for the Windows-targeting variant of version C (Source: Surface web).
Linux & MacOS
Since researchers found only a single MacOS sample, it will be analyzed by comparing it with the Linux variant of the same version which is Version C.
The initial Linux-based sample acquired is version B. The ransomware’s capabilities on Linux are relatively straightforward compared to the Windows variant. It initiates recursive encryption of the designated folder, clears keys from memory, and optionally restarts the system. Essentially, it eliminates any Windows-specific functionalities, relying solely on platform agnostic code.
The ransomware’s flowchart for the Linux-targeting variant of version B (Source: Surface Web)
In version C, there are no significant differences, aside from minor details. Like the similarity between the Linux variants of version B and C, the MacOS version shows minimal variance from the mentioned Linux versions. The following flowchart encompasses both the Linux and MacOS variants of version C.
The ransomware’s flowchart for the Linux- and MacOS-targeting variants of version C (Source: Surface Web)
CLI-arguments of Ransomware
The ransomware employs an internal configuration to execute or skip particular actions. Some settings are adjustable through the command-line interface (CLI), while others are hardcoded into the binary.
The following lists the arguments along with brief explanations of their purposes.
Argument | Introduced in version | Type | Default value | Purpose |
---|---|---|---|---|
–help | A | String | – | Display the help menu |
–p | A | String | The root of the drive | The path to start the recursive file encryption in. When omitted, the root of the file system is used. On Windows, the drive letters A through Z are targeted when not specifying a path. |
–note | A | Boolean (yes/no) | yes | Defines if the ransom note is to be left during the encryption process, or only once the encryption process is complete. |
-reboot | A | Boolean (yes/no) | yes | When true, the malware forces the machine to reboot once the encryption has finished. |
–rename | A | Boolean (yes/no) | yes | Ensures the encrypted files are renamed to include the ransom extension, either on a per encrypted file basis, or once the encryption has finished, for yes and no respectively. |
–kill | A | Boolean (yes/no) | yes | Terminates specific processes to avoid interruption prior and during the encryption, when set to true. |
–bm | A | Boolean (yes/no) | yes | Ensures big files are encrypted first when set to true. |
–shared | C | String | auto or ip | The ransomware will find and mount remote shares. |
–chacha | C | Boolean (yes/no) | yes | Use the ChaCha20 algorithm, rather than the default AES, to encrypt files whose size is no larger than 500 megabyte. |
–safe | C | Boolean (yes/no) | yes | Reboot the system into safe mode, and start the encryption from there. |
–spread | C | Boolean (yes/no) | yes | Spread from a domain controller to all connected hosts. |
Settings are stored in global variables and accessed during the ransomware’s execution. Samples where the debug setting isn’t enabled can be patched by changing the boolean value in the binary to “1,” allowing debug messages to be printed during runtime. This setting is enabled by default in all encountered samples.
Once the ransomware starts, it will print debug messages in the console.
Using the “-safe” command-line argument triggers an immediate response during internal configuration initialization. It checks if the ransomware has administrative privileges. If not, it requests these privileges, rebooting the device into safe mode. If already granted, it directly reboots the system into safe mode.
The check for administrative privileges involves attempting to read physical drive 0. Only processes with admin privileges can access this file, and an error is triggered if attempted without the necessary privileges, resulting in a boolean outcome.
In the absence of administrative privileges, a PowerShell script is run using “cmd.exe /c.” This script restarts the ransomware with the necessary privileges.
After the sleep period concludes, normal execution resumes as the function returns. If the necessary privileges are present, the “main.RestartSafemode” function is invoked. Initially, it reads itself and writes the newly acquired data into “safemode.exe” within the public user profile’s home folder.
Following that, it creates a file named “safemode.bat” in the same folder as “safemode.exe.” This batch file adds a registry key named “Shell” to execute the ransomware on system startup. If the key already exists, it is overwritten. After writing the batch file, it’s executed, and after a one-second sleep, it’s removed. The system is then configured to start in safe mode with network access during the next boot sequences, ultimately leading to an automatic launch of the ransomware.
