May 2023 Cyberwatch Recap: A Month in Cybersecurity
Welcome to our May Cyberwatch blog post. Following our latest webinar, we delve into the notable cyber incidents from the past month. May 2023 saw a surge in ransomware, malware threats, and data leaks that reshaped the cybersecurity landscape.
In this concise recap, we distill our webinar discussion, highlighting key incidents. Our mission is to empower you with an understanding and awareness of the ever-evolving cyber threats and arm you with the tools and knowledge needed to fortify your digital defenses.
So, let’s dive into the turbulent digital waters of May 2023 and navigate through the complex currents of the month’s cybersecurity incidents.
RaidForums Data Leak
A database for the notorious RaidForums hacking forums has been leaked online. RaidForums was a popular and notorious hacking and data leak forum known for hosting, leaking, and selling stolen data from breached organizations.
Details of the Leaked Data: The leaked data includes the registration information for 478,870 RaidForums members, including their usernames, email addresses, hashed passwords, registration dates, and other related information. The data pertains to registered users between March 20, 2015, and September 24, 2020.
Closure of RaidForums and Emergence of New Forums: RaidForums was seized in an international law enforcement operation in April 2022, leading to the arrest of the site’s administrator and two accomplices. After its closure, users moved to a new forum called Breached, which shut down in March 2023 after the FBI arrested its founder. A new forum called ‘Exposed‘ was launched to fill the void left by these closures.
Potential Use of the Leaked Data: The leaked data could be useful for security researchers to build profiles of threat actors and potentially link them to other malicious activities. Law enforcement likely already has access to this database following the seizure of RaidForums.
Update on the Leak: The admin of Exposed, ‘Impotent,’ who leaked the RaidForums member database, stated that the data dump was not originally intended to be public. However, they decided to leak it and confirmed that the member database table still contains 99% of the original lines, with some removed to “cause no drama.” The source of the data remains undisclosed.
New Data Leak Platform: LeakBase.cc
LeakBase.cc is an online platform that serves as a community forum for sharing and discussing leaked databases and is trying to replace RaidForums and Breached.
Community Forum: LeakBase.cc is a community forum where members can share and discuss fresh database dumps, accesses, and accounts. The forum promises a pleasant user experience without any advertisements or banners.
Participation Requirements: To download files from the forum, one must be a participant. There’s a limit of 15 likes per day. Members can share their leaks, but there are rules against certain leaks (e.g., RUS Leaks). To use the forum without restrictions, members need to increase their status. The forum is not a marketplace, and trading is not allowed.
Content: The forum contains various sections, including leaked databases from the staff team, mixed databases, big database leaks, cloud packs, accounts, logs, backups, FTP, servers, software, tools, tutorials, and manuals. Each section has specific rules and guidelines for posting and sharing content.
Membership: The forum encourages new users to register and participate in the community. It also provides options for users to upgrade their membership for additional benefits.
Snake Malware
Five Eyes Operation: Russia’s Federal Security Service (FSB) used the Snake cyber-espionage malware, until the cybersecurity and intelligence agencies of all Five Eyes member countries took down its infrastructure in a joint effort named Operation MEDUSA.
Snake Malware: The development of the Snake malware started under the name “Uroburos” in late 2003. The malware is linked to a unit within Center 16 of the FSB, the notorious Russian Turla hacking group. The malware allowed its operators to remotely install malware on compromised devices, steal sensitive documents and information, maintain persistence, and hide their malicious activities.
Targets: Among the computers in the Snake peer-to-peer botnet, the FBI also found devices belonging to NATO member governments. The Snake malware infrastructure, detected in more than 50 countries, has been used by Russian FSB hackers to gather and steal sensitive data from various targets, including government networks, research organizations, and journalists.
Disabling the Malware: The FBI developed a tool named PERSEUS that establishes communication sessions with the Snake malware implant on a particular computer and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications. The FBI took down all infected devices within the United States and is engaging with local authorities to provide notice of Snake infections within those authorities’ countries and remediation guidance.
Aftermath: The FBI is now notifying all owners or operators of computers remotely accessed to remove the Snake malware and informing them that they might have to remove other malicious tools or malware planted by the attackers, including keyloggers that Turla often also deploys on infected systems.
New Ransomware Group: Cactus
Kroll has identified a new ransomware strain called Cactus, which has been active since at least March 2023. The ransomware leverages documented vulnerabilities in VPN appliances to gain initial access.
Infiltration and Encryption: Once inside the network, Cactus actors attempt to enumerate local and network user accounts and reachable endpoints before creating new user accounts. They use custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks. The ransomware encryptor is unique because it requires a key to decrypt the binary for execution, likely to prevent detection via anti-virus software.
Data Exfiltration: Cactus has been observed exfiltrating sensitive data and extorting victims over the peer-to-peer messaging service known as Tox. However, a known victim leak site was not identified during analysis.
Tactics, Techniques, and Procedures (TTPs): Cactus uses a variety of TTPs, including the use of tools such as Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts to disable security software to distribute the ransomware binary. Initial access is often gained through the exploitation of VPN appliances.
Encryption Process: The ransomware binary has three main modes of execution controlled by command-line switches. It sets itself up for persistence, reads the configuration, and then attempts file system encryption. The malware decodes a hardcoded hex string and then decrypts the resulting data using the AES algorithm with the “-i” parameter and a hardcoded initialization vector.
Recommendations: We strongly recommend patching and updating VPN devices, implementing password managers, monitoring PowerShell execution, auditing user, administrator, and service accounts, implementing multi-factor authentication, and reviewing backup strategies to mitigate the risk of a Cactus attack.
New Malvertising Campaign: LOBSHOT
Google advertisements have been exploited to distribute various types of malware, including a new malware family called LOBSHOT. Threat actors have used the platform to promote fake websites for legitimate software and application updates, tricking users into downloading malware onto their systems.
LOBSHOT continues to collect victims while remaining undetected. The infrastructure is believed to belong to TA505, a well-known cybercriminal group associated with the Dridex, Locky, and Necurs campaigns.
Infection Campaign: Elastic Security Labs observed a multiple infection chain campaign that targeted users searching for legitimate software downloads on Google. Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedded backdoors in what appeared to users as legitimate installers.
Malware Execution: Once users clicked a ‘Download Now’ button on a fake website, the LOBSHOT malware was executed. LOBSHOT performs a Windows Defender anti-emulation check and then moves a copy of itself to the C:\ProgramData folder, spawning a new process using explorer.exe.
Capabilities of LOBSHOT: LOBSHOT has banking trojans, cryptocurrency, and information-stealing capabilities, indicating it is used for financial purposes. It targets various browser extensions, allowing threat actors to steal cryptocurrency assets.
Continued Use of Malvertising: Malvertising campaigns are a popular way for cybercriminals to distribute malware, indicating that they will continue to use the technique. Despite LOBSHOT being relatively new and yet to expand its attack scope, it packs significant functionality, which assists threat actors in moving quickly during the initial stage, allowing them to gain full control over systems remotely.
New Phishing as a Service Platform: GREATNESS
New Phishing-as-a-Service (PaaS) Tool: A previously unreported PaaS offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. This tool incorporates advanced features such as multi-factor authentication (MFA) bypass, IP filtering, and integration with Telegram bots.
Targeted Platforms and Victims: Greatness is focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. The victims of these campaigns were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, with the most commonly targeted sectors being manufacturing, healthcare, and technology.
Attack Flow: The attack starts when the victim receives a malicious email, typically containing an HTML file as an attachment. The victim is led to open the HTML page, which then redirects them to a Microsoft 365 login page, usually pre-filled with the victim’s email address and the custom background and logo used by their company. Once the victim submits their password, the PaaS will connect to Microsoft 365, impersonate the victim, and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page.
Phishing Service Components: The service consists of three components: a phishing kit (which contains the admin panel), the service API, and a Telegram bot or email address. The phishing kit is the only part of the service the victim connects to. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack.
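The attack flow above hinges on an HTML attachment whose only job is to bounce the recipient to the phishing kit, often carrying the recipient's address so the fake login page can be pre-filled. The following is an added example of a mail-gateway style check for that pattern; it is not code from the original post or from the Cisco Talos research. It extracts redirect targets from an HTML attachment (meta refresh and JavaScript location assignments), flags any target host outside an allowlist of legitimate Microsoft sign-in hosts, and flags an email address embedded in the redirect target. The sample attachment, the hostname `login-example-kit.invalid`, and the allowlist are constructed assumptions; tune the allowlist to your own tenant.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real campaign artifact): a minimal HTML attachment
# that redirects to a phishing kit and carries the recipient's address along.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-example-kit.invalid/auth.php#alice@example.com">
</head><body>
<script>window.location.href = "https://login-example-kit.invalid/auth.php?e=alice@example.com";</script>
</body></html>"""

# Constructed benign sample: a redirect to a genuine Microsoft sign-in host.
BENIGN_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login.microsoftonline.com/">
</head></html>"""

# Assumption: hosts a genuine Microsoft 365 sign-in redirect may land on.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
# window.location = "..." / location.href = "..."
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_redirects(html):
    """Return every redirect target URL found in the attachment body."""
    return META_REFRESH.findall(html) + JS_LOCATION.findall(html)


def assess_html_attachment(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for url in extract_redirects(html):
        host = urlparse(url).hostname or ""
        if host not in LEGIT_LOGIN_HOSTS:
            findings.append(f"redirect to non-allowlisted host: {host}")
        if EMAIL.search(url):
            findings.append(f"recipient address embedded in redirect target: {url}")
    return findings


def is_suspicious(html):
    return bool(assess_html_attachment(html))


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, "->", assess_html_attachment(body) or "no findings")
```

A real gateway would also decode obfuscated JavaScript and follow the redirect in a sandbox, but even this static check catches the plain form of the lure and, more importantly, surfaces the tell-tale recipient address baked into the URL.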
Prevention and Detection: Cisco’s suite of security products, including Secure Endpoint, Secure Web Appliance, Secure Email, Secure Firewall, Secure Malware Analytics, Duo, and Umbrella, can detect and block this threat. Open-source Snort Subscriber Rule Set customers can stay current by downloading the latest rule pack available on Snort.org. The article also lists Indicators of Compromise (IOCs) for this threat.
Cross-Platform Threat with RaaS and Advanced Features
The Cyclops group has developed a new ransomware that can infect three major platforms: Windows, Linux, and macOS. The group offers ransomware utilities as a service, known as Ransomware-as-a-Service (RaaS).
Stealing Sensitive Data: Alongside the ransomware service, the group has shared a separate binary to steal sensitive data, including infected computer names and various processes.
Promotion on Hacker Forums: The Cyclops group actively promotes their offerings on hacker forums and seeks a share of the profits from users who use their malware.
Cyclops Ransomware & Stealer Offerings: Cyclops has a dedicated panel for distributing ransomware across Windows, Linux, and macOS operating systems. This panel has separate binaries for the additional stealer component, catering specifically to Linux and Windows.
Ransomware Binary of Cyclops: The Cyclops ransomware payload scans and identifies processes running on the victim’s machine, terminating any processes that could interfere with targeted file encryption. It uses the GetLogicalDriveStrings API to retrieve information about the logical drives in the system and then enumerates the folders, dropping a ransom note file named “How To Restore Your Files.txt” onto the disk.
Linux and macOS Versions of Cyclops Ransomware: The Linux version is compiled in Golang and uses CGO with C integration. The macOS version is a Golang-compiled Mach-O binary. Both versions offer options for file encryption and place encrypted files in a designated folder along with a ransom note.
Similarities with Babuk and LockBit Ransomware: Cyclops ransomware shares similarities with Babuk and LockBit ransomware regarding encryption algorithms and string obfuscation techniques.
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT with a long history of targeting organizations across Asia, North America, and Europe. The group is currently using a new malware component called ReconShark, delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.
ReconShark’s Functionality: ReconShark is a reconnaissance tool with unique execution instructions and server communication methods. It is designed to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicating that it is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks.
Targeted Organizations: Kimsuky’s targets are located across countries in North America, Asia, and Europe. The group’s latest campaigns have focused on ongoing geopolitical topics, including nuclear agendas between China and North Korea and the ongoing war between Russia and Ukraine.
Initial Access Targeting: Kimsuky uses specially crafted phishing emails to deploy ReconShark. The likelihood that the target will open the spear-phishing emails rises due to their high quality and customization for particular individuals. The emails contain links to download malicious documents.
Payload Deployment: ReconShark deploys further payloads in a multi-stage manner implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. ReconShark decides what payloads to deploy depending on what detection mechanisms are running on infected machines.
Infrastructure Analysis: All observed infrastructure in this campaign is hosted on a shared hosting server from NameCheap. Kimsuky operators continually used LiteSpeed Web Server (LSWS) to manage the malicious functionality. Phishing emails have been observed sent from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for command and control.
The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. Organizations and individuals must be aware of the TTPs used by North Korean state-sponsored APTs and take the necessary precautions to protect themselves against such attacks.
Google’s New ZIP and MOV Internet Domains
Google has introduced two new top-level domains (TLDs), .zip and .mov, which have raised concerns among security researchers. These TLDs can be used to create malicious URLs that even tech-savvy users might overlook.
Potential for Malicious Use: Security researcher Bobby Rauch demonstrated how these TLDs could be used to create URLs that appear to download a zip file from a GitHub repository but instead redirect users to an attacker’s website. This is achieved using Unicode slashes, an “@” sign, and the .zip domain: a browser treats everything before the “@” as user information and discards it, so the visible github.com portion is never contacted and the request goes to the .zip host. The .zip or .mov TLDs can thus lure unsuspecting users into accidentally downloading malware.
Google’s Response: Google responded to the criticism by stating that the opportunity to expand choice outweighs any potential security dangers. They believe that website creators benefit from more choices in domain names and that all users benefit from shorter, easier-to-remember URLs. Google also noted that the risk of confusion between domain names and file names is not new, and applications have mitigations for this, such as Google Safe Browsing.
No Active Phishing Attacks Yet: While the potential for misuse is evident, no active phishing attacks have been reported using these new TLDs. However, security researchers continue monitoring for any related URLs and blocking them as needed to prepare for potential phishing campaigns.
Advice for Users and Companies: Users are advised to check links carefully, and companies can restrict new domain names until cybersecurity providers can assign them a reputation. The most effective defenses will likely be a combination of efforts, including security control detections for special Unicode characters, risk scoring for newly created domains, and updated user awareness training.
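The advice above calls for security control detections for special Unicode characters and for scrutiny of the new TLDs. The following is an added example of such a check for a URL filter or link-rewriting step; it is not code from the original post or from the cited research. It reports slash lookalike characters (code points that render like “/” but are not an ASCII slash), a userinfo section before “@”, and an effective host ending in .zip or .mov, and it returns the host the browser would actually contact. The sample URL and the hostname `update-example.zip` are constructed for illustration.

```python
from urllib.parse import urlsplit

RISKY_TLDS = {"zip", "mov"}

# Code points that look like "/" but are not U+002F, so a browser does not treat
# them as a path separator; U+FF0F is included because NFKC folds it to "/".
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# Constructed sample: looks like a GitHub release download, but the "/" characters
# before "@" are U+2215, so the whole prefix is userinfo and the host is the .zip name.
SAMPLE_URL = "https://github.com\u2215example\u2215repo\u2215releases\u2215v1.2.3@update-example.zip"


def analyze_url(url):
    """Return the host a browser would contact plus a list of findings (empty if clean)."""
    findings = []

    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in url if c in SLASH_LOOKALIKES})
    if lookalikes:
        findings.append("slash lookalike characters: " + ", ".join(lookalikes))

    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects some netlocs with characters that NFKC-normalize to "/?#@:";
        # that is itself a strong signal, so report it rather than fail open.
        findings.append("netloc contains characters that normalize to URL delimiters")
        return {"effective_host": None, "findings": findings}

    if parts.username is not None:
        findings.append(f"userinfo before '@' is ignored by the browser: {parts.username!r}")

    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1].lower() if host else ""
    if tld in RISKY_TLDS:
        findings.append(f"host {host} ends in .{tld} and reads like a file name")

    return {"effective_host": host, "findings": findings}


if __name__ == "__main__":
    for u in (SAMPLE_URL, "https://github.com/example/repo/releases/download/v1.2.3/tool.zip"):
        print(u, "->", analyze_url(u))
```

The key takeaway for the user-awareness side is the `effective_host` value: whatever the URL appears to say before the “@”, that host is the one the browser resolves and connects to.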
IT Employee Impersonates Ransomware Gang to Extort Employer
Employee Impersonates Ransomware Gang: Ashley Liles, a 28-year-old IT Security Analyst from Fleetwood, Hertfordshire, United Kingdom, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer. He impersonated a ransomware gang to extort his employer during a ransomware attack on the company.
Ransomware Attack and Internal Investigation: In February 2018, the Oxford-based company where Liles worked suffered a ransomware attack. As an IT Security Analyst, Liles was part of the internal investigations and incident response effort, which also involved other members of the company and the police.
Secondary Attack: During the investigation, Liles launched a secondary attack against the company. He gained access to a board member’s private emails more than 300 times and modified the original blackmail email by changing the payment address that the original attacker had provided. He planned to divert the ransom payment to a cryptocurrency wallet under his control.
Discovery of the Secondary Attack: The company owner wasn’t interested in paying the ransom. The ongoing internal investigations revealed Liles’ unauthorized access to private emails, traced back to his home’s IP address. Although Liles wiped all data from his personal devices, incriminating data was restored.
Conviction and Sentencing: Liles initially denied involvement, but five years later, he pleaded guilty during a Reading Crown Court hearing. He will return to court on July 11, 2023, for sentencing. According to UK law, unauthorized computer access can lead to up to 2 years in prison, while blackmail carries a maximum imprisonment sentence of 14 years.