Deleting Backup:
Versions A, B, and C all employ a wrapper call to execute command-line interface strings. On Windows, it uses “cmd.exe /c,” and on Linux platforms, it uses “/bin/bash -c,” followed by a space and the command to execute. In Windows variants, the process window is hidden. While Version A utilizes stack strings for constructing command-line interface strings, Versions B and C use hard coded strings.
Noteworthy in Version A is the inclusion of “cmd.exe /c” at the beginning of the strings, indicating the presence of two “cmd.exe” instances in the execution chain before the actual command. Starting from Version B, “cmd.exe /c” has been excluded from the command strings. The table below illustrates the executed commands for each version, with potential additions in Versions B and C. No commands were removed over time.
Source: Surface Web
In the Windows variant of Version A, the boot status policy is configured to ignore all failures, with recovery mode disabled to prevent Windows’ automatic repair feature from activating. Additionally, all shadow copies, existing backup catalogs, system state backups, and application and security logs are quietly deleted. This removal reduces traces available for detecting the intrusion, although clearing logs can signal an intrusion, the specific details become inaccessible. Furthermore, the presence of ransomed files alone suffices, rendering the telltale sign argument irrelevant.
Before encrypting files, the ransomware takes precautions by terminating specific processes and stopping targeted services to prevent interruptions during its main activity. The following tables list the targeted processes and services slated for neutralization. No removals were identified between the different versions.
This practice is widespread among various ransomware families, enhancing the likelihood of successfully encrypting the victim’s files. Concerning blocklisted services, there is a slight increase in their number from version A to B, with only one addition. The count then doubles from version B to C, resulting in a total of 22 blocklisted services.
Source: Surface Web
Blocklisted processes exhibit a similar pattern, initiating at 13; version B contributes one, and version C substantially increases the count to 27 by adding 13 more processes.
After attempting to disable blocklisted processes and services, the ransomware proceeds to disable Windows Defender, with different methods in various Kuiper versions.
In Kuiper version A, the commands to disable Defender are hex encoded and decoded at runtime, likely to evade literal string matching in binary detection rules. In contrast, versions B and C use base64 encoded PowerShell commands instead of hex encoded strings.
The structure of each command is consistent, employing the SetMpPreferences cmdlet: “powershell.exe -ep bypass -c Set-MpPreference -[setting] 1 -ErrorAction SilentlyContinue.” The value of “[setting]” varies for each command, and there is no string replacement; each command is present in full. The error action ensures that any failed command is silently ignored. The command execution wrapper function utilizes “cmd.exe /c,” followed by a space and the given command, to execute each command.
In Version B, the approach diverges by implementing multiple loops. One loop continuously disables Defender’s real-time monitoring capability, while other loops continually terminate processes such as “taskkill.exe,” “tasklist.exe,” “taskmgr.exe,” “cmd.exe,” and “ps.exe.”
Version C maintains the disablement of real-time monitoring and targets several processes, with three notable changes: the processes have undergone slight modifications, all code is consolidated within a single loop, and the loop now includes a one-second sleep at the end of each iteration. Notably, “taskkill.exe,” “cmd.exe,” and “ps.exe” have been removed, and “regedit.exe” and “ProcessHacker.exe” have been added.
Source: Surface Web
Version C introduces extra functionalities, including the ability to bypass sandbox environments and disable Defender through a single function call.
The sandbox evasion process involves attempting to read “C:\Windows\system32\cmd.exe.” If unsuccessful, the malware initiates a shutdown.
Subsequently, it seeks to disable Windows Defender by invoking WDEnable. The malware first loads this DLL to ensure its accessibility, then acquires the function’s address. Utilizing the obtained address, the function is called with “false” passed as the sole argument.
The malware author implements another sandbox bypass strategy, consisting of an empty loop iterating 1000 times. This loop, devoid of any content, is intended to consume CPU cycles. However, in practice, this bypass accomplishes nothing substantial. Although the loop exists within a function in the leaked source code, the compiler places it within the overarching bypass function. This decision ensures that calling the function would merely increase runtime overhead.
The sole ‘bypass’ function present in the Linux and MacOS variants is this empty loop, whose purpose is derived from the leaked Kuiper source code. The significance of the empty loop in the decompiled code remains unclear. In the Linux and MacOS variants, this loop is situated within the threaded main function, with the compiler opting for inlining to eliminate function calls and minimize overhead.
The ransomware attempts to propagate across the network by first acquiring the IP address of the current device. It then spreads the executable over IPs within the range of the last octet of the local IP and proceeds to mount all shared folders and drives.
For obtaining the local IP, there are two methods, depending on the command-line interface argument. The “auto” method utilizes “main.GetNetworkIp,” while the “main.GetNetworkIpByIp” is used if an IP address is provided through the command-line interface.
In “main.GetNetworkIp,” Golang’s net.Interfaces are utilized to fetch a list of interfaces on the machine. It excludes interfaces with names “docker,” “lo,” and “lo0.” The function iterates through the remaining interfaces, calling “main.GetNetworkIpByIp” in a loop with a gradual IP increment. This results in a list of reachable IP addresses.
The objective of “main.GetNetworkIpByIp” is to verify the feasibility of an SMB connection on devices within the last octet of the local IP. Any IP where this connection is possible is then recorded.
After iterating through the IP addresses and obtaining the local address, the malware initiates the process of spreading to all previously identified IPs where an SMB connection is possible. This is accomplished by copying itself into the public user profile on the remote machine.
The newly copied ransomware is launched using “wmic /node:[location] process call create” with the path to the ransomware and command-line interface arguments for its initiation. In this instance, the ransomware runs with default settings but refrains from rebooting the machine once the encryption is complete.
After replicating itself to other machines and initiating processes on remote machines, the ransomware proceeds to mount shared folders on the machine where it is currently executing. It retrieves all shares using WMIC and verifies if there are additional shares beyond the default ones, which are blocklisted.
The obtained locations are then mapped to a drive letter using “net use [drive] [location]”
Getting into the ransom notes, the notes of Kuiper have not changed much throughout the different versions. In each version thus far, the notes are hex encoded, only to be decoded during runtime.
In Version A, the victim ID is dynamically generated at runtime and encompasses the utilized key and IV, encrypted, along with an MD-5 hash of the public key. The data is delimited with colons, and the entire string commences with “RSA=”. This lengthy string is hex encoded and replaces the “ID” in the ransom note, providing all the necessary information for the threat actor to retrieve the key and IV, enabling file decryption.
In Version C, the format evolves with the introduction of ChaCha20 as an option for encrypting large files. The ID remains hex encoded and still starts with “RSA=” before encoding. It now consists of 32 characters, a colon, four digits, and a boolean. The data within the ID is akin to the previous version but now also includes the ChaCha20 key and IV, alongside the AES key and IV. This data is gzip compressed, with the boolean indicating whether ChaCha20 was employed.
Ransomware will exclude some folders from encryption.
Source: Surface Web
On Linux, excluded folders are incorporated starting from version B onwards, although they are not explicitly present in the specific version C build. The leaked source code contains this information, suggesting a potential error made by the actor during the construction of version C. The excluded folders are detailed below.
/bin, /boot, /dev, /etc, /initrd, /lib, /lib64, /libx32, /opt, /proc, /root, /run, /sbin, /srv, /sys, /tmp,
/usr/, /var
The MacOS variant also excludes specific folders. The excluded folders are listed below.
/Applications, /bin, /cores, /dev, /etc, /home, /Library, /net, /private, /sbin, /System, /tmp, /usr, /var
Each identified file undergoes evaluation based on its extension. If the extension is not included in the blocklist, the file is encrypted. The blocked extensions are outlined in the table below.
Source: Surface Web
For large files intended to be encrypted differently, employing either ChaCha20 or AES, a distinct percentage of the file undergoes encryption. Furthermore, the extension of any substantial file undergoes an additional check. If it matches “.sql,” “.txt,” “.db,” or “.json,” it is encrypted as if it were a normal-sized file, irrespective of its actual size.
If the file is categorized as large, an additional extension check is performed. If the extension corresponds to any of the extensions listed below, it undergoes encryption in fast mode, wherein only a quarter of the file is encrypted.
Abk, .abu1, .acp, .adi, .avdx, .avhd, .backup, .bkz, .blend1, .doc, .docx, .dsb, .gho, .iso, .jpa, .mbk, .nba, .nvram, .pdf, .pvm, .qbmb, .qcow2, .raw, .scripa, .sis, .spg, .subvol, .vbox- prev, .vdi, .vhd, .vhdx, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vsv, .wx, .xlsx, .zip.
After encrypting the files, ransomware adds the “.kuiper” extension to that encrypted files.
After completing the encryption process, the ransomware executes several actions. It proceeds to clear the memory keys, with the boolean checked defaulting to “true” and remaining unaltered during runtime. If the reboot function is invoked, the ransomware’s execution halts at that point. If not, the execution continues.
Establishing a Signature and Performing Cleanup
After encrypting the machine, the ransomware employs additional tactics, which vary depending on the malware’s version. Across all versions, the removal of backups is a consistent action, eliminating any trace of the execution except for the modified files on the disk. The function utilized for deleting backups remains the same.
In Version C, additional features are introduced, including a modification of the desktop’s wallpaper and the removal of the binary itself (In version C of this ransomware, the wallpaper is hex encoded. During runtime, it is decoded, after which it is set as the new wallpaper).
The decoded wallpaper within the ransomware executable (Source: Surface web)
The function to set the new wallpaper comes from user32.dll, and is named SystemParametersInfoW.
Following the completion of the wallpaper change function, the ransomware proceeds to remove itself from the disk. This is achieved by generating a small batch file named “setup.bat.”
Screenshot of file encrypted by Kuiper ransomware (Source: Surface web)
Relevancy & Insights:
Following are the TTPs based on the MITRE Attack Framework.
Sr. No | Tactics | Techniques/Sub-Techniques |
1 | TA0002: Execution | T1047: Windows Management Instrumentation |
T1059: Command and Scripting Interpreter | ||
T1106: Native API | ||
T1129: Shared Modules | ||
2 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service |
T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL | ||
3 | TA0004:Privilege Escalation | T1543.003: Create or Modify System Process: Windows Service |
T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL | ||
4 | TA0005:Defense Evasion | T1027: Obfuscated Files or Information |
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools | ||
T1070.001: Indicator Removal: Clear Windows Event Logs | ||
T1070.004: Indicator Removal: File Deletion | ||
T1112: Modify Registry | ||
T1202: Indirect Command Execution | ||
T1497.001:Virtualization/Sandbox Evasion: System Checks | ||
T1562.001: Impair Defenses: Disable or Modify Tools | ||
5 | TA0006:Credential Access | T1056: Input Capture |
6 | TA0007:Discovery | T1016: System Network Configuration Discovery |
T1082: System Information Discovery | ||
T1124: System Time Discovery | ||
T1135: Network Share Discovery | ||
T1497.001: Virtualization/Sandbox Evasion : System Checks | ||
T1518.001: Software Discovery: Security Software Discovery | ||
7 | TA0009:Collection | T1056: Input Capture |
8 | TA0011: Command and Control | T1071: Application Layer Protocol |
9 | TA0040:Impact | T1485: Data Destruction |
T1486: Data Encrypted for Impact | ||
T1490: Inhibit System Recovery |
ETLM Assessment:
CYFIRMA’s assessment, relying on available information, indicates potential future developments in Kuiper ransomware. The evolving tactics, such as the inclusion of new features in recent Versions, signify an ongoing trend of ransomware enhancements. Future iterations may continue to refine evasion techniques, expand targeting capabilities, and possibly introduce more sophisticated anti-detection measures. Organizations should remain vigilant, continuously update cybersecurity measures, and monitor threat intelligence for proactive defense against emerging ransomware threats.
Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense_evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’
selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Information Stealer
Objective: Credential Stealing, Data Exfiltration
Target Technology: Windows OS
Target Geography: Vietnam
Targets: Government, Public and Private Organizations, Universities, Banks, Enterprises, Social Media Platforms (Facebook)
Active Malware of the Week
This week “VietCredCare” is trending.
Summary
Researchers have identified multiple variants of the VietCredCare malware targeting Windows operating systems. The malware, which continuously evolves, is primarily designed to take over corporate Facebook accounts. The researchers’ analysis shows that various Vietnamese Government Agencies, Public and Private Organizations, Universities, Banks, Enterprises, and personal/business social media accounts are at risk of compromise, indicating a widespread threat affecting diverse sectors in Vietnam.
VietCredCare
VietCredCare, an information stealer operational since at least August 2022, operates under the stealer-as-a-service model and is likely managed by Vietnamese-speaking individuals. Noteworthy for its automatic filtering of session cookies and credentials for Facebook accounts, the malware targets individuals in Vietnam, especially those managing profiles of prominent businesses. Compromised Facebook accounts with large followings can be exploited for political posts or financial gains through scams and credential sales.
VietCredCare spreads through phishing sites shared on social media, disguised as legitimate software downloads. Purchasers of VietCredCare gain access to individual Telegram bot channels, facilitating the exfiltration, delivery of stolen data, and communication with developers. Researchers identified over 20 distinct Telegram bot channels associated with VietCredCare.
VietCredCare Structure
VietCredCare’s stealer-as-a-service campaign affects three main groups: the malware developers and advertisers, the users (buyers), and the unwitting victims who download it. Each group plays a distinct role in the operation of VietCredCare.
Developers and advertisers of the stealer
The first group in the VietCredCare campaign consists of the developers responsible for creating the information stealer. They manage components, Telegram bots for data reception, and distribute the stealer as a loader to buyers. Notably, researchers discovered numerous advertisements for the information stealer not only on the dark web but also on widely used public platforms like YouTube and Facebook.
Buyers of the stealer
The second group in the VietCredCare campaign comprises individuals who purchase the information stealer and employ advanced phishing tactics to trick victims into downloading the payload onto their devices. After successful exfiltration, buyers gain access to victims’ credentials and cookies, with a focus on Facebook data. Each buyer receives a unique Telegram bot channel configured by the threat actor. These buyers may use various strategies to exploit compromised Facebook accounts, including spreading misinformation or shaping public perception, or engaging in financially motivated activities such as phishing campaigns, fake product sales, affiliate scams, directing web traffic for advertising revenue, or selling stolen credentials.
Hunting for buyers: stealer–as-a-service
Researchers uncovered a series of Vietnamese-language advertisements on Facebook promoting VietCredCare to potential buyers involved in cybercriminal activities. These ads also surfaced in prominent Vietnamese-language Telegram channels, enticing users with access to a 1MB C# executable file specifically crafted to evade antivirus and firewall protections. This malware can disguise itself as a legitimate application, enhancing its chances of avoiding detection. Advertisements highlight features such as stealing browser cookies and passwords, as well as bypassing Facebook’s two-factor authentication system. Following these operations, the threat actor gains two .txt files containing stolen cookies and passwords. Notably, researchers identified over 20 individual threat actors utilizing the same VietCredCare sample, with one case standing out as a buyer attempted to modify the stealer malware.
Technical Analysis
VietCredCare, an information stealer designed for Windows operating systems and developed in .NET, functions by tricking users into executing a file (payload) disguised as legitimate software. Upon execution, VietCredCare cleverly generates a self-replicating copy named “crsysys.exe” in the %STARTUP% folder. Notably, this information stealer operates autonomously without relying on a command-and-control (C2) server to launch a payload. Stolen data from the infected device is discreetly transmitted to a Telegram bot, making it accessible to the threat actor. Researchers identified over 20 distinct Telegram bots utilizing messenger’s API functionality for this purpose. VietCredCare can pilfer various data, including session IDs, cookies, and passwords, from the browsers (Chrome, Chromium, and MS Edge, along with the Vietnam-specific Cốc Cốc) of infected devices, showcasing its multifaceted functionalities.
Functions of VietCredCare
Telegram Bot Functionalities
VietCredCare relies on its Telegram bot functionalities for a crucial role in the data exfiltration process. The primary purpose of this bot, beyond notifying about the presence of Facebook account credentials in the stealer logs, is to receive the stolen data. This data is converted into two text files (.txt), containing cookies and passwords extracted from compromised devices. Additionally, the bot facilitates communication between the malware’s developers and buyers.
In the data exfiltration process, the threat actor first receives a message indicating the number of Facebook accounts present in the logs. Subsequently, a second message includes an attachment of a .txt file containing the browser cookies exfiltrated from the infected device. The final message in this thread contains the compromised passwords stolen from the browsers of infected devices, also sent in a .txt file. This workflow was detailed in advertisement videos uploaded to YouTube and posts on Facebook, all presented in the Vietnamese language.
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the impact of VietCredCare on organizations appears poised to deepen, with a potential escalation in the scale and sophistication of cyber threats. As this information stealer continues to target individuals managing profiles of prominent businesses and organizations in Vietnam, the risks associated with account takeover are likely to grow. Recent findings indicate active promotion within the Vietnamese cybercriminal community, suggesting a sustained threat in the coming months. This highlights the ongoing relevance and potential risks associated with VietCredCare in the evolving cybersecurity landscape.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Key Intelligence Signals:
APT29’s Latest Tactics: Navigating the Evolving Threat Landscape
Summary:
In a recent observation, Russian hackers affiliated with APT29, also known as Cozy Bear or Midnight Blizzard, are now shifting their focus to target cloud services, according to a warning issued by members of the Five Eyes intelligence alliance. These hackers, also linked to the Russian Foreign Intelligence Service (SVR), have previously breached U.S. federal agencies and compromised Microsoft 365 accounts belonging to entities within NATO nations.
SVR actors exploit service accounts through brute forcing and password spraying, as they lack Multi-Factor Authentication and hold high privileges. Dormant accounts of former employees are also targeted for access. SVR actors exploit enforced password resets to regain access via inactive accounts, complicating incident response efforts. SVR actors leverage password spraying and credential reuse to breach personal accounts, bypassing password authentication. They also use “MFA bombing” to overwhelm victims with Multi-Factor Authentication requests until access is granted.
Once inside the cloud environment, they register their own devices to gain network access, exploiting gaps in device validation rules. To evade detection, SVR actors utilize residential proxies, masking their true origin and complicating identification by network defenses reliant on IP addresses. This underscores the importance of employing a range of detection methods, such as application and host-based logging, to detect and thwart such malicious activities.
Relevancy & Insights:
APT29, also known as Cozy Bear or Midnight Blizzard, has long been associated with the Russian SVR intelligence service. With the increasing migration of infrastructure and data to the cloud organizations, have adapted their techniques and procedures (TTPs) to infiltrate and access intelligence hosted in cloud environments. In 2022, APT29 introduced MagicWeb; a sophisticated post-exploitation malware, leveraging a rogue DLL to gain covert access to AD FS systems through an authentication bypass. Recent attacks by APT29 have also incorporated password spray attacks, indicating a convergence of tactics among threat actors targeting cloud-hosted infrastructure. This adaptation highlights APT29’s agility and suggests a potential exchange of cyber tactics among state-sponsored threat groups, emphasizing the importance of robust cybersecurity measures for organizations moving to the cloud.
ETLM Assessment:
The recent nation-state attack by Cozy Bear/Midnight Blizzard, known as APT29 and linked to the Russian SVR, highlights the critical need for effective management of external threats. Targeting organizations shaping foreign policies in NATO countries, across sectors like education, and government, APT29 has demonstrated agility by incorporating password spray attacks, particularly focusing on cloud-hosted infrastructure. This convergence of tactics underscores the importance of robust cybersecurity measures, necessitating advanced threat detection, updated security protocols, and a culture of cybersecurity awareness. Collaboration with cybersecurity experts and information sharing among industry peers is essential to enhance readiness against evolving external threats.
Recommendations:
Chinese cyberespionage company data leak
A massive collection of files from the Chinese cyberespionage firm i-SOON, also known as Sichuan Anxun, was released online by an unknown source, probably an insider. Business pitches, internal conversation logs, product descriptions, passwords and other credentials taken from victims are among the documents that were uploaded to a public GitHub repository. The topics covered in the business presentations are diverse and include everything from data analysis and Outlook email account hacking tools to i-SOON’s bids for a contract for a surveillance tool that will be used against Uyghurs in Xinjiang. The company targeted colleges and NATO offices in Europe, pro-democracy movements in Hong Kong, and businesses in Southeast Asia, giving the impression that it had a wide range of overseas targets.
ETLM Assessment:
The compromised conversation logs demonstrate how cyber espionage has been made possible by China’s vulnerability disclosure policy, which has been altered in the last year to require companies to notify the government of flaws, before making them public. Wu Haibo, the CEO of i-SOON, asked one of his staff members in the chats if he could get an exploit code from the local Ministry of Public Security for the Tianfu Cup; a Chinese cybersecurity firm. China is then using this knowledge to engage in large-scale IP theft, which we have reported earlier.
The Rhysida Ransomware impacts the Ironrock
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United States of America; (www[.]ironrock[.]com), was compromised by the Rhysida Ransomware. Ironrock is a manufacturer of high-quality indoor/outdoor unglazed ceramic quarry tile and architectural thin brick. The data that has been compromised has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. Within the compromised data are confidential and sensitive details pertaining to the organization. The ransom demanded for the entire dataset is set at 5 BTC.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
The Top 10 Industries, most affected by Rhysida Ransomware from 1 Jan 2023 to 28 Feb 2024 are as follows:
ETLM Assessment:
CYFIRMA’s assessment indicates a sustained focus on US-based companies by the Rhysida ransomware, as illustrated in the attached graph. Despite this, recent events, including the Ironrock attack, underscore the potential vulnerability of other prominent manufacturing entities to similar targeting. It is evident that the threat landscape is dynamic, and organizations across various sectors should remain vigilant to mitigate risks associated with ransomware attacks.
Summary:
The vulnerability allows a remote attacker to compromise a vulnerable system.
Relevancy & Insights:
The vulnerability exists due to a use-after-free error in the DICOM Element Parsing as implemented within the parse_meta_sequence_end() function.
Impact :
A remote attacker can use a specially crafted DICOM file and execute arbitrary code on the target system.
Affected Products:
https[:]//www[.]talosintelligence[.]com/vulnerability_reports/TALOS- 2024-1931
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.
US PHARMACY OUTAGE CAUSED BY BLACKCAT RANSOMWARE ATTACK ON OPTUM SOLUTIONS
Summary:
Sources familiar with the investigation have linked a cyberattack on Optum; a subsidiary of UnitedHealth Group, to the BlackCat ransomware group. This attack has caused an ongoing outage of the Change Healthcare payment exchange platform, significantly impacting its operations. Change Healthcare has informed its customers of the service disruptions due to a cybersecurity incident. In a filing with the SEC, UnitedHealth Group reported that the cyberattack was executed by hackers, suspected to be affiliated with a nation-state, who managed to infiltrate Change Healthcare’s IT systems.
This incident has resulted in extensive billing outages across the U.S. healthcare system, affecting a wide array of services, including electronic health records (EHR), payment processing, care coordination, and data analytics in various healthcare facilities, such as hospitals, clinics, and pharmacies. The outage is particularly disruptive given the central role of the Change Healthcare platform in these operations. BlackCat has not officially claimed responsibility for the cyberattack on Change Healthcare. This might suggest that the group is possibly negotiating a ransom. A key sign of the breach, according to those close to the investigation, is the exploitation of a critical vulnerability, known as the ScreenConnect auth bypass flaw (CVE-2024-1709). This flaw has been actively exploited to deploy ransomware on servers that have not been patched, indicating the sophisticated nature of the attack.
Relevancy & Insights:
The BlackCat/ALPHV ransomware gang, operational since November 2021, has left a trail of victims across various sectors. Among its notable targets are SOLAR INDUSTRIES INDIA; a manufacturer of industrial explosives, the US defense contractor NJVC, gas pipeline operator Creos Luxembourg S.A., renowned fashion brand Moncler, aviation services provider Swissport, technology companies such as NCR, and data storage solutions provider Western Digital. The ransom demands issued by this group span from modest sums ranging from tens of thousands of dollars to staggering amounts in tens of millions.
ETLM Assessment:
BlackCat operates as a ransomware-as-a-service (RaaS) under the umbrella of ALPHV; a group of cybercriminals primarily communicating in Russian. Their modus operandi frequently involves a triple-extortion strategy. While BlackCat has historically targeted entities in the financial, manufacturing, legal, and professional services sectors, its reach extends across all industries. Assessments by CYFIRMA from the ongoing campaign indicate a strong likelihood of BlackCat persisting in its global ransomware activities, driven by the pursuit of substantial financial rewards.
Chunghwa Telecom data advertised in the Leak Site
Summary:
CYFIRMA Research team observed a potential data sale related to Chunghwa Telecom, {www[.]cht[.]com[.]tw}. Chunghwa Telecom Company, Ltd. is the largest integrated telecom service provider in Taiwan, and the incumbent local exchange carrier of PSTN, Mobile, and broadband services in the country. The dataset for sale includes internal documents, databases, contracts from both The Company and the Taiwan government, along with other confidential information. The total size of the dataset available for sale is approximately 1.7 Terabytes.
Source: Underground forums
Relevancy & Insights:
In the realm of cybersecurity, opportunistic cybercriminals driven by financial incentives are perpetually scanning for exposed and vulnerable systems and applications. A significant portion of these adversaries operate within clandestine underground forums, where they engage in discussions related to cybercrime and trade stolen digital assets. Unlike more overt financially motivated threat actors such as ransomware or extortion groups, these individuals prefer to operate discreetly. They exploit unpatched systems or vulnerabilities within applications to gain unauthorized access and pilfer valuable data. Subsequently, this stolen data is advertised for sale within underground forums, facilitating its resale and repurposing by other malicious actors in their illicit activities.
ETLM Assessment:
The “303’s Forum threat actor” is driven predominantly by financial incentives. At present, they are actively involved in the illicit trade of sensitive data, encompassing personally identifiable information (PII), financial records, and other confidential data sourced from Chunghwa Telecom. As per CYFIRMA’s evaluation, this threat actor, based in Taiwan, poses a heightened risk to institutions with inadequate security protocols and infrastructure, making them susceptible to potential cyberattacks.
CYFIRMA Research team observed a potential data leak related to Mahalasa Group, {www[.]mahalasa[.]co[.]in}. Mahalasa Group stands as a reputable IT company in delivering comprehensive IT solutions and services to clients globally. The compromised data includes personally identifiable information such as names, phone numbers, email addresses, physical addresses, access tokens, and other confidential and sensitive data.
Source: Underground forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS